Network_Padawan
asked on
SMTP Helo commands not recognised
Hi guys,
Confused here.
Trying to do some smtp tests on our centos 5.3 mail gateway (postfix). Tried to do some smtp tests via a telnet session, and I cant get any of the commands work.
Ive tried ehlo, hello, helo, and none of these works. All say "error: command not recognised"
Do i need to install or enable something to allow this work?
Confused here.
Trying to do some smtp tests on our centos 5.3 mail gateway (postfix). Tried to do some smtp tests via a telnet session, and I cant get any of the commands work.
Ive tried ehlo, hello, helo, and none of these works. All say "error: command not recognised"
Do i need to install or enable something to allow this work?
ASKER
Hi,
[root@corpmail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
Can't connect locally....
[root@corpmail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
Can't connect locally....
OK this means that your postfix is not running or has a problem
run this command /etc/init.d/postfix status and post the output please
also do in another terminal tail -f /var/log/miallog
run this command /etc/init.d/postfix status and post the output please
also do in another terminal tail -f /var/log/miallog
ASKER
Hi, Postfix is running...
login as: root
root@203.38.180.X password:
Last login: Fri Oct 23 15:42:55 2009 from 10.X.X.X
[root@corpmail ~]# /etc/init.d/postfix status
master (pid 27900) is running...
[root@corpmail ~]#
Not sure how much logs you want but it seems to be processing mail just fine:
Here is a sample of the logs that are being generated...
login as: root
root@203.38.180.201's password:
Last login: Fri Oct 23 15:42:55 2009 from 10.152.0.52
[root@corpmail ~]# /etc/init.d/postfix status
master (pid 27900) is running...
[root@corpmail ~]# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@corpmail ~]# tail -f /var/log/maillog
Oct 25 20:29:00 corpmail postfix/smtpd[20423]: 8F4803E7004F: client=exprod7mx185 .postini.com[64.18.2.192]
Oct 25 20:29:01 corpmail postfix/smtpd[20423]: CAF7E3E7004F: client=exprod7mx185 .postini.com[64.18.2.192]
Oct 25 20:29:02 corpmail postfix/cleanup[20483]: CAF7E3E7004F: message-id=<0P0H5 3Q779W29429.WBCFOUJKRT.A98 7A51C37@an ula>
Oct 25 20:29:02 corpmail postfix/qmgr[27903]: CAF7E3E7004F: from=<+._-customerca retl@unitedwholesale.com.a u>, size=3955, nrcpt=1 (queue active)
Oct 25 20:29:02 corpmail postfix/smtpd[20423]: disconnect from exprod7mx185.post ini.com[64.18.2.192]
Oct 25 20:29:02 corpmail postfix/smtp[20471]: CAF7E3E7004F: to=<customercaretl@u nitedwholesale.com.au>, relay=10.152.0.104[10.152. 0.104]:25, delay=1.2, delays=0 .84/0/0.05/0.28, dsn=2.6.0, status=sent (250 2.6.0 <0P0H53Q779W29429.WBCFOUJK RT. A987A51C37@anula> Queued mail for delivery)
Oct 25 20:29:02 corpmail postfix/qmgr[27903]: CAF7E3E7004F: removed
Oct 25 20:29:04 corpmail postfix/smtpd[20482]: connect from exprod7mx260.postini .com[64.18.2.114]
Oct 25 20:29:05 corpmail postfix/smtpd[20482]: 3E4783E7004F: client=exprod7mx260 .postini.com[64.18.2.114]
Oct 25 20:29:07 corpmail postfix/smtpd[20482]: disconnect from exprod7mx260.post ini.com[64.18.2.114]
Oct 25 20:30:01 corpmail postfix/anvil[20382]: statistics: max connection rate 2/60s for (smtp:211.47.217.7) at Oct 25 20:24:26
Oct 25 20:30:01 corpmail postfix/anvil[20382]: statistics: max connection count 2 for (smtp:211.47.217.7) at Oct 25 20:24:26
Oct 25 20:30:01 corpmail postfix/anvil[20382]: statistics: max cache size 1 at Oct 25 20:24:26
Now, I can telnet to the server on port 25 from any other machine...so not sure if this means that postfix has an issue...
login as: root
root@203.38.180.X password:
Last login: Fri Oct 23 15:42:55 2009 from 10.X.X.X
[root@corpmail ~]# /etc/init.d/postfix status
master (pid 27900) is running...
