000035172 - RSA Netwitness SMTP notification messages are not reaching the recipient mailboxes

Document created by RSA Customer Support Employee on May 24, 2017
Version 1

Article Content

Article Number: 000035172
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics
RSA Version/Condition: 10.6.x.x
 
Issue
  • None of the global SMTP notifications for reporting engine alerts or for event-source monitoring policies work.
  • The article assumes that there is no problem with the SMTP configuration in the SA UI under Administration > System > Global Notifications > Servers, or under Administration > System > Email.
  • The article assumes that your SA head-server is able to reach your SMTP server over port 25.
Cause
1- The postfix email message queue grows beyond the threshold limit: a large number of outgoing email notification messages pile up in the directory /var/spool/postfix/maildrop on the SA head-server.
Below is a demonstration of the issue:
[root@sa-server maildrop]# pwd
/var/spool/postfix/maildrop
[root@sa-server maildrop]# ls -1 | wc -l
963

 
Resolution
1- Start the postfix service again on the SA head-server using the command:
[root@sa-server maildrop]# postfix start
postfix/postfix-script: starting the Postfix mail system

2- You'll notice that the number of buffered SMTP notification messages drops:
[root@sa-server maildrop]# ls -1 | wc -l
683
[root@sa-server maildrop]# ls -1 | wc -l
670
[root@sa-server maildrop]# ls -1 | wc -l
535
[root@sa-server maildrop]# ls -1 | wc -l
519
[root@sa-server maildrop]# ls -1 | wc -l
506
[root@sa-server maildrop]# ls -1 | wc -l
493
[root@sa-server maildrop]# ls -1 | wc -l
0
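The manual `ls -1 | wc -l` checks above can be scripted so that a stalled alert-notification queue is noticed before notifications go missing. This is an added example, not part of the RSA article: the function names and the default threshold of 100 are assumptions, while the maildrop path and the `postfix` command come from the article.

```shell
#!/bin/sh
# Added example (not from the RSA article): health check for the maildrop backlog.
MAILDROP="${MAILDROP:-/var/spool/postfix/maildrop}"  # path from the article
THRESHOLD="${THRESHOLD:-100}"                        # assumed value, tune per site

# Count regular files in a queue directory without parsing ls output.
maildrop_count() {
    find "$1" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' '
}

# Print "backlog" when the directory holds more than $2 files, else "ok".
maildrop_state() {
    if [ "$(maildrop_count "$1")" -gt "$2" ]; then echo backlog; else echo ok; fi
}

# Compare two samples of the count: "empty", "draining" or "stalled".
drain_trend() {
    if [ "$2" -eq 0 ]; then echo empty
    elif [ "$2" -lt "$1" ]; then echo draining
    else echo stalled
    fi
}

# Succeeds only when the postfix command exists and reports a running system.
postfix_running() {
    command -v postfix >/dev/null 2>&1 && postfix status >/dev/null 2>&1
}

# Sample the queue twice, $3 seconds apart, and print a one-line summary.
check_maildrop() {
    first=$(maildrop_count "$1")
    sleep "$3"
    second=$(maildrop_count "$1")
    if postfix_running; then pf=running; else pf=stopped; fi
    echo "postfix=$pf count=$second state=$(maildrop_state "$1" "$2")" \
         "trend=$(drain_trend "$first" "$second")"
}

# Usage on the head-server (as root): check_maildrop "$MAILDROP" "$THRESHOLD" 10
```

A summary of `postfix=stopped state=backlog trend=stalled` corresponds to the condition shown in the Cause section, and `trend=draining` followed by `trend=empty` corresponds to the counts seen after `postfix start`.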

 
