Dear RT users,
We at CERT-Hungary are using a very old version (3.0.12) of RT with the
IR plugin. Recently I installed RT 4.0.18 with IR 3.0.2, using Ubuntu
12.04.4 LTS on a separate server. Copied every configuration items from
the old version to the new what I thought to be important. Made some
improvements and changes as well. Do not plan to migrate data since it
is very problematic due to the huge change between the two versions.
Everything seems to be working fine… except one very important thing:
‘Reply’ function does not send email to the sender, neither does ‘New
investigation’ to the correspondent.
The strange thing is that RT receives emails and even sends but only to
CCs, BCCs, One-time CCs and One-time BCCs.
Any help would be appreciated.
Please consider that I am not a Linux guru.
Best regards,
Tamas Szep
GovCERT-Hungary
It doesn’t matter if I reply with the same user or not: it won’t send an
email.
NotifyActor is set to 0, but isn’t it responsible for notifying the
person who actually performs an update? I mean that the sender (from
outside the world) who sends us an email is not an ‘actor’ in this
context, is he?
OK, here is a scenario:
- John Smith sends us an email that his network is being attacked eg.
by spear fishing emails. He sends us the attacker’s IP address and other
info.
- RT gets this and an Incident Report is being generated automatically.
- Our incident handler colleague Takes the Incident Report and Replies
to John Smith that we acknowledged his problem. (here is the first
problem, email is not being sent)
- The incident handler creates an Incident from the Report.
- The incident handler launches a new Investigation. (here is the
second problem, email is not being sent)
6…etc.
Just to mention: CC, BCC is OK, so the mail handler (using Sendmail) is
working right.
Tamas
Are you replying with the same user that created the ticket? By
default RT won’t send a mail to you if you performed the action that
generated an email.
We at CERT-Hungary are using a very old version (3.0.12) of RT with the
IR plugin. Recently I installed RT 4.0.18 with IR 3.0.2, using Ubuntu
12.04.4 LTS on a separate server. Copied every configuration items from
the old version to the new what I thought to be important. Made some
improvements and changes as well.
What configurations did you copy. Did you change the Scrips?
Do not plan to migrate data since it
is very problematic due to the huge change between the two versions.
Which problems, we’ve walked a few clients through upgrading from that
vintage of RTIR, keeping their data intact.
Everything seems to be working fine… except one very important thing:
‘Reply’ function does not send email to the sender, neither does ‘New
investigation’ to the correspondent.
These are both standard built-in features of RT and RTIR
The strange thing is that RT receives emails and even sends but only to
CCs, BCCs, One-time CCs and One-time BCCs.
You claim to not be putting yourself in as the Requestor (thus
avoiding NotifyActor), please show the debug logs when sending mail
that should notify the Requestor. This is most easily accomplished by
Set($LogToScreen,‘debug’); and then going and reading your Apache
error logs.
-kevin
What configurations did you copy. Did you change the Scrips?
I think I didn’t copy any Scrips. I am going to look it up.
Which problems, we’ve walked a few clients through upgrading from that
vintage of RTIR, keeping their data intact.
Good to know! Maybe I will try that. It may take a lot of time to
upgrade from version to version however and as a GovCERT we can’t stop
incident handling so I don’t want to mess with the live one. Any ideas?
Everything seems to be working fine… except one very important
thing: ‘Reply’ function does not send email to the sender, neither does
‘New investigation’ to the correspondent.
These are both standard built-in features of RT and RTIR
I don’t understand. Not sending email to the sender when I want to and
not sending email to the correspondent when launching an investigation
are built-in features? I would say it is a bad configuration at us or
something like that.
You claim to not be putting yourself in as the Requestor (thus
avoiding NotifyActor), please show the debug logs when sending mail
that should notify the Requestor. This is most easily accomplished by
Set($LogToScreen,‘debug’); and then going and reading your Apache
error logs.
