
Log issue question


MB

Apr 17, 2004, 12:18:57 PM
Sendmail 8.12 on redhat 9

I was having relaying denied probs but seem to have resolved that. Currently
the following log entry is confounding: sender is not receiving an error
receipt but mail is not received on server. I have looked at the
literature. Especially confusing is the "deferred connection refused" entry.

Ideas?

Thanks in advance

MB

sendmail 8.9 on redhat 9 with access.db


Apr 17 07:05:50 diskus sendmail[2372]: i3HDY9f5002243: to=<test...@bunkieboy.com>, delay=00:31:40, xdelay=00:00:00, mailer=esmtp, pri=210661, relay=mail.bunkieboy.com., dsn=4.0.0, stat=Deferred: Connection refused by mail.bunkieboy.com.
Apr 17 07:05:50 diskus sm-msp-queue[2380]: starting daemon (8.12.8): queueing@01:00:00
Apr 17 07:05:51 diskus sendmail[2372]: i3HDW3kb002200: to=<test...@bunkieboy.com>, delay=00:33:48, xdelay=00:00:00, mailer=esmtp, pri=300470, relay=mail.bunkieboy.com., dsn=4.0.0, stat=Deferred: Connection refused by mail.bunkieboy.com.
Apr 17 07:05:51 diskus sendmail[2372]: i3HDW3kd002200: to=<test...@bunkieboy.com>, delay=00:33:47, xdelay=00:00:00, mailer=esmtp, pri=300474, relay=mail.bunkieboy.com., dsn=4.0.0, stat=Deferred: Connection refused by mail.bunkieboy.com.
Apr 17 07:06:13 diskus sendmail[2384]: i3HE6DDR002384: from=<xx...@comcast.net>, size=662, class=0, nrcpts=1, msgid=<LOENLMBBLELFAIKFI...@comcast.net>, proto=SMTP, daemon=MTA, relay=sccrmhc11.comcast.net [204.127.202.55]
Apr 17 07:06:14 diskus sendmail[2386]: i3HE6DDR002384: to=<test...@bunkieboy.com>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=30661, relay=mail.bunkieboy.com. [24.6.120.220], dsn=4.0.0, stat=Deferred: Connection refused by mail.bunkieboy.com.


Per Hedeland

Apr 18, 2004, 4:36:52 AM
In article <RNcgc.161810$JO3.96391@attbi_s04> "MB" <net...@comcast.net>
writes:

>Sendmail 8.12 on redhat 9
>
>I was having relaying denied probs but seem to have resolved that. Currently
>the following log entry is confounding: sender is not receiving an error
>receipt but mail is not received on server. I have looked at the
>literature. Especially confusing is the "deferred connection refused" entry.

I'm not sure what you find confusing about it. "Connection refused" is
the standard error message you get when connecting to a TCP port where
no-one is listening (try it with e.g. telnet). In terms of the protocol
it means that RST was received in response to SYN - in some cases
firewalls may be configured to do that too.

This is a "temporary failure" from the SMTP perspective, i.e. it is
assumed that the remote MTA isn't running at the moment but that it will
be fixed "soon". Hence the 4.x.x code and "Deferred" - the message stays
in the queue to be retried on subsequent queue runs until a configurable
time limit is exceeded (default with sendmail is 5 days) - a warning
message is sent to the sender after a likewise configurable time
(sendmail default is 4 hours).

As to the "root cause" of your problem, i.e. why sendmail can't connect,
that seems to be a local issue and/or you've already fixed it: The name
mail.bunkieboy.com doesn't exist in global DNS, so presumably you have
local DNS and/or /etc/hosts data that map that to 24.6.120.220. The A
record for bunkieboy.com does give that address though, and it seems
SMTP connections are happily accepted there.

However the MX record for bunkieboy.com gives
c-24-6-120-220.client.comcast.net, which again suggests that the choice
of mail.bunkieboy.com as "relay" is due to your local data, even if all
of the above happen to be the same host - which, btw, seems to think
that its name is "diskus", just like the host producing your log
entries...

Perhaps you are trying to tell "diskus" to make an SMTP connection to
itself, using a public IP address that is actually the result of NAT?
This won't work in most setups - if the host is supposed to deliver mail
for bunkieboy.com locally, just add that name to
/etc/mail/local-host-names (and don't forget to restart the daemon).

--Per Hedeland
p...@hedeland.org
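
The split the reply above draws between 4.x.x results (deferred, retried from the queue) and 5.x.x results (permanent) can be read straight out of the maillog. The following is an added example, not part of the original posts; the log lines are constructed in the format shown in this thread, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format shown in the thread (not real logs).
SAMPLE_LOG = """\
Apr 17 07:05:50 mx1 sendmail[2372]: i3HDY9f5002243: to=<user@example.org>, delay=00:31:40, xdelay=00:00:00, mailer=esmtp, pri=210661, relay=mail.example.org., dsn=4.0.0, stat=Deferred: Connection refused by mail.example.org.
Apr 17 07:05:51 mx1 sendmail[2372]: i3HDW3kb002200: to=<user@example.org>, delay=00:33:48, xdelay=00:00:00, mailer=esmtp, pri=300470, relay=mail.example.org., dsn=4.0.0, stat=Deferred: Connection refused by mail.example.org.
Apr 17 07:06:13 mx1 sendmail[2384]: i3HE6DDR002384: from=<a@example.net>, size=662, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=out.example.net [192.0.2.55]
Apr 17 07:07:02 mx1 sendmail[2390]: i3HE70aa002390: to=<bob@example.com>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=30661, relay=mx.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Apr 17 07:08:10 mx1 sendmail[2395]: i3HE80bb002395: to=<nobody@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=30500, relay=mx.example.com. [192.0.2.10], dsn=5.1.1, stat=User unknown
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>to=.*)$")
DSN_CLASS = {"2": "delivered", "4": "temporary", "5": "permanent"}

def parse_delivery(line):
    """Return a dict for a 'to=' delivery record, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"qid": m.group("qid")}
    # Fields are 'key=value' separated by ', '; stat= comes last and is free text.
    head, _, stat = m.group("fields").partition(", stat=")
    for item in head.split(", "):
        key, _, value = item.partition("=")
        rec[key] = value
    rec["stat"] = stat
    rec["relay_host"] = rec.get("relay", "").split(" ")[0].rstrip(".")
    rec["outcome"] = DSN_CLASS.get(rec.get("dsn", "")[:1], "unknown")
    return rec

def deferred_by_relay(log_text):
    """Count temporary (4.x.x) failures per (relay host, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_delivery(line)
        if rec and rec["outcome"] == "temporary":
            reason = rec["stat"].split(": ", 1)[-1]  # drop the "Deferred: " prefix
            counts[(rec["relay_host"], reason)] += 1
    return counts

if __name__ == "__main__":
    for (relay, reason), n in deferred_by_relay(SAMPLE_LOG).items():
        print(f"{n} deferred via {relay}: {reason}")
```

A relay that keeps showing up here with "Connection refused" is one where nothing accepts connections on the SMTP port at the address sendmail resolved, which is the starting point for the DNS and local-host-names checks discussed in the reply.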

MB

Apr 18, 2004, 10:10:00 AM
Per, thanks for your response.

I already have the host name along with the domain name in the hosts file. I
am having the same problem regardless of whether I send from a host within
my LAN or from one outside. If you would like to try: test...@bunkieboy.com
The host diskus and mail are one and the same. I can refer to the mail host
by domain or IP and get the same result.

Thanks

Mike

"Per Hedeland" <p...@hedeland.org> wrote in message
news:c5ten4$16a3$1...@hedeland.org...

Per Hedeland

Apr 18, 2004, 11:44:03 AM
In article <Y_vgc.160135$w54.1087278@attbi_s01> "MB"
<net...@comcast.net> writes:
>
>I already have the host name along with the domain name in the hosts file. I
>am having the same problem regardless of whether I send from a host within
>my LAN or from one outside. If you would like to try: test...@bunkieboy.com
>The host diskus and mail are one and the same. I can refer to the mail host
>by domain or IP and get the same result.

Please don't top-post. What do you mean with "the hosts file"? Normally
it means /etc/hosts, but that's not the file you need to have the domain
name in:

>> Perhaps you are trying to tell "diskus" to make an SMTP connection to
>> itself, using a public IP address that is actually the result of NAT?
>> This won't work in most setups - if the host is supposed to deliver mail
>> for bunkieboy.com locally, just add that name to
>> /etc/mail/local-host-names (and don't forget to restart the daemon).
   ^^^^^^^^^^^^^^^^^^^^^^^^^^

If you actually have it in there, run

echo '$=w' | sendmail -bt

to verify that sendmail picks it up (i.e. it should be listed in the
output). If it is in the file but not listed by sendmail, post your .mc
(not .cf!) file.

--Per Hedeland
p...@hedeland.org

MB

Apr 18, 2004, 3:31:40 PM

"Per Hedeland" <p...@hedeland.org> wrote in message
news:c5u7o3$4dl$1...@hedeland.org...


>
> --Per Hedeland
> p...@hedeland.org

OK, I got it. I did not have bunkieboy.com in the file you specify, just the
names mail.bunkieboy.com, smtp.bunkieboy.com etc.

When I added bunkieboy.com it works well.


Thanks for all of your help

MB

Here is the contents of the hosts file you specify


mail
diskus
smtp
#### HAD TO ADD THIS NEXT LINE
bunkieboy.com
mail.bunkieboy.com
diskus.bunkieboy.com
smtp.bunkieboy.com


Here is the .mc

[root@diskus mail]# cat sendmail.mc
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTRUSTED_USER', `smmsp')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl # a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl #FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl


Thanks again

MB

MB

Apr 18, 2004, 3:41:28 PM

"MB" <net...@comcast.net> wrote in message
news:vIAgc.155789$gA5.1854567@attbi_s03...


OK well, just as that is fixed I find another when trying to send mail using
the server from a local host


ideas on the (may be forged) entry?

Thanks again

MB

Apr 18 12:27:42 diskus sendmail[6332]: i3IJRfvk006332: from=<test...@bunkieboy.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=herbert.bunkieboy.com [10.10.10.70] (may be forged)
Apr 18 12:27:42 diskus ipop3d[6333]: pop3 service init from 10.10.10.70
Apr 18 12:27:42 diskus ipop3d[6333]: Login user=testuser host=herbert.bunkieboy.com [10.10.10.70] nmsgs=0/0
Apr 18 12:27:42 diskus ipop3d[6333]: Logout user=testuser host=herbert.bunkieboy.com [10.10.10.70] nmsgs=0 ndele=0
Apr 18 12:32:44 diskus sendmail[6335]: i3IJWivk006335: ruleset=check_rcpt, arg1=<tedpa...@copper.net>, relay=herbert.bunkieboy.com [10.10.10.70] (may be forged), reject=550 5.7.1 <tedpa...@copper.net>... Relaying denied. IP name possibly forged [10.10.10.70]
Apr 18 12:32:44 diskus sendmail[6335]: i3IJWivk006335: from=<test...@bunkieboy.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=herbert.bunkieboy.com [10.10.10.70] (may be forged)
Apr 18 12:32:44 diskus ipop3d[6336]: pop3 service init from 10.10.10.70
Apr 18 12:32:44 diskus ipop3d[6336]: Login user=testuser host=herbert.bunkieboy.com [10.10.10.70] nmsgs=0/0
Apr 18 12:32:44 diskus ipop3d[6336]: Logout user=testuser host=herbert.bunkieboy.com [10.10.10.70] nmsgs=0 ndele=0
[root@diskus mail]#


Per Hedeland

Apr 19, 2004, 2:19:29 AM
In article <IRAgc.164236$K91.418415@attbi_s02> "MB"
<net...@comcast.net> writes:

[snip mega-quote]

Uh, thanks for not top-posting anymore:-), but proper posting also
includes not including *all* text from previous messages, just the parts
you are commenting on...

>OK well, just as that is fixed I find another when trying to send mail using
>the server from a local host
>
>
>ideas on the (may be forged) entry?

>Apr 18 12:27:42 diskus sendmail[6332]: i3IJRfvk006332: from=<test...@bunkieboy.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=herbert.bunkieboy.com [10.10.10.70] (may be forged)

This means that reverse- and forward-resolution don't match - i.e.
sendmail looks up 10.10.10.70 and gets herbert.bunkieboy.com, but a
lookup of herbert.bunkieboy.com doesn't return 10.10.10.70 (perhaps it
doesn't return anything at all).

You should get that fixed, but it doesn't necessarily prevent relaying
from working - what sendmail is telling you is basically that "since I
can't reliably get a host name for the SMTP client, any rules based on
that are ignored". I.e. if you want to relay for all hosts in the
bunkieboy.com domain, you could do that with (e.g.) a rule in access db:

Connect:bunkieboy.com RELAY

*if* your reverse/forward lookup stuff was set up right. However you can
alternatively do it based on the client IP address, e.g.

Connect:10 RELAY

will allow all hosts with a 10.x.x.x address to relay - regardless of
the "may be forged".

--Per Hedeland
p...@hedeland.org
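
A simplified model of the behaviour described in the reply above, added here as an illustration (it is not part of the original posts and is not sendmail's own ruleset code): a host name is only trusted for Connect: rules when the reverse lookup is confirmed by a forward lookup, while IP-prefix rules apply either way. The DNS tables and the host ok.bunkieboy.com at 192.0.2.7 are constructed assumptions.

```python
# Constructed DNS data (assumption): 10.10.10.70 has a PTR record but the name
# has no matching A record; 192.0.2.7 is a hypothetical host whose DNS agrees.
PTR = {"10.10.10.70": "herbert.bunkieboy.com", "192.0.2.7": "ok.bunkieboy.com"}
A = {"ok.bunkieboy.com": ["192.0.2.7"]}

def client_resolve(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS check: return (name, status)."""
    name = ptr.get(ip)
    if name is None:
        return None, "FAIL"        # no reverse mapping at all
    if ip in a.get(name, []):
        return name, "OK"          # the name maps back to the connecting IP
    return name, "FORGED"          # what the log shows as "(may be forged)"

def lookup_keys(ip, name, status):
    """Keys tried against Connect: entries, most specific first."""
    keys = []
    if status == "OK":             # name-based rules need a confirmed name
        labels = name.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys

def may_relay(ip, access, ptr=PTR, a=A):
    """Return (allowed, resolve status, matching key or None)."""
    name, status = client_resolve(ip, ptr, a)
    for key in lookup_keys(ip, name, status):
        if access.get("Connect:" + key) == "RELAY":
            return True, status, key
    return False, status, None

if __name__ == "__main__":
    by_name = {"Connect:bunkieboy.com": "RELAY"}
    by_ip = {"Connect:10": "RELAY"}
    for ip in ("10.10.10.70", "192.0.2.7"):
        print(ip, "name rule:", may_relay(ip, by_name), "ip rule:", may_relay(ip, by_ip))
```

In this model a narrower key such as Connect:10.10.10 is tried before Connect:10, so the relay permission can be scoped to the actual LAN subnet rather than every 10.x.x.x address.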

MB

Apr 19, 2004, 3:45:11 PM
>
> This means that reverse- and forward-resolution don't match - i.e.
> sendmail looks up 10.10.10.70 and gets herbert.bunkieboy.com, but a
> lookup of herbert.bunkieboy.com doesn't return 10.10.10.70 (perhaps it
> doesn't return anything at all).
>
> You should get that fixed, but it doesn't necessarily prevent relaying
> from working - what sendmail is telling you is basically that "since I
> can't reliably get a host name for the SMTP client, any rules based on
> that are ignored". I.e. if you want to relay for all hosts in the
> bunkieboy.com domain, you could do that with (e.g.) a rule in access db:
>
> Connect:bunkieboy.com RELAY
>
> *if* your reverse/forward lookup stuff was set up right. However you can
> alternatively do it based on the client IP address, e.g.
>
> Connect:10 RELAY
>
> will allow all hosts with a 10.x.x.x address to relay - regardless of
> the "may be forged".
>
> --Per Hedeland
> p...@hedeland.org

Thanks. The 10 Relay entry did the trick. I am working on the DNS issue.

I was curious, for testing purposes only, what could one add to access.db to
allow all relay attempts?


Thanks for all of your help and patience

MB

