v11 questions and smtpd.cfg problem

[TGuY]

This mail server is going to be hosting a lot of different domains email. It seems simple enough to add domains through the administration console. It does mention that users should only have one email alias, if they're setup as an external mail user. This server will be used almost exclusively as external mail, and many users have multiple alias accounts. I am wondering if the correct way to set these up, would be to just add all their email aliases onto their account?

I went to test recieving mail, and I'm unable to get anything to come in. I read a few posts about the smtpd.cfg, but none are very clear on what should actually be set, besides the server name using the fqdn. I setup the debug line, so I could try to get some more info, but it tells me exactly what I already knew:

speed:/var/opt/scalix/sd/s/tmp# tail -f smtpd-SMTP.log
SMTP Relay 11.0.0.431 started (5058): Mon, 29 Jan 2007 22:04:40 -0600 (CST) for SMTP
Accepted client 1 from (mail.SOURCE.com)
Cli 5058/1 sent : 220 speed.DESTINATION.com. ESMTP Scalix SMTP Relay 11.0.0.431; Mon, 29 Jan 2007 22:05:16 -0600 (CST)

Cli 5058/1 rcvd: 'EHLO mail.SOURCE.com'
Cli 5058/1 sent : 250-speed.DESTINATION.com. Hello mail.SOURCE.com [69.41.XXX.XXX], pleased to meet you
250-AUTH DIGEST-MD5 PLAIN LOGIN GSSAPI CRAM-MD5
250-AUTH=LOGIN
250-DSN
250 8BITMIME

Cli 5058/1 rcvd: 'MAIL FROM:<drew@SOURCE.com>'
Cli 5058/1 sent : 250 drew@SOURCE.com... Sender ok

Cli 5058/1 rcvd: 'RCPT TO:<drew@DESTINATION.com>'
Rejected relay attempt from drew@DESTINATION.com at 69.41.XXX.XXX to drew@DESTINATION.com
Cli 5058/1 sent : 550 Denied due to spam list

Cli 5058/1 rcvd: 'QUIT'
Cli 5058/1 sent : 221 speed.DESTINATION.com. closing connection

The entry's in my smtpd.cfg look like this:

DEBUG_LOG=TRUE

# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept speed.DESTINATION.com.

this is the correct name:
speed:/var/opt/scalix/sd/s/sys# hostname --fqdn
speed.DESTINATION.com.


RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL



# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix

[ScalixSupport]

Hi,

Denied due to spam list always indicates that the IP address of the SWA server is not listed in the RELAY accept lines in /var/opt/scalix/<aa>/s/sys/smtpd.cfg Please make sure you update you smtpd.cfg file. Restart SMTP Relay and see if the issue is resolved.

Thanks,
Subir

[TGuY]

I already checked that. I even went as far as to try adding "ALL" to the allow relay section.

This post:
http://www.scalix.org/forums/viewtopic. ... e21f6dde07

seems to sum up my question, with a little bit more detail. I am looking to host a number of domains, and I don't see any clear documentation as to what needs to be done in order to add any beyond what the local fqdn turns out as? There is a section in the admin that allows you to add domains, is there anything else that needs to be done? The domain I'm working with, isn't the one that the machine has in its hosts file. I cannot move the mx for my main domain over, until I at least have my test domain working properly. The host inside the mx record, for the domain i'm testing with, is the fqdn for the system that is hosting scalix at the moment. Any input?

[mito]

Are you trying to send mail from within your own SWA to yourself, or from the internet to this server?

If you're trying to send from yourself to yourself, check and make sure that the name is resolving properly.

IE: try to ping speed.destination.com and make sure that the resolved IP address is the IP address of the mail server. If it's not, then that is more than likely the problem, I've had this happen to me before, where SWA sending to itself didn't send through the 127.0.0.1 IP, but via the external IP, and I dind't have the external IP in the smtpd.conf properly (a typo on my part that time, but still the same concept).

Mito

[TGuY]

Thanks for the response. I am testing internet -> scalix. It seems that all the functions within scalix work fine, as far as being able to transfer internally, and externally. It's when you try to recieve mail from an external source that it fails with the whole "config error: mail loops back to me (MX problem?)" error.

[ScalixSupport]

Hi!

The relay is acceptable only for speed.DESTINATION.com as suggested by your smtpd.cfg
file:

# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept speed.DESTINATION.com.

