  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2192

Sendmail not accepting connections outside corporate network

Hello Experts,

I run CentOS 5.2 (32-bit) on a host named mail-2 and am trying to set up a simple sendmail server. I have followed all the necessary steps; however, I cannot receive any mail through it from outside our corporate network (172.20.x.x). I can telnet to mail-2 with no problems on the inside from any of the machines in that range.
I have boxes outside to test whether I can send an old-fashioned telnet message over port 25, and it fails to connect.

I have checked and double-checked: there are no iptables firewalls, and I have adjusted our firewall so that SMTP traffic can pass through from outside.

It should be noted that we are using Postini, and this server is used only as a mail gateway in front of the Exchange server, i.e. simply passing mail out and taking mail in.

Any help is greatly appreciated!
[root@mail-2 mail]# more sendmail.mc
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
RELAY_DOMAIN(`obsmtp.com')
RELAY_DOMAIN(`postini.com')
define(`SMART_HOST', `outbounds5.obsmtp.com')
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 20.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl # DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
----------------------------------------------------------------------
[root@mail-2 mail]# ps -ax | grep sendmail
 
 2101 ?        Ss     0:01 sendmail: accepting connections
 2109 ?        Ss     0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
 9905 ?        Ss     0:00 sendmail: ./n1HICd06009903 outbounds5.obsmtp.com.: client DATA status
 9907 pts/0    S+     0:00 grep sendmail
 
------------------------------------------------------------------
If you take a look at sendmail.mc, I commented out:
DaemonPortOptions=Port=smtp,Addr=x.x.x.x, Name=MTA as recommended to accept any address.
-------------------------------------------------------------------
[root@mail-2 mail]# netstat -nltp | grep -E "(:25|:110)"
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2101/sendmail: acce
 
-------------------------------------------------------------------


0
Asked by: worpx

4 Solutions
 
Dirtpatch-JenkinsCommented:
Many ISPs block port 25 to reduce spam. Make sure that's not the case with you.
0
 
worpxAuthor Commented:
We run dedicated fiber. Our ISP services are for corporate networks. We already run 4 other sendmail servers, but all are older distros. I set up this box with the latest Linux kernel and sendmail 8.13.
0
 
fosiul01Commented:
Hi there,

You are saying you can't receive any email from outside?

If yes, then have you created alias usernames and defined which domain they will receive email for?

And have you also edited local-host-names with the proper domain name?
0
 
worpxAuthor Commented:
Yes, I can't get any email from outside. local-host-names is filled out with the proper domain info.

Alias usernames? You mean for the virtusertable? I wouldn't use this, because all sendmail is doing is passing mail from Postini to the Exchange server and back again as a relay.

postini (outside) -> mail-2 -> exchange
0
 
fosiul01Commented:

It's not the virtual table;

it's /etc/newaliases

username:username@yourdomain.com

then run: newaliases


Suppose username@yourdomain.com is the email account for the user "username", and email will come to this server mail2 for this user; then you need to create new aliases for username.

Does it make sense?

Otherwise I did not understand what you meant by "this server is just working as a relay".
 
0
 
worpxAuthor Commented:
Ah, I see what you mean now, but I do not have a file /etc/newaliases, nor one in /etc/mail. Any suggestions?
0
 
fosiul01Commented:
No, it's

cd /etc
vi aliases

then insert this

username:username@mydomain.com

then save the file

then type: newaliases

so it will create the new aliases.
0
 
worpxAuthor Commented:
"suppose username@yourdomain.com is the email account for the user "username" and email will come to this server mail2 for this user then you need to create newaliases  for username "

I did not have to do this on any of the other sendmail servers. If you look up at my config, I have a smart host defined for outbound, and for incoming I have my Exchange server defined in mailertable to forward all email there for mydomain.com.
mailertable:
mydomain.com esmtp:[172.20.1.x]

Also, I tried inserting it into aliases just for a sample user, and it did not work. This does not address the connectivity problem: I cannot simply telnet to mail-2 on 25 from outside, as my problem states.
0
 
fosiul01Commented:
Hmm,
I am now confused about the setup...

My first question would be:

If I sent an email to user@mydomain.com, which server would be responsible for receiving mail for this domain?

What is the MX record saying? Is it this sendmail server or your Exchange server?
0
 
worpxAuthor Commented:
I downloaded tcping, which can ping open ports over TCP; I have learned that this is strictly a port issue. How can I absolutely make sure sendmail is open on port 25 (besides what I already have up there in the code section)?

Probing x.x.48.7:22/tcp - Port is open (20 bytes read) - time=32ms
Probing x.x.48.7:22/tcp - Port is open (20 bytes read) - time=15ms
Probing x.x.48.7:25/smtp - Connection timed out
Probing x.x.48.7:25/smtp - Connection timed out
0
 
worpxAuthor Commented:
if i sent an email to user@mydomain.com , which server would be responsible to recieved mail for this domain ??
Postini handles the email, then forwards all good mydomain.com email to the sendmail server. The sendmail server simply forwards it along (via mailertable) to Exchange.
0
 
fosiul01Commented:
You will have to open it via iptables:

iptables -A INPUT -p tcp --dport 25 -j ACCEPT
0
 
fosiul01Commented:
Also, from the Postini server, telnet to your sendmail server:

telnet <sendmail server IP> 25

If the Postini server is responsible for forwarding email, then I would say to check whether your Postini server is forwarding email to the sendmail server or not,

because if you create aliases and insert the domain name in local-host-names, sendmail should receive email without any problem.

0
 
worpxAuthor Commented:
Tried iptables -A INPUT -p tcp --dport 25 -j ACCEPT and no luck. I turned off the SELinux firewall and all other firewall settings.
0
 
worpxAuthor Commented:
"also from postini server to do telnet to your sendmail server.."
That's what I'm trying to do... even from a simple machine outside the company, I cannot telnet to mail-2 25... connection refused...
0
 
fosiul01Commented:
OK, can you telnet to port 25 on the sendmail server PC?

Try with any Windows PC, or any PC, or from the poshni PC: telnet to port 25 on the sendmail server.
0
 
fosiul01Commented:
".even from a simple machine outisde the company and I cannot telnet mail-2 25...connection refused... "


OK, let's do this one by one.

1. Do telnet from an internal PC, not from outside your network. For example, from the poshni PC, telnet to your sendmail server.
2. What is this poshni PC? Is it a mail server as well? At the time of receiving email, you said the poshni PC forwards all the email to the sendmail server, so I guess the poshni PC is also a mail server, right? It's receiving email and then forwarding it to sendmail?
0
 
worpxAuthor Commented:
It's not poshni, it's Postini (part of Google): http://www.google.com/postini/email.html
They do all the email filtering instead of us having to do SpamAssassin, ClamAV, etc.

1. I can telnet from any internal PC. No external PCs. The connection is refused.
2. Postini's are inbound mail servers that clean and check the mail, then forward all the good mail to mail-2. Mail-2 is running sendmail, which forwards to the Exchange box (a front-end machine).

The problem is simply that telnet over port 25 does not work. Which files govern telnetting over port 25? I need to check all the right spots.
0
 
fosiul01Commented:
To telnet from outside of your network:

Do you have any firewall in your network?

Then from the firewall you need to forward port 25 to your sendmail server.
0
 
worpxAuthor Commented:
I have an ASA; I already mentioned above that I checked and double-checked all firewall settings (SELinux, iptables, and hardware firewalls; I can confirm that it is OPEN).

It is something else that I am missing, either some other hosts file or setting that is preventing it from connecting on port 25.
0
 
fosiul01Commented:
You said you can telnet to 25 from an internal PC, so that means port 25 is open on the sendmail server.

Now you are saying you can't telnet from outside, so that means some firewall is giving this error.

In your main firewall, where the ISP line is connected,

did you port-forward 25 to your sendmail server or not?

It would be

firewall port -> 25 -> sendmail server

You need to define that port 25 will map to the sendmail server.

Have you done this?
0
 
worpxAuthor Commented:
Yes, it is port-forwarded for both SSH and SMTP; I have tested SSH and it works no problem (opened port 22), but I cannot connect to port 25.
0
 
fosiul01Commented:
OK, can I see the iptables rules on your sendmail server PC?

cd /etc/sysconfig/

vi iptables

Copy and paste the output here.
0
 
worpxAuthor Commented:
[root@mail-2 ~]# more /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_netbios_ns"

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"
0
 
fosiul01Commented:
Not iptables-config, just iptables.

There should be a file called just iptables,

which should be at /etc/sysconfig/iptables
0
 
worpxAuthor Commented:
[root@mail-2 ~]# system-config-securitylevel
setenforce: SELinux is disabled

I don't have a /etc/sysconfig/iptables, just that config file. I tried to find it and I don't have that file anywhere via "locate iptables"; just the program under /etc/init.d.

CentOS 5.2 = RHEL 5
0
 
worpxAuthor Commented:
[root@mail-2 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
 
fosiul01Commented:
OK, now this is a little bit frustrating....

There is something wrong with your network setup... which I am missing.

Bottom line is: if you can telnet to the sendmail server from an internal PC, and if you have port-forwarded 25 to that sendmail server, you should be able to telnet from outside. But you can't.

When you are telnetting from outside, are you doing it like this: telnet <your ISP public IP> 25?

Go to this site http://www.canyouseeme.org/

and check which ports are open.

0
 
worpxAuthor Commented:
I can't browse to it because I don't have X installed. Is there another way?

[root@mail-2 ~]# netstat -anp | grep 25
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2101/sendmail: accept


[root@mail-2 ~]# netstat -anp | grep 22
tcp        0      0 :::22                       :::*                        LISTEN      2021/sshd

0
 
fosiul01Commented:
There is no point checking on the sendmail server, because it is listening on port 25; you can telnet to 25 from any internal PC.

It's not your sendmail server, I can guarantee you.

It's your network or firewall or something which is not right... which we need to find out.

Do you have any Windows PC in your internal network? From that Windows PC, go to that site and look for open ports.
0
 
worpxAuthor Commented:
OK, I used: http://www.yougetsignal.com/tools/open-ports/
to check the firewall settings. I assigned a different static NAT'd outside IP and forwarded ports 22 and 25.
22:
 Port 22 is open on x.x.48.15.
25:
 Port 25 is closed on x.x.48.15.
I verified 25 is open on other mail servers with no problems. It seems to be blocking it at the box; the question is what.....
0
 
fosiul01Commented:
Port 25 is closed on x.x.48.15, so that means it's closed from outside.

Now your comment: I verified 25 is open on other mail servers with no problems.

So can you telnet to the other sendmail servers from outside?

How many public IPs have you got connected to your network?


0
 
worpxAuthor Commented:
Yes, if I open it up, I can telnet to the mail servers from the outside. We have an entire subnet to ourselves (0-255 IP addresses).
0
 
fosiul01Commented:
You meant "if you open it up", so that means those mail servers are not running, is that right?

Tell me something:
you said that email will go to poshni first, then be scanned, then go to sendmail, right?

So the sendmail server is not directly connected to the firewall to receive email, is it?

Or do you have something set up so that email will go to poshini first and then from there go to sendmail?

I need to make this clear, hmm.

0
 
worpxAuthor Commented:
No, open it up to the public vs. just Postini. It is normally only open to Postini because it would be an open relay if it were open to all IP addresses, so as a quick test I opened it to all IP addresses so that I could perform that test to verify port 25 is open on those sendmail machines.

On this sendmail machine it is closed, but port 22 is answering.

mail-2 sendmail is directly connected to the firewall and has an outside IP address to receive the mail from Postini, but for now I cannot communicate with the outside world because Postini is saying that they cannot connect on port 25. Port 25 is refusing connections. I have outside machines that cannot telnet to mail-2 25 because of connection refused, but SSH on port 22 works fine from outside.

So I am still at the same place... the firewall is open, there is no SELinux firewall, no iptables, and yet something is refusing connections on 25. That's why I asked whether there are any other spots I should check that might be refusing telnet connections on 25.
0
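
The relay restriction worpx describes in the post above (port 25 open only to Postini, because opening it to everyone would make the box an open relay) has two halves: the firewall, and sendmail's own access map. The sendmail.mc in the question grants relaying with RELAY_DOMAIN(`obsmtp.com') and RELAY_DOMAIN(`postini.com'), which is keyed on the connecting client's resolved hostname; an access map keyed on the client's IP address does not depend on reverse DNS. The script below is an added example, not code from this thread, from Postini or from the sendmail project: it renders the access-map entries and the matching iptables rules from one list of networks. The networks in it are placeholders from the RFC 5737 documentation range, not Postini's real ranges (those have to come from the vendor); the access-file path is the CentOS default that the posted sendmail.mc already uses, and the function names are mine.

```shell
#!/bin/sh
# Added example: build the sendmail access-map entries and the firewall rules
# that limit inbound SMTP (and relaying) to a known set of networks.
# The network list used at the bottom is a placeholder (RFC 5737 documentation
# addresses), NOT Postini's real address ranges.

# sendmail's access map matches IPv4 clients by dotted prefix, not by CIDR, so
# only /8, /16, /24 and /32 can be expressed. Any other prefix length must be
# enumerated as /24s or enforced at the firewall; we refuse it rather than guess.
access_prefix() {   # $1 = a.b.c.d/len -> prints the dotted prefix, or fails
  ap_ip=${1%/*}; ap_len=${1#*/}
  ap_oldifs=$IFS; IFS=.; set -- $ap_ip; IFS=$ap_oldifs
  case $ap_len in
    8)  echo "$1" ;;
    16) echo "$1.$2" ;;
    24) echo "$1.$2.$3" ;;
    32) echo "$1.$2.$3.$4" ;;
    *)  return 1 ;;
  esac
}

# Render an /etc/mail/access fragment. The Connect: tag restricts the entry to
# the connecting client's address (an untagged entry would also match sender
# addresses). Only the listed networks and loopback get RELAY; any other client
# is not granted relaying, so it can at most deliver to the local domains.
render_access() {   # $@ = CIDRs
  for ra_c in "$@"; do
    ra_p=$(access_prefix "$ra_c") || { echo "unsupported prefix length: $ra_c" >&2; return 1; }
    printf 'Connect:%s\tRELAY\n' "$ra_p"
  done
  printf 'Connect:127.0.0.1\tRELAY\n'
}

# Render the filter-table rules that go with it: accept tcp/25 only from the
# same networks and REJECT the rest. REJECT (not DROP) on purpose: a rejected
# client sees "connection refused" immediately, a dropped one sees a timeout,
# and the difference is the first thing you want to know when debugging.
render_iptables() {   # $@ = CIDRs
  for ri_c in "$@"; do
    printf 'iptables -A INPUT -p tcp -s %s --dport 25 -j ACCEPT\n' "$ri_c"
  done
  printf 'iptables -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset\n'
}

# Usage. Placeholder networks: replace with the ranges your filtering vendor
# publishes. Install the fragment with:
#   render_access $NETS > /etc/mail/access && makemap hash /etc/mail/access < /etc/mail/access
NETS="192.0.2.0/24 198.51.100.0/24"
echo "# /etc/mail/access fragment"
render_access $NETS
echo "# firewall rules"
render_iptables $NETS
```

FEATURE(`access_db') is already in the posted sendmail.mc, so the map is consulted as soon as it is rebuilt with makemap; the iptables rules belong on the host as well as on the ASA, since the thread shows how easily "the firewall is open" and "the box answers" get conflated when only one of them is checked.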
 
fosiul01Commented:
You know, this would be a problem because.....

About this comment of yours:

"Thats why I said is there any other spots that I should check that might be refusing telnet connections on 25?": as I said earlier, if you can telnet to 25 on the sendmail server from an internal PC, then port 25 is open.

Now 2 options:

1. Sometimes iptables only allows the incoming port from the internal network but will not allow anything coming from outside.

Suppose I type this [please ignore the iptables syntax]

iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 25 -j ACCEPT ; it will only allow connections to port 25 from the internal network; the outside network will not get any connection.

But you are saying you don't have any iptables rules.

2. You are saying: "cannot communicate with the outside world because postini is saying that they cannot connect on port 25. port 25 is refusing connections."

But earlier you said that you can telnet from Postini to your sendmail server...

Now you are saying: sendmail is directly connected to the firewall, which is fine,

but again you are saying email would be forwarded to the sendmail server from Postini,
so that means Postini is working as a receiving server, then forwarding the email to sendmail.

So from my point of view you should port-forward to the Postini server rather than the sendmail server.


Like our network: we have Exchange set up, and on the same PC we have email virus-checking software, so email enters the virus-checking software first, then goes to the Exchange server.

For you it should be the same thing, is it not: email should go to the Postini server, and from there it would be filtered to the sendmail server..
Hmm.

Let me have a look at the Postini web site to see how this works.

I am just imagining your setup, but I can tell the problem is between your Postini server and sendmail server.

..
0
 
fosiul01Commented:
OK, tell me something:

Did you install this Postini on a local PC? Is it software installed on a PC, or is it like you pay Postini and change the MX record to the Postini server [which is the vendor],

and email will go to the Postini server, and from there it will be referred to your network via a public IP?


I got this idea from this post

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23584204.html 
0
 
fosiul01Commented:
Sorry, do this.

I know what happened!!!

You need to enable this line in sendmail:

dnl # DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

then type the make command,
then restart sendmail.

It will work 100%.
0
 
fosiul01Commented:
Check line 120:

dnl # DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

You need to uncomment this line,

then type the make command,

then restart the sendmail server.
0
 
fosiul01Commented:
Are you there!!

In your other post you said

DaemonPortOptions=Port=smtp,Addr=x.x.x.x, Name=MTA as recommended to accept any address.


This line would be

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl


so you will be able to telnet from outside.

Have you done this?


0
 
worpxAuthor Commented:
uncommented so it says:
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

and did make -C /etc/mail

restarted sendmail, still same problem.
0
 
fosiul01Commented:
In your other post you said you have this line enabled:

DaemonPortOptions=Port=smtp,Addr=x.x.x.x, Name=MTA as recommended to accept any address.


Have you disabled that line?

If you enabled it this way,
DaemonPortOptions=Port=smtp,Addr=85.69.65.33, Name=MTA as recommended to accept any address.

then you would be able to telnet from that IP only,

so you need to disable that line.
0
 
worpxAuthor Commented:
Yes, I had it disabled by commenting it out:
dnl #DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
and did make -C /etc/mail
restarted sendmail, still same problem.

so i uncommented to test if it was only that and:
uncommented so it says:
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

and did make -C /etc/mail

restarted sendmail, still same problem.
0
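
Two things in the exchange above are worth separating before the config is touched again. First, the probes reported two different failures at different times: tcping saw "Connection timed out" (nothing answered, which is what a DROP rule, an ACL, or a NAT entry that is not forwarding looks like), while the later attempts saw "connection refused" (something answered with a TCP reset, which is what a REJECT rule or a host with nothing listening on that address produces). Second, Addr= in DAEMON_OPTIONS is the local address sendmail binds to, not a list of clients allowed to connect; with no DAEMON_OPTIONS at all, sendmail listens on port 25 on every interface, which is exactly what the netstat output in the question shows (0.0.0.0:25). The script below is an added example, not code from this thread or from the sendmail project, that turns both distinctions into checks: it classifies a listening-socket line, reads the bind address out of the generated sendmail.cf, probes a port and names the failure mode, and lists the filter-table INPUT rules (the iptables command run above only listed the nat table, which does not show INPUT filtering at all). It assumes a Linux host with iptables, either ss or netstat, coreutils timeout, and bash for /dev/tcp; the function names and the sample input are mine.

```shell
#!/bin/sh
# Added example: triage for "SMTP answers internally but not from outside".
# Assumes Linux with iptables, ss or netstat, coreutils `timeout`, and bash
# (for /dev/tcp). The sendmail.cf path is the CentOS default from the thread.

# Classify the address a daemon has bound for a port, from netstat -nltp or
# ss -nltp output on stdin: wildcard, loopback, specific:<addr>, or none.
# A wildcard bind means the daemon itself is not what keeps outsiders out.
listener_scope() {   # $1 = port
  ls_line=$(grep -E ":$1[[:space:]]" | grep -i listen | head -n 1)
  [ -z "$ls_line" ] && { echo none; return 0; }
  ls_addr=$(printf '%s\n' "$ls_line" | awk '{print $4}')   # "Local Address:Port" column
  ls_addr=${ls_addr%:*}                                    # strip ":port"
  case $ls_addr in
    0.0.0.0|'*'|::|'[::]')   echo wildcard ;;
    127.0.0.1|::1|'[::1]')   echo loopback ;;
    *)                       echo "specific:$ls_addr" ;;
  esac
}

# Read the bind address of one named daemon from the generated sendmail.cf
# (every DAEMON_OPTIONS in the .mc becomes an "O DaemonPortOptions=" line).
#   any  -> no Addr= given: listens on all interfaces (also the built-in
#           default when no DaemonPortOptions line exists at all)
#   none -> daemons are defined but none with this name, so no such listener
# Addr= is where sendmail listens, not who may connect; client restrictions
# belong in the access map and the firewall.
daemon_bind_addr() {   # $1 = daemon name (default MTA); stdin = sendmail.cf
  db_name=${1:-MTA}
  db_all=$(grep -E '^O[[:space:]]*DaemonPortOptions=' || :)
  [ -z "$db_all" ] && { echo any; return 0; }
  db_opts=$(printf '%s\n' "$db_all" | grep -E "Name=$db_name(,|[[:space:]]|$)" | head -n 1)
  [ -z "$db_opts" ] && { echo none; return 0; }
  db_addr=$(printf '%s\n' "$db_opts" | tr ',' '\n' | sed -n 's/^[[:space:]]*Addr=//p' | head -n 1)
  if [ -z "$db_addr" ]; then echo any; else echo "$db_addr"; fi
}

# Connect to host:port and say how it failed.
#   open    -> handshake completed
#   timeout -> nothing answered: DROP rule, ACL, or NAT not forwarding
#   closed  -> a reset (or unreachable) came back: REJECT rule, NAT forwarded
#              to a host with no listener, or a daemon bound to another address
probe_tcp() {   # $1 = host, $2 = port, $3 = seconds (default 5)
  if timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then pt_rc=0; else pt_rc=$?; fi
  case $pt_rc in
    0)   echo open ;;
    124) echo timeout ;;
    *)   echo closed ;;
  esac
}

# Everything on this box that governs inbound tcp/25, in one place (run as root).
# Red Hat builds sendmail with TCP wrappers, so hosts.allow/hosts.deny are
# checked too: a wrappers deny completes the TCP handshake and then refuses the
# SMTP session, so it never shows up as a connect failure.
show_path_to_25() {
  echo "## filter table INPUT (policy line, then any rule touching dpt:25)"
  iptables -L INPUT -n -v | grep -E 'policy|dpt:25'
  echo "## TCP wrappers entries that could apply to sendmail"
  grep -hE '^(sendmail|ALL)' /etc/hosts.allow /etc/hosts.deny 2>/dev/null
  echo "## listener scope for port 25"
  (ss -nltp 2>/dev/null || netstat -nltp) | listener_scope 25
  echo "## bind address configured for the MTA daemon"
  daemon_bind_addr MTA < /etc/mail/sendmail.cf
}

# Demo on constructed input (the listener line worpx posted); no network needed.
sample='tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2101/sendmail: acce'
printf '%s\n' "$sample" | listener_scope 25
```

Run show_path_to_25 on mail-2 itself, then probe_tcp against the public address from a host outside the ASA; if the box reports wildcard and any while the outside probe reports timeout, the packets are not reaching the socket and the next place to look is the NAT and access-list on the firewall, not sendmail.cf.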
 
fosiul01Commented:
OK, can you attach your sendmail file again, please?



Also

go to: cd /etc/mail

then type

make

If there is no change it should tell you nothing to make. Does it say that?
0
 
fosiul01Commented:
I will be off for 1 hour.

If your firewall is fine, if your iptables is fine,
then the only option is that line.

But make sure you don't have this line:

DaemonPortOptions=Port=smtp,Addr=x.x.x.x, Name=MTA

Delete this line if you have it;

the only line would be
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

From my PC, if I type make -C /etc/mail it does not work;
that's why I said

go to /etc/mail

then type make

If you didn't change anything it will say "nothing to make";
if you have changed anything it will just execute the command.

Also please copy and paste your sendmail file.



0
 
worpxAuthor Commented:
[root@mail-2 mail]# more sendmail.mc | grep DAEMON
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')

[root@mail-2 mail]# more sendmail.mc
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
RELAY_DOMAIN(`obsmtp.com')
RELAY_DOMAIN(`postini.com')
define(`SMART_HOST', `outbounds5.obsmtp.com')
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 20.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The stock line here is DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA'),
dnl # which makes sendmail listen only on the IPv4 loopback address 127.0.0.1
dnl # and not on any other network device. The Addr= restriction has been
dnl # removed below so the daemon accepts email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction to listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, laptops and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl

fosiul01Commented:
Hmm, your sendmail file looks all right now.

If you make it and restart sendmail, and after that you are unable to telnet, hmm...

I am stuck... something we are missing... it can't be the sendmail server because you said no iptables...

if you go to

cd /etc/mail

then type

make

1. What does it say?

also :

if you type

service iptables restart

2. Does it show anything?
worpxAuthor Commented:
[root@mail-2 mail]# make
make: Nothing to be done for `all'.

[root@mail-2 mail]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: nat filter                [  OK  ]
Unloading iptables modules:                                [  OK  ]

fosiul01Commented:
also :

In the sendmail.cf file,

look whether this line is all right:

O DaemonPortOptions=Port=smtp, Name=MTA

bash-3.2# cat sendmail.cf | grep  DaemonPortOption
O DaemonPortOptions=Family=inet, Port=465, Name=MTA-SSL, M=s
O DaemonPortOptions=Port=smtp, Name=MTA

worpxAuthor Commented:
[root@mail-2 mail]# cat sendmail.cf | grep  DaemonPortOption
O DaemonPortOptions=Port=smtp, Name=MTA
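The DaemonPortOptions check in the exchange above can be made mechanical. The following POSIX shell script is an added example, not code from the thread or from sendmail itself: it parses the `O DaemonPortOptions=` lines of a sendmail.cf and reports whether any listener on a given port is reachable from the network or only bound to loopback. A leftover `Addr=127.0.0.1` is the usual reason a daemon answers telnet on the host itself but nowhere else; the line quoted in this thread already has no `Addr=`, and the script confirms that in one step. `SAMPLE_CF` is a constructed configuration for the offline demo, and the listener names in it are made up.

```shell
#!/bin/sh
# Added example: parse the DaemonPortOptions lines of a sendmail.cf and
# report which listeners accept network connections. SAMPLE_CF is a
# constructed configuration for the offline demo; on a live host use
#   daemon_listeners < /etc/mail/sendmail.cf
#   network_listener_on smtp < /etc/mail/sendmail.cf

SAMPLE_CF='O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
O DaemonPortOptions=Port=submission, Name=MSA, M=Ea
O DaemonPortOptions=port=smtp,Addr=::1, Name=MTA-v6, Family=inet6'

# Turn one option string ("Port=smtp, Name=MTA, ...") into "NAME PORT ADDR".
# sendmail treats the keys case-insensitively; numeric ports are mapped to
# their service names so "25" and "smtp" compare equal. ADDR is "any" when
# no Addr= is given, which is what sendmail does (bind to all interfaces).
parse_daemon_opts() {
    name=unnamed port=smtp addr=any
    old_ifs=$IFS; IFS=','; set -f          # split on commas, no globbing
    for tok in $1; do
        tok=${tok#"${tok%%[! ]*}"}         # strip leading spaces
        key=$(printf '%s' "${tok%%=*}" | tr 'A-Z' 'a-z')
        val=${tok#*=}
        case $key in
            name) name=$val ;;
            port) port=$val ;;
            addr) addr=$val ;;
        esac
    done
    IFS=$old_ifs; set +f
    case $port in
        25)  port=smtp ;;
        587) port=submission ;;
        465) port=smtps ;;
    esac
    printf '%s %s %s\n' "$name" "$port" "$addr"
}

# One line per listener: NAME PORT ADDR SCOPE, read from a sendmail.cf on stdin.
# SCOPE is loopback-only for 127.0.0.1/::1 and network for anything else.
daemon_listeners() {
    sed -n 's/^O DaemonPortOptions=//p' |
    while IFS= read -r opts; do
        set -- $(parse_daemon_opts "$opts")
        case $3 in
            127.0.0.1|::1) scope=loopback-only ;;
            *)             scope=network ;;
        esac
        printf '%s %s %s %s\n' "$1" "$2" "$3" "$scope"
    done
}

# Return 0 if some listener on port $1 (service name) is reachable from the
# network, else print a warning and return 1.
network_listener_on() {
    if daemon_listeners | awk -v p="$1" '$2 == p && $4 == "network" { found = 1 }
                                          END { exit (found ? 0 : 1) }'; then
        echo "ok: network listener on port $1"
    else
        echo "WARNING: no network listener on port $1 (missing or bound to loopback)"
        return 1
    fi
}

# Offline demo on the constructed sample.
printf '%s\n' "$SAMPLE_CF" | daemon_listeners
printf '%s\n' "$SAMPLE_CF" | network_listener_on smtp || :
printf '%s\n' "$SAMPLE_CF" | network_listener_on submission
```

The script only reads what the .cf says. Whether the running daemon has picked that up is a separate check: after `make -C /etc/mail` and a sendmail restart, `netstat -tlnp` should show a sendmail process bound to :25 on an address other than 127.0.0.1, and only then is a firewall or routing question worth chasing.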
fosiul01Commented:
What's the output of this command? I am thinking you have

chkconfig --list

to see if there is any user-defined firewall running or not...


also : IPtables -A input - p tcp --dport 25 -j ACCEPT

then service iptables save
then service iptables restart

Now show the output of
iptables -L
worpxAuthor Commented:
[root@mail-2 ~]# chkconfig --list
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:off   6:off
NetworkManagerDispatcher 0:off   1:off   2:off   3:off   4:off   5:off   6:off
acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-dnsconfd  0:off   1:off   2:off   3:off   4:off   5:off   6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
capi            0:off   1:off   2:off   3:off   4:off   5:off   6:off
conman          0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
dhcdbd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
dund            0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:on    4:off   5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
hidd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
ibmasm          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
irqbalance      0:off   1:off   2:on    3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
microcode_ctl   0:off   1:off   2:on    3:on    4:on    5:on    6:off
multipathd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
netplugd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
oddjobd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
pand            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pcscd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
psacct          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
readahead_early 0:off   1:off   2:on    3:on    4:on    5:on    6:off
readahead_later 0:off   1:off   2:off   3:off   4:off   5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcgssd         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcidmapd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcsvcgssd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
smartd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
winbind         0:off   1:off   2:off   3:off   4:off   5:off   6:off
wpa_supplicant  0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off

[root@mail-2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mail-2 ~]# iptables -A input -p tcp --dport 25 -j ACCEPT
iptables: No chain/target/match by that name

worpxAuthor Commented:
You had an error in syntax, I corrected it.
[root@mail-2 ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
[root@mail-2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mail-2 ~]#

fosiul01Commented:
OK, any luck after that? I guess not.

this one is making me mad

Can you email the domain name to me? [If you want; I just want to check the domain with the dnsstaff website.]

my mail address is fosiul at gmail dot com
worpxAuthor Commented:
I solved it!!
For reference, look at your sendmail.swp file; it had an old host-name and that was the entire problem. Shut down sendmail, removed the swap, and started sendmail. Everything works great. Thanks for all the clues!
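As an added example, not part of the thread, here are two checks that make the diagnosis in the solved post above repeatable: ask sendmail which canonical host name (`$j`) it has actually derived and compare it with the name you expect, and look for editor leftovers (vim swap files, backups, emacs autosaves) in the configuration directory. It assumes the SYSTEM IDENTITY banner format that `sendmail -bt -d0.1 </dev/null` prints; `SAMPLE_IDENTITY` is constructed output in that format with made-up host names, so the demo runs without sendmail installed.

```shell
#!/bin/sh
# Added example: two checks for a stale host name in a sendmail setup.
# identity_check parses the SYSTEM IDENTITY block that
#   sendmail -bt -d0.1 </dev/null
# prints and compares sendmail's canonical name ($j) with the expected FQDN;
# editor_leftovers lists editor swap/backup files under a config directory.
# SAMPLE_IDENTITY is constructed output in that format; host names are made up.

SAMPLE_IDENTITY='Version 8.13.8
============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = mail-2
  (canonical domain name) $j = mail-2.corp.example
         (subdomain name) $m = corp.example
              (node name) $k = mail-2.corp.example
========================================================'

# Print the value of one identity macro (w, j, m or k) from -d0.1 output on stdin.
identity_macro() {
    grep -F "\$$1 = " | sed 's/.*= //'
}

# Compare sendmail's $j with the expected FQDN given as $1. Returns 1 on mismatch.
identity_check() {
    actual=$(identity_macro j)
    if [ "$actual" = "$1" ]; then
        echo "ok: sendmail \$j = $actual"
    else
        echo "MISMATCH: sendmail \$j = '$actual', expected '$1'"
        return 1
    fi
}

# List vim swap files, editor backups and emacs autosave files directly under $1.
# Such files are not read by sendmail or by make -C /etc/mail, but they are
# the first place to look when a config directory behaves unexpectedly.
editor_leftovers() {
    find "$1" -maxdepth 1 \( -name '*.swp' -o -name '*~' -o -name '#*#' \) -print | LC_ALL=C sort
}

# Live use on a host with sendmail installed:
#   sendmail -bt -d0.1 </dev/null | identity_check "$(hostname -f)"
#   editor_leftovers /etc/mail
printf '%s\n' "$SAMPLE_IDENTITY" | identity_check mail-2.corp.example
printf '%s\n' "$SAMPLE_IDENTITY" | identity_check mail-2.old.example || :
```

`$j` is what sendmail puts in its SMTP banner and uses to decide which mail is local, so it is worth checking whenever a host has been renamed; if it differs from `hostname -f`, the `sendmail -bt -d0.1` output shows the name the daemon will actually use.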
fosiul01Commented:
There is no sendmail.swp file on my machine.

It's something your company is doing by themselves!!!