First I try to change NotifyActor to 1. If the problem still exists I
will post the Apache log.
Tamas Szep
GovCERT-Hungary
I turned on debug mode but that’s way too much info to copy here. So I
changed it to ‘info’ mode. Below is the log.
I sent in a problem, RT got it. Then I (root user in RT) took it,
replied to it (error#1:email wasn’t sent), created an Incident from the
report and finally launched an Investigation with a correspondent
(error#2:email wasn’t sent).
Here is the log (if it helps better, I create a new one with debug mode):
root@rtir-virtual-machine:/home/rtir# service rtir-service start
root@rtir-virtual-machine:/home/rtir# Plack::Handler::Starlet: Accepting
connections at http://0:443/
[13526] [Mon May 19 11:11:45 2014] [info]:
rt-4.0.18-13526-1400497904-1322.53-3-0@cert-hungary.hu #53/738 - Scrip
3 On Create Autoreply To Requestors
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13526] [Mon May 19 11:11:45 2014] [info]:
rt-4.0.18-13526-1400497904-1322.53-3-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13526] [Mon May 19 11:11:45 2014] [info]:
rt-4.0.18-13526-1400497904-1714.53-4-0@cert-hungary.hu #53/738 - Scrip
4 On Create Notify AdminCcs
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13526] [Mon May 19 11:11:45 2014] [info]:
rt-4.0.18-13526-1400497904-1714.53-4-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13526] [Mon May 19 11:11:45 2014] [info]: Ticket 53 created in queue
‘Incident Reports’ by problem_sender@acme.com
(/opt/rt4/sbin/…/lib/RT/Ticket.pm:694)
[13530] [Mon May 19 11:12:09 2014] [info]: Finished adding callbacks
(/opt/rt4/local/plugins/RT-IR/html/Callbacks/RTIR/Elements/MakeClicky/Default:212)
[13529] [Mon May 19 11:12:16 2014] [info]:
rt-4.0.18-13529-1400497936-1293.53-2-0@cert-hungary.hu #53/742 - Scrip
2 On Owner Change Notify Owner
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13529] [Mon May 19 11:12:16 2014] [info]:
rt-4.0.18-13529-1400497936-1293.53-2-0@cert-hungary.hu sent To:
root@localhost (/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:316)
[13531] [Mon May 19 11:12:18 2014] [info]: Finished adding callbacks
(/opt/rt4/local/plugins/RT-IR/html/Callbacks/RTIR/Elements/MakeClicky/Default:212)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-1073.53-5-0@cert-hungary.hu #53/745 - Scrip
5 On Correspond Notify AdminCcs
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-1073.53-5-0@cert-hungary.hu sent To:
“AdminCc of cert-hungary.hu Ticket #53”:; Bcc: rtir_test@cert-hungary.hu
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:316)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-1996.53-7-0@cert-hungary.hu #53/745 - Scrip
7 On Correspond Notify Other Recipients
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-1996.53-7-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-1507.53-6-0@cert-hungary.hu #53/745 - Scrip
6 On Correspond Notify Requestors and Ccs
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-1507.53-6-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-399.53-50-0@cert-hungary.hu #53/745 - Scrip
50 Response to Sender (/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-399.53-50-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13535] [Mon May 19 11:12:42 2014] [critical]: RT Received mail
(rt-4.0.18-13534-1400497961-1073.53-5-0@cert-hungary.hu
) from itself. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:1855)
[13535] [Mon May 19 11:12:42 2014] [crit]: RT Bounce: [cert-hungary.hu
#53] Spam report: RT thinks this message may be a bounce
(/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:248)
[13535] [Mon May 19 11:12:42 2014] [error]: Could not record email:
Message Bounced (/opt/rt4/share/html/REST/1.0/NoAuth/mail-gateway:75)
[13533] [Mon May 19 11:12:42 2014] [info]: Finished adding callbacks
