Sendmail SMTP relay error but only from some ISPs

26 posts / 0 new
Last post
#1 Tue, 06/02/2009 - 22:21
Dim Git

Sendmail SMTP relay error but only from some ISPs

Hi People,

I have a very strange error (well to me it is strange anyway).

We have a problem sending email via our domain which is hosted remotely on a dedicated server (which we are responsible for maintaining) but it only happens in specific situations.

To simplify the story, here is the setup:

A laptop roaming and using an internet connections at an-isp.com can send and receive email. It sends email using our dedicated server's SMTP without a problem.

A desktop in the office connected to another-big-isp.com cannot send an email using our server's SMTP, it receives an error like this : "550 5.7.1 <recipient@somewhere.co.uk>... Relaying denied".

Of course, the desktop can send email using the SMTP servers of another-big-isp.com.

The dedicated server is running Fedora 5, Sendmail and GPL Virtualmin installed as a module in Webmin.

One strange symptom is that the desktop can send and email using our dedicated server SMTP provided it is destined for an email address at another-big-isp.com.

The only common denominator seems to be another-big-isp.com who are telling us that there are no blocked ports or anything else.

Has anybody got any ideas ?

I would greatly appreciate a clue or two.

Wed, 06/03/2009 - 00:07
Joe
Joe's picture

Mail client errors are not useful in troubleshooting mail problems. We need to see the maillog entry (or entries) that occur when you attempt to send mail.

--

Check out the forum guidelines!

Wed, 06/03/2009 - 06:03 (Reply to #2)
andreychek

Yeah, on Fedora, I believe the email log would be in /var/log/maillog.

That'd be really handy in being able to resolve this. But a few additional thoughts:

1. If someone is trying to send an email via your SMTP server, and receiving &quot;relay access denied&quot; -- make double-sure that &quot;Authenticate Outgoing SMTP&quot; is chosen in their desktop client. That's frequently not a default.

2. You say you have Fedora 5. That's really old :-) I believe support for it would have stopped roughly two years ago. I hope you have an alternate way of obtaining and applying security fixes ;-) You might consider a distro like CentOS, which is supported for 5 years -- as well as supported by the Virtualmin installer, which makes installing and configuring easy as pie! (and I like pie)

3. Since Virtualmin didn't setup Postfix, we might need to see your /etc/postfix/main.cf too, that may offer some clues.

Wed, 06/03/2009 - 07:01 (Reply to #3)
Dim Git

Thanks to you both for taking the trouble to think about and reply to my headache. :o)

Your posts re the logs caused me to take another delve into and a closer look.

Here is a copy of the lines which I found :
([XXX.XXX.XXX.XXX] is the IP of the senders connection of course)

<div class='quote'>
Jun 3 14:26:44 ns sendmail[17714]: n53DQiOi017714: from=&lt;nick@senders-domain.co.uk&gt;, size=371, class=0, nrcpts=1, msgid=&lt;200906031326.n53DQiOi017714@ns.the-hosting-servers-domain.co.uk&gt;, proto=ESMTP, daemon=MTA, relay=[XXX.XXX.XXX.XXX]

Jun 3 14:27:12 ns sendmail[17780]: n53DRCWX017780: ruleset=check_rcpt, arg1=&lt;fred@recipient-domain.co.uk&gt;, relay=[XXX.XXX.XXX.XXX], reject=550 5.7.1 &lt;fred@recipient-domain.co.uk&gt;... Relaying denied. IP name lookup failed [XXX.XXX.XXX.XXX]

Jun 3 14:27:14 ns sendmail[17780]: n53DRCWX017780: from=&lt;nick@senders-domain.co.uk&gt;, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[XXX.XXX.XXX.XXX]
</div>

The &quot;IP name lookup failed [XXX.XXX.XXX.XXX]&quot; part kinda looks a likely suspect to me. Again, I could be wrong but ...

If that is doing a reverse lookup to see if the IP number &quot;senders-domain.co.uk&quot; is the same as the IP the email came from. That could be the answer.

Does that sound likely ?

Or am I still as thick as two short planks ?

Thanks for reading.

Wed, 06/03/2009 - 07:08 (Reply to #4)
andreychek

Hmm, I wonder if there's some form of DNS issue going on.

