Active IQ and AutoSupport Discussions

Autosupport SMTP Auth

Krish7
16,291 Views

Hello All, 

As part of security hardening, our Messaging team has now implemented SMTP authentication, so from now on, if we need to send any AutoSupport, we need to have a technical user to authenticate with the mail server to send out the emails. I am not sure if ONTAP supports SMTP auth. Currently we are not allowed to use HTTP or HTTPS (even though they are more secure than SMTP). I have not seen any document saying so (tr-4444). Has anyone experienced this?

 

Does ONTAP (9.5) support SMTP auth for AutoSupport?

 

Any response is highly appreciated.

 

Thanks

Krish

1 ACCEPTED SOLUTION

andris
16,113 Views

OK. In case you want to bring this up with your NetApp representative:

 
Here are your options (in preferred order):
  1. HTTPS (TCP/443) to support.netapp.com
  2. HTTPS via a configured proxy (simple authentication supported, if needed) to support.netapp.com
  3. Arrange for a "SMTP whitelist sender" exception for the ONTAP clusters - the allowed destinations can be locked down to autosupport@netapp.com, any external support partner e-mail destinations or internal e-mail destinations.


tahmad
16,241 Views

SMTP protocol can be used.

Setting up AutoSupport 

Krish7
16,236 Views

Hi, thanks for your response, and sorry for the confusion. The SMTP protocol is not the issue here; we are using it and it was working fine previously. Now the email team has introduced a policy that every email or system alert is to be authenticated on the email servers to send all the alerts out (security), so now we have been forced to do the same for our AutoSupport to be authenticated, and to my knowledge there is no option in autosupport modify, so our question was: does NetApp support SMTP authentication?

It's SMTP authentication, not the protocol, that is the concern here.

 

Thanks

Krish

tahmad
16,221 Views
 

 

SMTP auth for autosupport is supported.

 

Please refer to this document for more information:

[-mail-hosts <text>, ...] - SMTP Mail Hosts
Use this parameter to specify up to five SMTP mail hosts through which AutoSupport messages are sent out.

system node autosupport modify 

Krish7
16,200 Views

Hi

 

Hmm... OK, let me ask like this: can you get SMTP auth for AutoSupport using a USER?

 

So instead of whitelisting the mgt ip, they want to use USER account to verify.

 

Hope I am clear now... it's not about SMTP Mail Hosts, it's about the authentication against a user.

 

Thanks

Ontapforrum
16,189 Views

Hi,

 

On NetApp filers, I believe SMTP authentication is not possible. As you mentioned, SMTP as a 'protocol' can be used, but then there are lots of limitations, and SMTP authentication is one such limitation. I agree with your point: whitelisting is simply asking the mail host to ignore 'security' and trust the IPs, which is not what you want, is it?

 

If you provide a mail host that requires authentication, in all likelihood AutoSupport delivery might hang indefinitely, and I believe you should be able to trace the authentication error in the cluster node logs in notifyd.log:
Location: /mroot/etc/log/mlog/notifyd.log

 

Workaround, as it seems: change the AutoSupport SMTP mail host to a mail host that does not require authentication, or use HTTPS.

 

Thanks!

andris
16,160 Views

The man page link has more info. Did you see it?

==

Also, you can optionally prepend a user name and password combination for authentication to each mail server. The format of the username and password pair is user1@mymailhost.example.com. User will be prompted for the password. The username and password can be specified on none, all, or some of the mail hosts.

==

When you execute the modify command, if you specify a user as above, you will be interactively prompted for a password.

 

Note1: AutoSupport only supports simple authentication. STARTTLS is not supported. There is an RFE in the system for that with no target date.

 

Note2: With ONTAP 9.5 and later, AutoSupport configuration is enforced cluster-wide. So, the user:password configuration for the mailhost is shared by all nodes in the cluster.
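
As an added example (not part of this thread and not NetApp code): a Python check that reads a mail relay's cleartext EHLO reply and reports whether a client limited to simple authentication without STARTTLS, as described in Note1 above, could authenticate to it. The sample replies are constructed, and treating "simple authentication" as the PLAIN/LOGIN mechanisms is an assumption.

```python
# Added example; sample EHLO replies below are constructed, not captured.
# Assumption: "simple authentication" means the PLAIN or LOGIN mechanisms.
SIMPLE_MECHS = {"PLAIN", "LOGIN"}

RELAY_TLS_FIRST = "250-mail.example.com\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"
RELAY_PLAIN_OK = "250-mail.example.com\n250-AUTH PLAIN LOGIN\n250-STARTTLS\n250 HELP"
RELAY_SSO_ONLY = "250-mail.example.com\n250-AUTH GSSAPI NTLM\n250 HELP"


def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    features = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:  # the first line is the greeting, not a keyword
        if not line.startswith("250") or len(line) < 5:
            continue
        words = line[4:].split()
        if not words:
            continue
        if words[0].upper().startswith("AUTH="):  # legacy "AUTH=LOGIN PLAIN"
            words = ["AUTH", words[0][5:]] + words[1:]
        params = [w.upper() for w in words[1:] if w]
        features.setdefault(words[0].upper(), []).extend(params)
    return features


def simple_auth_verdict(reply):
    """Can a client with simple auth and no STARTTLS authenticate here?"""
    features = parse_ehlo(reply)
    mechs = set(features.get("AUTH", []))
    if mechs & SIMPLE_MECHS:
        # Works, but the credentials cross the network without TLS.
        return "simple-auth-offered-in-cleartext"
    if mechs:
        return "no-simple-mechanism-offered"
    if "STARTTLS" in features:
        # AUTH is typically advertised only after the TLS upgrade.
        return "auth-likely-requires-starttls"
    return "no-auth-offered"


if __name__ == "__main__":
    for name, reply in [("tls-first", RELAY_TLS_FIRST),
                        ("plain-ok", RELAY_PLAIN_OK),
                        ("sso-only", RELAY_SSO_ONLY)]:
        print(name, "->", simple_auth_verdict(reply))
```

A relay can still reject a cleartext AUTH attempt even when it advertises the mechanism, so the first verdict means "worth testing", not "guaranteed to deliver".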

Krish7
16,138 Views

Thanks a lot for all the responses. One of the mandatory requirements is STARTTLS.

andris
16,114 Views

OK. In case you want to bring this up with your NetApp representative:

 
Here are your options (in preferred order):
  1. HTTPS (TCP/443) to support.netapp.com
  2. HTTPS via a configured proxy (simple authentication supported, if needed) to support.netapp.com
  3. Arrange for a "SMTP whitelist sender" exception for the ONTAP clusters - the allowed destinations can be locked down to autosupport@netapp.com, any external support partner e-mail destinations or internal e-mail destinations.

Krish7
15,743 Views

Thanks a lot Sir,

 

Does HTTP or HTTPS need to authenticate against the proxy server? Our network security team is adding the mgt IPs to send out the AutoSupport instead of any technical user authenticating against the proxy server, but we are seeing this error: Received HTTP Code 407 from proxy after CONNECT.

 

 

Thanks

Krish

bretta
15,733 Views

Here's an example of setting up a proxy with a password, which I'm assuming your company requires:

 

system node autosupport modify -node nodename -proxy-url user1:mypass@proxyurl:8080

Krish7
15,731 Views

Thanks for your response, but in our case there are no users; our mgt IPs are whitelisted at the proxy server so we can send out AutoSupport.

bretta
15,715 Views

They are forwarding to support.netapp.com from a certain port, I assume? (Note: They must set the proxy to send to NetApp Support specifically.) Let's assume that port is 1234 and the proxy is called proxy1.company1.com then if no password is needed, this is what you need:

 

system node autosupport modify -node node1 -proxy-url proxy1.company1.com:1234

Note: No http or https is needed in the URL.

andris
15,702 Views

man page:

[-proxy-url <text>] - Support Proxy URL

Use this parameter to specify an HTTP or HTTPS proxy if the -transport parameter is set to HTTP or HTTPS and your organization uses a proxy. Enter the URL without an http:// or https:// prefix. If authentication is required, use the format "[username]@[host][:[port]]". You will be prompted for the password. The default is an empty string. To specify a proxy that contains a question mark, press ESC followed by the "?". This field can be cleared by setting the value to an empty string using two double quotes ("").