The recipient of the mails are on DESTINATION.com, I assume the MX entry must be
saying mail for DESTINATION.com are handled by speed.DESTINATION.com. I would first
suggest replace the current RELAY accept line with as given below, so that users on
domain DESTINATION.com are allowed relaying:

RELAY accept .DESTINATION.com.

The line above would allow all hosts on domain DESTINATION.com would be allowed
to relay. Restart Relay, using commands below:

omoff -wd 0 smtpd
omon smtpd

Now you should not get "550 Denied due to spam list".

Please refer for smtpd.cfg configuration details on page#41 of the document:
http://www.scalix.com/documents/Scalix_Server_Setup_Guide_11.0_Draft.pdf

When you say:

I am looking to host a number of domains

do you mean you want to host more than one host on domain DESTINATION.com, if so the line I suggest would handle all hosts on DESTINATION.com.

If you want something like as below:

RELAY accept .domain1.com
RELAY accept .domain2.com
RELAY Log_Reject ALL

You can surely do that, but if you are a licenced user then all those domains you need to
work with should be in your licence. If not, please contact support@scalix.com for new
licence. If you do not have a licence and you are just using a community edition, you can
have more than one RELAY accept line for each domain.

Thanks,
Subir

[TGuY]

Thanks for the response... I did notice one thing, that I didn't note here.

I saw all the information on the configuration of the RELAY accept, and I made a note above that I even changed it to:

# NB Authenticated RELAYs are always allowed
RELAY accept ALL

I restarted the box completely, and this did produce a different output in my scalix smtp debug log. I'm still getting the 550 bounce, but now it's showing up in the sendmail log file /var/log/mail.err etc... I tried adding the domain to the /etc/mail/local-host-names, where only speed.DESTINATION.com was listed. I restarted everything again, and still get the same thing.

[ScalixSupport]

Hi!

Referring to the post:
viewtopic.php?t=3110

I would suggest you to try changing the SMTP greeting using the suggestions given in the
document "HowTos/ScalixSecurity" on Scalix wiki:
http://www.scalix.com/wiki/index.php?ti ... P_greeting

This should help you resolve the issue of "550 Denied due to spam list". I would suggest you
to not open relaying to all, instead restrict to domain(s).

Thanks,
Subir

[ScalixSupport]

The internet address field has a 512 byte limitation. This can fill up quickly especially if each alias is configured with the friendly name.

The easiest solution is to add:

Code: Select all

DOMAIN_NAME=primary.domain
LOCAL_NAMES=other.domain,other.domain,etc

to /var/opt/scalix/XX/s/sys/smtpd.cfg

It may also be necessary to add these aliases to your /etc/mail/local-host-names.

Regards,
Don

[TGuY]

I'm not sure why this I'm having so many problems with this!!!!

I decided to try setting up a new freshly installed linux machine... here at home, on my cable modem. I wanted to see if it made any difference to have a freshly loaded machine with nothing between it and the internet. I think everything is setup how it should be, but I still have never seen scalix recieve an email! This is very frustrating, as I've never had as many issues with an email service as this one. Scalix seems especially picky about host names, but why does it care? If the mx is pointing to you and you have the domain added listed in the domain list, should that email not simply direct it to the correct mailbox, or bounced????

Here is my configuration now.... the hostnames are all correct, both directions in dns. I am testing by sending email from external sources, more than one.. including my existing remote kerio installation.

host/ip/dns stuff

c-75-72-71-113:~# hostname
c-75-72-71-113
c-75-72-71-113:~# hostname --fqdn
c-75-72-71-113.hsd1.mn.comcast.net.

c-75-72-71-113:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:09:6B:71:E0:7C
inet addr:75.72.71.113 Bcast:255.255.255.255 Mask:255.255.252.0

c-75-72-71-113:~# nslookup 75.72.71.113
113.71.72.75.in-addr.arpa name = c-75-72-71-113.hsd1.mn.comcast.net.

c-75-72-71-113:~# nslookup c-75-72-71-113.hsd1.mn.comcast.net.
Name: c-75-72-71-113.hsd1.mn.comcast.net
Address: 75.72.71.113

c-75-72-71-113:~# nslookup
> set q=mx
> onyxs10.com
onyxs10.com mail exchanger = 10 c-75-72-71-113.hsd1.mn.comcast.net.

