Configure local mail server for SAP HANA DB

Monitoring a HANA database is part of an administrator’s daily work. So that you don’t have to dig laboriously through the individual logs, it makes sense to activate the SAP Alerting Framework and have it send mail automatically when threshold values are exceeded.

Unfortunately, SAP has not provided a way for the Alerting Framework to authenticate against a mail server (SMTP-Auth). This is incomprehensible, since nowadays it is necessary to authenticate to the internal SMTP server even within one’s own company network. However, this gap can be worked around with the underlying Linux server.

The goal of this configuration is to create a workaround. The alerting framework is configured to use the local mail server of the underlying Linux operating system, which does not require authentication.

The local mail server then forwards the mail to the organization’s mail server and authenticates itself to it.

For a HANA DB, as of 2020, the only options are to run the database on a Red Hat release or on SUSE Linux Enterprise Server. These instructions refer to the Postfix SMTP server that is shipped by default with SLES 12. The settings should also work, slightly modified, with other mail servers such as Exim.

Customize Postfix main.cf

The main configuration is located in the file main.cf. It is very large, but also contains many explanations. The settings mentioned below can be found in my example starting at line 690, but you can also just search for inet_interfaces. This is the first setting to be changed.

$ sudo vim /etc/postfix/main.cf
## Only the local network interface can receive mail
inet_interfaces = 127.0.0.1

...

## What is this SMTP server responsible for? My domain and my host.
mydomain = intranet.local
mydestination = $myhostname,  localhost.$mydomain, $mydomain

## This defines the actual SMTP server to which we want to deliver the mail. It can be an Exchange server or any other SMTP server that can be addressed via SMTP_AUTH.
relayhost = smtp.intranet.local

...
## The authentication settings are made here. When Postfix acts as a client, it must authenticate itself. It finds the credentials in the hashed file saslpasswd
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd

## No authentication is required toward Postfix itself. This lets the HANA DB deliver its mail. Combined with the restriction to the local interface, this is acceptable.
smtpd_sasl_auth_enable = no

After the configuration has been adjusted, the file for the access data for the mail server must be created and hashed.

Store the access data

In order for the local mail server to be able to deliver mail to another mail server, it must authenticate itself to that mail server. For this purpose, the credentials are stored in plain text in the file /etc/postfix/saslpasswd. It is important to restrict the file permissions so that this data is not visible to everyone. Postfix itself works only with a hashed file (saslpasswd.db). This is created with postmap.

$ sudo vim /etc/postfix/saslpasswd
smtp.intranet.local      user:password

$ sudo chmod 600 /etc/postfix/saslpasswd
$ sudo postmap /etc/postfix/saslpasswd

After the file is created, restart the Postfix server and create a test mail. To check whether the Postfix service started without errors, you can use sudo systemctl status postfix to display the status. If there are any errors in the configuration, the service will not start.
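
One way to check the settings from this section before restarting Postfix, as an added example that is not part of the original article: a shell function that reads a main.cf and flags a listener that is not loopback-only, disabled relay authentication, and credential files that others can read. The function names and the smtp_tls_security_level check (a setting the article does not configure) are additions made here.

```shell
#!/bin/sh
# Added example (not from the article): audit main.cf for the relay setup above.
# Simplification: single-line "key = value" settings only, no continuation lines.

# Print the effective (last) value of parameter $2 in main.cf file $1.
cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                    # skip comment lines
        { k = $0; sub(/[ \t]*=.*/, "", k) }    # parameter name before "="
        k == key { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v) }
        END { print v }' "$1"
}

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Succeed only if file $1 exists and has no group/other permission bits.
owner_only() { [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Audit the main.cf at $1; print findings and return how many there were.
audit_relay() {
    cf=$1; findings=0
    # smtpd takes unauthenticated mail, so it must listen on loopback only.
    ifaces=$(cf_get "$cf" inet_interfaces)
    case "$ifaces" in
        127.0.0.1|localhost|loopback-only) ;;
        *) flag "inet_interfaces='$ifaces' is not loopback-only (unset means all)" ;;
    esac
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        flag "smtp_sasl_auth_enable is not yes"
    # Added check, beyond the article: without enforced TLS the SASL password
    # can cross the network to relayhost in clear text.
    case "$(cf_get "$cf" smtp_tls_security_level)" in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) flag "smtp_tls_security_level does not enforce TLS to relayhost" ;;
    esac
    # The plain-text credentials and the postmap output must be owner-only.
    map=$(cf_get "$cf" smtp_sasl_password_maps)
    pw=${map#*:}                               # strip the "hash:" type prefix
    for f in "$pw" "$pw.db"; do
        owner_only "$f" || flag "$f is missing or accessible to group/others"
    done
    [ "$pw" -nt "$pw.db" ] && flag "$pw is newer than $pw.db: rerun postmap"
    return "$findings"
}
```

Source the file and run audit_relay /etc/postfix/main.cf as root; the return code is the number of findings. Any inet_interfaces value other than the three loopback forms listed is flagged for manual review.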

Send test mail

$ sudo systemctl restart postfix
$ mail -r  -s "Test Mail from Linux" 
Text of the mail
The mail program is terminated with a single period on a line by itself
.
EOT
$  

If you want to write to multiple recipients, you must use mailx. It works similarly to the mail program.

$ mailx -R  -s "Test Mail from Linux" , 

Mail(x) is an interactive program. If you want to attach log files in a batch script, it works (only?) if you pass the contents to mail(x).

$ cat /tmp/logfile.txt | mailx -R  -s "Test Mail from Linux" , 

You can see what Postfix has done by using the journalctl command.

$ sudo journalctl -u postfix

What to note: Postfix, like other mail servers, is very powerful. You should therefore have some basic understanding of SMTP; otherwise a misconfiguration can open a security hole. Such a configuration should therefore fit into the company’s security policy and be discussed with the security officers.

Nevertheless, with these simple configuration adjustments, the alerting framework of the HANA DB can be routed to the local mail server. I will explain how to set up the alerting framework in another article.

Links

Little help for Postfix – http://www.postfix.org/SOHO_README.html