Solved

Linux CentOS sendmail queuing some messages relaying others

Posted on 2013-01-13
Last Modified: 2013-03-16
So our sendmail stopped sending out notifications for SVN service about a month ago. So I've racked my brains trying to figure out why. We recently deployed an Exchange server (Exchange Enterprise 2010). I've managed to get sendmail to run sendemail -v myname@mydomain.com and it relays the message just fine, I can access the test message on my Exchange server, but when I do the same process changing the email address to myname@gmail.com /tail reports the message stat=queued.

For security actual domain/address have been replaced with wildcards.

[root@PnPSamba mail]# sendmail -v myname@gmail.com
15 615 testing the st^H^Ht
.
myname@gmail.com... Connecting to [127.0.0.1] via relay...
220 PnPSamba.pnp?,????? ESMTP Sendmail 8.13.8/8.13.8; Sun, 13 Jan 2013 22:47:43 -0700
>>> EHLO PnPSamba.pnp?,?????
250-PnPSamba.pnp?,????? Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From:<root@PnPSamba.pnp?,?????> SIZE=25
250 2.1.0 <root@PnPSamba.pnp?,?????>... Sender ok
>>> RCPT To:<myname@gmail.com>
>>> DATA
250 2.1.5 <myname@gmail.com>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 r0E5lhF3009919 Message accepted for delivery
myname@gmail.com... Sent (r0E5lhF3009919 Message accepted for delivery
)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 PnPSamba.pnp?,????? closing connection
[root@PnPSamba mail]# tail -f /var/log/maillog
Jan 13 22:43:51 PnPSamba sendmail[9886]: r0E5ha76009884: r0E5hp76009886: DSN: hash map "Alias1": unsafe map file /home/majordomo/majordomo-1.94.5/majordomo.aliases.db: Permission denied
Jan 13 22:43:51 PnPSamba sendmail[9886]: r0E5hp76009886: to=<root@PnPSamba.pnp?.local>, delay=00:00:00, mailer=local, pri=31574, stat=queued
Jan 13 22:47:43 PnPSamba sendmail[9917]: r0E5lXvK009917: from=root, size=25, class=0, nrcpts=1, msgid=<201301140547.r0E5lXvK009917@PnPSamba.pnp?,?????>, relay=root@localhost
Jan 13 22:47:43 PnPSamba sendmail[9919]: r0E5lhF3009919: from=<root@PnPSamba.pnpi.?????>, size=326, class=0, nrcpts=1, msgid=<201301140547.r0E5lXvK009917@PnPSamba.pnp?,?????>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jan 13 22:47:43 PnPSamba sendmail[9917]: r0E5lXvK009917: to=jeremy.werderman@gmail.com, ctladdr=root (0/0), delay=00:00:10, xdelay=00:00:00, mailer=relay, pri=30025, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0E5lhF3009919 Message accepted for delivery)
Jan 13 22:47:43 PnPSamba sendmail[9921]: STARTTLS=client, relay=exchange.pnp?.?????., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
Jan 13 22:47:48 PnPSamba sendmail[9921]: r0E5lhF3009919: to=<jeremy.werderman@gmail.com>, ctladdr=<root@PnPSamba.pnp?,?????> (0/0), delay=00:00:05, xdelay=00:00:05, mailer=relay, pri=120326, relay=exchange.pnp?,?????. [192.168.15.35], dsn=5.7.1, stat=User unknown
Jan 13 22:47:58 PnPSamba sendmail[9921]: r0E5lhF3009919: SYSERR(root): hash map "Alias1": unsafe map file /home/majordomo/majordomo-1.94.5/majordomo.aliases.db: Permission denied
Jan 13 22:47:58 PnPSamba sendmail[9921]: r0E5lhF3009919: r0E5lwF3009921: DSN: hash map "Alias1": unsafe map file /home/majordomo/majordomo-1.94.5/majordomo.aliases.db: Permission denied
Jan 13 22:47:58 PnPSamba sendmail[9921]: r0E5lwF3009921: to=<root@PnPSamba.pnp?.local>, delay=00:00:00, mailer=local, pri=31573, stat=queued
Question by:OrderlyChoas

Expert Comment

by:suriyaehnop
ID: 38773493
Do you mean that when changing To: to myname@gmail.com from sendmail, Exchange is not able to relay the email to the internet, while with To: your@internal.com from sendmail you are able to read the email on your Exchange?

Try checking the Send Connector on Exchange. You have to put * so that any email that does not match your internal domain/accepted domain name is routed to DNS/smart host before being sent to the internet.

Author Comment

by:OrderlyChoas
ID: 38773506
Where exactly does the * go?

Expert Comment

by:suriyaehnop
ID: 38773538
It is not Exchange server. You log on to your Exchange server | Run Exchange Management Console.

I'm not sure whether to expand the Organization or Server level (I'm currently not able to access the Exchange server). Click on Hub Transport and you will see the "Send Connector" tab.

Expert Comment

by:arnold
ID: 38773768
Based on the sendmail log, your Exchange server seems to treat gmail.com as a local domain, or this is a result of failing to establish a TLS session:
Jan 13 22:47:43 PnPSamba sendmail[9921]: STARTTLS=client, relay=exchange.pnp?.?????., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
Jan 13 22:47:48 PnPSamba sendmail[9921]: r0E5lhF3009919: to=<jeremy.werderman@gmail.com>, ctladdr=<root@PnPSamba.pnp?,?????> (0/0), delay=00:00:05, xdelay=00:00:05, mailer=relay, pri=120326, relay=exchange.pnp?,?????. [192.168.15.35], dsn=5.7.1, stat=User unknown

One option would be to set up a transport rule for gmail.com destined recipients to avoid being sent through the Exchange server.
 
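A way to read the maillog excerpt quoted above mechanically, as an added example that is not part of the original thread: it follows a message across its two queue IDs and separates the local hand-off from the reply of the next hop. The sample log is constructed from the structure of the question's log, with placeholder host names and addresses.

```python
import re

# Constructed sample modelled on the maillog in the question; host names and
# addresses are placeholders, not values from the original post.
SAMPLE_LOG = """\
Jan 13 22:47:43 mta sendmail[9917]: r0E5lXvK009917: to=user@example.net, ctladdr=root (0/0), delay=00:00:10, mailer=relay, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r0E5lhF3009919 Message accepted for delivery)
Jan 13 22:47:43 mta sendmail[9921]: STARTTLS=client, relay=exchange.example.local., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
Jan 13 22:47:48 mta sendmail[9921]: r0E5lhF3009919: to=<user@example.net>, delay=00:00:05, mailer=relay, relay=exchange.example.local. [192.0.2.35], dsn=5.7.1, stat=User unknown
Jan 13 22:47:58 mta sendmail[9921]: r0E5lhF3009919: SYSERR(root): hash map "Alias1": unsafe map file /home/majordomo/majordomo-1.94.5/majordomo.aliases.db: Permission denied
Jan 13 22:47:58 mta sendmail[9921]: r0E5lwF3009921: to=<root@mta.example.local>, delay=00:00:00, mailer=local, pri=31573, stat=queued
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (?:(?P<qid>[A-Za-z0-9]{14}): )?(?P<body>.*)$")
HANDOFF = re.compile(r"^Sent \((?P<child>[A-Za-z0-9]{14}) Message accepted")

def fields(body):
    """Split sendmail's 'key=value, key=value' body into a dict."""
    return dict(p.split("=", 1) for p in body.split(", ") if "=" in p)

def triage(log_text):
    """Return (kind, queue_id, detail) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        qid, body = m.group("qid"), m.group("body")
        f = fields(body)
        if f.get("STARTTLS") == "client" and f.get("verify") == "FAIL":
            # A cipher was negotiated, but the peer certificate did not verify.
            findings.append(("tls-unverified", None, f["relay"]))
        elif body.startswith("SYSERR") and "unsafe map file" in body:
            findings.append(("unsafe-map", qid, body.split("unsafe map file ")[1]))
        elif "stat" in f:
            handoff = HANDOFF.match(f["stat"])
            if handoff and "127.0.0.1" in f.get("relay", ""):
                # 'Sent' here only means the local daemon took the message.
                findings.append(("local-handoff", qid, handoff.group("child")))
            elif f.get("dsn", "").startswith("5."):
                findings.append(("rejected", qid, f"{f['dsn']} {f['stat']} from {f['relay']}"))
            elif f["stat"] == "queued":
                findings.append(("queued", qid, f["to"]))
    return findings
```

Run over the sample, the `queued` entry belongs to a different queue ID than the rejected message: it is the bounce addressed to root, held back by the alias map permission error.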

Author Comment

by:OrderlyChoas
ID: 38774416
It may be worth mentioning that Exchange seems to have no problem sending its own mail to the outside world.

Expert Comment

by:arnold
ID: 38775066
The issue is with the interaction between sendmail and exchange. Note there is a response coming from exchange to sendmail 5.7.1 User Unknown.

Try the following from the system on which sendmail is running: telnet 192.168.15.35 25
and perform a simple SMTP session.
Anything after the command needs to be replaced with appropriate data
ehlo sendmail_server
mail from: <sender_email_address>
rcpt to: <recipient_email_address>
data
From: <sender_email_address>
To: <recipient_email_address>
Subject: testing

This is a test to ...
.

Upon the last entry (.) you should get a response from your Exchange in the form of 2xx that it accepted the message. If you get anything else, it means Exchange rejected the attempt.
One thing to make sure is that Exchange is configured to allow relaying from the sendmail system in addition to authenticated relaying, which is likely why you can send through the Exchange using an email client.

Presumably if you attempt a telnet session as described above from your local workstation, you may encounter a similar situation whereby exchange rejects the submission of an email to an external destination.
 
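The manual session described above can be scripted so the internal and external recipient are compared from the same client address; this is an added example, not part of the original thread. It assumes the server gives its relay decision at RCPT TO, so it resets after that step and submits no message; the HELO name and the wording of the verdicts are placeholders, and the 5.7.x and 5.1.x classes follow RFC 3463.

```python
import smtplib

def probe_relay(host, sender, recipient, port=25, helo="sendmail-host.example"):
    """Replay the envelope part of the manual session and return each reply.

    Stops after RCPT TO and resets, so no message is submitted.
    """
    replies = []
    smtp = smtplib.SMTP(timeout=15)
    try:
        replies.append(("connect", *smtp.connect(host, port)))
        replies.append(("ehlo", *smtp.ehlo(helo)))
        replies.append(("mail", *smtp.mail(sender)))
        replies.append(("rcpt", *smtp.rcpt(recipient)))
        smtp.rset()
        smtp.quit()
    finally:
        smtp.close()
    return [(stage, code, text.decode(errors="replace")) for stage, code, text in replies]

def interpret(replies):
    """Describe the first non-2xx reply of a probe_relay() transcript."""
    for stage, code, text in replies:
        if 200 <= code < 300:
            continue
        # Enhanced status code (RFC 3463) is the first token when present.
        enhanced = text.split()[0] if text[:1].isdigit() else ""
        if stage == "rcpt" and code >= 500 and enhanced.startswith("5.7."):
            return f"policy rejection at RCPT ({code} {text}): relay not permitted for this client"
        if stage == "rcpt" and code >= 500 and enhanced.startswith("5.1."):
            return f"address rejection at RCPT ({code} {text}): recipient not accepted"
        kind = "temporary" if code < 500 else "permanent"
        return f"{kind} failure at {stage}: {code} {text}"
    return "envelope accepted: server takes mail for this recipient from this client"

if __name__ == "__main__":
    # Host and addresses are placeholders; replace with your own relay and mailboxes.
    for rcpt in ("user@internal.example", "user@external.example"):
        print(rcpt, "->", interpret(probe_relay("192.0.2.35", "root@sendmail-host.example", rcpt)))
```

If the internal recipient is accepted and the external one is rejected with a 5.7.x code, the server is refusing to relay for the sendmail host's address rather than failing on the message itself.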

Author Comment

by:OrderlyChoas
ID: 38789365
So when trying to send to an external address the log is reporting 5.7.1 and 5.1.1 error.  Is there a way to use specific credentials that sendmail should use?

Expert Comment

by:arnold
ID: 38790121
A Local account defined on the system can be used.
A log entry means that the server to which your server is trying to deliver the message is not allowed to do it.  The complete error message should include a description of the error
5.7.1 relaying denied
5.1.1 Not authorized

Without knowing what server your system was accessing it is impossible for me to know what is missing.  If sendmail on external connection has to authenticate, it is a configuration option.

Accepted Solution

by:OrderlyChoas
ID: 38975631
We ended up abandoning the Linux mail transport client and just routed everything through our Exchange server.

Author Closing Comment

by:OrderlyChoas
ID: 38991451
Question ended up not being answered and an alternative method of circumventing the Linux sendmail client was found.