relay problems due to "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"

on 21.07.2005 21:12:52 by yossi

Hi forum,

I am quite new to sendmail configuration but I hope that you can help me
out.

I have installed a new mail relay based on Fedora Core 4.0 with its
default sendmail program. The mail relay is located on the DMZ segment
62.x.y.x and should check incoming emails to the local LAN. On the
local LAN there is an Exchange server 2003 with IP address 10.x.y.z .

In the access table I have allowed relay to mail domains that are
hosted on the Exchange server and in the mailertable I have allowed
routing to the incoming mail server.

The problem is that mails coming from outside are stuck in the queue
due to the error above.

What is interesting is that the mail relay tries to relay to its default
gateway address and not to the Exchange internal address despite the
setting in the access and mailertable files.

Why does sendmail try to relay to the default GW and not the internal host?

When I try to telnet to the Exchange server on port 25 it takes a long
time.

Anyone got an idea? Maybe there is a known issue with the sendmail
version that comes with Fedora Core 4.

I appreciate your assistance. This is quite important.

Kind regards,

Yossi Mor

Re: relay problems due to "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"

on 22.07.2005 10:02:49 by Ingo Freund

yossi wrote:
> Hi forum,
>
> I am quite new to sendmail configuration but I hope that you can help me
> out.
>
> I have installed a new mail relay based on Fedora Core 4.0 with its
> default sendmail program. The mail relay is located on the DMZ segment
> 62.x.y.x and should check incoming emails to the local LAN. On the
> local LAN there is an Exchange server 2003 with IP address 10.x.y.z .
>
> In the access table I have allowed relay to mail domains that are
> hosted on the Exchange server and in the mailertable I have allowed
> routing to the incoming mail server.
>
> The problem is that mails coming from outside are stuck in the queue
> due to the error above.
>
> What is interesting is that the mail relay tries to relay to its default
> gateway address and not to the Exchange internal address despite the
> setting in the access and mailertable files.
>
> Why does sendmail try to relay to the default GW and not the internal host?
>
> When I try to telnet to the Exchange server on port 25 it takes a long
> time.
>
> Anyone got an idea? Maybe there is a known issue with the sendmail
> version that comes with Fedora Core 4.
>
> I appreciate your assistance. This is quite important.
>
> Kind regards,
>
> Yossi Mor
>
I think there would be no help possible without knowing
more about your config file(s)...(no need to be real data)
sendmail.mc
virtusertable
mailertable
access

-Ingo.

Re: relay problems due to "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"

on 22.07.2005 16:08:35 by ca+sendmail(-no-copies-please)

yossi wrote:

> I have installed a new mail relay based on Fedora Core 4.0 with its
> default sendmail program. The mail relay is located on the DMZ segment
> 62.x.y.x and should check incoming emails to the local LAN. On the
> local LAN there is an Exchange server 2003 with IP address 10.x.y.z .

> The problem is that mails coming from outside are stuck in the queue
> due to the error above.

Which system generates the error?

> Why does sendmail try to relay to the default GW and not the internal host?

Impossible to tell if you don't post real data and logfile entries
that show the problem.

http://www.sendmail.org/~ca/email/doesnt.html

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting my time.

Re: relay problems due to "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"

on 24.07.2005 20:27:31 by Yizhar Hurwitz

Hi.

> In the access table I have allowed relay to mail domains that are
> hosted on the Exchange server and in the mailertable I have allowed
> routing to the incoming mail server.
This seems wrong.
You should not allow relay - spammers can catch this security hole and send spam emails spoofing your domain name in the from address.

I think that you have edited the wrong files.
Try editing the files:
mailertable
relay-domains
But please note that I'm not a sendmail expert myself and I'm not sure about the exact configuration.

> The problem is that mails coming from outside are stuck in the queue
> due to the error above.
Try also sending email from the server itself:
ls | mail -s test your@email.address

> When I try to telnet to the Exchange server on port 25 it takes a long
> time.
Does it work after the long time?
Do you get the 220 .... response from Exchange?
What firewall device do you have?
This could be a DNS problem.
Sendmail is dependent on the DNS configuration of the machine (including its own host name).

Some additional general tips:

I recommend installing webmin on the machine, it is great for newbies as well as experienced admins:
http://www.webmin.com/

I recommend that you also scan for viruses and spam on the mail relay server.
You can install and configure tools like clamav, spamassassin and others by yourself, or you can try 3rd party software such as Canit from here:
http://www.roaringpenguin.com/

Good luck.

--
Yizhar Hurwitz
http://yizhar.mvps.org

Re: relay problems due to "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"

on 29.07.2005 23:52:49 by yossi

Hi Indo,

Thanks for your assistance.

What I did actually is a new installation of the machine with Fedora
Core 3 instead of 4 and there was no relay problem with the sendmail
version that comes with this OS.

I still get the error as described in my first post but relay to the
internal Exchange server is working fine.

Please see below the configuration files that I have configured since I
would like to work with Fedora Core 4 in the future:

Access file

# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
62.x.y.z RELAY
10.x1.y1.z1 RELAY
TO:ABC.co.il RELAY
TO:ABC.com RELAY
TO:EFG.co.il RELAY
TO:EFG.com RELAY
TO:H-ABC.com RELAY
TO:H-ABC.co.il RELAY


Mailertable file

ABC.co.il esmtp:[10.x1.y1.z1]
..ABC.co.il esmtp:[10.x1.y1.z1]
ABC.com esmtp:[10.x1.y1.z1]
..ABC.com esmtp:[10.x1.y1.z1]
DEF.co.il esmtp:[10.x1.y1.z1]
..DEF.co.il esmtp:[10.x1.y1.z1]
DEF.com esmtp:[10.x1.y1.z1]
..DEF.com esmtp:[10.x1.y1.z1]
H-ABC.co.il esmtp:[10.x1.y1.z1]
..H-ABC.co.il esmtp:[10.x1.y1.z1]
H-ABC.com esmtp:[10.x1.y1.z1]
..H-ABC.com esmtp:[10.x1.y1.z1]

sendmail.mc file

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/etc/pki/tls/certs')
dnl define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl

Thanks for your help

Yossi



Re: relay problems due to "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"

on 02.08.2005 12:43:52 by Ingo Freund

yossi wrote:
> Hi Indo,
it is Ingo.
>
> Thanks for your assistance.
>
[...]

Hi,

please don't top post, it is not of use here.

why didn't you take the config from your OS before
to migrate it to the new OS?

When sending the config file, omit the lines beginning
with "dnl", they are not active (will say: comments).

you still forgot to document the error by log entries
(hopefully from the sendmail running machine)

after changing the config files you do a "make -C /etc/mail"
and especially after changing sendmail.mc and "make" you
restart sendmail - do you?

from which machine is the error message in the subject?

so, what I would do in your case (considering outgoing mail
from your intranet, sent by the Exchange Server):
check the entries in your sendmail.mc file:
(I only document the changes I would do
concerning the mc-file you showed here before)
IMPORTANT: if you use your provider's mail relay
you should change the SMART_HOST entry
to the real name of the gateway and
uncomment it by deleting the "dnl "
comment sign at the beginning.
(if your provider needs authentication
there is to put an entry in the access file)
if not, leave the line as it was
dnl define(`SMART_HOST',`smtp.your.provider')
dnl define(`confDONT_PROBE_INTERFACES',true)dnl
dnl define(`confAUTH_OPTIONS', `A')dnl
FEATURE(`mailertable')dnl
FEATURE(`virtusertable')dnl
dnl FEATURE(redirect)dnl
FEATURE(`access_db')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

your access + mailertable files seem to be ok.
this line might be necessary to put in access file:
AuthInfo:smtp.your.provider "I:" "P:" "M:PLAIN"

if not done already:
tell your exchange server to forward all mails to the Fedora box.

check if sendmail on Fedora is running
use "ps axf| grep sendmail" on the command line
output at least:
8042 ? S 0:00 sendmail: Queue control
8043 ? S 0:00 \_ sendmail: running queue: /var/spool/clientmqueue
8044 ? S 0:03 sendmail: accepting connections

check if sendmail is listening on port 25 on the intranet side
use "netstat -ln | grep 25" on the command line
output at least:
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN

if the above is given, all should be ok.

If not, check your log file entries (mostly /var/log/mail)


hope this helps,

bye - ingo.
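
An added example, not code from any poster in this thread: a small cross-check of the access and mailertable files discussed above, reporting recipient domains that are relay-allowed but have no mailertable route, routed domains with no To: RELAY entry, and the entries that grant relaying to connecting clients. The function names are hypothetical and the sample data is constructed from the placeholder entries posted in the thread.

```python
# Added example. Sample data is constructed from the thread's placeholder entries.
ACCESS = """\
# by default we allow relaying from localhost...
localhost.localdomain RELAY
127.0.0.1 RELAY
10.x1.y1.z1 RELAY
TO:ABC.co.il RELAY
TO:EFG.co.il RELAY
"""
MAILERTABLE = """\
ABC.co.il esmtp:[10.x1.y1.z1]
.ABC.co.il esmtp:[10.x1.y1.z1]
DEF.co.il esmtp:[10.x1.y1.z1]
"""

def parse_table(text):
    """Yield (key, value) for each entry, skipping blank lines and # comments."""
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            yield fields[0].lower(), fields[1].strip()

def relay_grants(access_text):
    """Split RELAY entries into recipient-domain grants and client grants."""
    grants = {"recipient": [], "client": []}
    for key, value in parse_table(access_text):
        if value.upper() != "RELAY":
            continue
        tag, sep, rest = key.partition(":")
        if sep and tag == "to":
            grants["recipient"].append(rest)  # relays only mail addressed here
        elif sep and tag == "connect":
            grants["client"].append(rest)     # relays whatever this client sends
        elif not sep:
            grants["client"].append(key)      # untagged keys also match clients
        # entries with other tags (From:, IPv6:, ...) are ignored in this sketch
    return grants

def routed_domains(mailertable_text):
    """Domains with an explicit route; a leading dot marks a subdomain entry."""
    return {key.lstrip(".") for key, _ in parse_table(mailertable_text)}

def audit(access_text, mailertable_text):
    grants = relay_grants(access_text)
    relayed, routed = set(grants["recipient"]), routed_domains(mailertable_text)
    return {
        # accepted for relay, but delivered by normal routing (MX or SMART_HOST)
        "relay_without_route": sorted(relayed - routed),
        # routed to the internal host, but no To: RELAY entry in this file
        "route_without_relay": sorted(routed - relayed),
        "client_relay": grants["client"],
    }

if __name__ == "__main__":
    print(audit(ACCESS, MAILERTABLE))
```

A domain reported under route_without_relay may still be accepted if it is listed elsewhere, for example in relay-domains or local-host-names, which this check does not read.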