(/opt/rt4/local/plugins/RT-IR/html/Callbacks/RTIR/Elements/MakeClicky/Default:212)
[13527] [Mon May 19 11:13:20 2014] [info]:
rt-4.0.18-13527-1400498000-407.54-3-0@cert-hungary.hu #54/753 - Scrip
3 On Create Autoreply To Requestors
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13527] [Mon May 19 11:13:20 2014] [info]:
rt-4.0.18-13527-1400498000-407.54-3-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13527] [Mon May 19 11:13:20 2014] [info]:
rt-4.0.18-13527-1400498000-1375.54-4-0@cert-hungary.hu #54/753 - Scrip
4 On Create Notify AdminCcs
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13527] [Mon May 19 11:13:20 2014] [info]:
rt-4.0.18-13527-1400498000-1375.54-4-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13527] [Mon May 19 11:13:20 2014] [info]: Ticket 54 created in queue
‘Incidents’ by root (/opt/rt4/sbin/…/lib/RT/Ticket.pm:694)
[13528] [Mon May 19 11:13:21 2014] [info]: Finished adding callbacks
(/opt/rt4/local/plugins/RT-IR/html/Callbacks/RTIR/Elements/MakeClicky/Default:212)
[13534] [Mon May 19 11:14:03 2014] [info]:
rt-4.0.18-13534-1400498043-1233.55-3-0@cert-hungary.hu #55/760 - Scrip
3 On Create Autoreply To Requestors
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13534] [Mon May 19 11:14:03 2014] [info]:
rt-4.0.18-13534-1400498043-1233.55-3-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13534] [Mon May 19 11:14:03 2014] [info]:
rt-4.0.18-13534-1400498043-829.55-4-0@cert-hungary.hu #55/760 - Scrip
4 On Create Notify AdminCcs
(/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13534] [Mon May 19 11:14:03 2014] [info]:
rt-4.0.18-13534-1400498043-829.55-4-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13534] [Mon May 19 11:14:03 2014] [info]:
rt-4.0.18-13534-1400498043-17.55-49-0@cert-hungary.hu #55/760 - Scrip
49 On Create Notify Ccs (/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13534] [Mon May 19 11:14:03 2014] [info]:
rt-4.0.18-13534-1400498043-17.55-49-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13534] [Mon May 19 11:14:03 2014] [info]: Ticket 55 created in queue
‘Investigations’ by root (/opt/rt4/sbin/…/lib/RT/Ticket.pm:694)
[13535] [Mon May 19 11:14:04 2014] [info]: Finished adding callbacks
(/opt/rt4/local/plugins/RT-IR/html/Callbacks/RTIR/Elements/MakeClicky/Default:212)
Tamas Szep
GovCERT-Hungary
Which problems, we’ve walked a few clients through upgrading from that
vintage of RTIR, keeping their data intact.
Good to know! Maybe I will try that. It may take a lot of time to
upgrade from version to version however and as a GovCERT we can’t stop
incident handling so I don’t want to mess with the live one. Any ideas?
Don’t ugprade from version to version.
Copy the database to a new system. Install RT 4.0.20 and follow all
the upgrading steps. Then install RTIR 3.0.2 and follow those
upgrading steps. You will need to have some downtime obviously, but
you cannot know how much downtime without running through the
migration.
Installing each intermediate RT/RTIR version is unnecessary and no
documentation implies you need to do that. If you find documentation
that suggests it, please file a bug so I can remove it.
These are both standard built-in features of RT and RTIR
I don’t understand. Not sending email to the sender when I want to and
not sending email to the correspondent when launching an investigation
are built-in features? I would say it is a bad configuration at us or
something like that.
No. Sending mail to the correspondent on reply or on investigation
creation are standard features of RTIR. That they are not working
implies a misconfiguration or error in your install.
I sent in a problem, RT got it. Then I (root user in RT) took it,
replied to it (error#1:email wasn’t sent), created an Incident from the
report and finally launched an Investigation with a correspondent
(error#2:email wasn’t sent).
