alertmanager
Email notify with NTLM auth
What did you do?
When using alertmanager in an enterprise, which often comes with a closed network and a private email server (Exchange server), email notification with NTLM auth support is needed.
What did you expect to see?
alertmanager should send email notifications through the Exchange server
What did you see instead? Under which circumstances?
It is a known issue that alertmanager does not support NTLM auth #2051, #2007, #1777, #1573.
So I tried to implement this part of the logic to get NTLM auth working. I've tried my best not to introduce any breaking changes except the RequireTLS check, since the Exchange server also listens on port 465 but doesn't start TLS during the negotiation period.
Here is what I've done and tested ok for sending email to exchange server.
If PR is acceptable, I could make it up.
Thanks for your interest. After looking at your proposal, I (as a maintainer) don't feel ready to maintain the implementation of the NTLM authentication mechanism in this repository (especially since we won't have any test coverage). If it were an external package/library, it would be easier for us since we would have to deal with less support and bug reports.
Having said that, changing the behavior on port 465 is a breaking change. I'm also not sure why you've duplicated the standard net/smtp package in the Alertmanager project.
I'll keep the issue open for now and let other contributors chime in.
I (as a maintainer) don't feel ready to maintain the implementation of the NTLM authentication mechanism in this repository (especially since we won't have any test coverage).
Yes, I agree with you that it's relatively hard to test unless getting a MS domain controller set up.
I'm also not sure why you've duplicated the standard net/smtp package in the Alertmanager project.
That's because I need to dump the Client.Auth func out and handle the NTLM msg reply in case 334. code line
Thanks for the reply. Having to replace the smtp package by an internal copy is a no-go for the project unfortunately.
I am using 0.18, so how can I resolve it?
I deployed Prometheus inside a company that uses Exchange server, and for authentication it only provides the NTLM method. So what should I do now to use alertmanager?!! (Putting user blank does not work either; I guess sending anonymous email does not work either.)
I found a workaround: sending email with no NTLM (or any other) authentication mechanism, which is not supported by alertmanager right now. Since my company uses Exchange server, I asked the admin of the Exchange server to create a new specific "Receiver Connector" that can accept requests without any authentication and send email anonymously. Of course, for security considerations this receiver should only handle requests from the specific server that alertmanager is installed and running on (you can make this restriction by using the remote IP when creating a new Receiver connector; you can refer to this page for more info on how to configure Exchange server for this purpose: https://docs.microsoft.com/en-us/exchange/mail-flow/connectors/receive-connectors?view=exchserver-2019 )
There is no easy way to do NTLM via email in golang. Additionally, NTLM is probably not the state of the art anymore.
Hello dears! I have found an excellent workaround. Alertmanager could send email to localhost:25, and on localhost you may set up Postfix, which supports NTLM.
    yum remove sendmail
    yum install postfix
    yum install cyrus-*
Edit /etc/postfix/main.cf
    ...
    myhostname = alert1.example.com
    mydomain = example.com
    ...
    mynetworks = 172.172.172.0/24, 127.0.0.0/8
    ...
    relay_domains = some-other-domain.com, example.com
    ....
    # IP address of MS Exchange server
    relayhost = [172.172.172.100]:587
    ...
    smtp_use_tls = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_sasl_tls_security_options = noanonymous
    sender_canonical_classes = envelope_sender, header_sender
    # change sender in emails
    sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
    smtp_header_checks = regexp:/etc/postfix/header_check
Write login and password to MS Exchange account in /etc/postfix/sasl_passwd
    [172.172.172.100]:587 user:password
Then convert it to hash (with .db extension) and remove file
    postmap /etc/postfix/sasl_passwd
    rm /etc/postfix/sasl_passwd
Write sender replacement rules /etc/postfix/sender_canonical_maps
    /.+/ [email protected]
Write header replacement rules /etc/postfix/header_check
    /From:.*/ REPLACE From: [email protected]
Apply settings
    systemctl restart postfix
Send test Email
    echo test-postfix | mailx -s test-postfix [email protected]
Check Log
    cat /var/log/maillog
Setup Alertmanager in alertmanager.yml
    global:
      resolve_timeout: 5m
      smtp_smarthost: 'localhost:25'
      smtp_from: '[email protected]'
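The Postfix relay in the comment above holds an Exchange password and forwards mail for every network in mynetworks, so its main.cf is worth checking after setup. The script below is an added example, not part of the original thread: it flags opportunistic TLS (smtp_use_tls = yes without an enforcing smtp_tls_security_level), non-loopback entries in mynetworks, and a leftover or loosely permissioned sasl_passwd map. The finding names and the simplified main.cf parser are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Postfix main.cf that relays to Exchange with SASL.
# Simplified parser (assumption): plain "name = value" lines only, the last
# assignment wins, continuation lines are not handled.

# Print the effective value of parameter $2 in main.cf file $1.
postfix_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one finding per line for main.cf $1 and SASL password map $2.
audit_relay() {
    conf=$1
    map=$2

    # smtp_use_tls = yes is opportunistic TLS; only an enforcing level keeps
    # the SASL credentials from being sent when STARTTLS is not offered.
    case "$(postfix_param "$conf" smtp_tls_security_level)" in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "TLS_NOT_ENFORCED" ;;
    esac

    # Alertmanager submits from localhost; every other network listed in
    # mynetworks can also send mail through the stored Exchange account.
    for net in $(postfix_param "$conf" mynetworks | tr ',' ' '); do
        case "$net" in
            127.*|"[::1]"*) ;;
            *) echo "RELAY_OPEN_TO $net" ;;
        esac
    done

    # The plaintext source file should be gone after postmap, and the
    # generated .db should carry no group or world permission bits.
    if [ -e "$map" ]; then
        echo "PLAINTEXT_PASSWORD_FILE $map"
    fi
    if [ -e "$map.db" ]; then
        case "$(ls -ld "$map.db")" in
            -???------*) ;;
            *) echo "LOOSE_PERMS $map.db" ;;
        esac
    fi
    return 0
}

# Stand-alone use: sh audit.sh /etc/postfix/main.cf /etc/postfix/sasl_passwd
if [ "$#" -eq 2 ]; then audit_relay "$1" "$2"; fi
```

On a live host, `postconf -h smtp_tls_security_level` reports the value Postfix actually uses, including defaults that a file parser cannot see.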
@n27051538 Thank you for your post. You saved me, and it works!