Email sent from outside domain not received

Discuss installation of Scalix software

Moderators: ScalixSupport, admin

jrwired


Post by jrwired » Mon Jan 14, 2008 3:20 pm

Having trouble getting DNS / firewall configured properly. I can send an email to an account outside the domain, however when I reply & try to send the email back it never arrives.

I have opened ports 25, 110, 143 & 389 to forward to my Scalix server, as well as setting up an alias ("A" entry) in my DNS.

Being a new Scalix user, I guess I must be overlooking why the email is not able to route its way back to the originating server. Any help would be appreciated.

ltward
Posts: 309
Joined: Tue Jan 15, 2008 1:54 pm

Post by ltward » Tue Jan 15, 2008 2:01 pm

When you click "reply" is your reply addressed to the host name you expected it to be addressed to? Your use of an "A" record in your DNS suggests the wrong host name might be getting used for the reply-to address.

When you reply, does the reply get returned to you with a non-delivery notification? If so, what does it say?

What happens when you try to telnet to port 25 on your Scalix server from a remote host (telnet scalix.server.com 25)?

jrwired

Post by jrwired » Tue Jan 15, 2008 4:05 pm

ltward,

Q1) Yes, the reply to ( @cal.structuralcomponents.net ) is showing up when clicked upon.

Q3) telnet (from inside the firewall & via our public side IP results in:)

Code:

Trying 10.0.1.132...
Connected to cal.structuralcomponents.net.
Escape character is '^]'.
220 server3.iad7387den.den0.cbeyond.net ESMTP Scalix SMTP Relay 11.2.0.11121; Tue, 15 Jan 2008 12:48:05 -0700 (MST)


Q2) All but one email disappeared into the vast nothingness, below is the header of the only non-delivery we've seen to date. The assumption is the others haven't timed out & been returned yet.

One last thought, we contacted Cbeyond to help us (I know that didn't get us far)... they set up a PTR record, Reverse DNS I've been told. We have confirmed our A record points to the internal IP address.

If you look at the code below, it appears the port & IP in the mail header are different than what we've opened on the firewall (currently we have port 25 going to 10.0.1.132, which is where the testing server resides). The header shows port 51769 & 10.0.1.110.

Thanks in advance for your help...
- Jr

Code:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

 joseph.rajewski@cal.structuralcomponents.net
   retry timeout exceeded

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 50142 characters long; only the first
------ 16384 or so are included here.

Return-path: <jrajewski@structuralcomponents.net>
Received: from [72.54.218.241] (port=51769 helo=[10.0.1.110])
   by mx.cbeyond.com with esmtpsa (TLSv1:AES128-SHA:128)
   (Exim 4.62)
   (envelope-from <jrajewski@structuralcomponents.net>)
   id 1JERgP-0005P8-F8
   for joseph.rajewski@cal.structuralcomponents.net; Mon, 14 Jan 2008 10:57:06 -0500
Message-Id: <8D46E8C2-D281-4866-AA44-8D940140C985@structuralcomponents.net>
From: Joseph Rajewski <jrajewski@structuralcomponents.net>
To: Joseph Rajewski <joseph.rajewski@cal.structuralcomponents.net>
In-Reply-To: <H0000067000004b7.1200326047.server3.iad7387den.den0.cbeyond.net@MHS>
Content-Type: multipart/alternative; boundary=Apple-Mail-1-828497363
Mime-Version: 1.0 (Apple Message framework v915)
Subject: Re: test
Date: Mon, 14 Jan 2008 09:01:53 -0700
References: <H0000067000004b7.1200326047.server3.iad7387den.den0.cbeyond.net@MHS>
X-Mailer: Apple Mail (2.915)

ltward
Posts: 309
Joined: Tue Jan 15, 2008 1:54 pm

Post by ltward » Tue Jan 15, 2008 4:39 pm

Okay, nslookup doesn't know about any MX records for you:

Code:

# nslookup
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> set query=MX
> cal.structuralcomponents.net
Server:         192.168.222.1
Address:        192.168.222.1#53

Non-authoritative answer:
*** Can't find cal.structuralcomponents.net: No answer

Authoritative answers can be found from:
structuralcomponents.net
        origin = structuralcomponents.net
        mail addr = hostmaster.cbeyond.com
        serial = 2006120100
        refresh = 86400
        retry = 1800
        expire = 604800
        minimum = 3600


When other mail systems don't find an MX record for you, they'll try to connect directly. When I try to telnet to your port 25, I get:

Code:

# telnet cal.structuralcomponents.net 25
Trying 10.0.1.132...
telnet: connect to address 10.0.1.132: Connection timed out



So, your MX record isn't propagating and it's not possible to connect to your host directly from "the internet". That's why messages aren't getting to your server.

jrwired

Post by jrwired » Tue Jan 15, 2008 5:11 pm

Your results make sense, since our only 'A' record was set up for 'internal' testing. ie: cal.structuralcomponents.net > 10.0.1.132 AND tests to work properly 'internally'.

So if I switch that to our public IP, it would suggest that things would begin working on the return trip, as long as we send outside the domain. ie: joe@cal.struc... > joe@yahoo.com & back.

FYI: the real Domain name (privately assigned to the 10.0.1.132 box) is something like server3.iadXXXXden.cbeyond.com

Our concern with that was that email transmitted only on the private side would no longer resolve properly, since users on the inside of the firewall can't access the public IP. And therefore internal emails would stop flowing. ie: joe@cal.structu.... > dan@cal.structu... would fail.

I guess it's a novice question on my behalf, but how do we set our DNS records properly so emails flow on both sides of the firewall?

PS: we just switched our A record for Cal.str.... to the public IP, it may take 2-4hrs to resolve & likely longer to propagate.

UPDATE (2:48pm MST): as a result of updating the A record, we've lost the ability to connect (with Outlook clients) to the mail server internally (which we expected). Administrative console & webmail only accessible via internal IP address.

Thx again for your guidance...

grahamk
Posts: 134
Joined: Fri Mar 02, 2007 4:53 am

Post by grahamk » Tue Jan 15, 2008 9:00 pm

I've done this using an internal DNS Server.

External requests get resolved by the public DNS servers, internal requests get resolved by your internal server ('cause all of your clients would be pointed to it). Not sure if this has any flaws in it, or if there is a better way, but that's how I do it.

jrwired

Post by jrwired » Tue Jan 15, 2008 9:24 pm

We had the same revelation around 4pm, after realizing we could change the priority of DNS servers on our IAD (via Cbeyond). So we'll try that tomorrow, setting up an internal NS & placing that as priority #1 for those within the 'office bubble'. Should take care of us...

Thanks again for helping however...

grahamk
Posts: 134
Joined: Fri Mar 02, 2007 4:53 am

Post by grahamk » Tue Jan 15, 2008 11:30 pm

Sounds like a better way than I've done it. I just set DNS using DHCP internally to point to our internal DNS.

mikevl
Scalix Star
Posts: 596
Joined: Mon Feb 02, 2004 8:32 pm
Location: New Zealand

Post by mikevl » Wed Jan 16, 2008 1:14 am

Hi

Is your mail SERVER using DHCP????


Mike

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Post by Valerion » Wed Jan 16, 2008 3:24 am

Mmm ... if it is using DHCP you need to ensure that the mail server will be guaranteed to get the same IP every time. Even if the DHCP server is unavailable for some reason.

grahamk
Posts: 134
Joined: Fri Mar 02, 2007 4:53 am

Post by grahamk » Wed Jan 16, 2008 4:37 am

Sorry, I wasn't clear. I set our DHCP server to point workstations to our internal DNS. Scalix server has a static IP, both internal and external interface.

mikevl
Scalix Star
Posts: 596
Joined: Mon Feb 02, 2004 8:32 pm
Location: New Zealand

Post by mikevl » Wed Jan 16, 2008 5:00 am

Hi

There is the issue. Two NICs.

Now if you telnet to the "external" NIC, what do you see?
telnet ServerExternalIP 25

Mike

ltward
Posts: 309
Joined: Tue Jan 15, 2008 1:54 pm

Post by ltward » Wed Jan 16, 2008 1:02 pm

grahamk wrote: External requests get resolved by the public DNS servers, internal requests get resolved by your internal server ('cause all of your clients would be pointed to it). Not sure if this has any flaws in it, or if there is a better way, but that's how I do it.

The only problem with this is if your internal DNS server is down or inaccessible for some reason, your clients inside the office bubble will then go to the external DNS and things will fail for your clients.

You could use a hosts file on your clients; that works well until you change a host name or IP address and have to update all those hosts files.
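
The diagnosis and the split DNS fix discussed in this thread, as an added example that is not part of the original posts: it models the MX lookup with fallback to the A record and checks each resolver view from the vantage point that uses it. The zone data is constructed, `203.0.113.10` is a placeholder for the public IP (which is not given in the thread), and the MX entries and the `check_view` and `delivery_targets` names are assumptions for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOMAIN = "cal.structuralcomponents.net"
PUBLIC_IP = "203.0.113.10"  # placeholder (documentation range), not the site's real address

# Constructed views of the zone, not live DNS answers.
ORIGINAL = {"MX": {}, "A": {DOMAIN: ["10.0.1.132"]}}  # what the internet saw at first
EXTERNAL = {"MX": {DOMAIN: [(10, DOMAIN)]}, "A": {DOMAIN: [PUBLIC_IP]}}
INTERNAL = {"MX": {DOMAIN: [(10, DOMAIN)]}, "A": {DOMAIN: ["10.0.1.132"]}}

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def delivery_targets(domain, view):
    """Addresses a sending MTA tries, in order: MX hosts by preference,
    or the domain's own A record when no MX exists (RFC 5321, section 5.1)."""
    mx = sorted(view["MX"].get(domain, []))
    hosts = [host for _pref, host in mx] or [domain]
    return [ip for host in hosts for ip in view["A"].get(host, [])]

def check_view(domain, view, vantage):
    """Findings for a resolver view as seen from vantage 'internet' or 'lan'."""
    findings = []
    if not view["MX"].get(domain):
        findings.append("no MX record: senders fall back to the A record")
    targets = delivery_targets(domain, view)
    if not targets:
        findings.append("no address resolves: mail cannot be delivered")
    for ip in targets:
        if vantage == "internet" and is_rfc1918(ip):
            findings.append(f"{ip} is RFC 1918 space: unreachable from the internet")
        elif vantage == "lan" and not is_rfc1918(ip):
            # Assumption taken from the thread: inside hosts cannot reach the public IP.
            findings.append(f"{ip} is public: not reachable from inside this firewall")
    return findings

if __name__ == "__main__":
    for name, view, vantage in [("original", ORIGINAL, "internet"),
                                ("public view", EXTERNAL, "internet"),
                                ("public view", EXTERNAL, "lan"),
                                ("internal view", INTERNAL, "lan")]:
        print(f"{name} from {vantage}: {check_view(DOMAIN, view, vantage) or 'ok'}")
```

The third case reproduces the state after the A record was switched to the public IP without an internal resolver, and the fourth is the internal DNS view the thread settles on.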

