Enhancement suggestion: TLS support and authenticated mail #1564

Open
rseichter opened this issue Oct 21, 2018 · 14 comments

@rseichter

Superseding issue #453, which surprisingly has been open for four years:

In many environments it is a requirement these days to send email using TLS, often using port 587 (submission) instead of 25.

Once implemented, new settings should be introduced so as not to break existing configurations:

<smtp_server_enhanced>
    <!-- Allow IPv4, IPv6 or hostnames
    <address>127.0.0.1</address>
    <address>[::1]</address>
    -->
    <address>smtp.example.com</address>
    <!-- optional, default 25 -->
    <port>587</port>
    <!-- optional, no defaults -->
    <tls_cert>/path/to/cert.pem</tls_cert>
    <tls_key>/path/to/key.pem</tls_key>
    <username>johndoe</username>
    <password>S3CRET</password>
</smtp_server_enhanced>

@ddpbsd
Member

ddpbsd commented Oct 22, 2018

Awesome, @rseichter . I think a lot of people would be happy for the feature.
I still think using the local smtpd to relay the mail is the best option (let the dedicated software you already have do the heavy lifting), but that doesn't seem like a popular option.
Let us know if there's anything we can do to help you get this implemented.

@rseichter
Author

@ddpbsd : Sorry to curb your enthusiasm, but I filed this issue as an enhancement suggestion only. I have only recently started looking into OSSEC, and currently have no plans to implement TLS support myself. I'd regret if I inadvertently fooled people.

As for using a local smtpd: I maintain machines that don't have an MTA for policy reasons. In other cases, I'd like to use the sendmail binary, but as far as I can tell OSSEC does not yet support this?

@rseichter changed the title from "Enhancement: TLS support and authenticated mail" to "Enhancement suggestion: TLS support and authenticated mail" on Oct 22, 2018

@ddpbsd
Member

ddpbsd commented Oct 22, 2018

Weird, I thought all unixy systems came with an smtpd, and have for a while.
OpenSMTPd is pretty simple and light.
I think using a sendmail binary is supposed to work, but it seems to be undocumented and I've never tried it.

@rseichter
Author

I wrote "don't have an MTA for policy reasons". 😉 A dedicated database server, to name just one example, does not need to send or receive mail, so not installing an MTA (or any other software not required for the server's purpose) is a common security measure.

@ddpbsd
Member

ddpbsd commented Oct 23, 2018

We can agree to disagree. I won't muddle this issue anymore.
To get this feature, we need someone to write the patch and submit a pull request.
They should also be willing to maintain the feature in the future.

@dan24678

dan24678 commented Jan 8, 2019

@ddpbsd - Are you able to give me more information on your statement that "using a sendmail binary is supposed to work, but it seems to be undocumented"? I'm not familiar enough with C to be able to go into the source and figure out how to get this to work.

My servers are configured with nullmailer and mailx which forwards email to a SaaS-based email provider. So if OSSEC supported Username/Password for SMTP, I'd be good. Or, if it supported injection directly to /usr/bin/mail (which I am using nullmailer to proxy to the SaaS provider) then I would also be good.

You seem to suggest that the second option might actually work but there are some hidden, undocumented config settings I'd need?

@ddpbsd
Member

ddpbsd commented Jan 8, 2019

@DrLongGhost https://github.com/ossec/ossec-hids/blob/master/src/os_maild/sendmail.c#L59
If smtpserver is set to something that starts with /, maild will use that binary to send mail. That's all I know, I've never needed to resort to it.

@dan24678

dan24678 commented Jan 9, 2019

@ddpbsd - Thanks for the info. I'd thought that might be how it works.

I tried it and when I change <smtp_server> to /usr/bin/mail, nothing happens. There is no email sent and no errors in any logs anywhere indicating why it failed. I assume it's failing simply because sendmail/mailx is not an actual mail server so it was never going to work, but I'm not all that clear on the particulars of SMTP to say for sure.

On the plus side, I did realize that I can relatively easily push the alert logs to CloudWatch on AWS and generate alerts there, so that's likely my path forward. I would prefer if the more robust email options described in this feature request existed, but at least I can get OSSEC working for me in the meantime. Thanks for your help!

@ddpbsd
Member

ddpbsd commented Jan 9, 2019

@DrLongGhost There is more information in pull request #689

@dan24678

@ddpbsd - Thanks for that link. I actually got email injection working!

I ended up having to fix several issues:

  • I needed to set <email_alert_level>1</email_alert_level> so that my test events would actually trigger an email. This is probably why I wasn't seeing anything in the logs.
  • In my particular setup (using nullmailer instead of postfix) this was the config that worked for me:

<global>
    <email_notification>yes</email_notification>
    <email_to>where_ever@domain.com</email_to>
    <email_from>support@mydomain.io</email_from>
    <smtp_server>/usr/bin/nullmailer-inject -f support@mydomain.io</smtp_server>
</global>

This let me inject into the nullmailer queue and nullmailer then takes the email and forwards it on to my email SaaS provider (via, I believe, authenticated, secure SMTP).

Thanks again for the links!
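
For hosts without any MTA, the binary hook discussed in this thread (an <smtp_server> value that starts with /) could also point at a small submission helper that speaks STARTTLS and AUTH to a remote server. The following is an added example, not part of the thread and not OSSEC code: it assumes the alert is piped to stdin as a complete message with From and To headers, and the ALERT_SMTP_* variable names and the smtp_cls parameter are hypothetical.

```python
#!/usr/bin/env python3
"""Submit a message read from stdin over SMTP with STARTTLS and AUTH."""
import os
import smtplib
import ssl
import sys
from email import message_from_bytes
from email.utils import getaddresses


def envelope(raw):
    """Parse the piped message; return (message, sender, recipients)."""
    msg = message_from_bytes(raw)
    senders = getaddresses(msg.get_all("From", []))
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    sender = senders[0][1] if senders else ""
    recipients = [addr for _name, addr in rcpts if addr]
    if not sender or not recipients:
        raise ValueError("message needs From and To headers")
    return msg, sender, recipients


def submit(raw, host, port, user, password, smtp_cls=smtplib.SMTP):
    """Send raw over an authenticated, certificate-verified TLS session."""
    msg, sender, recipients = envelope(raw)
    # Default context: CERT_REQUIRED plus hostname checking against `host`.
    ctx = ssl.create_default_context()
    with smtp_cls(host, port, timeout=30) as conn:
        # Raises if the server does not offer STARTTLS, so the
        # credentials below are never sent in cleartext.
        conn.starttls(context=ctx)
        conn.login(user, password)
        conn.send_message(msg, from_addr=sender, to_addrs=recipients)
    return sender, recipients


if __name__ == "__main__":
    # Hypothetical variable names; credentials come from the environment
    # here rather than from the command line.
    env = os.environ
    submit(sys.stdin.buffer.read(), env["ALERT_SMTP_HOST"],
           int(env.get("ALERT_SMTP_PORT", "587")),
           env["ALERT_SMTP_USER"], env["ALERT_SMTP_PASS"])
```
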

@cschwaderer

cschwaderer commented May 28, 2019

Back to the original topic, I'd like to stress that I'd really appreciate that feature! I think running a local mail server (or something similar) as a relay or whatever is somewhat annoying and maybe could be considered outdated. It is so much more convenient to configure one "real" mail server with everything you need, set up an internal account on that mail server for sending out notification emails, and then from every machine which needs to send emails, authenticate on your remote server and you are done. Way better than fiddling around on every machine with postfix, sendmail, ssmtp, several layers of relays, mailutils, and whatnot.

For many ecosystems, there are ready-to-use libraries/tools out there. For example, for Node.js there is emailjs and there is also the nice Python command line tool smtp-cli.

@ddpbsd
Member

ddpbsd commented May 28, 2019

@cschwaderer It's on my list (despite the fact that using ansible to install opensmtpd seems like the better solution), but the list is long. What can I do to help you get started on adding these features?

@rseichter
Author

@ddpbsd Given that "Copyright (C) 2019 Trend Micro Inc." is shown in the first line of the README, would it be possible to secure financial sponsorship for adding this feature (as in some commercial entity providing me with an incentive to spend my time developing it)?

@ddpbsd
Member

ddpbsd commented May 28, 2019

@rseichter You'd have to talk to Trend. They basically have nothing to do with the project AFAIK.
