[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 680
  • Last Modified:

Please help with sendmail and my FQDN (HELO)

Hi,
I have set up sendmail on my Ubuntu web server to send mail from our website.
But lots of servers are rejecting mail like this:
SMTP; 550 Access denied - Invalid HELO name

Open in new window

I have only my hostname "genius" in my /etc/hostname file - I believe this is correct for ubuntu?
So how do I get sendmail to "HELO" my FQDN?
It does show in my mail headers, but clearly not in my HELO
Also, how can I see what my HELO is?
Thanks
steve

PS. These look correct?
root@genius:~# hostname
genius
root@genius:~# hostname --fqdn
genius.bowens.co.za.

Open in new window

0
StevenHook
Asked:
StevenHook
  • 16
  • 13
1 Solution
 
Zephyr ICTCloud ArchitectCommented:
What is the output when you connect to your server through telnet?

i.e.: telnet <yourserver> 25

Open in new window


Then just type "HELO me@somedomain.com" to see if you get a reply.

To configure the fqdn in sendmail, this could be the way: http://serverfault.com/questions/205271/how-to-specify-outgoing-helo-with-sendmail
0
 
StevenHookAuthor Commented:
Hi,
Thanks
Before I started, here's my telnet results: - seems to be OK to me - I don't understand why I am getting the bounced mail?
root@genius:/etc/mail# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 genius.bowens.co.za. ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Thu, 27 Jun 2013 16:47:20 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
HELO rapidstudio.co.za
250 genius.bowens.co.za. Hello localhost [127.0.0.1], pleased to meet you

Open in new window


I did try that solution, but it just gave me errors:
root@genius:/etc/mail# m4 sendmail.mc > sendmail.cf
*** ERROR: FEATURE() should be before MAILER()
*** MAILER(`local') must appear after FEATURE(`always_add_domain')*** ERROR: FEATURE() should be before MAILER()
*** MAILER(`local') must appear after FEATURE(`allmasquerade')*** ERROR: FEATURE() should be before MAILER()

Open in new window

So I swapped the last 2 sections: http://linux.koolsolutions.com/2010/10/14/tip-fixing-sendmail-configuration-error/
and added line at the bottom of the file.
seemed to work
restarted sendmail ...

telnet seems to be the same: (except I left off the trailing . from the FQDN - as I understand an FQDN should have a trailing . at the end?

root@genius:/etc/mail# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 genius.bowens.co.za ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Thu, 27 Jun 2013 16:50:37 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
HELO rapidstudio.co.za
250 genius.bowens.co.za Hello localhost [127.0.0.1], pleased to meet you

Open in new window


But I don't see why I'm getting the 505 bounces.
0
 
Zephyr ICTCloud ArchitectCommented:
What happens when you check from outside of the network, like a remote mail server would, or check with mxtoolbox.com...
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
StevenHookAuthor Commented:
Hi,
I don't think port 25 is open for incoming connections on the firewall.
This server is only used to send, not to receive. I didn't think it was necessary to expose all that to the public?
I assumed because of NAT any transactions initiated by our server will be allowed?
Tx.
Steve

PS...
It's also got 6 IPs, 3 main ones and 3 failover ones - so at any time, 3 of them will be unavailable anyway. - I don't know if this is a bad thing too?
0
 
Zephyr ICTCloud ArchitectCommented:
Hmmm...

You should consider making a separate mx record for your server and make sure your PTR resolves back to that mx record as well.

Make an A record like mail.domain.com 194.0.0.1
then make an mx record pointing to the mail.domain.com
and a PTR for it as well ...

That will be better I think, having multiple IP's resolving to the same mx record might give problems.
0
 
StevenHookAuthor Commented:
Hi,
Yes, I have all of those resords set up for genius.bowens.co.za:
Type      TTL      Data      
A       1 hour       196.213.216.227      
A       1 hour       196.214.155.187      
A       1 hour       196.214.155.179      
A       1 hour       196.213.216.219      
A       1 hour       196.214.155.195      
A       1 hour       196.214.155.203      
MX       1 hour       10 genius.bowens.co.za.      
PTR       1 hour       genius.bowens.co.za.      
SPF       1 min       v=spf1 a mx ip4:196.214.155.203 ~all      
I have all 6 of those IPS under the PTR which was created by my ISP.

I have another record for the same server which is updated live with 2 live IPs that rotate. (webserver.bowens.c.za) should I point the mx to that rather? I just wanted to keep all the mail records under one hostname, the real hostname of the machine, so that it would be more stable, the web traffic is a lot less picky and I have a lot of other cnames pointing to webserver.bowens.co.za, so I wanted to leave that alone and create a fresh clean set of records for the mail.

Do you think it's because port 25 is blocked from incoming connections?