For example, if you log in and type:

host google.com

Do you receive a series of IP addresses for Google?

Next, if you type (again, from on your server):

dig mx recipient-domain.co.uk

Does the resulting IP address point to your server?

If not, your system could think it needs to send the email elsewhere, potentially causing the error you saw.
-Eric

Thu, 06/04/2009 - 05:35 (Reply to #5)
Dim Git

Thanks Eric,

I hope I haven't confused things.

Did you mean &quot;dig mx senders-domain.co.uk&quot; because the problem is with our user sending email and it is refused at our server.

Assuming that to be I did a &quot;dig mx senders-domain.co.uk&quot; and this is what I got :

[root@ns /]# dig mx senders-domain.co.uk

; &lt;&lt;&gt;&gt; DiG 9.3.4 &lt;&lt;&gt;&gt; mx senders-domain.co.uk
;; global options: printcmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 8110
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;senders-domain.co.uk. IN MX

;; ANSWER SECTION:
senders-domain.co.uk. 5717 IN MX 5 mail.senders-domain.co.uk.

;; Query time: 39 msec
;; SERVER: 217.199.171.4#53(217.199.171.4)
;; WHEN: Thu Jun 4 15:23:54 2009
;; MSG SIZE rcvd: 55

Thanks again for your time.

Thu, 06/04/2009 - 05:41 (Reply to #6)
Dim Git

Also, Eric, I agree with you, this OS is a little old, unfortunately I am stuck with it for a while longer yet. :o(

I have also tried with &quot;Authenticate Outgoing SMTP&quot; set and unset but it made no difference.

And, Postfix does not seem to be set up on this box. I am scared to try to install it now in case it doesn't import Sendmail &quot;stuff&quot; properly afterwards.

Wed, 06/03/2009 - 10:38 (Reply to #7)
Joe
Joe's picture

<div class='quote'>If that is doing a reverse lookup to see if the IP number &quot;senders-domain.co.uk&quot; is the same as the IP the email came from. That could be the answer.

Does that sound likely ?</div>

The reverse lookup does not need to match. In some cases it <i>does</i> need to exist, which in your case it does not (that's the error here; not matching doesn't even come into play in that log...it simply doesn't resolve at all).

I don't know if that's why your server is rejecting the mail, but you could try fixing that problem first.

--

Check out the forum guidelines!

Thu, 06/04/2009 - 05:43 (Reply to #8)
Dim Git

Thanks Joe,

I have set up a reverse for the domain on another ISP connection so it won't match but at least it will be set up.

That seems to be delayed waiting for the great slow web. ;o)

I will update when it looks like it is done.

Thanks again.

Thu, 06/04/2009 - 12:05 (Reply to #9)
Joe
Joe's picture

Yeah, don't install Postfix. Eric was just wanting to know what your configuration looks like. Sendmail is fine, too, and there's no reason to change at this late stage in the game for this tired old server. ;-)

When you move to a new server (presumably running a longer lived OS, like CentOS) you can switch to Postfix, if you like (it's a bit easier to comprehend, troubleshoot, and configure, and it's also a bit faster and has a better security history).

--

Check out the forum guidelines!

Thu, 06/04/2009 - 12:12 (Reply to #10)
andreychek

Yeah, when I had said that, I didn't realize it was Sendmail you were using (I thought it was a manually configured Postfix -- yes, you had said it was Sendmail, but I was silly and overlooked that :-)

As Joe said, I wouldn't really recommend setting that up on this server, but perhaps on your next one.
-Eric

Thu, 06/04/2009 - 18:18 (Reply to #11)
Dim Git

OK, well thanks for trying guys.

Seems like we have run out of suggestions here. I really need to get this sorted so any thoughts where I can turn now ?

:o(

Thu, 06/04/2009 - 18:21 (Reply to #12)
Dim Git

That will teach me to be so quick posting a reply so early in the morning.

Before moving on I will of course test later today in case the reverse lookup has solved it.

Thu, 06/04/2009 - 18:21 (Reply to #13)
Joe
Joe's picture

I thought we were just getting started. You never gave us any more logs to go on after you fixed your reverse resolution problem, did you? We gotta see logs, man!

--

Check out the forum guidelines!