i've been able to get past the 550 spam list error, but i had to set the relay accept to all. i most definately wouldn't want to leave that set. if you're accepting email from the internet, does it have to be set to all? it seems that all email coming in, gets relayed through sendmail?

c-75-72-71-113:~# tail -n 35 /var/opt/scalix/c3/s/sys/smtpd.cfg
###############################################################################

DEBUG_LOG=TRUE

# NB Authenticated RELAYs are always allowed
RELAY accept ALL
RELAY Log_Reject ALL

DOMAIN_NAME=hsd1.mn.comcast.net
LOCAL_NAMES=onyxs10.com

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

even with it set to relay all, it just loops in sendmail.. i setup the local-host-names file, every different way i could think of (".onyxs10.com.", "onyxs10.com.", ".onyxs10.com", "onyxs10.com") doesn't seem to matter. i'ved cycled the services, cycled the whole server... nothing. is it just not possible to deliver mail to a scalix mailbox that isn't on the domain the machines fqdn is set to?

c-75-72-71-113:~# cat /etc/mail/local-host-names
localhost
c-75-72-71-113.hsd1.mn.comcast.net.
onyxs10.com.

what a bounced email looks like

c-75-72-71-113:/var/opt/scalix/c3/s/tmp# cat /var/log/mail.err
Feb 3 01:08:12 c-75-72-71-113 sm-mta[8870]: l1378C9c008862: SYSERR(root): MX list for onyxs10.com. points back to c-75-72-71-113.hsd1.mn.comcast.net

c-75-72-71-113:/var/opt/scalix/c3/s/tmp# cat /var/log/mail.info
Feb 3 01:08:12 c-75-72-71-113 sm-mta[8840]: l1378Bsn008840: from=drew@SOURCE.com, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Feb 3 01:08:12 c-75-72-71-113 sm-mta[8862]: l1378C9c008862: from=<drew@SOURCE.com>, size=1350, class=0, nrcpts=1, msgid=<20070203070927.6eef4406@SOURCE.com>, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Feb 3 01:08:12 c-75-72-71-113 sm-mta[8870]: l1378C9c008862: SYSERR(root): MX list for onyxs10.com. points back to c-75-72-71-113.hsd1.mn.comcast.net
Feb 3 01:08:12 c-75-72-71-113 sm-mta[8870]: l1378C9c008862: to=<test@onyxs10.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=121350, relay=onyxs10.com., dsn=5.3.5, stat=Local configuration error
Feb 3 01:08:12 c-75-72-71-113 sm-mta[8870]: l1378C9c008862: l1378C9c008870: DSN: Local configuration error
Feb 3 01:08:12 c-75-72-71-113 sm-mta[8870]: l1378C9c008870: to=drew, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=60000, dsn=2.0.0, stat=Sent
Feb 3 01:09:13 c-75-72-71-113 sm-mta[8870]: STARTTLS=client, relay=mail.SOURCE.com., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 3 01:09:13 c-75-72-71-113 sm-mta[8870]: l1378C9c008870: to=<drew@SOURCE.com>, delay=00:01:01, xdelay=00:01:01, mailer=esmtp, pri=60000, relay=mail.SOURCE.com. [69.41.xxx.xxx], dsn=2.0.0, stat=Sent (45c43566-00006535 Message accepted for delivery)

c-75-72-71-113:/var/opt/scalix/c3/s/tmp# cat smtpd-SMTP.log
Accepted client 1 from (mail.SOURCE.com)
Cli 7551/1 sent : 220 c-75-72-71-113.hsd1.mn.comcast.net. ESMTP Scalix SMTP Relay 11.0.0.431; Sat, 03 Feb 2007 01:08:11 -0600 (CST)

Cli 7551/1 rcvd: 'EHLO SOURCE.com'
Cli 7551/1 sent : 250-c-75-72-71-113.hsd1.mn.comcast.net. Hello mail.SOURCE.com [69.41.xxx.xxx], pleased to meet you
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
250-AUTH=LOGIN
250-DSN
250 8BITMIME

Cli 7551/1 rcvd: 'MAIL FROM:<drew@SOURCE.com>'
Cli 7551/1 sent : 250 drew@SOURCE.com... Sender ok

Cli 7551/1 rcvd: 'RCPT TO:<test@onyxs10.com>'
... new process 8860
7551: Allocate new unix.in process 8860
Cli 7551/1 rcvd U: '220 Scalix ESMTP Ready.'
Cli 7551/1 rcvd U: '250 Ok'
Cli 7551/1 sent U: rcpt to: <test@onyxs10.com>

