Topic: please help me with my e-mail server?

[Tom]

I can send from e-smith 5.1 webmail, but I cannot receive.  WIll you assist?

When I send a test message from hotmail to my e-smith email server ("yyy@xxx.com"), it gets bounced back pretty fast and says:


*******************************************************************************************
This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       yyy@xxx.com



 
Reporting-MTA: dns;hotmail.com
Received-From-MTA: dns;mail.hotmail.com
Arrival-Date: Sat, 11 May 2002 20:40:14 -0700

Final-Recipient: rfc822;yyy@xxx.com
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp;551 Sorry f165.pav2.hotmail.com(64.4.37.165), I don't
allow unauthorized relaying. Please use another SMTP host to mail from
to
*******************************************************************************************
 
I have delegated DNS duties to ZoneEdit.com.  I told them my web server, domain, and email server all share the same ip address.  I set this in the MX record section at ZoneEdit, i.e., it says "xxx.com handles mail 1st for domain xxx.com".

My e-smith settings:

Email Retrieval
*Standard
*(so all other fields here are irrelevant)

Other Email Settings
*Return to Sender
*POP adn IMAP set to "Public"
*HTTPS enabled

No Information Bays
Only One :Update" Blade

I really have no idea what to do here.  How can I receive mail?

TT

[Terry Brummell]

Only thing that I can see that may be wrong here....

Does your "Primary Domain Name" you setup during installation match the domain that your DNS uses and to which you are emailing?

Terry

[Tom]

I told ZoneEdit.com that I only have one static IP, and to associate mail.xxx.com, www.xxx.com and xxx.com all with that IP.  Esmith is configured with xxx.com, mail.xxx.com, proxy.xxx.com, and ftp.xxx.com.  So this is right, right?

[Terry Brummell]

That will only work if xxx.com is set up as the Primary Domain or a Virtual Domain.  Is it?

[Tom]

Yes, this is what I have:

Domain information
Primary domain -- xxx.com
Virtual domains No virtual domains defined
Primary web site http://www.xxx.com/

So you this is configured correctly?

[Terry Brummell]

Sounds correct to me.  Apart from running the configuration again and rebooting I have no idea what the trouble is.  Was this ever working?  Has something else been installed that may have messed with a config file somewhere?

Terry

[Tom]

It has never worked.  But notice from the reject message that it is Hotmail's dns that is rejecting the message.  It's not bouncing off of my server.  that makes me think it is a dns/mx problem.

[Tom]

Under "hostnames and addresses" in the configuration panel, all services were set to local.  Should I change mail and www to global?

[Terry Brummell]

Mine are all "local" too.  The bounce message looks like a SME message so I really do think it's a server issue.  What is your domain name so your MX and DNS settings can be checked?

[Tom]

van-buskirk.com

[Terry Brummell]

I sent an email to admin@van-buskirk.com at 6:41, it hasn't bounced yet, it's now 8:40.....

[Tom]

Quoting Terry Brummell :

> just a test email....
>
> Terry
>


Hmmm....it worked!  Now, I never checked or tested this account.  I guess I
feel like it is obvious that I try *this* one, but I just didn't.  I'm kinda
silly now.  Ha!  That is pretty cool.

But I still don't get it.  When I configured this server, I set up two user
accounts.  And those are the ones I have been testing from outside places
like
hotmail.  I am going to create a new account and try it from hotmail,
hushmail,
et al.  We'll see why is the difference between "admin" and "$user".

Thanks for that.

NEW USER: "norm"

!!!

[Tom]

Ok , i created a new account: "norm"

"norm@van-buskirk.com" bounced too.  When I created the account, I made it a
member of the only group existent.  Now I'll make new user "norm1" a member
of no group.

[Tom]

"norm1" bounced too.  4 for 4 users bounce.   All admin succeed.

[Dan Brown]

The problem seems to be that your SMTP server doesn't seem to know who it is:

[dan@e-smith home]$ telnet van-buskirk.com 25
Trying 216.19.216.10...
Connected to van-buskirk.com.
Escape character is '^]'.
220 216-19-216-10.getnet.net SMTP daemon ready.
helo familybrown.org
250 216-19-216-10.getnet.net pleased to meet you, familybrown.org

...It seems to think its name is "216-19-216-10.getnet.net".  Users and groups are irrelevant here; IMO you're wasting your time going down that path.

Try this: grep getnet.net /var/qmail/control/*

[Dan Brown]

Um, never mind that last bit--it's not the qmail files, it's the obtuse SMTPd that's your problem.  Take a look in /var/spool/smtpd/etc/smtpd_check_rules and see what it has listed for domains.

[Tom]

That returns the members of the null set.  I mean it returned nothing.  Is there something Dan you know that I don't know that you could share?

T

[Tom]

#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# e-smith server and gateway software. Instead, modify the source
# template in the /etc/e-smith/templates directory. For more
# information, see http://www.e-smith.org.
#
# copyright (C) 1999, 2000 e-smith, inc.
#------------------------------------------------------------


# Don't allow bang paths via us
noto:ALL:ALL:*!*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.

# Don't allow two @s (equivalent to %hack) via us
noto:ALL:ALL:*@*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.

# Don't allow %hack relay via us
noto:ALL:ALL:*%*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.


# Allow relaying from the local network
allow:127.0.0.1:ALL:ALL
allow:10.0.0.0/8:ALL:ALL

# Prohibit access to these addresses from the outside world
noto:ALL:ALL:everyone@*.van-buskirk.com everyone@van-buskirk.com:551 Sorry %H (%I), you cannot send mail to %T from outside our loca
l network.
noto:ALL:ALL:shared@*.van-buskirk.com shared@van-buskirk.com:551 Sorry %H (%I), you cannot send mail to %T from outside our local ne
twork.

