Symantec Privileged Access Management

  • 1.  Anyone using Google Apps to send CA PAM e-mails?

    Posted Jan 17, 2017 02:37 PM

    Hello Friends!

     

    Is anyone successfully using smtp.gmail.com or aspmx.l.google.com to send e-mail to multiple domains?

     

    The problem is: using aspmx.l.google.com:25 I can send e-mails only to one domain, and it must be hosted by Google Apps. If I send to more than 1 domain, it doesn't matter if they are hosted by Google Apps; only the first domain is accepted.

     

    smtp.gmail.com:465 > CA PAM says connectivity is open, but I always get: "DEBUG SMTP: could not connect to host "smtp.gmail.com", port: 465, response: -1"

     

    smtp.gmail.com:587 > CA PAM says connectivity is open, but I get "530 5.7.0 Must issue a STARTTLS command first. u29sm19203095qki.4 - gsmtp"

     

    aspmx.l.google.com:25 > Only the first domain is accepted, remaining is ignored.

     

    Any thoughts?



  • 2.  Re: Anyone using Google Apps to send CA PAM e-mails?

    Broadcom Employee
    Posted Feb 17, 2017 03:03 AM

    What email capability are you referring to? The Config > Monitor settings on the access control side of PAM? Or the email settings under the password management module? 

     

    Configurations are different for each of these PAM modules.

     

    For the access control email alerts, you can't use the Gmail or Google Apps settings without an SMTP relay. This is because the access control side of PAM does not support authenticated SMTP, and Google does not allow unauthenticated SMTP communications due to the potential for abuse.

     

    Here are some quick instructions for configuring PostFix as a relay between PAM and Google. 

     

    Effectively, you are having PAM talk to your SMTP relay over an unauthenticated connection, and PostFix is in turn using an authenticated connection to your Google SMTP server.

     

    And, yes, you have to have a separate Linux host in your demo environment to do this.

     

    **Using Google as an SMTP relay host**

    ** Assumes you have already installed PostFix with default locations  and configurations. 

     

    1 - Edit the file /etc/postfix/main.cf, and add these lines:

     

    relayhost = [smtp.gmail.com]:587
    smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd.gmail

     

    2 - Create a file /etc/postfix/relay_passwd.gmail with this one line:

     

    smtp.gmail.com <gmail-id>:<gmail-password>

     

    Replace <gmail-id> and <gmail-password> with your Google account details. They are separated with a ‘:’.

     

    3 - Finally run these commands:


    -  postmap /etc/postfix/relay_passwd.gmail

    -  chown root:root /etc/postfix/relay_passwd.*

    -  chmod 600 /etc/postfix/relay_passwd.*

    -  service postfix restart

     

    ** Be careful with Gmail as your account may get flagged as violating terms of use.

     

    The password management module supports authenticated SMTP email, so using the standard Google Gmail or Google Apps SMTP settings should work.

     

    If your Google account is set up for application-specific passwords, then you will need to go into your Google account and set up one for this function in both the access control and credential management email configurations. 

     

    If you want to use Office 365 instead, the setup is similar. The Office 365 mail accounts can be used as a relay host using the Client SMTP submission method.

     

    See details here: http://technet.microsoft.com/en-us/library/dn554323(v=exchg.150).aspx

     

    1 - Edit the file /etc/postfix/main.cf,  and add these lines:

     

    relayhost = [smtp.office365.com]:587
    smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd.o365

     

    2 - Create a file /etc/postfix/relay_passwd.o365 with this one line:

     
    smtp.office365.com <o365-id>:<o365-password>

     

    Replace <o365-id> and <o365-password> with your o365 account details. They are separated with a ‘:’.

     

    3 - Run these commands:


    -  postmap /etc/postfix/relay_passwd.o365

    -  chown root:root /etc/postfix/relay_passwd.*

    -  chmod 600 /etc/postfix/relay_passwd.*

    -  service postfix restart

     

    Lastly, there are 3rd party services that you can subscribe to that allow unauthenticated SMTP emails. For these, you don't need any of the above, obviously, but you do have to pay to use them.

     

    Let us know how any of the above works out for you. 

     

    --Shawn
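
Added example, not part of the posts in this thread and not CA PAM or Postfix tooling: a shell audit for a relay host like the one set up in post 2, reporting whether main.cf will actually authenticate over enforced TLS and whether the credential file is closed to other users. The helper names `cf_get`, `fail` and `audit_relay` are hypothetical; the parameters checked beyond the two shown in the post (`smtp_sasl_auth_enable`, `smtp_sasl_security_options`, `smtp_sasl_tls_security_options`, `smtp_tls_security_level`) are standard Postfix settings, and the parser assumes one parameter per line.

```shell
#!/bin/sh
# Added example: static audit of a Postfix main.cf used as an authenticated relay.
# cf_get, fail and audit_relay are hypothetical helper names, not Postfix tools.

# Print a parameter's effective value (last assignment wins). Comment lines
# and continuation lines (leading whitespace) are skipped.
cf_get() {  # usage: cf_get <main.cf> <parameter>
    awk -v key="$2" '
        /^[ \t]/ || /^#/ { next }
        { i = index($0, "="); if (i == 0) next
          name = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", name)
          gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (name == key) found = val }
        END { print found }' "$1"
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# Print one FAIL line per finding; the exit status is the number of findings.
audit_relay() {  # usage: audit_relay /etc/postfix/main.cf
    cf=$1; problems=0
    [ -n "$(cf_get "$cf" relayhost)" ] || fail "relayhost is not set"
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        fail "smtp_sasl_auth_enable is not yes, so Postfix never authenticates"
    # Without mandatory TLS the provider login could cross the network in clear.
    case "$(cf_get "$cf" smtp_tls_security_level)" in
        encrypt|verify|secure|dane-only|fingerprint) ;;
        *) fail "smtp_tls_security_level does not enforce TLS" ;;
    esac
    # The built-in default (noplaintext, noanonymous) rejects PLAIN and LOGIN.
    opts=$(cf_get "$cf" smtp_sasl_tls_security_options)
    [ -n "$opts" ] || opts=$(cf_get "$cf" smtp_sasl_security_options)
    case "$opts" in
        ""|*noplaintext*) fail "SASL options still forbid plaintext mechanisms" ;;
    esac
    # The credential file and its compiled .db must be closed to group/other.
    map=$(cf_get "$cf" smtp_sasl_password_maps); map=${map#*:}
    [ -f "$map" ] || fail "credential map '$map' is unset or missing"
    for f in "$map" "$map.db"; do
        [ ! -e "$f" ] || [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            fail "$f is accessible to group or other (expected mode 600)"
    done
    return "$problems"
}

[ "$#" -eq 0 ] || audit_relay "$1"
```

Run it as root on the relay host with the path to main.cf as the only argument; an exit status of 0 means no findings.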



  • 3.  Re: Anyone using Google Apps to send CA PAM e-mails?
    Best Answer

    Posted Feb 17, 2017 07:44 AM

    Hello hansh07,

     

    We managed that using a Lotus Notes internal SMTP, but thanks for sharing for the community!

     

    Ellery