Cli 7551/1 rcvd U: '250 Ok'
Cli 7551/1 sent : 250 Ok

Cli 7551/1 rcvd: 'DATA'
Cli 7551/1 sent : 354 Enter mail, end with "." on a line by itself (relay)

Cli 7551/1 sent U: data

Cli 7551/1 rcvd U: '354 Enter mail, end with "." on a line by itself.'
Cli 7551/1 sent U: Received: from SOURCE.com (mail.SOURCE.com [69.41.xxx.xxx])
by c-75-72-71-113.hsd1.mn.comcast.net. (Scalix SMTP Relay 11.0.0.431)
via ESMTP; Sat, 03 Feb 2007 01:08:12 -0600 (CST)
Received: from 75.72.71.113 ([75.72.71.113])
by SOURCE.com (Kerio MailServer 6.1.0)
for drew@SOURCE.com;
Sat, 3 Feb 2007 01:09:27 -0600
From: drew@SOURCE.com
To: test@onyxs10.com
Subject: test
Message-ID: <20070203070927.6eef4406@SOURCE.com>
Date: Sat, 03 Feb 2007 01:09:27 -0600
X-Mailer: Kerio MailServer 6.1.0 WebMail
X-User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
MIME-Version: 1.0
Content-Type: multipart/alternative;

Cli 7551/1 got .
Cli 7551/1 sent U: boundary="----------flower-power-ef3ec2fc1af1af2d965aefaecffdb36b"

This is a multi-part message in MIME format.

------------flower-power-ef3ec2fc1af1af2d965aefaecffdb36b
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit


test
------------flower-power-ef3ec2fc1af1af2d965aefaecffdb36b
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html>
<head>
<meta http-equiv='Content-Type' content='text/html;charset=us-ascii'>
<style>BODY{font:10pt Tahoma, Verdana, sans-serif;}</style>
</head>
<body>
<DIV>test</DIV></body></html>
------------flower-power-ef3ec2fc1af1af2d965aefaecffdb36b--

.

Cli 7551/1 rcvd U: '250 Ok'
Cli 7551/1: Submitted message ': <20070203070927.6eef4406@SOURCE.com>' to unix.in.
response: '250 Ok'
Cli 7551/1 Finished submitting msg : <20070203070927.6eef4406@SOURCE.com>
Cli 7551/1 sent : 250 Ok

Cli 7551/1 rcvd: 'QUIT'
Cli 7551/1 sent : 221 c-75-72-71-113.hsd1.mn.comcast.net. closing connection

here is the user i created in sca



Please tell me I'm missing something simple! The web interface for this product is great, especially for opensource! I would really like to get this working, but I need something soon.

Thanks for the reply's. I think it's a great thing that Scalix has not only made this community addition, but that there is msg board to ask questions! I sure hope this works out.

[florian]

you are missing something simple, yet fundamental..... but i'll keep the tension up for two more lines to throw in a mini marketing pitch!

especially from your perspective, scalix is by far easier to setup than ANY other email system you will know, because for most purposes, it doesn't even have the concept of domains - once a user has a valid email address and is local to the server, it will happily accept mail for that user unless configuration says otherwise. no per-domain, relay, accept, local-hostname, whatever setup needed at all.

the prerequisite for this is that every email address assigned to the user, including domain, must exactly match what's coming in, i.e. you can't have a user with a name like "florian" and then just say in some global config that he has email @microsoft.com, @ibm.com and @lotus.com, you'll actually need to assign him 3 addresses, i.e. florian@microsoft.com, florian@ibm.com, florian@lotus.com [disclaimer: I own neither of these...].

Your user does. almost. see the little "." at the end of your email address in the SAC screenshot you posted? Don't know where this comes from, but probably you setup your email address generation domain wrongly during installation (and we have a minor bug that allows this to be entered). that's wrong. you'll need to fix up whatever generates these and then reassign the address to all your users.

i assume you should be fine then?

Please confirm,
Florian.

[TGuY]

Bummer, I already tried that both ways....

