SMTP Server For Wazuh

The document provides a step-by-step guide for configuring an SMTP server for Wazuh to enable email alerts. It details the installation of Postfix as a relay server, the necessary configurations in Postfix and Wazuh, and emphasizes the importance of using App Passwords for secure authentication. The configuration enhances automated alerts, improves response times to security threats, and supports compliance requirements.


SMTP server configuration for Wazuh, with step-by-step guidelines

• Wazuh can send email alerts from the Wazuh server to one or more recipient addresses whenever a rule is triggered, or according to custom settings; this guide configures that feature.
• Routing the notifications through an authenticated SMTP relay lets administrators and clients receive alerts and daily event reports automatically, instead of polling the server.
• Wazuh does not natively support sending email through SMTP servers that require authentication, such as Gmail, Outlook or Yahoo. Instead, a local relay such as Postfix authenticates to the provider and forwards the notifications, so Wazuh only has to hand mail to localhost.
• Perform the following steps on the relay server to configure Postfix with Gmail. Run the command below to install the required packages; when the installer prompts for the mail server configuration type, select "No configuration":
apt-get update && apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
• Append these lines to /etc/postfix/main.cf (create the file if it is missing):

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

Note that smtp_use_tls = yes only enables opportunistic TLS: if STARTTLS negotiation fails, Postfix will still attempt plaintext delivery (Gmail refuses AUTH before STARTTLS on port 587, but the setting itself does not enforce encryption). On Postfix 2.3 and later, smtp_tls_security_level = encrypt makes TLS mandatory for the relay, and smtp_tls_security_level = secure additionally requires the relay's certificate to verify against smtp_tls_CAfile; when smtp_tls_security_level is set, smtp_use_tls is ignored.
• Set the sender's credentials in /etc/postfix/sasl_passwd and build the lookup database that Postfix reads. Replace <USERNAME> and <PASSWORD> with the username part of the sender's Gmail address and its password respectively:

echo [smtp.gmail.com]:587 <USERNAME>@gmail.com:<PASSWORD> > /etc/postfix/sasl_passwd

postmap /etc/postfix/sasl_passwd

Because the password is on the command line, it is recorded in the shell history (clear it afterwards, for example with history -c in bash), and the file is created with the default umask before the permissions below are tightened. Writing the file with an editor, or running umask 077 first, avoids both.

Note
The password must be a Google App Password, not the account password. App Passwords can only be created on accounts that have 2-Step Verification turned on.

• Restrict the credential files so that only root can read and write them, because /etc/postfix/sasl_passwd and /etc/postfix/sasl_passwd.db both contain the plaintext credentials:

chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

• Restart Postfix to apply the configuration changes:

systemctl restart postfix

Run the following command to test the relay:

echo "Test mail from postfix" | mail -s "Test Postfix" -r "<CONFIGURED_EMAIL>" <RECEIVER_EMAIL>

Replace:

• <CONFIGURED_EMAIL> with the sender address you configured in sasl_passwd.

• <RECEIVER_EMAIL> with the recipient's email address.

The command sends the recipient an email with the subject "Test Postfix" and the body "Test mail from postfix". If it does not arrive, check the delivery status in the Postfix log (/var/log/mail.log on Debian-based systems) and the mail queue with mailq.
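Verifying that the test mail actually went through the relay, as an added example that is not part of the original guide: the script below reads Postfix's smtp client log lines and checks, for one queue ID, that the message was accepted (status=sent), that it went to the expected relay host, that the TLS session's certificate was verified (Trusted or Verified rather than Untrusted or Anonymous), and that SASL authentication did not fail. The log excerpt embedded in it is constructed for illustration; the queue IDs, PIDs, relay IP and message IDs are made up, the function names are mine, and /var/log/mail.log is the usual Debian location but may differ on your distribution.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm from the Postfix log that
# the test message left through the authenticated, TLS-protected relay.
# SAMPLE_LOG is CONSTRUCTED: queue IDs, PIDs, the relay IP and message IDs are
# made up, but the line formats follow Postfix's smtp(8) client logging.
SAMPLE_LOG='Mar 10 12:00:01 wazuh postfix/smtp[2211]: Trusted TLS connection established to smtp.gmail.com[64.233.184.108]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 10 12:00:02 wazuh postfix/smtp[2211]: 7A1B2C3D4E: to=<soc@example.com>, relay=smtp.gmail.com[64.233.184.108]:587, delay=1.4, delays=0.02/0.01/0.7/0.7, dsn=2.0.0, status=sent (250 2.0.0 OK 1710072002 x1-20020a05 - gsmtp)
Mar 10 12:05:09 wazuh postfix/smtp[2290]: Trusted TLS connection established to smtp.gmail.com[64.233.184.108]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 10 12:05:10 wazuh postfix/smtp[2290]: 9F8E7D6C5B: SASL authentication failed; server smtp.gmail.com[64.233.184.108] said: 535-5.7.8 Username and Password not accepted.
Mar 10 12:05:10 wazuh postfix/smtp[2290]: 9F8E7D6C5B: to=<soc@example.com>, relay=smtp.gmail.com[64.233.184.108]:587, delay=0.9, delays=0.01/0.01/0.5/0.4, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[64.233.184.108] said: 535-5.7.8 Username and Password not accepted.)
Mar 10 12:09:30 wazuh postfix/smtp[2305]: Untrusted TLS connection established to smtp.gmail.com[64.233.184.108]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 10 12:09:31 wazuh postfix/smtp[2305]: C0FFEE1234: to=<nobody@example.com>, relay=smtp.gmail.com[64.233.184.108]:587, delay=1.1, delays=0.01/0.01/0.6/0.5, dsn=5.1.1, status=bounced (host smtp.gmail.com[64.233.184.108] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to RCPT TO command))'

delivery_pid() {
    # $1: log text, $2: queue ID. Prints the PID of the postfix/smtp process that
    # handled the delivery attempt, so the TLS line (which carries no queue ID)
    # can be matched to it. Empty if the queue ID never reached the smtp client.
    printf '%s\n' "$1" | awk -v qid="$2" '
        index($0, qid ": ") && match($0, /postfix\/smtp\[[0-9]+\]/) {
            print substr($0, RSTART + 13, RLENGTH - 14); exit
        }'
}

relay_status() {
    # $1: log text, $2: queue ID. Prints the status= value of the delivery
    # attempt (sent, deferred, bounced) or "unknown" if none was logged.
    printf '%s\n' "$1" | awk -v qid="$2" '
        index($0, qid ": ") && match($0, /status=[a-z]+/) {
            print substr($0, RSTART + 7, RLENGTH - 7); found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

relay_host() {
    # $1: log text, $2: queue ID. Prints the host Postfix actually relayed to.
    printf '%s\n' "$1" | awk -v qid="$2" '
        index($0, qid ": ") && match($0, /relay=[a-zA-Z0-9.-]+/) {
            print substr($0, RSTART + 6, RLENGTH - 6); exit
        }'
}

tls_level() {
    # $1: log text, $2: PID. Prints the certificate-verification level Postfix
    # logged for that process (Trusted, Verified, Untrusted, Anonymous) or
    # "none" when no TLS session was logged at all.
    printf '%s\n' "$1" | awk -v pid="$2" '
        index($0, "postfix/smtp[" pid "]: ") && index($0, " TLS connection established to ") {
            n = split($0, w, " ")
            for (i = 2; i <= n; i++) if (w[i] == "TLS") { print w[i-1]; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

sasl_failed() {
    # $1: log text, $2: queue ID. True when the relay rejected our credentials.
    printf '%s\n' "$1" | grep -q "$2: SASL authentication failed"
}

check_test_mail() {
    # $1: log text, $2: queue ID, $3: expected relay host. Prints a verdict and
    # returns 0 only when the message was accepted by the expected relay over a
    # TLS session whose certificate Postfix verified.
    pid=$(delivery_pid "$1" "$2")
    status=$(relay_status "$1" "$2")
    relay=$(relay_host "$1" "$2")
    tls=$(tls_level "$1" "$pid")
    if sasl_failed "$1" "$2"; then
        echo "$2: FAIL - $relay rejected the SASL credentials; check the App Password in /etc/postfix/sasl_passwd and rerun postmap"
        return 1
    fi
    if [ -n "$relay" ] && [ "$relay" != "$3" ]; then
        echo "$2: FAIL - relayed to $relay, expected $3 (check relayhost in main.cf)"
        return 1
    fi
    case "$status:$tls" in
        sent:Trusted|sent:Verified)
            echo "$2: OK - status=sent to $relay over $tls TLS (pid $pid)"; return 0 ;;
        sent:*)
            echo "$2: WARN - status=sent but TLS level is '$tls'; the relay certificate was not verified against smtp_tls_CAfile"; return 1 ;;
        *)
            echo "$2: FAIL - status=$status"; return 1 ;;
    esac
}

# Usage: MAIL_LOG=/var/log/mail.log sh check_relay.sh QUEUE_ID [QUEUE_ID ...]
# The queue ID is printed on the pickup/cleanup lines for the message and on
# every later line about it. Without MAIL_LOG the constructed sample is used.
if [ -n "${MAIL_LOG:-}" ]; then
    LOG_TEXT=$(cat "$MAIL_LOG")
else
    LOG_TEXT=$SAMPLE_LOG
    set -- 7A1B2C3D4E 9F8E7D6C5B C0FFEE1234
fi
for qid in "$@"; do check_test_mail "$LOG_TEXT" "$qid" smtp.gmail.com || :; done
```

An Untrusted TLS line with the configuration above usually means smtp_tls_CAfile does not contain the CA that issued the relay's certificate (for example the ca-certificates package is missing); with smtp_use_tls = yes Postfix still delivers in that state, which is why the script reports it as a warning rather than success.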

• We use the generic email option: configure email notifications inside the <global> tag of the Wazuh server's /var/ossec/etc/ossec.conf file as follows:

<global>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from><USERNAME>@gmail.com</email_from>
  <email_to><RECEIVER_EMAIL></email_to>
</global>
Where:

• <email_notification> toggles email alerting on or off.

• <smtp_server> defines the SMTP server that delivers the alerts; localhost here is the Postfix relay configured above.

• <email_from> specifies the sender address. Replace <USERNAME> with the username part of the Gmail address configured in sasl_passwd.

• <email_to> specifies the recipient of the alerts. Replace <RECEIVER_EMAIL> with the recipient's email address.

Once the above is configured, set the <email_alert_level> option in the <alerts> section of ossec.conf to the minimum rule level that should trigger an email. The default is 12; the allowed value is any integer from 1 to 16.
• Similarly, <log_alert_level> in the <alerts> section sets the minimum rule level for an alert to be written to /var/ossec/logs/alerts/alerts.log and/or /var/ossec/logs/alerts/alerts.json. The default is 3, and the allowed value is any integer from 1 to 16.
• Keep two consequences in mind, as the documentation notes: a rule whose level is below the <log_alert_level> in the <alerts> section generates no alert at all, so it cannot be emailed no matter how <email_alert_level> is set; and a rule whose level is below the <email_alert_level> in the <alerts> section is logged but no email is sent for it.

Restart the Wazuh manager to apply the changes:

systemctl restart wazuh-manager
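As an added example, not code from this guide or from Wazuh, the script below stages the <global> and <alerts> settings described above as an ossec.conf fragment, validates them before they are merged into /var/ossec/etc/ossec.conf (catching unreplaced <PLACEHOLDER> values and levels outside 1 to 16), and models how log_alert_level and email_alert_level together decide whether a given rule level is dropped, logged, or logged and emailed. The addresses and the 3/12 thresholds at the bottom are placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original guide): stage the email settings from this
# section, validate them before touching /var/ossec/etc/ossec.conf, and model how
# the two thresholds in <alerts> decide what happens to a rule of a given level.
# Addresses used in the demo at the bottom are placeholders.

render_wazuh_email_config() {
    # $1: output file, $2: sender, $3: recipient, $4: log_alert_level,
    # $5: email_alert_level. Writes the <global> block from this guide plus the
    # <alerts> block that holds both thresholds.
    cat > "$1" <<EOF
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>$2</email_from>
    <email_to>$3</email_to>
  </global>
  <alerts>
    <log_alert_level>$4</log_alert_level>
    <email_alert_level>$5</email_alert_level>
  </alerts>
</ossec_config>
EOF
}

xml_value() {
    # $1: file, $2: tag. Prints the text of the first <tag>...</tag> that sits on
    # a single line, or nothing. Enough for the flat elements used here; it is
    # not a general XML parser.
    sed -n "s/.*<$2>\(.*\)<\/$2>.*/\1/p" "$1" | head -n 1
}

is_level() {
    # True when $1 is an integer in Wazuh's 1..16 alert level range.
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 16 ]
}

validate_email_config() {
    # $1: ossec.conf or fragment. Reports every problem it finds and returns
    # non-zero if any of them would stop alerts from being emailed. Missing
    # thresholds fall back to Wazuh's defaults (log 3, email 12).
    f=$1 rc=0
    [ "$(xml_value "$f" email_notification)" = yes ] || { echo "email_notification is not 'yes'"; rc=1; }
    [ -n "$(xml_value "$f" smtp_server)" ] || { echo "smtp_server is missing"; rc=1; }
    for tag in email_from email_to; do
        case "$(xml_value "$f" "$tag")" in
            ?*@?*.?*) ;;   # crude user@host.tld shape; catches unreplaced <PLACEHOLDER>s
            *) echo "$tag is not an email address (placeholder left in?)"; rc=1 ;;
        esac
    done
    loglvl=$(xml_value "$f" log_alert_level);    [ -n "$loglvl" ]  || loglvl=3
    maillvl=$(xml_value "$f" email_alert_level); [ -n "$maillvl" ] || maillvl=12
    is_level "$loglvl"  || { echo "log_alert_level '$loglvl' is not in 1..16"; rc=1; }
    is_level "$maillvl" || { echo "email_alert_level '$maillvl' is not in 1..16"; rc=1; }
    if [ "$rc" -eq 0 ] && [ "$maillvl" -lt "$loglvl" ]; then
        echo "warning: email_alert_level ($maillvl) is below log_alert_level ($loglvl);" \
             "alerts under $loglvl are never generated, so the effective email threshold is $loglvl"
    fi
    return "$rc"
}

alert_disposition() {
    # $1: rule level, $2: log_alert_level, $3: email_alert_level.
    # Prints none, log, or log+email. A rule below log_alert_level produces no
    # alert at all, so it cannot be emailed even when it is above email_alert_level.
    if   [ "$1" -lt "$2" ]; then echo none
    elif [ "$1" -lt "$3" ]; then echo log
    else echo log+email
    fi
}

# Demo with placeholder addresses and the default 3/12 thresholds.
STAGE=$(mktemp)
render_wazuh_email_config "$STAGE" wazuh-alerts@gmail.com soc@example.com 3 12
validate_email_config "$STAGE" && echo "fragment in $STAGE is valid; merge its <global> and <alerts> into /var/ossec/etc/ossec.conf"
for lvl in 2 5 12 15; do
    echo "rule level $lvl -> $(alert_disposition "$lvl" 3 12)"
done
rm -f "$STAGE"
```

Run it before restarting wazuh-manager; the placeholder check is the one that saves the most time in practice, because an <email_to> still set to <RECEIVER_EMAIL> passes the manager's own configuration check but never produces a deliverable message.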

• Automated alerts: instead of checking logs manually, the system sends important security alerts straight to your mailbox, so critical events are not missed.
• Faster response to threats: when a security threat is detected you are notified immediately, which shortens the time to respond and reduces the chance of damage or data loss.
• Customizable notifications: the alert-level thresholds let you choose what reaches your mailbox, whether only critical events or routine reports, so you are not flooded with unnecessary email.
• Authenticated delivery: Postfix authenticates to the provider over TLS with the configured account, so alerts are sent from a known sender rather than a forged one. Note that the relay itself still accepts unauthenticated mail from the local host (permit_mynetworks), so any process on the Wazuh server can send through it; keep inet_interfaces and mynetworks limited to the local host so that other machines cannot use the relay.
• Compliance and audit support: for organizations that must meet compliance requirements, emailed alerts provide a record that security incidents were reported, which makes audits easier.
