Email action not working office365

Elastic Stack Elasticsearch
1

Hi, I'm trying to make the email action work for office365 and I keep getting this error. I'm able to make the smtp work fine when I use the email output in my logstash config file but now I think I'd rather do it with Watcher.

     "id": "send_email",
      "type": "email",
      "status": "failure",
      "reason": "MessagingException[failed to send email with subject [Watcher Notification] via account [outlook_account]]; nested: SMTPSendFailedException
 [550 5.7.60 SMTP; Client does not have permissions to send as this sender\n]; "

Here are my elasticsearch.yml and watcher actions

xpack.notification.email.account:
  outlook_account:
    profile: outlook
    smtp:
        auth: true ##I've tried to make false but same error
        starttls.enable: true
        host: smtp.office365.com ## instead of smtp-mail.outlook.com
        port: 587
        user: <username>
        password: <password>

and action:

"actions" : {
"send_email" : { 
"email" : { 
  "to" : "kofi@mydomain.com", 
  "subject" : "Watcher Notification", 
  "body" : "{{ctx.payload.hits.total}} error logs found" 
}
}
}

Any idea why this isn't working for me?

2

Hey,

this is not a watcher error, but seems a configuration glitch. Your SMTP server is telling you Client does not have permissions to send as this sender - which means that this username, password combination are not allowed with the configured from address (at least that's what I understood). Maybe there is an additional step to allow this specifically instead of only supplying username/password (many email providers work like that)?

--Alex

3

What do you mean by an additional step? Like an additional verification?

4

yes, something to allow sending email from other hosts - this varies per email provider and is also just a guess as I dont have concrete experience with office365.

5

for the "auth" value, are true and false the only options? Or are other values acceptable?

6

To make email output work in logstash for this same account, I needed to use this config:

  email {
            debug => true
            to => "<userA>"
            subject => "ESCALATED ISSUE: %{subject}"
            body => "%{message}"
            from => "<user>"
            address => "smtp.office365.com"
            username => "<user>"
            password => "<pass>"
            port => 587
            use_tls => true
            authentication => "LOGIN"
7

Ok, so after trying every combination of field it works. For anyone looking to do any kind of email process with office365, it seems to be important to indicate the "from" field. The elasticsearch.yml field is the same that I posted above and in the watch, my action is:

"actions" : {
  "send_email" : { 
     "email" : {
        "from" : "<the same user as specified in the "user" field in the .yml>",
        "to" : "<toUser>", 
        "subject" : "Watcher Notification", 
        "body" : "{{ctx.payload.hits.total}} error logs found" 
}
}
}

Thanks for helping out @spinscale

8

Hey,

glad you got it working.

just to get this right: So when configuring the exact same from address in the elasticsearch.yml configuration, sending email did not work. But it did work when put into the action directly? And there was no other change inbetween? I want to make sure that there is no bug on our side...

--Alex

9

I didn't put a "from" address in the .yml, only in the action directly. On the action >> email page, it didn't say anything about putting a "from" address in the .yml nor do i know if one can. I just followed the instructions from that page and only included the auth, starttls.enabled, host, port user and password fields.

Does that answer your question?

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.