I'm very new to sendmail administration. I have been successfully running sendmail on Linux for about a month now but have noticed that a few remote servers timeout during the connection. I am using WebMin to view the contents of the mail queue and notice that the time outs always occur with the same few servers from some of our business clients. The error I get is "connection deferred," but its deferred forever until the queue finally bounces the mail back to the sender. What would cause this connection to be deferred? I can succesfully send to these remote servers using hotmail. I can ping them and telnet into port 80, so I don't think I'm being blocked at the packet-level. ANy help would be appreciated.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
timout with remote server
- Thread starter tolstoy
- Start date
Hey Tolstoy,
The first thing I would check is to verify your connection from the mail server to the remote servers. From your mail server, use telnet to connect to port 25 instead of port 80. Port 25 is the port used by mail servers and could be blocked even though port 80 is open. You should see some sort of greeting message from the remote mail server. If you get this, just type "quit" as that would show that you have a valid connection. If however you do not get the message or it times out trying to connect, I would suspect that the remote mail server may be trying to do a reverse lookup on your mail server's ip. If you don't have a reverse dns lookup for your IP, some mail servers might have trouble accepting your connection.
If you're not sure of how to verify the reverse, let me know the IP and I can verify it for you.
Let me know what you find,
GJ
The first thing I would check is to verify your connection from the mail server to the remote servers. From your mail server, use telnet to connect to port 25 instead of port 80. Port 25 is the port used by mail servers and could be blocked even though port 80 is open. You should see some sort of greeting message from the remote mail server. If you get this, just type "quit" as that would show that you have a valid connection. If however you do not get the message or it times out trying to connect, I would suspect that the remote mail server may be trying to do a reverse lookup on your mail server's ip. If you don't have a reverse dns lookup for your IP, some mail servers might have trouble accepting your connection.
If you're not sure of how to verify the reverse, let me know the IP and I can verify it for you.
Let me know what you find,
GJ
- Thread starter
- #3
Thanks for the reply. I meant 25, not 80, Sorry for the confusion. I can telnet into 25, but get a 20 followed by astricks, rather than an intelligible message. As for reverse look-up, I'll have to check that with my ISP, as they host all of our DNS services.
- Thread starter
- #4
I spoke with our ISP and they verified that reverse lookup is setup for our domain. The ip or our mailserver is the external ip of our firewall which if forwarding traffic on 25 to our mailserver. Could this have any effect? I'm not sure how to check reverse lookup myself, but imagine I would use nslookup. What do I need to enter at the prompt>
Hey Tolstoy,
Sorry for the delay, been busy. I would check to see if your firewall uses a single IP for outbound traffic or whether it has a pool. If it's configured as a pool, your mail server could be connecting with a different IP at different times. Depending on how your reverse is setup, this could cause a reverse lookup to fail.
I would verify which IP that the outside world sees for your mail server and check the reverse to see if it resolves.
To check the reverse in nslookup, issue the following commands at a shell prompt where a.b.c.d is the IP address the outside world sees for your mail server:
nslookup<return>
set type=ptr<return>
d.c.b.a.in-addr.arpa.<return>
You should then see something like:
d.c.b.a.in-addr.arpa name = mail.myDomain.com
followed by possible nameserver information. The "mail.myDomain.com" is the reverse lookup and indicates the reverse exists. If the reverse is not properly set, you should see a message like "Non-existent host/domain".
Hope this helps,
GJ
Sorry for the delay, been busy. I would check to see if your firewall uses a single IP for outbound traffic or whether it has a pool. If it's configured as a pool, your mail server could be connecting with a different IP at different times. Depending on how your reverse is setup, this could cause a reverse lookup to fail.
I would verify which IP that the outside world sees for your mail server and check the reverse to see if it resolves.
To check the reverse in nslookup, issue the following commands at a shell prompt where a.b.c.d is the IP address the outside world sees for your mail server:
nslookup<return>
set type=ptr<return>
d.c.b.a.in-addr.arpa.<return>
You should then see something like:
d.c.b.a.in-addr.arpa name = mail.myDomain.com
followed by possible nameserver information. The "mail.myDomain.com" is the reverse lookup and indicates the reverse exists. If the reverse is not properly set, you should see a message like "Non-existent host/domain".
Hope this helps,
GJ
- Thread starter
- #6
Thanks for the help again. Someone who had a similar problem suggested that the remote server may being checking my authenticity by connecting to ident, which is not running on my machine, nor allowed at the firewall. In your opinion, do you think this could be the case? Our firewall uses one IP, not a pool, and is what is listed in DNS records. I'll check for the reverse lookup tomorrow and post back if I find out anything else. Again, thanks for all your help. I really do appreciate it. As I said, this is my first real crack at running sendmail and though its been going somewhat smoothe so far, I'm still pretty green.
Hey Tolstoy,
I don't run ident either but I'm sure that it's possible although I would suspect unlikely to be the cause. If you want, I can try sending a message through my server (no ident) and see if it gets rejected as well. This would rule out the ident issue.
Just let me know.
GJ
I don't run ident either but I'm sure that it's possible although I would suspect unlikely to be the cause. If you want, I can try sending a message through my server (no ident) and see if it gets rejected as well. This would rule out the ident issue.
Just let me know.
GJ
- Thread starter
- #8
- Thread starter
- #9
I just sent a test message to someuser@glmshows.com so it doesn't appear to be ident related. I also telnetted in to their mail server and I got the 200 ************** response as well. They've just masked their mail server name for security reasons. If you type "mail from: test@glmshows.com" and hit return, you should see a normal smtp acknowledgement message. Try to send another message and do a "tail /var/log/maillog". You should see two entries related to your message. If you could post those, that might help shed some light on this.
I'm not sure about the reverse being a problem since it exists. I think that the server will just check to make sure it knows who that IP is, I don't think it has any way to know what the machine's real hostname is. I could be wrong on this but you could change your mail server's host name temporarily to check. I wouldn't do this if your mail server is a critical machine as this may impact other services.
GJ
I'm not sure about the reverse being a problem since it exists. I think that the server will just check to make sure it knows who that IP is, I don't think it has any way to know what the machine's real hostname is. I could be wrong on this but you could change your mail server's host name temporarily to check. I wouldn't do this if your mail server is a critical machine as this may impact other services.
GJ
- Thread starter
- #11
I didn't think it was an ident issue since I didn't see any dropped packets on that port in my firewall logs. Here is the contents of my maillog when I grep it for glmshows when attempting to send to a user:
Apr 20 09:48:57 mail sendmail[9957]: f3KDlWP09955: to=deborah_hilfman@glmshows.com, ctladdr=ndelo@limcollege.edu (156684107/45), delay=00:01:25, xdelay=00:01:10, mailer=esmtp, pri=30307, relay=mail1.glmshows.com. [63.65.25.199], dsn=4.0.0, stat=Deferred: Connection timed out with mail1.glmshows.com.
Apr 20 10:28:31 mail sendmail[10109]: f3KDlWP09955: to=deborah_hilfman@glmshows.com, ctladdr=ndelo@limcollege.edu (156684107/45), delay=00:40:59, xdelay=00:01:10, mailer=esmtp, pri=120307, relay=mail1.glmshows.com. [63.65.25.199], dsn=4.0.0, stat=Deferred: Connection timed out with mail1.glmshows.com.
Again, thanks for the help and the speedy responses. A little more info that may or may not help-- I'm running this on RH7, kernel 2.4.0, and am using the precompiled binary version of sendmail that ships with the OS.
Apr 20 09:48:57 mail sendmail[9957]: f3KDlWP09955: to=deborah_hilfman@glmshows.com, ctladdr=ndelo@limcollege.edu (156684107/45), delay=00:01:25, xdelay=00:01:10, mailer=esmtp, pri=30307, relay=mail1.glmshows.com. [63.65.25.199], dsn=4.0.0, stat=Deferred: Connection timed out with mail1.glmshows.com.
Apr 20 10:28:31 mail sendmail[10109]: f3KDlWP09955: to=deborah_hilfman@glmshows.com, ctladdr=ndelo@limcollege.edu (156684107/45), delay=00:40:59, xdelay=00:01:10, mailer=esmtp, pri=120307, relay=mail1.glmshows.com. [63.65.25.199], dsn=4.0.0, stat=Deferred: Connection timed out with mail1.glmshows.com.
Again, thanks for the help and the speedy responses. A little more info that may or may not help-- I'm running this on RH7, kernel 2.4.0, and am using the precompiled binary version of sendmail that ships with the OS.
Sorry for the delayed response but I've been swamped the past few days. At this point, I would try to connect via telnet and issue the mail commands manually and see what happens. I would look to see if one of the commands causes the other side to stop responding. If so, that should give you some clue. IE if the other side stops responding after sending the recipient's address, I would try other recipients and see if the same thing happens. If it stops responding on the sender's address, I would try different senders to see if I could find one that worked. If however you're able to send messages fine through telnet from your mail server, I would then try to mail a simple message from the command prompt with "mail" and see if a simple one line message fails as well. If so, I would then feel that it's something to do with your sendmail config or possibly a corrupt or buggy version.
I would either try installing a current version of Sendmail or installing Sendmail on another machine and see what happens.
Sorry but this one's kinda got me stumped at the moment.
GJ
I would either try installing a current version of Sendmail or installing Sendmail on another machine and see what happens.
Sorry but this one's kinda got me stumped at the moment.
GJ
- Thread starter
- #13
Thanks for all the help. I'll try what you suggested, and also installing the current from binary rather than RPM if all the above fails. I have heard that sendmail.cf gets buggy from linuxconf on RedHat, though I have not used linuxconf at all on this machine. Thanks again. I'll post back if I get this one solved.
- Thread starter
- #14
Believe it or not I found some facts at sendmail.org stating a kernel-level problem with linux and sendmail that returns a "connection timed out", though the error message I have looks a bit different it. The problem is with kernel 2.0, I believe. I'm using 2.4.0 currently, but for the heck of it I booted off my old kernel, 2.2.16, and the problem seems to have dissapeared! Don't ask me why. I'll try 2.4.2 when it becomes availible, if it already isn't. If not, I'll just stick with the old kernel. Thanks for helping me narrow down some of the causes of the problem. As I said, I am still very green in reguards to sendmail. 
- Thread starter
- #16
- Status
Similar threads
- Locked
- Question
- Locked
- Question