BUT, when I setup the application, the default domain (the one in /etc/hosts) ends in a period, so when I added that for the domain I added the period at the end as well. I wasn't completely sure if scalix wanted that or not. It's not totally clear when it's appropriate, as it seems like you're to prefix the domain with a period, to make it a wild card, just like when you specify a network address by writing 192.168.0. instead of of 192.168.0.*. I take it you can add a domain through sca and not have to cycle any services for it to be able to pick that up? I'll test that as well, once I get this setup. Back to the period, I am now wondering, if part of the problem, is that when I installed the application, many of the files that require you fill in the fqdn, also got the period at the end. I'll reload the system completely, and make sure that the period is on none of those entry's. This might be a common problem at least with people that are using Debian, as when you setup the hostname during installation, it defialts to leave the period on the end. I thought that was good practice, as it assures the system, that you entered the fqdn, as the period designates the end of all domain names.

I'm keeping bloody detailed records on everything I do, so hopefully if this works, I'll have a good record one what needs to be done next time.

I guess the last question I have, relates back to the fqdn for the server again. I know the documentation says you need to have everything proper for this to work. I have one instance of this, where I might not be able to control the in-addr.arpa, does that mean I won't be able to have it recieve mail? If what you say is true, it sure seems like the system is very pick about hosts matching exactly. If the reverse dns doesn't match, it would seem that would render it worthless.

Thanks again guys!

[florian]

BUT, when I setup the application, the default domain (the one in /etc/hosts) ends in a period, so when I added that for the domain I added the period at the end as well.

The fully-qualified hostname in /etc/hosts should also not have a dot at the end. The place where this is appropriate is actually only DNS config files on a DNS server; there, the . indicates to the server that the zone (might be top-level domain or so) should NOT be appended, i.e. it is a full name. The hostname "per se" does not have a dot at the end anywhere.

I take it you can add a domain through sca and not have to cycle any services for it to be able to pick that up?

Well, yes. The list in SAC is not a domain acceptance list or anything, it's just a list of domains to choose from when creating a user, i.e. a convenience function. If you empty the list, you will be able to manually type the domain name when adding a user.

Back to the period, I am now wondering, if part of the problem, is that when I installed the application, many of the files that require you fill in the fqdn, also got the period at the end. I'll reload the system completely, and make sure that the period is on none of those entry's. This might be a common problem at least with people that are using Debian, as when you setup the hostname during installation, it defialts to leave the period on the end. I thought that was good practice, as it assures the system, that you entered the fqdn, as the period designates the end of all domain names.

That sounds like a good idea. Was this a debian install? OK, in that case it makes sense. I wonder if our installer (on RedHat/Fedora/SuSE platforms) would actually find the problem in it's network checks, which are pretty extensive. Maybe you want to add a remark to that fact to the system network requirements in the Manual Install Wiki for debian.

I guess the last question I have, relates back to the fqdn for the server again. I know the documentation says you need to have everything proper for this to work. I have one instance of this, where I might not be able to control the in-addr.arpa, does that mean I won't be able to have it recieve mail? If what you say is true, it sure seems like the system is very pick about hosts matching exactly. If the reverse dns doesn't match, it would seem that would render it worthless.

Well, Scalix won't fall over that one IF you have the correct IP address/hostname mapping in the /etc/hosts file on the Scalix server as this will take precedence over what's in DNS. However, if the server is available from the Internet and is setup as a MX for a domain, you might want to take sure that the reverse record is correct. Some receiving mail servers do double reverse lookup on server names and IP addresses they talk to to reduce the likelyhood they are being talked to from a spam box. So if this isn't right, the most probable issue could be that some people won't be receiving mail from you as it might be silently dropped. That one has nothing to do with Scalix, though.

Cheers,
Florian.

[TGuY]

Holy ####!!! It works!

hours and hours and hours.... for a freakin period.

I tried taking it off the domains, but never removed it completely from all the config files/hosts file.

I am a happy camper now. I will be sure to make a note of this in the wiki, hopefully saves some pain in the future!

[mito]

For future reference, I had my server up and running for a while (over a month) without a functional reversible DNS (I had to go a few rounds with AT&T to get them to properly setup the reverse DNS (problems with the T1 documentation etc etc etc). My point though, is that mail works without it.

I will also point out though, that as Florian suggested... some mail servers don't like you if you don't have it. We couldn't send any mail to aol.com during that time, and occasionally if we sent mail to sbcglobal.net the recipient would recieve the mail over and over and over and over again, once every 2 seconds for an exact 24 hour period.

BUT, email worked, and we were fully (with only the two exceptions above that I'd noticed) functional during that time.