Re: Help Needed: My RHEL5 box suddenly stopped accepting e-mails



Hi Robert,


On Sun, May 8, 2011 at 4:09 AM, lists-redhat <
replies-lists-b3z1-redhat@xxxxxxxxxxxxxxxxxxxxx> wrote:

I don't think that you explicitly responded to the status of
iptables. I use the "old-fashioned" way to control services ..

/etc/rc.d/init.d/iptables status
... stop (if it's running)


My apologies for missing that. Here is the output of the 'iptables status'
command:
Firewall is stopped.




[this is done as root of course.] If you have iptables running
you'll want to only have it off for testing periods.

If iptables was on, try telnetting to port 25 from off-host again.

If that (still) fails, do you have access to another machine on the
same subnet? If so, try telnetting to port 25 on your machine from
there. If you get the sendmail herald, then the issue is definitely
off-host (and you just proved it). By being on the same subnet, with
no serious network hardware between the machines, you're avoiding
policy stuff that your networking types may have put in place in
routers.


Okay, so to do a checkpoint here: since my firewall is off, *and*
because other Linux boxes on the same subnet as my box _can_
successfully telnet into port 25 of my box, that implies the issue is
not with my box, right?



If things fail to this point (e.g., you don't have access to another
machine on your subnet), there are still a few things to do.

From another machine try telnetting to ports on your machine where
you don't have a service running - e.g., 1025, 2025, 3080, etc.,
until you get a "Connection refused" response. That will tell you
that your machine is reachable on that port, but you don't have
anything running there. If that's successful (i.e., they haven't
totally firewalled you off), you can start up sendmail on this other
port (this requires a one-line modification to your sendmail.cf so
make certain you have a copy of your current sendmail.cf). **this is
only to prove a point, and won't work for general mail delivery**.


Following up on a few points in other threads:

An entry in hosts.deny (or a deny entry in hosts.allow) will still
get you a sendmail connection herald. You'll just get a rejection
when you try to submit a message (with a "550 5.0.0 Access denied"
error on it). Your issue is that the message delivery is timing out,
so this isn't related to the hosts.deny/allow settings.


Thanks for the explanation.



You don't need to prove that your machine will deliver mail (yet),
as the issue is that connections to it are timing out. So, don't
worry about trying to have a chat with sendmail in order to submit a
message manually. Once you can reach sendmail/port 25 from a machine
off your subnet, if it still has issues with accepting/delivering
mail, then those issues can be addressed.


I see. So does the fact that I get a "Connection timed out." when I
try to telnet into port 25 from a machine from a different subnet than
my machine imply the company has something mis-configured somewhere?



If you have SELinux enabled (and there were some updates on it
recently), that would affect sendmail's ability to start and run,
but you've proved that it's running (you're getting the herald from
on-host connections).

The smarthost entry applies to how outbound mail is handled, not
inbound, so of no effect here.


Oh, okay.

Thanks very much for all the help (everyone!). I'd be lost without you
folks.

Kind regards,

--
Mun





- Richard



------------ Original Message ------------
Date: Saturday, May 07, 2011 09:51:53 PM -0700
From: Mun <mjelists@xxxxxxxxx>
To: redhat-list@xxxxxxxxxx
Subject: Re: Help Needed: My RHEL5 box suddenly stopped accepting e-mails

Hi Richard,

On Sat, May 7, 2011 at 1:50 PM, lists-redhat <
replies-lists-b3z1-redhat@xxxxxxxxxxxxxxxxxxxxx> wrote:

if you're telnetting specifically to port 25, the smtp port (not
generically to the machine, which will get you to port 23) and
you're getting "connection lost" or "connection timed out", then
you most likely have some type of a firewall issue.


Yes, for the experiment I was telnetting specifically to port 25.
Your assessment of the issue does appear to have merit: Note that
when I sent an email from my gmail account to my workstation, gmail
eventually sent me a warning stating that "The recipient server did
not accept our requests to connect." Which seems to reinforce your
theory.


from the machine itself, try telnetting to its port 25 *by
ipnumber* (not name). make certain that you see that it's not
trying to connect to 127.0.0.1 (which will probably happen if you
try by name). if you get a connect, then it's likely an off-host
firewall/routing issue.


I got a connection to sendmail.



then, try telnetting to "127.0.0.1 25" -- you should get sendmail
connect.


I got a connection to sendmail.


if the telnetting to port 25 by the machine's ipnumber gets a hang
then you likely have an on-host firewall issue. iptables is the
most likely machine-specific firewall. you can look in
/etc/sysconfig to see if you have an iptables setup. if so, turn
iptables off and try telnetting in to port 25 (by ipnumber and
from off-host) and see what you get.

if the issue appears to be an off-host firewall issue, then you
need to step back and see what's going on from the outside.


It would seem that I am here, right?



[honestly, if you did nothing to your machine setup, i'd bet on
some external/network change to be causing your issue.]


I'm a little nervous that the updates that were installed did
something to cause this side effect--but by reading their
descriptions, that shouldn't have been the case. Furthermore, since I
downgraded the respective patches I should be back to a working
system.

Thus, I am in agreement that it _does_ seem to be something
external to my machine. Although, my IT dept does not agree; so I may
be out of luck.



[by the way, you don't need to reboot the machine to restart
sendmail, or other service starts/stops (rebooting to restart/fix
things is the windows approach to life, and not generally
necessary, or recommended, in the unix world.)]


Agreed. I did the reboots in response to downgrading packages.
Strictly speaking, the downgrades did not require reboots. But
because the downgrade had no effect on my problem, I thought I'd
reboot--just in case. Plus, I was desperate.

Kind regards,

--
Mun




- Richard


------------ Original Message ------------
Date: Saturday, May 07, 2011 01:09:55 PM -0700
From: Mun <mjelists@xxxxxxxxx>
To: redhat-list@xxxxxxxxxx
Subject: Re: Help Needed: My RHEL5 box suddenly stopped accepting e-mails

Hi Richard,


On Sat, May 7, 2011 at 3:38 AM, lists-redhat <
replies-lists-b3z1-redhat@xxxxxxxxxxxxxxxxxxxxx> wrote:

in your .cf, what do you have as an active (not commented out)
option under the:

# SMTP daemon options

tag?

is it:

O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

or something more along the lines of one of the following:

O DaemonPortOptions=Name=IPv4, Family=inet

O DaemonPortOptions=Name=MTA


I have the choice immediately above in my sendmail.cf:
DaemonPortOptions=Name=MTA



The first, with the 127.0.0.1, is the default for RHEL and will
only accept localhost mail. The other two are forms that will allow
it to accept mail from off localhost.

If that looks ok, try telnetting to port 25 on this machine
from off-host - e.g., from the exchange server. Do you get a
"connection refused" response or a "hang"? If "connection
refused", then it's most likely the sendmail daemon doing the
blocking. If you get a "hang", then it's likely a firewall of
some nature, e.g., iptables.


I get "connection lost" or "Connection timed out"; depending on
the computer I use to run telnet. The "connection lost" is what my
Windows XP box returned; and the "Connection timed out" is what
another Linux box returned.


Have you looked at your machine's logs (maillog, messages,
secure being the most obvious) they may give some hints.


Yes. I have looked at those, as has the company's IT dept. But
there were no messages that would help with this issue.



Have you restarted sendmail?


Yes. I've also rebooted a couple of times; nothing seems to
help.

It's just so weird that with no obvious changes made (except for
the updates applied and then downgraded that I mentioned in my
initial message) that my box would just all of a sudden stop
accepting email.

Thanks very much for the reply. I greatly appreciate the ideas.

Regards,

--
Mun




- Richard



------------ Original Message ------------
Date: Friday, May 06, 2011 04:48:34 PM -0700
From: Mun.Johl@xxxxxxxxxx
Subject: RE: Help Needed: My RHEL5 box suddenly stopped accepting e-mails

Hi Richard,

Thanks for your reply.

I had saved off /etc/mail when we first got email working
properly on my system (a couple of years ago) and I compared
the current sendmail.cf to the "known good" copy. The only
difference I see is that IT has uncommented the following
line:

O Timeout.ident=0

With respect to sendmail.mc, the version currently used by
the system had the following lines commented out:

MASQUERADE_AS(`mydomain.com')dnl
FEATURE(masquerade_envelope)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl

I'm not too experienced with sendmail, but it doesn't appear
to me as if the changes above would result in the problem I
am having; does it?

Regards,

------------ End Original Message ------------



------------ End Original Message ------------



------------ End Original Message ------------
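
The telnet checks discussed in this thread, as an added example that is not part of the original messages: a Python script that classifies a connection attempt to port 25 as herald, refused or timed out, and combines the results from the three vantage points the thread uses. The function names `probe` and `diagnose` and the result labels are this example's own.

```python
import socket
import sys

def probe(host, port=25, timeout=5.0):
    """Classify one TCP connect attempt the way the thread reads telnet output."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")       # RST came back: reachable, nothing listening
    except socket.timeout:
        return ("timeout", "")       # SYN dropped silently: a packet filter on the path
    except OSError as exc:
        return ("error", str(exc))   # e.g. no route to host
    with sock:
        try:
            data = sock.recv(512)    # SMTP servers speak first
        except socket.timeout:
            return ("open-no-banner", "")
        except OSError as exc:
            return ("error", str(exc))
    banner = data.decode("ascii", "replace").strip()
    return ("herald" if banner.startswith("220") else "open-unexpected", banner)

def diagnose(on_host_by_ip, same_subnet, other_subnet):
    """Combine outcomes from three vantage points (labels are this example's own)."""
    if on_host_by_ip == "timeout":
        return "on-host firewall (check iptables)"
    if on_host_by_ip == "refused":
        return "daemon not listening on host address (check DaemonPortOptions Addr=)"
    if on_host_by_ip != "herald":
        return "inconclusive"
    if same_subnet == "herald" and other_subnet == "timeout":
        return "filtering between subnets (off-host)"
    if same_subnet == "timeout":
        return "filtered before the daemon (iptables first, then network)"
    if same_subnet == "herald" and other_subnet == "herald":
        return "port 25 reachable; look at mail acceptance next"
    return "inconclusive"

if __name__ == "__main__":
    # Run on each vantage point: python3 probe25.py <ip-of-mail-host> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe(target, port))
```

Run it against the mail host's IP number (not its name) from the host itself, from a same-subnet machine and from an off-subnet machine, then pass the three outcome labels to `diagnose`.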


