-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Alerts not RFC 5322 compliant. Google's gmail blocks them #14824
Comments
Hi @JTMosaic, |
Thank you for the link to using wazuh-control. However, this led me to a very strange situation. With debug enabled, the problem does not happen and the mail is sent correctly. Here's what I did:
This certainly does sound like a bug but I'm not sure how to gather trace or error information Can you tell me where wazuh-maild should log to? |
I did some more troubleshooting, including killing wazuh-maild and starting it in the foreground with debug flags. Unfortunately, in that mode I cannot get the mail to be blocked. However, as soon as I restart all of Wazuh with debug disabled, I can replicate the issue. I've also narrowed down the issue a bit further and found that it only occurs if there are more than one <email_to> entries in ossec.conf's global section. |
There is very little data in the log and there is no difference between a message which is blocked and one that is not: Non-Blocked message
Blocked message
|
I will test this problem in order to detect what is the bug. |
I can probably do that. Do you want ossec.conf, then? Not sure if it matters but this was a 4.2.5 with open distro for elasticsearch upgraded to 4.3.7 and the wazuh components |
Hi @JTMosaic, |
Correct, @FrancoRivero. The problem only started after the upgrade. I've attached our ossec.conf. Note that I've removed our email addresses and replaced them with placeholders Our organization's mail domain is hosted on gmail and that is where the issue with the RFC comes in. Thank you for looking into this! |
Hi @JTMosaic, |
@FrancoRivero, thank you for all your effort! I have noticed that the issue only occurs when there are multiple <email_to> entries in ossec.conf and maild.grouping=0 in internal_options.conf. We had two but have switched to a group email address and one entry as a solution. Maybe this is the issue? If Wazuh is creating an email with multiple TO fields rather than serializing the addresses in one field that may violate the RFC As for testing, it is possible the debug flag was a false indicator as I was able to send a few alerts with it off and a few were blocked with it on. Unfortunately, Wazuh doesn't have a "test alert" functionality that I am aware of so I can't test all possible alerts. I know it happened for the Shellshock alert mentioned above so that is the only one I tested with. |
Hi @JTMosaic,
Although I cannot reproduce the issue, unfortunately we need more time to analyse it, so we are planning to add it to our roadmap.
With this information I or someone working on this topic may be able to try to reproduce and fix the possible bug. I am sorry for not being able to solve your problem at the moment but we will do our best to correct the problem and have a product with as few errors as possible. Regards |
Thanks you for the update, @FrancoRivero. I appreciate all your efforts! As I mentioned, we have workarounds (only using one email_to or setting maild.grouping to 0) so we are in a good working configuration at the moment. The manager is running on Amazon Linux 2 (kernel 4) maild.strict_checking=1 To recreate the issue I am pushing a log entry for a shellshock attack into the webserver log on another box with wazuh agent. It took me several tries this morning to replicate the issue with the first 3 alerts successfully sending but the 4th and 5th tries bounced and the 6th send successfully. The issue appears to be transient. Logs of the failure message from maillog are below (highlight added) Sep 22 09:02:02 roc-log postfix/smtp[27455]: 86048BFD5D: to=<jt.shyman@>, relay=aspmx.l.google.com[142.251.16.27]:25, delay=0.45, delays=0.05/0/0.07/0.33, dsn=5.7.1, status=bounced (host aspmx.l.google.com[142.251.16.27] said: 550-5.7.1 [] Our system has detected that this message is not RFC 550-5.7.1 5322 compliant: duplicate headers. To reduce the amount of spam sent 550-5.7.1 to Gmail, this message has been blocked. Please review 550 5.7.1 RFC 5322 specifications for more information. i6-20020a05620a248600b006ced53b80e8si3697364qkn.131 - gsmtp (in reply to end of DATA command)) Sep 22 09:04:32 roc-log postfix/smtp[27706]: B2F65BFD5D: to=<jt.shyman@>, relay=aspmx.l.google.com[142.251.16.27]:25, delay=0.66, delays=0.05/0.01/0.1/0.49, dsn=5.7.1, status=bounced (host aspmx.l.google.com[142.251.16.27] said: 550-5.7.1 [] Our system has detected that this message is not RFC 550-5.7.1 5322 compliant: duplicate headers. To reduce the amount of spam sent 550-5.7.1 to Gmail, this message has been blocked. Please review 550 5.7.1 RFC 5322 specifications for more information. c17-20020a05622a059100b0035cd0208541si3174461qtb.364 - gsmtp (in reply to end of DATA command)) However, with only 1 <email_to> value I cannot get the failure to occur at all. Thanks for your continued efforts on this! |
