
Focal OSSEC alerts not delivered when SMTP server requires that the From: address match the SASL-authenticated user #5916

Closed
zenmonkeykstop opened this issue Apr 28, 2021 · 2 comments · Fixed by #5924
Milestone

Comments

@zenmonkeykstop
Contributor

Description

OSSEC alerts are sent via email from the monitor server using postfix and an external SMTP server. By default under Xenial, the sender email address was [email protected]. In cases where the SMTP server requires that the email sender matches the authenticated user, an additional site-specific variable, ossec_from_address must be set - it's used to map the local address to the variable value.

This is failing under Focal. Even with ossec_from_address set, emails are being rejected due to a mismatch. It appears that Focal is using ossec@mon as the sender instead.

Steps to Reproduce

  • Set up a prod install using an SMTP server as described above, and setting ossec_from_address in the site-specific file before running the install playbook
  • observe mail log output in /var/log/mail.log on mon

Expected Behavior

  • Mail delivered as email address specified without issue

Actual Behavior

  • Mail rejected

Comments

Suggestions to fix, any other relevant information.

@zenmonkeykstop
Contributor Author

Confirmed that adding an entry for ossec@mon gets alert emails flowing again.

While it would be good to understand why this is happening, it might be worthwhile setting this by default for all new installs, and eliminating the need for the ossec_from_address setting altogether, unless there's also a case where it has to be set to something other than the sender address on the SMTP server. (None spring to mind but SES, maybe?)

@eloquence eloquence added this to the 1.8.2 milestone May 3, 2021
@zenmonkeykstop
Contributor Author

One thing to note here is that the description above assumes the Monitor Server hostname is mon - this is user-configurable, so a fix should use the actual system hostname.
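The failure mode discussed in this issue is that the sender-rewriting map only covered the old local sender address, so once the monitor server started submitting mail as ossec@<hostname> nothing rewrote it and the SMTP server rejected the mismatched From. The following is an added example (not SecureDrop's own code or its Ansible role) that simulates how a Postfix sender_canonical table is consulted, following the lookup order documented in canonical(5): full address, then the local part (only for addresses in a local domain), then @domain. The hostnames, the "alerts@example.com" target address and the "ossec@localhost" stand-in for the pre-Focal default sender are all constructed for illustration; `build_sender_canonical` derives the map from the real system hostname, as the last comment suggests a fix should.

```python
"""Simulate Postfix sender_canonical lookups to show why ossec@<hostname>
slipped past the From-address rewrite.

Added example, not SecureDrop code. Lookup order follows canonical(5).
All addresses and hostnames below are constructed for illustration.
"""
import socket


def canonical_lookup(address, table, local_domains):
    """Return the rewritten sender for `address`, or `address` unchanged.

    Postfix tries, in order: the full user@domain key, the bare user key
    (only when the domain is one of this host's local domains), and the
    @domain catch-all key.
    """
    user, _, domain = address.partition("@")
    candidates = [address]
    if domain in local_domains:
        candidates.append(user)
    candidates.append("@" + domain)
    for key in candidates:
        if key in table:
            return table[key]
    return address


def build_sender_canonical(from_address, local_hostnames=None):
    """Map every local identity OSSEC may submit mail as to `from_address`.

    Defaults to the actual system hostname so the map stays correct when the
    operator renames the monitor server (the hostname is user-configurable).
    """
    if local_hostnames is None:
        local_hostnames = [socket.gethostname()]
    return {f"ossec@{host}": from_address for host in local_hostnames}


def render_table(table):
    """Render the map in the `key<TAB>value` form Postfix hash: tables use."""
    return "\n".join(f"{key}\t{value}" for key, value in sorted(table.items())) + "\n"


if __name__ == "__main__":
    target = "alerts@example.com"          # constructed ossec_from_address
    local = {"localhost", "mon"}           # constructed local domains

    # Pre-Focal style map: only the old default sender is covered.
    old_map = {"ossec@localhost": target}  # "ossec@localhost" is a stand-in
    print("old map  :", canonical_lookup("ossec@mon", old_map, local))

    # Map that also covers ossec@<hostname>, as the comments above suggest.
    new_map = build_sender_canonical(target, ["localhost", "mon"])
    print("new map  :", canonical_lookup("ossec@mon", new_map, local))
    print(render_table(new_map), end="")
```

Run it directly to see the unrewritten `ossec@mon` with the old-style map versus the rewritten address once the hostname-derived entry is present; `render_table` shows the lines you would feed to `postmap` when building the real hash table.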
