PAM is being configured with an SMTP server, both the Email Settings and Monitor (Legacy) pages have been configured, but users are not getting emails when they log in.

Privileged Access Manager, all versions as of November 2023.

The SMTP server required session encryption, which is not a capability of the legacy monitor service. In the session logs, the following will be seen when the monitor service is started.

PAM-CMN-2062: gkmonitor[8675309]: Bad recipient <[email protected]>: 450 4.7.1 Session encryption is required
No valid recipient
Server said: 450 4.7.1 Session encryption is required

As of November 2023, there is no PAM release which supports SMTP encryption for the legacy monitor service. Newer email functionality such as Credential Manager, Secrets Management, and user deactivation emails can use SMTP encryption, but older functionality such as "Email Self on Login", Session Logs reports, or any email that says "Xsuite monitor" in the subject does not have the ability to use SMTP encryption.

As a workaround, an SMTP relay should be configured in the environment to allow legacy monitor emails to be sent.