Problems sending to psmtp (Postini)?

Folks,
In the last few days we've seen a LOT of errors
and lot of queued mail for servers at psmtp.com
A little sample below -- has anyone else seen this,
any explanation?

(reply: read error from sirote.com.mail5.psmtp.com.)
(reply: read error from kpmg.com.s8a1.psmtp.com.)
(reply: read error from iteontech.com.s8a1.psmtp.com.)
(reply: read error from rossenvironmental.com.s8a1.psmtp.com.)
(reply: read error from sportexapparel.com.s8a1.psmtp.com.)

Thanks!
--
John
____________________________________________________________ _______
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/

Re: Problems sending to psmtp (Postini)?

Hi John,

Yes we saw that as well.

Are you running sendmail with TLS with a recent openssl version and try
do deliver mails to them via STARTTLS?

Seems they have an issue with their TLS implementation there. We can
send everywhere via TLS except Postini. TLS handshake with them just fails.

So include the following in your access db:

Try_TLS:psmtp.com NO

as workaround.

Cheers
Matt



John Murtari wrote:
> Folks,
> In the last few days we've seen a LOT of errors
> and lot of queued mail for servers at psmtp.com
> A little sample below -- has anyone else seen this,
> any explanation?
>
> (reply: read error from sirote.com.mail5.psmtp.com.)
> (reply: read error from kpmg.com.s8a1.psmtp.com.)
> (reply: read error from iteontech.com.s8a1.psmtp.com.)
> (reply: read error from rossenvironmental.com.s8a1.psmtp.com.)
> (reply: read error from sportexapparel.com.s8a1.psmtp.com.)
>
> Thanks!

Re: Problems sending to psmtp (Postini)?

Matt writes:

>> In the last few days we've seen a LOT of errors
>> and lot of queued mail for servers at psmtp.com
>> A little sample below -- has anyone else seen this,
>> any explanation?
>> (reply: read error from sirote.com.mail5.psmtp.com.)
>> (reply: read error from kpmg.com.s8a1.psmtp.com.)
>> Thanks!

> Yes we saw that as well.
>
> Are you running sendmail with TLS with a recent openssl version and
> try do deliver mails to them via STARTTLS?
>
> Seems they have an issue with their TLS implementation there. We can
> send everywhere via TLS except Postini. TLS handshake with them just
> fails.
>
> So include the following in your access db:
>
> Try_TLS:psmtp.com NO
>

Thanks, but we are not using TLS. The same thing happened
about two weeks ago and then suddenly cleared up without us taking
any action (we told people to direct their questions to psmtp).
I've tried a few manual connections using telnet to port 25 and get
inconsistent results, sometimes I get an ESMTP greeting, sometimes
just:

Connected to kpmg.com.s8a1.psmtp.com.
Escape character is '^]'.
Connection closed by foreign host.

It may be a route problem between us and them. We're
going to reroute to a different outgoing router interface at our end
and see if that makes a difference if we connect via Sprint, v. At&T

--
John
____________________________________________________________ _______
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/

Re: Problems sending to psmtp (Postini)?

On Nov 30, 12:28 pm, John Murtari wrote:
> Matt writes:
> >> In the last few days we've seen a LOT of errors
> >> and lot of queued mail for servers at psmtp.com
> >> A little sample below -- has anyone else seen this,
> >> any explanation?
> >> (reply: read error from sirote.com.mail5.psmtp.com.)
> >> (reply: read error from kpmg.com.s8a1.psmtp.com.)
> >> Thanks!
> > Yes we saw that as well.
>
> > Are you running sendmail with TLS with a recent openssl version and
> > try do deliver mails to them via STARTTLS?
>
> > Seems they have an issue with their TLS implementation there. We can
> > send everywhere via TLS exceptPostini. TLS handshake with them just
> > fails.
>
> > So include the following in your access db:
>
> > Try_TLS:psmtp.com NO
>
> Thanks, but we are not using TLS. The same thing happened
> about two weeks ago and then suddenly cleared up without us taking
> any action (we told people to direct their questions to psmtp).
> I've tried a few manual connections using telnet to port 25 and get
> inconsistent results, sometimes I get an ESMTP greeting, sometimes
> just:
>
> Connected to kpmg.com.s8a1.psmtp.com.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> It may be a route problem between us and them. We're
> going to reroute to a different outgoing router interface at our end
> and see if that makes a difference if we connect via Sprint, v. At&T
>
> --
> John
> ____________________________________________________________ _______
> John Murtari Software Workshop Inc.
> jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)http://thebook.com/- Hide quoted text -
>
> - Show quoted text -


