Re: qmail-dk dropping mail?

Qmail backup MX

Hi - quick question regarding the above that somehow has me baffled and am
hoping the answer is an obvious one!!

Got a cluster of 3 load balanced outbound SMTP relay servers built as per
LWQ that also act as secondry MX for several thousand domains. I've been
seeing from the qmail logs that some mail is getting into a loop whenever
the primary MX is down. Until the message finally bounces with the
"too_many_hops" error.

For the domains in question I've checked that they only exist in the
rcpthosts file and that no reference to the domains is in the smtproutes or
locals files. The servers sit behind a PIX firewall and are load balanced by
a Foundry Server Iron.

An example of this is:

sentinelgb.net
dig +short sentinelgb.net mx
10 relay.firstnet.net.uk.
5 mail.sentinelgb.net.

telnet mail.sentinelgb.net 25
Trying 135.196.25.211...

grep sentinelgb.net /var/qmail/control/rcpthosts
sentinelgb.net

bash-2.05# grep sentinelgb.net /var/qmail/control/smtproutes
bash-2.05# grep sentinelgb.net /var/qmail/control/locals

 <at> 4000000044f7f99e178585c4 starting delivery 2167: msg 171378 to remote
kevinmacdonald <at> sentinelgb.net
 <at> 4000000044f7f9db22a2b10c end msg 171378
 <at> 4000000044f7f9db22a262ec delivery 2167: success:
212.103.224.41_accepted_message./Remote_host_said:_250_ok_1157101981_qp_2262
3/

The log snippet above is a typical example of the mail loop I'm seeing.

Any help would be appreciated.

Julian.

Julian Grunnell
3rd Line Technical Support
Pipex Communications

Tel: 0113 344 1304
Mob: 07803 649593
Web: http://www.pipex.com/

This e-mail is subject to: http://www.pipex.net/disclaimer.html 

Re: Qmail backup MX

On Fri, 1 Sep 2006, Julian Grunnell wrote:

> For the domains in question I've checked that they only exist in the
> rcpthosts file and that no reference to the domains is in the smtproutes or
> locals files. The servers sit behind a PIX firewall and are load balanced by
> a Foundry Server Iron.

Your servers don't know that the servers listed in the MX records are
themselves.  Search qmail.org for "moreipme patch", or create dummy
interfaces.

Rick.

RE: Qmail backup MX

> -----Original Message-----
> From: Richard Lyons [mailto:frob-qmail <at> webcentral.com.au] 
> Sent: 01 September 2006 09:24
> To: qmail <at> list.cr.yp.to
> Subject: Re: Qmail backup MX
> 
> On Fri, 1 Sep 2006, Julian Grunnell wrote:
> 
> > For the domains in question I've checked that they only 
> exist in the 
> > rcpthosts file and that no reference to the domains is in the 
> > smtproutes or locals files. The servers sit behind a PIX 
> firewall and 
> > are load balanced by a Foundry Server Iron.
> 
> Your servers don't know that the servers listed in the MX 
> records are themselves.  Search qmail.org for "moreipme 
> patch", or create dummy interfaces.
> 
> Rick.
> 
Thanks Rick, makes sense.

Stopped qmail and tried to apply the patch but get:

pwd
/usr/local/src/netqmail-1.05/netqmail-1.05

patch < ../../moreipme.patch.txt
patching file Makefile
patching file ipme.c
Hunk #3 FAILED at 42.
Hunk #4 succeeded at 104 (offset 5 lines).
1 out of 4 hunks FAILED -- saving rejects to file ipme.c.rej

more ipme.c.rej
***************
*** 40,51 ****
    int len;
    int s;
    struct ip_mx ix;

    if (ipmeok) return 1;
    if (!ipalloc_readyplus(&ipme,0)) return 0;
    ipme.len = 0;
    ix.pref = 0;

    if ((s = socket(AF_INET,SOCK_STREAM,0)) == -1) return -1;

    len = 256;
--- 42,60 ----
    int len;
    int s;
    struct ip_mx ix;
+   int moreipme_fd;

    if (ipmeok) return 1;
    if (!ipalloc_readyplus(&ipme,0)) return 0;
    ipme.len = 0;
    ix.pref = 0;

+   /* 0.0.0.0 is a special address which always refers to
+    * "this host, this network", according to RFC 1122, Sec. 3.2.1.3a.
+   */
+   byte_copy(&ix.ip,4,"\0\0\0\0");
+   if (!ipalloc_append(&ipme,&ix)) { return 0; }
+
    if ((s = socket(AF_INET,SOCK_STREAM,0)) == -1) return -1;

    len = 256;

Should the patch apply to a netqmail install ok?

Thanks - Julian.

testing the MX for that dy domain

Hello,

we have two nodes for qmail in cluster and with ldap.

Which is the patch, for qmail, for rejecting any message without a valid 
MX for that domain?

thanks in advance.

--

-- 

   :) cumprimentos
----------------------
José Luís Faria
Network Eng./Administrador de Sistemas
Cisco Certified Network Associate
Departamento de Informática
Universidade do Minho

RE: Qmail backup MX

Thanks to Richard who set me on the right track.

With the netqmail install you just need the netqmail moreipme patch.

So far it's looking good.

Julian. 

