Solved

Linux /etc/hosts file entry help

Posted on 2004-09-02
Last Modified: 2013-12-06
I currently have a linux webserver (55.55.55.2 = www.mywebsite.com) and I have a windows exchange server (55.55.55.3 = mail.mywebsite.com).

Because of the configuration of my watchguard firebox 1000 firewall appliance, I have to create an entry on the linux webserver that will tell it to send email to the windows exchange server.

Here's what I have created in my /etc/hosts file:
__________________________
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       www     localhost.localdomain   localhost
192.168.16.3    mail    mail.mywebsite.com
__________________________

Well, even after I restart the linux webserver, I will go to the website's contact form (I use sendmail) and fill out the contact us form and send it.  If the email address I use is: user@mywebsite.com, the email never goes through.  If the email address I use is from any other domain, the email does get sent!

Any ideas on what I can do to route 'internal' email correctly??
Question by:compinfo

68 Comments
 

Author Comment

by:compinfo
Oh, yeah, and the firewall is configure to route email going to the external address of 55.55.55.3 to the internal address of 192.168.16.3.  And the linux webserver at 55.55.55.2 can ping 192.168.16.3.
0
 
LVL 40

Expert Comment

by:jlevie
When you use an address of the form user@mywebsite.com the MTA (probably Sendmail) will do an MX lookup on the domain name to find out what mailserver to use. It won't use the hostname from the hosts file unless you send the mail to user@mail.mywebsite.com. In which case you have to tell exchange to listen for mail addressed to mail.mywebsite.com (that's just one of the ways that exchange is brain dead).

If you really need to be able to use addresses of the form user@mywebsite.com you'll need to arrange for the MX lookup to work and to point to 192.168.16.3. In a firewalled environment this usually means running a private DNS on the inside that equates the host names to private IP's. You can do this pretty easily on the Linux server.
0
 

Author Comment

by:compinfo
Well, ok, so I went to dnsstuff.com and did a MX lookup on mywebsite.com and get this:

Domain Type Class TTL Answer
mywebsite.com. MX IN 7200 MAIL.mywebsite.com. [Preference = 10]
mywebsite.com. NS IN 7200 NS80.WORLDNIC.com.
mywebsite.com. NS IN 7200 NS79.WORLDNIC.com.
MAIL.mywebsite.com. A IN 7200 55.55.55.3
****************

So, does this matter?  I'm not sure I understand about how I could setup private DNS 'on the inside'  but I can try.  Right now, the exchange server is NAT'd through the firewall to a trusted lan, and the webserver is in the DMZ of the firewall.
 
0
 

Author Comment

by:compinfo
Just FYI:  The firewall is showing a message:

'arp called for own IP address'

0
 
LVL 40

Expert Comment

by:jlevie
The problem here is that your Linux box and exchange server are located on RFC1918 private networks. When the linux box looks up the MX record for the domain it ultimately resolves to the public (Internet) IP of the exchange server. That means that a data connection to exchange would have to go out the firewall and back in, which is something that the majority of firewalls won't allow.

So what you need is a DNS server on the local LAN that has the hostnames defined in your Outside (Internet accessible) DNS but using private IP's.
0
 
LVL 20

Expert Comment

by:Gns
Why not just defer any mailing to the M-Sexchange? Set sendmail to use it as a smart relay host (DS in sendmail.cf.... Dunno in sendmail.mc... Jim does though:-).

BTW, what is the topology here? Is the website on the DMZ interface and the exchange on the trusted?

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
Oh, and I can attest that using a "local" DNS (set it so that it has your ISPs DNSes as forwarders, and define a zone for mywebsite.com that has all "local" addresses... effectively masking the "public" ones) is a very viable option.

-- Glenn
0
 

Author Comment

by:compinfo
GNS:

"Right now, the exchange server is NAT'd through the firewall to a trusted lan, and the webserver is in the DMZ of the firewall."
0
 
LVL 20

Expert Comment

by:Gns
:-)
Sorry, I'm going blind....:-)

Ok, that only means that you'd need to set up one DNS proxy from webserver->local DNS server on trusted (and of course just allow DNS from trusted to external for local DNS server) if you go with the local DNS server setup.

The problem you have seems to be that you have the 55.55/16 network (or whatever... the externally visible net) on one interface and as a related network on the other (for DMZ and external), but you can only set the static NAT from 55.55.55.3 for the external interface... So getting mail from DMZ to trusted becomes a routing/rule issue as well. The routing would be trivial (it knows all this:-), as would the rule for mail from DMZ->trusted/exchange too. Sorry for being a bit slow today:-).
Hm. The Local DNS server approach would handle this. As would a smarthost.

-- Glenn
0
 

Author Comment

by:compinfo
JLEVIE:

"The problem here is that your Linux box and exchange server are located on RFC1918 private networks."

My linux box is in the DMZ of the firewall with a public IP address.  However, being in the DMZ, it has the ability to ping the local 'trusted' network as well.
0
 

Author Comment

by:compinfo
Quick Note:

I control the DNS routing via the Advanced DNS service from Network Solutions.  
0
 
LVL 20

Expert Comment

by:Gns
Yes, but it goes to the "public" DNS for MX, so ends up with that address, which you cannot route through the FB1k.
Problem in a nutshell. I realize I might be mistaken about address assignment for the DMZ, and in actuality... That doesn't matter... now does it?

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
Ah, crossing posts... The comment was to your comment to Jim.

-- Glenn
0
 

Author Comment

by:compinfo
Also,  I see I have a ton of email requests in /var/spool/mail/root, how can I extract this to a TXT file to download it?

0
 

Author Comment

by:compinfo
So, now that I've added a bit more information, what might I try to make this work?  

If the suggestion  "...is a DNS server on the local LAN that has the hostnames defined in your Outside (Internet accessible) DNS but using private IP's."

Isn't this done by the firebox already?  I have the firebox setup as the local DNS at 192.168.16.205.
0
 
LVL 20

Expert Comment

by:Gns
Hm, what version of the WFAS/WLS/whatchamacallit do you have? 7.0?
If the FB is your DNS, then it has to be taught about the exchange MX.... Which it can't be, since it's really not a DNS server (I assume you've set the DNS info on the DNS/WINS tab of the Network->Configuration, right?)

Anyway, you sidestep this whole DNS/MX trouble by using a smart relay/ smart host. Either edit /etc/sendmail.cf, or better edit /etc/sendmail.mc and set a line like
define(`SMART_HOST', `mail.mywebsite.com')
(which will use the /etc/hosts entry if you have "order hosts,bind" in /etc/host.conf), then do
m4 ../m4/cf.m4 yourhost.m4 > yourhost.cf
Make a backup of your /etc/sendmail.cf and copy yourhost.cf to /etc/sendmail.cf.
(these lines were adapted from http://www.sendmail.org/~ca/email/offline_mailing.html)

Restart sendmail and you should be fine.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
About the /var/spool/mail/root file... that's probably an mbox-format textfile. All mails to root go there, and since one usually has an alias postmaster->root...
You can read them via the mail command logged on as root (or any other mail user agent you feel comfortable with).
If you install an IMAP service on the linux box and create appropriate rules for imap ... you could use OutLook to access the file's content and even move it over to the exchange via drag'n'drop.

-- Glenn
0
 
LVL 40

Expert Comment

by:jlevie
So the Linux box is in a classical DMZ with public IP's and the mail server is behind a NAT'ing firewall. In that case you need to set up the firewall with either a port forward of the SMTP port to the exchange box or give the exchange box a static NAT translation. In both cases the hosts file entry on the Linux box will be the outside IP of the port forward or static NAT. You'll also need to allow the IP of the Linux box to open an SMTP connection through the firewall.
0
 

Author Comment

by:compinfo
GNS:

Version 7.2 of the watchguard System Manager.  Yes, I have DNS set in the Network->Configuration to my ISP's primary and secondary DNS and the domain name is there too.

Let me try the sendmail function.

JLEVIE:  Yes, the firebox is setup like you're saying (I believe), it's just a bit different terminology in that I setup services for SMTP that state who is allow in, out, and who is NAT'd to where, etc...
0
 

Author Comment

by:compinfo
GNS:

You lost me here:

m4 ../m4/cf.m4 yourhost.m4 > yourhost.cf
Make a backup of your /etc/sendmail.cf and copy yourhost.cf to /etc/sendmail.cf.

*what does this mean??

*how do I restart sendmail?
0
 
LVL 20

Expert Comment

by:Gns
m4 is a "macro processor" that'll translate the "easy to understand" sendmail.mc into the "less easy to understand" sendmail.cf (which is the file sendmail reads). As said, those lines are quoted directly from a faq, so (I see now:) they don't really match too well:-). (Personally I _don't_ use sendmail, so I can't say for sure which files should be used... probably /etc/sendmail.mc or similar... Jim is the attested Guru when it comes to sendmail, and I'm sure he can guide you through the steps needed). If you'd like to set something up "quick", then edit /etc/sendmail.cf and change the line
DS
or maybe it is
# DS
to
DSmail.mywebsite.com
... and all mails should then be routed through exchange. Don't forget to set your exchange so that it allows this;-).

I realise we lack two bits of info. You say you use sendmail _in the webform_, but this doesn't necessarily mean you use the sendmail MTA(!), since most MTAs (Mail Transfer Agents) will have a "convenience sendmail command"... So even though the form uses the sendmail command, it might be Postfix, qmail, exim....;-). Could you tell us what distro you use on webserver, as well as what MTA?

-- Glenn
0
 
LVL 2

Expert Comment

by:garak1357
If clients are using your local server for DNS, and it is not resolving by the host file, have you checked your resolv.conf file to make sure that it is pointed to your local DNS server?  You may also need to set the order in which it is resolved there.  Just a thought.
0
 
LVL 20

Expert Comment

by:Gns
Please read the entire question garak1357. Covered ground.

-- Glenn
0
 

Author Comment

by:compinfo
Let me check out things today and get back with you guys.  Thanks!
0
 

Author Comment

by:compinfo
It's Red Hat Enterprise Edition Version 3 with Up2date.

I went here:

http://linux-rep.fnal.gov/sundocs/Raven/EyeView/SSR03/SSR03-16.htm#ss16.5

(As instructed by Red Hat Support).

And found out the following:

ESMTP Sendmail 8.12.11/8.12.11;

****

So, how would I know which MTA is used on my distro?  I didn't setup anything different, so I'm assuming it's using whatever it's defaulted to use.



0
 
LVL 20

Expert Comment

by:Gns
Hm, I don't remember... Jim? Wait a moment, you're saying you did the "telnet localhost 25" and got the above? Well, then you are running Sendmail version 8.12.11 ... And the advice pertaining to sendmail configuration above applies.

-- Glenn
0
 
LVL 40

Expert Comment

by:jlevie
Since a 'telnet localhost 25' (I assume that's what you did) talks directly to the MTA, if it says Sendmail that's what your MTA is. But whether it is Sendmail, Postfix, Qmail, etc. doesn't really matter here if, as I think, the problem is a DNS/firewall issue. If it is a DNS and/or firewall issue nothing else matters until that is resolved.

From what you've said about the network topology I believe it looks like:

          Internet
                |
                |----- Web Server
                |
          Firewall
                |
                |------Mail Server
                |
        Local LAN

That would mean that the Web server has an Internet routable IP, as would the outside interface of the Firewall. So to be able to send an email to the mail server the firewall would have to allow inbound SMTP connections with a port forward or static NAT through the firewall to the mail server. For mail from Internet sites to work that port forward or static NAT translation would already have to be in place, assuming that the MX record for your domain directs mail to your mail server.

With that topology all that we need do is to tell Sendmail that it should forward local mail to your mail server, which we can accomplish by including:

define(`LUSER_RELAY', `mail.mywebsite.com')dnl

in /etc/mail/sendmail.mc, and restarting sendmail. That will tell sendmail to forward mail that looks like a local address (user@mywebsite.com) but that doesn't correspond to a local Linux account.

However, I could be confused about the topology and it might look like:

            Internet
                 |
            Firewall
             /          \
           /              \
Web Server    Local LAN

In this case everything has private IP's and the firewall will have to have ACL's that allow an SMTP connection from the DMZ to the mail server's IP. We can't use your Internet DNS records here for the mail server since they point to the outside IP, not the private IP. The solution to that is to either set up a private DNS that equates names to private IP's or use a hosts file record. For a single domain the hosts solution is fine and we still need the LUSER_RELAY.
0
 

Author Comment

by:compinfo
This is the topology:

            Internet
                 |
            Firewall
             /          \
           /              \
Web Server    Local LAN
0
 
LVL 20

Expert Comment

by:Gns
Exactly, and since there is no "local DNS" to query, one could (as I've said a couple of times before) resort to using the "smarthost" thing instead. And that is where the actual MTA becomes relevant:-).

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
Oh, and Jim's note on there needing to be "ACLs for SMTP from DMZ to mailserver" is quite true... As I think we've already covered before:-). Easiest to add a SMTP filter (not the proxy, since that puts undue load on the FW... as well as being a bit ... picky:-) from DMZ to trusted.

Of course it's not a bad idea to set up a local DNS server, so that you can draw benefit from the cache if nothing else, but... If those are all the hosts you have, it feels a bit like overkill:-):-). If your exchange server is part of an AD, then you already have a DNS server active on the trusted LAN .... At least one of the DCs would be a DNS server...

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
Oh read Jim's WHOLE message.... LUSER_RELAY it is:-)

-- Glenn
0
 
LVL 40

Expert Comment

by:jlevie
Right! A SMART_HOST doesn't help in this case because presumably the web server is in the same domain as the mail server.  LUSER_RELAY will work because it says where to send "apparently local mail" that isn't an account on the web server.
0
 

Author Comment

by:compinfo
From these discussions, here's what I was able to do:

1.  Add define(`LUSER_RELAY', `mail.mywebsite.com')dnl to /etc/sendmail.mc (using VI)
2.  Stop and start the sendmail (/etc/rc2.d/S88sendmail stop ; /etc/rc2.d/S88sendmail start)
3.  Deleted entry from the /etc/hosts file that stated:  55.55.55.2 mail.mywebserver.com (because it wasn't needed).

So far, this also did not work.  Am I missing anything?  Thanks!

0
 
LVL 20

Expert Comment

by:Gns
Earlier you've stated you had
192.168.16.3    mail    mail.mywebsite.com
in /etc/hosts... You'll need something like that, so that you can find your way from webserver->exchange. If you allow ping between DMZ and trusted, you should test that you can ping it.

Also note you need a step 2a that converts the m4 macro file /etc/sendmail.mc into a working /etc/sendmail.cf (the latter is the only file that sendmail reads). I'm sure Jim has all details on how to go about that step (isn't there a makefile somewhere for that express purpose?).

-- Glenn
0
 

Author Comment

by:compinfo
Also,  I noticed that I now have:

/etc/sendmail.cf
/etc/sendmail.mc

And:

/etc/mail/sendmail.cf
/etc/mail/sendmail.mc

Which copy should I work with??
0
 

Author Comment

by:compinfo
In the /etc/mail directory, I have these files:

access          local-host-names  sendmail.mc         virtusertable
access.db       mailertable       statistics.rpmsave  virtusertable.db
domaintable     mailertable.db    submit.cf
domaintable.db  Makefile          submit.mc
helpfile        sendmail.cf       trusted-users


0
 
LVL 20

Expert Comment

by:Gns
if you do
ls -l /etc/sendmail.cf /etc/sendmail.mc /etc/mail/sendmail.cf /etc/mail/sendmail.mc
I'm guessing you'll see that the ones in /etc are symbolic links to the ones in /etc/mail ... And I'm further guessing that in /etc/mail you have a makefile (or Makefile) that will help you create a new sendmail.cf from sendmail.mc ... perhaps by just typing "cd /etc/mail;make" or somesuch (Jim will know this;).

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
Ah, crossing posts (again)... No need to guess about Makefile:-).

-- Glenn
0
 

Author Comment

by:compinfo
does not look like symbolic links here:

-rw-r--r--    1 root     root            0 Sep  9 11:40 /etc/mail/sendmail.cf
-rw-r--r--    1 root     root         6146 Sep  9 11:25 /etc/mail/sendmail.mc
-rw-r--r--    1 root     root            1 Sep  8 11:38 /etc/sendmail.cf
-rw-r--r--    1 root     root           86 Sep  9 10:46 /etc/sendmail.mc
0
 
LVL 40

Expert Comment

by:jlevie
On an RHEL 3.0 system there should not be a /etc/sendmail.cf or /etc/sendmail.mc. RedHat finally got smart and followed the Sendmail.org default of the stuff being in /etc/mail (except for the aliases file). And, unless it's been modified, the sendmail init script will execute /etc/mail/Makefile which will rebuild /etc/mail/sendmail.cf if /etc/mail/sendmail.mc is newer.

From your last comment I'd say that you have an error in /etc/mail/sendmail.mc since /etc/mail/sendmail.cf is of zero length. To easily see what the error is execute:

cd /etc/mail
m4 sendmail.mc >sendmail.cf
0
 

Author Comment

by:compinfo
yes, here's the error I get:

sendmail.mc:10: m4: Cannot open /usr/share/sendmail-cf/m4/cf.m4: No such file or directory


I do have the /usr/share directory, but there's not a /usr/share/sendmail-cf/m4/cf.m4 directory, do I need to make one?
0
 
LVL 40

Expert Comment

by:jlevie
That means that you haven't installed the sendmail-cf package. Since the system is registered with up2date the easy fix would be to do 'up2date -i sendmail.cf'.
0
 

Author Comment

by:compinfo
ok, I updated:

up2date sendmail
up2date sendmail.cf

both OK.

_____

I restarted sendmail and got this:

[root@www rc2.d]# /etc/rc2.d/S80sendmail stop
Shutting down sendmail:                                    [  OK  ]
Shutting down sm-client:                                   [FAILED]

and -

[root@www rc2.d]# /etc/rc2.d/S80sendmail start
Starting sendmail:                                         [  OK  ]
Starting sm-client:                                        [  OK  ]
______________________



0
 

Author Comment

by:compinfo
I tried my email out again, this time, again, I email a message to john@mywebsite.com and one to mary@yahoo.com.  Mary got her email, John did not.

Is there another /etc/hosts file somewhere else?  I also checked with this again:

220 www.mywebsite.com ESMTP Sendmail 8.12.11/8.12.11; Thu, 9 Sep 2004 16:44:54 -0400
HELO mail.mywebsite.com
250 www.mywebsite.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
HELO www.mywebsite.com
250 www.mywebsite.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
HELO mywebsite.com
250 www.mywebsite.com Hello localhost.localdomain [127.0.0.1], pleased to meet you

*****************

Shouldn't it say for HELO mail.mywebsite.com, something like 250 mail.mywebsite.com and show the internal IP address (192.168.16.3)??


0
 
LVL 40

Expert Comment

by:jlevie
Oops, I had a typo... That should have been 'up2date -i sendmail-cf' and it should tell you that it is installing the sendmail-cf package.

An update of sendmail, and there is one that might have been installed if you haven't run up2date in a while, would have installed a new sendmail.cf & sendmail.mc. So sendmail would have started up okay, but not with a sendmail.cf built from your modified sendmail.mc. Check the files in /etc/mail...
0
 
LVL 40

Expert Comment

by:jlevie
> Shouldn't it say for HELO mail.mywebsite.com, something like 250 mail.mywebsite.com and show the
> internal IP address (192.168.16.3)??

Only if you went to the exchange server and executed the 'telnet www.mywebsite.com 25' from there. If you execute the telnet command on the mail server itself (telnet localhost 25) it will always report the connection as coming from localhost.

See my comment before your last one, please.
0
 

Author Comment

by:compinfo
Yes, I actually had the typo too, I did in fact up2date both sendmail and sendmail-cf, then stopped and started sendmail.

I'm assuming that:
/etc/rc2.d/S80sendmail stop

will stop sendmail, including sendmail-cf.  So, I'll try again tomorrow morning with a clear head...

I'd like to run a packet sniffer on it to see what is happening when mail is sent...

0
 
LVL 40

Expert Comment

by:jlevie
sendmail-cf is not something that runs, but rather it is data that's used when building a sendmail.cf from a sendmail.mc file. So you need to verify that the change you made to /etc/mail/sendmail.mc is still in the file and that /etc/mail/sendmail.cf has a later timestamp. If sendmail was updated by up2date your change may not be there and you'll need to put it back in the file, execute the m4 command, and restart sendmail.
0
 
LVL 20

Expert Comment

by:Gns
Um, compinfo... When you tested to send mail to john@mywebsite.com there should've been _something_ about it put in mail logfile. Could you quote that to us? And did you define the firewall rule so that you can perform "telnet <ip-address of exchange server> 25" on the webserver?

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
Oh, and thanks Jim for contributing your vast sendmail knowhow.

-- Glenn
0
 

Author Comment

by:compinfo
GNS:

Yes, I have a huge maillog file, filled with the following entry:

Sep 10 09:09:07 www sendmail[12161]: i85Jd5KT015067: to=<tsmith@mywebsite.com>, ctladdr=<apache@www.mywebsite.com> (48/48), delay=4+17:30:02, xdelay=00:00:00, mailer=esmtp, pri=10470537, relay=mail.mywebsite.com., dsn=4.0.0, stat=Deferred: Connection refused by mail.mywebsite.com.

0
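A small parser for maillog entries like the one quoted above, added here as an example (it is not code from the thread). It splits sendmail's `to=` lines into fields, counts sent/deferred/bounced attempts per relay with the deferral reasons, and lists queue entries that have been stuck longer than a day (the `delay=4+17:30:02` field above means four days). The first sample line is the thread's; the other three are constructed.

```python
"""Summarise sendmail maillog delivery attempts by relay and status.

Added example, not code from the thread. The first sample line is the entry
quoted in the thread; the other three are constructed to show a successful
delivery to an outside MX, a second deferral, and a from= envelope line that
is not a delivery attempt. Relay names and addresses are the thread's
placeholders.
"""
import re
from collections import Counter, defaultdict

# Syslog prefix, sendmail queue id, then the key=value fields of the entry.
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)

SAMPLE_MAILLOG = """\
Sep 10 09:09:07 www sendmail[12161]: i85Jd5KT015067: to=<tsmith@mywebsite.com>, ctladdr=<apache@www.mywebsite.com> (48/48), delay=4+17:30:02, xdelay=00:00:00, mailer=esmtp, pri=10470537, relay=mail.mywebsite.com., dsn=4.0.0, stat=Deferred: Connection refused by mail.mywebsite.com.
Sep 10 09:09:08 www sendmail[12162]: i8A9Ab3c015068: to=<mary@yahoo.com>, ctladdr=<apache@www.mywebsite.com> (48/48), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30500, relay=mx1.example.net. [192.0.2.25], dsn=2.0.0, stat=Sent (ok 1094821748 qp 12345)
Sep 10 09:09:09 www sendmail[12163]: i8A9Ac3d015069: to=<john@mywebsite.com>, ctladdr=<apache@www.mywebsite.com> (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30510, relay=mail.mywebsite.com., dsn=4.0.0, stat=Deferred: Connection refused by mail.mywebsite.com.
Sep 10 09:09:10 www sendmail[12164]: i8A9Ad3e015070: from=<apache@www.mywebsite.com>, size=512, class=0, nrcpts=1, msgid=<constructed@www.mywebsite.com>, relay=apache@localhost
"""


def parse_delivery_line(line):
    """Fields of a sendmail 'to=' line as a dict, or None for any other line."""
    m = _LINE_RE.match(line.strip())
    if not m or not m.group("rest").startswith("to="):
        return None
    # stat= is always the last field and its free text may itself contain ", ".
    head, _, stat = m.group("rest").partition(", stat=")
    fields = {"ts": m.group("ts"), "host": m.group("host"),
              "qid": m.group("qid"), "stat": stat}
    for pair in head.split(", "):
        key, _, value = pair.partition("=")
        fields[key] = value
    fields["to"] = fields["to"].strip("<>")
    fields["ctladdr"] = fields.get("ctladdr", "").split(" ")[0].strip("<>")  # drop " (uid/gid)"
    fields["relay"] = fields.get("relay", "").split(" ")[0].rstrip(".")     # drop " [ip]"
    return fields


def delay_seconds(delay):
    """Convert sendmail's delay=D+HH:MM:SS (days part optional) to seconds."""
    days, _, hms = delay.rpartition("+")
    h, m, s = (int(x) for x in hms.split(":"))
    return (int(days) if days else 0) * 86400 + h * 3600 + m * 60 + s


def summarise(log_text):
    """Per-relay counts of sent / deferred / bounced attempts plus the
    deferral or bounce reasons, keyed on the relay host name."""
    summary = defaultdict(lambda: {"sent": 0, "deferred": 0, "bounced": 0,
                                   "reasons": Counter()})
    for line in log_text.splitlines():
        f = parse_delivery_line(line)
        if f is None:
            continue
        entry = summary[f["relay"]]
        cls = f.get("dsn", "")[:2]          # "2." success, "4." transient, "5." permanent
        if cls == "2.":
            entry["sent"] += 1
        else:
            entry["deferred" if cls == "4." else "bounced"] += 1
            # "Deferred: Connection refused by host" -> "Connection refused by host"
            entry["reasons"][f["stat"].split(":", 1)[-1].strip()] += 1
    return dict(summary)


def stuck_deliveries(log_text, max_age_seconds=86400):
    """(qid, recipient, relay) for unsuccessful attempts older than max_age_seconds."""
    stuck = []
    for line in log_text.splitlines():
        f = parse_delivery_line(line)
        if f and not f.get("dsn", "").startswith("2.") \
                and delay_seconds(f["delay"]) > max_age_seconds:
            stuck.append((f["qid"], f["to"], f["relay"]))
    return stuck
```

Run against a real `/var/log/maillog`, a relay whose every attempt is "Connection refused" with multi-day delays points at a firewall rule or listener problem on that relay rather than at the message content.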
 
LVL 40

Expert Comment

by:jlevie
Connection refused by mail.mywebsite.com

Which indicates that the problem is either with your firewall not permitting an SMTP connection to mail.mywebsite.com or with the mail server.

On the linux machine try a 'telnet mail.mywebsite.com 25' and see if you get an SMTP welcome banner. You'll be able to verify that the Linux box is using the private IP because telnet will tell you what IP it is connecting to. Remember that the IP has to be the private IP, not the public Internet IP.
0
 
LVL 20

Expert Comment

by:Gns
Exactly. Couldn't have said it better... (and in part already did:-).
Thank you compinfo for sharing that crucial bit of info.

If it is the firewall rules giving you grief, remember that you need two SMTP rules, one for the regular thing between internet<->exchange, and one between DMZ<->exchange (or if you like from webserver<->exchange... and you might make it unidirectional from DMZ -> exchange too). Is your FB set as a drop-in "transparent" firewall or a routed config? (For Jim, this is either proxyarp "semi-bridging", or traditional routed configuration)... Easy way to know is if all interfaces share the same IP address (and have the public network address as a "related network") or have separate addresses.

-- Glenn
0
 

Author Comment

by:compinfo
JLEVIE:

Ok, from the linux (webserver) box, I *CAN* telnet to both the private IP address (192.168.16.3) and the DNS name (mail.mywebserver.com) and get a banner indicating the exchange box.

GNS:  

This FB is configured in drop-in mode.  I'm also working with Watchguard tech support on this issue and they seem to think it's from the linux webserver!  I am in the process of getting packet sniffing on both the trusted and the optional interfaces to show them what is going on.  I think once I get the trusted packet sniffing complete, we'll know a little bit more about what is going on here.  Incidentally, the optional packet sniffing has produced the "Connection Refused" log entry too.

Furthermore,  the public IP address is configured at the firewall level and NAT'd to the exchange mail server (55.55.55.3 --> 192.168.16.3).

Thanks to you BOTH for staying with me through this problem.  It is an interesting one!
0
 
LVL 20

Expert Comment

by:Gns
The question is _why_ would the exchange server refuse the webserver connection...
Could you simulate a mail transfer session like this:

# telnet mail.mywebserver.com 25
EHLO www.mywebsite.com
MAIL FROM: <root@www.mywebsite.com>
RCPT TO: <john@mywebsite.com>
DATA
From: root@www.mywebsite.com
To: john@mywebsite.com
Subject: "test"

This is a testmessage.... Terminated by a "." by itself on a line (just below this one:-)...
.
QUIT
#

Does this work? If not, where does it fail?

-- Glenn
0
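The session above, scripted so it can be repeated from the webserver and reports exactly which step fails. This is an added example, not code from the thread: `probe_relay()` does the connect / EHLO / MAIL FROM / RCPT TO exchange and stops before DATA, so nothing is queued; `start_fake_exchange()` and `unused_port()` are constructed helpers for the self-test, and the host names and addresses are the thread's placeholders.

```python
"""Scripted version of the telnet session the thread walks through by hand.

Added example, not code from the thread. probe_relay() performs the same
connect / EHLO / MAIL FROM / RCPT TO steps, stops before DATA so no message is
queued, and returns the first step that fails: a refused connection (the
thread's "Connection refused" deferral), a rejected sender, or a 550 on RCPT
when the server will not relay. start_fake_exchange() is a constructed stand-in
for the Exchange replies shown in the thread, used only for the self-test; host
names and addresses are the thread's placeholders.
"""
import smtplib
import socket
import threading


def probe_relay(host, port, helo, mail_from, rcpt_to, timeout=10):
    """Return (ok, steps); steps lists (stage, code, reply) in protocol order."""
    steps, stage = [], "connect"
    conn = smtplib.SMTP(local_hostname=helo, timeout=timeout)
    actions = (("connect", lambda: conn.connect(host, port)),
               ("ehlo", lambda: conn.ehlo(helo)),
               ("mail", lambda: conn.mail(mail_from)),
               ("rcpt", lambda: conn.rcpt(rcpt_to)))
    try:
        for stage, action in actions:
            code, reply = action()
            steps.append((stage, code, reply.decode(errors="replace")))
            # 220 is the greeting; 250/251 accept EHLO, MAIL and RCPT.
            if code not in ((220,) if stage == "connect" else (250, 251)):
                return False, steps
        conn.quit()  # QUIT without DATA: nothing is delivered
        return True, steps
    except (OSError, smtplib.SMTPException) as exc:
        # e.g. ConnectionRefusedError: no listener, or no firewall rule DMZ->trusted
        steps.append((stage, 0, f"{type(exc).__name__}: {exc}"))
        return False, steps
    finally:
        conn.close()


def start_fake_exchange(accept_rcpt=True):
    """Serve one constructed SMTP session on 127.0.0.1; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        c, _ = srv.accept()
        srv.close()
        rd = c.makefile("rb")
        c.sendall(b"220 mywebsite.com Microsoft ESMTP MAIL Service ready\r\n")
        for line in rd:
            verb = line.split()[0].upper() if line.split() else b""
            if verb == b"EHLO":
                c.sendall(b"250-mywebsite.com Hello [55.55.55.2]\r\n250 OK\r\n")
            elif verb == b"MAIL":
                c.sendall(b"250 2.1.0 Sender OK\r\n")
            elif verb == b"RCPT":
                c.sendall(b"250 2.1.5 Recipient OK\r\n" if accept_rcpt
                          else b"550 5.7.1 Unable to relay\r\n")
            elif verb == b"QUIT":
                c.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                c.sendall(b"500 5.5.1 Unrecognized command\r\n")
        rd.close()
        c.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """A localhost port with nothing listening, for the refused-connection case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against the real relay, run it from the webserver as `probe_relay("mail.mywebsite.com", 25, "www.mywebsite.com", "root@www.mywebsite.com", "john@mywebsite.com")`; a failure at "connect" is a firewall or listener problem, a 550 at "rcpt" is the Exchange relay policy.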
 
LVL 20

Expert Comment

by:Gns
Oh, and did you configure an SMTP proxy or filter?

-- Glenn
0
 

Author Comment

by:compinfo
GNS:

Ok, Here's what I got (telnetting from the linux webserver to the microsoft exchange server):

[root@www root]# telnet mail.mywebsite.com 25
Trying 192.168.16.3...
Connected to mail.mywebsite.com (192.168.16.3).
Escape character is '^]'.
220 mywebsite.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at  Mon, 13 Sep 2004 10:00:33 -0400

(When I did EHLO www.mywebsite.com, I got the following:)

EHLO mywebsite.com
250- mywebsite.com Hello [55.55.55.2]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK

MAIL FROM: <root@www.mywebsite.com>
250 2.1.0 root@www.mywebsite.com....Sender OK
RCPT TO: <jsmith@mywebsite.com>
250 2.1.5 jsmith@mywebsite.com
DATA
354 Start mail input; end with <CRLF>.<CRLF>
From: root@www.mywebsite.com
To: jsmith@mywebsite.com
Subject: "test"

This is a test message
.
250 2.6.0 <S04SBSvOIxJ2gWG6yhv00000653@mywebsite.com> Queued mail for delivery
QUIT
***********************

Proxy Services:

I have the following SERVICES configured on the firewall:

SMTP:  
INCOMING enabled and allowed from ANY to OPTIONAL
OUTGOING enabled and allowed from OPTIONAL and TRUSTED to ANY

SMTP SBS_2003:
INCOMING enabled and allowed from ANY to (55.55.55.3 -> 192.168.16.3)
OUTGOING enabled and allowed from ANY to ANY
 
***************************
0
 

Author Comment

by:compinfo
Oh!  And BTW, the test email DID SEND SUCCESSFULLY from the test above...
0
 
LVL 20

Expert Comment

by:Gns
Ok, splendid... Now we should focus on what _doesn't work_ instead:-). (Btw, I'd do the OUTGOING a bit more specific (I'm allergic to "Any" specifications:-), but (obviously) that works, so no real need to munge it).

Hum, so for some reason the LUSER_RELAY doesn't seem to do what it should.
I might be intolerably dense, but how is the sendmail at www.mywebsite.com to understand that recipients in "mywebsite.com" are "semi-local recipients"....? I'm leaning towards you trying to set a SMART_HOST instead of the LUSER_RELAY, just to see what gives.

-- Glenn
0
 
LVL 40

Expert Comment

by:jlevie
Okay... That says that mail can be sent if the Sendmail config is correct. I'd like to see what you currently have in /etc/hosts, /etc/mail/local-host-names, what 'hostname' returns, and what 'grep LUSER_RELAY /etc/mail/sendmail.mc' returns.
0
 

Author Comment

by:compinfo
BTW:  service sendmail restart  (restarts sendmail on RH ES 3) ;-)
0
 

Author Comment

by:compinfo
GLENN:

Well, I've tried both LUSER and SMART (Red Hat Tech support recommended to start with SMART and comment out LUSER).  Then restarted sendmail, still no go!

JLEVIE:

/etc/hosts:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain   localhost
192.168.16.3   mail.mywebsite.com

/etc/mail/local-host-names = empty, no entries.

Grep gives:

define('LUSER_RELAY', 'mail.mywebsite.com.com')dnl

* I just noticed the xtra '.com' above, is that a typo?




0
 
LVL 40

Expert Comment

by:jlevie
With that error in the define() and nothing in local-host-names and mail sent to an address like tsmith@mywebsite.com, I think Sendmail is using what an MX lookup for the domain returns. That would be the outside IP and you can't connect to it.

Since this box is a web server and since that implies a static IP and a hostname within mydomain (perhaps www.mywebsite.com) there should be an entry in /etc/hosts for that name/IP. Without it it's hard to say what Sendmail "thinks" its domain is.  And of course 'hostname' should also return that same name. Even when that's been attended to one should have all of the names/domains in /etc/mail/local-host-names that this system is known by so that Sendmail can unambiguously determine what it is supposed to handle mail for. In this case that means that the file should contain at least:

localhost.localdomain
localdomain
www.mywebsite.com
mywebsite.com

And sendmail.mc needs to contain:

define(`LUSER_RELAY', `mail.mywebsite.com')dnl
0
 
LVL 20

Expert Comment

by:Gns
> is that a typo?
Yes compinfo, as implied (if not expressly stated) by Jim.

> mywebsite.com
Jim, why do you insist on this? The webserver's sendmail is _not_ responsible for that domain, the exchange server is... True, the LUSER_RELAY will not work without it, but I see it as ... "intentionally wrong":-). As I would do things, the webserver shouldn't be sending mails directly to the internet at all, but rather relay all non-local mails through the exchange server, thus making it easier to apply corporate mailing policies and restrictions.
Oh well, I guess one can make it any way one wants:-)

-- Glenn
0
 
LVL 40

Expert Comment

by:jlevie
> Jim, why do you insist on this? The webservers sendmail is _not_ responsible for that domain

If the host name of the machine is in the mywebsite.com domain, or the reverse lookup of one of the IP's that sendmail binds to points to that name, Sendmail will presume that it is the mail server for the domain. It is possible to set up a web server in a completely different domain and have that hidden from sendmail, but the usual config will wind up with Sendmail thinking that it is the mail server for the domain. In that case SMART_HOST won't work because it only forwards non-local mail. The solution is to remove any doubt as to what domains Sendmail serves by listing all of them in local-host-names and use LUSER_RELAY.
0
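A small lint for the three files the thread keeps coming back to (sendmail.mc, /etc/mail/local-host-names and /etc/hosts), covering both jlevie's checklist above and the LUSER_RELAY versus SMART_HOST point. This is an added example, not code from the thread or from sendmail: the finding codes and function names are my own, and the sample inputs are constructed from the thread's placeholder names, with the "broken" set mirroring the typo'd define, empty local-host-names and missing hostname entry reported earlier in the thread.

```python
"""Lint the sendmail relay settings discussed in this thread.

Added example, not code from the thread or from sendmail. It takes the text of
sendmail.mc, /etc/mail/local-host-names and /etc/hosts (so it runs offline) and
reports the misconfigurations the thread ran into: a define() written with
'...' instead of the m4 quotes `...', a mis-spelled or absent LUSER_RELAY host,
an empty local-host-names, and a relay host that /etc/hosts does not map to a
private address reachable from the DMZ. The sample inputs are constructed from
the thread's placeholder names and addresses.
"""
import ipaddress
import re

# define(`NAME', `value') -- m4 opens with a backtick and closes with an
# apostrophe; the regex also accepts the wrong characters so it can flag them.
_DEFINE_RE = re.compile(r"^\s*define\(([`'])(\w+)[`']\s*,\s*([`'])([^`']*)[`']\)")

# Constructed inputs: the "broken" set mirrors what the thread found on the box.
BROKEN_MC = "define('LUSER_RELAY', 'mail.mywebsite.com.com')dnl\n"
FIXED_MC = "define(`LUSER_RELAY', `mail.mywebsite.com')dnl\n"
SMART_ONLY_MC = "define(`SMART_HOST', `mail.mywebsite.com')dnl\n"
BROKEN_LHN = ""
FIXED_LHN = "localhost.localdomain\nlocaldomain\nwww.mywebsite.com\nmywebsite.com\n"
BROKEN_HOSTS = "127.0.0.1   localhost.localdomain localhost\n192.168.16.3 mail.mywebsite.com\n"
FIXED_HOSTS = BROKEN_HOSTS + "55.55.55.2   www.mywebsite.com www\n"


def parse_hosts(text):
    """Map every name in /etc/hosts-style text to its address (comments ignored)."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            table[name.lower()] = parts[0]
    return table


def parse_defines(mc_text):
    """{NAME: (value, quoted_correctly)} for each define() line in sendmail.mc."""
    found = {}
    for line in mc_text.splitlines():
        m = _DEFINE_RE.match(line)
        if m:
            open1, name, open2, value = m.groups()
            found[name] = (value, open1 == "`" and open2 == "`")
    return found


def lint_relay_config(mc_text, lhn_text, hosts_text, mail_domain, hostname):
    """Return a list of (code, detail) findings; an empty list means nothing found."""
    findings = []
    defines = parse_defines(mc_text)
    hosts = parse_hosts(hosts_text)
    lhn = {l.strip().lower() for l in lhn_text.splitlines()
           if l.strip() and not l.startswith("#")}

    for name, (value, quoted_ok) in defines.items():
        if not quoted_ok:
            findings.append(("m4-quotes",
                             f"write define(`{name}', `{value}')dnl; '...' is not an m4 quote"))
    if "LUSER_RELAY" not in defines:
        findings.append(("relay-missing",
                         "no LUSER_RELAY: SMART_HOST only forwards non-local mail, so "
                         f"{mail_domain} recipients without an account here will bounce"))
    else:
        relay = defines["LUSER_RELAY"][0].lower().rstrip(".")
        if relay not in hosts:
            findings.append(("relay-not-in-hosts",
                             f"{relay} is not in /etc/hosts; it would be resolved via public DNS"))
        elif not ipaddress.ip_address(hosts[relay]).is_private:
            findings.append(("relay-not-private",
                             f"{relay} -> {hosts[relay]} is the public address; from the DMZ "
                             "the relay must be reached on its private address"))
    if not lhn:
        findings.append(("lhn-empty", "local-host-names is empty"))
    else:
        for needed in (hostname, mail_domain):
            if needed.lower() not in lhn:
                findings.append(("lhn-missing", f"{needed} is not listed in local-host-names"))
    if hostname.lower() not in hosts:
        findings.append(("hostname-not-in-hosts", f"{hostname} has no /etc/hosts entry"))
    return findings
```

On the box itself, feed it the real files with `open(...).read()`; an empty result is the state jlevie's comment describes.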
 
LVL 20

Expert Comment

by:Gns
Ok. I'll willingly defer to your expertise here (since I've left the sendmail sphere since a while back:-). Sounds a bit stupid, or at least "overoptimistic" on sendmail's part.

-- Glenn
0
 

Author Comment

by:compinfo
Hey, I just want this stuff to work!!!  :)
0
 
LVL 40

Accepted Solution

by:
jlevie earned 500 total points
It will, I promise... It's just a matter of getting the system and Sendmail config into the correct form.

Have you adjusted things to match my earlier comment?
0
