Incoming mail
It is necessary to configure incoming mail for FireFlow, in order to enable users to do the following:
- Submit change requests to FireFlow via email.
- Add comments to change requests by replying to FireFlow system-generated emails.
To configure incoming mail for FireFlow using basic or modern authentication, see Run the FireFlow setup program.
Alternatively, if no mailbox protocol can be used, see Configure sendmail to receive forwarded emails as an MTA below.
Incoming mail configuration methods
FireFlow supports the following methods for retrieving incoming mail:

Method | Authentication and prerequisites | Configure / troubleshoot
Configure incoming emails using POP3 and/or IMAP4 | Basic authentication (username and password). Prerequisite: a mailbox defined for the FireFlow server (for example, [email protected]). | To configure: see Run the FireFlow setup program. For troubleshooting: see Troubleshoot basic authentication.
Configure incoming emails using the Microsoft Graph API | Modern authentication (OAuth 2.0). Supported only for MS Exchange Online. Prerequisite: the application registration and mailbox described in Setup MS Exchange Online server for incoming mail. | To configure: see Run the FireFlow setup program. For troubleshooting: see Troubleshoot modern authentication.
Configure sendmail to receive forwarded emails as an MTA | No mailbox login: the organization's mail server forwards mail to sendmail on the FireFlow server. Use this method if Microsoft Graph API, POP3 and IMAP4 access are not supported by your organization's email server, or not allowed by your organization's security policy. | To configure: see Configure sendmail to receive forwarded emails as an MTA. For troubleshooting: see Troubleshoot issues with sendmail.
Setup MS Exchange Online server for incoming mail
The following steps explain how to configure the MS Exchange Online server for incoming mail. For details about working with MS Exchange Online, see the Microsoft documentation.
Do the following:
- In MS Exchange Online, get your existing Azure Active Directory Tenant ID. You will need this for the FireFlow setup.
- Register a new application and get its Client ID. You will need this for the FireFlow setup.
- Add permissions to the application for Microsoft Graph, and grant admin consent for them:
  - Application: Mail.ReadWrite
  Note: An application permission is not tied to any signed-in user, so this allows the application to access ALL the mailboxes in the tenant. Be sure to follow the next few steps to limit access to only specific mailboxes.
- Create a user, or select an existing user with a mailbox, from which FireFlow pulls emails (for example, [email protected]). You will need the UPN of this user for the FireFlow setup.
- To limit application access to this specific user's mailbox only:
  - Create a mail-enabled security group and add the user from the previous step to it.
  - Limit application access to the security group only (in Exchange Online this is an application access policy; creating it requires the application's Client ID and the security group's UPN, and the policy can take up to about 30 minutes to take effect).
- Create a Client Secret for the application. You will need this for the FireFlow setup.
Important: Be careful with the Client Secret. Treat it like you would any other sensitive password.
Note: When the Client Secret expires you will need to create a new one and run the FireFlow setup again. To keep email functionality working correctly, we recommend generating and deploying a new Client Secret before it expires.
Configure sendmail to receive forwarded emails as an MTA
This solution involves configuring the organization’s main email server to forward emails that are addressed to FireFlow to the MTA running on the FireFlow server.
The outcome is that all emails sent to the FireFlow email address ([email protected]) are automatically forwarded to the address on the FireFlow server ([email protected]). The emails are received by the MTA running on the FireFlow server (sendmail) and processed by FireFlow.
Do the following:
- Create a DNS entry (MX record) for the FireFlow server on the organization's main DNS server (for example, fireflow.mycompany.com).
- Log in to the FireFlow server using the username "root" and the related password.
- If sendmail is not configured to listen on external interfaces, do the following:
  - Enter the following commands to back up the current sendmail configuration and then edit it:
    cp -p /etc/mail/sendmail.mc /etc/mail/sendmail.mc_bkp
    cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf_bkp
    vi /etc/mail/sendmail.mc
  - Comment out the DAEMON_OPTIONS line that binds sendmail to the loopback address only, by adding a dnl # prefix, so that it reads:
    dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
    With this line disabled, sendmail listens for SMTP on all interfaces. Restrict port 25 to the organization's mail server with iptables, and grant RELAY only to that server's address in /etc/mail/access (see the troubleshooting steps below).
  - Save the file and exit vi.
  - Enter the following command to compile the sendmail configuration:
    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
- Use the algosec_conf script to configure the hostname to be the same as the FireFlow server's DNS entry name.
  For more details, see Configure ASMS machines.
- Configure sendmail to process emails that are sent to the FireFlow server's address ([email protected]) using fireflow-mailgate, by doing the following:
  - Enter the following commands to back up the current aliases, place fireflow-mailgate in the sendmail restricted shell (smrsh) directory, and then edit the aliases file:
    cp -p /etc/aliases /etc/aliases_bkp
    cp -p /etc/aliases.db /etc/aliases.db_bkp
    ln -s /usr/share/fireflow/local/bin/fireflow-mailgate /etc/smrsh/
    vi /etc/aliases
  - Add the following line to the end of the file:
    fireflow: "|/etc/smrsh/fireflow-mailgate"
  - Save the file and exit vi.
  - Enter the following command to compile the aliases file:
    newaliases
  - Restart sendmail, by entering the following command:
    /etc/init.d/sendmail restart
To verify that sendmail was configured correctly, submit a request by sending an email to the FireFlow server's email address.
FireFlow should create a new change request within a couple of minutes.
If emails are not reaching FireFlow, do the following:
- Configure sendmail to accept relayed messages from the organization's main SMTP server, if necessary, by doing the following:
  - Enter the following commands to back up the current access file and then edit it:
    cp -p /etc/mail/access /etc/mail/access_bkp
    cp -p /etc/mail/access.db /etc/mail/access.db_bkp
    vi /etc/mail/access
  - Add a line to the file, allowing RELAY from the SMTP server's IP address only (not from a network prefix, which would make the FireFlow server an open relay for that whole network).
    For example, if the SMTP server's IP address is 192.168.2.34, the line should appear as follows:
    192.168.2.34 RELAY
  - Save the file and exit vi.
  - Enter the following command to compile the access file:
    makemap hash /etc/mail/access.db < /etc/mail/access
- Check whether sendmail is configured to listen on external interfaces, by doing one of the following:
  - Try to connect to the FireFlow server on port 25, by entering the following command on another machine:
    telnet <SERVER> 25
    Replace <SERVER> with the FireFlow server's IP address.
    If the connection does not succeed, then sendmail is not configured to listen on external interfaces (or port 25 is blocked by iptables).
  - Check whether a process is listening on port 25 on an interface other than 127.0.0.1, by entering the following command on the FireFlow server:
    netstat -ant | grep ':25 .*LISTEN'
    If the only line shows 127.0.0.1:25, then sendmail is not configured to listen on external interfaces.
- Sometimes the specific setup requires additional steps to configure incoming email as MTA:
  - Add the DNS name of the FireFlow server to /etc/mail/local-host-names.
  - Add the following lines to the sendmail configuration (m4 quotes are a backtick and a single quote):
    define(`MAIL_HUB', `DOMAIN.com')dnl
    define(`LOCAL_RELAY', `DOMAIN.com')dnl
  - Create an email address matching what is being forwarded and assign it to the FireFlow Linux user.
  - Change the DAEMON_OPTIONS entry in the sendmail configuration to use the external IP instead of localhost.
  - Allow incoming SMTP (TCP port 25) through iptables, from the organization's mail server.
Note: All sendmail output is written to the log file /var/log/maillog. This file is useful for troubleshooting purposes.
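The sendmail procedure above is a sequence of hand edits that are easy to get subtly wrong (a second alias line, a RELAY entry for a whole prefix, a forgotten backup). The script below is an added example, not AlgoSec's code: it performs the same steps as idempotent functions that take the files they change as arguments, so they can be tried on copies of sendmail.mc, aliases and access before being applied to /etc/mail, and it validates the relay address as a single IPv4 address before writing it. The paths, the "fireflow" alias and the fireflow-mailgate location are the ones given on this page; the apply_on_this_host function runs the real m4, newaliases, makemap and restart steps and is only meant for root on the FireFlow server.

```shell
#!/bin/sh
# Added example (not AlgoSec code): the sendmail MTA steps above as idempotent
# functions that take the files they change as arguments, so they can be tried
# on copies before being applied to /etc/mail.
set -u

# Keep one backup next to the file (the cp -p step), never overwriting it.
backup_once() {
    if [ -e "$1" ] && [ ! -e "${1}_bkp" ]; then cp -p "$1" "${1}_bkp"; fi
}

# 0 if sendmail.mc no longer binds the SMTP daemon to 127.0.0.1 only.
listener_is_open() {
    ! grep -q '^DAEMON_OPTIONS(.*Addr=127\.0\.0\.1' "$1"
}

# Comment out (dnl #) the loopback-only DAEMON_OPTIONS line; harmless if already done.
open_smtp_listener() {
    backup_once "$1"
    sed -i 's/^DAEMON_OPTIONS(.*Addr=127\.0\.0\.1.*/dnl # &/' "$1"
}

# Deliver mail for the "fireflow" alias to fireflow-mailgate (via smrsh), once.
add_fireflow_alias() {
    aliases=$1; mailgate=$2
    backup_once "$aliases"
    grep -q '^fireflow:' "$aliases" || printf 'fireflow: "|%s"\n' "$mailgate" >> "$aliases"
}

# Strict dotted-quad check: only a single, validated address goes into the
# access map, never a network prefix (which would relay for a whole subnet).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# 0 if the access file already relays for exactly this address.
relay_allowed() {
    awk -v ip="$2" '$1 == ip && $2 == "RELAY" { f = 1 } END { exit !f }' "$1"
}

# Grant RELAY to the organization's SMTP server only.
allow_relay_from() {
    access=$1; ip=$2
    is_ipv4 "$ip" || { echo "refusing to add '$ip': not an IPv4 address" >&2; return 1; }
    backup_once "$access"
    relay_allowed "$access" "$ip" || printf '%s\tRELAY\n' "$ip" >> "$access"
}

# 0 if something listens on TCP 25 on an address other than loopback.
smtp_listening_externally() {
    ss -ltn 2>/dev/null | awk '$4 ~ /:25$/ && $4 !~ /^127\.0\.0\.1:/ { f = 1 } END { exit !f }'
}

# Apply everything to the live configuration (run as root on the FireFlow server).
apply_on_this_host() {
    smtp_server_ip=$1
    backup_once /etc/mail/sendmail.cf
    open_smtp_listener /etc/mail/sendmail.mc
    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    ln -sf /usr/share/fireflow/local/bin/fireflow-mailgate /etc/smrsh/fireflow-mailgate
    backup_once /etc/aliases.db
    add_fireflow_alias /etc/aliases /etc/smrsh/fireflow-mailgate
    newaliases
    backup_once /etc/mail/access.db
    allow_relay_from /etc/mail/access "$smtp_server_ip"
    makemap hash /etc/mail/access.db < /etc/mail/access
    /etc/init.d/sendmail restart
    smtp_listening_externally && echo "sendmail is listening on an external interface"
}

if [ $# -eq 1 ]; then apply_on_this_host "$1"; fi
```

Invoke it as root with the main SMTP server's address (for example `./fireflow_mta.sh 192.168.2.34`); running it a second time changes nothing, and a hostname or prefix in place of the address is rejected before the access file is touched.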
Troubleshoot basic authentication
Note: Regardless of which method you choose, you must first define an email account for the FireFlow server, such as [email protected].
If you run into any issues, troubleshoot them as follows:
- Log in to the FireFlow server using the username root.
- Ensure that the configuration file /home/fireflow/.fetchmailrc is owned by user "fireflow" and that only this user has read/write permissions for the file (the file holds the mailbox password).
  - Check the file's current owner and permissions, by entering the following command:
    ls -l /home/fireflow/.fetchmailrc
  - If the owner and/or permissions require changing, enter the following commands:
    chown fireflow:fireflow /home/fireflow/.fetchmailrc
    chmod 600 /home/fireflow/.fetchmailrc
- Open the file /home/fireflow/.fetchmailrc.
- Do one of the following:
  - To configure fetchmail for POP3, add the following line in the file:
    poll <SERVER> protocol POP3 user <USER> pass <PASSWORD> mda "/usr/share/fireflow/local/bin/fireflow-mailgate"
  - To configure fetchmail for POP3 over SSL, add the following line in the file:
    poll <SERVER> protocol POP3 port <PORT> user <USER> pass <PASSWORD> ssl mda "/usr/share/fireflow/local/bin/fireflow-mailgate"
  - To configure fetchmail for IMAP, add the following line in the file:
    poll <SERVER> protocol IMAP user <USER> pass <PASSWORD> mda "/usr/share/fireflow/local/bin/fireflow-mailgate"
  In each case, replace the parameters as follows:
  <SERVER> - The email server's IP address or hostname
  <PORT> - The relevant port for the protocol used (for POP3 over SSL, usually 995)
  <USER> - The username required for accessing the mailbox (for example, [email protected])
  <PASSWORD> - The password required for accessing the mailbox
  Note: Prefer the SSL variant, and add the sslcertck option after ssl so that fetchmail verifies the server's certificate instead of accepting any certificate.
- Save the file.
- Ensure that the crontab of user "fireflow" runs fetchmail every 1 minute, by doing the following:
  - Enter the following command:
    crontab -u fireflow -l
    You should see the following line:
    */1 * * * * /usr/bin/fetchmail --silent
    The line should not be commented out by a # prefix.
  - If such a line does not exist, or if it is commented out, then edit the crontab of user "fireflow" by entering the command:
    crontab -u fireflow -e
- To verify that fetchmail was configured correctly, submit a request by sending an email to the incoming mail email address.
  FireFlow should create a new change request within a couple of minutes.
Note: All fetchmail output is written to the log file /var/log/fetchmail.log, when it is executed without the --silent flag. This file is useful for troubleshooting purposes.
Troubleshoot modern authentication
Note: Regardless of which method you choose, you must first define an email account for the FireFlow server, such as [email protected].
If you run into any issues, troubleshoot them as follows:
- Log in to the FireFlow server using the username root.
- Ensure that the configuration file /home/fireflow/.wsgetmail.json is owned by user "fireflow" and that only this user has read/write permissions for the file (the file holds the encrypted Client Secret).
  - Check the file's current owner and permissions, by entering the following command:
    ls -l /home/fireflow/.wsgetmail.json
  - If the owner and/or permissions require changing, enter the following commands:
    chown fireflow:fireflow /home/fireflow/.wsgetmail.json
    chmod 600 /home/fireflow/.wsgetmail.json
- Open the file /home/fireflow/.wsgetmail.json.
- Check that client_id, tenant_id and username match the application registration and mailbox user you created in Exchange Online (the secret is stored encrypted by the setup program and is not edited by hand):
  {
  "client_id": "<Client ID>",
  "tenant_id": "<Tenant ID>",
  "secret": "[encrypted]",
  "global_access": 1,
  "username": "<UPN of user for incoming mail>",
  "folder": "Inbox",
  "command": "/usr/share/fireflow/local/bin/fireflow-mailgate",
  "command_args": "",
  "command_timeout": 30,
  "action_on_fetched": "mark_as_read"
  }
- Save the file.
- Ensure that the crontab of user "fireflow" runs fireflow-wsgetmail.pl every 1 minute, by doing the following:
  - Enter the following command:
    crontab -u fireflow -l
    You should see the following line:
    */1 * * * * BASH_ENV=/etc/profile bash -c "/usr/share/fireflow/local/bin/fireflow-wsgetmail.pl &>> /var/log/wsgetmail.log"
    The line should not be commented out by a # prefix.
  - If such a line does not exist, or if it is commented out, then edit the crontab of user "fireflow" by entering the command:
    crontab -u fireflow -e
- To verify that fireflow-wsgetmail.pl was configured correctly, submit a request by sending an email to the incoming mail email address.
  FireFlow should create a new change request within a couple of minutes.
Note: All fireflow-wsgetmail.pl output is written to the log file /var/log/wsgetmail.log. By adding the --debug flag to the cron entry, more details appear in the log:
*/1 * * * * BASH_ENV=/etc/profile bash -c "/usr/share/fireflow/local/bin/fireflow-wsgetmail.pl --debug &>> /var/log/wsgetmail.log"
Note: When the Client Secret expires you will need to create a new one and run the FireFlow setup again. To keep email functionality working correctly, we recommend generating and deploying a new Client Secret before it expires.
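Both troubleshooting procedures above (basic authentication with .fetchmailrc, modern authentication with .wsgetmail.json) come down to the same three checks: the credential file is private to the fireflow user, the values in it are well-formed, and an uncommented every-minute cron entry runs the fetcher. The script below is an added example, not AlgoSec's code: it implements those checks as functions that take the file, the expected owner and the crontab text as arguments, so they can be exercised on copies, plus a check_live function that runs them against the real files. It assumes GNU stat and sed, the owner "fireflow", mode 600, the cron commands exactly as quoted on this page, and that .wsgetmail.json is written one key per line as shown above.

```shell
#!/bin/sh
# Added example (not AlgoSec code): ownership, permission, content and cron
# checks for /home/fireflow/.fetchmailrc and /home/fireflow/.wsgetmail.json.
set -u

# 0 if the file is owned by $2 (a user name or numeric uid) and nobody else can
# read or write it (.fetchmailrc holds the mailbox password, .wsgetmail.json the
# client secret).
is_private_to() {
    file=$1; owner=$2
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    if [ "$(stat -c '%U' "$file")" != "$owner" ] && [ "$(stat -c '%u' "$file")" != "$owner" ]; then
        echo "$file: owned by $(stat -c '%U' "$file"), expected $owner" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    case $mode in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# The chown/chmod fix from the steps above.
make_private_to() {
    chown "$2" "$1" && chmod 600 "$1"
}

# 0 if the crontab text on stdin has an active (not commented out) entry that
# runs $1 every minute (*/1 or * in the minute field).
cron_runs_every_minute() {
    grep -v '^[[:space:]]*#' | grep -F -- "$1" |
        grep -Eq '^\*(/1)?([[:space:]]+\*){4}[[:space:]]'
}

# Pull a "key": "value" string out of .wsgetmail.json (one pair per line, as
# the setup program writes it); good enough here, not a general JSON parser.
json_string() {
    sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Sanity-check the hand-editable fields of .wsgetmail.json: GUID-shaped ids,
# a UPN for the mailbox user, the mailgate command, and a non-empty secret.
wsgetmail_json_sane() {
    f=$1; rc=0
    for key in client_id tenant_id; do
        json_string "$f" "$key" |
            grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
            { echo "$f: $key is not a GUID" >&2; rc=1; }
    done
    json_string "$f" username | grep -Eq '^[^@]+@[^@]+$' || { echo "$f: username is not a UPN" >&2; rc=1; }
    [ "$(json_string "$f" command)" = /usr/share/fireflow/local/bin/fireflow-mailgate ] ||
        { echo "$f: command is not fireflow-mailgate" >&2; rc=1; }
    [ -n "$(json_string "$f" secret)" ] || { echo "$f: secret is empty" >&2; rc=1; }
    return $rc
}

# Run all checks on the live files (as root on the FireFlow server).
check_live() {
    rc=0
    for f in /home/fireflow/.fetchmailrc /home/fireflow/.wsgetmail.json; do
        [ -e "$f" ] && { is_private_to "$f" fireflow || rc=1; }
    done
    [ -e /home/fireflow/.wsgetmail.json ] && { wsgetmail_json_sane /home/fireflow/.wsgetmail.json || rc=1; }
    crontab -u fireflow -l 2>/dev/null | cron_runs_every_minute /usr/bin/fetchmail ||
    crontab -u fireflow -l 2>/dev/null | cron_runs_every_minute fireflow-wsgetmail.pl ||
        { echo "no active every-minute cron entry for fetchmail or fireflow-wsgetmail.pl" >&2; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run `./check_incoming_mail.sh --live` as root; every failed check is reported on stderr and the exit status is non-zero, which makes it usable from the same cron that runs the fetcher.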