IBM Security Guardium

  • 1.  SMTP troubleshooting

    Posted Thu January 19, 2023 01:43 PM
    Hello guys

    Currently I have been trying to configure the sending of alerts by SMTP in Guardium but without success.

    The connection to the SMTP server succeeds, but the test emails never arrive. We tried by GUI and CLI via diag.

    I ran an ncat on port 25 and the connection was refused; I think that might have something to do with my problem.

    ------------------------------
    Frederico Menge
    ------------------------------


  • 2.  RE: SMTP troubleshooting

    Posted Thu January 26, 2023 09:56 AM

    Hi,

    you can check if an SMTP service is available via telnet <server> 25.

    If you're connected, type EHLO. If the connection is refused or no service is answering, then there is no SMTP daemon running.

    Best regards



    ------------------------------
    David Honisch
    ------------------------------
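The telnet/EHLO check in the reply above, written out as a small probe that records how far the exchange gets (TCP connect, 220 greeting, EHLO reply) and reports "connection refused" or "timed out" separately, since those point at different causes. This is an added example, not code from the thread or from Guardium; the hostname `probe.example` and the in-process fake SMTP responder exist only so it runs offline.

```python
import contextlib
import socket
import threading


def parse_ehlo_reply(text):
    """Split a multi-line 250 reply into (ok, [advertised extensions])."""
    lines = [line for line in text.replace("\r\n", "\n").split("\n") if line]
    if not lines or not all(line.startswith("250") for line in lines):
        return False, []
    # First line carries the server's own name; the rest advertise extensions.
    return True, [line[4:].strip().upper() for line in lines[1:] if len(line) > 4]


def probe_smtp(host, port=25, timeout=5.0):
    """TCP connect, read the greeting, send EHLO; report how far that got."""
    result = {"stage": "connect", "banner": "", "extensions": [], "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            result["stage"] = "banner"          # TCP handshake succeeded
            banner = sock.recv(1024).decode("ascii", "replace").strip()
            result["banner"] = banner
            if not banner.startswith("220"):
                result["detail"] = "port open but no SMTP greeting (other service, or sender blocked)"
                return result
            sock.sendall(b"EHLO probe.example\r\n")
            ok, exts = parse_ehlo_reply(sock.recv(4096).decode("ascii", "replace"))
            sock.sendall(b"QUIT\r\n")
            result["extensions"] = exts
            if ok:
                result["stage"] = "ehlo"
                result["detail"] = "SMTP daemon answered EHLO"
            else:
                result["detail"] = "greeting seen but EHLO was not accepted"
    except ConnectionRefusedError:
        result["detail"] = "connection refused: nothing listening, or an in-path device sent RST"
    except socket.timeout:
        if result["stage"] == "connect":
            result["detail"] = "connect timed out: SYNs are being dropped, or the host is unreachable"
        else:
            result["detail"] = "connected, but no greeting arrived before the timeout"
    except OSError as exc:
        result["detail"] = f"socket error: {exc}"
    return result


def _fake_smtp_server(listener):
    """Constructed stand-in responder so the demo runs offline; not a real MTA."""
    conn, _ = listener.accept()
    with conn, contextlib.suppress(OSError):
        conn.sendall(b"220 fake.example ESMTP ready\r\n")
        while True:
            data = conn.recv(1024)
            if not data:
                return
            if b"EHLO" in data.upper():
                conn.sendall(b"250-fake.example\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
            if b"QUIT" in data.upper():
                conn.sendall(b"221 bye\r\n")
                return


def run_offline_demo():
    """Probe the constructed local server, then the same port once nothing listens on it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_fake_smtp_server, args=(listener,), daemon=True).start()
    reachable = probe_smtp("127.0.0.1", port, timeout=3)
    listener.close()
    refused = probe_smtp("127.0.0.1", port, timeout=3)   # the original poster's symptom
    return reachable, refused


if __name__ == "__main__":
    for r in run_offline_demo():
        print(r["stage"], "-", r["detail"], r["extensions"])
```

Point it at the real server with `probe_smtp("192.168.3.95", 25)` from a host that should have the same network path as the appliance; a "connect" stage result means the problem is below SMTP entirely (firewall, routing, wrong address), which is where the later replies in this thread go.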



  • 3.  RE: SMTP troubleshooting

    IBM Champion
    Posted Fri January 27, 2023 08:50 AM
    How to troubleshoot Guardium SMTP issues (ibm.com)

    IBM Security Guardium - Emails are not being sent with authenticated user for SMTP

    Here are some IBM docs for troubleshooting email issues.  Start with the first link.  If you're at IBM version 11.4, there is a patch that addresses a known issue with the sender.  p410 or p500 resolve the issue.

    ------------------------------
    Walter York
    ------------------------------



  • 4.  RE: SMTP troubleshooting

    IBM Champion
    Posted Fri January 27, 2023 03:44 PM
    Hi Frederico,

    Looking at the result of your ncat attempt to verify TCP connectivity, I would take the connection refused literally.  It appears you are unable to make a basic TCP connection to your email server on port 25.  This may be due to a firewall, router or email server rule preventing the communication.  Or perhaps you have the incorrect IP address.   If you would like to confirm this issue by means of a packet capture from your Guardium appliance, do the following:

    1. Log in to the CLI
    2. Run "support store tcpdump on raw 10m 5"
        This will begin capturing all network traffic for 10 minutes and max out at 5GB of data.
    3. Run "support show port open [smtp server ip] [listening port]"; in your example 192.168.3.95 25
        Do this a couple of times.
    4. When you are done run "support store tcpdump off"
    5. Run the fileserver
        Run "show system log". This will return the IP address of the system you are on.
    6. Run "fileserver [your IP address] 3600"
        This will run the fileserver for 1 hour.
    7. Go to https://your.guardium.device:8445
        Navigate to Logs | opt-ibm-guardium-log
        Download the tcpdump.log file
    8. Open the file in Wireshark and examine the activity between you and the email server
    9. My guess is you will see your Guardium box send out a bunch of SYN packets followed by RST packets from some device between you and the email server or from the email server itself

    Good Luck!



    ------------------------------
    Patrick OBrien
    ------------------------------
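Steps 8 and 9 of the reply above leave the reading of the capture to Wireshark. As an added example (not part of the reply, and not Guardium tooling), the script below parses a standard pcap file with only the standard library and classifies the TCP handshake toward the mail server as open, refused (SYN answered by RST, the pattern the reply predicts) or filtered (SYNs sent, nothing back). The server address 192.168.3.95:25 comes from the thread; the appliance address 192.168.3.10 and the three constructed captures are assumptions, and the thread does not say whether tcpdump.log is pcap format, so check that before feeding it in.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
APPLIANCE, SERVER, PORT = "192.168.3.10", "192.168.3.95", 25   # appliance IP is assumed


def build_frame(src, dst, sport, dport, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame with no payload (demo data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                 # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    parts = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        parts.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(parts)


def sample_capture(scenario):
    """Constructed captures: 'refused' (SYN met by RST), 'filtered' (SYNs, silence), 'open'."""
    frames = []
    for i in range(3):                                # three connection attempts
        sport = 40000 + i
        frames.append(build_frame(APPLIANCE, SERVER, sport, PORT, SYN))
        if scenario == "refused":
            frames.append(build_frame(SERVER, APPLIANCE, PORT, sport, RST | ACK))
        elif scenario == "open":
            frames.append(build_frame(SERVER, APPLIANCE, PORT, sport, SYN | ACK))
            frames.append(build_frame(APPLIANCE, SERVER, sport, PORT, ACK))
    return build_pcap(frames)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP packet in pcap bytes."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                          # skip the global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
               sport, dport, tcp[13])


def summarise(pcap, server, port):
    """Count handshake packets to/from server:port and say what they mean."""
    counts = {"syn_out": 0, "synack_in": 0, "rst_in": 0}
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if dst == server and dport == port and flags & SYN and not flags & ACK:
            counts["syn_out"] += 1
        elif src == server and sport == port:
            if flags & SYN and flags & ACK:
                counts["synack_in"] += 1
            elif flags & RST:
                counts["rst_in"] += 1
    if counts["synack_in"]:
        verdict = "open: handshake completed, look higher up (SMTP auth, relay rules)"
    elif counts["rst_in"]:
        verdict = "refused: server or an in-path device answered SYN with RST"
    elif counts["syn_out"]:
        verdict = "filtered: SYNs sent, nothing came back (dropped by a firewall, or unreachable)"
    else:
        verdict = "no traffic to that server:port in the capture"
    return counts, verdict


if __name__ == "__main__":
    for scenario in ("refused", "filtered", "open"):
        print(scenario, summarise(sample_capture(scenario), SERVER, PORT))
```

For a real file, replace `sample_capture(...)` with `open("tcpdump.log", "rb").read()`; a "refused" verdict with the RSTs arriving from the server's own address means the mail host has nothing listening on 25, while RSTs from a different source address name the device in the path that is blocking you.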