eem on cisco 877, trouble with mail server action and smtp auth

Answered Question
Dec 18th, 2010

hello all,

I'm using an 877 router at home and I really need to check what this router does during the day.

So some time ago I configured it using some EEM actions to send me email, without any problems.

Yesterday I changed my internet provider and now I need to use SMTP authentication to send emails.

I read about how to authenticate, like username:password@host, and also made a quick search here, without solving my problem.

I need to put as username the email of the provider, like: mouse@host.com:mypassword@smtpserveraddress.com.

So, I want to know if someone had the same problem and solved it. Of course I couldn't use @ two times or EEM would think that host.com is my SMTP server! And right now it is going this way!

My IOS version is 15.1(2)T2, eem version is 3.1.

Hope someone could help me!

Thank you in advance.


Sandro

Joseph Clarke Sat, 12/18/2010 - 08:20

This is a known limitation with SMTP AUTH and EEM.  An enhancement request, CSCsv24106, was filed to allow for escaping the '@' in a username.  However, I've looked over the code in 15.1(2)T, and it appears that the username with the '@' will be properly understood, provided you're using Tcl.  If you use applets, then it will not work.  If you post your applet, I can convert it to a Tcl policy for you.

smanet Sat, 12/18/2010 - 08:39

Thank you Joseph for your reply.

Here is a sample; I have others that look like this.

If you can give back an example I will learn Tcl also

Thank you in advance!

Sandro

event manager applet interface-down-fritz
event syslog occurs 1 pattern ".*LINEPROTO-5-UPDOWN.*FastEthernet3.*"
action 1.0 mail server "myusername@providerDomain:mypassword@providerSMTP" to "myusername2@providerDomain2" from "myusername@providerdomain" subject "Check VOIP ATA" body "Please check VOIP ATA, something not working properly"

Correct Answer
Joseph Clarke Sat, 12/18/2010 - 09:27

Here you go.

::cisco::eem::event_register_syslog occurs 1 pattern ".*LINEPROTO-5-UPDOWN.*FastEthernet3.*"

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*


set mail_pre "Mailservername: myusername@providerDomain:mypassword@providerSMTP\n"
append mail_pre "From: myusername@providerdomain\n"
append mail_pre "To: myusername2@providerDomain2\n"
append mail_pre
append mail_pre "Subject: Check VOIP ATA\n\n"
append mail_pre "Please check VOIP ATA, something not working properly\n\n"
set mail_msg [uplevel #0 [list subst -nobackslashes -nocommands $mail_pre]]
if [catch {smtp_send_email $mail_msg} result] {
    error $result $errorInfo
}

Save this to a file that ends with ".tcl" (e.g. interface-down-fritz.tcl), then copy it to your EEM policy directory on your router (i.e. the one specified in "event manager directory user policy").  Then register the policy with the command "event manager policy interface-down-fritz.tcl".

smanet Sat, 12/18/2010 - 09:36

Thank you again! Hope you could help me with this one too. I understand now how to look for UPDOWN of ports, but not how to do it for a cron job like this:

event manager applet sendmyip
event timer cron cron-entry "*/30 * * * *"

Is there a reference on Cisco for the first-line command (I mean the check that will start the policy)?

I don't want to ask more, I prefer to learn

Anyway I will test it soon, I have to fix this quickly!

Sandro

smanet Sat, 12/18/2010 - 11:17

Hello again,

I got this in my tests:

09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: wrong 4th line format.
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: usage: Cc:
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl:     while executing
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: "smtp_send_email $mail_msg"
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl:     invoked from within
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: "$slave eval $Contents"
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl:     (procedure "eval_script" line 7)
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl:     invoked from within
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: "eval_script slave $scriptname"
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl:     invoked from within
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: "if {$security_level == 1} {       #untrusted script
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl:      interp create -safe slave
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl:      interp share {} stdin slave
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl:      interp share {} stdout slave
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: ..."
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: Tcl policy execute failed:
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: wrong 4th line format.
09:10:34: %HA_EM-6-LOG: send-my-ip.tcl: usage: Cc:

I left the fourth line blank as you gave me. Maybe I have to put a Cc: without an address? I looked in the other link for Tcl EEM and I think that declaring the line is mandatory.

Is that true?

Thank you!

Joseph Clarke Sat, 12/18/2010 - 12:57

Yes, the conversion left out the mandatory Cc: field.  Change the empty append line to:

append mail_pre "Cc: \n"

Then that should work.
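
The template layout behind the "wrong 4th line format" error, and the '@'-in-username problem from the original question, as an added example that is not part of the thread or Cisco's code: a Python pre-flight check meant to be run off-box before a policy is copied to the router. The header order and the split-at-the-last-'@' rule are assumptions drawn from the scripts and log output above, and `check_template`, `parse_mailserver` and `naive_host` are hypothetical names.

```python
"""Pre-flight check for an EEM smtp_send_email template (added example)."""

# Header order assumed from the scripts and the "wrong 4th line format"
# log output quoted in this thread; it is not taken from Cisco's code.
REQUIRED = ["Mailservername:", "From:", "To:", "Cc:", "Subject:"]
ORDINAL = ["1st", "2nd", "3rd", "4th", "5th"]

# Constructed samples: the policy text as first posted (no Cc: line) and
# after the one-line fix, using the thread's placeholder names.
HEAD = ("Mailservername: myusername@providerDomain:mypassword@providerSMTP\n"
        "From: myusername@providerdomain\n"
        "To: myusername2@providerDomain2\n")
TAIL = ("Subject: Check VOIP ATA\n\n"
        "Please check VOIP ATA, something not working properly\n\n")
AS_POSTED = HEAD + TAIL
WITH_CC = HEAD + "Cc: \n" + TAIL


def naive_host(spec):
    """Host as seen when the spec is cut at the FIRST '@' (the failure mode)."""
    return spec.split("@", 1)[-1]


def parse_mailserver(spec):
    """Split 'user:password@host', 'user@host' or 'host' at the LAST '@'.

    A host name cannot contain '@', so everything before the last one is
    credentials; the first ':' inside them separates user from password.
    """
    creds, at, host = spec.strip().rpartition("@")
    if not at:
        return {"user": None, "password": None, "host": host}
    user, colon, password = creds.partition(":")
    return {"user": user, "password": password if colon else None, "host": host}


def check_template(template):
    """Return a list of layout problems; an empty list means none found."""
    lines = template.split("\n")
    for idx, prefix in enumerate(REQUIRED):
        line = lines[idx] if idx < len(lines) else ""
        if not line.startswith(prefix):
            # Later lines are shifted once one header is missing, so stop here.
            return [f"wrong {ORDINAL[idx]} line format, expected {prefix}"]
    problems = []
    if len(lines) <= len(REQUIRED) or lines[len(REQUIRED)] != "":
        problems.append("no blank line between Subject: and the body")
    if not parse_mailserver(lines[0][len(REQUIRED[0]):])["host"]:
        problems.append("Mailservername: names no host")
    return problems


if __name__ == "__main__":
    print(check_template(AS_POSTED))
    print(check_template(WITH_CC))
    print(parse_mailserver("mouse@host.com:mypassword@smtpserveraddress.com"))
    print(naive_host("mouse@host.com:mypassword@smtpserveraddress.com"))
```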

smanet Mon, 12/20/2010 - 03:01

Hello again Joseph,

Thank you again. Now it works correctly. I didn't try without any Cc address; I put the same as the sender for a test.

But do you use a program to convert an applet to a tcl?

Bye!

Sandro

Joseph Clarke Mon, 12/20/2010 - 11:24

Yes, we have a web-based tool internally we can use.  I typically do it for simple applets as it saves me time typing :-).

smanet Mon, 12/20/2010 - 12:12

Cool, I hope that some time Cisco will share this with us too!

Bye!

parhamkiani Tue, 10/16/2012 - 03:08

Hi Joseph,

We aim to send email to our mail server once an access-list is changed, so I followed everything as you instructed to send email from the router to our mail server. I have created a Test directory and saved the script with .tcl, then pushed it to the router. We are getting the following error. Could you look into my script and show us the correct way?

Many thanks.

3845-Dial-A#sh event manager directory user policy

flash:/Test/access-list-changed.tcl

3845-Dial-A(config)#event manager policy flash:/Test/access-list-changed

Embedded Event Manager configuration: flash:/Test/access-list-changed does not have valid policy extension

3845-Dial-A(config)#event manager policy flash:/Test/access-list-changed.tcl

Register event failed:couldn't read policy file: permission denied

Embedded Event Manager configuration: failed to retrieve intermediate registration result for policy

flash:/Test/access-list-changed.tcl: Unknown error 0

::cisco::eem::event_register_syslog occurs 1 pattern "ip access-list extended"

namespace import ::cisco::eem::*

namespace import ::cisco::lib::*

set mail_pre "10.1.1.1:me@bank.com:M123@bank.com" SMTP\n"

append mail_pre "From: me@bank.com\n"

append mail_pre "To:admin@bank.com\n"

append mail_pre

append mail_pre "The ACL on this router have changed\n\n"

set mail_msg [uplevel #0 [list subst -nobackslashes -nocommands $mail_pre]]

if [catch {smtp_send_email $mail_msg} result] {

    error $result $errorInfo

}

Joseph Clarke Thu, 10/18/2012 - 19:28

You need to configure:

event manager directory user policy flash:/Test

event manager policy access-list-changed.tcl

Florin Barhala Thu, 11/22/2012 - 07:58

Hello Joseph,

I read your excellent guide and I thank you for your efforts!

I am not sure about a couple of things though:

- @providerSMTP is it an IP address or a FQDN

Here is the current config:

event manager directory user policy "flash:/tcl"


event manager applet Email

event timer watchdog time 28800

action 1 syslog priority notifications msg "Manual backup completed"

action 2 policy Email.tcl


event manager policy Email.tcl

dir flash:tcl

Directory of flash:/tcl/

    11  -rw-         665  Nov 22 2012 17:40:36 +02:00  Email.tcl

Is there anything else I forgot?

Many thanks!

Joseph Clarke Thu, 11/22/2012 - 08:01

It is best if the SMTP server is an IP address.  However, in newer versions of IOS, both an IP and an FQDN will work (provided the device is configured with a DNS server).

Florin Barhala Mon, 11/26/2012 - 07:18

Hello Joseph,

I believe I have one last question about the script you kindly provided:

event manager applet Email

event timer watchdog time 28800

action 1 syslog priority notifications msg "Manual backup completed"

action 2 policy Email.tcl

::cisco::eem::event_register_syslog occurs 1 pattern ".*LINEPROTO-5-UPDOWN.*FastEthernet3.*"

namespace import ::cisco::eem::*

namespace import ::cisco::lib::*

set mail_pre "Mailservername: ...........

What is the event that triggers the EEM action: is it the watchdog timer OR the pattern:

".*LINEPROTO-5-UPDOWN.*FastEthernet3.*"

Joseph Clarke Mon, 11/26/2012 - 08:44

The Tcl script attached to this thread triggers off of a syslog message.  It cannot be called from the applet as you have here.  It is designed to stand alone.

Florin Barhala Mon, 11/26/2012 - 23:19

Hi mate,

I admit I am now more confused than before. So basically I am left with two questions:

- is it possible "to call" a TCL script like yours in an EEM applet?

- here is my event trigger: event cli pattern "wr" sync no skip no occurs 1

Is it ok if I modify your script this way:

::cisco::eem::event_register_cli pattern "wr" sync no skip no occurs 1

I am not sure about the next word after event; is it register? Are there any other options?

Joseph Clarke Tue, 11/27/2012 - 21:43

Yes, it's possible to call a Tcl policy from an applet provided the Tcl policy is registered with the none event detector.  However, I don't know why you would do this in this case.  You can have the Tcl script do everything you want without the applet.

You are free to modify my script all you want.  However, a pattern as loose as "wr" might be dangerous.  If you want to match on write mem, then something like this would be best:

::cisco::eem::event_register_cli pattern "^write mem" sync no skip no occurs 1

I don't get this last question.  The way you've written this event registration line should be fine.

Florin Barhala Wed, 11/28/2012 - 01:52

Hi mate,

Now it finally works! I thank you again for your patience and time!

Whenever you wish, I have a couple more questions:

How can I add two trigger events in the script with an OR statement between; e.g.: I want to trigger it whenever "write mem" is sent as cli but also when some specific syslog message shows up

Should I add another line like this:

::cisco::eem::event_register_syslog occurs 1 pattern "     "

How can I state the OR logical operation between these two?

Where, or how, did you write this code sequence, because for me it makes little sense and I cannot understand it:

set mail_msg [uplevel #0 [list subst -nobackslashes -nocommands $mail_pre]]

if [catch {smtp_send_email $mail_msg} result] {

    error $result $errorInfo

}

Florin Barhala Thu, 11/29/2012 - 07:36

Hi mate,

I printed out the 8 pages and tried to understand "the thing".

Here is what I have now:

::cisco::eem::event_register_cli tag 1 pattern "^write mem"

::cisco::eem::event_register_cli tag 2 pattern "^wr.*"

::cisco::eem::trigger {

::cisco::eem::correlate event 1 or event 2

::cisco::eem::attribute tag 1 occurs 1 sync no skip no

::cisco::eem::attribute tag 2 occurs 1 sync no skip no

}

namespace import ::cisco::eem::*

namespace import ::cisco::lib::*

set mail_pre "Mailservername: backupservere@class.ro:wqnb@86.127.196.2\n"

append mail_pre "From: Cisco2811@algo.ro\n"

append mail_pre "To: backupservere@class.ro\n"

append mail_pre "Cc: \n"

append mail_pre "Subject: Cisco2811\n\n"

append mail_pre "Backup succesful\n\n"

set mail_msg [uplevel #0 [list subst -nobackslashes -nocommands $mail_pre]]

if [catch {smtp_send_email $mail_msg} result] {

    error $result $errorInfo

}

The good news is if I input write mem it WORKS.

If I input wr it doesn't work. I issued debug event manager all but wr doesn't trigger any reaction.

I want whenever I input wr to send the same email. I feel it's a minor mistake somewhere, but don't see it...

Joseph Clarke Sat, 12/01/2012 - 14:47

You don't need multiple events for this.  Try doing:

::cisco::eem:event_register_cli pattern "^write" sync no skip no

Florin Barhala Sun, 12/02/2012 - 00:20

Hi mate,

This is not working. What I tried:

- ::cisco::eem:event_register_cli pattern "^write" sync no skip no

- ::cisco::eem:event_register_cli pattern "^wr.*" sync no skip no

- ::cisco::eem:event_register_cli pattern "wr.*" sync no skip no

- ::cisco::eem:event_register_cli pattern "wr*" sync no skip no

None of these are triggering the action whenever I input: wr


Joseph Clarke Sun, 12/02/2012 - 17:21

I tested:

::cisco::eem::event_register_cli pattern "^wr.*" sync no skip no

It works.  Are you reregistering your Tcl policy when you make the changes?

Florin Barhala Mon, 12/03/2012 - 00:51

Good day!

I read EEM best practices updated by and also used the tool you kindly provided for conversion.

Now the script looks like this and it is working (no errors):

::cisco::eem::event_register_cli tag 1 pattern "^wr.*" sync no skip no occurs 1

::cisco::eem::event_register_cli tag 2 pattern "^write mem.*" sync no skip no occurs 1

::cisco::eem::trigger {

    ::cisco::eem::correlate event 1 or event 2

    ::cisco::eem::attribute tag 1 occurs 1

    ::cisco::eem::attribute tag 2 occurs 1

}

What I would like to know: where do you recommend using the "occurs 1": when defining the tag, or later under trigger definition ?

Many thanks,

Florin.

Joseph Clarke Tue, 12/04/2012 - 12:40

With multiple events, you have to use it under the trigger.  However, for this particular use case, you don't need multiple events.  You can make it work with the one pattern.

jdart@mjp.net Mon, 11/25/2013 - 03:09

Hello.  I struggled with this problem for a day or two and stumbled across this post multiple times.  I just wanted to let those out there with no scripting knowledge (tcl) know that there *is* a workaround that can be used in EEM for email servers that require SSL authentication. Please note: one downside with this workaround is that if your router is handling any of your DNS resolution for your network you may have issues which I will mention at the bottom of this post.  The workaround does require a third party application called "stunnel" to be running on a PC (any computer really) that will be powered on at all times.  Below is the relevant router config info and stunnel.conf config for an IP SLA event which monitors pings to a Google DNS server, and sends an email out to a Gmail address.

Router config:

object-group network IPSLA-ECHO  (**Created for readability in my ACL**)

host 8.8.8.8

ip sla 10
icmp-echo 8.8.8.8 source-interface FastEthernet4
threshold 400
timeout 700
frequency 3

ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

delay down 10 up 20

ip host gmail.com 192.168.150.35  (**This is the key -- this tells the router that gmail.com can be reached by going to 192.168.150.35 which is the local LAN IP address of the PC running stunnel**)

ip access-list extended INBOUND

permit icmp object-group IPSLA-ECHO any echo-reply

event manager environment _email_to john-doe@gmail.com  (**This obviously can be any email address**)

event manager environment _email_from john-doe@gmail.com  (**In my testing you can change this, but in the email the router will send, Gmail will still report the sender as the one that is being authenticated**)

event manager environment _email_server john-doe:Passw0rd1@gmail.com

event manager applet ICMP-SLOW

event track 10 state down

action 1.1 syslog msg "*** ICMP reply timed out or IP SLA threshold exceeded! Check ping times to Google DNS!! ***"

action 1.2 cli command "enable"

action 1.3 cli command "del /force flash:google_icmp_log"

action 1.4 cli command "show clock | append google_icmp_log"

action 1.5 cli command "show ip sla statistics | append google_icmp_log"

action 1.6 cli command "more flash:google_icmp_log"

action 1.7 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "ICMP to Google is slow!" body "ICMP exceeding threshhold of 400ms $_cli_result" source-interface Vlan5  (**Vlan5 is the local LAN network interface**)

action 1.8 syslog msg "*** ICMP response time notification has been sent!! ***"

stunnel.conf config:

cert = stunnel.pem

socket = l:TCP_NODELAY=1

socket = r:TCP_NODELAY=1

client = yes

options = NO_SSLv2

[pop3s]
accept  = 110
connect = pop.gmail.com:995

[imaps]
accept  = 143
connect = pop.gmail.com:993

[ssmtp]
accept  = 25
connect = smtp.gmail.com:465

That should be all that's needed.  What happens in a nutshell, is the applet sends the email with the appropriate credentials to what it *thinks* is gmail.com (it is in fact the PC running stunnel) and then stunnel serves as the bridge to help in authenticating with smtp.gmail.com and get the email sent through the correct server.  Hope that makes sense. 

Now the big downside to this as I mentioned in the beginning of the post, is depending on if your router is configured to do DNS, it could very well come back with responses to gmail.com queries as being at 192.168.150.35 (your stunnel PC IP address).  So far as I know this can only be worked around by adding entries to each PC's hosts file on the local network -- not a viable option for most people I know.  So realistically this workaround would only be viable if there is some other device/server doing DNS for the network.

In case you have any issues, please remember to use the debug commands in IOS to troubleshoot.  I ultimately got things working through use of debug logs (I think in this particular case I used "debug event manager all"). I found out that the router was establishing a connection with the server through the bridge, but the authentication was failing (I entered my password wrong even after triple checking it).

I am sure there are some other applications similar to stunnel that can do non-secure connections in a similar fashion, and it's possible stunnel can do non-secure ones as well (honestly did not look into it or try it). 

Hope this helps someone out there!

Justin
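
The stunnel.conf posted above runs in client mode with no `verify` or `verifyChain` setting and accepts on port 25 without a bind address. The linter below, an added example that is not from the post or the stunnel project, reports both conditions; the hardened sample, its CAfile path and the function names `parse_conf` and `lint` are assumptions, and the option names are those of stunnel 5.x.

```python
"""Lint a client-mode stunnel.conf such as the one posted above (added example)."""

# Constructed sample: global options and the [ssmtp] service from the post.
POSTED = """\
cert = stunnel.pem
client = yes
options = NO_SSLv2

[ssmtp]
accept  = 25
connect = smtp.gmail.com:465
"""

# Constructed sample: same bridge bound to the LAN address used in the post,
# with stunnel 5.x certificate checks; the CAfile path is a placeholder.
HARDENED = """\
client = yes

[ssmtp]
accept  = 192.168.150.35:25
connect = smtp.gmail.com:465
verifyChain = yes
CAfile = /path/to/ca-bundle.pem
checkHost = smtp.gmail.com
"""


def parse_conf(text):
    """Return (global_options, {service: options}) with lower-cased keys."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else current
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def lint(text):
    """Return sorted (service, finding) pairs for client-mode services."""
    global_opts, services = parse_conf(text)
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}            # service options override globals
        if eff.get("client", "no").lower() != "yes":
            continue
        level = eff.get("verify", "0")
        pinned = eff.get("verifypeer", "no").lower() == "yes" or level in ("3", "4")
        chain = eff.get("verifychain", "no").lower() == "yes" or level == "2"
        if not (pinned or chain):
            findings.append((name, "server certificate is not verified"))
        elif not pinned and not ({"checkhost", "checkip"} & eff.keys()):
            findings.append((name, "chain verified but certificate host not checked"))
        bind_host = eff.get("accept", "").rpartition(":")[0]
        if bind_host in ("", "0.0.0.0", "::"):
            findings.append((name, "accepts plaintext on every local address"))
    return sorted(findings)


if __name__ == "__main__":
    for conf in (POSTED, HARDENED):
        print(lint(conf))
```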

guiller3282 Mon, 01/06/2014 - 03:47

Hello,

Thank you very much in advance for any help you can offer. Debugging I get this but stunnel.conf is edited and started

%HA_EM-3-FMPD_SMTP: Error occured when sending mail to SMTP server: smtp.gmail.com : error in reply from SMTP server

Router Cisco 877 with IOS version is 12.4(15)T16


Router Config:

ip host gmail.com pc_host*

!

track 1 rtr 1 reachability

delay down 10 up 60

!

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1

!

ip sla 1

icmp-echo 8.8.8.8 source-interface Dialer0

timeout 2000

frequency 4

ip sla schedule 1 life forever start-time now

event manager environment to@gmail

event manager environment from@gmail.com

event manager environment smtp.gmail.com*

event manager applet TRACK-1-OK

event track 1 state up

action 1.0 mail server "smtp.gmail.com" to "to@gmail.com" from "from@gmail.com" subject "E2E up/down" body "DSL is UP"*

* I use several possible key combinations:

ip host smtp.gmail.com pc_host

event manager environment from@email.com:password@smtp.gmail.com

action 1.0 mail server "from@gmail.com:password@smtp.gmail.com" to "to@gmail.com" from "from@gmail.com" subject "E2E up/down" body "DSL is UP"*

stunnel.conf config:

cert = stunnel.pem

socket = l:TCP_NODELAY=1

socket = r:TCP_NODELAY=1

client = yes

options = NO_SSLv2

[pop3s]
accept  = 110
connect = pop.gmail.com:995

[imaps]
accept  = 143
connect = pop.gmail.com:993

[ssmtp]
accept  = 25
connect = smtp.gmail.com:465

Greetings,

Guiller

guiller3282 Mon, 01/06/2014 - 10:09

more debugging

Jan  6 15:45:59.474: %HA_EM-6-LOG: TRACK-1-OK : DEBUG(smtp_lib) : smtp_read 530 5.7.0 Must issue a STARTTLS command first. t10sm13587456wia.6 - gsmtp

Jan  6 15:45:59.474: %HA_EM-6-LOG: TRACK-1-OK : DEBUG(smtp_lib) : buffer no reply code matched: 530 5.7.0 Must issue a STARTTLS command first. t10sm13587456wia.6 - gsmtp

Jan  6 16:45:59.474 MET: %HA_EM-3-FMPD_SMTP: Error occured when sending mail to SMTP server: smtp.gmail.com : error in reply from SMTP server

jdart@mjp.net Mon, 01/06/2014 - 11:34

Hi Guiller,

I saw in your script you were not using the environment variables in the same fashion as I had used above.  That's ok I think, they aren't entirely necessary depending on what type of needs you have.

The email address you are sending from needs to be a known gmail account that you have the credentials to obviously.

This line should be changed:

action 1.0 mail server "smtp.gmail.com" to "to@gmail.com" from "from@gmail.com" subject "E2E up/down" body "DSL is UP"*

Change it to the following:

action 1.0 mail server "from:password@gmail.com" to "to@gmail.com" from "from@gmail.com" subject "E2E up/down" body "DSL is UP" source-interface Vlan5 (Vlan5 can be replaced with the local Vlan interface your pc_host is connected to).

If that doesn't work, please try copying my example above exactly (of course replace your email addresses and passwords with your own).  If you choose to use the environment variables, then use _email_to, _email_from, and _email_server

If you use them like this then you can call on them in the action 1.0 mail server line:

event manager environment _email_to to@gmail.com

event manager environment _email_from from@gmail.com

event manager environment _email_server from:Passw0rd1@gmail.com

action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "E2E up/down" body "DSL is UP" source-interface Vlan5.

Try that out and let me know how that works.  Also don't forget to check the stunnel logs as well, they can have some useful information to help you pinpoint the issue.

Justin

guiller3282 Tue, 01/07/2014 - 14:00

Hello, thanks Justin, but this version (12.4.15.T17) doesn't allow object groups or applying the command for source-interface vlanX (local vlan) at the end of the action 1.0 line. That was driving me nuts xD. I am testing it following your suggestions about environment variables and credentials.

According to the Embedded Event Manager configuration Guide "Based on RFC 2554, the SMTP e-mail server name--Mailservername-- can be in any one of the following template formats: username:password@host, username@host, or host."

I am using the premise "username:password@host", and as host @gmail or @smtp.gmail.com.

Stunnel is running and debugging when I force telnet from the Cisco router to pchost on port 25. However, it doesn't work when the applet runs; checking the router log, I get failed attempts connecting to the mail server.

Greetings

jdart@mjp.net Tue, 01/07/2014 - 14:50

Hi Guiller,

Understood, sorry I wasn't sure what differences there were in IOS versions.  I believe I am on 15.3 so that explains the lack of source-interface option.

For your purposes, the server address must be username:password@gmail.com.  If you use username:password@smtp.gmail.com, the gmail server will not recognize these credentials in my testing. 

FYI, the reason that the router doesn't need smtp.gmail.com references in its config, is because stunnel makes sure that the username:password@gmail.com credentials get passed to smtp.gmail.com for you.  Hopefully that makes sense.

Let me know if you have any luck!

Thanks,

Justin

Posted December 18, 2010 at 7:16 AM