Endpoint Protection


SEPM Sending E-Mails From Unknown Account

  • 1.  SEPM Sending E-Mails From Unknown Account

    Posted Mar 19, 2012 03:44 PM

    Greetings.

     

    I have a clean build of SEPM 12.1 RU1 on a freshly formatted Win7 x64 machine.

    I have not configured the SEPM E-Mail Server yet it is sending notifications from an unknown e-mail address from my domain.

    If I go to the Server Properties Page and E-Mail Server Tab there is nothing configured there.

    If I send a test message it succeeds with all the fields blank.

     

    Can anyone shed some light on this issue?



  • 2.  RE: SEPM Sending E-Mails From Unknown Account

    Broadcom Employee
    Posted Mar 19, 2012 11:46 PM

    Are the notifications from this SEPM?

    Did you check the notification and try deleting it and see if you still get those?



  • 3.  RE: SEPM Sending E-Mails From Unknown Account

    Posted Mar 20, 2012 12:34 AM

    Are you sure that during installation and configuration of server you have not mentioned the mail server address?



  • 4.  RE: SEPM Sending E-Mails From Unknown Account

    Posted Mar 20, 2012 06:06 AM

    Hi reg,

    To illustrate your questions, can you post an example message (hopefully with its headers)?



  • 5.  RE: SEPM Sending E-Mails From Unknown Account

    Posted Mar 20, 2012 08:35 AM

    Thank you for the replies.

    @pete_4u2002: Notification e-mails are definitely from the SEPM.

    @SUPPORT-2-SUPPORT: Clean install with no previous backup config imported. The e-mail server settings are left blank.

    @Mick2009: They are default messages such as when a client is added to a group. The SEPM is contacting my HME and sending them to the SEPM's configured administrator's e-mail account.

    I am at a wall trying to figure out how this is even happening.

    Is it expected behavior for the SEPM to send messages from SEPM_Server@"mydomain" without configuring it?


  • 6.  RE: SEPM Sending E-Mails From Unknown Account

    Posted Mar 22, 2012 10:42 AM

    I have opened a support case and this issue is being elevated to level 2.

    SEPM_Server was most likely the name of a previous server build. But for a new build to be sending e-mails without any e-mail server configuration is still an issue.

    Has anyone reading this encountered this issue or even heard of an incidence like this before?

    I am leaning towards the SEPM obtaining information from older clients on the network. But why would any of the e-mail server configurations ever be stored in a client?



  • 7.  RE: SEPM Sending E-Mails From Unknown Account

    Posted Mar 26, 2012 04:05 PM

    Are you using roaming profiles or has an e.mail client been configured on this machine that would allow the machine to be able to use existing credentials in order to be able to send an e.mail alert?

    There is no "native" SMTP service in Windows 7, so it would have to either use the server settings (which are not configured) or existing settings in the system profile...



  • 8.  RE: SEPM Sending E-Mails From Unknown Account

    Posted Mar 26, 2012 04:22 PM

    Hi, Jason1222.

    Thanks for the questions.

    To answer:

    No roaming profiles are used nor has any e-mail client been configured on the system.

    Fresh OS build with no backup files used.

    I thought I was suppressing the messages (until a resolution could be found) by requiring SSL logon at a random port but then I got an Executive Weekly Summary Report yesterday so that made things more complicated.

    Another oddity is that the notifications are not even in the notifications list even though they are marked to be logged and e-mailed.

    But an even bigger issue is that the e-mail address that the SEPM is sending from does not even exist on my domain.



  • 9.  RE: SEPM Sending E-Mails From Unknown Account

    Posted Mar 26, 2012 04:52 PM

    You should not be concerned too much if the address does not exist. 

    It probably came from something like: SEPM_Server@domain.com

    * * * * * * * *

    Can you check the header information of the e.mail you received and tell me if it originated from your mail server's IP address or FQDN?

    If not, do you know/recognize the IP/name it did come from?

    You have a local Mail Server and an MX record in your DNS server.  With nothing configured the system is probably using a DNS lookup to find and send the message.

    What I will say, is a scary scary thing.  My Mail server is set to use SSL/TLS and authentication for sending all messages. 

    Like you, the e.mail address does not exist and under normal circumstances, mail cannot be sent with an unknown address...  But, with nothing configured in the E.mail server properties, I can send test messages.

    Which leads me to believe the system is looking up the MX record.



  • 10.  RE: SEPM Sending E-Mails From Unknown Account

    Posted Mar 26, 2012 05:37 PM

    Yes, you are correct, the messages are originating from SEPM@mydomain.

    Can you check the header information of the e.mail you received and tell me if it originated from your mail server's IP address or FQDN? 

    The message is originating from my Mail Server's IP with a HELO command by the Mail Server's FQDN with ESMTP and the SEPM is certainly using JavaMail protocol. The MX record appears to be the route as you suggested.

    Your apparent ability to recreate my issue is relieving (I do not want to rebuild from scratch yet again) but I am still perplexed that the SEPM would even attempt to generate an unknown sender message from an unconfigured account.

    Thank you for your time on this one, Jason1222!

    I will leave this post unresolved until I get final confirmation from Level 2+ support who hopefully will confirm this issue is by design (at which point I will mark resolved and configure the e-mail server settings tab!).
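
The header check requested in post 9 and reported in post 10, as an added example that is not part of the thread and not Symantec code: it reads the `Received` chain of a saved notification, takes the earliest hop as the origin, compares its IP with the known mail server addresses, and flags a JavaMail-style `Message-ID`. The sample message, host names, addresses and the function names are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample message; hosts, addresses and IDs are placeholders.
SAMPLE = """\
Received: from mail.example.test (mail.example.test [192.0.2.25])
\tby mail.example.test with ESMTP id ABC123
\tfor <admin@example.test>; Mon, 26 Mar 2012 16:00:00 -0400
Message-ID: <1234567.1.1332792000000.JavaMail.SYSTEM@sepm01>
From: SEPM_Server@example.test
To: admin@example.test
Subject: Constructed notification

body
"""

# "from <HELO name> (<reverse DNS> [<IP>]) ... with <protocol>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bwith\s+(?P<proto>\S+)", re.S)

def parse_hops(raw):
    """Return (message, hops); hops are ordered newest first, as in the file."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return msg, hops

def summarize(raw, mail_server_ips):
    """Report where the message entered the mail system and what generated it."""
    msg, hops = parse_hops(raw)
    origin = hops[-1] if hops else None  # last Received header = earliest hop
    message_id = msg.get("Message-ID", "")
    return {
        "from": msg.get("From"),
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "protocol": origin["proto"] if origin else None,
        "origin_is_mail_server": bool(origin) and origin["ip"] in mail_server_ips,
        # JavaMail's default Message-ID contains the literal ".JavaMail."
        "javamail_message_id": ".JavaMail." in message_id,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, {"192.0.2.25"}))
```

Only the hops added by servers you control are trustworthy; anything below the first `Received` line written by your own mail server can be supplied by the sender.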