When Postini filters incoming messages, it starts a session with the
receiving and sending MTA's. If the recipient is not in the Postini
data base, whereas they lock down the relay to only users within the
DB, it will close the session. Depending on the Postini user, they may
have additional filtering and blocks setup to reduce unwanted
messages. You may need to contact the recipient to have them add your
domain and IP to an approved senders list.

Re: Problems sending to psmtp (Postini)?

FrankM-Postini Partner wrote:

>> Connected to kpmg.com.s8a1.psmtp.com.
>> Escape character is '^]'.
>> Connection closed by foreign host.

[...]

> When Postini filters incoming messages, it starts a session with the
> receiving and sending MTA's. If the recipient is not in the Postini
> data base, whereas they lock down the relay to only users within the
> DB, it will close the session.

But that couldn't be happening here... the Postini machine just
closed the connection before it even knew the recipient.
Besides, Postini should issue a 5xx code in reponse to an invalid RCPT.
It shouldn't just shut down the connection.

> Depending on the Postini user, they may
> have additional filtering and blocks setup to reduce unwanted
> messages. You may need to contact the recipient to have them add your
> domain and IP to an approved senders list.

Sounds like someone (either KPMG or Postini) needs to read a few RFCs...

-- David.

Re: Problems sending to psmtp (Postini)?

On Dec 1, 11:06 pm, "David F. Skoll" wrote:
> FrankM-Postini Partner wrote:
> >> Connected to kpmg.com.s8a1.psmtp.com.
> >> Escape character is '^]'.
> >> Connection closed by foreign host.
>
> [...]
>
> > When Postini filters incoming messages, it starts a session with the
> > receiving and sending MTA's. If the recipient is not in the Postini
> > data base, whereas they lock down the relay to only users within the
> > DB, it will close the session.
>
> But that couldn't be happening here... the Postini machine just
> closed the connection before it even knew the recipient.
> Besides, Postini should issue a 5xx code in reponse to an invalid RCPT.
> It shouldn't just shut down the connection.
>
> > Depending on the Postini user, they may
> > have additional filtering and blocks setup to reduce unwanted
> > messages. You may need to contact the recipient to have them add your
> > domain and IP to an approved senders list.
>
> Sounds like someone (either KPMG or Postini) needs to read a few RFCs...
>
> -- David.


Postini is only doing what the customer has set up in their system. In
Postini we have the option of sending 5xx codes or blackhole depending
on the type of filtering. Secondly, Postini does not store, filter &
forward messages and starts the process knowing whether the recipient
is valid or not within the DB, and if its garbage, it most likely will
be blackholed.

I would assume if these messages were for real users and if the sender
is having issues sending to KPMG, I would suggest contacting KPMG.

Re: Problems sending to psmtp (Postini)?

FrankM-Postini Partner wrote:

> Postini is only doing what the customer has set up in their system.

RFCs exist for a reason: To ensure interoperability on the Internet.
If Postini wants to simply shut down the connection, there is an
RFC-sanctioned way to do it: With a "421 Connection Closing" response.

Perhaps KPMG and Postini should look at Section 3.9 of RFC 2821:

An SMTP server MUST NOT intentionally close the connection except:

- After receiving a QUIT command and responding with a 221 reply.

- After detecting the need to shut down the SMTP service and
returning a 421 response code. This response code can be issued
after the server receives any command or, if necessary,
asynchronously from command receipt (on the assumption that the
client will receive it after the next command is issued).

By simply closing the connection in the manner indicated by the OP,
Postini is violating a MUST NOT clause in a standards-track RFC.
That's not good form.

-- David.

Re: Problems sending to psmtp (Postini)?