Steve
0
 
Zephyr ICTCloud ArchitectCommented:
Normally, to only send mail, port 25 shouldn't need to be open.

I think there is an issue with the multitude of IPs...

Normally a PTR record should look something like this:

xxx.xxx.xxx.xxx.in-addr.arpa      IN      PTR mail.domain.com

So in other words, pointing to 1 IP-address...

Maybe the problem is that the mail goes outside 1 IP-address but when the receiving mail server does a reverse lookup it doesn't compute... And when it doesn't compute, the mail isn't delivered.
0
 
StevenHookAuthor Commented:
Hi,
Just FYI, here's a transaction I copied from sendmail -v -q to double check the FQDN:
Running /var/spool/mqueue/r5PIXPNu017732 (sequence 105 of 116)
<*****@e****em.co.za>... Connecting to mx01.uk***a.co.za. via esmtp...
220 mx01.uk***a.co.za ESMTP CanIt-Appliance
>>> EHLO genius.bowens.co.za
250-mx01.uk***a.co.za Hello genius.bowens.co.za [196.214.155.179], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From:<bounced@bowens.co.za> SIZE=6919
250 2.1.0 <bounced@bowens.co.za>... Sender ok
>>> RCPT To:<*****@e****em.co.za>
>>> DATA
451 4.7.1 Timeout checking verification server
<*****@e****em.co.za>... Deferred: 451 4.7.1 Timeout checking verification server
503 5.0.0 Need RCPT (recipient)
>>> RSET
250 2.0.0 Reset state

Open in new window

0
 
Zephyr ICTCloud ArchitectCommented:
Deferred: 451 4.7.1 Timeout checking verification server
I think that means the message has been denied at the destination, maybe because of grey/blacklisting ...

503 5.0.0 Need RCPT (recipient)
Does the user exist? Might be a problem on the receiving end as well ...

What version of Sendmail are you using? Is any email being delivered or is most of it failing? Since you're not receiving mail you're obviously aren't seeing any NDR's... hmmm
0
 
StevenHookAuthor Commented:
What are NDRs?
I do recieve on this domain and the "reply to" and "from" email addresses - so I get all the "Mail delivery subsystem" and "postmaster" addresses. - we use google apps, so they all go to a "bounced" address I set up there.

I'm not concerned with the fact that that example message didn't send, there's a very good chance that email address doesn't exist as it was sitting in sendmail's queue for re-delivery.
What I wanted to see was how they were talking - if the HELO was looking right in a real mail transaction.

Most of the mail goes fine, I would guess it's only a small percentage that's bouncing with that error, I don't know how to get real accurate stats though.

I just know that when we send a mailshot of a promo we always get a very good response, so people must be getting and reading a good portion of them. It's just a few who complain they never receive promotions or updates, and when I check for them in the bounced folder, most of them have that 505 HELO error. there are some "user doesn't exist" or "mailbox full" or "domain doesn't exist" bounces too, but I think the 505 one is the only one I have any direct control over.

Steve
0
 
Zephyr ICTCloud ArchitectCommented:
Ok...

Just to recap:

What do you have in your /etc/hosts file?

I only now see you have mentioned your hostname is genius, is that also what is in the hostname file? /etc/hostname?
0
 
StevenHookAuthor Commented:
Hi,
Here it is:
should I maybe have all my external IPs in there too?
Steve


root@genius:/etc/mail# cat /etc/hosts
127.0.0.1       localhost
10.0.0.157      genius.bowens.co.za. genius
127.0.0.1       mdb.rapidstudio.co.za
192.168.10.24   ftplocal.rapidstudio.co.za
168.144.171.104 ftp.rapidstudio.co.za

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Open in new window


root@genius:/etc/mail# cat /etc/hostname
genius

Open in new window


root@genius:/etc/mail# hostname --fqdn
genius.bowens.co.za.
root@genius:/etc/mail# hostname
genius

Open in new window

0
 
Zephyr ICTCloud ArchitectCommented:
should I maybe have all my external IPs in there too?

I would opt for that yes ... Or at least the IP used by the mail server.

I would also change your hostname to the fqdn, I have it like that on all my servers running Ubuntu.
0
 
StevenHookAuthor Commented:
I should put the FQDN in /etc/hostname?
Isn't that going to make the fqdn be like genius.bowens.co.za.bowens.co.za.?

here's my new hosts file - is this looking better?