[root@corpmail ~]#
Not sure how much logs you want but it seems to be processing mail just fine:
Here is a sample of the logs that are being generated...
login as: root
root@203.38.180.201's password:
Last login: Fri Oct 23 15:42:55 2009 from 10.152.0.52
[root@corpmail ~]# /etc/init.d/postfix status
master (pid 27900) is running...
[root@corpmail ~]# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@corpmail ~]# tail -f /var/log/maillog
Oct 25 20:29:00 corpmail postfix/smtpd[20423]: 8F4803E7004F: client=exprod7mx185 .postini.com[64.18.2.192]
Oct 25 20:29:01 corpmail postfix/smtpd[20423]: CAF7E3E7004F: client=exprod7mx185 .postini.com[64.18.2.192]
Oct 25 20:29:02 corpmail postfix/cleanup[20483]: CAF7E3E7004F: message-id=<0P0H5 3Q779W29429.WBCFOUJKRT.A98
Oct 25 20:29:02 corpmail postfix/qmgr[27903]: CAF7E3E7004F: from=<+._-customerca retl@unitedwholesale.com.a
Oct 25 20:29:02 corpmail postfix/smtpd[20423]: disconnect from exprod7mx185.post ini.com[64.18.2.192]
Oct 25 20:29:02 corpmail postfix/smtp[20471]: CAF7E3E7004F: to=<customercaretl@u nitedwholesale.com.au>, relay=10.152.0.104[10.152.
Oct 25 20:29:02 corpmail postfix/qmgr[27903]: CAF7E3E7004F: removed
Oct 25 20:29:04 corpmail postfix/smtpd[20482]: connect from exprod7mx260.postini .com[64.18.2.114]
Oct 25 20:29:05 corpmail postfix/smtpd[20482]: 3E4783E7004F: client=exprod7mx260 .postini.com[64.18.2.114]
Oct 25 20:29:07 corpmail postfix/smtpd[20482]: disconnect from exprod7mx260.post ini.com[64.18.2.114]
Oct 25 20:30:01 corpmail postfix/anvil[20382]: statistics: max connection rate 2/60s for (smtp:211.47.217.7) at Oct 25 20:24:26
Oct 25 20:30:01 corpmail postfix/anvil[20382]: statistics: max connection count 2 for (smtp:211.47.217.7) at Oct 25 20:24:26
Oct 25 20:30:01 corpmail postfix/anvil[20382]: statistics: max cache size 1 at Oct 25 20:24:26
Now, I can telnet to the server on port 25 from any other machine...so not sure if this means that postfix has an issue...
Ok maybe you have it on certain interfaces
under /etc/postfix/main.cf
interfaces=
The value to this directive should correspond to the interfaces you want postfix to listen to so if you have
interfaces=all
you should telnet to it locally and remotely
Also do the following to check what ports are open on your interfaces
nmap 127.0.0.1 and
nmap local.server.ip.addr
Note: you need to have sendmail off , maybe previously you had sendmail running which will stop your postfix, anyway to make sure that it does not come up suddenly
/etc/init.d/sendmail stop
chkconfig sendmail off
chkconfig --add postfix
chkconfig postfix on
under /etc/postfix/main.cf
interfaces=
The value to this directive should correspond to the interfaces you want postfix to listen to so if you have
interfaces=all
you should telnet to it locally and remotely
Also do the following to check what ports are open on your interfaces
nmap 127.0.0.1 and
nmap local.server.ip.addr
Note: you need to have sendmail off , maybe previously you had sendmail running which will stop your postfix, anyway to make sure that it does not come up suddenly
/etc/init.d/sendmail stop
chkconfig sendmail off
chkconfig --add postfix
chkconfig postfix on
ASKER
Hey you are right...inet_interfaces is set to only the public IP address.....
Ok, does this really affect the HELO command from an external connection though?
I may be able to telnet locally but I'm not sure how that affects the smtp test commands.
Ok, does this really affect the HELO command from an external connection though?
I may be able to telnet locally but I'm not sure how that affects the smtp test commands.
Yes it does
It does effect that local mails will not be relayed which is a bad idea
set inet_interfaces = 127.0.0.1 and the ip of your interface
If the Helo command does not work it means your mail will not receive mail when connected to it.
In simple words when other mail servers send your server a message or a client is sending from your server ( one of your own clients) they will issue a Helo command to the server so if it does not answer they operation will break.
