Koozali.org: home of the SME Server

yahoo rejects email as "open resolver"

Offline Mophilly

  • *
  • 384
  • +0/-0
    • Mophilly
yahoo rejects email as "open resolver"
« on: December 30, 2021, 10:07:17 PM »
I recently set up SME 10 as a new email host. Today a client sent me the response from yahoo.com he got when he tried to send me another email earlier today. The earlier one was a reply to one I sent and the later one is a forward.

So I am needing to figure this out. Any ideas or suggestions are very welcome.

Happy new year!
- Mark

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: yahoo rejects email as "open resolver"
« Reply #1 on: December 30, 2021, 11:11:25 PM »
Going to need a lot more detail on your server, and the exact Yahoo mail error.

You can test your server via various online services.

But as it stands this is all far too vague.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Mophilly

  • *
  • 384
  • +0/-0
    • Mophilly
Re: yahoo rejects email as "open resolver"
« Reply #2 on: January 04, 2022, 04:20:30 PM »
Sorry about the vague post. I am starting at the top of the investigation path as there is only one error report of this kind. The SME server involved is handling thousands of email with no similar reports. I will add to this post as I dig out relevant detail.
- Mark

Offline Mophilly

  • *
  • 384
  • +0/-0
    • Mophilly
Re: yahoo rejects email as "open resolver"
« Reply #3 on: January 05, 2022, 11:36:27 PM »
So on 29 DEC 2021, yahoo sent this message to a colleague when he replied to an email I sent to him.

Quote
<my email address>: 550: Mail from HELO sonic307-10.consmr.mail.ne1.yahoo.com rejected because it Error: open resolver

My email address is working, and this kind of response from an entity like yahoo bugs me. So, I have been digging through articles about qmail and so on. A search of the logs on my server did not help; obviously the email sent to me never reached my server.

As I searched for clues and inspiring tips, I noticed that some email I have sent was not being received. Most was going out fine, but a few didn't make it. Back to my server logs. I found this:
Quote
(rcpt) check_goodrcptto: recipient mybuddy@gmail.com denied
(deny) logging::logterse: ` xxx.xxx.xxx.xxx   wsip-xxx-xxx-xxx.xxx.sd.sd.cox.net   smtpclient.apple   <myemail@mydomain.com>      check_goodrcptto   901   relaying denied mybuddy@gmail.com   msg denied before queued
550 relaying denied mybuddy@gmail.com

Of course, "mybuddy@gmail.com" is a placeholder for the real, and valid, email address.

This may not have anything to do with yahoo's 550 message, but then I don't know at this point. I further assume that the problem is very likely something I did... because I am not shy about modifying my servers, at least until SME becomes self-aware like Martha Wells' "Murderbot" and stops me.

- Mark

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: yahoo rejects email as "open resolver"
« Reply #4 on: January 06, 2022, 12:12:57 AM »
One thing at a time.

The apple issue you have raised in Rocket. I can't remember the outcome. Configuration or patch?

But I don't think it is related to the Yahoo issue.

Yahoo. That is a weird one.

Searched for:

550 "Error: open resolver"

https://duckduckgo.com/?q=550+%22Error%3A+open+resolver%22&t=ffab&ia=web

Found this. Just wondering if Yahoo got blocked due to a blocked spamhaus query by your SME?

https://community.sophos.com/utm-firewall/f/mail-protection-smtp-pop3-antispam-and-antivirus/129905/open-resolver-spamhaus

First, check the incoming mail from them and see if it is getting blocked and check any errors - watch the logs as he sends.

Next, are you using alternative DNS for your server eg Google or OpenDNS?

There is a thread here on using PiHole and ways to deal with this.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

  • *
  • 2,743
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: yahoo rejects email as "open resolver"
« Reply #5 on: January 06, 2022, 01:29:59 AM »
your line says that the mail to your buddy was denied because it does not allow relay. 
SME does not allow relay if your are not authentified.

suspect your client was trying to sent unauthentified like it was possible on lan in the past.

Offline Mophilly

  • *
  • 384
  • +0/-0
    • Mophilly
Re: yahoo rejects email as "open resolver"
« Reply #6 on: January 06, 2022, 06:53:22 PM »
1. The apple issue you have raised
-- The Apple mail.app sends an invalid HELO, as evidenced by this in this log:
Code: [Select]
dispatching EHLO smtpclient.appleApple said it not a problem for them and there is nothing to fix.  :?

2. I agree that yahoo is the source of the issue, not SME 10. ReetP wrote "Just wondering if Yahoo got blocked due to a blocked spamhaus query by your SME?" That is possible but I am not sure where to look for that.

3. First, check the incoming mail from them
-- I looked in the logs on SME. There are a good number of inbound email from yahoo passing muster on SME, but no sign of the email from my buddy.

4. are you using alternative DNS for your server eg Google or OpenDNS?
-- No. SME is set to its default for DNS.

5. There is a thread here on using PiHole
-- I will look into this

6. your line says that the mail to your buddy was denied because it does not allow relay. SME does not allow relay if you are not authenticated.
-- Understood. This seems odd because the 550 message was issued by yahoo and the notice sent to my buddy.
---- The flow of notes: I sent a note to my buddy. He replied to it. Yahoo complained, did not send the reply to me and returned a notice to my buddy.

