Modifying global mail settings
Bravura Security Fabric sends email using the plugin configured as GLOBAL MAIL PLUGIN. The following plugin programs, shipped with Bravura Security Fabric, can be used with this plugin point:
global-mail-plugin.py , which uses MAIL SEND METHOD to send an email or writes the email to a file. It is enabled by default.
plugin-email-domino.exe , which sends mail via a Lotus Notes / Domino mail system.
To configure the global mail plugin and other required settings for sending email:
Click Manage the system > Workflow > Email configuration > Email configuration.
When you select the Workflow menu, if the required settings for sending email are not configured, Bravura Security Fabric automatically directs you to this page.
Type values for the options listed below as required.
Click Update.
Option
Description
GLOBAL MAIL PLUGIN
The plugin to send email.
GLOBAL MAIL PLUGIN MAILDIR
The directory path to store messages when they are written to a file. The default is <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance>\mail. Ensure that this directory exists.
MAIL AUTH LOGIN
The login ID for mailing systems that require authentication.
MAIL AUTH MECHANISM
Authentication mechanism used by Bravura Security Fabric to log into an authenticating mail server to deliver emails. Valid values are NONE, LOGIN and SASL_XOAUTH2. If unspecified, LOGIN is used when both MAIL AUTH LOGIN and MAIL AUTH PASSWORD are specified.
MAIL AUTH OAUTH2 CLIENT ID
The OAuth 2.0 client ID to be used by Bravura Security Fabric to log into an authenticating mail server to deliver emails. This value is used for the SASL_XOAUTH2 authentication mechanism.
MAIL AUTH OAUTH2 CLIENT SECRET
The OAuth 2.0 client secret to be used by Bravura Security Fabric to log into an authenticating mail server to deliver emails. This value is used for the SASL_XOAUTH2 authentication mechanism.
MAIL AUTH OAUTH2 GRANT TYPE
The OAuth 2.0 grant type to be used by Bravura Security Fabric to log into an authenticating mail server to deliver emails. This value is used for the SASL_XOAUTH2 authentication mechanism.
MAIL AUTH OAUTH2 PASSWORD
The OAuth 2.0 password to be used by Bravura Security Fabric to log into an authenticating mail server to deliver emails. This value is used for the SASL_XOAUTH2 authentication mechanism.
MAIL AUTH OAUTH2 SCOPE
The OAuth 2.0 scope to be used by Bravura Security Fabric to log into an authenticating mail server to deliver emails. This value is used for the SASL_XOAUTH2 authentication mechanism.
MAIL AUTH OAUTH2 TOKEN ENDPOINT
The OAuth 2.0 token endpoint to be used by Bravura Security Fabric to log into an authenticating mail server to deliver emails. This value is used for the SASL_XOAUTH2 authentication mechanism.
MAIL AUTH OAUTH2 USERNAME
The OAuth 2.0 username to be used by Bravura Security Fabric to log into an authenticating mail server to deliver emails. This value is used for the SASL_XOAUTH2 authentication mechanism.
MAIL AUTH PASSWORD
The password for the login ID specified by MAIL AUTH LOGIN.
Note: If you change the MAIL AUTH LOGIN, MAIL SERVER, or MAIL SERVER PORT value later, you must also update this field.
MAIL AUTH SASL XOAUTH2 USER
The SASL XOAUTH2 user to be used by Bravura Security Fabric to log into an authenticating mail server to deliver emails. This value is used for the SASL_XOAUTH2 authentication mechanism.
MAIL CONTENT TYPE
Enable HTML content in emails. When disabled (default), email content is plain text.
MAIL SEND METHOD
The delivery options for notification messages. This value is used by global-mail-plugin to send an email and/or write the message to a file. Valid values are:
SMTP: Send email via MAIL SERVER
NOTES: Send email via a Lotus Notes/Domino mail system
FILE: Write to a file in the directory specified by GLOBAL MAIL PLUGIN MAILDIR
Multiple methods can be used. If MAIL SERVER is specified, the default is SMTP; otherwise, the default is FILE.
MAIL SERVER
The mail server address.
MAIL SERVER PORT
The port number for the SMTP mail server. Default is 25.
RECIPIENT EMAIL
A comma-delimited list of email addresses of Bravura Security Fabric administrators who should receive notification of events relating to the running of the server.
This value is set during installation.
SENDER EMAIL
The email address that will appear as the sender of emails. This is required if using Lotus Notes or SMTP to send email.
Note
The email server configuration data is saved in the registry. These settings are not propagated to replication nodes unless you run the File Replication Service.
Configuring OAuth 2.0 Email Authentication (SASL XOAUTH2)
To configure Bravura Security Fabric to use OAuth 2.0 authentication for sending email:
Click Manage the system > Workflow > Email configuration > Email configuration.
Set MAIL AUTH MECHANISM to SASL_XOAUTH2.
Configure the OAuth 2.0 settings:
MAIL AUTH OAUTH2 CLIENT ID: Enter your OAuth client ID from your mail provider
MAIL AUTH OAUTH2 CLIENT SECRET: Enter your OAuth client secret
MAIL AUTH OAUTH2 GRANT TYPE: Select the appropriate grant type
MAIL AUTH OAUTH2 SCOPE: Enter the required scope(s) for your mail provider
MAIL AUTH OAUTH2 TOKEN ENDPOINT: Enter the token endpoint URL for your mail provider
MAIL AUTH OAUTH2 USERNAME: (Optional) Enter username if required by your grant type
MAIL AUTH OAUTH2 PASSWORD: (Optional) Enter password if required by your grant type
MAIL AUTH SASL XOAUTH2 USER: Enter the SASL XOAUTH2 user for authentication
Configure standard mail settings:
MAIL SERVER: Your SMTP server address
MAIL SERVER PORT: Your SMTP server port
SENDER EMAIL: The email address that will appear as the sender
Click Update.
Example - Microsoft 365 OAuth Configuration
MAIL AUTH MECHANISM: SASL_XOAUTH2
MAIL AUTH OAUTH2 CLIENT ID: 12345678-1234-1234-1234-123456789abc
MAIL AUTH OAUTH2 CLIENT SECRET: [your-client-secret]
MAIL AUTH OAUTH2 GRANT TYPE: client_credentials
MAIL AUTH OAUTH2 SCOPE: https://outlook.office365.com/.default
MAIL AUTH OAUTH2 TOKEN ENDPOINT: https://login.microsoftonline.com/your-tenant-id/oauth2/v2.0/token
MAIL AUTH SASL XOAUTH2 USER: noreply@yourcompany.com
MAIL SERVER: smtp.office365.com
MAIL SERVER PORT: 587
SENDER EMAIL: noreply@yourcompany.com
Note
The MAIL AUTH MECHANISM setting determines which authentication method is used:
NONE: No authentication
LOGIN: Use MAIL AUTH LOGIN and MAIL AUTH PASSWORD (existing behavior)
SASL_XOAUTH2: Use OAuth 2.0 authentication with the MAIL AUTH OAUTH2 settings
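The token request and the SASL XOAUTH2 exchange that these settings drive, as an added Python example; this is not the product's global-mail-plugin.py. It reuses the Microsoft 365 values from the example above (client ID, scope, token endpoint, server and port are the page's placeholders, not live values). The failure handling assumes the XOAUTH2 convention, documented by some providers, of a 334 continuation that carries JSON describing the rejection. Network calls are made only when the file is run as a script; the helper functions run offline.

```python
"""Added example (not the product's global-mail-plugin.py): the SASL XOAUTH2
exchange behind MAIL AUTH MECHANISM = SASL_XOAUTH2.

Assumed values are the Microsoft 365 settings from the example above.
"""
import base64
import json
import smtplib
import urllib.parse
import urllib.request

CLIENT_ID = "12345678-1234-1234-1234-123456789abc"          # MAIL AUTH OAUTH2 CLIENT ID
CLIENT_SECRET = "[your-client-secret]"                      # treat like the mailbox password
TOKEN_ENDPOINT = "https://login.microsoftonline.com/your-tenant-id/oauth2/v2.0/token"
SCOPE = "https://outlook.office365.com/.default"            # MAIL AUTH OAUTH2 SCOPE
XOAUTH2_USER = "noreply@yourcompany.com"                    # MAIL AUTH SASL XOAUTH2 USER
MAIL_SERVER, MAIL_SERVER_PORT = "smtp.office365.com", 587


def token_request_body(client_id, client_secret, scope,
                       grant_type="client_credentials", username=None, password=None):
    """Form body POSTed to MAIL AUTH OAUTH2 TOKEN ENDPOINT (RFC 6749 sections 4.3 and 4.4).

    MAIL AUTH OAUTH2 USERNAME / PASSWORD are only sent for the password grant.
    """
    fields = {"grant_type": grant_type, "client_id": client_id,
              "client_secret": client_secret, "scope": scope}
    if grant_type == "password":
        fields["username"], fields["password"] = username, password
    return urllib.parse.urlencode(fields).encode("ascii")


def fetch_access_token(endpoint, body):
    """POST the body over HTTPS and return the bearer token from the JSON reply."""
    req = urllib.request.Request(endpoint, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def xoauth2_initial_response(user, access_token):
    """Client's SASL XOAUTH2 message: 'user=<user>^Aauth=Bearer <token>^A^A', base64 on the wire."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_initial_response(encoded):
    """Inverse of the above: what a server extracts before it validates the token."""
    raw = base64.b64decode(encoded).decode("utf-8")
    user_part, auth_part = raw.rstrip("\x01").split("\x01")
    return user_part[len("user="):], auth_part[len("auth=Bearer "):]


def xoauth2_failure(challenge):
    """smtplib hands the callback the already base64-decoded 334 payload; parse it as JSON, else None."""
    try:
        return json.loads(challenge)
    except ValueError:
        return None


def send_with_xoauth2(server, port, user, access_token, sender, recipient, message):
    details = []

    def respond(challenge=None):
        if challenge is None:                   # smtplib base64-encodes what we return
            return "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
        details.append(xoauth2_failure(challenge))  # token rejected: 334 carried the reason
        return ""                                # empty line ends the exchange; server answers 535

    with smtplib.SMTP(server, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()                          # 587 is STARTTLS; never send the bearer token in clear
        smtp.ehlo()
        advertised = smtp.esmtp_features.get("auth", "").upper().split()
        if "XOAUTH2" not in advertised:
            raise RuntimeError("server does not offer XOAUTH2; advertised: %s" % advertised)
        try:
            smtp.auth("XOAUTH2", respond)
        except smtplib.SMTPAuthenticationError as exc:
            raise RuntimeError("XOAUTH2 rejected: %s %s" % (exc.smtp_error, details)) from exc
        smtp.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    token = fetch_access_token(TOKEN_ENDPOINT,
                               token_request_body(CLIENT_ID, CLIENT_SECRET, SCOPE))
    send_with_xoauth2(MAIL_SERVER, MAIL_SERVER_PORT, XOAUTH2_USER, token, XOAUTH2_USER,
                      "admin@yourcompany.com",
                      "From: %s\r\nTo: admin@yourcompany.com\r\nSubject: XOAUTH2 test\r\n\r\nok\r\n"
                      % XOAUTH2_USER)
```

Two points worth keeping in mind when filling in the settings: the client secret is a credential equivalent to the mailbox's SMTP password and should be protected as such, and the identity the token represents must be allowed to send as MAIL AUTH SASL XOAUTH2 USER, otherwise the server rejects the AUTH even though the token endpoint issued a valid token. Access tokens are short-lived, so a plugin that sends many messages should cache the token until it expires rather than hitting the token endpoint per message.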
Configuring node-specific settings
The email configuration settings are node-specific, so these system variables are not stored in the backend database but in each node's registry.
However, most registry settings replicate by default, so that secondary nodes take their settings from the primary node.
It is sometimes useful to add some of these settings to the replication utility's blacklist, so that the setting can be configured separately on each application node.
After blacklisting a system variable, you must log in to each node separately and change its value there.
Use cases
1. Application administrators usually want to know which node an alert came from, so they can address the issue on that specific server without reading the hidden message headers to work out which gateways the message passed through (sometimes all emails go through the same gateway, as in use case 2 below).
Solution: Blacklist SENDER_EMAIL. Set its value to something like "instancename-nodename@company.com", for example "prod-pam-001@bravurasecurity.com".
2. Some nodes running in different data centers may use different SMTP servers, or different credentials.
Solution: Blacklist MAIL SERVER (and optionally MAIL SERVER PORT; if the credentials also differ, MAIL AUTH LOGIN and MAIL AUTH PASSWORD).
3. Some nodes in different data centers may be managed by different teams.
Solution: Blacklist RECIPIENT EMAIL.
Customizing the global mail plugin
The following plugin programs, shipped with Bravura Security Fabric , can be used with the GLOBAL MAIL PLUGIN plugin point:
global-mail-plugin.py, which uses MAIL SEND METHOD to send an email or writes the email to a file. It is enabled by default.
Caution
This plugin should only be changed under supervision from Bravura Security support. It is a base product script, so any changes add technical debt: patches install the base version of the script, and your changes must be re-applied after each one.
plugin-email-domino.exe, which sends mail via a Lotus Notes / Domino mail system.
Execution points
This plugin is run by the idwfm service and by the psupdate and iddiscover programs. The plugin must be located in the \<instance>\plugin\ directory on the Bravura Security Fabric server.
Input
The following is an example of input sent to the plugin:
"" "" = {
"content" = "\nouadmin,\n \n A request for account resources has been received, and is pending\nyour approval.\n\n\n\n\nTo accept, update, or deny the requested resources, please click on\nthe following link:\n\n --> http://w2k3archive2/51-5142/?LANG=en-us&userid=ouadmin&BATCH=2064&JUMPTOCGI=IDP\n\nAlternatively, visit\n\n --> http://w2k3archive2/51-5142/?LANG=en-us\n\nLog in, click the link for 'Authorize requests', and\nenter batch ID 2064.\n\n\n\nThis request's details:\n\n Batch ID: 2064\n Request Created at: \n Requested By: test_request\n Through delegate: \n Requested User ID: test_recipient\n\n\n Other Attributes:\n \n\n \n \n View managed password requests\n\n\n AD, 7777\n\n\n\n \n\n Requester Notes:\n \n\n Reasons:\n \n\n\n\n-- Identify Manager.\n\n\n-----------------------------------------------------------------\n\n"
# The body of the message
"fromemail" = "idmsuite_replies@YourEmailDomain.com"
# The value of SENDER EMAIL.
"fromname" = "ID Management Suite"
# This is always ID Management Suite, and is not configurable.
"frompass" = "mypass123"
# The value of SENDER PASSWORD.
"lockdir" = "E:\\Program Files\\Bravura Security\\Bravura Security Fabric\\Locks\\"
# The lock file directory.
"maildir" = "E:\\Program Files\\Bravura Security\\Bravura Security Fabric\\Logs\\default\\mail"
# The value of GLOBAL MAIL PLUGIN MAILDIR
"mailheader" = "From: $FROMNAME$ <$FROMEMAIL$>\nTo: $TONAME$ <$TOEMAIL$>\nSubject: $SUBJECT$\n\n$CONTENT$\n\n"
"mailserver" = "smtp.example.local"
# The value of MAIL SERVER.
"mailserverport" = "25"
# The value of MAIL SERVER PORT.
"primaryID" = "ouadmin"
# The profile ID of the primary authorizer,
# in case this is a delegated email.
"profileID" = "ouadmin"
# The profile ID of the user receiving the mail.
"subject" = "Access access request needs authorization"
# The subject of the email.
"toemail" = "ouadmin@"
# The email address to which the message is sent.
# If global mail plugin is run by psupdate or loaddb, this is the value
# of RECIPIENT EMAIL.
"toname" = "ouadmin"
# The full name of the recipient of the email message.
"content-type" = "1"
# Indicate the content type of the email, 1 = HTML
"triggeringEvent" = "EVENT_AUTH_EMAIL_INITIAL"
# The idwfm event that is triggering the mail.
"request" "" = {
# Standard request data.
}
"extraHeaders" "" = {
"In-Reply-To" = "<request ID>"
"References" = "<request ID>"
"X-Hitachi-ID-purposeTag" = "EM_WORKFLOW_REQ_INITIAL_AUTHORIZER_NEEDAUTH_CONTENT_PRIMARY"
}
# Provide extra email headers
}
Request data is optional. It is empty if not supplied. The input can be used to change how email is sent based on the situation; for example, only sending email if certain request information is included.
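A minimal global mail plugin that consumes this input and produces the success/failure result described under Output below, as an added Python example; it is not the shipped global-mail-plugin.py. The page does not say how the input reaches the plugin, so the example assumes it arrives on stdin in the quoted key/value form shown above (with \n, \r, \\ and \" as the escapes) and that the result is written to stdout in the same form. It implements only the FILE send method; the sample input is constructed here, trimmed from the page's example, with a header-injection attempt in toname so the sanitiser has something to catch.

```python
"""Added example (not the shipped global-mail-plugin.py): a GLOBAL MAIL PLUGIN
implementing the FILE send method. Assumed: input on stdin, result on stdout,
both in the quoted key/value form shown on the page."""
import os
import re
import sys
import time

GROUP_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*=\s*\{$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$')
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # local part, host, a dot: refuses "ouadmin@"
_UNESCAPE = {"n": "\n", "r": "\r", "t": "\t"}


def unescape(s):
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(1)), s)


def escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("\r", "\\r").replace("\n", "\\n")


def parse_kvgroup(text):
    """Turn the nested '"key" = "value"' / '"name" "" = {' ... '}' input into dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # tolerate the page's comment annotations
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = GROUP_RE.match(line)
        if m:
            child = {}
            stack[-1][unescape(m.group(1))] = child
            stack.append(child)
            continue
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        stack[-1][unescape(m.group(1))] = unescape(m.group(2))
    if len(stack) != 1:
        raise ValueError("unterminated group")
    return root.get("", {})     # everything sits inside the outer '"" "" = {' group


def format_kvgroup(values):
    """Serialise the plugin result ({"errmsg": ..., "retval": ...}) in the same form."""
    body = "".join('"%s" = "%s"\n' % (escape(k), escape(v)) for k, v in values.items())
    return '"" "" = {\n' + body + "}\n"


def _hdr(value):
    # header values originate in request data; fold CR/LF so they cannot inject headers
    return value.replace("\r", " ").replace("\n", " ")


def render_message(msg):
    """Expand the mailheader template ($NAME$ -> msg["name"]) and append extra headers."""
    def fill(m):
        key = m.group(1).lower()
        return msg.get(key, "") if key == "content" else _hdr(msg.get(key, ""))
    rendered = re.sub(r"\$([A-Z]+)\$", fill, msg["mailheader"])
    head, sep, body = rendered.partition("\n\n")
    extra = ["%s: %s" % (_hdr(k), _hdr(v)) for k, v in msg.get("extraHeaders", {}).items()]
    if msg.get("content-type") == "1":
        extra += ["MIME-Version: 1.0", "Content-Type: text/html; charset=utf-8"]
    return head + ("\n" + "\n".join(extra) if extra else "") + sep + body


def write_message(msg, maildir):
    """FILE send method: one file per message under GLOBAL MAIL PLUGIN MAILDIR; returns its path."""
    os.makedirs(maildir, exist_ok=True)
    name = "%d-%d-%s.eml" % (time.time() * 1000, os.getpid(), msg.get("triggeringEvent", "mail"))
    path = os.path.join(maildir, name)
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(render_message(msg))
    return path


def deliver(msg, maildir):
    """Plugin result for one message; an undeliverable recipient is reported, not silently dropped."""
    to = msg.get("toemail", "")
    if not ADDR_RE.match(to):
        return {"errmsg": "recipient address %r is not deliverable" % to, "retval": "1"}
    write_message(msg, maildir)
    return {"errmsg": "success", "retval": "0"}


# Constructed sample input, trimmed from the page's example (toname carries an injection attempt).
SAMPLE_INPUT = r'''"" "" = {
"content" = "\nouadmin,\n\nA request for account resources is pending your approval.\n"
"fromemail" = "idmsuite_replies@YourEmailDomain.com"
"fromname" = "ID Management Suite"
"maildir" = "mail-out"
"mailheader" = "From: $FROMNAME$ <$FROMEMAIL$>\nTo: $TONAME$ <$TOEMAIL$>\nSubject: $SUBJECT$\n\n$CONTENT$\n\n"
"subject" = "Access request needs authorization"
"toemail" = "ouadmin@example.local"
"toname" = "ouadmin\r\nBcc: attacker@example.net"
"content-type" = "1"
"triggeringEvent" = "EVENT_AUTH_EMAIL_INITIAL"
"request" "" = {
}
"extraHeaders" "" = {
"In-Reply-To" = "<2064@example.local>"
}
}
'''

if __name__ == "__main__":
    msg = parse_kvgroup(SAMPLE_INPUT if sys.stdin.isatty() else sys.stdin.read())
    sys.stdout.write(format_kvgroup(deliver(msg, msg.get("maildir", "mail-out"))))
```

The decision of whether to send at all belongs in deliver(): the request group and triggeringEvent are available there, so a site rule such as "only write the file when request data is present" is a one-line check in that function. Returning retval 1 with a descriptive errmsg for a bad recipient (the page's own example carries "ouadmin@", an address with no domain) is deliberate: idwfm then records the failure instead of the message vanishing.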
Output
This plugin returns a success or failure message, using the errmsg key.
For example, the output for a successful email is:
"" "" = {
"errmsg" = "success "
"retval" = "0"
}
The output for a failed email would be:
"" "" = {
"errmsg" = "There was a problem because ..."
"retval" = "1"
}
To configure Bravura Security Fabric to use plugin-email-domino:
Install the Lotus Notes / Domino client as described in Lotus Domino Server.
Copy the ID file that will be used to send email, to the Bravura Security Fabric server.
Ensure that Bravura Security Fabric can determine users’ email addresses.
Configure the global mail settings as follows:
GLOBAL MAIL PLUGIN
plugin-email-domino.exe
GLOBAL MAIL PLUGIN MAILDIR
Empty. This option is ignored.
MAIL AUTH LOGIN
The path to the ID file that will be used to send email; for example, C:\idfiles\user.id.
MAIL AUTH PASSWORD
The password for the ID file specified by MAIL AUTH LOGIN.
MAIL SERVER PORT
Any numeric value. This option is ignored.
MAIL SERVER
Any value. This option is ignored. The plugin determines this value from the Notes API.
RECIPIENT EMAIL
The Bravura Security Fabric administrator's full name or Notes mail address; for example, IDMS Admin/global@example.local.
SENDER EMAIL
The address that appears as the sender when email is sent to addresses specified in RECIPIENT EMAIL. plugin-email-domino uses this to retrieve the sender's ID file to use as the sender.