As part of security hardening, our Messaging team has now implemented SMTP authentication, so from now on, if we need to send any AutoSupport, we need a technical user to authenticate with the mail server to send out the emails. I am not sure whether ONTAP supports SMTP auth. Currently we are not allowed to use HTTP or HTTPS (even though they are more secure than SMTP). I have not seen any document saying so (tr-4444). Has anyone experienced this?
Does ONTAP (9.5) support SMTP auth for AutoSupport?
Hi, thanks for your response, and sorry for the confusion. The SMTP protocol is not the issue here; we have been using it and it was working fine previously. Now the email team has introduced a policy that every email or system alert is to be authenticated on the email servers to send all the alerts out (security), so we have been forced to do the same for our AutoSupport. To my knowledge there is no option for this in autosupport modify, so our question was: does NetApp support SMTP authentication?
It's SMTP authentication, not the protocol, that is the concern here.
On NetApp Filers, I believe SMTP authentication is not possible. As you mentioned, SMTP as a 'protocol' can be used, but then there are lots of limitations, and SMTP authentication is one such limitation. I agree with your point: whitelisting is simply asking the mail host to ignore 'security' and trust the IPs, which is not what you want, is it?
If you provide a mail host that requires authentication, in all likelihood Auto-support delivery might hang indefinitely, and I believe you should be able to trace the authentication error in the cluster node logs in notifyd.log. Location: /mroot/etc/log/mlog/notifyd.log
Workaround, as it seems: change the Auto-support SMTP mail host to a mail host that does not require authentication, or use HTTPS.
Also, you can optionally prepend a user name and password combination for authentication to each mail server. The format of the username and password pair is email@example.com. User will be prompted for the password. The username and password can be specified on none, all, or some of the mail hosts.
When you execute the modify command, if you specify a user as above, you will be interactively prompted for a password.
Note1: AutoSupport only supports simple authentication. STARTTLS is not supported. There is an RFE in the system for that with no target date.
Note2: With ONTAP 9.5 and later, AutoSupport configuration is enforced cluster-wide. So, the user:password configuration for the mailhost is shared by all nodes in the cluster.
HTTPS via a configured proxy (simple authentication supported, if needed) to support.netapp.com
Arrange for an "SMTP whitelist sender" exception for the ONTAP clusters - the allowed destinations can be locked down to firstname.lastname@example.org, any external support partner e-mail destinations or internal e-mail destinations.
Does HTTP or HTTPS need to be authenticated against the proxy server? Our network security team is adding the mgmt IPs to send out the AutoSupport instead of having a technical user authenticate against the proxy server, but we are seeing this error: Received HTTP Code 407 from proxy after CONNECT.
They are forwarding to support.netapp.com from a certain port, I assume? (Note: They must set the proxy to send to NetApp Support specifically.) Let's assume that port is 1234 and the proxy is called proxy1.company1.com then if no password is needed, this is what you need:
system node autosupport modify -node node1 -proxy-url proxy1.company1.com:1234
Use this parameter to specify an HTTP or HTTPS proxy if the -transport parameter is set to HTTP or HTTPS and your organization uses a proxy. Enter the URL without an http:// or https:// prefix. If authentication is required, use the format "[username]@[host][:[port]]". You will be prompted for the password. The default is an empty string. To specify a proxy that contains a question mark, press ESC followed by the "?". This field can be cleared by setting the value to an empty string using two double quotes ("").
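An added example, not part of any post in this thread and not NetApp code: given the note above that AutoSupport supports only simple authentication and no STARTTLS, this checks a mail host's EHLO reply to see whether such a client could authenticate to it at all. The sample replies are constructed, and treating "simple" as AUTH PLAIN/LOGIN is an assumption.

```python
# Classify an SMTP relay's pre-TLS EHLO reply for a client that can do only
# simple AUTH and cannot issue STARTTLS (the limitation described in Note1).
SIMPLE_MECHS = {"PLAIN", "LOGIN"}  # assumption: what "simple authentication" covers


def parse_ehlo(reply: str) -> dict:
    """Return {KEYWORD: [params]} from a multiline 250 EHLO reply (RFC 5321)."""
    caps = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:].strip()
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i == 0 or not text:
            continue  # first line is the server greeting, not an extension
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]  # legacy "AUTH=PLAIN LOGIN" spelling
        word, *params = text.split()
        caps.setdefault(word.upper(), []).extend(params)
    return caps


def classify(reply: str) -> str:
    """Say what a no-STARTTLS, simple-AUTH-only client can do with this relay."""
    caps = parse_ehlo(reply)
    mechs = {m.upper() for m in caps.get("AUTH", [])}
    if mechs & SIMPLE_MECHS:
        # Authentication will work, but the password is only base64-encoded,
        # so it is readable by anything on the path to the mail host.
        return "usable-cleartext"
    if mechs:
        return "unsupported-mechanism"  # AUTH offered, but not PLAIN/LOGIN
    if "STARTTLS" in caps:
        # Typical hardened relay: AUTH is advertised only after STARTTLS,
        # which this client never sends, so it can never authenticate.
        return "auth-needs-starttls"
    return "no-auth-offered"


# Constructed sample EHLO replies (hypothetical host names).
RELAY_TLS_FIRST = "250-mail.example.internal\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
RELAY_CLEAR = "250-mail.example.internal\r\n250-AUTH PLAIN LOGIN\r\n250 SIZE 35882577"
RELAY_OTHER = "250-mail.example.internal\r\n250-AUTH GSSAPI CRAM-MD5\r\n250 STARTTLS"

if __name__ == "__main__":
    for name, reply in [("tls-first", RELAY_TLS_FIRST), ("cleartext", RELAY_CLEAR),
                        ("other-mechs", RELAY_OTHER)]:
        print(name, "->", classify(reply))
```

A result of "usable-cleartext" means the technical user's password crosses the network unencrypted, so that account should be restricted to relaying AutoSupport mail only.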