Issue description   

Prerequisites   

• Proper network connectivity between Eventlog Analyzer and the email service provider.
• Port level connectivity to the mail server is necessary in case of SMTP Service Configuration.
• In case of SMTP-based authentication, it is required for the user account to have Send As permission for the email address specified in the From section.
• In case of Microsoft API-based configuration or SMTP-OAuth configuration, make sure to enter the Client Secret Value properly.
• Make sure to use a valid email user account that is not configured with MFA in M365.

Possible causes   

• Eventlog Analyzer server is unable to reach the SMTP Server.
• The SMTP Server details could be incorrect.
• The SMTP Server may not support basic authentication.
• The user account provided for the Authentication purpose may not have send as permission for the User Account specified in the From address.
• Incorrect security protocol chosen (TLS/SSL/None)
• SmtpClientAuthentication is disabled for the tenant (for Microsoft email service)
• Application-specific password required Error because the Gmail account being enabled with two-step verification for Authentication.

• Invalid client secret value supplied
• Redirect URI mismatch
• Client secret value expired
• PKIX path building failed due to certificate missing in Product CACERT file.

• Connectivity to the API Endpoints is not available.
• OAuth Scope is not given properly. 

Resolution steps

1. Verify the connectivity between Eventlog Analyzer server and the SMTP Server.
2. To check the same, open Powershell within the Eventlog Analyzer server and execute the test-netconnection command as follows.
   

tnc <SMTPServerIP/Hostname> -p <SMTPServicePortNumber>

1. For example
   

tnc 10.10.10.10 -p 25

1. If the connectivity test fails, we request you to fix the connection and try again.
2. If the connectivity test succeeds, then please proceed with executing the SMTP Powershell command given below to simulate a sample email send activity.

Note: Based on the results displayed in the Powershell, appropriate resolutions can be suggested.

Steps:

• Login to the server where Eventlog Analyzer is installed on
• Open Powershell as an administrator
• Enter the commands below to verify if SMTP credentials work natively
• Depending on the Security Protocol that the client's SMTP Server accepts, you can choose either one of the three powershell commands

➤ 
When "Use Secure Connection"=NONE:-

Send-MailMessage -To "<to-mail@server.com>" -From "<from-mail@server.com>" -Subject "<subject>" -SmtpServer "<smtpserver>" -port <port> -Credential "<username>"

Example :-

Send-MailMessage -To "totesting@test.com" -From "fromtesting@test.com" -Subject "test subject" -SmtpServer "smtp.testserver.com" -port 587 -Credential "fromtesting@test.com

➤ 
When "Use Secure Connection"=TLS,

[System.Net.ServicePointManager]::SecurityProtocol = 'Tls,TLS11,TLS12'

Send-MailMessage -To "<to-mail@server.com>" -From "<from-mail@server.com>" -Subject "<subject>" -SmtpServer "<smtpserver>" -port <port> -Credential "<username>" -UseSsl

➤ 
When "Use Secure Connection"=SSL,

[System.Net.ServicePointManager]::SecurityProtocol = 'Ssl3'

Send-MailMessage -To "<to-mail@server.com>" -From "<from-mail@server.com>" -Subject "<subject>" -SmtpServer "<smtpserver>" -port <port> -Credential "<username>" -UseSsl

1. Replace the fields surrounded by angular brackets. For example :-

Send-MailMessage -To "totesting@test.com" -From "fromtesting@test.com" -Subject "test subject" -SmtpServer "smtp.testserver.com" -port 587 -Credential "fromtesting@test.com -UseSSL

1. If you receive the following errors when executing the above scripts via Poweshell, please find the next course of action

• Operation timed out

In case of timeout error, this could mostly be due to connectivity issue between Eventlog Analyzer server and the SMTP Server.

Kindly check the connectivity between the SMTP Server and Eventlog Analyzer server.

Look out for any network firewall level restriction that could potentially prevent the connections.

Once you have identified the restriction, you may run either the test-netconnection or the send-mailmessage command to validate the connectivity.

• Could not resolve host 

When the email server could not be resolved by the hostname, customers can be suggested to check the DNS Server entries for the record. After the DNS Entry related issue is rectified, the connection to SMTP Service will be successful.

• The SMTP Server requires a secure connection or the client was not authenticated

When the supplied credentials is incorrect/Invalid or the -credential parameter could be missing in the powershell Send-MailMessage command.

If the test email was sent successfully via Powershell script please proceed to next step.