# Allow any of our valid e-mail accounts to any of our domains
allow:ALL:ALL:admin@*.van-buskirk.com admin@van-buskirk.com:
allow:ALL:ALL:mailer-daemon@*.van-buskirk.com mailer-daemon@van-buskirk.com:
allow:ALL:ALL:postmaster@*.van-buskirk.com postmaster@van-buskirk.com:

# Just say no to anything else, we won't relay for people we don't know.
noto:ALL:ALL:ALL:551 Sorry %H(%I), I don't allow unauthorized relaying. Please use another SMTP host to mail from %F to %T

#------------------------------------------------------------
# TEMPLATE END
#------------------------------------------------------------
~
~
~

[Dan Brown]

I really don't know the syntax of that file, but as I read it, it's set to only allow e-mail to the admin (or postmaster) users.  The only guess I have as to the reason for that is the smtpdcheckrules RPM you installed from myezserver.com (I don't know why it would do this, but it's the only reason I can think of that you'd be seeing any usernames at all in that file).  Try removing that RPM and see if that fixes things.

[Tom]

"rpm -q --all | grep smtp*"  shows "obtuse-smtpd-qmail-2.0.33, dmc-mitel-smtpdcheckrules-0.0.1-5, e-smith-obtuse smtpd-16.0-01,

But "rpm -e dmc-mitel-s*" says its not installed.

So I "rpm -Uvh --force ./dmc-mitel-s*" and it installed.  Then I tried to erase it and it says it's not installed.

[Dan Brown]

Don't use the asterisk; do rpm -e dmc-mitel-smtpdcheckrules, and it should remove it.  Then be sure to do /sbin/e-smith/expand-template /var/spool/smtpd/etc/smtpd_check_rules.

[Tom]

That is so awesome! all accounts worked.  I guess I had a misconfigurted smtpd-check-rules? Because how it is uninstalled, I did that command, and it works!

After I rpm'd it in originally, I did not perform any further configuration. Maybe I should have.  Maybe I should have followed the how-to at

http://myezserver.com/downloads/mitel/howto/smtp-restrict-howto.html

Maybe I should have rpm'd it and followed the whole how-to, instead of simply rpm'ing it alone.

SO I guess at this point, with dmc-smtpd-check-rules uninstalled, anyone can use my server to spam.  Is that right?

Thank you Dan and Terry for all your help!!!

TomTom

[Dan Brown]

Well, if there's documentation out there, it's always a good idea to follow it, but in this case, that HOWTO doesn't seem to say anything about using the RPM.

Your server is not now an open relay by virtue of having removed this RPM.  To explain why requires a bit of discussion of how the SME mail system works, and what this RPM  tries to do:

When incoming mail arrives via SMTP, it's first processed by Obtuse SMTPd.  Once obtuse is finished with it, it hands it off to qmail, which delivers it to the appropriate mailbox.  Obtuse handles things like obvious spam checks and anti-relaying, but doesn't (by default) verify that the message is addressed to a valid user--qmail does that.  This is acceptable for normal e-mail--qmail will generate a bounce message and send it back to the person who sent the message.  It uses a little more bandwidth than if obtuse just stopped it at the gate, but it works.

The problem with this approach comes when the return address is bogus, as is almost invariably the case with spam.  In that case, the administrator gets a message saying, "the bounce bounced!"  A common spamming technique is to send messages to lots of random addresses at a domain.  With the default configuration, this will result in _lots_ of double-bounce messages to the postmaster.

IMO, this is a serious deficiency in the SME mail setup.  It's not really insecure, but it can be very inconvenient, and it seems that obtuse _should_ be able to verify the addresses before handing the message off to qmail (note that I know almost nothing about obtuse smtpd; it just seems that this is a capability that it should have).

Darrell seems to agree that this is a problem, and the RPM you installed is one way of addressing it.  I don't know why your system was just listing the admin and postmaster accounts, but I'll assume that it's supposed to have all valid accounts listed.  What it does is cause obtuse to bounce any message addressed to an address that isn't in the "OK" list.  Doesn't look like an exceptionally elegant way of solving the problem, but it also seems that it should work (again, if all valid accounts were actually listed--maybe Darrell can chime in with suggestions as to why that wasn't the case).

I also see a fairly serious problem with this approach, though (or at least this implementation): mail to an invalid user bounces with an anti-relaying message, which is inappropriate.  It should bounce with a user unknown message.  I'd think a line like this should solve that problem:

noto:ALL:ALL:*@*.van-buskirk.com:500 User Unknown.  Sorry %H (%I), the mailbox %T doesn't exist here.

The syntax here is only a wild guess, and I'm not 100% sure of the error number either.  The idea, though, is to generate a more useful bounce message.  This would be added after all the specific users are listed.

[Darrell May]

Dan Brown wrote:
> (again, if all valid accounts were actually listed--maybe
> Darrell can chime in with suggestions as to why that wasn't
> the case).

Sounds like this fellow might have installed the rpm incorrectly.  In any event to rebuild smtpd_check_rules at any time you simply need to execute:

/sbin/e-smith/signal-event email-update

Regards,

Darrell