> -----Original Message-----
> From: Richard Lyons [mailto:frob-qmail <at> webcentral.com.au] 
> Sent: 01 September 2006 09:24
> To: qmail <at> list.cr.yp.to
> Subject: Re: Qmail backup MX
> 
> On Fri, 1 Sep 2006, Julian Grunnell wrote:
> 
> > For the domains in question I've checked that they only 
> exist in the 
> > rcpthosts file and that no reference to the domains is in the 
> > smtproutes or locals files. The servers sit behind a PIX 
> firewall and 
> > are load balanced by a Foundry Server Iron.
> 
> Your servers don't know that the servers listed in the MX 
> records are themselves.  Search qmail.org for "moreipme 
> patch", or create dummy interfaces.
> 
> Rick.
> 

Qmail ignoring rcpthosts?

My qmail seems to be acting as an open relay even though I have an
rcpthosts file:

-rw-r--r-- 1 root root 49 Aug 22 17:13 /var/qmail/control/rcpthosts

which has only my domains in it. I can telnet to my server on port 25
and send email from joelman <at> anywhere.com and it's happy to do so. My
understanding is that qmail shouldn't do this unless I have
RELAYCLIENT environment set.

How can I verify that qmail is/not using rcpthosts?

TIA
Joel

Re: Qmail ignoring rcpthosts?

On Fri, 1 Sep 2006, Joel Gwynn wrote:

> My qmail seems to be acting as an open relay even though I have an
> rcpthosts file:
>
> -rw-r--r-- 1 root root 49 Aug 22 17:13 /var/qmail/control/rcpthosts
>
> which has only my domains in it. I can telnet to my server on port 25
> and send email from joelman <at> anywhere.com and it's happy to do so. My
> understanding is that qmail shouldn't do this unless I have
> RELAYCLIENT environment set.
>
> How can I verify that qmail is/not using rcpthosts?

questions/requests:
what are your tcp.smtp rules?
complete output of qmail-showctl command would be useful.
please provide a complete email w/ headers that has been relayed through 
the server as well.

brian
--
Never be afraid to tell the world who you are.
              -- Anonymous
  14:00:01 up 52 days, 21:18,  2 users,  load average: 0.00, 0.00, 0.00

Re: Qmail ignoring rcpthosts?

OK.  I've attached the output of qmail-ctl and a sample email.  Are
attachments allowed on this list?

here's my /etc/tcp.smtp
127.:allow,RELAYCLIENT=""

Thanks

On 9/1/06, brian <at> highstream.kicks-ass.org
<brian <at> highstream.kicks-ass.org> wrote:
> On Fri, 1 Sep 2006, Joel Gwynn wrote:
>
> > My qmail seems to be acting as an open relay even though I have an
> > rcpthosts file:
> >
> > -rw-r--r-- 1 root root 49 Aug 22 17:13 /var/qmail/control/rcpthosts
> >
> > which has only my domains in it. I can telnet to my server on port 25
> > and send email from joelman <at> anywhere.com and it's happy to do so. My
> > understanding is that qmail shouldn't do this unless I have
> > RELAYCLIENT environment set.
> >
> > How can I verify that qmail is/not using rcpthosts?
>
> questions/requests:
> what are your tcp.smtp rules?
> complete output of qmail-showctl command would be useful.
> please provide a complete email w/ headers that has been relayed through
> the server as well.
>
>
> brian
> --
> Never be afraid to tell the world who you are.
>               -- Anonymous
>   14:00:01 up 52 days, 21:18,  2 users,  load average: 0.00, 0.00, 0.00
>

X-Gmail-Received: a72f19ac5ea86008c61266d6cfe61ae106070626
Delivered-To: joelman <at> gmail.com
Received: by 10.67.100.8 with SMTP id c8cs287555ugm;
        Wed, 30 Aug 2006 18:50:38 -0700 (PDT)
Received: by 10.70.46.1 with SMTP id t1mr557380wxt;
        Wed, 30 Aug 2006 18:50:37 -0700 (PDT)
Return-Path: <joelman <at> whatever.com>
Received: from mail.funnyrnot.com ([66.150.225.38])
        by mx.gmail.com with ESMTP id 44si217813wri.2006.08.30.18.50.37;
        Wed, 30 Aug 2006 18:50:37 -0700 (PDT)
Received-SPF: neutral (gmail.com: 66.150.225.38 is neither permitted nor denied by best guess record
for domain of joelman <at> whatever.com)
Date: Wed, 30 Aug 2006 18:50:37 -0700 (PDT)
Message-Id: <44f6406d.66b66cb9.601e.5519SMTPIN_ADDED <at> mx.gmail.com>
Received: (qmail 11885 invoked by uid 0); 30 Aug 2006 21:50:20 -0400
Received: from localhost (HELO ) (sendmail-bs <at> 127.0.0.1)
  by localhost with SMTP; 30 Aug 2006 21:50:20 -0400
subject: ORT II

still open.

Re: Qmail ignoring rcpthosts?

Joel Gwynn <joelman <at> gmail.com> wrote:
> 
> here's my /etc/tcp.smtp
> 127.:allow,RELAYCLIENT=""

Setting RELAYCLIENT tells qmail-smtpd to ignore rcpthosts.  If you're trying
to test whether you're an open relay, do it from another machine.

Charles
--

-- 
--------------------------------------------------------------------------
Charles Cazabon                               <qmail <at> discworld.dyndns.org>
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
My services include qmail consulting.  See http://pyropus.ca/ for details.
--------------------------------------------------------------------------