MSSQL - Database Mail XPs - Enable/Disable - sql-server

On MSSQL 2012 and MSSQL 2016 I use Database Mail for sending information from alerts, jobs, etc. I disabled the public and private profile and only DBO can send emails from MSSQL. But I still fight with the security audit, because their SW tells them that 'Database Mail XPs' is enabled.
Can I set 'Database Mail XPs' so that this functionality is enabled only when the alert or similar functionality needs to send email as DBO?
I get from security audit this message: The 'Database Mail XPs' setting determines whether or not Database Mail can be started on the server. Database Mail is a Microsoft SQL feature that provides the SQL Server Database Engine the ability to send e-mail messages. Email messages sent by the database may contain sensitive data. As a malicious user may exploit this capability to transfer data to systems outside the environment, this feature should be disabled/restricted as appropriate to the needs of the business. NOTE: By configuring the 'Database Mail XPs' option to "0" you can prevent the Database Mail utility from starting. If Database Mail is already running when setting the option to a value of "0", it will continue to run until being idle for the amount of time stipulated in the 'DatabaseMailExeMinimumLifeTime' option.
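
An added example, not part of the original post or of the audit tool's output: read-only T-SQL that collects the evidence behind "restricted as appropriate", covering the audited option, the idle timeout the note mentions, who may use which profile, and what has actually been sent. It uses documented `sys.configurations` and `msdb` objects; the 30-day window is an arbitrary choice.

```sql
-- Added audit example; every statement below only reads state.

-- 1. Configured value vs. value currently in effect for the audited option.
SELECT name,
       value        AS configured_value,
       value_in_use AS running_value
FROM sys.configurations
WHERE name = N'Database Mail XPs';

-- 2. Idle time (seconds) after which the Database Mail executable exits.
--    This is the DatabaseMailExeMinimumLifeTime value named in the audit note.
EXEC msdb.dbo.sysmail_help_configure_sp
     @parameter_name = N'DatabaseMailExeMinimumLifeTime';

-- 3. Profile-to-principal associations. A row for the public principal
--    means the profile is still public; with no public profile only
--    explicitly granted principals (and sysadmin) can use a profile.
EXEC msdb.dbo.sysmail_help_principalprofile_sp;

-- 4. Principals allowed to call sp_send_dbmail via DatabaseMailUserRole.
SELECT m.name AS member_name,
       m.type_desc
FROM msdb.sys.database_role_members AS rm
JOIN msdb.sys.database_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals AS m
  ON m.principal_id = rm.member_principal_id
WHERE r.name = N'DatabaseMailUserRole';

-- 5. Mail queued in the last 30 days: sender, recipients and whether a
--    file was attached, so unexpected senders or destinations stand out.
SELECT send_request_user,
       send_request_date,
       recipients,
       subject,
       CASE WHEN NULLIF(file_attachments, N'') IS NULL THEN 0 ELSE 1 END
           AS has_attachment,
       sent_status
FROM msdb.dbo.sysmail_allitems
WHERE send_request_date >= DATEADD(DAY, -30, SYSDATETIME())
ORDER BY send_request_date DESC;
```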

Related

SQL Server Database Mail with "Modern" authentication to connect to Microsoft 365 / Exchange

In Database Mail, I find this statement:
Database Mail is an enterprise solution for sending e-mail messages from the SQL Server Database Engine or Azure SQL Managed Instance. Your applications can send e-mail messages to users using Database Mail via an external SMTP server.
As I've been using Database Mail for over ten years, this is good to read.
However, apparently Database Mail uses the .NET SmtpClient class, which has not been kept up-to-date and even recommends "MailKit".
In Exchange Online / Deprecation of Basic Authentication, I find the following phrase:
SMTP AUTH will still be available when Basic authentication is permanently disabled on October 1, 2022.
So the obvious question is whether SQL Database Mail with SmtpClient uses "SMTP AUTH" and therefore can still connect to Exchange without an SMTP relay.
Or if a relay is needed, would the built-in Windows Server SMTP relay be able to "upgrade" the credential exchange when connecting off-site?
We have Database Mail configured using an outlook.com account, so there are definitely cases where Database Mail can send to a Microsoft-controlled email server using SMTP.
Bottom line, do we need to know anything other than that SMTP AUTH is still available?

Database Mail configuration in 2023 onward

I've been using Database Mail successfully for about ten years, but it seems that while mail protocols and security have moved forward, SQL Server Database Mail has not.
At a new company, I've spent a full work day already trying various credentials and parameters. The most recent release I have tested with is SQL Server 2019.
What I believe I need to know is how to configure SQL Server Database Mail to work with one of the following:
Office 365 or Exchange SMTP
Windows [Server] SMTP relay
In tests with GMAIL/SMTP, AT&T/SMTP and Earthlink/SMTP, all returned errors, and at least some of the error messages are clearly from the destination SMTP service and not the result of firewall or connectivity problems. For example:
The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 8 (2023-01-06T11:14:56). Exception Message: Cannot send mails to mail server. (Mailbox unavailable. The server response was: 5.5.1 Authentication Required - ELNK003_308 - https://postmaster-earthlink.vadesecure.com/outbound_error_codes/#_308). )
Unfortunately, error 308 is not actually documented within the linked Earthlink page.
Looking into some available posts, I find that Database Mail is said to use the SmtpClient class, which in turn is pretty much obsolete, with recommendations to use MailKit. That's fine, but SQL Server Database Mail has apparently NOT been updated to use MailKit.
Returning to what I think are my choices from above:
If I am to configure SMTP to Office 365 (we already have an account) or Exchange (if we have Exchange also), then what SMTP configuration parameters do I need to use with Database Mail and within Office 365?
=OR=
If I am to use Windows Server SMTP relay, then how do I configure the SMTP relay's OUTPUT mail to satisfy the "modern" security requirements of Office 365, GMAIL, Earthlink or AT&T?
(I've used the Windows Server SMTP relay in years past, but only to offload the messages from SQL Server, not to satisfy security requirements)

How to setup Email subscription in SQL Server 2016 Reporting Services

Just wondering how to set up a SQL Server Reporting Services subscription to email the report as an attachment.
When setting up a usual subscription for a report, it seems to only provide a Windows File Share option.
Are there any clean instructions on how to set up email distributions of a report (to a list of email addresses) with the generated report sent as an attachment?
Kind regards,
Stefan
Okay, I had to set up an SMTP server and update the Email Settings in the Reporting Services Configuration Manager.
https://msdn.microsoft.com/en-us/library/ms159155.aspx#bkmk_configure_for_local_or_remote_SMTP
Only after configuring this did the Email option become available when setting up the subscription.

Send SQL Server Email With Attachment Without Using sysadmin privilege

I am trying to send an email using the sp_send_dbmail stored procedure of SQL Server with an attachment.
My account doesn't have sysadmin privileges; when an attachment is sent as a normal SQL Server user, I get this error:
The client connection security context could not be impersonated.
Attaching files requires an integrated client login
Is there any way to send SQL Server email with an attachment without using sysadmin privileges?
Well, if you would have looked at the MSDN documentation for sp_send_dbmail, it says:
Database Mail uses the Microsoft Windows security context of the current user to control access to files. Therefore, users who are authenticated with SQL Server Authentication cannot attach files using @file_attachments. Windows does not allow SQL Server to provide credentials from a remote computer to another remote computer. Therefore, Database Mail may not be able to attach files from a network share in cases where the command is run from a computer other than the computer that SQL Server runs on.
So from this it's clear you have to be connected to SQL Server using Windows authentication (with Integrated Security=SSPI; in your connection string) in order to be able to attach files to e-mails.
This will solve the problem; you just need to provide sysadmin rights to the SQL user.
Command:
sp_addsrvrolemember 'User', 'sysadmin'

How to use gmail account for ssrs email subscription

I have a report using SSRS 2008 R2, I want to subscribe to this report using the "email" option. I have configured the settings in the reporting services manager to use server as "smtp.gmail.com" and sender address as my gmail ID.
I also tried using the SMTP virtual server and relay it using smart host as "smtp.gmail.com". But I get the following error while sending email :
Failure sending mail: The transport failed to connect to the server.
I am using IIS 7 and Windows Server 2008. Following is the snippet of my rsreportserver.config file:
<SMTPServer>smtp.gmail.com</SMTPServer>
<SMTPServerPort>587</SMTPServerPort>
<SMTPAccountName></SMTPAccountName>
<SMTPConnectionTimeout></SMTPConnectionTimeout>
<SMTPServerPickupDirectory></SMTPServerPickupDirectory>
<SMTPUseSSL>True</SMTPUseSSL>
<SendUsing>2</SendUsing>
<SMTPAuthenticate></SMTPAuthenticate>
<From>myid@gmail.com</From>
Any help will be highly appreciated.
Thanks
I was having problems getting SSRS 2017 to connect. I tried a dozen different suggestions and ended up with the following. I didn't need to set up the SMTP relay or SMTP service on the Windows server.
Open Reporting Services Configuration Manager. Go to E-mail Settings >>>
Sender Address: [user]@gmail.com (or your G-Suite domain)
Current Delivery Method: Use SMTP server
SMTP Server: smtp.gmail.com
Authentication= "Username and password (basic)"
Username: [user]@gmail.com (or your G-Suite domain)
Password
Confirm Password
Use Secure Connection: Checked
Now go to the rsreportserver.config file. Mine was located at
C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\rsreportserver.config
Find the <SMTPServerPort> and set to 587
Save rsreportserver.config
You'll also need to enable "Less secure app access" in the Security section of your Google Account settings, otherwise it will throw authentication errors.
Having struggled with this for the past few hours I thought it might be valuable to share another method for anyone else still unable to configure an SSRS instance to send subscription emails via gmail using their smtp relay service.
For this example, my company uses Gmail Servers to host our own domain and I assume that you have access to the Admin Console on Google Apps.
Step 1 - Configure Gmail
Log into Google Apps with an Administrator Account
Go into the admin console
Select Apps > Gmail > Advanced Settings
Find SMTP Relay Service
Add New
Allowed Senders - Set to "Only Addresses In My Domains"
Authentication - Set to "Only Accept Mail From Specified IP"
Add the Public IP Range of the Server SSRS is running on
Leave TLS Encryption Unchecked
Leave SMTP Authentication Unchecked
Save
You should then have settings that look like this:
Allowed senders: Only addresses in my domains
Only accept mail from the specified IP addresses: Yes
Allowed IP addresses: (Your Description)
Require SMTP Authentication: No
Require TLS encryption: No
Step 2 - Configure SSRS
Go to SSRS Configuration Manager > Email Settings
Enter Sender address as email@yourgmaildomain.co.uk
Use SMTP Server
SMTP Server = "smtp-relay.gmail.com"
Following these steps will allow you to send emails using SSRS subscriptions without needing to set up your own relay server. Hope this helps some other poor soul from spending hours trying to figure it out!
REF:
https://support.google.com/a/answer/2956491?vid=1-635782669150538047-3380580329
From what I have read, it sounds like you might have to setup a local SMTP relay server that you send the email through, b/c SSRS requires that "The Report Server service must have Send As permissions on the SMTP server" and does not appear to give any options for entering a password. I am assuming the SSRS subscription email setup only works using Windows authentication since it uses the SSRS Service, but the configuration documentation is vague. (http://technet.microsoft.com/en-us/library/ms345234(v=sql.105).aspx )
Here is a link that shows how to setup the SMTP relay server http://www.vsysad.com/2012/04/setup-and-configure-smtp-server-on-windows-server-2008-r2/
Here are the steps you'll need to do differently.
Item 19, choose Basic Authentication, enter your gmail account info, and make sure TLS encryption is checked.
Item 21, enter your server name as the fully-qualified domain name. Enter "smtp.google.com" as the "Smart host".
Then specify the SMTP server you just created above in your SSRS SMTP configuration.
You probably also need to enable POP3 on your gmail account if you have not already. https://support.google.com/mail/answer/13273?cbid=wl8yzeug2lob&src=cb&lev=topic
