DNSBL + Sendmail + Scalix - localhost.localdomain problem


William
Posts: 314
Joined: Fri Jun 02, 2006 8:28 am
Location: British Isles


Postby William » Mon Sep 11, 2006 11:43 am

Hi,

In the sendmail logs the source of all external email is 127.0.0.1 (localhost.localdomain); this means that any DNSBLs installed into sendmail do not work.

"Sep 11 16:10:11 mail sendmail[7623]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]"

I have done the following:
SMTPFILTER=TRUE in smtpd.cfg
sudo service sendmail restart
sudo omoff -d0 smtpd
sudo omon smtpd

Port forwarding is set up on a firewall so the sending MTAs are actually connecting to the mailserver and their IP/hostname is available to the sendmail server.

What do I need to change to get sendmail to see the real IP address of the sending mailserver, so that sendmail can check it against some DNSBLs?

How would I check to see what is listening to port 25 if that is an issue?
I suspect that the order of systems for incoming email now is:
Some sort of Scalix Passthrough -> Sendmail -> Scalix

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Mon Sep 11, 2006 2:01 pm

I believe your latter assumption is correct.


lsof -i :25


should help confirm this.

If you want sendmail and your milter to be able to see the actual incoming connection, you will have to make sendmail your primary SMTP listener. This is fairly easy: just set up sendmail to listen externally (it isn't by default, for security reasons) and make sendmail start before the Scalix SMTP relay (which is the "forwarder" you've been describing), as SMTP relay will only bind to unbound IP addresses.

You might actually want to make the SMTP relay listen on another port (such as the 587 submission port) so that you can still use authenticated SMTP against it to use it from IMAP/SMTP clients.

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!

William
Posts: 314
Joined: Fri Jun 02, 2006 8:28 am
Location: British Isles

Postby William » Tue Sep 12, 2006 5:14 am

The output of : lsof -i :25 is:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
omsmtpd 6297 root 4u IPv4 8041798 TCP mail.ourdomainname.com:smtp (LISTEN)
omsmtpd 6297 root 5u IPv4 8041799 TCP 192.168.99.1:smtp (LISTEN)
sendmail 9840 root 4u IPv4 8054025 TCP localhost.localdomain:smtp (LISTEN)



I changed sendmail.mc file as follows (via webmin):

from: DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
to: DAEMON_OPTIONS(`Port=smtp,Addr=192.168.102.1, Name=MTA')dnl


sudo omoff -d0 smtpd
omsendin
sudo omon smtpd
lsof -i :25 then shows:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sendmail 18105 root 4u IPv4 8125751 TCP mail.ourdomainname.com:smtp (LISTEN)
omsmtpd 18137 root 4u IPv4 8125863 TCP 192.168.99.1:smtp (LISTEN)

In the Sendmail logs Sendmail was seeing the IP addresses etc - however Scalix was not working it seems with Sendmail:

Sep 12 09:39:19 mail sendmail[18078]: k8C8dJ3A018078: to=root@ourdomainname.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30062, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

And emails to normal users were being reported as unknown (email to Scalix email address aliases).

We only have Outlook (via Scalix Connect) and Webmail clients (SWA) connecting.

I think I need to get omsmtp to listen on 127.0.0.1 (localhost.localdomain) like sendmail was?

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Tue Sep 12, 2006 5:20 am

No, I think your sendmail configuration change is wrong.

How you setup sendmail to listen to the external IP address depends on your distro (which is it?), but you should not stop it from listening on 127.0.0.1:25.

sendmail 8.12 consists of 2 parts, the actual MTA and the submission MTA (you see 2 sendmail processes running). These also communicate via SMTP and use the localhost:25 bridge for that.

The way you changed the config broke the sendmail2sendmail communication. You should also be unable to send mail to the outside world from the command line, using e.g. "mail billg@microsoft.com".

Hope this helps,
Florian.
Florian von Kurnatowski, Die Harder!

William
Posts: 314
Joined: Fri Jun 02, 2006 8:28 am
Location: British Isles

Postby William » Tue Sep 12, 2006 6:56 am

Distro: RedHat EL4.

I commented out the sendmail line entirely and the situation became worse.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl


lsof -i :25
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sendmail 20357 root 4u IPv4 8133802 TCP *:smtp (LISTEN)

The smtp relay would not start:

sudo omon smtpd
Enabling 1 subsystem(s).
omstat -a
SMTP Relay Partially Abor
sudo omon smtpd
omon : Please wait ...omon : [OM 4826] Can't abort process 23598 of
part aborted subsystem SMTP Relay.

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Tue Sep 12, 2006 7:08 am

Well, if there is no more address left to listen to, the SMTP relay is basically no longer needed and can be disabled. :-) It does that for you as it is useless.

If you want to keep it, I would suggest that you change the port number it listens on to be the standard SMTP submission port (that's 587/TCP).

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!
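Added example, not part of the thread or of Scalix: a Python check over the LISTEN rows of `lsof -i :25` that flags the two conditions florian describes, sendmail missing its loopback listener and another process still holding an external address on port 25. The finding labels and the set of loopback names are assumptions made for this sketch; the sample rows are the ones posted above.

```python
# Names lsof may print for the loopback address (assumption: default /etc/hosts).
LOOPBACK = {"127.0.0.1", "localhost", "localhost.localdomain"}

# LISTEN rows copied from the three lsof outputs posted in this thread.
ORIGINAL = """omsmtpd 6297 root 4u IPv4 8041798 TCP mail.ourdomainname.com:smtp (LISTEN)
omsmtpd 6297 root 5u IPv4 8041799 TCP 192.168.99.1:smtp (LISTEN)
sendmail 9840 root 4u IPv4 8054025 TCP localhost.localdomain:smtp (LISTEN)"""
ADDR_MOVED = """sendmail 18105 root 4u IPv4 8125751 TCP mail.ourdomainname.com:smtp (LISTEN)
omsmtpd 18137 root 4u IPv4 8125863 TCP 192.168.99.1:smtp (LISTEN)"""
WILDCARD = "sendmail 20357 root 4u IPv4 8133802 TCP *:smtp (LISTEN)"


def parse_listeners(lsof_output):
    """Return [(command, address)] for every LISTEN row; headers are skipped."""
    rows = []
    for line in lsof_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[-1] != "(LISTEN)":
            continue
        address, _, _port = parts[-2].rpartition(":")
        rows.append((parts[0], address))
    return rows


def diagnose(lsof_output):
    """Return a list of finding labels (hypothetical names); empty means OK."""
    listeners = parse_listeners(lsof_output)
    sendmail = {addr for cmd, addr in listeners if cmd == "sendmail"}
    others = {addr for cmd, addr in listeners if cmd != "sendmail"}
    findings = []
    # The submission sendmail hands mail to the MTA over localhost:25.
    if "*" not in sendmail and not (sendmail & LOOPBACK):
        findings.append("no-loopback-listener")
    # Without an external listener sendmail only ever sees 127.0.0.1 peers.
    if not (sendmail - LOOPBACK):
        findings.append("sendmail-not-external")
    # Any other process on an external address still fronts part of the mail.
    if others - LOOPBACK:
        findings.append("relay-holds-external")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("addr moved", ADDR_MOVED),
                        ("wildcard", WILDCARD)):
        print(label, diagnose(text) or "ok")
```
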

William
Posts: 314
Joined: Fri Jun 02, 2006 8:28 am
Location: British Isles

Postby William » Tue Sep 12, 2006 8:55 am

Florian,

You are quite right.

I had a slight panic when I saw some 550 ..not authenticated messages - but these emails get passed on to Scalix anyway - a sendmail problem that is safe to ignore for the time being apparently.


Sep 12 11:43:17 mail sendmail[23528]: ruleset=trust_auth, arg1=root@mail.ourdomainname.com, relay=localhost.localdomain [127.0.0.1], reject=550 5.7.1 <root@mail.ourdomainname.com>... not authenticated



---on another note:---
If anyone knows how to respond slowly to a positive blacklisted connection I would be grateful. My thinking is that rather than simply telling the spamming IP that 'we know' they are a spammer, I would like to pause say n seconds before telling them this.

Here is the current sendmail DNSBL code in sendmail:
FEATURE(`dnsbl')dnl
define(`EDNSBL_TO',2)dnl
FEATURE(`enhdnsbl',`bl.spamcop.net', `"550 Delivery Error: Your IP[" $&{client_addr} "] is black listed by http://www.spamcop.net"', `t')dnl
FEATURE(`enhdnsbl',`dnsbl.sorbs.net', `"550 Delivery Error: Your IP[" $&{client_addr} "] is black listed by http://www.sorbs.net"', `t')dnl
FEATURE(`enhdnsbl',`sbl-xbl.spamhaus.org', `"550 Delivery Error: Your IP[" $&{client_addr} "] is black listed by http://www.spamhaus.org"', `t')dnl
FEATURE(`enhdnsbl',`relays.ordb.org', `"550 Delivery Error: Your IP[" $&{client_addr} "] is black listed by http://www.ordb.org"', `t')dnl
EXPOSED_USER(`root')dnl

Thank you.

William
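Added example, not part of the thread: a Python audit of sendmail "connect from" log lines that reports whether every peer is loopback (the symptom in the first post) and shows the name a DNSBL lookup would use for each real client address. The first sample line is the one quoted in the thread; the other log lines and their addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Matches the "connect from host [ip]" form quoted in the first post.
CONNECT_RE = re.compile(r"sendmail\[\d+\]: \S+ connect from (\S+) \[([^\]]+)\]")

BEFORE = [  # first line is from the thread, the rest are constructed
    "Sep 11 16:10:11 mail sendmail[7623]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]",
    "Sep 11 16:10:40 mail sendmail[7630]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]",
]
AFTER = [  # constructed lines using documentation address ranges
    "Sep 12 12:01:02 mail sendmail[23601]: NOQUEUE: connect from mx.example.net [192.0.2.10]",
    "Sep 12 12:01:09 mail sendmail[23604]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]",
    "Sep 12 12:02:30 mail sendmail[23610]: NOQUEUE: connect from host.example.org [203.0.113.7]",
]


def dnsbl_query_name(client_ip, zone):
    """DNSBL lookups use the client's IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def audit(log_lines, zone):
    """Count connection sources and list the DNSBL names they would produce."""
    total = loopback = 0
    queries = []
    for line in log_lines:
        match = CONNECT_RE.search(line)
        if not match:
            continue
        total += 1
        ip = ipaddress.ip_address(match.group(2))
        if ip.is_loopback:
            loopback += 1  # a lookup of 1.0.0.127.<zone> says nothing about the sender
        elif ip.version == 4:
            name = dnsbl_query_name(str(ip), zone)
            if name not in queries:
                queries.append(name)
    # "masked": every logged peer is loopback, so a front-end hides the senders.
    return {"connections": total, "loopback": loopback,
            "masked": total > 0 and loopback == total, "queries": queries}


if __name__ == "__main__":
    print(audit(BEFORE, "bl.spamcop.net"))
    print(audit(AFTER, "bl.spamcop.net"))
```
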

mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Postby mito » Fri Oct 27, 2006 3:41 pm

florian wrote:I believe your latter assumption is correct.


lsof -i :25


should help confirm this.

If you want sendmail and your milter to be able to see the actual incoming connection, you will have to make sendmail your primary SMTP listener. This is fairly easy: just set up sendmail to listen externally (it isn't by default, for security reasons) and make sendmail start before the Scalix SMTP relay (which is the "forwarder" you've been describing), as SMTP relay will only bind to unbound IP addresses.

You might actually want to make the SMTP relay listen on another port (such as the 587 submission port) so that you can still use authenticated SMTP against it to use it from IMAP/SMTP clients.

Cheers,
Florian.


I'm running into the same problems as this post in the sense that all email is being seen as from 127.0.0.1 and I too have set up SMTPFILTER=TRUE so that I can use MailScanner. You had mentioned that it would be fairly easy to set up the system so that sendmail is in front? Specifically, how would you change it to where you can still use SMTP authentication as you mentioned? I'm still kinda new to mail server administration and am still getting familiarized with how to do these things.

If you could just point me towards some documentation or something, that would be wonderful!

Thanks!

[edit] Oh, and I'm using Redhat FC4

