SMTP Configuration

SMTP Short for simple mail transfer protocol, SMTP is a protocol for sending email messages between servers. settings to enable Keyfactor Command to deliver reports and alerts via email are generally specified during initial Keyfactor Command installation and configuration, but can be modify through the Management Portal if needed.

System Settings → SMTP Configuration

To make a change to these settings:

1. On the SMTP Configuration page, modify the configuration as needed.

2. In the General section of the page, configure:

   • Host: The FQDN of your SMTP server.

   • Port: The SMTP port that your SMTP server receives messages on. Common ports are:

     • 25 — Traditional SMTP (server-to-server relay). Often allowed only from trusted hosts; may be STARTTLS-capable. This is the default.

     • 587 — Message submission (MSA). The modern, recommended port for apps/services. Uses AUTH and usually STARTTLS.

     • 465 — SMTPS (implicit TLS TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers.). TLS from the first byte; some providers still prefer this.

   • Sender Name: The display name used as the sender of the messages coming from Keyfactor Command. This does not typically need to be a valid value in your mail server.

   • Sender Account: Specifies the account used to send email.

     • If Anonymous is selected for Relay Authentication, you may enter any value (your mail server must allow anonymous connections).

     • If Basic Authentication or OAuth Client Credentials is selected, you must enter a valid account recognized by your mail server.

   • Use SSL: Enable this if this option is supported by your mail server.

   In the Relay Authentication dropdown, select the appropriate authentication method for your environment:

   • Anonymous: No login. The server must allow unauthenticated relay (often IP-restricted).

   • Basic Authentication: Username and password (SMTP AUTH). Use with TLS/STARTTLS. Older and widely supported.

   • OAuth Client Credentials: Token-based (OAuth 2.0). No stored password.

   

   Figure 482: SMTP Configuration

3. In the Authentication section of the page if you selected Basic Authentication or OAuth Client Credentials, configure authentication information.

   Basic Authentication:

   • Set/Update Username: In the Username dialog, choose Load from Keyfactor Secrets or Load From PAM Provider, and follow the respective instructions.

   • Set/Update Password: In the Password dialog, choose Load from Keyfactor Secrets or Load From PAM Provider, and follow the respective instructions.

     Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the secret value in the Keyfactor Command database as a secret. Enter and confirm the value in the Secret Value field.

     Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

     Tip:  A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM.

     Select the Load from PAM Provider radio button if you want to store the secret value in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). Select a PAM provider in the Providers dropdown. The remaining fields on the dialog will vary depending on the PAM provider. For example:

     Keyfactor Command Local Database

     Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be:

     • Secret Reference Name: The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider).

     CyberArk

     Select your CyberArk provider in the Providers dropdown (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • PrivateArk Folder Name: The path and name of the folder that stores the secret (e.g., Root or Root\MyDir).
     • PrivateArk Protected Password Name: The name of the username or password to use for this instance.

     Delinea/Thycotic

     Select your Delinea/Thycotic provider in the Providers dropdown (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

     • Thycotic Secret ID: The numeric ID of the secret to retrieve from provider server.

     Hashicorp

     Select your Hashicorp Vault provider in the Providers dropdown (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

     • KV Secret Key: The key of the secret to retrieve from the Hashicorp Vault.
     • KV Secret Name: The name of the secret to retrieve from the Hashicorp Vault.
     

     

     Figure 483: SMTP Username

   OAuth Client Credentials:

   • Set/Update Client ID: The ID of the service account you registered in your OAuth provider for Keyfactor Command’s outbound email authentication. In the Client ID dialog, choose Load from Keyfactor Secrets or Load From PAM Provider, and follow the respective instructions.

   • Set/Update Client Secret: The secret of the service account you registered in your OAuth provider for Keyfactor Command’s outbound email authentication. In the Client Secret dialog, choose Load from Keyfactor Secrets or Load From PAM Provider, and follow the respective instructions.

   • Token Endpoint: The token endpoint An endpoint is a URL that enables the API to gain access to resources on a server. URL for the identity provider.

   • Scope: One or more scopes that should be included in token requests delivered to the identity provider when making a token request. Multiple scopes should be separated by spaces.

   • Audience: An audience value to be included in token requests delivered to the identity provider when making a token request.

   • Request Headers: Click Add to add one ore more custom OIDC request headers for the identity provider given as name/value pairs.

     Parameters configured in this value are added to the headers when Keyfactor Command sends an OIDC request to the OAuth server for the following request types:

     • Discovery Document

     • JSON Web Key Set

     • Token

   Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the secret value in the Keyfactor Command database as a secret. Enter and confirm the value in the Secret Value field.

   Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

   Tip:  A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM.

   Select the Load from PAM Provider radio button if you want to store the secret value in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). Select a PAM provider in the Providers dropdown. The remaining fields on the dialog will vary depending on the PAM provider. For example:

   Keyfactor Command Local Database

   Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be:

   • Secret Reference Name: The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider).

   CyberArk

   Select your CyberArk provider in the Providers dropdown (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

   • PrivateArk Folder Name: The path and name of the folder that stores the secret (e.g., Root or Root\MyDir).
   • PrivateArk Protected Password Name: The name of the username or password to use for this instance.

   Delinea/Thycotic

   Select your Delinea/Thycotic provider in the Providers dropdown (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be:

   • Thycotic Secret ID: The numeric ID of the secret to retrieve from provider server.

   Hashicorp

   Select your Hashicorp Vault provider in the Providers dropdown (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be:

   • KV Secret Key: The key of the secret to retrieve from the Hashicorp Vault.
   • KV Secret Name: The name of the secret to retrieve from the Hashicorp Vault.

   

   Figure 484: OAuth Client Credentials

4. You can test the settings either before or after saving them. Click the Test button, enter a valid email address (a mailbox you can access) in the Send a Test SMTP Message dialog and click Save. Verify that the test email is delivered. You will receive an error message if the test failed.

   

   Figure 485: Send an SMTP Test Message

5. Click Save to save any changes you have made.

To cancel any changes you’ve made without saving, click the Undo button.

Tip:  Click the help icon () next to the SMTP Configuration page title to open the Keyfactor Software & Documentation Portal to this section. You will receive a prompt indicating:

You are being redirected to an external website ‘software.keyfactor.com'. Would you like to proceed?

You can also find Help in the Navigator The Navigator is the Keyfactor Command left-hand (newer versions) or top (older versions) navigation menu. Certificate collections and reports can be configured to be added to the menu using user-defined Show in Navigator settings.. From here you can choose to open either the Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.

Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).