seifn06 Tux's lil' helper
Joined: 19 Sep 2004 Posts: 90 Location: Lowell, Michigan
Posted: Wed Jun 05, 2024 8:48 pm Post subject: [SOLVED] Sendmail rejects all outgoing email, config issue?
Hello!
I'm setting up a small office email server using mail-mta/sendmail-8.17.1.9 and Sendmail rejects every outbound email not destined for a mailbox on the local server computer running Sendmail. I suspect I've got a configuration issue with either my Gentoo system setup (ex: hostname, hosts or /etc/mail/sendmail.cf) or maybe the latest version of Sendmail has changed from the last time I installed it 2 years ago and has gotten a lot stricter about relaying? Do my server logs below give any clues about how to solve this problem? How do I troubleshoot sendmail to determine if it's correctly reading my access.db file? Is there anything wrong with my configuration? Do file permissions matter on my access.db or other sendmail config files?
I recently installed Gentoo on a new build and am setting up a new server. I have successfully set up older Sendmail versions on older Gentoo systems and suspect I have a configuration issue. I have tried tweaking my /etc/mail/access file many times now and recompiling that and restarting sendmail without success. I get the same results whether I'm using my Thunderbird email reader client on my remote computer or using telnet at the local terminal on the sendmail server.
My server logs show:
Code:
Jun 5 15:28:07 <local_server_host_name> sm-mta[6361]: 455JRr1H006361: ruleset=check_rcpt, arg1=<destination@gmail.com>, relay=<remote_sender_host_name>.<domain_name>.com [192.168.0.222], reject=550 5.7.1 <destination@gmail.com>... Relaying denied
Jun 5 15:28:07 <local_server_host_name> sm-mta[6361]: 455JRr1H006361: lost input channel from <remote_sender_host_name>.<domain_name>.com [192.168.0.222] to MTA after rcpt
Jun 5 15:28:07 <local_server_host_name> sm-mta[6361]: 455JRr1H006361: from=<sender_email>@<domain_name>.com, size=469, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=<remote_sender_host_name>.<domain_name>.com [192.168.0.222]
My sendmail.mc:
Code:
divert(-1)
divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`$Id$')dnl
OSTYPE(linux)dnl
DOMAIN(<domain_name>.com)dnl
define(`ALIAS_FILE', `/etc/mail/aliases')
define(`confBAD_RCPT_THROTTLE', `4')dnl
define(`confCONNECTION_RATE_THROTTLE', `6')dnl
define(`confDONT_PROBE_INTERFACES', `true')dnl
define(`confMAX_ALIAS_RECURSION', `6')dnl
# see "Sendmail, 3rd Ed." page 1012
define(`confMAX_HEADERS_LENGTH', `16384')dnl
# see "Sendmail, 3rd Ed." page 1015
define(`confMAX_QUEUE_CHILDREN', `4')dnl
# see "Sendmail, 3rd Ed." page 1016
define(`confMAX_RCPTS_PER_MESSAGE', `40')dnl
# see "Sendmail, 3rd Ed." page 1024
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
# see "Sendmail, 3rd Ed." page 1029
define(`confPRIVACY_FLAGS', ``authwarnings, goaway, noetrn, restrictmailq, novrfy, noexpn'')dnl
# see "Sendmail, 3rd Ed." page 1053
define(`confSINGLE_LINE_FROM_HEADER', `true')dnl
# see "Sendmail, 3rd Ed." page 1055
define(`confSMTP_LOGIN_MSG', `$j Sendmail $v. Speak friend and enter:')dnl
# see "Sendmail, 3rd Ed." page 1057
define(`confSAFE_QUEUE', `true')dnl
#
#
#
# End Sendmail option definitions
# see "Sendmail, 3rd Ed." page 162-3
MASQUERADE_AS(`<domain_name>.com')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`allmasquerade')dnl # page 176
FEATURE(`always_add_domain')dnl # page 176
FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`local_lmtp',`/usr/sbin/mail.local')dnl
FEATURE(`local_procmail')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
My <domain_name>.com.m4 file:
Code:
divert(-1)
#
# Edited by ____
#
divert(0)
VERSIONID(`$Id: <domain_name>.com.m4, version 1.0, 8 July 2005 <handle> Exp $')
define(`confFORWARD_PATH', `$z/.forward.$w+$h:$z/.forward+$h:$z/.forward.$w:$z/.forward')dnl
define(`confMAX_HEADERS_LENGTH', `32768')dnl
FEATURE(`redirect')dnl
FEATURE(`use_cw_file')dnl
My *partial* /etc/mail/access file:
Code:
From:localhost RELAY
From:<local_server_host_name>.<domain_name>.com RELAY
From:<domain_name>.com RELAY
From:<remote_sender_host_name>.<domain_name>.com RELAY
From:192.168.0.222 RELAY
From:<remote_sender_host_name>.<domain_name>.com RELAY
From:192.168.0 OK
From:<sender_email>@<domain_name>.com RELAY
I compile the above /etc/mail/access file using the following command then restart sendmail:
Code:
# makemap hash /etc/mail/access.db < /etc/mail/access
Any insights are most appreciated!
Last edited by seifn06 on Thu Jun 06, 2024 6:53 pm; edited 1 time in total
szatox Advocate
Joined: 27 Aug 2013 Posts: 3439
Posted: Wed Jun 05, 2024 9:31 pm
Well, I use postfix rather than sendmail, but it's likely to be some common issue.
1) Which port do you use for sending your mail? SMTP or mail submission?
Some servers allow mail submission on either, some require you to use the mail submission port for mail sent from its supported domain.
2) Are you sending your mail as an authenticated user? And I mean authenticated in the SMTP connection. This is a common requirement, to avoid relaying spam.
Are you using a valid account? With/without domain? Aliases may or may not be considered for authentication, depending on your setup.
3) Do you connect with your mail client directly to the server in question, or does your mail go through another MTA first and then get rejected? Is that other MTA trusted by the server?
Postfix has mynetworks for that; I'd be surprised if sendmail didn't have an equivalent option.
seifn06 Tux's lil' helper
Joined: 19 Sep 2004 Posts: 90 Location: Lowell, Michigan
Posted: Thu Jun 06, 2024 12:28 am
Hi szatox,
1) I use port 25 (SMTP) for mail submission and confirmed this by telnet'ing into port 25 on my server and interacting with Sendmail that way.
2) No, I'm not sending email as an authenticated user. This is a good idea. I'll look into whether Sendmail requires this now. It has not been a requirement in past versions.
3) I'm connecting directly to my sendmail server both with my Thunderbird email client and using telnet into port 25 on my server. Email sent in both methods is rejected in the same way. Interestingly, when I use telnet to connect to my sendmail server and submit an email message, Sendmail accepts the message but immediately generates a bounce/return message telling me the message was rejected. Whereas, when I try sending the message from Thunderbird, the message never successfully sends and I get a window popup telling me my message was rejected. (Same 550 rejection message in both cases.)
Code:
<server_host_name> ~ # telnet 192.168.0.219 25
Trying 192.168.0.219...
Connected to 192.168.0.219.
Escape character is '^]'.
220 <server_host_name>.<domain_name>.com ESMTP Sendmail 8.17.1.9. Speak friend and enter:
HELO <server_host_name>
250 <server_host_name>.<domain_name>.com Hello <server_host_name>.<domain_name>.com [192.168.0.219], pleased to meet you
MAIL FROM:<sender_email>@<domain_name>.com
250 2.1.0 <sender_email>@<domain_name>.com... Sender ok
RCPT TO:<destination_email>@gmail.com
250 2.1.5 <destination_email>@gmail.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: test message sent from telnet at Jun 5, 2024, 8:25 PM
Hello, world!
This message was sent on Jun 5, 2024 at 8:26 PM.
.
250 2.0.0 4560PBde008443 Message accepted for delivery
QUIT
221 2.0.0 <server_host_name>.<domain_name>.com closing connection
Connection closed by foreign host.
<server_host_name> ~ #

Thank you!
szatox Advocate
Joined: 27 Aug 2013 Posts: 3439
Posted: Thu Jun 06, 2024 1:27 am
I see. In this case, does your sendmail listen on port 587? If it's available, it is worth a try.
Being an anonymous user is the most likely reason for bounces though; if your server allowed that, it would essentially be an open relay and instantly get blacklisted into oblivion, so rejecting is the only possible sane default.
Another thing that usually is not allowed is plaintext login over an insecure channel, so you might need to configure SSL. I don't see any obvious indicators that you already have it. Alternatively, CHAP should be OK-ish even unencrypted, if your server supports it.
I don't know why tb and telnet give you different results; you could snoop on the conversation with tcpdump or something, but it would probably be just for the sake of curiosity rather than to solve the problem.
Ralphred l33t
Joined: 31 Dec 2013 Posts: 654
Posted: Thu Jun 06, 2024 11:17 am
There are a bunch of "reasons" for a 5.7.1/550 rejection (just grep 550 sendmail.cf). If you are not getting the full message in the rejection you may be better served temporarily altering some of the error codes to distinguish between them. Unless you have confAUTH_OPTIONS set, setting up auth at this stage would just frustrate things. It might also be worth temporarily setting FEATURE(`accept_unresolvable_domains') to give a direction to start looking in if it works.
seifn06 Tux's lil' helper
Joined: 19 Sep 2004 Posts: 90 Location: Lowell, Michigan
Posted: Thu Jun 06, 2024 3:24 pm
After some more testing, I determined I'm able to send outgoing email to a hotmail.com email address when I telnet into my Sendmail server's port 25 from the server #/$ prompt (i.e. when my email message originates on and is sent from my local server). I'm still unable to send email to other addresses including Gmail, but this is due to a reverse DNS problem I believe I've fixed. On past working Sendmail servers, I had to make sure I had a correctly configured reverse DNS PTR record setup which mapped my subdomain.domain.com to the static IPv4 address I get from my ISP. I updated this rDNS record this morning through my server's ISP and confirmed that a reverse DNS lookup run on mxtoolbox.com confirmed this record has been updated, though I know it can take time for a DNS update to propagate out through the internet.
What tool can I use on my server to test/check reverse DNS? I use nslookup on my Windows computers and can google reverse DNS lookup, but my Gentoo box has no GUI and I want to know if the relaying denied error is due to DNS issues. I don't have nslookup or host commands on my Gentoo box. And emerge --search nslookup does not return anything useful.
I think what's happening is that my Sendmail server is blocking relaying from my Thunderbird mail client running on a separate host on the same LAN as the server AND Gmail is also blocking mail from my domain because until this morning I did not have reverse DNS correctly configured. My suspicion is that when the reverse DNS record is fully updated I'll be able to send email to Gmail addresses using telnet or a local mail client like alpine running on my server. I understand that my Sendmail access db governs whether/what senders Sendmail allows to relay email. So I'm back to suspecting my sendmail configuration and concerns around my access file causing the relaying denied messages on my Thunderbird client. Is there a way I can get Sendmail to spit out/echo what it read from my access db file?
I tried adding FEATURE(`accept_unresolvable_domains') to my sendmail.mc file, then re-compiled the sendmail.mc to sendmail.cf file with # m4 sendmail.mc > sendmail.cf and restarted sendmail. I still got the same relaying denied message/behavior. (Is this how you would test this feature, Ralphred? If not, can I ask you to elaborate on how I would use this feature to troubleshoot, please?)
How do I use the output from 'grep 550 sendmail.cf' to troubleshoot? Only the third line in the output from that command seems to match my situation, but I don't know what to do with that information. Would I try to find that particular line in the sendmail.cf file and look for comments around that line to inform my troubleshooting? Can I invoke/run sendmail from the command line to get more debugging information, and if so, how?
Code:
<server_host_name> ~ # grep 550 /etc/mail/sendmail.cf
R<REJECT> <$*> $#error $@ 5.7.1 $: "550 Access denied"
R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"
R$* $#error $@ 5.7.1 $: "550 Relaying denied"
R<FORGED> $#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name}
R<FAIL> $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{client_name}
R$@ $| $* $#error $@ 5.7.1 $: "550 not authenticated"
R$* $#error $@ 5.7.1 $: "550 " $&{auth_authen} " not allowed to act as " $&{auth_author}
R<NO>$* $#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"]"
<server_host_name> ~ #

Thank you for the ideas and help!
szatox Advocate
Joined: 27 Aug 2013 Posts: 3439
Posted: Thu Jun 06, 2024 3:46 pm
Hold on, what machine generates bounces?
I thought it was your server that refused to send mail, not the remote server that refused to accept it. PTR-related issues would suggest the latter case.
The package with DNS-related stuff you're looking for is called "bind-tools"
seifn06 Tux's lil' helper
Joined: 19 Sep 2004 Posts: 90 Location: Lowell, Michigan
Posted: Thu Jun 06, 2024 3:52 pm
Hi szatox,
Both local and remote servers are bouncing my emails.
Sendmail running on my local server is rejecting outgoing emails sent from a Thunderbird client running on a host on the same LAN as my server for which the destination email address is not on my local network.
And Gmail is rejecting emails my server relays to Gmail addresses due to the reverse DNS issue.
I expect the second issue to be resolved as my reverse DNS record updates take effect. I'm still troubleshooting the first issue.
Thank you for the bind-tools suggestion!
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1922
Posted: Thu Jun 06, 2024 4:08 pm
While you are at it, set up OpenDKIM and publish DKIM records. The larger companies like Yahoo (and all the branded emails they host) actually require it to receive messages. Gmail highly suggests it and has been enforcing when possible. Not setting up DKIM may cause rejections at any time.
seifn06 Tux's lil' helper
Joined: 19 Sep 2004 Posts: 90 Location: Lowell, Michigan
Posted: Thu Jun 06, 2024 6:47 pm
Solved!
After some googling, I had to create a new text file in /etc/mail/relay-domains and list my LAN subnets (C network number) as well as the domain name I'm masquerading. I'm unsure if it was necessary, but I also revised my /etc/mail/access file.
/etc/mail/relay-domains
Code:
192.168.0.
192.168.1.
<first three octets of public-facing static WAN IPv4 address>
<domain_name>.com
/etc/mail/access
Code:
From:localhost RELAY
From:127.0.0.1 RELAY
From:192.168.0 RELAY
From:192.168.1 RELAY
From:<domain_name>.com RELAY
Re-munge/compile the access database and sendmail.cf files and restart Sendmail:
Code:
# makemap hash /etc/mail/access </etc/mail/access
# m4 sendmail.mc > sendmail.cf
# /etc/init.d/sendmail restart
And now relaying through my Sendmail server is not immediately rejected by my server. I still have issues sending/relaying email to Gmail, but that is a separate problem I hope to resolve with the DKIM recommendations from grknight.
I'm still puzzled because I think that my Sendmail is not actually reading my access db which is what I used in the past to enable relaying, but the relay-domains file I mention above seems to have bypassed this problem.
Am I correctly interpreting the sendmail -bt command below that sendmail is not finding a match in my access file for my sender IP address 192.168.0.222? I had copied my /etc/mail/sendmail.mc file from an older server to setup this new server and did not know about the relay-domains file. I'm wondering if I got the access db working if relaying would work without the relay-domains file?
Code:
# sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> /map access 192.168.0.222
map_lookup: access (192.168.0.222) no match (0)
With the /etc/mail/relay-domains file, sendmail -bt -d21.4 shows relaying approved:
Code:
# sendmail -bt -d21.4
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> .D{client_addr}192.168.0.222
> .D{client_name}<sender_host_name>.<domain_name>.com
> check_rcpt <destination@gmail.com>
...
Rcpt_ok returns: destination < @ gmail . com >
rewritten as: < destination @ gmail . com > $| @ destination < @ gmail . com >
Relay_ok input: < destination @ gmail . com >
rewrite: RHS $&{client_addr} => "192.168.0.222"
rewritten as: 192 . 168 . 0 . 222
rewritten as: RELAY
Relay_ok returns: RELAY
rewritten as: O $| RELAY
rewritten as: RELAY
Basic_check_rcpt returns: RELAY
rewritten as: RELAY
check_rcpt returns: RELAY
And in case anyone else runs into problems, I found the following sites helpful in troubleshooting this issue:
https://www.sendmail.org/~ca/email/chk-89f.html
* https://www.sendmail.org/~ca/email/chk-dbg.html#ACCESS
http://shebangme.blogspot.com/2010/10/sendmail-rebuild-and-sendmail-access.html
https://www.sendmail.org/~ca/email/relayingdenied.html
* The Debugging check_rcpt (Anti-Relay) section of this one was particularly helpful
grknight, I will be looking into OpenDKIM shortly as I'm seeing a lot of info on Gmail's mail servers about needing it. Thank you for the recommendation!
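An added example (mine, not code from the thread or from sendmail) that models the access-map lookup behind the "/map access 192.168.0.222" no-match and the later RELAY result: for a connecting client, sendmail's Relay_ok rules consult Connect:-tagged (or untagged) keys, walking from the full address down to shorter dotted prefixes, whereas From: entries are keyed on the envelope sender and, per sendmail's cf/README, only grant RELAY when FEATURE(`relay_mail_from') is enabled. The access file contents and the 192.168.0.50 entry are constructed, and the tagged-then-untagged order is my reading of the stock rule sets, not a quote of them.

```python
# Added example, not code from the thread or from sendmail. Models the access
# map lookup sendmail makes for a connecting client (Relay_ok -> LookUpAddress):
# walk the IP from full address to shorter prefixes, "Connect:" key then untagged.

# Constructed access files: the first uses only "From:" tags, as in the thread;
# the second keys the same networks on the connecting client instead.
ACCESS_FROM_ONLY = """\
From:127.0.0.1 RELAY
From:192.168.0 RELAY
From:192.168.1 RELAY
From:example.com RELAY
"""

ACCESS_CONNECT = """\
Connect:127.0.0.1 RELAY
Connect:192.168.0 RELAY
Connect:192.168.1 RELAY
Connect:192.168.0.50 REJECT
"""


def parse_access(text):
    """Parse 'key value' lines into a dict, the way makemap keys access.db."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) == 2:
            db[fields[0]] = fields[1].strip()
    return db


def literal_lookup(db, key):
    """What '/map access <key>' does in 'sendmail -bt': one exact key, no walk."""
    return db.get(key)


def lookup_client_addr(db, client_addr):
    """Return (matched_key, rhs) for an IPv4 client address, or None.
    Longest prefix wins: 192.168.0.222, then 192.168.0, 192.168, 192."""
    octets = client_addr.split(".")
    for n in range(len(octets), 0, -1):
        prefix = ".".join(octets[:n])
        for key in ("Connect:" + prefix, prefix):  # tagged first, then untagged
            if key in db:
                return key, db[key]
    return None


if __name__ == "__main__":
    posted, fixed = parse_access(ACCESS_FROM_ONLY), parse_access(ACCESS_CONNECT)
    print(literal_lookup(posted, "192.168.0.222"))      # None
    print(lookup_client_addr(posted, "192.168.0.222"))  # None
    print(lookup_client_addr(fixed, "192.168.0.222"))   # ('Connect:192.168.0', 'RELAY')
    print(lookup_client_addr(fixed, "192.168.0.50"))    # ('Connect:192.168.0.50', 'REJECT')
```

The host-specific REJECT beating the network-wide RELAY is the longest-prefix rule in action, which is how a single misbehaving LAN host can be cut off without reopening relaying for everyone else.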
szatox Advocate
Joined: 27 Aug 2013 Posts: 3439
Posted: Thu Jun 06, 2024 8:17 pm
Cool, great that you got it. And talking about DKIM, set SPF and DMARC records too.
In theory having either DKIM or SPF should be sufficient, but some big providers require both, and DMARC may or may not give the messages authorized by DKIM and SPF more credibility in the eyes of spam filters.
AFAIR gmail even has its own sender's domain authentication method which requires you to add a TXT record provided by them to your DNS to prove that you're the owner, which is functionally a crippled, inferior version of SPF... They used to link to their relevant documentation inside bounce reports; get ready for that too.