As ReetP pointed out, there is more than one issue in this one post. I apologize for that.
1. yahoo's "open resolver" complaint
2. The check_goodrcptto: recipient mybuddy@gmail.com denied I found in the mail log.

Re: 1. I am going to check with my colleague who uses yahoo to see if he can replicate the alert. He is not at all technical.

Re: 2. I am continuing to research this. I don't understand what SME is telling me.
- Mark

Offline Jean-Philippe Pialasse

  • *
  • 2,743
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: yahoo rejects email as "open resolver"
« Reply #7 on: January 07, 2022, 01:44:52 AM »
in what log is check_goodrcptto refusal?

show us a full transaction with this issue. with only pieces of info we can just give pieces if answers

Offline Mophilly

  • *
  • 384
  • +0/-0
    • Mophilly
Re: yahoo rejects email as "open resolver"
« Reply #8 on: January 09, 2022, 08:10:04 PM »
in what log is check_goodrcptto refusal?
qpsmtpd.log

show us a full transaction with this issue. with only pieces of info we can just give pieces if answers
[/quote]
Here is one from 5 JAN 21.
Code: [Select]
29647 Accepted connection 0/40 from yy.yyy.yyy.yyy / wsip-xx-xxx-xxx-xxx.sd.sd.cox.net
29647 Connection from wsip-xx-xxx-xxx-xxx.sd.sd.cox.net [yy.yyy.yyy.yyy]
29647 (connect) karma: karma 1 (1)
29647 (connect) karma: pass, no penalty (0 naughty, 92 nice, 435 connects)
29647 (connect) earlytalker: skip, karma 92
29647 (connect) relay: skip, no match
29647 (connect) dnsbl: pass
29647 220 myserver.mydomain.com ESMTP
29647 dispatching EHLO smtpclient.apple
29647 (ehlo) whitelist: karma 5 (6)
29647 (ehlo) whitelist: helo host smtpclient.apple in whitelisthelo
29647 250-mydomain.com Hi wsip-xx-xxx-xxx-xxx.sd.sd.cox.net [yy.yyy.yyy.yyy]
29647 250-PIPELINING
29647 250-8BITMIME
29647 250-SIZE 30000000
29647 250 STARTTLS
29647 dispatching STARTTLS
29647 220 Go ahead with TLS
29647 (unrecognized_command) tls: TLS setup returning
29647 dispatching EHLO smtpclient.apple
29647 (ehlo) whitelist: karma 5 (11)
29647 (ehlo) whitelist: helo host smtpclient.apple in whitelisthelo
29647 250-mydomain.com Hi wsip-xx-xxx-xxx-xxx.sd.sd.cox.net [yy.yyy.yyy.yyy]
29647 250-PIPELINING
29647 250-8BITMIME
29647 250-SIZE 30000000
29647 250 AUTH PLAIN LOGINnowata
29647 dispatching MAIL FROM:<myaccount@mydomain.com>
29647 (mail) resolvable_fromhost: pass, mydomain.com has MX at myserver.mydomain.com
29647 (mail) rhsbl: pass
29647 (mail) sender_permitted_from: skip, tolerated, none, mydomain.com: No applicable sender policy available
29647 (mail) naughty: pass
29647 250 <myaccount@mydomain.com>, sender OK - how exciting to get mail from you!
29647 dispatching RCPT TO:<mybuddy@gmail.com>
29647 (rcpt) badrcptto: pass
29647 (rcpt) check_goodrcptto: stripping '-' extensions
29647 (rcpt) check_goodrcptto: recipient mybuddy@gmail.com denied
29647 (deny) logging::logterse: ` yy.yyy.yyy.yyy wsip-xx-xxx-xxx-xxx.sd.sd.cox.net smtpclient.apple <myaccount@mydomain.com> check_goodrcptto 901 relaying denied mybuddy@gmail.com msg denied before queued
29647 550 relaying denied mybuddy@gmail.com
29647 dispatching DATA
29647 503 RCPT first
29647 dispatching QUIT
29647 221 mydomain.com closing connection. Have a wonderful day.
29647 click, disconnecting
29647 (disconnect) karma: positive, (msg: 11, his: 92)
- Mark

Offline Mophilly

  • *
  • 384
  • +0/-0
    • Mophilly
Re: yahoo rejects email as "open resolver"
« Reply #9 on: January 20, 2022, 10:31:23 PM »
Regarding the original post; my colleague has not been able to replicate the "open resolver" issue. So, the latest update for SME 10 appears to have set things right, or the original problem was a one off thing.

Regarding the check_goodrcptto comments, I am reviewing that again and will file a submit a report with details to bugzilla.
- Mark

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: yahoo rejects email as "open resolver"
« Reply #10 on: January 20, 2022, 11:49:24 PM »
Your bug.

https://bugs.koozali.org/show_bug.cgi?id=11851

Please check that check_goodrcptto plugin - I'm not sure why you are using it.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation