
Received From IP from behind router


Barry Veinotte

Nov 13, 2005, 5:32:37 PM
I have been at this for days now with no answers.

I have a FreeBSD machine running sendmail and a DNS server behind a Linksys
cable router. All has been well when using a "Smart Host" but for many
reasons I want to stop using my provider's SMTP server. Without it however, I
cannot send mail out - deferred operation timed out, and sometimes I am
lucky enough to get one bounce back to me. The internal IP address in the
Received From header cannot be reverse looked up of course, so the mail is
not being accepted.

Is there a way around this? My DNS is fine, internal IPs are resolved by
sendmail, etc. I just need my real IP address sent in the Received From
header, and it seems it can't be done.

I have read hundreds of pages on this, and still no solutions. I even tried
to assign my real IP's to the router, which was a disaster I don't soon want
to relive.

Any help would be appreciated.

Barry

Dennis Willson

Nov 14, 2005, 5:54:34 PM
Is the IP address you're assigned a dynamic IP address? A lot of mail servers subscribe to DNSBLs that list dynamic IP addresses and
you will be blocked.
Also many cable and DSL providers don't allow outbound email except through their server as a smart host. They actively block port
25. Can you telnet to other mail servers on port 25?

If there's no reverse DNS or the reverse "looks" like a dynamic IP address it will be blocked by many mail servers.

Dennis

Barry Veinotte

Nov 14, 2005, 10:52:29 PM
> Is the IP address you're assigned a dynamic IP address

No, I have a static. Actually, a range of five, but the first is the one
I am trying to make appear in the Received From headers. I have since
recompiled sendmail with some changes that made no difference.

No, with my account (overpriced) I don't have any blocks. I called them to
make them check that they were not blocking outbound port 25.

My DNS seems fine. Reverse lookups on the domain in the headers works
fine: ns1.veinotte.net. But of course the corresponding IP address is
internal so can't work.

Anyone have any ideas on how I might get this happening?


Dennis Willson

Nov 15, 2005, 1:16:10 PM
Be sure that there is an external reverse DNS for your external IP address. Your provider will probably be the one to have to set it
up, as many mail servers will not accept mail from a server without a valid reverse.

Did you double check that telnet on port 25 works to a couple of different mail servers? It's possible that there's something in
your firewall that is preventing the connection. If you can telnet to a couple of different mail servers and you cannot get Sendmail
to send to those same mail servers (so pick a couple that have accounts you would normally send to). If you can telnet and manually
send an email then that eliminates all network related issues.

Barry Veinotte

Nov 15, 2005, 7:18:08 PM
>> Be sure that there is a external reverse DNS for your external IP address.
>> Your provider will probably be the one to have to set it
>> up. As many mail servers will not accept mail from a server without a
>> valid reverse.

You are right on the money Dennis. I found out that my reverse is in fact
pointing at my ISP, even though they assured me they had set it up for me.
Instead of returning ns1.veinotte.net it comes back as
blabla.static.eastlink.ca
I found that out after a spam attack tonight from one of my contact forms...
that is another story.
Got me blocked from AOL though. Looks like it will be a long night since the
spambots have quite a few other forms on my sites to find, so I have to get
them fixed first.

I plan to call them in the am and get them to set it. I have wasted days on
this. Wish I could send them a bill for it!

Barry Veinotte

Nov 16, 2005, 10:25:30 AM

> Be sure that there is a external reverse DNS for your external IP address.
> Your provider will probably be the one to have to set it

Okay, I got my ISP to reverse map to my domain name (ns1.veinotte.net)
Once that propagates, how do I get sendmail to add the "real" IP address to
the Received From headers instead of the internal IP address assigned by my
router?

Looks like I am back to square one, just with more bases covered.


J.O. Aho

Nov 16, 2005, 10:44:19 AM

Think you need to set up some rules that rewrite the header and I don't think
this is the place where you will get the answer how to write the proper rule,
as it's been asked before without anything else than it's dangerous if some
spammer can use your machine as relay and you don't see from where he sent the
mail from the beginning.


//Aho

Message has been deleted

J.O. Aho

Nov 16, 2005, 3:19:28 PM
Ric wrote:
> On 16 Nov 2005 J.O. Aho entered comp.mail.sendmail and left
> news:3u12ejF...@individual.net:
>
>> Barry Veinotte wrote:
>>> Okay, I got my ISP to reverse map to my domain name
>>> (ns1.veinotte.net) Once that propogates, how do I get sendmail to add
>>> the "real" IP address to the Received From headers instead of the
>>> internal IP addres assigned by my router?
>>>
>>> Looks like I am back to square one, just with more bases covered.
>> Think you need to setup some rules that rewrites the header and I
>> don't think this is the place where you will get the answer how to
>> write the proper rule, as it's been asked before without anything else
>> than it's dangerous if som spammer can use your machine as relay and
>> you don't see from where he sent the mail from the beginning.
>>
>>
>
>
> I don't see why it matters anyway, there's nothing wrong with the headers
> having local network IPs, what's important is the IP and the PTR, that's
> what the receiving server sees, the internal IPs in the headers won't be
> blocked (otherwise that would block most all eMail).
> I would just set the EHLO name to your domain (which should be close to the
> rDNS of your IP), and leave it at that, all bases covered.

There are SMTPs that do check the whole relay line and block mail if they
can't resolve the ip-names. I'm not saying it's common.

You may not want to show strangers what your internal network looks like.


> Certainly if you tried to rewrite something like 10.0.1.2 to one of the
> veinotte.net IPs, that would be false, trace incorrectly and look like a
> forgery, which would make matters worse.

I wouldn't call it forgery, the point is really just to rewrite those mails
that come from the internal network to look like they came directly from the
mail server. The trace wouldn't look incorrect if you strip the first Received
from the header of the mail.


//Aho

Message has been deleted

Barry Veinotte

Nov 17, 2005, 4:29:10 AM
> Well I call that a forgery, and that is one thing I look for when deciding
> to block a server, and I will block them at the firewall, and any server
> that doesn't write any received header at all (which is what you are
> essentially suggesting) get's blocked or at the very least never white-
> listed. I don't care about private IPs, only public IPs.
> I really doubt that the header that Sendmail was writing is the problem, it
> looks to me like the problem is with his DNS. Look it up in
> http://www.dnsreport.com/ , for one there's no MX record for the eMail
> address he's using here, which is a good enough reason to get rejected, I
> don't reject based on senders with no MX, but I'd like to.
> I'm no expert on DNS, but at one time I probably found enough info to
> figure it out on either Windows or UNIX, all I can recover right now is
> http://www.dnsstuff.com/info/revdns.htm
> http://www.garykessler.net/library/dns.html
> http://www.hostlibrary.com/BasicDNSPTRRecordsAndWhyYouCare-reverse-ip.html
>
> and a bunch other DNS BIND stuff. I'm sure there's better info, like a
> book.
>
I have tons of rejected mail due to timeouts when the receiving end looks to
be trying to resolve the internal IP in the received from header. Some
actually bounce with "Config error - mail loops back to me..." because they
are trying to resolve 192.168.1.1

I have "DNS and BIND" in front of me, and admit I should go back to page
one and start over. However, I do have (obviously wrong) MX records in
place.
Could you tell me what is wrong with this entry? Don't be gentle - I know I
don't know what I am doing!


$TTL 86400

@ IN SOA ns1.veinotte.com. webmaster.veinotte.com. (
1038079814 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

veinotte.com. IN NS ns1.veinotte.com.
veinotte.com. IN NS ns2.veinotte.com.
veinotte.com. IN A 24.222.94.162
ns1.veinotte.com. IN A 24.222.94.162
ns2.veinotte.com. IN A 24.222.94.163
mail.veinotte.com. IN A 24.222.94.162
*.veinotte.com. IN A 24.222.94.162
veinotte.com. IN MX 10 mail.veinotte.com.


J.O. Aho

Nov 17, 2005, 4:42:04 AM
Ric wrote:
> On 16 Nov 2005 J.O. Aho entered comp.mail.sendmail and left
> news:3u1iihF...@individual.net:
>
>>> Certainly if you tried to rewrite something like 10.0.1.2 to one of
>>> the veinotte.net IPs, that would be false, trace incorrectly and look
>>> like a forgery, which would make matters worse.
>> I wouldn't call it forgery, the point is really just to rewrite those
>> mails that comes from the internal network to look like they got
>> directly from the mail server. The trace wouldn't look incorrect if
>> you strip the first Received from the header of the mail.
>>
>
> Well I call that a forgery, and that is one thing I look for when deciding
> to block a server, and I will block them at the firewall

Blocking at firewall level can cause you to get onto some nice lists, as it does
break some RFC which states that SMTP connections should always be accepted.

> and any server
> that doesn't write any received header at all (which is what you are
> essentially suggesting) get's blocked or at the very least never white-
> listed. I don't care about private IPs, only public IPs.

No, if you had read it a bit slower I'm talking about the Received that comes
from the internal network, eg 192.168.x.x, which are those that can lead to
mail rejections at some SMTPs.

//Aho

Barry Veinotte

Nov 17, 2005, 7:46:50 AM
>> I'm talking about the Received that comes from the
>> internal network, eg 192.168.x.x, which are those
>> that can lead to mail rejections at some SMTPs.

A lot of SMTPs as I am finding out. That is the heart of my
problem, and I think that even if I get my DNS straightened
out I will still not be in much better shape. This is rejected from
a LOT of mail servers:

Received: from ns1.veinotte.net (ns1.veinotte.net [192.168.1.1])

They try to do a reverse lookup on the ip section to make sure it
matches the sending domain name, and of course it can't.

So without messing with rewrite rules and such things that I really
don't want to get into, there is no way from behind a router to have
the real IP address appear in that header. Is that right?


J.O. Aho

Nov 17, 2005, 8:37:45 AM
Barry Veinotte wrote:
>>> I'm talking about the Received that comes from the
>>> internal network, eg 192.168.x.x, which are those
>>> that can lead to mail rejections at some SMTPs.
>
> A lot of SMTPs as I am finding out. That is the heart of my
> problem, and I think that even if I get my DNS straightened
> out I will still not be in much better shape. This is rejected from
> a LOT of mail servers:
>
> Received: from ns1.veinotte.net (ns1.veinotte.net [192.168.1.1])

Fix your /etc/hosts and remove the ns1.veinotte.net from the line with
127.0.0.1. If this isn't the case, then see to it that your DNS doesn't serve
internal ip-numbers for external ip-names.


//Aho

Message has been deleted

Barry Veinotte

Nov 17, 2005, 9:46:57 AM

> > Received: from ns1.veinotte.net (ns1.veinotte.net [192.168.1.1])
>
> fix your /etc/hosts and remove the ns1.veinotte.net from the line with
> 127.0.0.1. If this ains't the case, then see to that your DNS don't server
> internal ip-numbers for external ip-names.

Thanks. I tried removing ns1.veinotte.net from the localhost line, now it
just reads: 127.0.0.1 localhost

Didn't work though, so I suspect I am still looking for a DNS issue, if this
can in fact be achieved. I did mention earlier that this is a cable router
right?
It is the router's IP that is added to the headers, and that sendmail
considers its real address.

Does this make sense, or should it be full domain names? I used this on a
server before and it worked fine - that was without a router in the way
though.

IN NS ns1.veinotte.net.
162 IN PTR ip-162.veinotte.net.
163 IN PTR ip-163.veinotte.net.
164 IN PTR ip-164.veinotte.net.
165 IN PTR ip-165.veinotte.net.
166 IN PTR ip-166.veinotte.net.

Barry


Message has been deleted

Dennis Willson

Nov 17, 2005, 1:37:45 PM
Actually mail servers rarely (if ever) look at old received headers. What they actually do is: do a reverse on the IP address of the
server that is contacting them. Some, in addition to that then take what they received in the reverse lookup and do a forward look
up and compare the IP addresses to see if they match.

Some are configured to need an MX record but not most as the larger ISPs use different mail servers for sending than receiving and
don't have mx records for the sending server (mine work that way as well).

I know a lot of mail servers sitting behind NAT that have internal addresses and work just fine so that in itself isn't the problem.

Also have you looked at what your HELO statement is? Is this a FQDN or an internal IP address? While IP addresses are legal, if it's
an internal address that could be a problem.

One thing I recommend is to try and send an email to somewhere you would normally send (A friend or so forth) and when that fails
check the logs very closely. Then use telnet to send an email manually to the same server and see what actual responses and what
stage the error occurs in. Best to do this from the same computer that your mail server is running on.

Dennis
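
The check described in the post above (reverse lookup of the connecting IP, forward lookup of the result, plus a look at the HELO name), as an added example that is not part of the original thread. The lookup tables are constructed from names and addresses quoted in the thread; the "internal leak" snapshot and all function names are assumptions made for illustration.

```python
import ipaddress

def _norm(name):
    return name.rstrip(".").lower()

def fcrdns(peer_ip, ptr_lookup, a_lookup):
    """PTR(peer_ip) gives names; pass only if some name's A records include peer_ip."""
    names = [_norm(n) for n in ptr_lookup(peer_ip)]
    if not names:
        return "no-ptr", None
    for name in names:
        if peer_ip in a_lookup(name):
            return "pass", name
    return "forward-mismatch", names[0]

def classify_helo(helo):
    """FQDN, bare name, or address literal (private or public)."""
    arg = helo.strip()
    literal = arg[1:-1] if arg.startswith("[") and arg.endswith("]") else arg
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return "fqdn" if "." in _norm(arg) else "unqualified-name"
    return "private-ip" if addr.is_private else "public-ip"

def assess(peer_ip, helo, ptr_lookup, a_lookup):
    """What a receiver can judge from the TCP peer address and HELO alone.
    Received: headers inside the message are not an input here."""
    rdns, name = fcrdns(peer_ip, ptr_lookup, a_lookup)
    return {
        "rdns": rdns,
        "ptr_name": name,
        "helo": classify_helo(helo),
        "helo_matches_ptr": name is not None and _norm(helo) == name,
    }

def table_resolver(ptr, a):
    """Build (ptr_lookup, a_lookup) from dicts so the example runs offline."""
    return (lambda ip: ptr.get(ip, [])), (lambda n: a.get(_norm(n), []))

# Constructed DNS snapshots; names and addresses are the ones quoted in the thread.
PEER = "24.222.94.162"
ISP_DEFAULT = table_resolver(
    {PEER: ["blabla.static.eastlink.ca."]},
    {"blabla.static.eastlink.ca": [PEER], "ns1.veinotte.net": [PEER]})
PTR_FIXED = table_resolver({PEER: ["ns1.veinotte.net."]},
                           {"ns1.veinotte.net": [PEER]})
# Assumed failure mode: the public A record hands out the internal address.
INTERNAL_LEAK = table_resolver({PEER: ["ns1.veinotte.net."]},
                               {"ns1.veinotte.net": ["192.168.1.1"]})

if __name__ == "__main__":
    for label, res in [("ISP default PTR", ISP_DEFAULT), ("PTR fixed", PTR_FIXED),
                       ("internal A leaked", INTERNAL_LEAK)]:
        print(label, assess(PEER, "ns1.veinotte.net", *res))
    print("HELO literal", assess(PEER, "[192.168.1.1]", *PTR_FIXED))
```

To run it against live DNS, pass lookup functions built on a real resolver in place of the tables.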

Robert Harker

Nov 17, 2005, 10:51:14 PM
If it is really a problem with your Received: header, why don't you
change the format in the received header?

In your host.mc file add:
define(`confRECEIVED_HEADER',`id $i; $b')
Which would generate a minimal header:
Received: id jACJAPcx01119; Sat, 12 Nov 2005 11:10:25 -0800
Or if you wanted it to look more like normal header:
define(`confRECEIVED_HEADER',`from intmail.your.dom (intmail.your.dom [1.2.3.4])
        by extmail.your.dom ($v/$Z)$?r with $r$. id $i;
        $b')
Where 1.2.3.4 is an external IP address that can be resolved via a PTR
record to the hostname:
intmail.your.dom and extmail.your.dom is the hostname of the external
sendmail relay you install this Received: header on.

RLH

> For info about our "Managing Internet Mail, Setting Up and Trouble <
> Shooting sendmail and DNS" and a schedule of dates and locations, <
> please send email to in...@harker.com, or visit www.harker.com <

Kari Hurtta

Nov 19, 2005, 2:08:15 AM
"Barry Veinotte" <ba...@veinotte.com> writes:

Are you sure that this error is not from your sendmail?

> I have "DNS and BIND" in front of me, and admit I should go back to page
> one and start over. However, I do have (obviously wrong) MX records in
> place.
> Could you tell me what is wrong with this entry? Don't be gentle - I know I
> don't
> know what I am doing!
>
>
> $TTL 86400
>
> @ IN SOA ns1.veinotte.com. webmaster.veinotte.com. (
> 1038079814 ; Serial
> 10800 ; Refresh
> 3600 ; Retry
> 604800 ; Expire
> 86400 ) ; Minimum
>
> veinotte.com. IN NS ns1.veinotte.com.
> veinotte.com. IN NS ns2.veinotte.com.
> veinotte.com. IN A 24.222.94.162
> ns1.veinotte.com. IN A 24.222.94.162
> ns2.veinotte.com. IN A 24.222.94.163
> mail.veinotte.com. IN A 24.222.94.162
> *.veinotte.com. IN A 24.222.94.162
> veinotte.com. IN MX 10 mail.veinotte.com.

I think that it is cleaner, if you drop mail.veinotte.com
and make

veinotte.com. IN MX 10 ns1.veinotte.com.


After all it is:

[hurtta@attruh hurtta]$ host 24.222.94.162
162.94.222.24.in-addr.arpa domain name pointer ns1.veinotte.net.


In other words make MX point to actual hostname.


And there is danger that *.veinotte.com may cause problems.

/ Kari Hurtta

Kari Hurtta

Nov 19, 2005, 2:31:16 AM
Kari Hurtta <hur...@attruh.keh.iki.fi> writes:

And if 24.222.94.162 is not actually one address of some interface
of ns1.veinotte.net there needs to be some extra configuration.

In other words if you actually have 192.168.1.1 as the address of the interface.
You address translate 192.168.1.1 to 24.222.94.162 on some NAT
device.

What is that network ?
24.222.94.160 network address
24.222.94.167 broadcast address

> And there is danger that *.veinotte.com may cause problems.


Your subject was "Received From IP from behind router", but I think that
your network setup is NOT for example following

     +--------------+                                   +--------------+
     | ISP          |   some unrouteable network        | your router  |  24.222.94.160/19
 --- | router       |---------------------------------  |              | -----
     |              |   for example 10.1.1.0/30         |              |    |
     +--------------+                                   +--------------+  24.222.94.162
                                                                          ns1.veinotte.com

/ Kari Hurtta

Kari Hurtta

Nov 19, 2005, 2:38:24 AM
Kari Hurtta <hur...@attruh.keh.iki.fi> writes:

<...>


> What is that network ?
> 24.222.94.160 network address
> 24.222.94.167 broadcast address
>
> > And there is danger that *.veinotte.com may cause problems.
>
>
> Your subject was "Received From IP from behind router", but I think that
> your network setup is NOT for example following
>
>      +--------------+                                   +--------------+
>      | ISP          |   some unrouteable network        | your router  |  24.222.94.160/19
>  --- | router       |---------------------------------  |              | -----
>      |              |   for example 10.1.1.0/30         |              |    |
>      +--------------+                                   +--------------+  24.222.94.162
>                                                                           ns1.veinotte.com
>

Oops. typo 24.222.94.160/19 was supposed to be 24.222.94.160/29

/ Kari Hurtta

Barry Veinotte

Nov 22, 2005, 12:16:00 PM
Well, now the reverse dns issues have been resolved, but I still can't
send mail out without a smarthost. I get:
"stat=Deferred: Operation timed out with..."

Can you give me some ideas on where to look for the cause? This is
happening with all servers, not just some. The maillog won't give me
any more info so I will see if changing the log level helps. Sending
mail from the command line using -v doesn't help either, as it seems to
send fine, but then sendmail times out with the connection to the
receiving mail server open:
sendmail: ./jAMH7Nxq000961
mx4.hotmail.com.: user open (sendmail)

Thanks,
Barry

"Dennis Willson" <giga...@taz-mania.com> wrote in message
news:ktWdnQ9AD6N...@baytsp.com...

Dennis Willson

Nov 22, 2005, 2:32:57 PM
It really sounds like port 25 is blocked.

Find a mail server you're trying to communicate with and do a "telnet <mailserver name> 25"

If the ports are open the mail server will respond with a welcome message you can read. Try this on several
different mail servers and if they all won't respond at all, then you're blocked.

Dennis
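
The telnet test from the post above, scripted so it can be repeated against several servers and the outcomes compared (an added example, not part of the original thread). The status labels and the `diagnose` summary are assumptions of this sketch; hostnames are supplied on the command line.

```python
import socket
import sys

def probe_smtp(host, port=25, timeout=10.0):
    """Return (status, detail) for one connection attempt, like `telnet host 25`."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "connect-timeout", ""   # SYN silently dropped: typical of filtering
    except ConnectionRefusedError:
        return "refused", ""           # host reachable, nothing listening
    except OSError as exc:
        return "error", str(exc)       # DNS failure, no route, ...
    with conn:
        try:
            data = conn.recv(512)      # the server speaks first in SMTP
        except (socket.timeout, TimeoutError):
            return "no-banner", ""     # connected, but the server stayed silent
        except OSError as exc:
            return "error", str(exc)
    banner = data.decode("ascii", "replace").strip()
    return ("banner", banner) if banner.startswith("220") else ("unexpected", banner)

def diagnose(statuses):
    """Summarise probes of several servers, per the 'try several' advice above."""
    seen = set(statuses)
    if not seen:
        return "no data"
    if "banner" in seen:
        return "port 25 reachable"
    if seen <= {"connect-timeout", "no-banner"}:
        return "no server answered: outbound port 25 is probably filtered"
    return "inconclusive"

if __name__ == "__main__":
    # Usage: python probe25.py <mailserver name> [<mailserver name> ...]
    results = {h: probe_smtp(h) for h in sys.argv[1:]}
    for host, (status, detail) in results.items():
        print(f"{host}: {status} {detail}")
    print(diagnose(s for s, _ in results.values()))
```

Run it from the machine the mail server runs on, so the probe takes the same path through the router as sendmail does.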

Barry Veinotte

Nov 22, 2005, 6:31:23 PM

"Dennis Willson" <giga...@taz-mania.com> wrote in message
news:BoGdnd2cesf...@baytsp.com...

> It really sounds like port 25 is blocked.

Yes, it was. After calling them twice to check on it, they found tonight
that it was being filtered.

Oh well, I learned a lot about sendmail and dns that I didn't know before.
A week of hell, but that comes with the territory I guess.

Thanks much!

Barry
