Hello Bros,

This message is in regards to getting the notification types ACTION_EMAIL and ACTION_EMAIL_ADMIN to actually send an email.

I tried getting on IRC and noone replied, and I’ve tried everything.

First, let me say that I know bro can send emails with sendmail because when bro crashes I get messages from my server and I’ve also tested manually sending an email with sendmail.

I’ve been testing this with the Weak_Keys bro script to detect any SSL/TLS keys that are less than 4096 length (so that it triggers on pretty much every website)


my local.bro only contains:

@load policy/protocols/ssl/weak-keys.bro

The code added to weak-keys.bro at the end of the export section to enable the email action is as follows:

hook Notice::policy(n: Notice::Info)
if ( n$note == SSL::Weak_Key )
add n$actions[Notice::ACTION_EMAIL_ADMIN];

I can see in the notice.log that one of the listed actions for these notices. Example from notice.log:

1428960187.772499 Cec6cr4QGk6SIcnxdb 60350 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 256 bit key - 443 - bro Notice::ACTION_EMAIL_ADMIN,Notice::ACTION_LOG 86400.000000 F - - - - -

I’ve also tried this with ACTION_EMAIL and it still doesn’t work.

Checking the /var/log/mail.log and looks like it is trying to send emails but they aren’t reaching my gmail.

Apr 13 14:40:59 brotector sendmail[21412]: t3DLewwo021412:, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=38033, relay=[] [], dsn=2.0.0, stat=Sent (t3DLexYr021419 Message accepted for delivery)
Apr 13 14:41:00 brotector sm-mta[21426]: STARTTLS=client,, version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Apr 13 14:41:01 brotector sm-mta[21426]: t3DLexYr021419: to=<>, ctladdr=root@brotector.brotector.bro (0/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=128310, [], dsn=2.0.0, stat=Sent (OK 1428961259 y62si5959254yhc.175 - gsmtp)

So perhaps it’s being dropped for seeming like spam, but it does not arrive in the spam folder. What I really don’t understand is why the crash notices will reach my inbox without issue.

Is there any way to fix this or maybe use an external SMTP authenticated solution like mandrill?

I’ve tried everything and looked up so much information and watched tons of videos. Countless hours spent. I really cant get the email alerts to work.

Any help is appreciated.