
Server refusing SMTP connection requests

Lunch2000 asked
Last Modified: 2013-12-15

I have a Fedora Core 1.0 server set up with Lotus Domino 6.0.2 CF2 installed.

I can start the server fine
The mail router and SMTP listener task start without problems
The server can send SMTP mail without problems
When attempting to test SMTP by telnetting to port 25 from another machine I get "connection refused"
When I try to telnet 127.0.0.1 25 I get "Connection refused"
When I try to telnet localhost 25 I get "Connection refused"
I have altered the hosts.allow file, the only line is ALL:ALL (I am unfamiliar with this new hosts.allow/hosts.deny config so this may not be implemented correctly).

Any Ideas?


Lunch

Commented:
Did you enable firewall support?  If so do iptables -L and see if anything relating to port 25 or smtp is being denied...

What does your hosts.deny read?

Also I had a problem once due to another package using port 25 so my SMTP agent would not start... Check with NMAP to see if port 25 is in use... Maybe worth a shot...

-Ryan

Author

Commented:

Nothing shows up in IPtables, I installed without any firewall, the hosts.deny is empty, but to make sure I moved the hosts.allow and hosts.deny to my user directory. According to the documentation this *should* open up the machine. It did not make a difference. As far as I can tell nothing else is using port 25, I am however getting some weird TCP stack errors on the Domino console when shutting down. In particular they are showing up in the SMTP and IMAP listeners. I'm going to try reinstalling domino and see if that helps.

Commented:
Silly question, can you start sendmail?  If so what happens if you telnet to port 25?  I would be curious to narrow down to something in the OS or in Domino...

-Ryan

I don't think your problem is with linux, it may well be with your notes configuration. Check the server document in your address book and check the smtp configuration; pretty much most of the configuration is configuration settings and the Router/SMTP tab.

Author

Commented:
I think my notes config is fine, I've set up a number of Domino servers before and this is the first time I've come across this. It would be one thing if it refused to relay mail after making a connection, but it won't accept port 25 connections, period. The fact that it won't take port 25 connections from 127.0.0.1 screams TCP stack issue to me

Ok on the linux box use the following command
#lsof | grep LISTEN

This will give you a list of IP ports the server has bound to; see if smtp is listed. Also on your notes console type >sh tasks and check that notes has an smtp task running.

 

Author

Commented:
SMTP Listener is running at console, doing a netstat -l neither SMTP or IMAP come up as active

Author

Commented:
Tried running sendmail, smtp shows up as a listening port. For some reason Domino SMTP is not binding to port 25?

Ok let's see if it is the stack. Edit /etc/sshd/sshd.conf and change the port to 25. Stop the notes server. Restart sshd and try to connect with an ssh client to port 25. If this works I would think the problem is with notes.

Author

Commented:
When I ran sendmail I was able to telnet to port 25 and SSH can bind to port 25. I don't think the problem is with Domino, or I should say the Domino config. Is it possible there is a major change in security and in what/who is allowed to bind to a port or where it goes to bind? At this point I've configured my Dom server so that it is wide open. For some reason it looks as if the SMTP and IMAP listeners are not able to hook into the TCP stack. Because Sendmail (when run) shows an active port 25 and you can telnet into it, I'm guessing there is some new incompatibility between the Domino Listener tasks and Fedora. At this point I've messed around enough, I'm going to install RH 9 and see what happens. I'll post the results.

"Connection refused" is either a firewall, or the listening server denies access.
So please post result of:
  netstat -pan|grep 25

Probably your Domino is configured to listen on the IP only, but not the loopback device

Author

Commented:
No, it refuses connections from everywhere, local lan and outside servers; there is no firewall installed or configured on the server itself. As I said in my earlier posts the listener is not active on port 25, according to netstat, when I run the domino listener. It is active when I run sendmail, the domino smtp config document has SMTP pointed to port 25. We'll see what happens under RH 9. I'm convinced there is some incompatibility there.

Author

Commented:
Same deal with RH 9, for some reason the Domino ESMTP won't bind to port 25. The listener is enabled and the server is supposed to allow anonymous access on that port. But the port is not even showing up as an active listening port! GRRRRRRR! Frustrated!!

Well, I am lost now. I have both version 5 and version 6 notes servers running on redhat 9. Have not had a problem like this on any of them. I don't know the exact versions I am running but I will check. Have you tried a different version or different media? It has got to be a problem with the notes install; can't see it can be anything else.

Author

Commented:
Have tried two different versions of Dom 6.0.2cf2 and latest 6.5, My current working server is old RH 7.2 with Dom 6.0.2cf2. Could it be a problem with the network card or card driver? The card in the machine is an old no-name. Could it affect the tcp stack enough to create problems for Domino?
It's the only variable in all this that has not been changed.

Tim

Author

Commented:
As a further note, as of now none of the Domino services besides http and the notes port 1375 are binding to their appropriate sockets. LDAP, POP3, IMAP and SMTP are all failing to setup active listening ports on the server, even though the Domino server has those listening tasks running.

Tim

Sounds to me like you are missing a library; all my notes servers are running imap, pop3, etc. Don't suppose you have inetd running. But hey, it's easy enough to switch a network card just in case it's that.

Author

Commented:
No, don't think it's that either, RH 9 is a fresh download. The tasks start normally on the console, no errors show up in the logs. When attempting to restart a particular socket based task from the console I get a message stating that it is waiting to finish all its tasks. I think the task starts, attempts to bind to the socket and never does. If it were a library issue I would get errors in the log and on the console, yes/no?

ok, you have not posted what was asked for. Hope you know what you're talking about.
If there is no listener on port 25 (however you identified that), have you checked that it is not started via portmapper, for example via /etc/inetd.conf?

Author

Commented:
There is no separate SMTP program or startup, the SMTP listener task is controlled by Domino. All access to the SMTP task is through the Domino Console or Admin Client. I know I did not post what is asked for, but that's because no SMTP task was showing up for any command PERIOD. When Sendmail was started port 25 would show up as an active port. When Sendmail was shut down and Domino started, no port 25. There is no direct access (to my knowledge) to the SMTP listener except through Domino. What I may be missing on the linux side (I think) is some aspect of configuration that is keeping Domino from binding to port 25, it is also having trouble binding to the IMAP, POP3, and LDAP ports. It can however bind to port 80 for http. This whole thing makes no sense at all....

Tim

Author

Commented:
More details... this just gets weirder and weirder

If I change the port that inbound SMTP should bind to (I used port 2000), the SMTP listener is able to bind to the port on TCP, however doing so unbound the http port (port 80 was the only service port being bound, besides the lotus notes port). So Domino is only binding to one other port besides its proprietary port, or Linux is preventing it from binding to more than one standard service port?

WTF!

Tim

Author

Commented:
And More.....

I rebooted the server and Domino came up with both the port 80 (http) and 2000 (smtp) active, however when I switched smtp back to port 25 it would not bind to the socket. Is there some security I'm missing here, maybe something involved with the tcpwrapper?
How does Domino serve SMTP: via portmapper/inetd, or as daemon?
Do you start Domino as user root?
Is there probably another MTA running when you start Domino?
What do the Domino logfiles tell you?

Please post results of following commands, post *all* results verbatim:

  netstat -pan|egrep '25|80|110|111|143|389'
  egrep -i '25|80|110|111|143|389|smtp|mail|imap|pop|ldap|http' /etc/inetd.conf

oops, you said RH, then you probably have xinetd. In this case we need to check /etc/xinetd.d:

  egrep -i -l '25|80|110|111|143|389|smtp|mail|imap|ldap' /etc/xinetd.d/*

Author

Commented:
I believe that Domino serves SMTP as a daemon, it runs under its own user id and as far as I can tell there is no other MTA running, checked using service --status-all, and checked run level config using chkconfig.
Domino log files don't have anything, they just tell me that the SMTP(IMAP,LDAP,etc.) service has started and is listening on port x. Here are the results of your requested data

netstat -pan|egrep '25|80|110|111|143|389'
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1507/              
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1808/X              
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1507/              
unix  2      [ ACC ]     STREAM     LISTENING     2080   1654/gpm            /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     2304   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2333   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2329   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2312   1808/X              
unix  3      [ ]         STREAM     CONNECTED     2315   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2307   1807/              
unix  2      [ ]         DGRAM                    2252   1732/              

I had checked xinetd.d before to make sure anything that could interfere was disabled. These services showed up, as far as I can tell they all have a 'disabled' line active in their startup scripts.

[root@crashzone tnorwood]# egrep -i '25|80|110|111|143|389|smtp|pop|ldap|http' / etc/xinetd/.d/*
/etc/xinetd.d/ipop2:# description: The POP2 service allows remote users to access their mail \
/etc/xinetd.d/ipop2:#              using an POP2 client such as fetchmail.  In most cases, clients \
/etc/xinetd.d/ipop2:#              support POP3 instead of POP2, so enabling this service is rarely \
/etc/xinetd.d/ipop2:service pop2
/etc/xinetd.d/ipop2:server  = /usr/sbin/ipop2d
/etc/xinetd.d/ipop3:# description: The POP3 service allows remote users to access their mail \
/etc/xinetd.d/ipop3:#              using an POP3 client such as Netscape Communicator, mutt, \
/etc/xinetd.d/ipop3:service pop3
/etc/xinetd.d/ipop3:server  = /usr/sbin/ipop3d
/etc/xinetd.d/pop3s:# description: The POP3S service allows remote users to access their mail \
/etc/xinetd.d/pop3s:#              using an POP3 client with SSL support such as fetchmail.
/etc/xinetd.d/pop3s:service pop3s
/etc/xinetd.d/pop3s:server  = /usr/sbin/ipop3d

Author

Commented:
The first post is without Domino running, here is the result with Domino running with edited ports

[root@crashzone tnorwood]# netstat -pan|egrep '25|80|110|111|143|389'
tcp        0      0 0.0.0.0:5025            0.0.0.0:*               LISTEN      2336/smtp          
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1507/              
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2321/http          
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1808/X              
tcp        0      0 0.0.0.0:5110            0.0.0.0:*               LISTEN      2335/pop3          
tcp        0      0 0.0.0.0:5143            0.0.0.0:*               LISTEN      2334/imap          
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1507/              
unix  2      [ ACC ]     STREAM     LISTENING     2080   1654/gpm            /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     2304   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2333   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2329   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2312   1808/X              
unix  3      [ ]         STREAM     CONNECTED     2315   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2307   1807/              
unix  2      [ ]         DGRAM                    2252   1732/              


and these are the results with Domino running using standard ports

netstat -pan|egrep '25|80|110|111|143|389'
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1507/              
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2920/http          
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1808/X              
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1507/              
unix  2      [ ACC ]     STREAM     LISTENING     2080   1654/gpm            /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     2304   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2333   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2329   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2312   1808/X              
unix  3      [ ]         STREAM     CONNECTED     2315   1808/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2307   1807/              
unix  2      [ ]         DGRAM                    2252   1732/              

seems to me that despite the fact that nothing else is using these ports Domino is somehow prevented from using them. As another aside, the server also seems to have a hard time with DNS resolution, it often times has trouble communicating with my DNS server, I don't know if its related or not.

Tim

ok, so we see that there is a listener on 111 (probably ipop2d).
And there're the listeners on 5025, 5110, 5143 (probably those of domino).
The netstat -pan output is a bit strange ..
According to the ports used by domino, you need to adapt the port for telnet too.
It's strange that you got response on port 25, did you use 5025 instead?

So, if there is a smtp on 5025 already, why do you want to have an additional MTA on port 25?
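
Added example, not part of the thread: the `egrep '25|80|110|111|143|389'` filter used above matches those digits anywhere in a line, so it also prints 5025, PIDs and unix-socket inode numbers. The sketch below parses `netstat -pan` text and reports only exact TCP LISTEN ports; the sample lines are constructed from the output quoted in the thread, and the function names are assumptions of this example.

```python
import re

# Constructed sample, shaped like the `netstat -pan` output quoted in the thread
# (Domino running with its listeners moved to alternate ports).
SAMPLE = """\
tcp        0      0 0.0.0.0:5025            0.0.0.0:*               LISTEN      2336/smtp
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1507/
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2321/http
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1808/X
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1507/
unix  2      [ ACC ]     STREAM     LISTENING     2080   1654/gpm            /dev/gpmctl
unix  3      [ ]         STREAM     CONNECTED     2333   1808/X              /tmp/.X11-unix/X0
"""

# Standard ports of the services discussed in the thread (names are labels only).
EXPECTED = {25: "smtp", 80: "http", 110: "pop3", 143: "imap", 389: "ldap"}

# The substring pattern used in the thread's egrep.
NAIVE = re.compile(r"25|80|110|111|143|389")


def naive_hits(text):
    """Lines the thread's egrep would print: any line containing the digits."""
    return [ln for ln in text.splitlines() if NAIVE.search(ln)]


def tcp_listeners(text):
    """Map port -> list of (local address, pid/program) for TCP LISTEN sockets."""
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        # tcp/tcp6 rows: Proto Recv-Q Send-Q Local Foreign State [PID/Program]
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        # rpartition copes with IPv6 local addresses such as ":::25"
        addr, _, port = f[3].rpartition(":")
        if port.isdigit():
            owner = f[6] if len(f) > 6 else "-"
            listeners.setdefault(int(port), []).append((addr, owner))
    return listeners


def check_expected(text, expected=EXPECTED):
    """Compare exact listening ports against the expected service ports."""
    listeners = tcp_listeners(text)
    result = {"listening": {}, "missing": []}
    for port in sorted(expected):
        if port in listeners:
            result["listening"][port] = listeners[port]
        else:
            result["missing"].append(port)
    return result


if __name__ == "__main__":
    total = len(SAMPLE.splitlines())
    print(f"egrep-style matches: {len(naive_hits(SAMPLE))} of {total} lines")
    res = check_expected(SAMPLE)
    for port, socks in res["listening"].items():
        print(f"{port:>5} {EXPECTED[port]:<5} listening on {socks}")
    for port in res["missing"]:
        print(f"{port:>5} {EXPECTED[port]:<5} NOT listening")
```

The local address column is kept in the result because a listener bound to one interface address only would still refuse connections to 127.0.0.1.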

Author

Commented:
I edited the Domino config to bind to alternate ports to show that Domino is installed correctly and can bind to ports. I would rather have my server run on standard ports. My current router (a simple netgear cable deal) can not translate external port 25 requests to 5025 for me soooo.... I know I *could* add a second nic to my linux box and use it as the router/NAT service but besides being a pain in the rear, I just don't want to rely so much on one box.

I'm confused by your comment, I get *no* response on port 25, period. The SMTP listener will respond on port 5025 but only because that is where I pointed it. The first netstat -pan is with Domino config edited to use port 5025 for inbound SMTP instead of port 25. The second netstat -pan is with Domino configured to use port 25 for inbound SMTP. As you can see, it seems to have no trouble binding to port 5025 but does not seem to be able to bind to 25. For further examination, if I go:

 netstat -anp  

with domino setup to use port 25 I get this

unix 3            [   ]            stream            connected      53910  2901/smtp
unix 3            [   ]            stream            connected      53909  2901/smtp

but no active port using TCP
> .. but does not seem to be able to bind to 25
This is definitely a domino problem.
Check the logfiles as already suggested.

Author

Commented:
I did check the Domino logs, there are no events/errors/messages as relates to the SMTP and mail router except for the startup and shutdown. Is there a linux log I should check?

yes, probably something in /var/log/messages
Or use
  ls -ltr /var/log
after Domino start, and check which files have been touched last

Author

Commented:
Nothing shows up, the messages file just shows my login as the "notes" user (Domino will *not* run as root) to start up the console. Other than that, nothing. I did try seeing which of the logs was touched last but again it was only messages. Talked to my boss, he seems to think something is convincing Linux that the mail ports are in use, or reserved. So a program may be holding the ports but not listening on them. How would this work, how would I figure out what's sitting on the ports without actually bringing them active?

Tim
> ..  something is convincing Linux  ..
don't blame the wrong thing
If Domino does not do what it should do, *and* does not tell you what is wrong, then Domino is the guilty.
But I think that it's a configuration problem of Domino somehow, first try to enable logging/debugging ..

Author

Commented:

I'm not blaming anything, I've set Domino up on linux several times before (granted earlier versions) and never had this trouble. There is no real configuration involved for the SMTP listener, you turn the listener on and it listens, without proper configuration it may or may not accept mail but it will respond to SMTP requests. When the SMTP listener starts, it attempts to bind to port 25, from what I can tell it gets convinced it's in the process of binding to 25 but never times out. It just keeps ticking along, if you try to get the listener to restart it basically tells you it's in the middle of something, my guess is that it's in the middle of trying to bind to port 25. I've been told that things like xinet can be configured to provide a buffer between a port and an application so that a daemon is inactive until a request comes in on a particular port, then it activates the daemon. It must reserve the port in some way, yes/no? If it were 'reserving' a port it's possible that the port would be in use but nothing would be listening on it, right?
Domino logs are usually pretty good about reporting problems. I started Domino with Sendmail running, it popped up an error right away stating "Unable to bind SMTP to port 25, port in use".
The task is able to bind to other ports besides 25 and respond properly, so I don't think its the domino config. This fact combined with the fact that Sendmail IS able to bind to port 25 has me convinced I've missed something in the linux config or there is some application besides domino sitting on the port but not listening.
 
> I'm not blaming anything ..
fine.

> .. things like xinet can be configured ..
xinetd/portmapper does that. But you have checked that there is nothing configured for port 25 (see my grep example, and your post).
You also see with netstat -pan that there is nothing on 25.

As you said that you're not root, so Domino cannot bind to 25. That's why you configured 5025. OK.
If Domino does not work on 5025 (and 5025 was not in use before starting Domino), then I'm out of ideas

Author

Commented:

Domino does work on 5025 (it was a random port that I picked), and works on any other random port that I choose, but it won't bind to port 25. Are you saying that Domino can't bind to port 25 because it is not Root? Domino won't run as root, if you try, it won't start and will display the message "Don't run Domino as Root", I'm guessing if I could run as root, I would not have this binding problem. Is there a group I should add the "notes" user to? notes being the user account Domino runs under.

Author

Commented:
Finale

I'm buggered, I put a fresh install of Fedora down, stripped to just core elements and Domino still won't work. Pulled off sendmail and installed Exim, Exim works fine, still no Domino. I'm just going to use Exim as my inbound SMTP and let it forward to the ports on Domino. Thanks for all your help,
still wish I knew why this doesn't work.
> Are you saying that Domino can't bind to port 25 because it is not Root?
yes.
ports up to 1023 can only be used as root.
That's why most daemons must be started as root, then switch to another user themselves.

Think you need to check your Domino docs again.
Notes must have a user account notes and a group called notes. And the notes server MUST be started from the user notes. All files in notesdata must be owned by notes and the group notes.

 

Author

Commented:

I know, actually it doesn't have to be "notes", it just has to be whatever user account you specified during the install. It just can't be root.

Author

Commented:
Actually....

It doesn't make sense that it can't bind to 25 because it's not root. It seems to bind to port 80 without any trouble, is port 80 an exception to the rule?

no

The statement about only root binding to lower ports is not true. Most of the port owners below 1023 are not run as root. Example Postfix, Sendmail, Bind etc. The fact the port is below 1023 and is not run as root has no bearing on the problem.

only root (uid 0 for being exact) can use ports 0..1023. Only root can grant access to those ports for other users.
There is no way around this in Unix/Linux. Dot.
This enforces that any process using such a port *must* be started as root.
Postfix, sendmail, bind (apache, imapd, etc.) just can be configured that they switch to another user after binding to the port.
Well, I'm not 101% sure for some security enhanced kernels (using CAPABILITIES), it might be different there if the CAPABILITY allows it.
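
Added example, not part of the thread: a bind probe to run under the same account as the service (here the "notes" user) while the service is stopped. It separates the two causes argued about above by the error `bind()` returns: EACCES means the account lacks the privilege for that port, EADDRINUSE means another socket holds the port, even one that is bound but not listening. The function names are assumptions of this example, and the sysctl file is read only if the kernel provides it.

```python
import errno
import os
import socket

DEFAULT_PRIV_LIMIT = 1024  # classic Unix rule: ports 0..1023 are privileged


def unprivileged_port_start():
    """First port an unprivileged process may bind (Linux sysctl, if present)."""
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return DEFAULT_PRIV_LIMIT  # older kernels and other systems


def explain(err):
    """Translate the errno from bind()/listen() into the likely cause."""
    if err == errno.EACCES:
        return ("permission denied: privileged port and the process is neither "
                "root nor granted CAP_NET_BIND_SERVICE")
    if err == errno.EADDRINUSE:
        return "address in use: another socket is already bound to this port"
    if err == errno.EADDRNOTAVAIL:
        return "address not available: the host address is not configured locally"
    return os.strerror(err)


def probe(port, host="0.0.0.0"):
    """Try to bind and listen on host:port, then release the socket again."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # No SO_REUSEADDR on purpose: the probe should fail if anything holds the port.
        sock.bind((host, port))
        sock.listen(1)
        return {"ok": True, "port": sock.getsockname()[1], "errno": None, "why": "bound"}
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return {"ok": False, "port": port, "errno": name, "why": explain(exc.errno)}
    finally:
        sock.close()


if __name__ == "__main__":
    limit = unprivileged_port_start()
    print(f"euid={os.geteuid()}  unprivileged ports start at {limit}")
    # Standard ports from the thread plus the alternate SMTP port that worked.
    for port in (25, 80, 110, 143, 389, 5025):
        res = probe(port)
        status = "OK" if res["ok"] else res["errno"]
        print(f"{port:>5}  {status:<12} {res['why']}")
```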

Author

Commented:
All moot, I fixed the problem by a) doing a barebones install of Fedora (no extra rpms, no gui) and adding a line to .bash_profile in root's directory.

export LD_ASSUME_KERNEL=2.2.5

Everything ran after that