SMTP stops periodically - again..


ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Apr 12, 2006 4:50 pm

Hi Peter,

This would certainly be easier if I could get VNC or ssh access to your server. However, in order to do that, we would really need to open a Support Incident for this. The advantage of this is that we can take this offline and there will be an SLA. If that's something you're interested in, let me know and I'll send you the forms to purchase that. If not, we can continue to work through this on the forum.

So, the next time this happens, can you type:


lsof -i:25


and post the results. It still sounds like something is looping.

As far as messages being sent to root via the Mail command, those don't even go through Scalix so that means sendmail is queuing those messages.

Thanks,
Rachel

peterz
Posts: 39
Joined: Mon Sep 12, 2005 11:10 pm
Location: Burbank, CA, USA
Contact:

Current smtp status

Postby peterz » Wed Apr 12, 2006 6:22 pm

Rachel:

I appreciate your suggestion. For the time being, I'd like to continue this forum approach, with the hope it addresses problems for others. Since I have a pure vanilla install of Scalix 10.0, I have to assume that I'm not the only one who has, or will have this problem I'm experiencing.

As soon as I get an SMTP stoppage, I'll perform the lsof -i:25 command.



However, I think I either have a misconception about Scalix or I'm not understanding the big picture.

In the context that I see the Mail Subsystem delivering messages found in the mqueue folder (which are building rapidly) and messages found going to root@mail.egad.com, I've come to the following conclusion. Please, correct me if I'm wrong.

Original Assumption:
Scalix was a full, turnkey email package. (i.e. handles all aspects of mail processing)

Observation:
It appears that Scalix is only a front end mail handling package (user interface) and that actual mail handling is done by sendmail, whose setup is not handled or supported directly by Scalix.


Original Assumption:
Scalix would handle email management and security issues.

Observation:
Sendmail appears to be handling the actual SMTP and security issues regarding RELAY and SMTP authentication. So far, it seems that users using outgoing mail SMTP don't even require the authentication used on the POP3 side in order to send mail out. If this is actually the case, then my Scalix 'email server' is totally wide open unless I get up to speed on sendmail protocols, administration and script programming.



Original Assumption:
That since Scalix provided a SUSE installer, that support tools would be SUSE friendly.

Observation:
It appears that Scalix is totally Red Hat centric. Hints, Tools and Knowledgebase that provide examples for Clam, SpamAssassin, LVN, etc., are all in Red Hat configuration and are not applicable (as is) in the SUSE environment. I recently tried putting in the SpamAssassin configuration as per the Knowledgebase notes, and found that even the simplest commands didn't match SUSE (i.e. services, smtpd, etc.)

If this last observation is correct, then it appears that Scalix is to be only used reliably with Red Hat. I wish I knew this going in.

Don't get me wrong. I think Scalix is a great product. I just don't want to have a major misinterpretation of what I'm working with.



My biggest concern, beyond the SMTP stoppages, is that:

a) SMTP doesn't seem to be authentication controlled, and I don't have a clue how to change it.
b) That my SMTP services are being hijacked from the outside and I don't know how to stop it.

These last two points are based on initially looking into Sendmail, and not knowing where Sendmail ends and Scalix starts (I don't want to break anything), and finding Sendmail almost overwhelming in terms of learning another new technology.

Remember, I just wanted to set up an email server and pretty well walk away from it.

Please let me know where I'm wrong and what your thoughts are.

Regards,

- Peter

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Apr 12, 2006 7:04 pm

Hi Peter,

I did some testing against mail.egad.com by telnetting to socket 25 of your machine. The most obvious issue I see is that your server is having problems resolving your address. If I put in:


RCPT TO: xyzabc@egad.com


It takes about five seconds for it to come back with:


550 5.1.1 xyzabc@egad.com... User unknown


Now, this could be when it's trying to resolve egad.com or when it's trying to resolve localhost (when the SMTP Relay hands the message off to Sendmail). First, can you use nslookup and try to resolve egad.com, then type "set type=mx" and try to resolve egad.com. Next, can you post your /etc/hosts file?

Regarding your assumptions about Scalix, I would rather not go off on that tangent right now while we're in the middle of debugging this. Do you mind if I address these once we've resolved these issues?

Thanks,
Rachel

peterz
Posts: 39
Joined: Mon Sep 12, 2005 11:10 pm
Location: Burbank, CA, USA
Contact:

Postby peterz » Wed Apr 12, 2006 7:21 pm

Rachel:

I have no problem postponing my assumption discussion. I would be quite happy just resolving the current problems.

--------------------------------------------------------------------------------------
Here's the nslookup and it is obviously looking at the Primary DNS provided by
our ISP, speakeasy.net.

mail:~ # nslookup
> set type=mx
> resolve egad.com
Server: 64.81.45.2
Address: 64.81.45.2#53

** server can't find resolve: NXDOMAIN

----------------------------------------------------------------------------------------
/etc/hosts contents are as follows:


#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#

127.0.0.1 localhost

# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
66.93.64.35 mail.egad.com mail

------------------------------------------------------------------------------------

For what it's worth, I don't believe I'm running any local DNS, as YAST indicates that
the DNS service has not been started.

By the way, thanks for working with me through this.

Regards,

- Peter

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Apr 12, 2006 7:25 pm

Hi Peter,

I should have been more explicit. With nslookup, once you get the "> " prompt, type:


egad.com
set type=mx
egad.com


and also how long it took for the server to respond.

Thanks,
Rachel

peterz
Posts: 39
Joined: Mon Sep 12, 2005 11:10 pm
Location: Burbank, CA, USA
Contact:

NSlookup results

Postby peterz » Wed Apr 12, 2006 7:35 pm

Rachel:

Here are the results of NSlookup per our instructions:

----------------------------------------------------------------------------------
mail:~ # nslookup
> egad.com
Server: 64.81.45.2
Address: 64.81.45.2#53

Non-authoritative answer:
*** Can't find egad.com: No answer
> set type=mx
> egad.com
Server: 64.81.45.2
Address: 64.81.45.2#53

Non-authoritative answer:
egad.com mail exchanger = 0 mail.egad.com.

Authoritative answers can be found from:
> exit
--------------------------------------------------------------------------------

Hope this helps.

Regards,
- Peter

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Apr 12, 2006 8:21 pm

Hi Peter,

How long did it take for it to return those answers? Could you try the following from your Scalix server. First:


telnet mail.egad.com 25

then type:


HELO localhost
MAIL FROM: root@localhost
RCPT TO: username@egad.com
QUIT


where username is one of your users. How long did it take to come back after you put in the RCPT TO: line? Now, type:


telnet localhost 25


then type:


HELO localhost
MAIL FROM: root@localhost
RCPT TO: username@egad.com
QUIT


and send me the same information as above. Lastly, type in:


sendmail -bt


then type:


3,0 username@egad.com
Ctrl-D

How long did that take?

Thanks,
Rachel
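The timed HELO / MAIL FROM / RCPT TO / QUIT exchange Rachel asks for, written up as an added example (it is not code from this thread or from Scalix). It talks to a constructed stand-in server with a hypothetical delay on unknown recipients so it can run offline; point timed_smtp_probe at a real host and port to time a live server the same way.

```python
"""Time each step of the HELO / MAIL FROM / RCPT TO / QUIT exchange."""
import socket
import threading
import time

# Constructed stand-in for the mail server: it answers like the transcripts
# above but delays the 550 for an unknown user to mimic a slow recipient
# lookup.  KNOWN_USERS and UNKNOWN_DELAY are hypothetical values.
KNOWN_USERS = {"root"}
UNKNOWN_DELAY = 0.3   # seconds


def _fake_smtp_server(listener):
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as f:
        conn.sendall(b"220 mail.example.test ESMTP constructed\r\n")
        for raw in f:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(":", 1)[0].upper()
            if verb == "RCPT TO":
                user = line.split(":", 1)[1].strip(" <>").split("@")[0]
                if user not in KNOWN_USERS:
                    time.sleep(UNKNOWN_DELAY)
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
                    continue
            if verb == "QUIT":
                conn.sendall(b"221 closing connection\r\n")
                break
            conn.sendall(b"250 Ok\r\n")


def timed_smtp_probe(host, port, rcpt, helo="localhost", mail_from="root@localhost"):
    """Send the four-command exchange; return [(command, reply, seconds)]."""
    results = []
    with socket.create_connection((host, port), timeout=10) as s, s.makefile("rb") as f:
        results.append(("BANNER", f.readline().decode().strip(), 0.0))
        for cmd in (f"HELO {helo}", f"MAIL FROM: {mail_from}", f"RCPT TO: {rcpt}", "QUIT"):
            t0 = time.monotonic()
            s.sendall((cmd + "\r\n").encode())
            reply = f.readline().decode().strip()
            results.append((cmd, reply, time.monotonic() - t0))
    return results


def probe_against_fake_server(rcpt):
    """Start the constructed server on a free loopback port and probe it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=_fake_smtp_server, args=(listener,), daemon=True)
    t.start()
    try:
        return timed_smtp_probe("127.0.0.1", listener.getsockname()[1], rcpt)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for addr in ("root@egad.com", "bogus_addr@egad.com"):
        for cmd, reply, secs in probe_against_fake_server(addr):
            print(f"{secs:6.3f}s  {cmd:32s} -> {reply}")
```

A large gap between the RCPT TO timing and the other commands is the signature Rachel is looking for; the stand-in reproduces it only for the unknown user.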

peterz
Posts: 39
Joined: Mon Sep 12, 2005 11:10 pm
Location: Burbank, CA, USA
Contact:

Telnet test

Postby peterz » Wed Apr 12, 2006 8:39 pm

Rachel:

I ran the following twice, to verify perceived delays:

----------------------------------------------------------------------------------------------------
mail:~ # telnet mail.egad.com 25
Trying 66.93.64.35...
Connected to mail.egad.com.
Escape character is '^]'.
220 mail.egad.com ESMTP Scalix SMTP Relay 10.0.0.175; Wed, 12 Apr 2006 17:28:35 -0700 (PDT)
HELO localhost
250 mail.egad.com Hello mail.egad.com [66.93.64.35], pleased to meet you
MAIL FROM: root@localhost
250 root@localhost... Sender ok
RCPT TO: peter.zaharkiv@egad.com
250 Ok
QUIT
221 mail.egad.com closing connection
Connection closed by foreign host.
mail:~ #

All above were instant. No perceived delays after hitting return.




mail:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.egad.com ESMTP Sendmail 8.13.4/8.13.4/SuSE Linux 0.7; Wed, 12 Apr 2006 17:30:50 -0700
HELO localhost
250 mail.egad.com Hello localhost [127.0.0.1], pleased to meet you
MAIL FROM: root@localhost
250 2.1.0 root@localhost... Sender ok
RCPT TO: peter.zaharkiv@egad.com
250 2.1.5 peter.zaharkiv@egad.com... Recipient ok
QUIT
221 2.0.0 mail.egad.com closing connection
Connection closed by foreign host.
mail:~ #


telnet localhost 25 has a 2 to 3 second delay before following responses.
Other commands after that were almost instant.


mail:~ # sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> 3,0 peter.zaharkiv@egad.com
canonify input: peter . zaharkiv @ egad . com
Canonify2 input: peter . zaharkiv < @ egad . com >
Canonify2 returns: peter . zaharkiv < @ egad . com . >
canonify returns: peter . zaharkiv < @ egad . com . >
parse input: peter . zaharkiv < @ egad . com . >
Parse0 input: peter . zaharkiv < @ egad . com . >
Parse0 returns: peter . zaharkiv < @ egad . com . >
ParseLocal input: peter . zaharkiv < @ egad . com . >
ParseLocal returns: peter . zaharkiv < @ egad . com . >
Parse1 input: peter . zaharkiv < @ egad . com . >
Parse1 returns: $# scalix $@ mail $: peter . zaharkiv < @ egad . com . >
parse returns: $# scalix $@ mail $: peter . zaharkiv < @ egad . com . >
> mail:~ #


The sendmail -bt and the following commands were instant. No delays at all.

------------------------------------------------------------------------------------------

regards.

- Peter

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Apr 12, 2006 10:32 pm

Hi Peter,

Okay, this is good, I think we're getting close to nailing this down. So, what I've done is telnetted to your server and tested your address, which resolves quickly. I then tried a bogus address and it takes several seconds to resolve. I then put in an invalid Scalix address, but a valid Linux address, and it also took several seconds to resolve. So that means it's either on the hand-off to sendmail or sendmail.

So, now could you type:

sendmail -bt

and at the "> " prompt type:

3,0 root@egad.com
3,0 bogus_addr@egad.com
ctrl-D

and tell me how long it takes to return from each of those and between which lines did it have the biggest delay?

Thanks,
Rachel

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Apr 12, 2006 10:41 pm

BTW, the reason we're going down this road with this is because in your smtpd.log files, each time the SMTP Relay goes into the partially aborted state, it had just received a RCPT TO command. Here are the snippets from your smtpd.log file:


Cli 2459/14 rcvd: 'RCPT TO: <fmehrmtin@egad.com>'
SMTP Relay 10.0.0.175 finished (2459): Thu, 06 Apr 2006 03:06:32 -0700 (PDT)

Cli 10318/2 rcvd: 'RCPT TO: <wudoku@egad.com>'
SMTP Relay 10.0.0.175 finished (10318): Thu, 06 Apr 2006 20:01:23 -0700 (PDT)

Cli 27045/1 rcvd: 'RCPT To:<poop@egad.com>'
SMTP Relay 10.0.0.175 finished (27045): Tue, 11 Apr 2006 21:36:34 -0700 (PDT)


Thanks,
Rachel

peterz
Posts: 39
Joined: Mon Sep 12, 2005 11:10 pm
Location: Burbank, CA, USA
Contact:

SMTP log..

Postby peterz » Wed Apr 12, 2006 10:52 pm

And each one of those is a bogus account.

I've seen emails like this before, and they're definitely SPAM, but not, to my knowledge, originating from the authenticated users. Unless I have a user(s) who are now trojan CPUs for a spammer.

Just a thought....

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Apr 12, 2006 11:05 pm

Hi Peter,

Anyone can attempt to send you (when I say "you", I mean egad.com) mail. Authenticated users can relay mail through your server, non-authenticated users (and other MTAs) can only send to your users.

Thanks,
Rachel

peterz
Posts: 39
Joined: Mon Sep 12, 2005 11:10 pm
Location: Burbank, CA, USA
Contact:

SMTP stopped last night.

Postby peterz » Thu Apr 13, 2006 12:56 pm

Rachel:

The SMTP stopped last night, and since ommaint was running, it was caught by ommaint. Unfortunately, SMTP was restarted automatically by ommaint, and therefore no 'lsof -i:25' was run at an appropriate time.

I was thinking of adding the 'lsof -i:25' to the ommaint script when it catches the smtp stoppage, and adding it to the message log. What do you think?

In the meantime, ommaint did report the following, shortly after the stoppage last night:

-----------------------------------------------------------------------------------------------
ommaint -frequent --- report from shortly after the smtp stopped:


--Performing Port Check on localhost:25-----
Error: Timeout on port mail:25
-------------------------------------------
The following text is the output from omshowlog -s SMTP Relay -l 99

REPORT SMTP Relay (SMTPD Relay Pr) 03.30.06 01:36:54
[OM.DMON 2172] SMTP: Rejected relay attempt from hamlu@guyville.com at 85.97.181.164 to 9361775646.19990311000417@graphicapplications.com


REPORT SMTP Relay (SMTPD Relay Pr) 03.30.06 01:37:57
[OM.DMON 2172] SMTP: Rejected relay attempt from at 205.252.14.37 to allen@graphicapplications.com


REPORT SMTP Relay (SMTPD Relay Pr) 03.30.06 01:38:02
[OM.DMON 2172] SMTP: Rejected relay attempt from fullidon@tue.nl at 85.137.52.189 to davidnicol@graphicapplications.com


REPORT SMTP Relay (SMTPD Relay Pr) 03.30.06 01:39:47
[OM.DMON 2172] SMTP: Rejected relay attempt from rhotoedgardo@lago.com at 81.198.189.186 to guerard@graphicapplications.com

.....
.....
(Hundreds more messages here)
.....
.....

REPORT SMTP Relay (SMTPD Relay Pr) 04.13.06 04:55:38
[OM.DMON 2172] SMTP: Rejected relay attempt from salingdem@nkp.cz at 80.33.165.18 to berry@rrawards.com


REPORT SMTP Relay (SMTPD Relay Pr) 04.13.06 04:57:46
[OM.DMON 2172] SMTP: Rejected relay attempt from lablanc@westga.edu at 61.173.157.253 to jrv@graphicapplications.com


REPORT SMTP Relay (SMTPD Relay Pr) 04.13.06 04:58:03
[OM.DMON 2172] SMTP: Rejected relay attempt from gia@gdz.com at 83.50.161.86 to warner@rrawards.com


REPORT SMTP Relay (SMTPD Relay Pr) 04.13.06 04:58:14
[OM.DMON 2172] SMTP: Rejected relay attempt from fenleyy@texasccim.com at 193.126.195.101 to meyer@rrawards.com

End of output from omshowlog
-----------------------------------------

Attempting to stop the SMTP service with omoff -d0 -s SMTP Relay
SMTP Relay Stopped

Disabling 1 subsystem(s).
-----------------------------------------
Attempting to start the SMTP service with omon -s SMTP Relay

Enabling 1 subsystem(s).
-----------------------------------------
Thu Apr 13 05:00:16 PDT 2006
****** SCALIX -- ommaint - frequent EXECUTED ******
SMTP Relay Stopped
SMTP Relay Stopped


----------------------------------------------------------------------------------------------

Note: the number of REPORT...SMTP Relay messages were in the hundreds.

It appears that all of these Relay messages are reporting on messages that were trying to relay through the mail.egad.com smtp server.

I therefore question whether Scalix has set up sendmail to truly require authentication to use the outgoing smtp server. Or, am I misinterpreting these messages?

Regards,

- Peter
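Two checks over the log formats quoted in this thread, Rachel's smtpd.log snippets (the RCPT TO received just before a relay process finishes) and Peter's omshowlog output (rejected relay attempts), as an added example that is not part of the thread or of Scalix. The sample lines are constructed in those formats, reusing a few addresses and IPs from the quoted logs, so the functions run offline.

```python
"""Correlate the Scalix smtpd.log and omshowlog lines discussed above."""
import re
from collections import Counter

# Constructed sample in the smtpd.log format quoted above (not real log data).
SMTPD_LOG = """\
Cli 2459/13 rcvd: 'MAIL FROM: <someone@example.test>'
Cli 2459/14 rcvd: 'RCPT TO: <fmehrmtin@egad.com>'
SMTP Relay 10.0.0.175 finished (2459): Thu, 06 Apr 2006 03:06:32 -0700 (PDT)
Cli 10318/1 rcvd: 'HELO example.test'
Cli 10318/2 rcvd: 'RCPT To:<wudoku@egad.com>'
SMTP Relay 10.0.0.175 finished (10318): Thu, 06 Apr 2006 20:01:23 -0700 (PDT)
Cli 31000/3 rcvd: 'QUIT'
SMTP Relay 10.0.0.175 finished (31000): Fri, 07 Apr 2006 01:00:00 -0700 (PDT)
"""

# Constructed sample in the omshowlog format quoted above.
OMSHOWLOG = """\
[OM.DMON 2172] SMTP: Rejected relay attempt from a@x.test at 85.97.181.164 to b@y.test
[OM.DMON 2172] SMTP: Rejected relay attempt from  at 205.252.14.37 to c@y.test
[OM.DMON 2172] SMTP: Rejected relay attempt from d@x.test at 85.97.181.164 to e@y.test
"""

RCVD_RE = re.compile(r"^Cli (\d+)/\d+ rcvd: '(.*)'$")
FINISHED_RE = re.compile(r"^SMTP Relay \S+ finished \((\d+)\):")
REJECT_RE = re.compile(r"Rejected relay attempt from (\S*) at (\d+\.\d+\.\d+\.\d+) to (\S+)")


def last_command_before_finish(log_text):
    """Map each finished relay PID to the last client command it received."""
    last_cmd, result = {}, {}
    for line in log_text.splitlines():
        m = RCVD_RE.match(line)
        if m:
            last_cmd[m.group(1)] = m.group(2)
            continue
        m = FINISHED_RE.match(line)
        if m:
            result[m.group(1)] = last_cmd.pop(m.group(1), None)
    return result


def rcpt_to_before_finish(log_text):
    """PIDs whose last command was RCPT TO (any case), with the recipient."""
    out = {}
    for pid, cmd in last_command_before_finish(log_text).items():
        if cmd and cmd.upper().startswith("RCPT TO"):
            out[pid] = cmd.split(":", 1)[1].strip(" <>")
    return out


def rejected_relays_by_source(log_text):
    """Count 'Rejected relay attempt' lines per source IP; empty senders count too."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


if __name__ == "__main__":
    print(rcpt_to_before_finish(SMTPD_LOG))
    print(rejected_relays_by_source(OMSHOWLOG).most_common())
```

Run rcpt_to_before_finish over a real smtpd.log to list the recipients that preceded each relay shutdown; a run of nonexistent users there matches the pattern Rachel describes, while rejected_relays_by_source shows which sources keep hitting the relay check.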

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Thu Apr 13, 2006 4:56 pm

Hi Peter,

The messages are being rejected, which is the correct behavior of the SMTP Relay. It's saying that a non-authenticated user is attempting to relay through your site and it's kicking all of those back.

I still need you to run the sendmail -bt test for me and send me the timing results.

Thanks,
Rachel

peterz
Posts: 39
Joined: Mon Sep 12, 2005 11:10 pm
Location: Burbank, CA, USA
Contact:

sendmail -bt

Postby peterz » Thu Apr 13, 2006 5:11 pm

Rachel:

Sorry, I missed the last sendmail -bt request. Here's the results.

The delay time on the following commands was imperceptible. The results appeared as soon as I typed the return key.

------------------------------------------------------------------------------------------------
mail:~ # sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> 3,0 root@egad.com
canonify input: root @ egad . com
Canonify2 input: root < @ egad . com >
Canonify2 returns: root < @ egad . com . >
canonify returns: root < @ egad . com . >
parse input: root < @ egad . com . >
Parse0 input: root < @ egad . com . >
Parse0 returns: root < @ egad . com . >
ParseLocal input: root < @ egad . com . >
ParseLocal returns: root < @ egad . com . >
Parse1 input: root < @ egad . com . >
Parse1 returns: $# local $: root
parse returns: $# local $: root
> 3,0 bogus_address@egad.com
canonify input: bogus_address @ egad . com
Canonify2 input: bogus_address < @ egad . com >
Canonify2 returns: bogus_address < @ egad . com . >
canonify returns: bogus_address < @ egad . com . >
parse input: bogus_address < @ egad . com . >
Parse0 input: bogus_address < @ egad . com . >
Parse0 returns: bogus_address < @ egad . com . >
ParseLocal input: bogus_address < @ egad . com . >
ParseLocal returns: bogus_address < @ egad . com . >
Parse1 input: bogus_address < @ egad . com . >
Parse1 returns: $# local $: bogus_address
parse returns: $# local $: bogus_address
>
------------------------------------------------------------------------------------------------

Regards,

- Peter

