Active IQ and AutoSupport Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Active IQ and AutoSupport Discussions

Start a New Post

Autosupport SMTP Auth

Krish7
‎2020-05-06 01:20 PM

Hello All, 

As part of security hardening, our Messaging team, has implemented SMTP authentication now, so from now on if we need to send any auto support, we need to have a technical user to authenticate with Mail server to send out the emails, but I am not sure if the ONTAP support SMTP auth, currently we are not allowed to use HTTP or HTTPS (even thought they are more secure then SMTP) I have not seen any document saying so (tr-4444), has anyone experienced this ?

 

Does ONTAP (9.5) supports SMTP auth for autosuport.

 

Any response is highly appreciated.

 

Thanks

Krish

0 Kudos
1 ACCEPTED SOLUTION

andris
NetApp
‎2020-05-07 03:29 PM
In response to Krish7

OK. In case you want to bring this up with your NetApp representative:

 
Here are your options (in preferred order):
  1. HTTPS (TCP/443) to support.netapp.com
  2. HTTPS via a configured proxy (simple authentication supported, if needed) to support.netapp.com
  3. Arrange for a "SMTP whitelist sender" exception for the ONTAP clusters - the allowed destinations can be locked down to autosupport@netapp.com, any external support partner e-mail destinations or internal e-mail destinations.

View solution in original post

13 REPLIES 13

tahmad
NetApp
‎2020-05-07 01:50 AM

SMTP protocol can be used.

Setting up AutoSupport 

0 Kudos

Krish7
‎2020-05-07 03:33 AM
In response to tahmad

Hi, thanks for your response, sorry for the confusion, it's not  the SMTP protocol the issue here, we are using it and working fine previously,  now email team has introduced a policy, that every email or system alerts are to be authenticated on the email servers, to all the alerts out (security), so now we have been forced to the same for our autosupport to be authenticated and to my knowledge there is no option in autosupport modify  ,  so we our question was does NetApp supports  SMTP authentication.

 

It's SMTP authentication not the protocol  the concern here.

 

Thanks

Krish

0 Kudos

tahmad
NetApp
‎2020-05-07 04:24 AM
In response to Krish7
 

 

SMTP auth for autosupport is supported.

 

Please refer to this document for more information:

[-mail-hosts <text>, ...] - SMTP Mail Hosts
Use this parameter to specify up to five SMTP mail hosts through which AutoSupport messages are sent out.

system node autosupport modify 

0 Kudos

Krish7
‎2020-05-07 07:49 AM
In response to tahmad

Hi

 

hmm......ok let me ask like this,  can you get SMTP auth for autosupport using a USER ? 

 

So instead of whitelisting the mgt ip, they want to use USER account to verify.

 

Hope I am clear now... it's not about SMTP  Mail Hosts , it's about the authentication against a user.

 

Thanks

0 Kudos

Ontapforrum
‎2020-05-07 08:28 AM
In response to Krish7

Hi,

 

On NetApp Filers, I believe SMTP authentication is not possible. As you mentioned, SMTP as 'protocol' can be used but then there are lots of limitation and SMTP authentication is one such limitation.  Agree to your point, Whitelisting is simply asking Mail-host to ignore 'security' and trust the IPs, which is not you want isn't it.

 

If you provide mail host that requires authentication: Likelihood, Auto-support delivery might hang indefinitely, and I believe you should be able to trace the authentication error in the cluster node logs in notifyd.log:
Location: /mroot/etc/log/mlog/notifyd.log

 

Workaround as it seems: Change the Auto-support SMTP mail host to a mail host that does not require authentication or use https.

 

Thanks!

0 Kudos

andris
NetApp
‎2020-05-07 09:38 AM
In response to Ontapforrum

The man page link has more info. Did you see it?

==

Also, you can optionally prepend a user name and password combination for authentication to each mail server. The format of the username and password pair is user1@mymailhost.example.com. User will be prompted for the password. The username and password can be specified on none, all, or some of the mail hosts.

==

When you execute the modify command, if you specify a user as above, you will be interactively prompted for a password.

 

Note1: AutoSupport only supports simple authentication. STARTTLS is not supported. There is an RFE in the system for that with no target date.

 

Note2: With ONTAP 9.5 and later, AutoSupport configuration is enforced cluster-wide. So, the user:password configuration for the mailhost is shared by all nodes in the cluster.

0 Kudos

Krish7
‎2020-05-07 01:03 PM
In response to andris

Thanks a lot for all the responses. one of the mandatory requirement is STARTTLS.

0 Kudos

andris
NetApp
‎2020-05-07 03:29 PM
In response to Krish7

OK. In case you want to bring this up with your NetApp representative:

 
Here are your options (in preferred order):
  1. HTTPS (TCP/443) to support.netapp.com
  2. HTTPS via a configured proxy (simple authentication supported, if needed) to support.netapp.com
  3. Arrange for a "SMTP whitelist sender" exception for the ONTAP clusters - the allowed destinations can be locked down to autosupport@netapp.com, any external support partner e-mail destinations or internal e-mail destinations.

Krish7
‎2020-05-26 05:08 AM
In response to andris

Thanks a lot Sir,

 

Does http or https needs to be authentication against the proxy server ? as our network security team are adding the mgt ip's to send out the auto upport instead of any technical user authenticating again proxy server, but we are seeing this error: Received HTTP Code 407 from proxy after CONNECT.

 

 

Thanks

Krish

0 Kudos

bretta
NetApp
‎2020-05-26 06:42 AM
In response to Krish7

Here's an example of setting up a proxy with a password, which I'm assuming your company requires:

 

system node autosupport modify node nodename proxy-url user1:mypass@proxyurl:8080

0 Kudos

Krish7
‎2020-05-26 06:45 AM
In response to bretta

Thanks for your response, but in our case, there are no users, our mgt IP's are white listed at the proxy server, so we can send out auto support.

0 Kudos

bretta
NetApp
‎2020-05-26 07:22 AM
In response to Krish7

They are forwarding to support.netapp.com from a certain port, I assume? (Note: They must set the proxy to send to NetApp Support specifically.) Let's assume that port is 1234 and the proxy is called proxy1.company1.com then if no password is needed, this is what you need:

 

system node autosupport modify -node node1 -proxy-url proxy1.company1.com:1234

Note: No http or https is needed in the URL.

andris
NetApp
‎2020-05-26 09:37 AM
In response to bretta

man page:

[-proxy-url <text>] - Support Proxy URL

Use this parameter to specify an HTTP or HTTPS proxy if the -transport parameter is set to HTTP or HTTPS and your organization uses a proxy. Enter the URL without an http:// or https:// prefix. If authentication is required, use the format "[username]@[host][:[port]]". You will be prompted for the password. The default is an empty string. To specify a proxy that contains a question mark, press ESC followed by the "?". This field can be cleared by setting the value to an empty string using two double quotes ("").

0 Kudos
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2022 NetApp Cookies settings
Let us know
Public