Problems configuring the email connection on Signals

Hello,

I would appreciate some help on how to fix this issue I’m having setting up my SMTP to send the signals.

I’m using the latest version of Elasticsearch and the Search Guard plugins.

I use Mailgun as SMTP, and have been using the same settings for all other services on my stack with no issues.

On Search Guard, I get the following error:

[2021-11-10T11:05:49,376][WARN ][o.e.h.AbstractHttpServerTransport] [hz-acc-elk01] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/[0:0:0:0:0:0:0:1]:9200, remoteAddress=/[0:0:0:0:0:0:0:1]:45618}
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73743a393230300d0a557365722d4167656e743a20476f2d687474702d636c69656e742f312e310d0a4163636570743a206170706c69636174696f6e2f6a736f6e0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477) ~[netty-codec-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:620) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:583) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986) [netty-common-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.66.Final.jar:4.1.66.Final]
	at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73743a393230300d0a557365722d4167656e743a20476f2d687474702d636c69656e742f312e310d0a4163636570743a206170706c69636174696f6e2f6a736f6e0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1216) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1286) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507) ~[netty-codec-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446) ~[netty-codec-4.1.66.Final.jar:4.1.66.Final]

I searched for this error and it seems that it is because an unencrypted communication is happening, but I haven’t been able to find where/how.

curl -k -u admin:admin -XPUT "https://localhost:9200/_signals/account/email/default" -H 'Content-Type: application/json' -d'
{
  "host": "smtp.eu.mailgun.org",
  "port": 587,
  "enable_tls": true,
  "default_from": "xxxx@xxx.com",
  "user": "xxxx@xxx.com",
  "password": "xxxxxxx",
  "trusted_hosts": "smtp.eu.mailgun.org"
}'

I’m using the demo configuration that sets up the certificates etc., and in kibana.yml I have specified:

# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://localhost:9200"]

Is there anything I’m missing?

Thanks in advance.
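
The hex string after `not an SSL/TLS record:` in the warning above is the raw bytes Netty received where it expected a TLS record, so decoding it identifies the client that is speaking plaintext to the HTTPS port. The following is an added example, not part of the original post; the function names are illustrative, and the log line is copied from the post with the timestamp and stack trace trimmed.

```python
import re

# Log line from the post (timestamp and stack trace trimmed); the hex dump is
# split at each CRLF (0d0a) only for readability.
LOG_LINE = (
    "io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: "
    "474554202f20485454502f312e310d0a"
    "486f73743a206c6f63616c686f73743a393230300d0a"
    "557365722d4167656e743a20476f2d687474702d636c69656e742f312e310d0a"
    "4163636570743a206170706c69636174696f6e2f6a736f6e0d0a"
    "4163636570742d456e636f64696e673a20677a69700d0a0d0a"
)

HEX_DUMP = re.compile(r"not an SSL/TLS record: ([0-9a-fA-F]+)")
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def rejected_bytes(log_line):
    """Return the bytes Netty refused to parse as TLS, or None if no dump."""
    match = HEX_DUMP.search(log_line)
    if match is None:
        return None
    dump = match.group(1)
    return bytes.fromhex(dump[: len(dump) - len(dump) % 2])  # drop a cut-off nibble

def describe_plaintext_client(log_line):
    """Summarise who sent plaintext to the TLS port, based on the hex dump."""
    raw = rejected_bytes(log_line)
    if raw is None:
        return None
    if not raw.startswith(HTTP_METHODS):
        # Not HTTP: report the leading bytes so the protocol can be identified.
        return {"protocol": "unknown", "first_bytes": raw[:16].hex()}
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    method, _, rest = request_line.partition(" ")
    return {"protocol": "http", "method": method, "path": rest.split(" ")[0],
            "host": headers.get("host"), "user_agent": headers.get("user-agent")}

if __name__ == "__main__":
    print(describe_plaintext_client(LOG_LINE))
```

For the line in the post this yields a `GET /` to `localhost:9200` with `User-Agent: Go-http-client/1.1`; together with the loopback `remoteAddress` in the warning, that points at a Go-based HTTP client on the same host that is configured with `http://` rather than `https://`.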

@sidineycrescencio could you share your email account config from Signals?

What’s the version of:

  1. OS
  2. Search Guard
  3. Elasticsearch?

OS: CentOS 8
Elasticsearch: 7.15.1
SearchGuard: 52.4.0 / 52.0.0 (kibana)

@sidineycrescencio the above is just a warning and not an error. It doesn’t report connectivity issues with port 587.

Do you see any other errors before or after that warning?
Is that warning present when email account is not configured?

I understand that you’re not receiving any emails with that configuration. Can you share your watch config too?

@pablo I just assumed it was related to my SMTP configuration since the warning would always appear after the signal was executed, but you are right, after deleting my watches and account config the error remains.

Indeed, I’m not receiving the mails. I’m using the samples from the documentation and just changed the action configuration.
Thanks!

{
  "checks": [
    {
      "type": "static",
      "name": "constants",
      "target": "constants",
      "value": {
        "ticket_price": 800,
        "window": "1h"
      }
    },
    {
      "type": "search",
      "name": "avg_ticket_price",
      "target": "avg_ticket_price",
      "request": {
        "indices": [
          "kibana_sample_data_flights"
        ],
        "body": {
          "size": 0,
          "aggregations": {
            "metricAgg": {
              "avg": {
                "field": "AvgTicketPrice"
              }
            }
          },
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "timestamp": {
                    "gte": "now-{{data.constants.window}}",
                    "lte": "now"
                  }
                }
              }
            }
          }
        }
      }
    },
    {
      "type": "condition",
      "name": "low_price",
      "source": "data.avg_ticket_price.aggregations.metricAgg.value < data.constants.ticket_price"
    }
  ],
  "active": true,
  "_meta": {
    "last_edit": {
      "user": "admin",
      "date": "2021-11-08T14:58:33.979Z"
    }
  },
  "trigger": {
    "schedule": {
      "interval": [
        "1m"
      ]
    }
  },
  "log_runtime_data": false,
  "actions": [
    {
      "type": "email",
      "name": "my_email_action",
      "throttle_period": "1h",
      "account": "default",
      "to": "mymail@domain.com",
      "subject": "Test",
      "text_body": "Test",
      "html_body": "<p>Test</p>"
    }
  ],
  "_tenant": "_main",
  "_id": "avg_ticket_price"
}