127.0.0.1       localhost
10.0.0.157      genius.bowens.co.za. genius
196.213.216.227 genius.bowens.co.za. genius
196.214.155.187 genius.bowens.co.za. genius
196.214.155.179 genius.bowens.co.za. genius
196.213.216.219 genius.bowens.co.za. genius
196.214.155.195 genius.bowens.co.za. genius
196.214.155.203 genius.bowens.co.za. genius
192.168.10.157  genius.bowens.co.za. genius
127.0.0.1       mdb.rapidstudio.co.za
192.168.10.24   ftplocal.rapidstudio.co.za
168.144.171.104 ftp.rapidstudio.co.za

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Open in new window

0
 
Zephyr ICTCloud ArchitectCommented:
That looks fine ...

Isn't that going to make the fqdn be like genius.bowens.co.za.bowens.co.za.?

I've never had that happen to me ... But in your case it should be fine with the hosts file like this, at least your hostname -f results are fine... I have both, my hosts-file is like yours and I put the fqdn in hostname as well ...
0
 
StevenHookAuthor Commented:
Cool.
Do I need to restart anything after editing hosts?
And what do you think I should do about the PTRs?
Steve
0
 
Zephyr ICTCloud ArchitectCommented:
No, restart will not be necessary ...

Well, if it were up to me, like I said earlier, I would change the PTR.

The thing is, when the rDNS lookup is performed, it should point back to the original IP-address.

E.g:

- www.domain.com and x.domain.com both resolve to 10.10.1.1.
- The PTR for 10.10.1.1 is host.domain.com.
- host.domain.com resolves to 10.10.1.1.

Something like that ... Having multiple PTR's is also not recommended and leads to issues in a lot of cases.
0
 
StevenHookAuthor Commented:
So how would you say I can get this right with sending over several addresses?
It's one server, it's just load-balanced over 3 lines - with 3 failover lines.
I can set up live a records that change dynamically based on criteria and always reflect a live IP - but PTR are set up by my ISP, it takes like a day to get a change processed.
Steve
0
 
Zephyr ICTCloud ArchitectCommented:
I think the best solution would be to make 1 PTR record for each IP-address...
An IP address can only point to one domain. You can host multiple domains a single IP, but an IP can only point back to one domain...

So if the ip 10.10.1.1 is active and sends emails, it should have a PTR that points back to the correct A-record/Domain ...

If tomorrow the ip is 10.10.1.2 it too should have a PTR that points back to the correct A-record/Domain ...

Hope that makes sense...
0
 
StevenHookAuthor Commented:
yes.
I think that's how it is.
6 X PTR records, one for each IP, each pointing to genius.bowens.co.za
- Let me ask my ISP to show me how they look...
Steve
0
 
StevenHookAuthor Commented:
I tried this:
http://mxtoolbox.com/SuperTool.aspx?action=ptr%3a196.213.216.227&run=toolpage

It's the same kind of result on all 6 addresses.
Am I misunderstanding?

Steve
0
 
Zephyr ICTCloud ArchitectCommented:
I think the PTR records look fine ... In any case, the error was pointing to the HELO name, your domain name, so initially I thought it could be PTR... How soon can you tell if the issue is still occurring?
0
 
StevenHookAuthor Commented:
Hi,
We should do mailer before the end of the week, that'll give me a big batch to check in.
I haven't had any in the last few days.
Thanks
Steve
0
 
StevenHookAuthor Commented:
I did also see that my server was listed here: http://www.sys2.de/mod.php?mod=rbl
if 25 is blocked from the internet how can they pick it up as a relay?
Can I safely just ask them to remove it?
Thanks
Steve
0
 
Zephyr ICTCloud ArchitectCommented:
Last time I checked your server with MXtoolbox it wasn't listed on any blacklists, so it would be strange you are on this one, besides, like you said, there's no way they can connect to port 25 of your server.

You can ask them to remove it yes ... Maybe it's an old entry, or a dodgy site?
0
 
StevenHookAuthor Commented:
I think it's a very old database - and they seem to have a very extensive list simply blocking anything that seems like it might be dynamic - mine aren't dynamic, but it's from a small ISP - I've asked them to remove them from the RBL.
Thanks
Steve
0
 
StevenHookAuthor Commented:
Thanks - we ran a newsletter, and none of them bounced for this reason anymore.
0
 
StevenHookAuthor Commented:
Just as a side (I will post a question about it too, but I wanted to ask you as you seem to know these tools well)
I have a windows program that checks my "bounced" mailbox and creates a csv file of all the bounced email addresses and the reasons that we can use to exclude them from the send lists.
Do you know of any tools that can run server side - check and filter the mail and update a mysql table of bad bounced addresses?
Thanks
Steve
0
 
Zephyr ICTCloud ArchitectCommented:
Glad it got solved ...

I don't really know any kind of tool like that specifically, there are tools that can do bounce management or email verification, the quality of these tools vary accordingly though ...

Some of these tools are available as appliances as well ...
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 16
  • 13
Tackle projects and never again get stuck behind a technical roadblock.
Join Now