Troubleshooting
Problem
Notification emails can fail to send due to the error message "timed out while receiving the initial server greeting" found in the /var/log/maillog file.
Cause
IBM QRadar can send encrypted emails over STARTTLS on port 587 only and if this port is disabled it can cause a timed-out error while receiving the initial server greeting.
Diagnosing The Problem
If email notifications are not working, search the logs for an error containing "initial server greeting" by using the following command:
grep -i "initial server greeting" /var/log/maillog | less
If you get this output, then follow the steps in Resolving The Problem:
<HOSTNAME> postfix/error[25535]: 2351D1800D56: to=<EMAIL_ADDRESS>, relay=none, delay=2999, delays=2999/0/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: conversation with <MAIL_SERVER>[<IP>] timed out while receiving the initial server greeting)
<HOSTNAME> postfix/error[25499]: 55B2718001D3: to=<EMAIL_ADDRESS>, relay=none, delay=0.05, delays=0.04/0/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: conversation with <MAIL_SERVER>[<IP>] timed out while receiving the initial server greeting)
Resolving The Problem
- SSH into the QRadar console.
- Verify with telnet on port 25.
The correct greeting looks something similar to.telnet MAIL_SERVER_IP 25220 MAIL_SERVER ESMTP MAIL Service ready at ... - If there is no greeting message, the email server needs to be configured to support both connections SMTPS (465) and STARTTLS (587) bi-directionally. Administrators can contact their mail server team to check whether ports 465 and 587 are open on the email server.
- Administrators must also check with their network, or firewall teams to confirm ports 465 and 587 are open between the QRadar server and the email server.
Results
After the ports are opened, then Administrators can wait for the scheduled email notifications to be delivered.
If you are still having an issue, contact support.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtmAAA","label":"Reports"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
21 November 2022
UID
ibm16839441