How to Send a Test Email to Verify Email Profile Settings

Printer Friendly Page

Overview

When configuring an Email Server Profile (Device > Server Profiles > Email), the steps described in this document show how to test if the:

  • SMTP settings are correct
  • Server is reachable
    Screen Shot 2014-06-16 at 4.51.04 PM copy.jpg

 

Steps

  1. Go to Monitor > PDF Reports > Report Groups and Add a Predefined Report, for this example 'risky-users' was selected:
    Screen Shot 2014-06-16 at 4.52.48 PM copy.jpg
  2. Go to Monitor > PDF Reports > Email Scheduler , click Add and enter a name. Select the created Report Group and select the Email Profile to test. (Choose an existing Email Profile or click "New Email Profile" to create one new)
  3. Click on "Send test email" to verify the SMTP settings.
    Screen Shot 2014-06-16 at 4.55.12 PM.png
    An email is sent verifying the SMTP settings:
    Screen Shot 2014-06-16 at 4.58.48 PM copy.jpg

 

Invalid Recipient

In the event that the test email fails without an error indication, this can happen if the RCPT TO is an email address outside your organization. Many SMTP servers are configured so that they will not relay emails from unauthenticated sources.

 

Follow the procedure below to verify if one of the recipients is not supported:

  1. From your terminal (Linux, Mac) or cmd (Windows) window, telnet to the target SMTP server. Since telnet is not available on PAN-OS, this test should be initiated from your computer and not the Firewall.
    $ telnet <server_ip_or_fwdn> 25
    Note: If the connection is rejected, either the server is not listening for connections on port 25 or there is a security device preventing the connection from your workstation.
  2. If the connection succeeds, use the following commands:
    • HELO <server_ip_or_fwdn>      (250 - Hello messages and subsequent 250 messages expected)
    • MAIL FROM: <you@yourcompany.com>      (250 2.1.0 Sender OK expected)
    • RCPT TO: <recipient1@yourcompany.com>       (250 2.1.5 Recipient OK expected)
    • RCPT TO: <recipient2@othercompany.com>      (550 5.7.1 Unable to relay expected)

 

For example:

Screen Shot 2015-02-27 at 8.51.06 AM.png

 

Note1:  For a more complete SMTP troubleshooting document, please refer to: Not authorized to view the specified document 1065

Note2:  SMTP Authentication is not currently supported.

 

owner: mivaldi

Tags (7)
Comments

The CLI test procedure it's not valid because there is no telnet cmd on the latest PAN-OS anymore.

I think that the CLI test procedure was not intended to be run on PAN-OS. As the instructions state on the First Step:
"Telnet to the target SMTP server, from your terminal or cmd window".

Also, the NOTE on the first step state:

"the connection from your workstation."

I hope this helps.

Thank you for pointing this out, and jdelio's assumption is correct. This test is supposed to be ran from a workstation, ideally on the same subnet as the firewall's management interface. I'll add an extra note to clarify this.

The problem is that the telnet method does not ensure reliable results. For example, there may be a mail server that accept mails from the workstation where the test is done but denied sending mail to the firewall. Without going any further, this is what happened to me a few days ago.

The basic problem is how to identify the source of the problem when the PAN-OS can not send mail. After some research I found how to identify and filter at the PAN-OS the cause of problems.

We can use the command:

Administrator@PA-200> grep ignore-case yes mp-log ms.log pattern mail

Example 1: The firewall can not reach the SMTP server.

mailclient: Socket Error. host=192.168.1.8 error=148 - No route to host

2014-11-18 13:56:15.750 +0100 Error: _pan_email(pan_email.c:295): failed to forward log to mail server: 192.168.1.8

Example 2: The firewall has not been authenticated

mailclient: error reply: 530 5.7.1 Client was not authenticated

2015-03-09 11:58:11.691 +0100 Error: _pan_email(pan_email.c:295): failed to forward log to mail server: 192.168.1.10

Example 3: Network problems.

mailclient: Socket timeout. host=192.168.1.8

2014-12-10 11:18:12.673 +0100 Error: _pan_email(pan_email.c:295): failed to forward log to mail server: 192.168.1.8

Note: If the result of the grep command aren't enough explanatory we can add the "context" parameter to increase the amount of info showed related to the searched pattern.

Administrator@PA-200> grep context 5 ignore-case yes mp-log ms.log pattern mail

or

Administrator@PA-200> grep before-context 5 after-context 5 ignore-case yes mp-log ms.log pattern mail

You are correct. The server may also be configured to allow relay if the source is the firewall but not the workstation. The telnet test is not completely accurate, and may yield false positives/negatives. It's important to take this into consideration when running the tests. Thank you for sharing your feedback.

I think the main point, is making people aware that most SMTP servers won't relay out to different domains by default, and if you need it to, there's additional configuration required on the SMTP server to allow relay.

A better SMTP troubleshooting guide can be found at Troubleshooting E-mail Alerts and Reports Generated from PAN-OS Devices however, it describes a procedure that was available back when telnet was a valid command in PAN-OS.

<removed>

Is there any way to use Gmail's SMTP.gmail.com and test it? I did, it doesn't seem to be working... Any other thoughs?

Using gmail for smtp requires authentication and PA does not yet support this for the SMTP settings.  So you cannot use gmail for smtp at this time.

Is there anything on the roadmap for SMTP AUTH?  Seems like a firewall of this caliber should have that feature as it's a security feature as well.  

For roadmap questions, you need to contact your Sales engineer.  Palo Alto does not discuss roadmaps in public forums or venues.

Can we change the port number of the gateway? I have tried the obvious by setting the gateway as 192.168.0.5:125 but it does not seem to work.

Anything change on 8.0 ? looking to setup email reporting...

Does it support office365? 

You need ask your Exchange or Messaging team to add PA firewall managment IP in internal email relay server or external relay server (based on domain). Otheriwse you will get error that smtp gateway can't be connected. 

@rudy.bernal,

Sorry for the delay in answering you.

I was able to verify that with PAN-OS 8.0, that everything is exactly the same as in this article.

Palo Alto Report Timings.jpgwhy daily report receving time is different everyday? I think it could be because of time required for report generation.

Hi @Deepak_Khirit

 

Report jobs are generated daily and put in a work queue, together with all the default reports

Depending on the day of the week/month, the traffic seen in the past day/week/month, the workload on a single report may be shorter or longer and potentially the time it takes for the whole queue to be processed can vary significantly. 

 

Too bad email choices are so limited!

 

Lacking SMTP Auth support

Lacking alternate port support

Pretty much forces you to have to deploy a box just to act as a mail relay for the firewall / panorama.

 

I'm with @andrew571

 

hi @andrew571 and @John.Petrucci

 

have you reached out to your sales contacts yet about these requests?

They are able to submit new, or add your votes to Feature Requests

 

for example Authenticated SMTP is FR241, SMTP on a different port is FR2179

 

hope this helps!

 Hi,

I have same email report iusse after upgraded to 8.1.1 from 6.0.11 (PA-500).   I can sure my smtp server is no configureation changed, just no report received now. Any hits ?

 

Thanks.