Solved

Please help with sendmail and my FQDN (HELO)

Posted on 2013-06-27
620 Views
Last Modified: 2013-07-09
Hi,
I have set up sendmail on my Ubuntu web server to send mail from our website.
But lots of servers are rejecting mail like this:
SMTP; 550 Access denied - Invalid HELO name

I have only my hostname "genius" in my /etc/hostname file - I believe this is correct for ubuntu?
So how do I get sendmail to "HELO" my FQDN?
It does show in my mail headers, but clearly not in my HELO
Also, how can I see what my HELO is?
Thanks
steve

PS. These look correct?
root@genius:~# hostname
genius
root@genius:~# hostname --fqdn
genius.bowens.co.za.

Question by:StevenHook
29 Comments

Accepted Solution

by: Zephyr ICT (earned 500 total points)
ID: 39281402
What is the output when you connect to your server through telnet?

i.e.: telnet <yourserver> 25


Then just type "HELO me@somedomain.com" to see if you get a reply.

To configure the fqdn in sendmail, this could be the way: http://serverfault.com/questions/205271/how-to-specify-outgoing-helo-with-sendmail

Author Comment

by:StevenHook
ID: 39281604
Hi,
Thanks
Before I started, here are my telnet results - they seem OK to me, so I don't understand why I am getting the bounced mail?
root@genius:/etc/mail# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 genius.bowens.co.za. ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Thu, 27 Jun 2013 16:47:20 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
HELO rapidstudio.co.za
250 genius.bowens.co.za. Hello localhost [127.0.0.1], pleased to meet you


I did try that solution, but it just gave me errors:
root@genius:/etc/mail# m4 sendmail.mc > sendmail.cf
*** ERROR: FEATURE() should be before MAILER()
*** MAILER(`local') must appear after FEATURE(`always_add_domain')
*** ERROR: FEATURE() should be before MAILER()
*** MAILER(`local') must appear after FEATURE(`allmasquerade')
*** ERROR: FEATURE() should be before MAILER()

So I swapped the last 2 sections: http://linux.koolsolutions.com/2010/10/14/tip-fixing-sendmail-configuration-error/
and added line at the bottom of the file.
seemed to work
restarted sendmail ...

telnet seems to be the same (except I left off the trailing . from the FQDN - as I understand it, an FQDN should have a trailing . at the end?):

root@genius:/etc/mail# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 genius.bowens.co.za ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Thu, 27 Jun 2013 16:50:37 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
HELO rapidstudio.co.za
250 genius.bowens.co.za Hello localhost [127.0.0.1], pleased to meet you


But I don't see why I'm getting the 505 bounces.

Expert Comment

by:Zephyr ICT
ID: 39281626
What happens when you check from outside of the network, like a remote mail server would, or check with mxtoolbox.com...

Author Comment

by:StevenHook
ID: 39281651
Hi,
I don't think port 25 is open for incoming connections on the firewall.
This server is only used to send, not to receive. I didn't think it was necessary to expose all that to the public?
I assumed because of NAT any transactions initiated by our server will be allowed?
Tx.
Steve

PS...
It's also got 6 IPs, 3 main ones and 3 failover ones - so at any time, 3 of them will be unavailable anyway. - I don't know if this is a bad thing too?

Expert Comment

by:Zephyr ICT
ID: 39281778
Hmmm...

You should consider making a separate mx record for your server and make sure your PTR resolves back to that mx record as well.

Make an A record like mail.domain.com 194.0.0.1
then make an mx record pointing to the mail.domain.com
and a PTR for it as well ...

That will be better I think, having multiple IP's resolving to the same mx record might give problems.

Author Comment

by:StevenHook
ID: 39283523
Hi,
Yes, I have all of those records set up for genius.bowens.co.za:
Type      TTL      Data      
A       1 hour       196.213.216.227      
A       1 hour       196.214.155.187      
A       1 hour       196.214.155.179      
A       1 hour       196.213.216.219      
A       1 hour       196.214.155.195      
A       1 hour       196.214.155.203      
MX       1 hour       10 genius.bowens.co.za.      
PTR       1 hour       genius.bowens.co.za.      
SPF       1 min       v=spf1 a mx ip4:196.214.155.203 ~all      
I have all 6 of those IPS under the PTR which was created by my ISP.

I have another record for the same server which is updated live with 2 live IPs that rotate (webserver.bowens.co.za). Should I point the MX to that rather? I just wanted to keep all the mail records under one hostname, the real hostname of the machine, so that it would be more stable. The web traffic is a lot less picky and I have a lot of other CNAMEs pointing to webserver.bowens.co.za, so I wanted to leave that alone and create a fresh, clean set of records for the mail.

Do you think it's because port 25 is blocked from incoming connections?

Steve

Expert Comment

by:Zephyr ICT
ID: 39283625
Normally, to only send mail, port 25 shouldn't need to be open.

I think there is an issue with the multitude of IPs...

Normally a PTR record should look something like this:

xxx.xxx.xxx.xxx.in-addr.arpa      IN      PTR mail.domain.com

So in other words, pointing to 1 IP-address...

Maybe the problem is that the mail goes outside 1 IP-address but when the receiving mail server does a reverse lookup it doesn't compute... And when it doesn't compute, the mail isn't delivered.

Author Comment

by:StevenHook
ID: 39283844
Hi,
Just FYI, here's a transaction I copied from sendmail -v -q to double check the FQDN:
Running /var/spool/mqueue/r5PIXPNu017732 (sequence 105 of 116)
<*****@e****em.co.za>... Connecting to mx01.uk***a.co.za. via esmtp...
220 mx01.uk***a.co.za ESMTP CanIt-Appliance
>>> EHLO genius.bowens.co.za
250-mx01.uk***a.co.za Hello genius.bowens.co.za [196.214.155.179], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From:<bounced@bowens.co.za> SIZE=6919
250 2.1.0 <bounced@bowens.co.za>... Sender ok
>>> RCPT To:<*****@e****em.co.za>
>>> DATA
451 4.7.1 Timeout checking verification server
<*****@e****em.co.za>... Deferred: 451 4.7.1 Timeout checking verification server
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state


Expert Comment

by:Zephyr ICT
ID: 39283857
Deferred: 451 4.7.1 Timeout checking verification server
I think that means the message has been denied at the destination, maybe because of grey/blacklisting ...

503 5.0.0 Need RCPT (recipient)
Does the user exist? Might be a problem on the receiving end as well ...

What version of Sendmail are you using? Is any email being delivered or is most of it failing? Since you're not receiving mail you obviously aren't seeing any NDRs... hmmm

Author Comment

by:StevenHook
ID: 39283883
What are NDRs?
I do receive on this domain and the "reply to" and "from" email addresses - so I get all the "Mail delivery subsystem" and "postmaster" addresses. We use Google Apps, so they all go to a "bounced" address I set up there.

I'm not concerned with the fact that that example message didn't send, there's a very good chance that email address doesn't exist as it was sitting in sendmail's queue for re-delivery.
What I wanted to see was how they were talking - if the HELO was looking right in a real mail transaction.

Most of the mail goes fine, I would guess it's only a small percentage that's bouncing with that error, I don't know how to get real accurate stats though.

I just know that when we send a mailshot of a promo we always get a very good response, so people must be getting and reading a good portion of them. It's just a few who complain they never receive promotions or updates, and when I check for them in the bounced folder, most of them have that 505 HELO error. There are some "user doesn't exist" or "mailbox full" or "domain doesn't exist" bounces too, but I think the 505 one is the only one I have any direct control over.

Steve

Expert Comment

by:Zephyr ICT
ID: 39283904
Ok...

Just to recap:

What do you have in your /etc/hosts file?

I only now see you have mentioned your hostname is genius, is that also what is in the hostname file? /etc/hostname?

Author Comment

by:StevenHook
ID: 39283987
Hi,
Here it is:
should I maybe have all my external IPs in there too?
Steve


root@genius:/etc/mail# cat /etc/hosts
127.0.0.1       localhost
10.0.0.157      genius.bowens.co.za. genius
127.0.0.1       mdb.rapidstudio.co.za
192.168.10.24   ftplocal.rapidstudio.co.za
168.144.171.104 ftp.rapidstudio.co.za

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


root@genius:/etc/mail# cat /etc/hostname
genius


root@genius:/etc/mail# hostname --fqdn
genius.bowens.co.za.
root@genius:/etc/mail# hostname
genius


Expert Comment

by:Zephyr ICT
ID: 39284000
should I maybe have all my external IPs in there too?

I would opt for that yes ... Or at least the IP used by the mail server.

I would also change your hostname to the fqdn, I have it like that on all my servers running Ubuntu.

Author Comment

by:StevenHook
ID: 39284048
I should put the FQDN in /etc/hostname?
Isn't that going to make the fqdn be like genius.bowens.co.za.bowens.co.za.?

here's my new hosts file - is this looking better?

127.0.0.1       localhost
10.0.0.157      genius.bowens.co.za. genius
196.213.216.227 genius.bowens.co.za. genius
196.214.155.187 genius.bowens.co.za. genius
196.214.155.179 genius.bowens.co.za. genius
196.213.216.219 genius.bowens.co.za. genius
196.214.155.195 genius.bowens.co.za. genius
196.214.155.203 genius.bowens.co.za. genius
192.168.10.157  genius.bowens.co.za. genius
127.0.0.1       mdb.rapidstudio.co.za
192.168.10.24   ftplocal.rapidstudio.co.za
168.144.171.104 ftp.rapidstudio.co.za

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Expert Comment

by:Zephyr ICT
ID: 39284071
That looks fine ...

Isn't that going to make the fqdn be like genius.bowens.co.za.bowens.co.za.?

I've never had that happen to me ... But in your case it should be fine with the hosts file like this, at least your hostname -f results are fine... I have both, my hosts-file is like yours and I put the fqdn in hostname as well ...

Author Comment

by:StevenHook
ID: 39284102
Cool.
Do I need to restart anything after editing hosts?
And what do you think I should do about the PTRs?
Steve

Expert Comment

by:Zephyr ICT
ID: 39284128
No, restart will not be necessary ...

Well, if it were up to me, like I said earlier, I would change the PTR.

The thing is, when the rDNS lookup is performed, it should point back to the original IP-address.

E.g:

- www.domain.com and x.domain.com both resolve to 10.10.1.1.
- The PTR for 10.10.1.1 is host.domain.com.
- host.domain.com resolves to 10.10.1.1.

Something like that ... Having multiple PTR's is also not recommended and leads to issues in a lot of cases.
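The two checks this thread keeps circling back to are the HELO name the server announces (the accepted answer's telnet test, and the "550 Invalid HELO name" bounce) and whether each sending IP's PTR points to that name and resolves back to the IP (the rDNS explanation above). Here is an added example script, not from the thread or its participants, that performs both checks; it runs against constructed in-memory DNS data modelled on the records Steve posted, and the FAKE_A/FAKE_PTR dicts and function names are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample DNS data modelled on the thread (not live lookups): six sending
# IPs whose PTRs all name the same host, plus that host's A records. Swap the two
# dicts for real resolver calls (e.g. dnspython) to audit a live server.
FAKE_A: Dict[str, List[str]] = {
    "genius.bowens.co.za": ["196.213.216.227", "196.214.155.187", "196.214.155.179",
                            "196.213.216.219", "196.214.155.195", "196.214.155.203"],
}
FAKE_PTR: Dict[str, List[str]] = {ip: ["genius.bowens.co.za"] for ip in FAKE_A["genius.bowens.co.za"]}
FAKE_PTR["10.0.0.157"] = []  # private address from /etc/hosts: no PTR, never a valid sender

# RFC 5321 "Domain": dot-separated letter/digit/hyphen labels, no trailing dot.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")

def helo_name_problems(name: str) -> List[str]:
    """Reasons a receiving MTA may answer '550 Invalid HELO name' for this HELO/EHLO argument."""
    problems = []
    if name.endswith("."):
        problems.append("trailing dot (strip it from the hostname --fqdn output)")
    bare = name.rstrip(".")
    if "." not in bare:
        problems.append("not fully qualified (a bare host name such as 'genius')")
    if not _FQDN_RE.match(bare):
        problems.append("does not match RFC 5321 Domain syntax")
    return problems

def fcrdns_check(ip: str, helo: str, ptr=FAKE_PTR, a=FAKE_A) -> Dict[str, object]:
    """Forward-confirmed reverse DNS for one sending IP: ip -> PTR name -> A records
    must contain ip, and the PTR name should equal the announced HELO name."""
    names = ptr.get(ip, [])
    result: Dict[str, object] = {"ip": ip, "ptr": names, "confirmed": False, "matches_helo": False}
    if not names:
        result["note"] = "no PTR record"
        return result
    if len(names) > 1:
        result["note"] = "multiple PTRs; receivers may pick any of them"
        return result
    name = names[0]
    result["confirmed"] = ip in a.get(name, [])          # A record must lead back to ip
    result["matches_helo"] = name.lower() == helo.lower().rstrip(".")
    return result

if __name__ == "__main__":
    for candidate in ("genius", "genius.bowens.co.za.", "genius.bowens.co.za"):
        print(candidate, helo_name_problems(candidate))
    for ip in FAKE_PTR:
        print(fcrdns_check(ip, "genius.bowens.co.za"))
```

With the sample data only the bare name and the trailing-dot form are flagged, and every public IP is forward-confirmed while the private 10.0.0.157 is reported as having no PTR.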

Author Comment

by:StevenHook
ID: 39284151
So how would you say I can get this right with sending over several addresses?
It's one server, it's just load-balanced over 3 lines - with 3 failover lines.
I can set up live a records that change dynamically based on criteria and always reflect a live IP - but PTR are set up by my ISP, it takes like a day to get a change processed.
Steve

Expert Comment

by:Zephyr ICT
ID: 39284190
I think the best solution would be to make 1 PTR record for each IP-address...
An IP address can only point to one domain. You can host multiple domains on a single IP, but an IP can only point back to one domain...

So if the ip 10.10.1.1 is active and sends emails, it should have a PTR that points back to the correct A-record/Domain ...

If tomorrow the ip is 10.10.1.2 it too should have a PTR that points back to the correct A-record/Domain ...

Hope that makes sense...

Author Comment

by:StevenHook
ID: 39284234
yes.
I think that's how it is.
6 X PTR records, one for each IP, each pointing to genius.bowens.co.za
- Let me ask my ISP to show me how they look...
Steve

Author Comment

by:StevenHook
ID: 39284254
I tried this:
http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a196.213.216.227&run=toolpage

It's the same kind of result on all 6 addresses.
Am I misunderstanding?

Steve

Expert Comment

by:Zephyr ICT
ID: 39284359
I think the PTR records look fine ... In any case, the error was pointing to the HELO name, your domain name, so initially I thought it could be PTR... How soon can you tell if the issue is still occurring?

Author Comment

by:StevenHook
ID: 39289833
Hi,
We should do a mailer before the end of the week; that'll give me a big batch to check in.
I haven't had any in the last few days.
Thanks
Steve

Author Comment

by:StevenHook
ID: 39290086
I did also see that my server was listed here: http://www.sys2.de/mod.php?mod=rbl
if 25 is blocked from the internet how can they pick it up as a relay?
Can I safely just ask them to remove it?
Thanks
Steve

Expert Comment

by:Zephyr ICT
ID: 39290111
Last time I checked your server with MXtoolbox it wasn't listed on any blacklists, so it would be strange you are on this one, besides, like you said, there's no way they can connect to port 25 of your server.

You can ask them to remove it yes ... Maybe it's an old entry, or a dodgy site?

Author Comment

by:StevenHook
ID: 39290156
I think it's a very old database - and they seem to have a very extensive list simply blocking anything that seems like it might be dynamic - mine aren't dynamic, but it's from a small ISP - I've asked them to remove them from the RBL.
Thanks
Steve

Author Closing Comment

by:StevenHook
ID: 39310930
Thanks - we ran a newsletter, and none of them bounced for this reason anymore.

Author Comment

by:StevenHook
ID: 39310940
Just as a side (I will post a question about it too, but I wanted to ask you as you seem to know these tools well)
I have a windows program that checks my "bounced" mailbox and creates a csv file of all the bounced email addresses and the reasons that we can use to exclude them from the send lists.
Do you know of any tools that can run server side - check and filter the mail and update a mysql table of bad bounced addresses?
Thanks
Steve

Expert Comment

by:Zephyr ICT
ID: 39311035
Glad it got solved ...

I don't really know any kind of tool like that specifically, there are tools that can do bounce management or email verification, the quality of these tools vary accordingly though ...

Some of these tools are available as appliances as well ...