I see two problems here.
RT thinks that problem_sender@acme.com isn’t a valid email recipient.
Please show the Correspondents page for ticket 53 and the user page
for that user to confirm they are set up properly.
Additionally, you should not make the RTIR email address the AdminCc
of the IR queue. This is causing RT to send mail to itself which has
to be detected as a bounce loop and dropped.
Here is the log (if it helps better, I create a new one with debug mode):
rt-4.0.18-13534-1400497961-1507.53-6-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-399.53-50-0@cert-hungary.hu #53/745 - Scrip
50 Response to Sender (/opt/rt4/sbin/…/lib/RT/Action/SendEmail.pm:285)
[13534] [Mon May 19 11:12:41 2014] [info]:
rt-4.0.18-13534-1400497961-399.53-50-0@cert-hungary.hu No recipients
found. Not sending. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:385)
[13535] [Mon May 19 11:12:42 2014] [critical]: RT Received mail
(rt-4.0.18-13534-1400497961-1073.53-5-0@cert-hungary.hu
) from itself. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:1855)
[13535] [Mon May 19 11:12:42 2014] [crit]: RT Bounce: [cert-hungary.hu
#53] Spam report: RT thinks this message may be a bounce
(/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:248)
[13535] [Mon May 19 11:12:42 2014] [error]: Could not record email:
Message Bounced (/opt/rt4/share/html/REST/1.0/NoAuth/mail-gateway:75)
-kevin
Don’t ugprade from version to version.
Copy the database to a new system. Install RT 4.0.20 and follow all
the upgrading steps. Then install RTIR 3.0.2 and follow those
upgrading steps. You will need to have some downtime obviously, but
you cannot know how much downtime without running through the
migration.
That is really good news! We will do the upgrade this way in the near
future. Thank you for that info.
Sending mail to the correspondent on reply or on investigation
creation are standard features of RTIR. That they are not working
implies a misconfiguration or error in your install.
I thought so. I hope that a clean install (mentioned above) will resolve
that.
RT thinks that problem_sender@acme.com isn’t a valid email recipient.
Please show the Correspondents page for ticket 53 and the user page
for that user to confirm they are set up properly.
The Correspondents page shows that the correspondent is me (???) as a
user. Remember, I was logged in as root, not as Tamas Szep. Next to my
name is: ‘(no email address)’ Hmmm…
Owner: GovCERT-Hungary
Correspondents: Tam�s Sz�p (no email address)
CC:
Admin CC: Group: DutyTeam EDUNET
I don’ know why the Admin CC is EDUNET when I selected GOVNET by the way.
Additionally, you should not make the RTIR email address the AdminCc
of the IR queue. This is causing RT to send mail to itself which has
to be detected as a bounce loop and dropped.
Where can I change that?
Tamas Szep
GovCERT-Hungary
RT thinks that problem_sender@acme.com isn’t a valid email recipient.
Please show the Correspondents page for ticket 53 and the user page
for that user to confirm they are set up properly.
The Correspondents page shows that the correspondent is me (???) as a
user. Remember, I was logged in as root, not as Tamas Szep. Next to my
name is: ‘(no email address)’ Hmmm…
So, you have no email address, so RT cannot send you email.
This makes this an invalid test.
Owner: GovCERT-Hungary
Correspondents: Tamás Szép (no email address)
CC:
Admin CC: Group: DutyTeam EDUNET
I don’ know why the Admin CC is EDUNET when I selected GOVNET by the way.
Dunno, depends what you’ve done to the Constituency CF in your
configuring. Please read:
http://bestpractical.com/docs/rtir/3.0/Constituencies.html
Additionally, you should not make the RTIR email address the AdminCc
of the IR queue. This is causing RT to send mail to itself which has
to be detected as a bounce loop and dropped.
Where can I change that?
Tools → Configuration → Queues → Queue Name → Watchers
-kevin