We are facing this same issue currently. Here's some additional information on our setup: Wazuh Manager 4.3.7 running on CentOS 7. Our current ossec.conf on the manager truncated for brevity looks like:
The internal_options.conf file is unmodified from it's stock configuration. The idea behind this setup is that alerts of level 7 and above are sent to "wazuh@my.domain.com", and level 10 and above are also sent to "pager@my.domain.com". However, for the case of level 10 and above, the resulting messages are not compliant with RFC 5322, as they result in multiple "To" lines in the header: Header contents of a level 7 email (excluding MTA added data):
While the same from a level 10 message looks as follows:
Notice the multiple To: lines in the level 10 email - this is a violation of RFC 5322, which specifies only one To line in the headers. If multiple addresses are listed, they should be all on a single To line, separated by commas. Also, this is the "Header-To", and not "Envelope-To" - so it is provided by the Mail User Agent (MUA), and not the MTA - so this is defined by Wazuh, and not Sendmail/Postfix. We've been able to easily replicate this on our host by setting email_alert_level to 7, and email_alerts level 10 sending to "root", then triggering a level 10 alert (like a SSH password failure). The result will be a message in /var/mail/root, so you can do This appears to be a change made to Google's email validation sometime after Sept 22, 2022 - as we received one of these emails on that date, and none after that date. But, as my analysis clearly shows, the problem is definately with how Wazuh composes their Emails when level-based granular email alerts are enabled, and not with the MTA or Google themselves. This is a major problem when using level-based granular email alerts and at least Google mailboxes as recipients. IMHO, this should be considered as a Severe bug. |
I have the same issue of being emails blocked by Gmail. Bounced back emails by Gmail as follows: Original-Recipient: rfc822; XXXX@gmail.com Original-Recipient: rfc822; YYYY@gmail.com This happens whenever a email is set in <email_alerts> which is different from the main global section: <ossec_config> ... <email_alerts> This effectively makes the <email_alerts> unusable. I also agree this is a major bug to fix. |
Same issue here with the Ubuntu 22.02 with v4.4.5 Email header: Standard email_alerts configuration. This makes the <email_alerts> unusable which is an important part of the XDR. Waiting for a fix. |
And the same issue here. Wazuh Manager 4.4.5 running on Debian 11 with the following ossec.conf on the manager:
with an additional overwrite in local_rules.yml
The idea is that we get all FIM related changes via mail. Maybe a hint where to search: The error / double to-header occures only on the mails send via the <email_alerts> section. All other Wazuh related mails like Daily report, SCA-Mails or for example an alert for postfix restart on the Wazuh Server do work fine and have only one to-header. |
Same problem here using wazuh v4.5.4 version. Any update on this error? |
Wazuh 4.3.7 | wazuh-maild | Linux (Amazon2)
When maild.grouping =1 in internal_options.conf and an alert for Shellshock is sent (rule id 31168), the resulting email is not RFC 5322 compliant and Google rejects it:
relay=aspmx.l.google.com[142.250.31.27]:25, delay=0.57, delays=0.05/0.02/0.15/0.35, dsn=5.7.1, status=bounced (host aspmx.l.google.com[142.250.31.27] said: 550-5.7.1 [52.44.133.207] Our system has detected that this message is not RFC 550-5.7.1 5322 compliant: duplicate headers. To reduce the amount of spam sent 550-5.7.1 to Gmail, this message has been blocked. Please review 550 5.7.1 RFC 5322 specifications for more information. eq1-20020ad45961000000b00498ff1cac52si697465qvb.479 - gsmtp (in reply to end of DATA command))
However, other alerts, such as rule id 100005, do not run afoul of this issue.
If maild.grouping is set to 0, the problem goes away so there is a workaround, though the default is 1 and this could cause alerts to be missed.
There isn't a debug setting for maild as far as I can see.
The text was updated successfully, but these errors were encountered: