Editing SMTP transfer settings of event logs

Virtual Storage Platform One SDS Block System Administrator Guide

Version: 1.16.x
Part Number: MK-24VSP1SDS001-03

VSP One SDS Block acts as an SMTP client and transfers an email containing event log information to the outgoing SMTP server. The user is responsible for preparing the SMTP server and the POP/IMAP server required for mail services. The following figure shows an example configuration required for mail services. Depending on operations, the configuration might include additional components, such as an SMTP server for relaying emails.

To use SMTP transfer, edit SMTP transfer settings of event logs as follows. Import a root certificate that proves the authenticity of the server certificates set on the outgoing SMTP server to the storage cluster. This enables TLS communication with the outgoing SMTP server. PEM- and DER-format certificate files are supported.

For the format of emails sent via the outgoing SMTP server, see Email format.

Event logs transferred to the SMTP server are those whose severity is "Critical", "Error", or "Warning". The time from when an applicable event log is generated until an email is sent is approximately 1 minute and 20 seconds.

Note:
  • (Bare metal)

    The cluster master node (primary) might be changed to another storage node due to storage node failure or other reasons. To ensure that email messages can be received in such cases, when registering a source IP address, set the representative IP address of the storage cluster and the IP addresses of all storage nodes for the control network.

  • (Cloud)

    SMTP transfers from VSP One SDS Block do not pass through the load balancer, so the source IP address remains the IP address of each storage node for the control network. Therefore, when you register a source IP address, specify the IP address of each cluster master node for the control network, not the IP address assigned to the load balancer.

  • Required role: Security

  1. Import a root certificate that proves the authenticity of the server certificates set on the outgoing SMTP server to the storage cluster.

    You can perform this for the cluster master node (primary) only.

    Run either of the following commands with the certificate file and the outgoing SMTP server ID specified.

    REST API: POST /v1/objects/smtp-server-root-certificates/<targetServer>/actions/import/invoke

    CLI: smtp_server_root_certificate_import

    Verify the job ID which is displayed after the command is run.

    Note:

    In the extended profile of an X.509 certificate, the following fields specified in RFC 5280 are supported:

    • Basic Constraints

    • Key Usage

    • Subject Key Identifier

    • Authority Key Identifier

    • Certificate Policies

    • Subject Alternative Name

    • Name Constraints

    • Policy Constraints

    • Extended Key Usage

    • Inhibit anyPolicy

  2. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

    If TLS communication with the outgoing SMTP server is enabled, the root certificate is applied immediately.

  3. Set SMTP transfer of event logs.

    Run either of the following commands with the parameters for setting email notification for the event log transfer destination specified.

    REST API: PATCH /v1/objects/event-log-setting

    CLI: event_log_setting_set

    Verify the job ID which is displayed after the command is run.

    CAUTION:
    • When using a DNS server, a storage node caches DNS inquiry results for the time (DNS TTL) set in the DNS server. For this reason, if the content registered in the DNS server (correspondence between the host name and IP address) is changed, the storage node might access an old address during DNS TTL. Therefore, if you have changed the content registered in the DNS server (correspondence between the host name and IP address), wait until the time specified for DNS TTL has passed, and then set SMTP transfer.

    • Some SMTP servers have filters and rules to block emails with problematic source email addresses. For this reason, set receivable source email addresses in the SMTP transfer settings. For example, if an SMTP server cannot resolve the domain name in a source email address, the server might block the email. However, setting one of the following for the domain name in source email addresses in the SMTP transfer settings might enable you to receive such an email.

      • FQDN that corresponds to the representative IP address of the storage cluster (only when the representative IP address of the storage cluster is set)

      • (Cloud) FQDN that corresponds to the IP address of the load balancer (ELB) (only when the load balancer (ELB) is used)

      • FQDN that corresponds to the IP address of the cluster master node for one of the control networks

  4. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  5. Verify that SMTP transfer of event logs is set correctly.

    If the SMTP transfer setting and the setting on the outgoing SMTP server side are made properly, an event log is notified via an email (Subject = VSSB-Report KARS10603-I), indicating that the job for setting event log SMTP transfer has been started. Although the email is sent immediately, it might be delayed depending on the network condition. If the email client could not receive the email, go to the next step.

  6. Obtain a list of event logs.

    REST API: GET /v1/objects/event-logs

    CLI: event_log_list

  7. If one of the following event logs is output, take the specified action.

    | messageId | Action to be taken |
    |---|---|
    | KARS10650-W | See the specific error cause described in the Detailed Information section of the event log, verify and correct the SMTP transfer settings and outgoing SMTP server settings, and then set SMTP transfer. |
    | KARS10652-W | Import a root certificate, and then set SMTP transfer. |
    | KARS10651-W | Verify whether the root certificate has expired or is invalid, import the correct root certificate, and then set SMTP transfer. |

    If none of the above event logs exists, VSP One SDS Block has successfully transferred the email to the outgoing SMTP server. This implies that the email is not delivered for one of the following reasons, which VSP One SDS Block as an SMTP client cannot detect:

    • In the outgoing SMTP server settings specified in the SMTP transfer settings, there is a problem in the settings for relaying the email to another SMTP server.

    • In the outgoing SMTP server settings specified in the SMTP transfer settings, there is a problem in the settings for transferring the email to the POP/IMAP server.

    • A setting for the POP/IMAP server, the SMTP server for relay, the email client (or another component) is incorrect.

    • A network problem exists between components.

    The following table lists the major actions performed by VSP One SDS Block as an SMTP client and event logs notified when an error occurs. In step 7, if there is no event log that indicates SMTP transfer error, the following operations were successfully performed. If the email client cannot receive the email, refer to this table for identifying the cause.

    | Action | Event log upon error |
    |---|---|
    | If a host name is specified for smtpServerName in the SMTP transfer settings, resolve the host name. | KARS10650-W (Detailed information = Connection to the SMTP server is not established.) |
    | Establish a TCP connection with the outgoing SMTP server. | KARS10650-W (Detailed information = Connection to the SMTP server is not established.) |
    | Send the SMTP protocol EHLO command over the TCP protocol, and check the response. | KARS10650-W (Detailed information = Connection to the SMTP server is not established.) |
    | Use the SMTP protocol STARTTLS command to verify that the outgoing SMTP server allows TLS communication. | KARS10650-W (Detailed information = STARTTLS feature is not available in the SMTP server.) |
    | Make sure the outgoing SMTP server supports TLS 1.2. | KARS10650-W (Detailed information = TLS 1.2 is not available in the SMTP server.) |
    | Make sure the outgoing SMTP server supports a cipher suite that meets the requirements. Supported cipher suites: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | KARS10650-W (Detailed information = Connection to the SMTP server is not established.) |
    | Validate the server certificate of the outgoing SMTP server using the root certificate imported into VSP One SDS Block. | KARS10651-W |
    | Send the SMTP protocol EHLO command over the TLS protocol, and verify the response. | KARS10650-W (Detailed information = Connection to the SMTP server is not established.) |
    | Use the SMTP protocol AUTH command to send the smtpAuthAccount and smtpAuthPassword SMTP transfer settings and be authenticated by the outgoing SMTP server. | KARS10650-W (Detailed information = Authentication feature is not available in the SMTP server.) Or, KARS10650-W (Detailed information = Authentication is failed.) |
    | Use the SMTP protocol MAIL FROM command to send the fromAddress SMTP transfer setting and inform the outgoing SMTP server of the source address. | KARS10650-W (Detailed information = Sender address is not accepted in the SMTP server.) |
    | Use the SMTP protocol RCPT TO command to send the toAddress1, toAddress2, and toAddress3 SMTP transfer settings and inform the outgoing SMTP server of the destination addresses. | KARS10650-W (Detailed information = Recipient address is not accepted in the SMTP server.) |
    | Use the SMTP protocol DATA command to send the email title and body information to the outgoing SMTP server. | KARS10650-W (Detailed information = Sent data is not accepted in the SMTP server.) |
    | Send the SMTP protocol QUIT command. | None |

  8. (Bare metal) Back up the configuration information.

    Perform this step by referring to Backing up the configuration information (Bare metal).

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.

    CAUTION:

    After notifying an event log indicating an error (KARS10650-W, KARS10651-W, or KARS10652-W), the VSP One SDS Block SMTP transfer function suppresses further notification of an event log with the same messageId until the problem is resolved. To enable notification of an event log with the same messageId again to identify the cause when the email client cannot receive the email, perform the following procedure.

    1. In the event log SMTP transfer settings, set isEnabled to False. For any required parameters other than isEnabled, set a specifiable value.

      REST API: PATCH /v1/objects/event-log-setting

      CLI: event_log_setting_set

    2. Verify the state of the job by specifying the job ID.

      REST API: GET /v1/objects/jobs/<jobId>

      CLI: job_show

      If you receive a response indicating "Succeeded" as the state, information configured in the SMTP transfer settings has been changed or set. Wait for approximately 20 seconds until VSP One SDS Block operates as an SMTP client (according to the configuration information), and then set SMTP transfer of event logs by repeating the procedure from step 3.

    Note:
    • When the cluster master node (primary) is blocked, an email that was already sent might be sent again, depending on the timing.

    • If the same address is set for destination email addresses 1 to 3, the same email might be sent more than once, depending on the SMTP server setting.

    • You can obtain a root certificate that proves the authenticity of the server certificates set on the outgoing SMTP server by running either of the following commands.

      You can perform this for the cluster master node (primary) only.

      Run the command with the ID of the outgoing SMTP server specified.

      A root certificate is obtained as a DER file.

      REST API: GET /v1/objects/smtp-server-root-certificates/<targetServer>/download

      CLI: smtp_server_root_certificate_download
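
The client-side sequence from the table in step 7, as an added Python example (not part of the guide or of the product's code): run from an admin host, it repeats the same steps against the outgoing SMTP server and returns the messageId and detailed information that the table associates with the first step that fails. The mapping of Python exceptions to event logs, the pinning of the context to TLS 1.2, the 15-second timeout, and the names `tls_context`, `probe` and `smtp_cls` are assumptions of this example; it stops before DATA, so no email is sent.

```python
import smtplib
import ssl

# OpenSSL names of the six cipher suites the page lists as supported.
CIPHERS = ("DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
           "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
           "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256")
W = "KARS10650-W"
NO_CONN = (W, "Connection to the SMTP server is not established.")

def tls_context(root_cert=None):
    """TLS 1.2 and the listed suites only; trust root_cert (PEM or DER bytes) if given."""
    pem = root_cert is not None and root_cert.lstrip().startswith(b"-----BEGIN")
    ctx = ssl.create_default_context(cadata=root_cert.decode("ascii") if pem else root_cert)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS)
    return ctx

def probe(host, port, ctx, account, password, sender, recipients, smtp_cls=smtplib.SMTP):
    """Return (messageId, detail) for the first failing step, or None if all pass."""
    s = None
    try:
        s = smtp_cls(host, port, timeout=15)       # name resolution, TCP connect, greeting
        if s.ehlo()[0] != 250:
            return NO_CONN
        if not s.has_extn("starttls"):
            return (W, "STARTTLS feature is not available in the SMTP server.")
        s.starttls(context=ctx)                    # handshake + certificate validation
        if s.ehlo()[0] != 250:                     # EHLO again, now over TLS
            return NO_CONN
        s.login(account, password)
        if s.mail(sender)[0] != 250:
            return (W, "Sender address is not accepted in the SMTP server.")
        if any(s.rcpt(r)[0] not in (250, 251) for r in recipients):
            return (W, "Recipient address is not accepted in the SMTP server.")
        return None                                # stops before DATA: no mail is sent
    except ssl.SSLCertVerificationError:
        return ("KARS10651-W", "")                 # chain does not verify against the root
    except ssl.SSLError as e:                      # heuristic: version error vs. anything else
        no_tls12 = (W, "TLS 1.2 is not available in the SMTP server.")
        return no_tls12 if "PROTOCOL" in str(e) else NO_CONN
    except smtplib.SMTPNotSupportedError:
        return (W, "Authentication feature is not available in the SMTP server.")
    except smtplib.SMTPAuthenticationError:
        return (W, "Authentication is failed.")
    except OSError:
        return NO_CONN
    finally:
        if s is not None:
            s.close()
```

Pass the bytes of the root certificate file (PEM, or the DER file obtained with the download command above) to `tls_context`, then call `probe` with the same server, account and addresses used in the SMTP transfer settings.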