IBM Support

IJ25315: EMAILS FROM RULE RESPONSES CAN FAIL AND NOT BE SENT PROPERLY


APAR status

  • Closed as program error.

Error description

  • Due to the new SMTP changes in QRadar v7.4.0, where the relay
    host is changed to localhost, the SMTP configuration for the
    host lookup is overwritten, causing emails to not be sent
    properly.
    This can prevent emails from features such as the rule response
    from being sent.
    The following errors can be seen in the /var/log/maillog file
    when this issue is occurring:
    May 29 10:17:37 postfix/smtp[1446]: warning: relayhost configuration problem
    May 29 10:17:37 postfix/smtp[1448]: 31145B59: to=<root@user.domain.com>, relay=none, delay=435, delays=395/0.03/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
    To identify the issue, use the grep command to check whether
    the error is present, for example:
    1) grep -A1 "relayhost configuration problem" /var/log/maillog
    

Local fix

  • As a temporary workaround, you can set the smtp_host_lookup
    value from "dns" to "dns,native" in the /etc/postfix/main.cf
    file by running the following commands in the CLI on the host(s)
    where the email server is configured:
    1) sed -i "s/smtp_host_lookup = dns/smtp_host_lookup = dns,native/g" /etc/postfix/main.cf
    You will also need to change the script
    /opt/ibm/si/si-postfix/bin/configure-postfix.sh to prevent the
    postfix service from resetting the configuration by running this
    command:
    2) sed -i "s/'tls|sasl|smtp' |/'tls|sasl|smtp' | grep -v smtp_host_lookup |/g" /opt/ibm/si/si-postfix/bin/configure-postfix.sh
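
As an added example (not part of the APAR and not IBM's own tooling), the shell functions below combine the log check from the error description with a read-only check of the smtp_host_lookup value that the workaround changes. The function names are hypothetical, and the sample maillog and main.cf files are constructed, modelled on the excerpt above.

```shell
#!/bin/sh
# Added example: read-only triage helpers for the symptoms in this APAR.
# Paths are arguments, so the checks can be tried on copies of the real files.

# Count "relayhost configuration problem" warnings in a maillog file.
count_relayhost_warnings() {
    grep -c 'relayhost configuration problem' "$1" || true
}

# Unique recipients deferred because the name "localhost" did not resolve.
deferred_recipients() {
    grep 'status=deferred' "$1" | grep 'name=localhost' |
        sed -n 's/.* to=<\([^>]*\)>.*/\1/p' | sort -u
}

# Effective smtp_host_lookup value (Postfix uses the last definition).
host_lookup_value() {
    sed -n 's/^smtp_host_lookup[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# True only when the value is exactly "dns", i.e. the workaround is not applied.
needs_workaround() {
    [ "$(host_lookup_value "$1")" = "dns" ]
}

# Constructed sample files, modelled on the log excerpt in this APAR.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/maillog" <<'EOF'
May 29 10:17:37 postfix/smtp[1446]: warning: relayhost configuration problem
May 29 10:17:37 postfix/smtp[1448]: 31145B59: to=<root@user.domain.com>, relay=none, delay=435, delays=395/0.03/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
May 29 10:18:02 postfix/smtp[1450]: 4A2C1D77: to=<soc@example.com>, relay=none, delay=12, delays=2/0.01/10/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
May 29 10:19:40 postfix/smtp[1452]: 5B3D2E88: to=<ops@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=1, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
EOF
    printf 'smtp_host_lookup = dns\n' > "$SAMPLE_DIR/main.cf"
    printf 'smtp_host_lookup = dns,native\n' > "$SAMPLE_DIR/main.cf.fixed"
}

make_samples
echo "relayhost warnings: $(count_relayhost_warnings "$SAMPLE_DIR/maillog")"
echo "deferred recipients:"; deferred_recipients "$SAMPLE_DIR/maillog"
echo "smtp_host_lookup = $(host_lookup_value "$SAMPLE_DIR/main.cf")"
if needs_workaround "$SAMPLE_DIR/main.cf"; then echo "workaround not applied"; fi
```

Checking needs_workaround first avoids re-running the first sed command on a file that already reads "dns,native", where the substitution pattern would match again.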
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.2 FixPack
    2 and 7.3.3 FixPack 8.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.2 FixPack
    2 and 7.3.3 FixPack 8.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ25315

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    740

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-06-01

  • Closed date

    2021-01-28

  • Last modified date

    2021-05-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
04 May 2021