Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Tracking down sending failures

  1. #1
    briansrapier's Avatar
    briansrapier is offline Active Member
    Join Date
    Apr 2007
    Location
    WV
    Posts
    49
    Rep Power
    8

    Default Tracking down sending failures

    I am in the process of tweaking a recent installation of ZCS 4.5.6 on CentOS 4.5. After rolling out early last month I encountered numerous issues having to do with sending to domains outside my own. I traced a majority of the issues back to the fact that, since I have running a Zimbra cluster in active/passive mode, even though I receive/listen on the IP address of the cluster, mail is being sent from the active node.

    Example:
    host internal external
    mx 10.10.22.10 xxx.xxx.xxx.99
    mx1 10.10.22.11 xxx.xxx.xxx.96 (no external DNS name)
    mx2 10.10.22.12 xxx.xxx.xxx.97 (no external DNS name)

    My MX record points to mx.domain.com and I have rDNS set up to point .96 and .97 back to mx.domain.com.

    I have an SPF record for my domain that states:

    domain.com. IN TXT "v=spf1 ip:xxx.xxx.xxx.96 ip:xxx.xxx.xxx.97 mx ptr ?all"
    mx.domain.com IN TXT "v=spf1 a -all"

    However, despite my best efforts, I still am getting a number of domains that are outright rejecting/refusing my connections or receiving messages like:

    "451 4.8.1 possibly forged hostname for xxx.xxx.xxx.96 (in reply to rcpt to command)"
    "451 could not complete sender verify callout (in reply to rcpt to command)"
    "450 client host rejected: cannot find your hostname. [xxx.xxx.xxx.96](in reply to rcpt to command)"

    Here is an example of a typical header:

    Delivered-To: xxxxxxx@gmail.com
    Received: by 10.78.198.12 with SMTP id v12cs184219huf;
    Tue, 4 Sep 2007 07:30:42 -0700 (PDT)
    Received: by 10.35.96.6 with SMTP id y6mr7418093pyl.1188916237540;
    Tue, 04 Sep 2007 07:30:37 -0700 (PDT)
    Return-Path: <user@domain.com>
    Received: from mx.domain.com ([xxx.xxx.xxx.96])
    by mx.google.com with ESMTP id f10si6827369pyh.2007.09.04.07.30.36;
    Tue, 04 Sep 2007 07:30:37 -0700 (PDT)
    Received-SPF: pass (google.com: domain of user@domain.com designates xxx.xxx.xxx.96 as permitted sender) client-ip=xxx.xxx.xxx.96;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of user@domain.com designates xxx.xxx.xxx.96 as permitted sender) smtp.mail=user@domain.com
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mx.domain.com (Postfix) with ESMTP id B528C1D787DB
    for <xxxxxxx@gmail.com>; Tue, 4 Sep 2007 10:23:11 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at
    X-Spam-Score: -4.399
    X-Spam-Level:
    X-Spam-Status: No, score=-4.399 tagged_above=-10 required=4.2
    tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599]
    Received: from mx.domain.com ([127.0.0.1])
    by localhost (mx.domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id JVMUUEQnKmgU for <xxxxxxxx@gmail.com>;
    Tue, 4 Sep 2007 10:23:11 -0400 (EDT)
    Received: from mx.domain.com (mx.domain.com [10.10.22.10])
    by mx.domain.com (Postfix) with ESMTP id 756181D787D9
    for <xxxxxxxxx@gmail.com>; Tue, 4 Sep 2007 10:23:11 -0400 (EDT)
    Date: Tue, 4 Sep 2007 10:23:11 -0400 (EDT)
    From: User Name <user@domain.com>
    To: XXXXXXX <xxxxxxxx@gmail.com>
    Message-ID: <24761011.169661188915791455.JavaMail.root@mx1.dom ain.com>
    Subject: Test
    MIME-Version: 1.0
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit
    X-Originating-IP: [10.10.57.107]

    So, either I have DNS messed up somehow, or there is something that is not being properly passed to certain domains. Which is it?

  2. #2
    jholder's Avatar
    jholder is offline Former Zimbran
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    20

    Default

    Do you have a reverse lookup record?