Thu, 06/04/2009 - 18:23 (Reply to #14)
Dim Git

WOW !

That was fast.

I will be back later when I have done some tests. Glad to know that you are still on the case. I got the impression it was over. Deep apologies. :o)

Thu, 06/04/2009 - 18:26 (Reply to #15)
Joe
Joe's picture

We're on the case until it is solved. Just like Huey, Louie and Dewey. But we needs the evidence.

--

Check out the forum guidelines!

Thu, 06/04/2009 - 18:29 (Reply to #16)
andreychek

I was thinking this was more like Larry, Moe, and Curly (especially with my knowledge of Sendmail!)

But regardless, we're here to help ;-)
-Eric

Thu, 06/04/2009 - 18:44 (Reply to #17)
Joe
Joe's picture

Or Groucho, Chico, and Harpo. I want to be Chico!

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:57
Dim Git

Me ? More like a doddery old fool like Mr Magoo but I think I would rather be Harpo, To be able to make music like that must be sooooo cool.

Anyway, thanks for sticking with this.

Today, it seems that the laptop cannot send when remote now. Since he was last able to send no changes have been made other than setting up reverse with the ISP (not the ISP that the laptop is connected to) I am beginning to wonder if that is a false lead.

Here is the log entry for that session :

[code:1]Jun 5 09:50:13 ns sendmail[27968]: n558oCTj027968: ruleset=check_rcpt, arg1=&lt;me@mydomain.co.uk&gt;, relay=cpc3-nott5-0-0-cust417.nott.cable.ntl.com [82.10.209.162], reject=550 5.7.1 &lt; me@mydomain.co.uk&gt;... Relaying denied

Jun 5 09:50:13 ns sendmail[27968]: n558oCTj027968: lost input channel from cpc3-nott5-0-0-cust417.nott.cable.ntl.com [82.10.209.162] to MTA after rcpt

Jun 5 09:50:13 ns sendmail[27968]: n558oCTj027968: from=&lt; nick@senders-domain.co.uk &gt;, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=cpc3-nott5-0-0-cust417.nott.cable.ntl.com [82.10.209.162][/code:1]

Just to make it clear, &acirc;

Sun, 06/07/2009 - 07:57
Dim Git

Me ? More like a doddery old fool like Mr Magoo but I think I would rather be Harpo, To be able to make music like that must be sooooo cool.

Anyway, thanks for sticking with this.

Today, it seems that the laptop cannot send when remote now. Since he was last able to send no changes have been made other than setting up reverse with the ISP (not the ISP that the laptop is connected to) I am beginning to wonder if that is a false lead.

Here is the log entry for that session :

[code:1]Jun 5 09:50:13 ns sendmail[27968]: n558oCTj027968: ruleset=check_rcpt, arg1=&lt;me@mydomain.co.uk&gt;, relay=cpc3-nott5-0-0-cust417.nott.cable.ntl.com [82.10.209.162], reject=550 5.7.1 &lt; me@mydomain.co.uk&gt;... Relaying denied

Jun 5 09:50:13 ns sendmail[27968]: n558oCTj027968: lost input channel from cpc3-nott5-0-0-cust417.nott.cable.ntl.com [82.10.209.162] to MTA after rcpt

Jun 5 09:50:13 ns sendmail[27968]: n558oCTj027968: from=&lt; nick@senders-domain.co.uk &gt;, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=cpc3-nott5-0-0-cust417.nott.cable.ntl.com [82.10.209.162][/code:1]

Just to make it clear, &acirc;

Fri, 06/05/2009 - 01:51
Joe
Joe's picture

I'm confused by what I'm seeing here in your example session via telnet. It looks like you're expecting your server to relay on behalf of a completely unknown sender (you, without authentication).

That would make your mail server the equivalent of a burglar or something (open relays are among the vilest evils on the Internet)...so I don't think you really want what you tried to work.

Unless, of course, you were connecting from the server itself. Which is an entirely different thing...and when you say, &quot;when remote&quot;, it makes me think sending works when you are on the same network as the mail server. Which means your not authenticating, but it allows unauthenticated sending when you are local. All of that is pretty sensible.

So, why not configure your mail client to authenticate to the server? I assume you have saslauthd setup and running to provide SMTP authentication service?

