Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: Shilotsugu on June 13, 2011, 12:01:40 AM

Title: Cannot send, cannot receive email.
Post by: Shilotsugu on June 13, 2011, 12:01:40 AM
After looking at hundreds of similar threads regarding this topic, and after several variations of "try this, try that", I find that each one is agonizingly different to my own problem in some minor way and the email section on the contribs wiki is less than helpful. So despite the risk of provoking the advanced users' ire again, I decided to open yet another thread.

I have a registered domain "mydomain.net" pointing to the IP on my SME. In the past six months that IP has changed three times and ISPs twice. While the web and other services seem to update with no trouble, I can't seem to get the right combination of settings to get the email working this time. I was originally using the provider's mail server and both send/receive worked fine. The second change their server was rejecting all mails. I was able to fix this with a combination of certification and no longer using the provider's server. This time I tried the following:

Update new IP with domain registrar (load zone and all services to a single IP)
Revoke/delete and subsequently publish new CA cert.
Restart SME.

This was over a month ago. As I mentioned, all services updated/resolved almost immediately with the exception of email. I have SMTP sending on 465 as the current ISP blocks port 25, but that seems to be standard these days.

Any help is appreciated.
Title: Re: Cannot send, cannot receive email.
Post by: CharlieBrady on June 13, 2011, 02:19:09 AM
You have to be systematic and investigate step by step. Outbound and inbound are independent - investigate each and report problems with each separately.

For outbound to work you need either port 25 access to every mail server on the Internet (i.e you need your ISP not to block port 25 outbound) or you need to use your ISP's mail server. Failures with outbound will appear in your qmail logs, and in the smtp-auth-proxy log if you are using your ISP's mail server with authentication.

For inbound to work, you need your domain's DNS to be correct, and you need your ISP to allow port 25 traffic to reach your SME server. If your SME server is behind a NAT router, you need port-forwarding settings to be correct on your router, and you need working Internet access from your SME server. If there is a problem with any of these things, you probably won't see anything in your logs - the qpsmtpd log will show there are no connections inbound from the Internet.
Title: Re: Cannot send, cannot receive email.
Post by: Shilotsugu on June 14, 2011, 08:51:40 AM
Thanks for your reply. I changed the email settings to use the ISP's mail server on port 587, and outbound emails are now working. This wasn't necessary for the previous ISP for some reason, even though they also blocked port 25.

For inbound, the ISP recommends port 110 or 995 with SSL, so looks like I will need to search the forums to see how to get that working (unless you have some quick pointers). In the meantime, I looked at the qpsmtpd/recent log. It shows there are some connections from the internet, but I don't think I like what they are:

Code:
2011-05-28 03:24:22.051685500 20440 dispatching DATA
2011-05-28 03:24:22.054253500 20440 354 go ahead
2011-05-28 03:24:22.331832500 20440 spooling message to disk
2011-05-28 03:24:22.676934500 20440 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
2011-05-28 03:24:22.704729500 20440 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1306578262:20440:0: OK
2011-05-28 03:24:22.709820500 20440 logging::logterse plugin (queue): ` 93.87.201.65 93-87-201-65.dynamic.isp.telekom.rs moscow-trade.ru <dypokow@moscow-trade.ru> <some email account on my domain> queued <201105281223.41394.dypokow@moscow-trade.ru>
2011-05-28 03:24:22.718280500 20445 queue::qmail_2dqueue plugin (queue): (for 20440 ) Queuing qp 20445 to /var/qmail/bin/qmail-queue
2011-05-28 03:24:22.773503500 20440 250 Queued! 1306578262 qp 20445 <201105281223.41394.dypokow@moscow-trade.ru>
2011-05-28 03:24:22.998715500 20440 dispatching QUIT
2011-05-28 03:24:22.998722500 20440 221 #######.net closing connection. Have a wonderful day.
2011-05-28 03:24:22.998726500 20440 click, disconnecting
2011-05-28 03:24:23.316330500 4465 cleaning up after 20440
2011-05-28 08:28:13.911608500 23427 Accepted connection 0/40 from 90.183.115.33 / gw03.ecic.cz
2011-05-28 08:28:13.912333500 23427 Connection from gw03.ecic.cz [90.183.115.33]
2011-05-28 08:28:13.927615500 23427 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-05-28 08:28:14.982999500 23427 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2011-05-28 08:28:14.993237500 23427 220 benten.drifand.net ESMTP
2011-05-28 08:28:15.427383500 23427 dispatching HELO gw03.ecic.cz
2011-05-28 08:28:15.433827500 23427 250 #########.net Hi gw03.ecic.cz [90.183.115.33]; I am so happy to meet you.
2011-05-28 08:28:15.927704500 23427 dispatching MAIL FROM:<amarkova@jnelectric.com>
2011-05-28 08:28:15.928993500 23427 full from_parameter: FROM:<amarkova@jnelectric.com>
2011-05-28 08:28:15.942568500 23427 getting mail from <amarkova@jnelectric.com>
2011-05-28 08:28:15.943002500 23427 250 <amarkova@jnelectric.com>, sender OK - how exciting to get mail from you!
2011-05-28 08:28:16.428201500 23427 dispatching RCPT TO:<different_user@mydomain.net>
2011-05-28 08:28:16.438454500 23427 check_goodrcptto plugin (rcpt): stripping '-' extensions
2011-05-28 08:28:16.467805500 23427 250 <different_user@mydomain.net>, recipient ok
2011-05-28 08:28:16.925829500 23427 dispatching DATA
2011-05-28 08:28:16.928363500 23427 354 go ahead
2011-05-28 08:28:17.429429500 23427 spooling message to disk
2011-05-28 08:28:17.503068500 23427 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
2011-05-28 08:28:17.527750500 23427 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1306596497:23427:0: OK
2011-05-28 08:28:17.532635500 23427 logging::logterse plugin (queue): ` 90.183.115.33 gw03.ecic.cz gw03.ecic.cz <amarkova@jnelectric.com> <different_user@mydomain.net> queued <000a01c40b73$c2b5dea0$507b2a59@stevef577bc085dprll>
2011-05-28 08:28:17.540641500 23433 queue::qmail_2dqueue plugin (queue): (for 23427 ) Queuing qp 23433 to /var/qmail/bin/qmail-queue
2011-05-28 08:28:17.600063500 23427 250 Queued! 1306596497 qp 23433 <000a01c40b73$c2b5dea0$507b2a59@stevef577bc085dprll>
2011-05-28 08:28:17.932333500 23427 dispatching QUIT
2011-05-28 08:28:17.932341500 23427 221 #######.net closing connection. Have a wonderful day.
2011-05-28 08:28:17.932346500 23427 click, disconnecting
2011-05-28 08:28:18.935744500 4465 cleaning up after 23427
2011-05-28 10:56:44.811590500 4474 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-05-28 10:56:44.966383500 4474 Listening on 0.0.0.0:25
2011-05-28 10:56:44.966390500 4474 Running as user qpsmtpd, group qpsmtpd
2011-05-28 10:56:44.966394500 4474 Initializing spool_dir
2011-05-28 10:56:44.966398500 4474 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-05-28 10:56:44.966402500 4474 size_threshold set to 0
2011-05-28 16:41:58.172947500 4476 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-05-28 16:41:58.242911500 4476 Listening on 0.0.0.0:25
2011-05-28 16:41:58.242919500 4476 Running as user qpsmtpd, group qpsmtpd
2011-05-28 16:41:58.242923500 4476 Initializing spool_dir
2011-05-28 16:41:58.242927500 4476 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-05-28 16:41:58.242931500 4476 size_threshold set to 0
2011-05-29 12:36:33.111213500 4479 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-05-29 12:36:33.325379500 4479 Listening on 0.0.0.0:25
2011-05-29 12:36:33.326838500 4479 Running as user qpsmtpd, group qpsmtpd
2011-05-29 12:36:33.327185500 4479 Initializing spool_dir
2011-05-29 12:36:33.329976500 4479 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-05-29 12:36:33.330862500 4479 size_threshold set to 0
2011-05-30 14:23:49.216612500 4479 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-05-30 14:23:49.224640500 4479 Initializing spool_dir
2011-05-30 14:23:49.224646500 4479 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-05-30 14:23:49.224651500 4479 size_threshold set to 0
2011-05-30 15:14:31.033047500 4479 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-05-30 15:14:31.040117500 4479 Initializing spool_dir
2011-05-30 15:14:31.040123500 4479 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-05-30 15:14:31.040128500 4479 size_threshold set to 0
2011-05-30 15:39:04.896941500 4479 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-05-30 15:39:04.896951500 4479 Initializing spool_dir
2011-05-30 15:39:04.900205500 4479 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-05-30 15:39:04.900212500 4479 size_threshold set to 0
2011-05-30 17:56:37.499279500 4479 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-05-30 17:56:37.505181500 4479 Initializing spool_dir
2011-05-30 17:56:37.507777500 4479 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-05-30 17:56:37.508568500 4479 size_threshold set to 0
2011-06-12 19:33:09.752967500 4479 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-06-12 19:33:09.822195500 4479 Initializing spool_dir
2011-06-12 19:33:09.822202500 4479 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-06-12 19:33:09.822207500 4479 size_threshold set to 0
2011-06-12 22:46:35.388267500 4474 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-06-12 22:46:35.443557500 4474 Listening on 0.0.0.0:25
2011-06-12 22:46:35.443565500 4474 Running as user qpsmtpd, group qpsmtpd
2011-06-12 22:46:35.443569500 4474 Initializing spool_dir
2011-06-12 22:46:35.443572500 4474 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-06-12 22:46:35.443577500 4474 size_threshold set to 0
2011-06-13 22:53:47.023284500 4474 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2011-06-13 22:53:47.028060500 4474 Initializing spool_dir
2011-06-13 22:53:47.028066500 4474 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
2011-06-13 22:53:47.028070500 4474 size_threshold set to 0



What does it mean by "Changing permissions on file to permit scanner access"? Also it looks like it's trying to send email from one account to another.
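
CharlieBrady's point earlier in the thread, that inbound problems show up as an absence of Internet-side connections in the qpsmtpd log, can be checked mechanically. The Python below is an added example, not part of any post: the field layout is assumed from the excerpt above, and `summarize`, `is_local` and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# RFC 1918 and loopback ranges: clients here are local, not Internet mail servers.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Field layout assumed from the qpsmtpd log excerpt in this thread.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \d+ (.*)$")
ACCEPT = re.compile(r"^Accepted connection \d+/\d+ from (\S+) / \S+")
TERSE = re.compile(r"^logging::logterse plugin \(\w+\): ` (\S+) \S+ \S+ <([^>]*)> <([^>]*)> (\S+)")

# Constructed sample (not the poster's log); 192.0.2.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
2011-05-28 03:24:22.709820500 20440 logging::logterse plugin (queue): ` 198.51.100.65 dyn.example.com example.com <a@example.com> <user@mydomain.net> queued <m1@example.com>
2011-05-28 08:28:13.911608500 23427 Accepted connection 0/40 from 192.0.2.33 / gw.example.org
2011-05-28 08:28:17.532635500 23427 logging::logterse plugin (queue): ` 192.0.2.33 gw.example.org gw.example.org <b@example.org> <other@mydomain.net> queued <m2@example.org>
2011-05-28 09:00:01.000000500 23500 Accepted connection 0/40 from 192.168.1.20 / pc.mydomain.net
2011-05-28 10:56:44.966383500 4474 Listening on 0.0.0.0:25
2011-06-12 22:46:35.443557500 4474 Listening on 0.0.0.0:25
"""

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def summarize(log_text):
    """Collect evidence of Internet-side SMTP connections in a qpsmtpd log."""
    external, queued, starts = [], [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if (a := ACCEPT.match(msg)) and not is_local(a.group(1)):
            external.append(ts)
        elif (t := TERSE.match(msg)) and not is_local(t.group(1)):
            external.append(ts)  # excerpts may start mid-session, so count these too
            if t.group(4) == "queued":
                queued.append((t.group(1), t.group(2), t.group(3)))
        elif msg.startswith("Listening on "):
            starts.append(ts)  # daemon (re)start
    last = max(external, default=None)
    return {"last_external": last, "queued": queued,
            "starts_after_last": sum(1 for s in starts if last is None or s > last)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A `last_external` that is old (or `None`) while the daemon has restarted since then means port 25 traffic is no longer arriving. The log alone cannot say whether DNS, port forwarding or the ISP is the cause.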
Title: Re: Cannot send, cannot receive email.
Post by: cactus on June 14, 2011, 09:41:36 AM
Quote
What does it mean by "Changing permissions on file to permit scanner access"? Also it looks like it's trying to send email from one account to another.

Exactly what it says, it is log noise. The mail is stored in the filesystem and the ownership of that file is changed so the virus scanner which is running as a different user can access it.
Title: Re: Cannot send, cannot receive email.
Post by: CharlieBrady on June 14, 2011, 01:57:26 PM
Quote
For inbound, the ISP recommends port 110 or 995 with SSL, ...

No, that is IMAP, which mail clients use to fetch messages. That's not inbound mail to your domain, which uses SMTP on port 25.

If your ISP blocks port 25 inbound (although it looks like they do not), then you either need to use an external relay service, or you need to use multi-drop fetchmail. Or you need to change ISP.
Title: Re: Cannot send, cannot receive email.
Post by: Shilotsugu on June 15, 2011, 09:22:29 AM
So how can I verify the ISP is not blocking port 25? I have all domain services (including MX) pointing to the external IP (mail.xxxxxx.net --> ###.###.###.###). The SME is in server-gateway mode behind a bridged modem. Again, I had this similar setup working once before with the previous ISP who also claimed to block port 25. But it was difficult and I can't seem to recall which combination of magic commands I used to do so.

Fetchmail looks to be rather complicated for what should be a simple solution on SME. I don't really have the time to manually input and manage all the possible external mailboxes that may want to send to the accounts on the server. Sometimes I want to send from hotmail or gmail, multi-drop doesn't appear to handle that.

Quote
Or you need to change ISP.

I really don't understand how this suggestion can be continually given so cavalierly as a catch all recommendation - like it was as simple as changing shoes. There is either the cable monopoly which caps data and charges excessively for overages (and don't seem to like having servers on their network), or the DSL monopoly which are also now charging for data caps. I was lucky enough to come across this ISP which provides 'dumb' pipe but apparently don't like port 25 on dynamic IPs (can't afford a static plan at the moment).

It's just frustrating that things which worked fine before no longer do so in ways that seem simple enough to fix on the surface.
Title: Re: Cannot send, cannot receive email.
Post by: janet on June 15, 2011, 09:43:40 AM
Shilotsugu

Quote
So how can I verify the ISP is not blocking port 25?

Do a port scan from a workstation behind the sme server
http://www.grc.com/intro.htm

Quote
I have all domain services (including MX) pointing to the external IP (mail.xxxxxx.net --> ###.###.###.###). The SME is in server-gateway mode behind a bridged modem.

That is only good where you have a static IP issued by your ISP.
You say you have a dynamic service implying a dynamic or changing "public" IP.
You need to configure a dynamic client to update the external records each time the IP changes.
SME server has that by default (for the one main domain), step through the Configure this server options in the console (log in as admin).
Otherwise you can install the ddclient contrib to manage multiple hosted domains on the dynamic IP.

Quote
I was lucky enough to come across this ISP which provides 'dumb' pipe but apparently don't like port 25 on dynamic IPs (can't afford a static plan at the moment).

If your ISP is truly blocking port 25 then you could try this
http://wiki.contribs.org/PortRedirect

The additional cost may not be worth the effort or be desirable for your pocket. As suggested, it may be better to pay more for an ISP who does not block port 25, and this may actually turn out to be the cheaper overall option.

If you want to run a mail server, then there are certain technical requirements that must be met, it's as simple as that.
Title: Re: Cannot send, cannot receive email.
Post by: CharlieBrady on June 15, 2011, 02:19:53 PM
Quote
Do a port scan from a workstation behind the sme server
http://www.grc.com/intro.htm

grc.com is actually doing the port scan from the Internet side, not from a workstation. You would be initiating the scan from the workstation. The scan option is hidden under Services->Shields Up!

Alternatively, you can use an online service to verify DNS and port 25 access, for example http://www.mxtoolbox.com.
Title: Re: Cannot send, cannot receive email.
Post by: Shilotsugu on June 23, 2011, 08:36:33 PM
OK, I give up. It sounds like everyone is telling me what I want is not technically possible. It must have been some kind of fluke then that I was able to do so for a couple years on the other ISP's dynamic plan. And despite being dynamic, the IP did not change - which I would make sure from time to time by looking at GRC. I asked how to verify if port 25 was blocked because it seemed you were able to tell from the logs I posted.

At any rate, I've shelled out for the static plan. It's much more expensive now, but at least the headaches have stopped. Also, email in both directions succeeds. Thanks for your help.