
Unable to send mail from CA PAM


Article ID: 213669

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Once CA PAM is configured to send mail on approval (for Password View Policies) and for monitoring an instance, mail is not delivered. Checking the mail.log file obtained by downloading the remote engineer files, there are plenty of errors like the following ones:

Apr 24 19:01:01 alpamip02 exim[17814]: 2021-04-24 19:01:01 1laNWX-0004dK-Mx Failed to create spool file /var/spool/exim4//input//1laNWX-0004dK-Mx-D: Permission denied
Apr 24 19:01:01 alpamip02 exim[17814]: 2021-04-24 19:01:01 1laNWX-0004dK-Mx Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=112 egid=117
Apr 24 19:01:01 alpamip02 exim[17814]: exim: could not open panic log - aborting: see message(s) above
Apr 24 20:01:02 alpamip02 exim[23668]: 2021-04-24 20:01:02 1laOSc-00069k-6G Failed to create spool file /var/spool/exim4//input//1laOSc-00069k-6G-D: Permission denied
Apr 24 20:01:02 alpamip02 exim[23668]: 2021-04-24 20:01:02 1laOSc-00069k-6G Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=112 egid=117
Apr 24 20:01:02 alpamip02 exim[23668]: exim: could not open panic log - aborting: see message(s) above

In catalina.log there are exceptions like the following:

Apr 16, 2021 5:10:34 PM com.cloakware.cspm.server.app.impl.SendPasswordViewEmailCmd invoke
WARNING: Error sending password view request e-mail
com.cloakware.cspm.server.app.ApplicationException: com.cloakware.cspm.server.app.ApplicationException: PasswordViewEmail.send: invalid email address
        at com.cloakware.cspm.server.app.PasswordViewEmail.prepare(PasswordViewEmail.java:125)
        at com.cloakware.cspm.server.app.impl.SendPasswordViewEmailCmd.invoke(SendPasswordViewEmailCmd.java:75)
        at com.cloakware.cspm.server.app.impl.ApplicationContextImpl.invokeCommand(ApplicationContextImpl.java:270)
        at com.cloakware.cspm.server.app.impl.ApplicationContextImpl.invokeCommand(ApplicationContextImpl.java:122)
        at com.cloakware.cspm.server.app.impl.ExecuteCommandThread.call(ExecuteCommandThread.java:55)
        at com.cloakware.cspm.server.app.impl.ExecuteCommandThread.call(ExecuteCommandThread.java:15)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.cloakware.cspm.server.app.ApplicationException: PasswordViewEmail.send: invalid email address
        at com.cloakware.cspm.server.app.PasswordViewEmail.prepare(PasswordViewEmail.java:113)
        ... 9 more

This happens even though the e-mail addresses configured in CA PAM are valid and correctly configured.

Cause

This error is caused by incorrect permissions on the /var/spool/exim4 folder. The message indicates that user 112 (euid=112), which is Debian-exim, belonging to group 117 (egid=117), also named Debian-exim, cannot write to that folder, which prevents the mail subsystem from working properly. Debian-exim is the user associated with the exim application, which by default ships as the mail subsystem for Debian systems (the base OS for PAM 3.4.X being Debian 9).

In particular, in a working mail configuration for CA PAM, the /var/spool/exim4 directory must have the following permissions and ownership:

ls -la /var/spool/exim4
total 24
drwxr-x--- 5 Debian-exim Debian-exim 4096 Mar  4  2020 .
drwxr-xr-x 5 root        root        4096 Mar  4  2020 ..
drwxr-x--- 2 Debian-exim Debian-exim 4096 Nov 21 06:25 db
-rw-r--r-- 1 Debian-exim Debian-exim 1236 Mar  4  2020 gnutls-params-2048
drwxr-x--- 2 Debian-exim Debian-exim 4096 Apr 27 06:25 input
drwxr-x--- 2 Debian-exim Debian-exim 4096 Apr 27 06:25 msglog

If for any reason the user or group ownership has been changed, this error will appear.
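As an added check (not part of this article), the following shell function audits the spool directory against the baseline listing above and reports any entry whose owner, group or mode deviates from it. It assumes GNU stat (as shipped with Debian) and takes the expected owner and group as parameters so it can also be run against a test tree.

```shell
#!/bin/sh
# Added example, not from the KB article: audit /var/spool/exim4 against the
# expected baseline (owner Debian-exim, group Debian-exim, directories 750,
# files 644). Assumes GNU stat (Debian). Only the top level is checked, which
# is what the article's listing shows.
#
# Usage: audit_exim_spool [DIR] [OWNER] [GROUP]
# Prints one line per deviating entry; returns 0 if everything matches,
# 1 if at least one entry deviates, 2 if DIR is not a directory.
audit_exim_spool() {
    dir=${1:-/var/spool/exim4}
    owner=${2:-Debian-exim}
    group=${3:-Debian-exim}
    rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    # The spool directory itself plus its direct children (db, input, msglog, ...)
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue          # unmatched glob on an empty directory
        set -- $(stat -c '%U %G %a' "$path")
        cur_user=$1; cur_group=$2; cur_mode=$3
        if [ -d "$path" ]; then want_mode=750; else want_mode=644; fi
        if [ "$cur_user" != "$owner" ] || [ "$cur_group" != "$group" ] \
           || [ "$cur_mode" != "$want_mode" ]; then
            echo "$path owner=$cur_user:$cur_group mode=$cur_mode (expected $owner:$group mode=$want_mode)"
            rc=1
        fi
    done
    return $rc
}
```

Run it as root on the appliance before and after support resets ownership; a non-zero exit with no output means the directory itself is missing rather than mis-owned.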

Environment

CA PAM version 3.4.X and 3.3.X

Resolution

If this issue appears, the ownership and/or permissions of the /var/spool/exim4 directories must be reset manually. Please engage Broadcom Support to carry out this operation.