Topic: Error: can't establish smtp connection (4.4.1)

[Frank VB]

This morning my SME 7.1.3. started to behave strangely. I think my server was used for sending spam. I saw numerous messages in the qmail queue which were very suspect. I stopped qmail and qpsmtpd and deleted everything in the queue. I disconnected the computer that I suspect to be the cause of the problem. To be sure I completely restarted the server. After rebooting I'm noticing that messages are building up in the remote queue with the above error.

I've checked my IP-address in spamhause.org and njabl.org but it is not listed.

I'm apparently able to receive incoming mail. All services are running normally at the moment.

What can I do to get outgoing mail going again?

I don't think this is an SME server problem, but a spam problem so I'm posting it here, not in the bug tracker.

[cactus]

This morning my SME 7.1.3. started to behave strangely. I think my server was used for sending spam. I saw numerous messages in the qmail queue which were very suspect. I stopped qmail and qpsmtpd and deleted everything in the queue. I disconnected the computer that I suspect to be the cause of the problem. To be sure I completely restarted the server. After rebooting I'm noticing that messages are building up in the remote queue with the above error.

I've checked my IP-address in spamhause.org and njabl.org but it is not listed.

I'm apparently able to receive incoming mail. All services are running normally at the moment.

What can I do to get outgoing mail going again?

I don't think this is an SME server problem, but a spam problem so I'm posting it here, not in the bug tracker.

Most likely one of the systems on your network is infected and sending spam. You should report a bug, if you are concerned about security issues the dev team can modify your bug so it does not appear public AFAIK.

Perhpas the iptraf program can help you find the system quickly when logged in as root on your server.

[CharlieBrady]

What can I do to get outgoing mail going again?

You first need to work out why it is not going.

"Can't establish smtp connection" means just what it says. If you have a "Smart host" configured, then that Smart host is no longer accepting SMTP (i.e. outgoing mail) connections from your server. Talk to your ISP.

If you do not have a "Smart host" configured, then your SMTP connections will be going to various places. If all those are failing, then either your Internet link isn't working (which I think you would have noticed and told us about), or your ISP has started to block outbound SMTP connections - in which case you'll need to switch to using your ISP's mail server as "Smart host".

If your server has been used to send spam, you should figure out why/how and fix that problem before you bother to fix the outdoing SMTP problem.

[Frank VB]

You're right, Charlie. I removed my ISP's smtp server as outgoing smtp server (In Server Manager > Configuration > E-mail: Address of Internet provider's mail server). After a while mail started flowing out again. Only Yahoo seems to be a little reluctant in accepting mail coming from my server. Mails are being temporarily deferred (error 4.16.50) or there have been too many connections (4.4.5). I'll contact my ISP to sort out the issue.

The suspected computer is off-line and being scanned. No results so far of an infection, but I hope I've got the culprit.

Thank you all for the feedback and keep up the good work!

[raem]

frankvb

Only Yahoo seems to be a little reluctant in accepting mail coming from my server. Mails are being temporarily deferred (error 4.16.50) or there have been too many connections (4.4.5). I'll contact my ISP to sort out the issue.

You need to sort this out with yahoo tech support as they are blocking servers quite agressively, and you will need to have your servers IP or your ISP's IP(s) unblocked.

[Frank VB]

I've been contacted by my ISP. They've forbidden me to use their SMTP servers again. Apparently a heavy spam run was going on through my server. I detected it only after two hours (because I was out of office). SME server is now sending out all mails by itself. I'll contact Yahoo in order to clear up the situation with them.

Going a little bit off topic now ...

I'm just now trying to find out how this all happened. Log files get quickly filled up during a spam run, so I'm backing up for forensics. AFAIK the spam was initiated from a local computer (Windows XP machine with all Windows patches applied and McAfee Antivirus and firewall). I've checked this particular computer with Clamwin and Mcafee and nothing turned up! Could this be initiated from the browser (IE7), Outlook, Word document?

I've yet have to thoroughly question the user that was using the affected computer. If anyone got some pointers where to look further I'd be grateful.

[CharlieBrady]

Could this be initiated from the browser (IE7), Outlook, Word document?

Yes, yes and yes. Add MSN messenger to that list, and probably dozens of others.

[CharlieBrady]

Only Yahoo seems to be a little reluctant in accepting mail coming from my server. Mails are being temporarily deferred (error 4.16.50) or there have been too many connections (4.4.5). I'll contact my ISP to sort out the issue.

I think that yahoo are using graylisting, and your ISP won't be able to change that, nor is it a problem that you have to fix - it'll work itself out.

[Frank VB]

Thanks Charlie for the information!

I've just been on the phone with my ISP helpdesk and they've advised me to do a trace of my network (he advised backtrack and wireshark). The technician (a very helpful man) asked if my server acts as a "catch all" server. I said I didn't think so because all mail to non-existant users is rejected as far I can tell. He also said that the iptables firewall can be beaten by a brute force attack, especially if you have a rather slow server (my PIII 1000 Mhz, 512 MB RAM has a rather heavy load). Well, that's his opinion, don't know what you think of it.

[CharlieBrady]

He also said that the iptables firewall can be beaten by a brute force attack, especially if you have a rather slow server (my PIII 1000 Mhz, 512 MB RAM has a rather heavy load). Well, that's his opinion, don't know what you think of it.

Not much Even if true, I don't know how the iptables firewall being "beaten" would have anything to do with this issue.

Don't worry about wireshark - it won't tell you anything new. You know that you can connect to yahoo, and you know that they sometimes defer mail from your server. Your mail is eventually getting through, isn't it?

[Frank VB]

Mail is flowing normally, generally speaking. I have only 6 messages left in the queue (5 of them were sent out today, after the spamming incident and after my ISP blocked my server from using his SMTP server). There are mainly 3 errors for those messages:

1) Deferral: connected to nnn.nnn.nnn.nnn but greeting failed. Remote host said: 421 message from (zzz.zzz.zzz.zzz = my IP) temporarily deferred -4.16.50

2) Deferral: connected to ooo.ooo.ooo.ooo but connection died. Possible duplicate - 4.4.2

3) Deferral: ppp.ppp.ppp.ppp does not like recipient host said recipient address rejected: Greylisting in action, please try again later

I guess they will eventually be sent. Anyway, I'll keep an eye on the queue.