That great 550 error... so amazingly frustrating

[bdinger]

Okay, I'm getting the old "The mail server responded: Denied due to spam list" message that I've read so much about . Here's the deal: it makes no sense and it's seemingly (so far) only happening to me.

First: the IP of the scalix server is in the config and the hostname is in /etc/hosts. Already did that a while ago when other users were having issues. From this laptop I previously could use scalix connect with Outlook 2003, but it's not starting and I prefer thunderbird anyway. I can send just fine using webaccess from this laptop.

Here's how it's so frustrating. I can log in to our offsite location and send email just fine. I can place a computer on our secondary internet connection at our office and send email just fine, which routes the little smtp packets all over the internet and back to across the office to the datacenter. And to make matters worse, I can VPN into the office, making me able to go over the local subnet to the scalix server, yet STILL unable to send mail.

Or, should I say, not all mail. I can send mail to any local user just fine. But if I try to send it to an address not hosted on the Scalix server.. that's when I get the error.

The client is Thunderbird 2.0.0.6.

I'm about ready to pull my hair out, but I still love this so much better than anything I've used before, and will definitely buy another year of support after our first is done. Great, great product.

[jaime.pinto]

if I try to send it to an address not hosted on the Scalix server.. that's when I get the error.

There are literally over 50 post on this forum exactly on that symptom, and the fix. Just do a search for all terms on "Denied due to spam list"

[bdinger]

Looked at probably all of them, tried literally everything suggested, no go.

I'll throw a email off to support and see what they have to say.

[jaime.pinto]

Sometimes that's the only option left. They are very good once you get a hold of them.

[btisdall]

Can you post your /etc/hosts and the output of:

Code: Select all

tail -n50 $(omrealpath "/sys")/smtpd.cfg

[bdinger]

Thanks for the quick reply! First, here is the relevant portion of smtpd.cfg:

Code: Select all

###############################################################################

# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept .midmed.net
RELAY accept 67.52.54.126
RELAY accpet 192.168.1.17
RELAY accept 192.168.1.20
RELAY accept 192.168.1.4
RELAY accept 192.168.1.99
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL



# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix


And.. /etc/hosts

Code: Select all

127.0.0.1       localhost
209.50.22.107   fax.midmed.net  fax
192.168.1.17    mail.midmed.net mail
192.168.1.17    mail.midmed.com


I realize there are several named relays in there, as I have some applications that require relay ability but don't have smtp auth capability. And, a test of my Treo attempting to send mail while connected via EDGE, well, no go. Same error.

I *know* I'm missing something, but with us pricing NotifyLink and really pushing the mobile email to mobile workers, I need to get this resolved.

[jaime.pinto]

RELAY accpet 192.168.1.17

127.0.0.1 localhost.localdomain localhost

[bdinger]

RELAY accpet 192.168.1.17

127.0.0.1 localhost.localdomain localhost

Oh man... thanks.. trying it now

[bdinger]

*sigh* still no luck. On the local network, it works fine. And anything that resolves with a reverse of *.midmed.net works fine. But anything else, no go. If I remove smtp authentication on a machine on the local network, that fails as well.

Anyway, here's what I'm getting in a scalix log when trying to send from my laptop:

Code: Select all

Rejected relay attempt from ben@midmed.com at 76.85.196.143 to bdinger@gmail.com


[jaime.pinto]

I believe your initial problem was related to syntax, and that is now fixed.
You now may have authentication problems on relay.

We have 2 components to this business of relaying: hosts/clients on your "internal network" and clients on the internet.

1) Internal network:
You definitely need to include all the subnets you use internally in the smptd.conf as well as the /etc/hosts/access file.
Then you must restart scalix for the changes to become effective.
You also need to type "make" inside /etc/mail and restart sendmail

In that scenario here is a question: is 76.85.196.143 part of your "internal" network?

2) For external clients relay is always denied, obviously, unless the client authenticates properly. For that there are 3 components to the equation:

a) the type of encryption mechanisms accepted by the server. That is defined into the sendmail.mc file. Below is an example:

dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
dnl

b) The way the client is attempting to authenticate. They have to match.
In your case that seems to the the problem now.

c) The SSL ports have to be open on the firewall AND the server has to be configured to accept SSL calls.

One thing I noticed with SSL setups on the IMAP/SMTP clients such at thunderbird, evolution and OL: if you're using SSL do not encrypt the password (there is always a checkbox for that, don't click on it). You would be "double" encrypting the password string and the server doesn't understand that.

Thunderbird settings with scalix IMAP
To receive email:
Server Settings
scalixserver.domain.com Port 993

Security Settings:
[x] SSL
[_] Use secure authentication (don't use)

To send emails:
Outgoing Server (SMTP)
scalixserver.domain.com Port 465

Security and Authentication:
[_] Use name and password (don't use)
[x] SSL

You can also try SSL OFF on the client just to debug.

You probably have enough to go with for now. Keep posting your progress.

[btisdall]

FYI no need to restart scalix after changes to smtpd.cfg, a:

Code: Select all

omoff -d0 smtpd && omon smtpd

Will achieve what you want much more quickly.

Also, the sendmail auth mechs aren't relevant on a standard Scalix install since omsmtpd is listening externally, not sendmail.

To see what's available telnet to port 25 on the external ip and do an:

Code: Select all

ehlo blah

Don't forget you need stunnel for SSL on scalix.