Hope it helped.
It does effect that local mails will not be relayed which is a bad idea
set inet_interfaces = 127.0.0.1 and the ip of your interface
If the Helo command does not work it means your mail will not receive mail when connected to it.
In simple words when other mail servers send your server a message or a client is sending from your server ( one of your own clients) they will issue a Helo command to the server so if it does not answer they operation will break.
Hope it helped.
ASKER
Hi smallstudent, sorry was away for a week and could not reply.
Mail is not relayed locally, it is just a gateway that forwards mail to our exchange server. There are no mailboxes on this box. Should I still change the inet interface to 127.0.0.1?
Mail is not relayed locally, it is just a gateway that forwards mail to our exchange server. There are no mailboxes on this box. Should I still change the inet interface to 127.0.0.1?
Yes because you need your system to send local emails to root for notifications and cron jobs that the system needs.
ASKER
k thanks will do now and report
ASKER
I did as you said, I did the following
inet_interfaces = 127.0.0.1, 203.38.X.X
then I did "postfix reload"
Still same issue. Mail is coming and outgoing just fine. This is so wierd.
inet_interfaces = 127.0.0.1, 203.38.X.X
then I did "postfix reload"
Still same issue. Mail is coming and outgoing just fine. This is so wierd.
run netstat -an | grep ':25'
See to which IP/interface postfix is bound.
ifconfig -a
lsof -p <pid_postfix> see which TCP port it is listenting on.
Could it be that you configured postfix to listen on an alternate port (not 25)?
See to which IP/interface postfix is bound.
ifconfig -a
lsof -p <pid_postfix> see which TCP port it is listenting on.
Could it be that you configured postfix to listen on an alternate port (not 25)?
Hi,
please set your
inet_interfaces = all
please set your
inet_interfaces = all
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The issue could be that when you hit <enter> it is not sent as a <carriage return><line Feed>
but as a <line feed> or <carriage return> alone.
The other issue is whether during your typing of helo hostname or ehlo hostname (the difference deals with whether the session is SMTP or ESMTP) you hit the backspace where there is an extraneous character in the stream while one is not seen on the screen.
A backspace in a data stream is a control character (^H) or (^~) The interface you use to establish the connection on port 25 will interpret the backspace as a deletion and will move the cursor accordingly, the stream however includes the complete set of keystrokes typed.
but as a <line feed> or <carriage return> alone.
The other issue is whether during your typing of helo hostname or ehlo hostname (the difference deals with whether the session is SMTP or ESMTP) you hit the backspace where there is an extraneous character in the stream while one is not seen on the screen.
A backspace in a data stream is a control character (^H) or (^~) The interface you use to establish the connection on port 25 will interpret the backspace as a deletion and will move the cursor accordingly, the stream however includes the complete set of keystrokes typed.
ASKER
>>> Although "502 5.5.2 Error: command not recognized" is indeed the postfix response to an unknown command
Thats exactly what I am getting. I type the correct hostname and still got the same error. I am going through an ASA which one poster said could be changing the packet, which seems to be the issue as I was able get the HELO command working from with in the the same subnet, in other words, went I dont go through the ASA/PIX it works, otherwise I get the error.
I'm glad Ive been able to find out the issue so thank you. Is there any change in the ASA I need to make to ensure that the HELO commands work?
Thats exactly what I am getting. I type the correct hostname and still got the same error. I am going through an ASA which one poster said could be changing the packet, which seems to be the issue as I was able get the HELO command working from with in the the same subnet, in other words, went I dont go through the ASA/PIX it works, otherwise I get the error.
I'm glad Ive been able to find out the issue so thank you. Is there any change in the ASA I need to make to ensure that the HELO commands work?
ASKER
It was infact the ASA causing this. In the ASA we removed the "inspect esmtp" command and now the HELO command works.
Thanks all for you input.
Thanks all for you input.
HELO commands should work through an ASA if the syntax is 100% correct as per the RFC. This may be a little difficult to do via telnet, as mentioned if you are missing a parameter, or type the command as "Helo" or "helo" instead of "HELO"....
Mail servers like Postfix are permissive and may accept the command anyways, but not a firewall or strict mail server.
What the ASA does is it passes all the SMTP commands entered through a simple state machine.
If the command isn't something it recognizes as a valid SMTP command, or it sees a sequence of commands that aren't a valid sequence for the SMTP protocol as specified in the RFC, or sees an invalid progression.., it censors the command text with "*"s.
