Our backup mail server (which I have just re-configured) tries to contact the primary mail server, and fails. My log shows repeatedly "connection refused":
May 15 22:21:41 mx2 sm-mta-rx[8674]: q4FIhPij007483: makeconnection (mail.greenspot.fi. [83.143.217.182]) failed: Connection refused by mail.greenspot.fi.
May 15 22:21:41 mx2 sm-mta-rx[8674]: q4FIhPij007483: to=myuser@mydomain.com, delay=00:38:16, xdelay=00:00:00, mailer=esmtp, pri=10021795, relay=mail.greenspot.fi. [83.143.217.182], dsn=4.0.0, stat=Deferred: Connection refused by mail.greenspot.fi.
But yet I can successfully telnet that host:
# telnet mail.greenspot.fi 25
Trying 83.143.217.182...
Connected to mail.greenspot.fi (83.143.217.182).
Escape character is '^]'.
220 mail.greenspot.fi ESMTP Sendmail; Tue, 15 May 2012 22:34:22 +0300
Also, the mailer-daemon *can* send automatic warning messages to mail.greenspot.fi just fine.
So, the error probably is in my sendmail configuration.
The error appeared as I today reconfigured the backup mail server to use a "dual sendmail" setup with amavis and greylisting. How could I proceed?
- Jussi
Am 15.05.2012 21:44, schrieb Jussi Hirvi:
Our backup mail server (which I have just re-configured) tries to contact the primary mail server, and fails. My log shows repeatedly "connection refused":
May 15 22:21:41 mx2 sm-mta-rx[8674]: q4FIhPij007483: makeconnection (mail.greenspot.fi. [83.143.217.182]) failed: Connection refused by mail.greenspot.fi.
May 15 22:21:41 mx2 sm-mta-rx[8674]: q4FIhPij007483: to=myuser@mydomain.com, delay=00:38:16, xdelay=00:00:00, mailer=esmtp, pri=10021795, relay=mail.greenspot.fi. [83.143.217.182], dsn=4.0.0, stat=Deferred: Connection refused by mail.greenspot.fi.
But yet I can successfully telnet that host:
# telnet mail.greenspot.fi 25
Trying 83.143.217.182...
Connected to mail.greenspot.fi (83.143.217.182).
Escape character is '^]'.
220 mail.greenspot.fi ESMTP Sendmail; Tue, 15 May 2012 22:34:22 +0300
It is technically impossible that the telnet to target port 25 succeeds from the same system on which the Sendmail gets a connection refused, unless Sendmail is configured to use a non-standard target port.
Also, the mailer-daemon *can* send automatic warning messages to mail.greenspot.fi just fine.
So, the error probably is in my sendmail configuration.
The error appeared as I today reconfigured the backup mail server to use a "dual sendmail" setup with amavis and greylisting. How could I proceed?
Deeply inspect your sendmail.mc files. Provide them here if you like to get assistance.
- Jussi
Alexander
On 15.5.2012 23.22, Alexander Dalloz wrote:
It is technically impossible that the telnet to target port 25 succeeds from the same system on which the Sendmail gets a connection refused, unless Sendmail is configured to use a non-standard target port.
That is why I am baffled. :-/
I could use a way to see what port sendmail is actually using to make the contact. My assumption is that when the log entry (see my orig post) says "mailer=esmtp,", it implies port 25 - but then it really does not make sense that the connection is refused.
On the primary mail server (which I try in vain to contact) I see *nothing* about the failed connections in the maillog, even though I raised log_level to 19.
Below is my thishost-tx.mc. It looks totally ok to me, but maybe somebody else spots something there. This is a dual-sendmail setup, and this is the conf for the transmitting sendmail instance.
- Jussi
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`MTA-TX jh-2012-05')dnl
OSTYPE(`linux')dnl
define(`confSMTP_LOGIN_MSG', `$w.tx.$m Sendmail $v/$Z; $b')dnl MTA-TX
define(`confLOG_LEVEL', `19')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,restrictmailq')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_QUEUEWARN', `2h')dnl
define(`confTO_QUEUERETURN', `2d')dnl
define(`confREFUSE_LA', `999')dnl disabled; limiting belongs to MTA-RX
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`nocanonify')dnl host/dom names considered canonical at MTA-TX
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl (= local-host-names)
FEATURE(use_ct_file)dnl
define(`confMAX_DAEMON_CHILDREN', `0') dnl disabled; limiting belongs to MTA-RX
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Addr=127.0.0.1,Port=10025,Name=MTA-TX')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
LOCAL_DOMAIN(`[127.0.0.1]')dnl
LOCAL_DOMAIN(`127.0.0.1')dnl
MAILER(smtp)dnl
Am 15.05.2012 22:48, schrieb Jussi Hirvi:
Below is my thishost-tx.mc. It looks totally ok to me, but maybe somebody else spots something there. This is a dual-sendmail setup, and this is the conf for the transmitting sendmail instance.
- Jussi
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`MTA-TX jh-2012-05')dnl
OSTYPE(`linux')dnl
define(`confSMTP_LOGIN_MSG', `$w.tx.$m Sendmail $v/$Z; $b')dnl MTA-TX
define(`confLOG_LEVEL', `19')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,restrictmailq')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_QUEUEWARN', `2h')dnl
define(`confTO_QUEUERETURN', `2d')dnl
define(`confREFUSE_LA', `999')dnl disabled; limiting belongs to MTA-RX
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`nocanonify')dnl host/dom names considered canonical at MTA-TX
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl (= local-host-names)
FEATURE(use_ct_file)dnl
define(`confMAX_DAEMON_CHILDREN', `0') dnl disabled; limiting belongs to MTA-RX
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Addr=127.0.0.1,Port=10025,Name=MTA-TX')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
LOCAL_DOMAIN(`[127.0.0.1]')dnl
LOCAL_DOMAIN(`127.0.0.1')dnl
MAILER(smtp)dnl
What is the content of the submit.mc? Your previous log snippet showed
May 15 22:21:41 mx2 sm-mta-rx[8674]: q4FIhPij007483: makeconnection
So "sm-mta-rx" must be defined somewhere.
Alexander
On 15.5.2012 23.54, Alexander Dalloz wrote:
What is the content of the submit.mc? Your previous log snippet showed
May 15 22:21:41 mx2 sm-mta-rx[8674]: q4FIhPij007483: makeconnection
So "sm-mta-rx" must be defined somewhere.
Yes. In a dual sendmail setup there are two instances of sendmail. The receiving one ("rx") dumps all email to amavis (TCP 10024), and then amavis hauls everything back again to the other instance ("tx") (using TCP 10025), which sends it away over net or piles it up in local mailboxes.
My conf for the "rx" instance is probably not important, as the "rx" instance does not actually contact anything outside localhost. The submit conf is for mail submission, so it is probably not used here.
- Jussi
Jussi Hirvi wrote:
On 15.5.2012 23.54, Alexander Dalloz wrote:
What is the content of the submit.mc? Your previous log snippet showed
May 15 22:21:41 mx2 sm-mta-rx[8674]: q4FIhPij007483: makeconnection
So "sm-mta-rx" must be defined somewhere.
Yes. In a dual sendmail setup there are two instances of sendmail. The receiving one ("rx") dumps all email to amavis (TCP 10024), and then amavis hauls everything back again to the other instance ("tx") (using TCP 10025), which sends it away over net or piles it up in local mailboxes.
My conf for the "rx" instance is probably not important, as the "rx" instance does not actually contact anything outside localhost. The submit conf is for mail submission, so it is probably not used here.
Hmmm... dumb question: is anything out of disk space?
mark
Am 15.05.2012 23:19, schrieb Jussi Hirvi:
On 15.5.2012 23.54, Alexander Dalloz wrote:
What is the content of the submit.mc? Your previous log snippet showed
May 15 22:21:41 mx2 sm-mta-rx[8674]: q4FIhPij007483: makeconnection
So "sm-mta-rx" must be defined somewhere.
Yes. In a dual sendmail setup there are two instances of sendmail. The receiving one ("rx") dumps all email to amavis (TCP 10024), and then amavis hauls everything back again to the other instance ("tx") (using TCP 10025), which sends it away over net or piles it up in local mailboxes.
My conf for the "rx" instance is probably not important, as the "rx" instance does not actually contact anything outside localhost. The submit conf is for mail submission, so it is probably not used here.
- Jussi
And exactly somewhere there is your issue!
sm-mta-rx is failing according to your log. We can't judge if more is failing as you did not post any further log content showing connection problems.
I know what the dual Sendmail setup is, used it some time in the past, dropped it when the milter came out.
Repeated, your issue at this point is the sm-mta-rx instance. Unfortunately you did not provide the complete configuration, especially not the config with the sm-mta-rx definition. At least sm-mta-rx does not transport the mail to amavis but tries to deliver it to the primary mail server.
Alexander
On 15.5.2012 23.54, Alexander Dalloz wrote:
So "sm-mta-rx" must be defined somewhere.
Just in case, here is my conf for the rx instance. To repeat, this sendmail instance sends everything to amavisd at port 10024. - Jussi
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`MTA-RX jh-2012-05')dnl
OSTYPE(`linux')dnl
define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
define(`confLOG_LEVEL', `19')dnl # default: 9
INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `60m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,noverb,needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictmailq')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confCRL', `/etc/mail/certs/revoke.crl')dnl
define(`confTO_QUEUEWARN', `5m')dnl
define(`confTO_QUEUERETURN', `2d')dnl
define(`confDELAY_LA', `12')dnl added by jh, see batbook 1002
define(`confREFUSE_LA', `20')dnl upped by jh from 18
define(`confTO_IDENT', `0')dnl 0 = ident disabled
define(`confTO_RESOLVER_RETRANS_FIRST', `2')dnl
define(`confTO_RESOLVER_RETRANS_NORMAL', `10')dnl
define(`confTO_RESOLVER_RETRY_FIRST', `2')dnl
define(`confTO_RESOLVER_RETRY_NORMAL', `5')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(nocanonify)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
define(`confMAX_DAEMON_CHILDREN', `130')dnl
define(`confMIN_FREE_BLOCKS', `10000')dnl added by jh (see dual-readme)
define(`confCONNECTION_RATE_THROTTLE', `3')dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`greet_pause',`1000')dnl
FEATURE(`compat_check')dnl
EXPOSED_USER(`root')dnl
FEATURE(`dnsbl', `blackholes.mail-abuse.org', `"550 Email rejected due to sending server misconfiguration - see http://blackholes.mail-abuse.org/faq/#why_rejected"')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"550 Email rejected due to sending server misconfiguration - see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
DAEMON_OPTIONS(`Port=smtp,Name=MTA25-RX,M=SA')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
define(`confPID_FILE', `/var/run/sendmail-rx.pid')dnl
define(`STATUS_FILE', `/etc/mail/stat-rx')dnl
define(`QUEUE_DIR', `/var/spool/mqueue-rx')dnl
define(`confQUEUE_SORT_ORDER', `Modification')dnl
QUEUE_GROUP(`mqueue',``P=/var/spool/mqueue-rx,R=4,F=f'')dnl
FEATURE(stickyhost)dnl Keep env addr "u@local.host" when fwd to MAIL_HUB
define(`MAIL_HUB', `esmtp:[127.0.0.1]')dnl fw all local mail to amavisd
define(`SMART_HOST', `esmtp:[127.0.0.1]')dnl fw all other mail to amavisd
define(`LOCAL_RELAY',`esmtp:[127.0.0.1]')dnl
define(`confDELIVERY_MODE',`q')dnl a must, if u want to specify nr of q runners
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')dnl
define(`SMTP_MAILER_MAXMSGS',`10')dnl Max no. of msgs in a single connection
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl # three undefines for dual-sendmail setup - jh
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
undefine(`DECNET_RELAY')dnl
MAILER(smtp)dnl
on 5/15/2012 2:39 PM Jussi Hirvi spake the following:
On 15.5.2012 23.54, Alexander Dalloz wrote:
So "sm-mta-rx" must be defined somewhere.
Just in case, here is my conf for the rx instance. To repeat, this sendmail instance sends everything to amavisd at port 10024.
- Jussi
<snip>
EXPOSED_USER(`root')dnl
FEATURE(`dnsbl', `blackholes.mail-abuse.org', `"550 Email rejected due to sending server misconfiguration - see http://blackholes.mail-abuse.org/faq/#why_rejected"')dnl
Trend micro bought this blackholes list a while back... is it still working? I thought it moved to a dot com domain...
Am 15.05.2012 23:39, schrieb Jussi Hirvi:
On 15.5.2012 23.54, Alexander Dalloz wrote:
So "sm-mta-rx" must be defined somewhere.
Just in case, here is my conf for the rx instance. To repeat, this sendmail instance sends everything to amavisd at port 10024.
- Jussi
Ah, here it is. Sorry, did not see this mail.
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`MTA-RX jh-2012-05')dnl
OSTYPE(`linux')dnl
define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
define(`confLOG_LEVEL', `19')dnl # default: 9
INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `60m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,noverb,needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictmailq')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confCRL', `/etc/mail/certs/revoke.crl')dnl
define(`confTO_QUEUEWARN', `5m')dnl
define(`confTO_QUEUERETURN', `2d')dnl
define(`confDELAY_LA', `12')dnl added by jh, see batbook 1002
define(`confREFUSE_LA', `20')dnl upped by jh from 18
define(`confTO_IDENT', `0')dnl 0 = ident disabled
define(`confTO_RESOLVER_RETRANS_FIRST', `2')dnl
define(`confTO_RESOLVER_RETRANS_NORMAL', `10')dnl
define(`confTO_RESOLVER_RETRY_FIRST', `2')dnl
define(`confTO_RESOLVER_RETRY_NORMAL', `5')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(nocanonify)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
define(`confMAX_DAEMON_CHILDREN', `130')dnl
define(`confMIN_FREE_BLOCKS', `10000')dnl added by jh (see dual-readme)
define(`confCONNECTION_RATE_THROTTLE', `3')dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`greet_pause',`1000')dnl
FEATURE(`compat_check')dnl
EXPOSED_USER(`root')dnl
FEATURE(`dnsbl', `blackholes.mail-abuse.org', `"550 Email rejected due to sending server misconfiguration - see http://blackholes.mail-abuse.org/faq/#why_rejected"')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"550 Email rejected due to sending server misconfiguration - see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
DAEMON_OPTIONS(`Port=smtp,Name=MTA25-RX,M=SA')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
define(`confPID_FILE', `/var/run/sendmail-rx.pid')dnl
define(`STATUS_FILE', `/etc/mail/stat-rx')dnl
define(`QUEUE_DIR', `/var/spool/mqueue-rx')dnl
define(`confQUEUE_SORT_ORDER', `Modification')dnl
QUEUE_GROUP(`mqueue',``P=/var/spool/mqueue-rx,R=4,F=f'')dnl
FEATURE(stickyhost)dnl Keep env addr "u@local.host" when fwd to MAIL_HUB
define(`MAIL_HUB', `esmtp:[127.0.0.1]')dnl fw all local mail to amavisd
define(`SMART_HOST', `esmtp:[127.0.0.1]')dnl fw all other mail to amavisd
define(`LOCAL_RELAY',`esmtp:[127.0.0.1]')dnl
define(`confDELIVERY_MODE',`q')dnl a must, if u want to specify nr of q runners
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')dnl
Right, here you modify the target port of that Sendmail instance. And I bet $1.000 that if you tcpdump on the main mail server you will see the sending attempt to come in there at port 10024 and thus Sendmail (this one here) gets a connection refused.
define(`SMTP_MAILER_MAXMSGS',`10')dnl Max no. of msgs in a single connection
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl # three undefines for dual-sendmail setup - jh
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
undefine(`DECNET_RELAY')dnl
MAILER(smtp)dnl
Alexander
On 16.5.2012 1.03, Alexander Dalloz wrote:
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')dnl
Right, here you modify the target port of that Sendmail instance. And I bet $1.000 that if you tcpdump on the main mail server you will see the sending attempt to come in there at port 10024 and thus Sendmail (this one here) gets a connection refused.
Looks like you are right - and that's a breakthrough! I checked on the primary mail server using simply tcpdump host 83.143.217.179 and I noticed connections to port 10024.
I should have used tcpdump earlier in this process - but better late than never.
Now I just have to fix the sendmail ("rx" instance) config so that it really sends the email to localhost (where amavis is listening), instead of trying to send directly to the final destination. So far no luck. A similar setup works ok on the primary mail server, so I don't know why this one does not work.
- Jussi
On 16.5.2012 2.42, Jussi Hirvi wrote:
Now I just have to fix the sendmail ("rx" instance) config so that it really sends the email to localhost (where amavis is listening), instead of trying to send directly to the final destination.
Ok, I found it, and it is *so* obvious. Still it took me hours to find it.
I had this in my config for the "rx" instance of sendmail.
FEATURE(`mailertable', `hash /etc/mail/mailertable.db')
And my mailertable contained static routing for all domains that are local to our primary mail server. Example:
greenspot.fi esmtp:[mail.greenspot.fi]
So sendmail was only following orders. Solution: comment out the mailertable line from the sendmail config.
Thanks to everyone, and especially to Alexander for reading so carefully my emails and giving the breakthrough tip. I love you!
- Jussi 4.55 AM local time
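A small checker for the misrouting diagnosed in this thread, added here as an illustration and not code from any poster: it flags mailertable routes whose mailer has a non-standard port set through a `*_MAILER_ARGS` define and whose target is not loopback. The sample `.mc` lines and mailertable are constructed from lines quoted in the thread, and all function names are made up for this example.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread's "rx" instance (not the full files).
SAMPLE_MC = """\
FEATURE(`mailertable', `hash /etc/mail/mailertable.db')dnl
define(`SMART_HOST', `esmtp:[127.0.0.1]')dnl fw all other mail to amavisd
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')dnl
MAILER(smtp)dnl
"""
SAMPLE_MAILERTABLE = """\
# constructed mailertable source
greenspot.fi\tesmtp:[mail.greenspot.fi]
lists.example.org\tesmtp:[127.0.0.1]
old.example.org\tlocal:
"""

STANDARD_PORTS = {"25", "smtp"}


def active_lines(mc_text):
    """Drop lines that m4 never expands: `dnl ...` and `# ...` comment lines."""
    return [ln for ln in mc_text.splitlines()
            if not ln.lstrip().startswith(("dnl", "#"))]


def port_overrides(mc_text):
    """Map mailer name -> port for each *_MAILER_ARGS define with a non-standard port."""
    pat = re.compile(r"define\(\s*`([A-Z0-9]+)_MAILER_ARGS'\s*,\s*`([^']*)'\s*\)")
    overrides = {}
    for line in active_lines(mc_text):
        for name, args in pat.findall(line):
            parts = args.split()  # e.g. ["TCP", "$h", "10024"]
            if len(parts) >= 3 and parts[0] == "TCP" and parts[2] not in STANDARD_PORTS:
                overrides[name.lower()] = parts[2]
    return overrides


def mailertable_enabled(mc_text):
    """True if FEATURE(mailertable) appears on a line that is not commented out."""
    return any(re.search(r"FEATURE\(\s*`?mailertable\b", ln)
               for ln in active_lines(mc_text))


def is_loopback(host):
    h = host.strip("[]")
    if h.lower().startswith("ipv6:"):
        h = h[5:]
    if h.lower().rstrip(".") in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False  # a hostname: assume it is a remote machine


def parse_mailertable(text):
    """Yield (domain, mailer, [hosts]) from mailertable source text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or ":" not in fields[1]:
            continue
        mailer, _, hostpart = fields[1].partition(":")
        yield fields[0], mailer, re.findall(r"\[[^\]]*\]|[^:\s]+", hostpart)


def find_misrouted(mc_text, mailertable_text):
    """Return (domain, mailer, host, port) for routes that leave the box on the filter port."""
    if not mailertable_enabled(mc_text):
        return []
    overrides = port_overrides(mc_text)
    return [(dom, mailer, host, overrides[mailer])
            for dom, mailer, hosts in parse_mailertable(mailertable_text)
            if mailer in overrides
            for host in hosts if not is_loopback(host)]


if __name__ == "__main__":
    for dom, mailer, host, port in find_misrouted(SAMPLE_MC, SAMPLE_MAILERTABLE):
        print(f"{dom}: {mailer} will connect to {host} on port {port}, not 25")
```

With the mailertable FEATURE line prefixed by `dnl`, as in the fix described above, the same inputs produce no findings.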
On 5/15/2012 4:48 PM, Jussi Hirvi wrote:
On 15.5.2012 23.22, Alexander Dalloz wrote:
It is technically impossible that the telnet to target port 25 succeeds from the same system on which the Sendmail gets a connection refused, unless Sendmail is configured to use a non-standard target port.
That is why I am baffled. :-/
I could use a way to see what port sendmail is actually using to make the contact. My assumption is that when the log entry (see my orig post) says "mailer=esmtp,", it implies port 25 - but then it really does not make sense that the connection is refused.
On the primary mail server (which I try in vain to contact) I see *nothing* about the failed connections in the maillog, even though I raised log_level to 19.
You could use wireshark to monitor the network traffic and determine exactly what happens when sendmail tries to make the connection.
On 5/15/2012 4:57 PM, Bowie Bailey wrote:
On 5/15/2012 4:48 PM, Jussi Hirvi wrote:
On 15.5.2012 23.22, Alexander Dalloz wrote:
It is technically impossible that the telnet to target port 25 succeeds from the same system on which the Sendmail gets a connection refused, unless Sendmail is configured to use a non-standard target port.
That is why I am baffled. :-/
I could use a way to see what port sendmail is actually using to make the contact. My assumption is that when the log entry (see my orig post) says "mailer=esmtp,", it implies port 25 - but then it really does not make sense that the connection is refused.
On the primary mail server (which I try in vain to contact) I see *nothing* about the failed connections in the maillog, even though I raised log_level to 19.
You could use wireshark to monitor the network traffic and determine exactly what happens when sendmail tries to make the connection.
A couple of things to check. I don't know if these servers are in the same location or not but it is possible if not, that your provider blocks port 25. Here are two configs to check.
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
If this is not done on the primary, it will not listen to anything but itself.... so the backup wouldn't be able to contact it.
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
and this if it is possible that port 25 is blocked.
Sorry if this has already been discussed. I stepped in late on the conversation.
On 16.5.2012 0.18, John Hinton wrote:
A couple of things to check. I don't know if these servers are in the same location or not but it is possible if not, that your provider blocks port 25. Here are two configs to check.
Thanks for input. I can make the contact from the backup-mailserver to the primary mailserver manually using telnet (details in previous posts), which proves that 25 is not blocked.
BTW, the two servers are virtual machines in one and the same physical box.
- Jussi
On Wed, 16 May 2012 00:31:22 +0300 Jussi Hirvi wrote:
BTW, the two servers are virtual machines in one and the same physical box.
What's the point of that? (Genuine question.)
One server here, one across town, or even two separate boxes in a single room -- sure. But in the same box? If the box is on fire, now you're out both your main and your backup server.
I must be missing something; what is it?
On Tue, May 15, 2012 at 3:37 PM, Frank Cox theatre@melvilletheatre.com wrote:
On Wed, 16 May 2012 00:31:22 +0300 Jussi Hirvi wrote:
BTW, the two servers are virtual machines in one and the same physical box.
What's the point of that? (Genuine question.)
One server here, one across town, or even two separate boxes in a single room -- sure. But in the same box? If the box is on fire, now you're out both your main and your backup server.
I must be missing something; what is it?
I've never been a fan of doing that, but I've recently been seeing it at a lot of clients. They have 2 older machines each running its own app. They get a new honking big box with enough HP to run both apps and they create 2 VMs one for each app.
Am 15.05.2012 23:42, schrieb Larry Martell:
On Tue, May 15, 2012 at 3:37 PM, Frank Cox theatre@melvilletheatre.com wrote:
On Wed, 16 May 2012 00:31:22 +0300 Jussi Hirvi wrote:
BTW, the two servers are virtual machines in one and the same physical box.
What's the point of that? (Genuine question.)
One server here, one across town, or even two separate boxes in a single room -- sure. But in the same box? If the box is on fire, now you're out both your main and your backup server.
I must be missing something; what is it?
I've never been a fan of doing that, but I've recently been seeing it at a lot of clients. They have 2 older machines each running its own app. They get a new honking big box with enough HP to run both apps and they create 2 VMs one for each app.
Yes, one point is to consolidate using virtualization. It is done in small environments and in really large ones. A very different thing is to run a main and a backup mail server on the same virtualization host as 2 VMs. Alone the fact to build up a setup with a backup mail server is nowadays to 99% a design flaw and non-optimal.
Alexander
Am 15.05.2012 23:37, schrieb Frank Cox:
On Wed, 16 May 2012 00:31:22 +0300 Jussi Hirvi wrote:
BTW, the two servers are virtual machines in one and the same physical box.
What's the point of that? (Genuine question.)
One server here, one across town, or even two separate boxes in a single room -- sure. But in the same box? If the box is on fire, now you're out both your main and your backup server.
I must be missing something; what is it?
I felt exactly the same when I saw both mail servers were in the same subnet. No point in doing that.
Jussi should run 2 identical setups in 2 hosts as MX with same priority if redundancy is desired. Of course, having them as VMs on the same hosts limits the redundancy quite a bit as the host is the single point of failure here.
Alexander
On 16.5.2012 0.37, Frank Cox wrote:
What's the point of that? (Genuine question.)
One server here, one across town, or even two separate boxes in a single room -- sure. But in the same box? If the box is on fire, now you're out both your main and your backup server.
I must be missing something; what is it?
No, you are right. However, two servers still are better than one. There are cases when one of them is down but not the other. And later, if I get another box, I can move the vm there easily.
However, let's not get sidetracked too deep in this.
- Jussi
Some more info. Below is a more complete telnet session from backup mail server (mx2.greenspot.fi) to primary mail server (mail.greenspot.fi).
It only proves that sending mail works fine from command-line. But my sendmail setup cannot do the same.
I wrote that MAILER-DAEMON can get mail through. I am not actually sure about that. (One warning message did come through, but maybe it was because something I changed in the config - not sure anymore.)
Here's the successful telnet session:
[root@mx2 ~]# telnet mail.greenspot.fi 25
Trying 83.143.217.182...
Connected to mail.greenspot.fi (83.143.217.182).
Escape character is '^]'.
220 mail.greenspot.fi ESMTP Sendmail; Tue, 15 May 2012 23:17:59 +0300
HELO mx2.greenspot.fi
250 mail.greenspot.fi Hello mx2.greenspot.fi [83.143.217.179], pleased to meet you
MAIL FROM: me1@domain.com
250 2.1.0 me1@domain.com... Sender ok
RCPT TO: me2@domain.com
250 2.1.5 me2@domain.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Testing testing
.
250 2.0.0 q4FKHxf7012785 Message accepted for delivery
QUIT
221 2.0.0 mail.greenspot.fi closing connection
Connection closed by foreign host.
- Jussi
Jussi Hirvi wrote:
Some more info. Below is a more complete telnet session from backup mail server (mx2.greenspot.fi) to primary mail server (mail.greenspot.fi).
It only proves that sending mail works fine from command-line. But my sendmail setup cannot do the same.
<snip> Is there any chance that your sendmail is sending an invalid id?
mark