--

Check out the forum guidelines!

Fri, 06/05/2009 - 21:51 (Reply to #21)
Dim Git

OK, now I feel really stupid !

The telnet session was indeed from my PC and yes, of course it wouldn't authenticate. I should have realised that. If I do the same from the server, it does work ans the email is sent.

The mail client is set to authenticate, so that should be OK.

Now, saslauthd is another matter. Perhaps we are getting somewhere.

I know nothing of SASL and have done a lot of reading since your post, thanks Joe.

SASL does seem to be set up and running. In Webmin, Dovecot, User and Login Options I find :

&quot;SASL authentication realms&quot; is set to &quot;None&quot;
&quot;Default authentication realm&quot; is set to &quot;Default&quot;
&quot;Authentication methods&quot; is set to &quot;Plain-Text&quot;

I have searched for a method of testing if SASL is working but can only find references to Postfix and as you know, I am using Sendmail.

Can you offer any pearls of wisdom to this Dim Git ?

&quot;When remote&quot; means that the laptop is away from the office and connected via a different ISP. Sorry for confusing the issue.

Many thanks for your patience with me.

Fri, 06/05/2009 - 21:56 (Reply to #22)
Dim Git

Oops ! Double post, apologies.

On reflection and bearing in mind that the laptop issue seems to be a false lead because that is now not working, this does seem to be just an authentication issue.

Fri, 06/05/2009 - 22:17 (Reply to #23)
Joe
Joe's picture

<div class='quote'>Webmin, Dovecot, User and Login Options I find :

&quot;SASL authentication realms&quot; is set to &quot;None&quot;
&quot;Default authentication realm&quot; is set to &quot;Default&quot;
&quot;Authentication methods&quot; is set to &quot;Plain-Text&quot;</div>

Dovecot and saslauthd are not the same thing. The Dovecot you see in Webmin is a POP/IMAP server; nothing to do with SASL at all. There <i>is</i> a Dovecot SASL server, but it's probably not the one you have (it's not the default in Virtualmin systems at this time, though I imagine it must be better than Cyrus), as it didn't exist (or at least wasn't production quality) <i>way</i> back in the dark ages when your OS was released. ;-)

So, don't imagine SASL is setup just because Dovecot is. They almost certainly aren't related in any way.

To see if saslauthd is actually running:

service saslauthd status

But...you should be aware that saslauthd is not very intuitive to setup. You'd probably remember it, if you'd set it up, because it takes a lot of reading if you don't happen to stumble onto the right incantations early in the process.

--

Check out the forum guidelines!

Fri, 06/05/2009 - 22:36
Dim Git

WOW ! You are very quick with your replies.

Not surprisingly, you get the right answers when you ask the right question. Until now I didn't know the question should have been &quot;Why can't I authenticate&quot;. This has been something of learning curve for me. Thanks for your help.

I didn't set up saslauthd because I inherited this server and it's problems. :o(

If I do : service saslauthd status

I get : saslauthd (pid 7961 7960 7959 7958 7957) is running...

Now I am looking for the right thing I have been doing some more reading of other threads here. I found your FAQ on setting up SASL, brilliant but not about Sendmail :o(

Anyway, I did the telnet session as suggested there :

[code:1][root@ns ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 ns.the-servers-domain.co.uk ESMTP Sendmail 8.13.8/8.13.8; Sat, 6 Jun 2009 08:24:29 +0100
ehlo localhost
250-ns.the-servers-domain.co.uk Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
exit[/code:1]

There were no &quot;AUTH lines&quot;.

I continue my reading.

Thanks

Fri, 06/05/2009 - 23:24 (Reply to #25)
Joe
Joe's picture

So, you're treading in waters where I have never been. While I have administered Sendmail servers in the distant past, I have never setup saslauthd with Sendmail (SMTP authentication didn't even exist, as far as I know, the last time I setup a Sendmail server...it was still POP-before-SMTP, or you just gave it your IP addresse ranges).

We can help with saslauthd...but Sendmail, maybe someone else around here knows how to do it. I know Scott is a big Sendmail fan, and he's a regular around these parts. Maybe he'll chime in.

--

Check out the forum guidelines!

Topic locked