On Dec 2, 10:19 am, "David F. Skoll" wrote:
> FrankM-PostiniPartner wrote:
> >Postiniis only doing what the customer has set up in their system.
>
> RFCs exist for a reason: To ensure interoperability on the Internet.
> IfPostiniwants to simply shut down the connection, there is an
> RFC-sanctioned way to do it: With a "421 Connection Closing" response.
>
> Perhaps KPMG andPostinishould look at Section 3.9 of RFC 2821:
>
> An SMTP server MUST NOT intentionally close the connection except:
>
> - After receiving a QUIT command and responding with a 221 reply.
>
> - After detecting the need to shut down the SMTP service and
> returning a 421 response code. This response code can be issued
> after the server receives any command or, if necessary,
> asynchronously from command receipt (on the assumption that the
> client will receive it after the next command is issued).
>
> By simply closing the connection in the manner indicated by the OP,Postiniis violating a MUST NOT clause in a standards-track RFC.
> That's not good form.
>
> -- David.


Who is to say Postini is not? The original post did not provide an
error code, e.g. 451 4.4.1 if available and could still possibly be a
network issue, MTU setting, etc.

Re: Problems sending to psmtp (Postini)?

FrankM-Postini Partner wrote:

> Who is to say Postini is not?

The original poster!!!

Take a look at the article :

>>> Connected to kpmg.com.s8a1.psmtp.com.
>>> Escape character is '^]'.
>>> Connection closed by foreign host.

> The original post did not provide an
> error code, e.g. 451 4.4.1 if available and could still possibly be a
> network issue, MTU setting, etc.

Very unlikely. What we're seing is the three-way TCP handshake followed
by the Postini server sending a FIN.

-- David.

Re: Problems sending to psmtp (Postini)?

On Dec 2, 9:06 pm, "David F. Skoll" wrote:
> FrankM-Postini Partner wrote:
> > Who is to say Postini is not?
>
> The original poster!!!
>
> Take a look at the article :
>
> >>> Connected to kpmg.com.s8a1.psmtp.com.
> >>> Escape character is '^]'.
> >>> Connection closed by foreign host.
> > The original post did not provide an
> > error code, e.g. 451 4.4.1 if available and could still possibly be a
> > network issue, MTU setting, etc.
>
> Very unlikely. What we're seing is the three-way TCP handshake followed
> by the Postini server sending a FIN.
>
> -- David.

If that is true, the senders MTA is throwing the error back and not
Postini. If Postini was having an issue with the receiving MTA, an
error code similiar to; "451 Failed in remote data - psmtp" would be
received back to the sending MTA telling them that the receiving MTA
had an issue. Here I'll assume the sending MTA may be having an issue
with their connection with Postini. But I am not discounting there may
have not been a temporary problem with Postini either, e.g., the
switiching of data from the primary to secondary data centers.

Re: Problems sending to psmtp (Postini) - solved?

John Murtari writes:

>>
>> Are you running sendmail with TLS with a recent openssl version and
>> try do deliver mails to them via STARTTLS?
>>
>> Seems they have an issue with their TLS implementation there. We can
>> send everywhere via TLS except Postini. TLS handshake with them just
>> fails.
>>
>> So include the following in your access db:
>>
>> Try_TLS:psmtp.com NO
>>
>
> Thanks, but we are not using TLS. The same thing happened
> about two weeks ago and then suddenly cleared up without us taking
> any action (we told people to direct their questions to psmtp).
> I've tried a few manual connections using telnet to port 25 and get
> inconsistent results, sometimes I get an ESMTP greeting, sometimes
> just:
>
> Connected to kpmg.com.s8a1.psmtp.com.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> It may be a route problem between us and them. We're
> going to reroute to a different outgoing router interface at our end
> and see if that makes a difference if we connect via Sprint, v. At&T
>

Okay, after the intermittent connection problems above
we did make a route change. We are multi-homed through ATT & SPRINT,
we noticed the router selected SPRINT for our PSMTP connections.
We put in a static route for ATT and everything started working
as normal. With just a static route forcing to SPRINT, we had the
problems again. So.... it appears something between us and them
on that route was causing a problem, at least for a while.

We'll leave the change in for a while and then try
taking it out. Very strange..

--
John
____________________________________________________________ _______
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/