Sendmail refuses from outside addresses

Postby dougp23 » Mon Jul 30, 2007 8:17 am

Sending email from outside is bouncing. For instance, if I send a message to me from my gmail account, I get an error like this (at my Gmail Inbox):

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

dsomeone@example.com
Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 553 5.1.8 <doug@gmail.com>... Domain of sender address doug@gmail.com does not exist

Asking the mailserver this:

$ nslookup -sil -query=MX gmail.com

Produces this:
Server: 206.152.180.10
Address: 206.152.180.10#53

Non-authoritative answer:
*** Can't find gmail.com: No answer

Authoritative answers can be found from:
gmail.com nameserver = ns2.google.com.
gmail.com nameserver = ns3.google.com.
gmail.com nameserver = ns4.google.com.
gmail.com nameserver = ns1.google.com.
ns1.google.com internet address = 216.239.32.10
ns2.google.com internet address = 216.239.34.10
ns3.google.com internet address = 216.239.36.10
ns4.google.com internet address = 216.239.38.10

I see the non-authoritative fails, but still using A records, it seems like it can get there. Any ideas?

Postby jaime.pinto » Mon Jul 30, 2007 8:36 am

If you do a "whois" on gmail you can find the admin and tech contacts. Send them an email. It's *their* problem.
Jaime

Postby dougp23 » Mon Jul 30, 2007 8:42 am

I would think so too....

But I am seeing this from a LOT of outside email addresses.....
It seems to be something bigger. I restarted sendmail, but not sure if it has cleared up.

If you have any other ideas, please let me know.

Postby jaime.pinto » Mon Jul 30, 2007 8:48 am

I've been seeing *a lot of* problems from gmail, and other companies that appear to be using the sendmail.com/gmail appliance, or something like it.
Jaime

Postby dougp23 » Mon Jul 30, 2007 8:53 am

Hmm....good point. I mean, I can email me from Yahoo, Hotmail, some free Linux accounts, mailing lists getting through.....I don't know just yet! Still digging!
Thanks for the input Jaime.
I have PM'd you also.

Postby btisdall » Mon Jul 30, 2007 9:14 am

Gmail may have some issues with regard to their mail handling, but the fact that you or sendmail can't verify the domain gmail.com almost certainly points to a problem with YOUR dns config.

Try querying one of opendns's nameservers to be certain:

dig @208.67.222.222 -t mx gmail.com
Ben Tisdall
www.redcircleit.com
London

Postby dougp23 » Mon Jul 30, 2007 9:21 am

Btisdall,

You are right. The dig you gave me points out just fine the gmail servers. When I

tail -f /var/log/maillog

I see LOTS of these 5.1.8 errors....LOTS. So I know the issue is on my end. Now, the question becomes WHERE is the problem.....

Please help anyone! This is a production box, and I am just getting back from a week's vacation...I don't need this sort of welcome back, lol!!!

Postby btisdall » Mon Jul 30, 2007 10:02 am

Well, I would start by checking my /etc/resolv.conf.

If the entry is 127.0.0.1 then check that BIND or whatever other nameserver you're using is running by doing:

lsof -i:53


If you're using a nameserver somewhere else then make sure you can ping it and, if you can, that the nameserver daemon is running.
Ben Tisdall

www.redcircleit.com

London

Postby dougp23 » Mon Jul 30, 2007 10:30 am

This is what I have in /etc/resolv.conf

; generated by /sbin/dhclient-script
search mydomain.com
nameserver 68.87.71.226
nameserver 68.87.73.242

Both nameservers are def pingable. Do you mean named should be running on MY box or the nameserver's boxes???
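
The check the thread is converging on, as an added example that is not part of any post: tally the sendmail 5.1.8 rejections by sender domain, then ask every nameserver in /etc/resolv.conf and a reference resolver for each domain's MX record. The log lines in `SAMPLE_LOG` are constructed, the sendmail log layout and the function names are assumptions, and `dig` must be installed for the `--live` mode.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. SAMPLE_LOG is constructed test data.
export LC_ALL=C

SAMPLE_LOG='Jul 30 08:10:01 mail sendmail[2101]: l6UCA1aa002101: ruleset=check_mail, arg1=<doug@gmail.com>, relay=mx.example.net [192.0.2.10], reject=553 5.1.8 <doug@gmail.com>... Domain of sender address doug@gmail.com does not exist
Jul 30 08:10:07 mail sendmail[2104]: l6UCA7ab002104: ruleset=check_mail, arg1=<ann@GMAIL.com>, relay=mx.example.net [192.0.2.10], reject=553 5.1.8 <ann@GMAIL.com>... Domain of sender address ann@GMAIL.com does not exist
Jul 30 08:11:15 mail sendmail[2110]: l6UCBFac002110: ruleset=check_mail, arg1=<bob@yahoo.com>, relay=mx.example.org [192.0.2.20], reject=553 5.1.8 <bob@yahoo.com>... Domain of sender address bob@yahoo.com does not exist
Jul 30 08:11:40 mail sendmail[2113]: l6UCBead002113: to=<dsomeone@example.com>, delay=00:00:01, mailer=local, stat=Sent
Jul 30 08:12:02 mail sendmail[2117]: l6UCC2ae002117: ruleset=check_mail, arg1=<eve@example.org>, relay=mx.example.org [192.0.2.20], reject=553 5.1.8 <eve@example.org>... Domain of sender address eve@example.org does not exist
Jul 30 08:12:30 mail sendmail[2120]: l6UCCUaf002120: ruleset=check_mail, arg1=<doug@gmail.com>, relay=mx.example.net [192.0.2.10], reject=553 5.1.8 <doug@gmail.com>... Domain of sender address doug@gmail.com does not exist'

# Read maillog text on stdin; print "COUNT DOMAIN" for every sender domain
# rejected with 553 5.1.8, most frequent first. Rejections spread over many
# unrelated, well-known domains point at the local resolver, not the senders.
rejected_domains() {
  grep 'reject=553 5\.1\.8' |
    sed -n 's/.*Domain of sender address [^ ]*@\([^ ]*\) does not exist.*/\1/p' |
    tr '[:upper:]' '[:lower:]' | sort | uniq -c |
    awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Print the nameserver addresses from a resolv.conf-style file.
resolvers_from() {
  awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Ask each configured resolver, then a reference resolver, for DOMAIN's MX.
# usage: compare_mx DOMAIN REFERENCE_RESOLVER [RESOLV_CONF]
compare_mx() {
  for ns in $(resolvers_from "${3:-/etc/resolv.conf}") "$2"; do
    # dig reports timeouts as ";;" comment lines; drop them before testing.
    answer=$(dig +short +time=3 +tries=1 -t mx "$1" "@$ns" 2>/dev/null | grep -v '^;' || true)
    if [ -n "$answer" ]; then echo "$ns $1 OK"; else echo "$ns $1 NO-ANSWER"; fi
  done
}

# Live mode: use the real log and the OpenDNS resolver quoted in the thread.
if [ "${1:-}" = "--live" ]; then
  rejected_domains < /var/log/maillog | while read -r n d; do
    compare_mx "$d" 208.67.222.222
  done
fi
```

A domain that shows `NO-ANSWER` from the configured nameservers but `OK` from the reference resolver puts the fault on the configured nameservers rather than on the sending domain.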

Postby dougp23 » Mon Jul 30, 2007 10:49 am

Think I might be fixed.

My ISP changed their DNS servers (good thing they didn't bother to tell me, lol). And three parts of the email server (service router, CDA Server and Item structure Server) were off. Even though I rebooted the server, these were still off. I guess it's time to look at some fatal logs!!!

Doug

Postby les » Mon Jul 30, 2007 10:53 am

dougp23 wrote:This is what I have in /etc/resolv.conf

; generated by /sbin/dhclient-script
search mydomain.com
nameserver 68.87.71.226
nameserver 68.87.73.242

Both nameservers are def pingable. Do you mean named should be running on MY box or the nameserver's boxes???


You don't really need named running on the box, mind you it helps to run internal zone files. Your problem is the nameservers you are querying are not reliable.

Are they your ISP's nameservers? Depending on where you are you might try some other common name servers.

I recently came across some problems just like this and I found out the DNS queries can be made on low ports as well as high ports.
Some remote DNS servers, like gmail, may block low port DNS requests, hence why you get the timeout. Using another name server which works probably means they do a standard DNS lookup.

You can alert the people who provide the nameserver that you use (probably your isp) and get them to check things. They should be able to figure it out.

Good luck.
Regards,

Les Stott

Postby BaldBoy » Mon Jul 30, 2007 11:28 am

les wrote: You don't really need named running on the box,


Well, it's not mandatory to have named running, but ... why not ?
I mean if you can have a service relying on your structure, which does not cost a dime, and can help prevent service outages from your ISP (very frequent) you'll gain more than the little time you lose for initial setup.

Here a good howto for your setup:
http://langfeldt.net/DNS-HOWTO/BIND-9/DNS-HOWTO-3.html

Postby les » Mon Jul 30, 2007 6:05 pm

BaldBoy wrote:
les wrote: You don't really need named running on the box,


Well, it's not mandatory to have named running, but ... why not ?
I mean if you can have a service relying on your structure, which does not cost a dime, and can help prevent service outages from your ISP (very frequent) you'll gain more than the little time you lose for initial setup.



Yes, I know that and I sort of alluded to it being useful for an internal zone. What I wanted to do was "ignore" that so that everyone stopped thinking it was the problem and looked more at the real problem.

We just need to fix the real problem first, not change 100 things and potentially find or cause other issues which may cloud the original problem.

In any event if you had named running locally only, like I do for all my sites, you would have it answer internal queries and then forward any queries to an external DNS nameserver which could handle those. And that ultimately is the same as just saying to resolv.conf..."ask these external nameservers". Normally you still forward through your ISP's DNS servers anyway.

So the problem, as I see it, is not whether or not named is running locally. It is that the DNS server being used for queries has a problem looking up certain domains, which are valid and do exist.

The solution...get the maintainer of the DNS servers to check out why this is happening, they should be able to fix it, or switch and use other DNS servers that can do the lookup.
Regards,

Les Stott

Postby BaldBoy » Tue Jul 31, 2007 7:25 am

les wrote: Yes, I know that and I sort of alluded to it being useful for an internal zone. What I wanted to do was "ignore" that so that everyone stopped thinking it was the problem and looked more at the real problem.
<cut>
the solution...get the maintainer of the dns servers to check out why this is happening, they should be able to fix it, or switch and use other dns servers that can do the lookup.


You're right but from my, very humble, point of view things can be done faster.
I mean: given the fact it's clear that the error is due to a name resolving problem by the addressee MTA, I think it's faster to have the things done in-house rather than trying to speak with someone at the ISP. Switching to another *external* DNS server is not, for me, a viable solution as the problem might arise again. ISPs' DNSs are always overcrowded and not always properly dimensioned: in the various efforts they put in place to allow access only from their networks they often cut off some customers (this is my experience so maybe I've been very unlucky).

I really do think having an in-house DNS server is fast, quick, cheap and ... may help troubleshooting problems: if (almost) anything I need is-on-my-system then there is no need to look elsewhere.

My two cents.

