StevenHook asked:
Please help with sendmail and my FQDN (HELO)

Hi,
I have set up sendmail on my Ubuntu web server to send mail from our website.
But lots of servers are rejecting mail like this:
SMTP; 550 Access denied - Invalid HELO name


I have only my hostname "genius" in my /etc/hostname file - I believe this is correct for ubuntu?
So how do I get sendmail to "HELO" my FQDN?
It does show in my mail headers, but clearly not in my HELO
Also, how can I see what my HELO is?
Thanks
steve

PS. These look correct?
root@genius:~# hostname
genius
root@genius:~# hostname --fqdn
genius.bowens.co.za.


ASKER CERTIFIED SOLUTION
Zephyr ICT
This solution is only available to members.
StevenHook (ASKER):
Hi,
Thanks
Before I started, here's my telnet results: - seems to be OK to me - I don't understand why I am getting the bounced mail?
root@genius:/etc/mail# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 genius.bowens.co.za. ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Thu, 27 Jun 2013 16:47:20 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
HELO rapidstudio.co.za
250 genius.bowens.co.za. Hello localhost [127.0.0.1], pleased to meet you



I did try that solution, but it just gave me errors:
root@genius:/etc/mail# m4 sendmail.mc > sendmail.cf
*** ERROR: FEATURE() should be before MAILER()
*** MAILER(`local') must appear after FEATURE(`always_add_domain')
*** ERROR: FEATURE() should be before MAILER()
*** MAILER(`local') must appear after FEATURE(`allmasquerade')
*** ERROR: FEATURE() should be before MAILER()


So I swapped the last 2 sections: http://linux.koolsolutions.com/2010/10/14/tip-fixing-sendmail-configuration-error/
and added line at the bottom of the file.
seemed to work
restarted sendmail ...

telnet seems to be the same (except I left off the trailing . from the FQDN - as I understand it, an FQDN should have a trailing . at the end?):

root@genius:/etc/mail# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 genius.bowens.co.za ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Thu, 27 Jun 2013 16:50:37 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
HELO rapidstudio.co.za
250 genius.bowens.co.za Hello localhost [127.0.0.1], pleased to meet you



But I don't see why I'm getting the 505 bounces.
Zephyr ICT:
What happens when you check from outside of the network, like a remote mail server would, or check with mxtoolbox.com...
StevenHook (ASKER):
Hi,
I don't think port 25 is open for incoming connections on the firewall.
This server is only used to send, not to receive. I didn't think it was necessary to expose all that to the public?
I assumed because of NAT any transactions initiated by our server will be allowed?
Tx.
Steve

PS...
It's also got 6 IPs, 3 main ones and 3 failover ones - so at any time, 3 of them will be unavailable anyway. - I don't know if this is a bad thing too?
Zephyr ICT:
Hmmm...

You should consider making a separate mx record for your server and make sure your PTR resolves back to that mx record as well.

Make an A record like mail.domain.com 194.0.0.1
then make an mx record pointing to the mail.domain.com
and a PTR for it as well ...

That will be better I think, having multiple IP's resolving to the same mx record might give problems.
StevenHook (ASKER):
Hi,
Yes, I have all of those records set up for genius.bowens.co.za:
Type   TTL      Data
A      1 hour   196.213.216.227
A      1 hour   196.214.155.187
A      1 hour   196.214.155.179
A      1 hour   196.213.216.219
A      1 hour   196.214.155.195
A      1 hour   196.214.155.203
MX     1 hour   10 genius.bowens.co.za.
PTR    1 hour   genius.bowens.co.za.
SPF    1 min    v=spf1 a mx ip4:196.214.155.203 ~all
I have all 6 of those IPS under the PTR which was created by my ISP.

I have another record for the same server which is updated live with 2 live IPs that rotate (webserver.bowens.co.za). Should I point the mx to that rather? I just wanted to keep all the mail records under one hostname, the real hostname of the machine, so that it would be more stable; the web traffic is a lot less picky and I have a lot of other cnames pointing to webserver.bowens.co.za, so I wanted to leave that alone and create a fresh clean set of records for the mail.

Do you think it's because port 25 is blocked from incoming connections?

Steve
Zephyr ICT:
Normally, to only send mail, port 25 shouldn't need to be open.

I think there is an issue with the multitude of IPs...

Normally a PTR record should look something like this:

xxx.xxx.xxx.xxx.in-addr.arpa      IN      PTR mail.domain.com

So in other words, pointing to 1 IP-address...

Maybe the problem is that the mail goes outside 1 IP-address but when the receiving mail server does a reverse lookup it doesn't compute... And when it doesn't compute, the mail isn't delivered.
StevenHook (ASKER):
Hi,
Just FYI, here's a transaction I copied from sendmail -v -q to double check the FQDN:
Running /var/spool/mqueue/r5PIXPNu017732 (sequence 105 of 116)
<*****@e****em.co.za>... Connecting to mx01.uk***a.co.za. via esmtp...
220 mx01.uk***a.co.za ESMTP CanIt-Appliance
>>> EHLO genius.bowens.co.za
250-mx01.uk***a.co.za Hello genius.bowens.co.za [196.214.155.179], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From:<bounced@bowens.co.za> SIZE=6919
250 2.1.0 <bounced@bowens.co.za>... Sender ok
>>> RCPT To:<*****@e****em.co.za>
>>> DATA
451 4.7.1 Timeout checking verification server
<*****@e****em.co.za>... Deferred: 451 4.7.1 Timeout checking verification server
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state


Zephyr ICT:
Deferred: 451 4.7.1 Timeout checking verification server
I think that means the message has been denied at the destination, maybe because of grey/blacklisting ...

503 5.0.0 Need RCPT (recipient)
Does the user exist? Might be a problem on the receiving end as well ...

What version of Sendmail are you using? Is any email being delivered or is most of it failing? Since you're not receiving mail you obviously aren't seeing any NDRs... hmmm
StevenHook (ASKER):
What are NDRs?
I do receive on this domain and the "reply to" and "from" email addresses - so I get all the "Mail delivery subsystem" and "postmaster" addresses. We use Google Apps, so they all go to a "bounced" address I set up there.

I'm not concerned with the fact that that example message didn't send, there's a very good chance that email address doesn't exist as it was sitting in sendmail's queue for re-delivery.
What I wanted to see was how they were talking - if the HELO was looking right in a real mail transaction.

Most of the mail goes fine, I would guess it's only a small percentage that's bouncing with that error, I don't know how to get real accurate stats though.

I just know that when we send a mailshot of a promo we always get a very good response, so people must be getting and reading a good portion of them. It's just a few who complain they never receive promotions or updates, and when I check for them in the bounced folder, most of them have that 505 HELO error. there are some "user doesn't exist" or "mailbox full" or "domain doesn't exist" bounces too, but I think the 505 one is the only one I have any direct control over.

Steve
Zephyr ICT:
Ok...

Just to recap:

What do you have in your /etc/hosts file?

I only now see you have mentioned your hostname is genius, is that also what is in the hostname file? /etc/hostname?
StevenHook (ASKER):
Hi,
Here it is:
should I maybe have all my external IPs in there too?
Steve


root@genius:/etc/mail# cat /etc/hosts
127.0.0.1       localhost
10.0.0.157      genius.bowens.co.za. genius
127.0.0.1       mdb.rapidstudio.co.za
192.168.10.24   ftplocal.rapidstudio.co.za
168.144.171.104 ftp.rapidstudio.co.za

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters



root@genius:/etc/mail# cat /etc/hostname
genius



root@genius:/etc/mail# hostname --fqdn
genius.bowens.co.za.
root@genius:/etc/mail# hostname
genius


Zephyr ICT:
should I maybe have all my external IPs in there too?

I would opt for that yes ... Or at least the IP used by the mail server.

I would also change your hostname to the fqdn, I have it like that on all my servers running Ubuntu.
StevenHook (ASKER):
I should put the FQDN in /etc/hostname?
Isn't that going to make the fqdn be like genius.bowens.co.za.bowens.co.za.?

here's my new hosts file - is this looking better?

127.0.0.1       localhost
10.0.0.157      genius.bowens.co.za. genius
196.213.216.227 genius.bowens.co.za. genius
196.214.155.187 genius.bowens.co.za. genius
196.214.155.179 genius.bowens.co.za. genius
196.213.216.219 genius.bowens.co.za. genius
196.214.155.195 genius.bowens.co.za. genius
196.214.155.203 genius.bowens.co.za. genius
192.168.10.157  genius.bowens.co.za. genius
127.0.0.1       mdb.rapidstudio.co.za
192.168.10.24   ftplocal.rapidstudio.co.za
168.144.171.104 ftp.rapidstudio.co.za

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Zephyr ICT:
That looks fine ...

Isn't that going to make the fqdn be like genius.bowens.co.za.bowens.co.za.?

I've never had that happen to me ... But in your case it should be fine with the hosts file like this, at least your hostname -f results are fine... I have both, my hosts-file is like yours and I put the fqdn in hostname as well ...
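As an added example (not code from the thread or from either participant), the script below reproduces how `hostname --fqdn` arrives at `genius.bowens.co.za.` from the /etc/hosts file posted above, and shows the corrected file beside it. It assumes the host's name service uses the files source first (the usual `hosts: files dns` in /etc/nsswitch.conf), so that getaddrinfo() with AI_CANONNAME returns the first name on the first matching hosts line; that returned name is what sendmail then announces in its banner and HELO. The embedded hosts file is a constructed copy of the one in the post; `parse_hosts`, `canonical_name` and `fix_hosts` are hypothetical helper names.

```python
import re
from typing import List, Optional, Tuple

# Constructed copy of the /etc/hosts file posted above (comments and IPv6 lines kept).
HOSTS_POSTED = """\
127.0.0.1       localhost
10.0.0.157      genius.bowens.co.za. genius
127.0.0.1       mdb.rapidstudio.co.za
192.168.10.24   ftplocal.rapidstudio.co.za
168.144.171.104 ftp.rapidstudio.co.za

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Split an /etc/hosts file into (address, [names]) entries, dropping comments."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.append((addr, names))
    return entries


def canonical_name(short_name: str, hosts_text: str) -> Optional[str]:
    """Mimic `hostname --fqdn` with the files source (assumption: files is consulted
    first): getaddrinfo(AI_CANONNAME) yields the first name on the first hosts line
    that lists the short hostname. That value becomes sendmail's $j / HELO name."""
    for _addr, names in parse_hosts(hosts_text):
        if short_name in names:
            return names[0]
    return None


def fix_hosts(text: str) -> str:
    """Return the hosts file with trailing dots removed from every name.
    The trailing dot is zone-file notation; it does not belong in /etc/hosts and
    is not valid in a HELO name. Comments and spacing are left as they were."""
    fixed: List[str] = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        # A dot followed by whitespace or end of field can only be a trailing name dot;
        # addresses never end in a dot, so they are untouched.
        code = re.sub(r"\.(?=\s|$)", "", code)
        fixed.append(code + sep + comment)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    print("canonical name from posted file:", canonical_name("genius", HOSTS_POSTED))
    corrected = fix_hosts(HOSTS_POSTED)
    print("canonical name after the fix:   ", canonical_name("genius", corrected))
    print(corrected)
```

With the posted file the canonical name carries the trailing dot, exactly as the `hostname --fqdn` output and the first `220 genius.bowens.co.za.` banner in the thread show; after `fix_hosts` it is `genius.bowens.co.za`. Putting the FQDN in /etc/hostname, as suggested above, does not double the domain: the hosts line still lists the full name first, so the canonical lookup returns the same string.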
StevenHook (ASKER):
Cool.
Do I need to restart anything after editing hosts?
And what do you think I should do about the PTRs?
Steve
Zephyr ICT:
No, restart will not be necessary ...

Well, if it were up to me, like I said earlier, I would change the PTR.

The thing is, when the rDNS lookup is performed, it should point back to the original IP-address.

E.g:

- www.domain.com and x.domain.com both resolve to 10.10.1.1.
- The PTR for 10.10.1.1 is host.domain.com.
- host.domain.com resolves to 10.10.1.1.

Something like that ... Having multiple PTR's is also not recommended and leads to issues in a lot of cases.
StevenHook (ASKER):
So how would you say I can get this right with sending over several addresses?
It's one server, it's just load-balanced over 3 lines - with 3 failover lines.
I can set up live a records that change dynamically based on criteria and always reflect a live IP - but PTR are set up by my ISP, it takes like a day to get a change processed.
Steve
Zephyr ICT:
I think the best solution would be to make 1 PTR record for each IP-address...
An IP address can only point to one domain. You can host multiple domains a single IP, but an IP can only point back to one domain...

So if the ip 10.10.1.1 is active and sends emails, it should have a PTR that points back to the correct A-record/Domain ...

If tomorrow the ip is 10.10.1.2 it too should have a PTR that points back to the correct A-record/Domain ...

Hope that makes sense...
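Two things from this thread are worth turning into a check you can run yourself: the question "how can I see what my HELO is?" (answered above by the `sendmail -v -q` transcript, where the `>>> EHLO ...` line is exactly what the server sends) and the PTR discussion just above (each sending IP needs a PTR whose name resolves back to that IP). The script below is an added example, not code from the thread or from either participant: `extract_helo` pulls the HELO/EHLO name out of a verbose sendmail transcript, and `check_helo` applies the checks a strict receiving MTA typically makes before accepting it: RFC 5321 syntax (fully qualified, no trailing dot, or an address literal), the name resolving to the connecting IP, and forward-confirmed reverse DNS. The DNS table is constructed from the A records posted in the thread and assumes, as Steve states, that all six PTRs point at genius.bowens.co.za; `extract_helo`, `check_helo`, `FORWARD` and `REVERSE` are hypothetical names.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed DNS data modelled on the records posted in this thread: six A records
# for genius.bowens.co.za and (assumed, per the thread) a PTR for each address.
MAIL_HOST = "genius.bowens.co.za"
MAIL_IPS = {
    "196.213.216.227", "196.214.155.187", "196.214.155.179",
    "196.213.216.219", "196.214.155.195", "196.214.155.203",
}
FORWARD: Dict[str, Set[str]] = {MAIL_HOST: set(MAIL_IPS)}
REVERSE: Dict[str, str] = {ip: MAIL_HOST for ip in MAIL_IPS}

# In a sendmail -v transcript, lines the client sends are prefixed ">>> ".
HELO_RE = re.compile(r"^>>> (?:HELO|EHLO) (\S+)\s*$")
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def extract_helo(transcript: str) -> Optional[str]:
    """Return the name a sendmail -v transcript shows being sent as HELO/EHLO."""
    for line in transcript.splitlines():
        m = HELO_RE.match(line)
        if m:
            return m.group(1)
    return None


def check_helo(helo: str, client_ip: str,
               forward: Dict[str, Set[str]] = FORWARD,
               reverse: Dict[str, str] = REVERSE) -> List[str]:
    """Apply the checks a strict receiver applies to HELO; empty list means it passes."""
    problems: List[str] = []

    # RFC 5321 allows an address literal such as [196.214.155.179] instead of a name.
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
        except ValueError:
            problems.append("address literal is not a valid IP address")
        return problems

    # Syntax: a dotted, fully qualified name; the RFC 5321 Domain has no trailing dot.
    if helo.endswith("."):
        problems.append("trailing dot in HELO name")
    name = helo.rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2:
        problems.append("HELO name is not fully qualified")
    if not all(LABEL_RE.match(label) for label in labels):
        problems.append("HELO name contains an invalid label")

    # The HELO name must resolve, and one of its addresses should be the client.
    addrs = forward.get(name, set())
    if not addrs:
        problems.append("HELO name does not resolve")
    elif client_ip not in addrs:
        problems.append("HELO name does not resolve to the connecting IP")

    # Forward-confirmed reverse DNS: IP -> PTR name -> A records must include the IP.
    ptr = reverse.get(client_ip)
    if ptr is None:
        problems.append("no PTR record for the connecting IP")
    elif client_ip not in forward.get(ptr.rstrip(".").lower(), set()):
        problems.append("PTR name does not resolve back to the connecting IP")
    return problems


# Excerpt of the sendmail -v -q transcript posted above, used as sample input.
SAMPLE_TRANSCRIPT = """\
220 mx01.uk***a.co.za ESMTP CanIt-Appliance
>>> EHLO genius.bowens.co.za
250-mx01.uk***a.co.za Hello genius.bowens.co.za [196.214.155.179], pleased to meet you
"""

if __name__ == "__main__":
    sent = extract_helo(SAMPLE_TRANSCRIPT)
    print("HELO sent by this server:", sent)
    for candidate in (sent, "genius.bowens.co.za.", "genius", "[196.214.155.179]"):
        print(f"{candidate!r}: {check_helo(candidate, '196.214.155.179') or 'OK'}")
```

Run against the transcript from the thread, the name `genius.bowens.co.za` from 196.214.155.179 passes every check, while the earlier `genius.bowens.co.za.` (the value the trailing dot in /etc/hosts produced) fails on syntax alone, and a bare `genius` fails as both unqualified and unresolvable. Some receivers additionally require the HELO name to equal the PTR name; the script does not enforce that, since the thread's records already satisfy it.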
StevenHook (ASKER):
yes.
I think that's how it is.
6 X PTR records, one for each IP, each pointing to genius.bowens.co.za
- Let me ask my ISP to show me how they look...
Steve
StevenHook (ASKER):
I tried this:
http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a196.213.216.227&run=toolpage

It's the same kind of result on all 6 addresses.
Am I misunderstanding?

Steve
Zephyr ICT:
I think the PTR records look fine ... In any case, the error was pointing to the HELO name, your domain name, so initially I thought it could be PTR... How soon can you tell if the issue is still occurring?
StevenHook (ASKER):
Hi,
We should do mailer before the end of the week, that'll give me a big batch to check in.
I haven't had any in the last few days.
Thanks
Steve
StevenHook (ASKER):
I did also see that my server was listed here: http://www.sys2.de/mod.php?mod=rbl
if 25 is blocked from the internet how can they pick it up as a relay?
Can I safely just ask them to remove it?
Thanks
Steve
Zephyr ICT:
Last time I checked your server with MXtoolbox it wasn't listed on any blacklists, so it would be strange you are on this one, besides, like you said, there's no way they can connect to port 25 of your server.

You can ask them to remove it yes ... Maybe it's an old entry, or a dodgy site?
StevenHook (ASKER):
I think it's a very old database - and they seem to have a very extensive list simply blocking anything that seems like it might be dynamic - mine aren't dynamic, but it's from a small ISP - I've asked them to remove them from the RBL.
Thanks
Steve
StevenHook (ASKER):
Thanks - we ran a newsletter, and none of them bounced for this reason anymore.
Just as a side (I will post a question about it too, but I wanted to ask you as you seem to know these tools well)
I have a windows program that checks my "bounced" mailbox and creates a csv file of all the bounced email addresses and the reasons that we can use to exclude them from the send lists.
Do you know of any tools that can run server side - check and filter the mail and update a mysql table of bad bounced addresses?
Thanks
Steve
Zephyr ICT:
Glad it got solved ...

I don't really know any kind of tool like that specifically, there are tools that can do bounce management or email verification, the quality of these tools vary accordingly though ...

Some of these tools are available as appliances as well ...