It can be a very good thing, or just an annoying thing, depending on your mail server, and your needs. For the average SMTP server that only exists to accept outbound mail for a locally hosted domain it's generally a good thing.
This was especially useful with mail servers that have commands that are a security risk... for example "EXPN" pr "VRFY" to see the real-name of a user, or to validate that an e-mail account exists without attempting to send a message.
KILL / WIZ commands, etc
In case you were unaware... various mail servers have commands that are dangerous. Public mail servers are at constant risk of attack, so usually mail-guard is a good thing (except when you need the advanced features, such as ESMTP pipelining, DSN, or TLS authenticated SMTP sessions, and the need is important enough that it's worth the risk).
KILL / WIZ were the extreme examples, that allowed arbitrary command execution as root, once upon a time.. in Sendmail's dark days...
Mail servers like Postfix are permissive and may accept the command anyways, but not a firewall or strict mail server.
What the ASA does is it passes all the SMTP commands entered through a simple state machine.
If the command isn't something it recognizes as a valid SMTP command, or it sees a sequence of commands that aren't a valid sequence for the SMTP protocol as specified in the RFC, or sees an invalid progression.., it censors the command text with "*"s.
It can be a very good thing, or just an annoying thing, depending on your mail server, and your needs. For the average SMTP server that only exists to accept outbound mail for a locally hosted domain it's generally a good thing.
This was especially useful with mail servers that have commands that are a security risk... for example "EXPN" pr "VRFY" to see the real-name of a user, or to validate that an e-mail account exists without attempting to send a message.
KILL / WIZ commands, etc
In case you were unaware... various mail servers have commands that are dangerous. Public mail servers are at constant risk of attack, so usually mail-guard is a good thing (except when you need the advanced features, such as ESMTP pipelining, DSN, or TLS authenticated SMTP sessions, and the need is important enough that it's worth the risk).
KILL / WIZ were the extreme examples, that allowed arbitrary command execution as root, once upon a time.. in Sendmail's dark days...
ASKER
Thanks Mysida, we have removed the "inspect ESMTP" from the ASA. Do you advise against this then?
I wouldn't necessarily recommend against removing ESMTP inspection.
It would be more a concern about (any) other mail servers on your network that you allow remote access to, other than this postfix server.
You are running postfix, is very safe. The source code is available, applying patches should be very simple (an apt-get upgrade or yum update in most distros).
Postfix doesn't run as root, it utilizes insulation, processes can run as different users, and be chrooted. If you need ESMTP, features, especially, there are good reasons to remove the inspect esmtp.
However, if you have an Exchange server, other proprietary, or old sendmail servers on your network that you allow port 25 connections to from untrusted hosts across this same ASA, you might really have some use for mailguard.
There can be significant mitigation of security risks in SMTP software such as Exchange that is difficult to update, or that updates are infrequently available for.
That's all.
Unfortunately, in current versions of the PIX, mailguard is basically all-or-nothing Originally you could select your mailhosts using the "mailhost" command, but in the last versions of the PIX, it was "fixup" instead
With ASA, you could be in luck in that regard..
On ASA 8.2, documentation shows the ability to use "inspect esmtp [map name]", if needed, from class config mode.
Through which I believe a more granular policy can be mapped to inspect.
It would be more a concern about (any) other mail servers on your network that you allow remote access to, other than this postfix server.
You are running postfix, is very safe. The source code is available, applying patches should be very simple (an apt-get upgrade or yum update in most distros).
Postfix doesn't run as root, it utilizes insulation, processes can run as different users, and be chrooted. If you need ESMTP, features, especially, there are good reasons to remove the inspect esmtp.
However, if you have an Exchange server, other proprietary, or old sendmail servers on your network that you allow port 25 connections to from untrusted hosts across this same ASA, you might really have some use for mailguard.
There can be significant mitigation of security risks in SMTP software such as Exchange that is difficult to update, or that updates are infrequently available for.
That's all.
Unfortunately, in current versions of the PIX, mailguard is basically all-or-nothing Originally you could select your mailhosts using the "mailhost" command, but in the last versions of the PIX, it was "fixup" instead
With ASA, you could be in luck in that regard..
On ASA 8.2, documentation shows the ability to use "inspect esmtp [map name]", if needed, from class config mode.
Through which I believe a more granular policy can be mapped to inspect.
Also check /var/log/maillog and post here what the error are