1. Based on the error trace displayed in the UI, most of the mail server configuration errors shall be troubleshot.

• The SMTP Server may not support basic authentication
  
• In this scenario, it is required to validate the method of authentication supported by the SMTP Server.
• In case where SMTP Server only supports modern authentication, kindly refer to this article and set up the OAuth details accordingly.
• If SMTP Client Authentication is not supported by the Email Service Provider (Microsoft), customers may prefer to use API-based mail service configuration in Eventlog Analyzer or enable SMTP Client Authentication as per this Microsoft article.
  
• The user account provided for the authentication purpose may not have send as permission for the user account specified in the From address
• It is required for the user account specified in the Username field under the uathentication section to have Send As Permission to send emails impersonating the email address specified in From Address section.
• For Exchange on-premises, customers may refer to this article.
• For Exchange Online, customers may refer to this article.
• For Google Mail Service, customers may refer to this article.
  
• Incorrect security protocol chosen (TLS/SSL/None)
• Depending on the security protocol supported by the SMTP Server, the appropriate one can be chosen.
• For example, in the Serverout, the below-mentioned error traces can be found.
  
• Must issue a STARTTLS command first
• javax.mail.MessagingException: Could not convert socket to TLS;
• Unrecognized SSL message, plaintext connection
  
• The user credentials were incorrect
• Error: authentication failed and Authentication unsuccessful
• Application-specific password required
• In case of Google Workspace, an app-specific password is to be used when the user account used for authentication has two-factor authentication enabled.
• Customers may refer to this document and generate the application specific password and enter the same in the Password Section.
  
• Invalid client secret value supplied
• It is required to choose the correct client secret value.
• For Microsoft, the client secret value is available under the value column as depicted below.
  

• For Google, it is required to download a JSON File containing the value of Client Secret. 

• Redirect URI mismatch
  
• When Eventlog Analyzer is accessed using Local IP Address or Localhost URL, the connection to the SMTP Service using modern authentication will fail if the Redirect URL is not included.
• To fix this, make sure all the necessary redirect URLs are included in the respective Google or Microsoft Application section.
• For example, in case of Microsoft, the below-mentioned URLs are to be included.
  
• https://identitymanager.manageengine.com/api/public/v1/oauth/redirect
• protocol://localhost:port_number/context_if_any/RestAPI/WC/OAuthSetting (Sample URL, http://localhost:8400/event/RestAPI/WC/OAuthSetting)
• In case of Google Workspace, these URLs are to be included.
• https://identitymanager.manageengine.com/api/public/v1/oauth/redirect
• protocol://localhost:port_number/context_if_any/RestAPI/WC/OAuthSetting (Sample URL - http://localhost:8400/event/RestAPI/WC/OAuthSetting)
  
• Account specified is configured with multi-factor authentication.
• The account specified in the Authentication section should not be configured with MFA.
• As a workaround, it is required to remove the MFA configuration for the user account being used.
• For Microsoft Exchange online service, customer could make use of trusted IPs or conditional access options. Reference link
  

• Client secret value expired:

• In this scenario, customer is required to create a new client secret value with renewed validity

• PKIX Path Building Failed: Unable to find valid certification path to requested target:
  
• This error happens when the target SMTP Service SSL Certificate is not trusted by the Eventlog Analyzer JVM.
• To fix this, it is required to import the SMTP Server SSL Certificate to the CACERTS file of Eventlog Analyzer
• For more details on the steps to execute the Keytool command and import the necessary SSL Certificates to Cacerts file, kindly refer to the steps listed below.
  
• keytool -import -alias Mailserver -keystore "<Eventlog Analzyer Home>/jre/lib/security/cacerts" -file "path-to-certificate-file"
• In the place of "path-to-certificate-file" the location of the Mail Server Certificate is to be specified.
  

3. API Mail service related cases:
1. Connectivity to the API Endpoints is not available.
1. In this scenario, it is required for the Eventlog Analyzer server to have access to the Internet
2. Microsoft Endpoints are listed in this article, customers shall add the exclusion to the firewall.
3. Google Workspace related API Endpoints are included in this article.
2. Insufficient API Scope Permission
1. This happens when the API Scope given does not match the scope recommended by Eventlog Analyzer.
2. For Microsoft, it is required for the API Application to be given "Mail.Send" permission with Admin Consent.
3. In case of Google Workspace, it is required to give Access to the Scope "https://mail.google.com" 

Related topics and articles

1. Notification Settings

How to reach support