SMTP Relay problem


Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Mon Jan 14, 2008 10:30 am

Then you will have to try and track the process. Google suggested that something may be trying to authenticate and failing. Check the other Scalix components for an SMTP server (like Scalix Mobile, etc.).

techsharp
Posts: 436
Joined: Tue Jan 16, 2007 9:01 pm

Postby techsharp » Mon Jan 14, 2008 11:00 am

OK sounds good - I will try to track it down!

I will let you know how it works out - thank you

Postby techsharp » Mon Jan 14, 2008 11:11 am

Valerion -

I think it's nagios - I started nagios on my test server w/ the changes made to smtpd.cfg etc. and!

Jan 14 10:01:59 mars sendmail[26004]: m0EF1xqv026004: mars.blueslate.net [172.xx.1.xxx] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

If I turn it off it goes away-- however nagios messages do go to my inbox - but now that I know what it is - do you know how I can get nagios to authenticate?

Thanks

Postby Valerion » Mon Jan 14, 2008 11:22 am

Nagios does this (but it should only do so every 5 mins by default, not as frequently as you stated before). Nagios checks SMTP by doing a TCP connect to port 25 and seeing if there's a response, then closing the socket. Sendmail sees an incoming connection, sends its banner and then gets a connection close. It does this and logs the warning you listed in your maillog. So what you see is consistent with normal nagios operations.

The way to address this is to use a check_smtp plugin instead of one that calls check_tcp. You will also have to check the parameters passed to check_smtp to ensure it sends a correct SMTP envelope. You will have to check sendmail and nagios online resources to get this properly sorted out, I haven't done it this far myself.

Postby techsharp » Mon Jan 14, 2008 11:34 am

OK Valerion - yeah it's popping up every 5 seconds - I wonder why? Will that have any impact on the server or is that OK?

Thanks!

Postby techsharp » Mon Jan 14, 2008 12:00 pm

Easy answer - I had check_smtp running every 5 seconds in case it got shut down so it would alert me.

I turned that off and now not even seeing the message. OK will be going back to the production box to make the changes and see if things work out - will update.

Postby techsharp » Mon Jan 14, 2008 1:33 pm

OK made the changes and mail coming in and out fine but seeing a few of these:

Jan 14 12:32:35 mars sendmail[9222]: m0EHWZli009222: [78.162.141.215] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 14 12:32:40 mars sendmail[9236]: m0EHWexV009236: 60.88.broadband.iol.cz did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

I am also seeing a ton of these:
Jan 14 13:24:27 mars sendmail[24958]: m0EIOQog024958: lost input channel from 84-72-196-156.dclient.hispeed.ch [84.72.196.156] to MTA after rcpt
Jan 14 13:24:31 mars sendmail[25073]: m0EIOUFx025073: lost input channel from p3EE27630.dip.t-dialin.net [62.226.118.48] to MTA after rcpt

Never saw them before - are these just spammers now getting blocked?

Is that OK - looks like addresses that are not good- but want to make sure we are not missing mail.

Thanks

Postby Valerion » Tue Jan 15, 2008 3:47 am

Offhand that seems to be portscanning (especially the first bunch). The second group could be attempts to enumerate your email addresses (crude, but doable) or point to network errors. Looking at the machines, however, they seem to be all dialup users, or users that don't have proper reverse DNS entries. I would be VERY tempted to write them off as spammers. I suspect a DNS blacklist will kill off those connections anyway.

If they really are mail failures, they will generally try at fixed or increasing intervals to deliver (usually an hour) for a few days. If it is spammers, they would either connect a lot or at irregular intervals.
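The triage rule described in the post above (banner-only connections versus sessions dropped after RCPT, and steady retry intervals versus irregular bursts), as an added example that is not part of the original thread. It groups the two sendmail warnings by client and labels each client; the sample log lines, the 600-second floor, the default year and the label names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the maillog lines quoted in the thread
# (example hostnames and documentation-range addresses, not real clients).
SAMPLE_LOG = """\
Jan 14 10:01:59 mx sendmail[101]: m0EA01: mon.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 14 10:02:04 mx sendmail[102]: m0EA02: mon.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 14 13:00:00 mx sendmail[201]: m0EB01: lost input channel from mail.example.org [198.51.100.7] to MTA after rcpt
Jan 14 13:24:27 mx sendmail[301]: m0EC01: lost input channel from dyn.example.com [203.0.113.50] to MTA after rcpt
Jan 14 13:24:31 mx sendmail[302]: m0EC02: lost input channel from dyn.example.com [203.0.113.50] to MTA after rcpt
Jan 14 13:40:02 mx sendmail[303]: m0EC03: lost input channel from dyn.example.com [203.0.113.50] to MTA after rcpt
Jan 14 13:41:00 mx sendmail[304]: m0EC04: lost input channel from dyn.example.com [203.0.113.50] to MTA after rcpt
Jan 14 14:00:00 mx sendmail[202]: m0EB02: lost input channel from mail.example.org [198.51.100.7] to MTA after rcpt
Jan 14 16:00:00 mx sendmail[203]: m0EB03: lost input channel from mail.example.org [198.51.100.7] to MTA after rcpt
Jan 14 16:05:00 mx sendmail[401]: m0ED01: lost input channel from [203.0.113.99] to MTA after rcpt
"""
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sendmail\[\d+\]: \w+: "
    r"(?:(?P<probe>.+?) did not issue MAIL/EXPN/VRFY/ETRN"
    r"|lost input channel from (?P<drop>.+?) to MTA after (?P<stage>\w+))")
MIN_RETRY_GAP = 600  # seconds; assumed floor for a genuine MTA retry interval

def parse(log, year=2008):
    """Group the two warnings by client: {client: [(datetime, kind), ...]}."""
    events = defaultdict(list)
    for m in filter(None, map(EVENT.match, log.splitlines())):
        client = m["probe"] or m["drop"]
        ip = re.search(r"\[([^\]]+)\]", client)  # prefer the bracketed address
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        kind = "no-command" if m["probe"] else "lost-after-" + m["stage"]
        events[ip[1] if ip else client].append((when, kind))
    return events

def classify(entries):
    """Label one client's events using the intervals between its connections."""
    entries = sorted(entries)
    if all(kind == "no-command" for _, kind in entries):
        return "probe"  # banner read, then disconnect: scan or TCP-only monitor
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(entries, entries[1:])]
    if not gaps:
        return "single-drop"
    steady = all(later >= earlier for earlier, later in zip(gaps, gaps[1:]))
    return "retry-like" if steady and min(gaps) >= MIN_RETRY_GAP else "irregular"

def triage(log):
    return {client: classify(entries) for client, entries in parse(log).items()}
```

Calling `triage()` on the text of a maillog returns one label per client; clients labelled `retry-like` are the ones worth checking for lost legitimate mail.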

Postby techsharp » Tue Jan 15, 2008 9:35 am

Valerion -

Thanks!

I checked a lot of the second bunch and yup they are all spammers. Sendmail is kicking them off right at the door and they are not even reaching spamassassin.

We actually saw a lot less spam yesterday which was good. As of now everything is looking to be working well - if anything else comes up I will let you know.

Thanks again for all your help.

Postby Valerion » Tue Jan 15, 2008 9:41 am

I would also suggest a DNS Blacklist, if you don't have one yet. The last few lines of my sendmail.mc reads as follows:

FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=,T=C:15m;S:4m;R:4m;E:10m')dnl

MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
MAILER(scalix)dnl


There are more blacklists out there (and in the forum), but I like spamcop.

Of course, bear in mind that, like spam filtering, blacklisting will create false positives and you will lose email. I find the percentage of mail affected to be low, though, but YMMV, as always.

Postby techsharp » Tue Jan 15, 2008 9:55 am

Valerion-

OK I will check w/ our team and see if they would like to do that - sounds like a good idea.

Thank you

Postby techsharp » Wed Jan 16, 2008 12:01 pm

OK the problem now is that our phones are unable to send email.

If I uncheck - outgoing email server requires authentication it works only for internal mail so we need auth to work correctly.

What do I need to do to be able to send through the Qphones again? Should I put outgoing mail server as mail.blueslate.net:587?

Thanks

Postby Valerion » Thu Jan 17, 2008 3:43 am

You will have to set the outgoing SMTP server on port 587 on the phone. Some can handle this, and some not, depends on the phone.

If you can't get this to work you can try one of the following:

1) Set up a redirect on port 25 on a different IP to forward to port 587 on the Scalix server (if you have more than 1 IP available)

2) Set up a static set of usernames and passwords in sendmail and SASL (maybe getting from /etc/password?) and use that instead of the Scalix credentials. There are some resources on the sendmail.org site for setting this up. I haven't done it in a while, so I can't give you specifics.

Postby techsharp » Thu Jan 17, 2008 9:44 am

OK Valerion- thank you!

Postby techsharp » Tue Jan 22, 2008 3:15 pm

Valerion-

Back to the phones- I set up port 587 for the outgoing mail server and when trying to send it says can not connect to the server.

If I switch back to 25 it would give me a relay error- any reason why on 587 it will not connect to the server to send mail?

Thanks