  3. #3
    briansrapier's Avatar
    briansrapier is offline Active Member
    Join Date
    Apr 2007
    Location
    WV
    Posts
    49
    Rep Power
    8

    Default

    Yes, though I didn't explicitly state it above, my DNS/rDNS is as follows:

    Forward Lookup:

    IN MX 10 mx.domain.com
    mx IN A xxx.xxx.xxx.99

    Reverse Lookup:

    96.xxx.xxx.xxx.IN-ADDR.ARPA. IN PTR mx.domain.com
    97.xxx.xxx.xxx.IN-ADDR.ARPA. IN PTR mx.domain.com
    99.xxx.xxx.xxx.IN-ADDR.ARPA. IN PTR mx.domain.com

  4. #4
    briansrapier's Avatar
    briansrapier is offline Active Member
    Join Date
    Apr 2007
    Location
    WV
    Posts
    49
    Rep Power
    8

    Default

    Bump, please.

  5. #5
    jholder's Avatar
    jholder is offline Former Zimbran
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    20

    Default

    Can you send me an e-mail from your domain?
    jholder@zimbra.com

    I want to look at the headers

  6. #6
    briansrapier's Avatar
    briansrapier is offline Active Member
    Join Date
    Apr 2007
    Location
    WV
    Posts
    49
    Rep Power
    8

    Default

    I noticed that, when running a manual connection (`telnet mx.server.com 25`) and issue `helo domain.com` my mail is accepted as opposed to `helo mx.domain.com`. When I built the cluster, ZCS automatically populated my cluster name `mx.domain.com` as my 'smtp_helo_name'.

    Does anyone know if it's acceptable to use 'domain.com' instead of 'mx.domain.com' and still be in compliance with the RFCs?

  7. #7
    briansrapier's Avatar
    briansrapier is offline Active Member
    Join Date
    Apr 2007
    Location
    WV
    Posts
    49
    Rep Power
    8

    Default

    Bump, please.

  8. #8
    briansrapier's Avatar
    briansrapier is offline Active Member
    Join Date
    Apr 2007
    Location
    WV
    Posts
    49
    Rep Power
    8

    Default

    Bump, please.

  9. #9
    jholder's Avatar
    jholder is offline Former Zimbran
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    20

    Default

    Hi Brian-
    5.2.5 HELO Command: RFC-821 Section 3.5

    The sender-SMTP MUST ensure that the <domain> parameter in a HELO command is a valid principal host domain name for the client host. As a result, the receiver-SMTP will not have to perform MX resolution on this name in order to validate the HELO parameter.

    The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification.

    DISCUSSION:

    Verifying the HELO parameter requires a domain name lookup and may therefore take considerable time. An alternative tool for tracking bogus mail sources is suggested below (see "DATA Command").

    Note also that the HELO argument is still required to have valid <domain> syntax, since it will appear in a Received: line; otherwise, a 501 error is to be sent.

    IMPLEMENTATION:

    When HELO parameter validation fails, a suggested procedure is to insert a note about the unknown authenticity of the sender into the message header (e.g., in the "Received:" line).
    Judging by that, I would say it is acceptable.

    Best,
    john

  10. #10
    briansrapier's Avatar
    briansrapier is offline Active Member
    Join Date
    Apr 2007
    Location
    WV
    Posts
    49
    Rep Power
    8

    Default

    So, if I were planning on changing the smtp_helo_name, is it the MTA hostname setting under global or server settings? If I can avoid it, I don't like playing around with the main.cf or zmlocalconfig settings if I can help it. With the cluster, it has produced some interesting results.

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Logwatch stops sending mail?
    By byte in forum Administrators
    Replies: 4
    Last Post: 12-18-2010, 08:57 AM
  2. Replies: 4
    Last Post: 02-20-2009, 01:29 AM
  3. Limiting External Sending per Account
    By dmg in forum Administrators
    Replies: 1
    Last Post: 07-23-2007, 11:45 AM
  4. Replies: 3
    Last Post: 07-19-2007, 02:00 AM
  5. Problem sending and Receiving mail
    By geroshea in forum Installation
    Replies: 3
    Last Post: 03-06-2006, 10:16 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •