IBM QRadar

  • 1.  qRadar 7.4.2 SMTP config issue

    Posted Thu April 01, 2021 01:31 PM

    Hi all!

    I have qRadar 7.4.2 All-in-one, and I want to configure SMTP. The SMTP server is OK, authentication (disabled) is OK, and an SMTP test via the CLI is OK. I also added a record to the hosts file, and resolving via the CLI is OK!

    But I have this log:

    Mar 29 18:44:11 qr01v742 postfix/smtpd[24178]: connect from localhost.localdomain[127.0.0.1]
    Mar 29 18:44:11 qr01v742 postfix/smtpd[24178]: DD5F4152: client=localhost.localdomain[127.0.0.1]
    Mar 29 18:44:11 qr01v742 postfix/cleanup[24181]: DD5F4152: message-id=<-768056137.11.1617029051847Support Member>
    Mar 29 18:44:11 qr01v742 postfix/smtpd[24178]: disconnect from localhost.localdomain[127.0.0.1]
    Mar 29 18:44:11 qr01v742 postfix/qmgr[22014]: DD5F4152: from=<qradarSupport Member>, size=3349, nrcpt=1 (queue active)
    Mar 29 18:44:11 qr01v742 postfix/error[24182]: DD5F4152: to=<user1Support Member>, relay=none, delay=0.03, delays=0.01/0.02/0/0, dsn=4.3.5, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=trn-mail.company.local type=AAAA: Host not found)

    I tested the same situation on 7.3.3 - everything works well!

    Any ideas?

    Thanks!


  • 2.  RE: qRadar 7.4.2 SMTP config issue

    Posted Fri April 02, 2021 12:39 PM

    I would start by looking at APAR IJ25315 and applying the workaround described in that issue.

    If you continue to have problems, then you can look at updating your settings for smtp_host_lookup. This issue might be due to a config, and changing smtp_host_lookup=dns, native to smtp_host_lookup=native might fix the issue. If the DNS server cannot find the A/AAAA record, it should return "NXDOMAIN", while in this case it returned "SERVFAIL". The reason for this is that DNS was expecting the domain name as part of the hostname, so "mailserver" resolution would fail, but "mailserver.YOURDOMAIN.com" succeeds.

    If you aren't sure how to make this change or confirm the issue, open a case with QRadar Support, and they can review that the APAR workaround is applied and that rule response emails trigger correctly.

    Edit: This issue was indeed introduced in 7.4.x due to a postfix update in RHEL. I believe there is also info here: https://access.redhat.com/solutions/4647781
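    The following POSIX shell script is an added example, not code from the thread or from IBM: it checks, offline, whether the symptom in this thread matches the workaround in the reply (postfix consulting DNS first for a relay host that only exists in /etc/hosts) and prints the postconf change. The main.cf, maillog and hosts samples are constructed; the host name and IP are placeholders modelled on the question.

    ```shell
    #!/bin/sh
    # Constructed main.cf fragment (assumption: the default "dns, native" order)
    SAMPLE_MAIN_CF='smtp_host_lookup = dns, native
    relayhost = trn-mail.company.local'

    # Constructed maillog line modelled on the deferred delivery in the question
    SAMPLE_LOG='Mar 29 18:44:11 qr01v742 postfix/error[24182]: DD5F4152: to=<user1@company.local>, relay=none, dsn=4.3.5, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=trn-mail.company.local type=AAAA: Host not found)'

    # Constructed /etc/hosts entry (placeholder address)
    SAMPLE_HOSTS='10.0.0.25 trn-mail.company.local trn-mail'

    # Print the first resolver postfix tries according to the main.cf text in $1
    # ("dns" or "native"); prints nothing if the parameter is absent.
    first_lookup_method() {
      printf '%s\n' "$1" |
        sed -n 's/^smtp_host_lookup[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' |
        head -n 1
    }

    # Print "<hostname> <record type>" from a name-service-error log line in $1;
    # prints nothing when the line is some other kind of failure.
    unresolved_name() {
      printf '%s\n' "$1" |
        sed -n 's/.*Name service error for name=\([^ ]*\) type=\([A-Z]*\).*/\1 \2/p'
    }

    # recommend_fix MAIN_CF LOG_LINE HOSTS_TEXT
    # Returns 0 and prints the workaround command only when all three hold:
    # DNS is consulted first, the log shows a name-service error, and the failed
    # name is present in the hosts file (so the native libc resolver would work).
    recommend_fix() {
      method=$(first_lookup_method "$1")
      hosts_text="$3"
      set -- $(unresolved_name "$2")   # $1 = hostname, $2 = record type
      name="${1:-}"
      [ -n "$name" ] || return 1
      [ "$method" = "dns" ] || return 1
      printf '%s\n' "$hosts_text" | grep -qwF "$name" || return 1
      echo "postconf -e 'smtp_host_lookup = native' && postfix reload"
    }

    recommend_fix "$SAMPLE_MAIN_CF" "$SAMPLE_LOG" "$SAMPLE_HOSTS"
    ```

    On a real console the three inputs would be `postconf smtp_host_lookup`, the deferred line from /var/log/maillog and the contents of /etc/hosts; a missing match means the symptom is something other than the lookup-order issue.
    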
