Archive for the ‘mail servers’ Category

postfix error RCPT from unknown[some ip address] host rejected

October 16, 2008

Hi,

Sometimes we see messages rejected by Postfix with the error “RCPT from unknown”.

Solution.
RCPT from unknown[some ip address]: 550 Client host rejected: cannot find your hostname

If you run

dig -x <your-ip> +short

you will get a hostname as the dig output (the reverse DNS record).

The reverse DNS record for your IP exists and points to a hostname; unfortunately, the same hostname does not exist in the forward DNS zone file. That is why Postfix regards your host as “unknown”.

Don’t use reject_unknown_client in your Postfix configuration. It may also reject valid mail.
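The check behind this error is a forward-confirmed reverse DNS test: the PTR name must exist, must resolve forward, and must resolve back to the connecting IP. The following is an added example, not code from the original post or from Postfix; the sample zone data and the names classify_client and check_sample are constructed for illustration.

```python
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_addrs(hostname):
    """Forward (A/AAAA) lookup; returns the set of addresses, possibly empty."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def classify_client(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return (verdict, detail) as a forward-confirmed reverse DNS check sees the client."""
    hostname = ptr_lookup(ip)
    if not hostname:
        return ("unknown", "no PTR record for " + ip)
    addrs = addr_lookup(hostname)
    if not addrs:
        return ("unknown", hostname + " has no forward record")
    if ip not in addrs:
        return ("unknown", hostname + " resolves to "
                + ", ".join(sorted(addrs)) + ", not " + ip)
    return ("known", hostname)

# Constructed sample data using documentation address ranges, not real hosts.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.org",   # PTR and A agree
    "192.0.2.20": "mx.example.net",     # PTR exists, forward record missing (this post's case)
    "192.0.2.30": "smtp.example.com",   # PTR exists, forward record points elsewhere
}
SAMPLE_A = {
    "mail.example.org": {"192.0.2.10"},
    "smtp.example.com": {"198.51.100.7"},
}

def check_sample(ip):
    """Run the check against the constructed data instead of live DNS."""
    return classify_client(ip, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, set()))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, *check_sample(ip))
```

Calling classify_client(ip) with no other arguments runs the same test against live DNS for a sending host you operate.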

This message is looping: it already has my Delivered-To line. (#5.4.6)

August 1, 2008

DESC:

 When I send a message to a user on my server from an outside account,
 I get this from qmail.

OBSERVATION:

 You are probably forwarding mail to yourself.

SOLUTION:

 Check your /var/qmail/control/smtproutes file to make sure you are not
 sending mail to a relay which is sending back to you, and also look at
 your forwarding files, .qmail, .qmail-default etc.

How to configure the Outlook email client

June 18, 2008

Steps to configure the Outlook email client

+++++++++++++++++++++++++++++

1. Click “Tools” -> “Email Accounts” on the menu bar.

2. Select “Add a new e-mail account” and click “Next”.

3. Select “POP3” and click “Next”.

4. Enter your name and email address under “User Information”.

5. Under “Logon Information”, enter the username and password you use to log in to the mail server. MAKE SURE to put the domain at the end of the username, e.g. “user@domain.com” and not just “user”.

6. Check “Remember password” if desired.

7. Under “Server Information”, enter the mailserver in both the POP3 and SMTP fields.

8. Click “More Settings…”.

9. Open the tab “Outgoing Server”. Check the box that says “My outgoing server (SMTP) requires authentication”, and make sure that “Use same settings as my incoming mail server” is selected beneath that.

10. Click “OK”, then “Next”, and then “Finish”.

How to configure Outlook Express

June 18, 2008

Steps to configure Outlook Express.
+++++++++++++++++++++++++++++++++
1) Launch Outlook Express

2) Click Tools>>Accounts.

3) In the “Internet Accounts Windows” click Add >> Mail.

4) Fill in your username and Click Next.

5) Fill in your email address and Click Next.

6) On the “Email Servers Name” page, fill in the server information.
“My incoming mail server is a POP3 server.”

“Incoming Mail server”: --> Fill in with your mail server name.
“Outgoing mail server”: --> Fill in with your mail server name.
Now, click Next.

7) In the account name field enter your e-mail address (name@domain.com) and the password below. Click Next.

8) Click Finish.

Now,
9) Go to Tools >> Accounts >> Properties >> Servers.
Enable the “My server requires authentication” option and click Apply.

10) Click the Advanced tab.
Enable the “Leave a copy of messages on the server” option and click Apply.

Outlook Express should now be configured for you to send and receive mail.

Postsuper commands

June 12, 2008

Requeue the messages with
“postsuper -r ALL”.

Delete All messages in the queue

“postsuper -d ALL”.

Delete a single message

“postsuper -d message-id”.

How to resolve primary virus scanner (auto) error in Mailscanner

June 12, 2008

You may find you get an error like:

Unable to select a regular expression for your primary virus scanner (auto) – please see the examples in functions.php to create one.

This happens when you are using newer versions of MailScanner and have the auto setting turned on in your MailScanner.conf file. Edit the configuration and set the string for your virus scanner instead of using the auto setting like:

##Virus Scanners = auto
Virus Scanners = clamav

SquirrelMail and Courier IMAP

June 3, 2008

Hi,

I was getting an error when dealing with Courier IMAP and SquirrelMail.

ERROR : Could not complete request. Query:CREATE "INBOX./Sent" Reason Given: Invalid mailbox name

To correct this for all your users, run ./conf.pl (it must be run from config/ in SquirrelMail’s root dir), select option 3, then 1, and enter ‘none’ (without the quotes). Save your changes and exit.

That might fix it, but in the most current version (1.4.0), from the main screen in ./conf.pl choose “D” and then pick your IMAP server.

If you are still having problems maximize your PHP error reporting by editing php.ini and changing:

   display_errors = on
   error_reporting = E_ALL

Then restart your web server.

Hope this helps you all.

error installing amavisd-new clamav on centos 5

June 2, 2008

Hi friends,

I’m back.

When trying to install amavisd-new on CentOS 5, I was getting the following error.

yum install amavisd-new spamassassin clamav clamd unzip bzip2 unrar

It returned the message “no match argument found”.

So I googled for a few minutes as usual and found the solution.

Things to check:

1. Check your /etc/yum.repos.d/ directory for
CentOS-Base.repo CentOS-Media.repo

Let’s say you already have these two repos.
To get the dag repo manually, try this:

Use your favorite editor (vi, nano, etc.) to create rpmforge.repo

1. nano /etc/yum.repos.d/rpmforge.repo
2. Copy the code below and paste it into rpmforge.repo

# Name: RPMforge RPM Repository for Red Hat Enterprise 4 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
#baseurl = http://apt.sw.be/redhat/el4/en/$basearch/dag
mirrorlist = http://apt.sw.be/redhat/el4/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1

3. Type this command

rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

This key will be stored in the directory /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag.

You may also download the GPG key manually and store it. Then just type “rpm --import RPM-GPG-KEY.dag.txt”

4. Type this command

yum --enablerepo=rpmforge list amavisd-new spamassassin clamav clamd unzip bzip2 unrar

It still gave me the following error on CentOS 5:

---> Package compat-db.i386 0:4.2.52-5.1 set to be updated
--> Running transaction check
--> Processing Dependency: lha for package: amavisd-new
--> Finished Dependency Resolution
Error: Missing Dependency: lha is needed by package amavisd-new

wget http://dag.wieers.com/rpm/packages/lha/lha-1.14i-19.2.2.el5.rf.i386.rpm

rpm -ivh lha-1.14i-19.2.2.el5.rf.i386.rpm

###############################################################################

yum --enablerepo=rpmforge install amavisd-new spamassassin clamav clamd unzip bzip2 unrar

###############################################################################

So I had a happy ending to my story; I hope you liked the story.

Bye and enjoy with Linux

tc

some problems that i faced when setting up a mail server

November 29, 2007

Hi all,

While setting up a mail server, I faced some problems while trying to make it run properly.

If you encounter such errors, I hope this helps you.

All the errors started when I installed amavis and configured it.

Error 1

file master.cf

amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200

Error message in the log file:

bad transport type: smtp_data_done_timeout=1200

Solution: note that you need leading whitespace before the -o directives.

So do not forget the leading whitespace.

Error 2

When starting amavis, you may get this error.

/etc/init.d/amavis start
Starting amavisd: The value of variable $myhostname is “aganith”, but should have been a fully qualified domain name; perhaps uname(3) did not provide such.
You must explicitly assign a FQDN of this host to variable $myhostname
in amavisd.conf, or fix what uname(3) provides as a host’s network name!
(failed).

Solution: Just include $myhostname='mail.yourdomain.com'; in the 50-user file within the amavis directory. Remember to use a FQDN.

Note: I am using Ubuntu as my server OS. I don’t know where to add this line in Red Hat based versions.

Error 3:

connect to 127.0.0.1[127.0.0.1]: Connection refused (port 10024)

and

TROUBLE in pre_loop_hook: db_home directory is not writable: /var/lib/amavis/db at /usr/sbin/amavisd-new line 6451

Solution:

For this, I just changed the permission for the db directory

chown -R virtual:virtual /var/lib/amavis/db

This command solved both of my problems.

Just restart amavis, clamav (I don’t know if it is required, but I did it) and finally postfix.

And enjoy using the mail server.

qmail: Relaying Explained

November 7, 2007

Many documents talk about mail relaying, specifying relaying rules and converting them into a cdb file, but what they lack is a clear explanation of relaying and of how the relaying rules work. This inspired me to write this document.

What is mail relaying anyway? And what is an open relay?

In a literal sense the word relay means: the act or instance of conveying or transmitting by or as by relays. In relation to mail servers it may be explained as: accepting email on behalf of someone for someone.

In the old days, when there were few mail servers on the internet, it was common for MTAs to act both as SMTP server and as SMTP client. Acting as a server, they typically accepted mail from hosts on the internet for local users. In the opposite role, they accepted messages from local users and delivered them to remote users. These were the days when mail servers acted as open relays, meaning they accepted mail from anyone and for anyone. This left the possibility open for illegitimate, unscrupulous junk mailers to use these open relays to send bulk and commercial mail rather than sending it from their own servers. This kind of mailing served two purposes for unsolicited mailers. First, they relieved their own servers of the load of sending these bulk emails. Second, they hid the origin of the mail.

This forced administrators not to let their MTAs act as open relays. Alas, gone are the days of innocence. In today’s cynical world, if your server acts as an open relay, be sure to see it blacklisted on several mail servers. This means mail from your server will be rejected by several servers as junk, since it originates from a blacklisted server (unfortunately, yours in this case).

What happens actually in mail relaying?

Suppose you have a mail server running and you are currently hosting a few domains on it. You have qmail-smtpd listening on port 25 to receive email for your domains from other hosts. Now some host on the internet connects to your server on port 25. This host might be another mail server running qmail, sendmail, exim or some other MTA, or it can be an end user’s mail client. The host initiates an SMTP conversation with your server by identifying itself. The SMTP conversation in its simplest form looks as follows.

When an MTA at somedomain.com initiates an SMTP conversation, your server responds:

220 mydomain.com ESMTP

The server for somedomain.com responds:

ehlo somedomain.com

In reply, your server declares its capabilities:

250-mydomain.com
250-PIPELINING
250-DATAZ
250-STARTTLS
250 8BITMIME

The server for somedomain.com sends the FROM part of the envelope:

MAIL FROM:sam@somedomain.com

Your server responds to continue the conversation:

250 ok

The server at somedomain.com now sends one or more recipient addresses using the RCPT TO command.

RCPT TO:alec@imaginary.com

At this point your server has two options. First, it can accept the message in order to relay it to imaginary.com. Second, it can reject it with a proper error message. In the first case it would answer ok:

250 ok

In the second case the server would answer in one of the following ways:

553 sorry, relaying denied from your location [10.15.20.25] (#5.7.1)
553 sorry, that domain isn’t in my list of allowed rcpthosts (#5.7.1)

Note that your server (mydomain.com) won’t reply with any decisive answer until it sees the recipient address part of the envelope. The reason is that this mail could be from one of the domains your server is serving (MAIL FROM). If your server finds that it is not responsible for delivering mail from somedomain.com, it will wait until it sees the recipient’s address. If, on seeing the recipient’s address, your server discovers that it is neither responsible for relaying messages from somedomain.com nor responsible for receiving messages for the domain in the recipient’s address, it will reject the message with one of the above messages.

Ok, I don’t want an open relay. But how the hell do I fix it?

To prevent your server from acting as an open relay, you define the rcpthosts file in qmail, usually found in /var/qmail/control/ in a default installation. This file contains the list of domains for which your server is responsible for accepting mail via SMTP. It accepts mail for domains identified by the SMTP RCPT TO command, hence the control file name rcpthosts. This file generally contains all hosts listed in locals and virtualdomains.

If rcpthosts is not present in your qmail setup, your server will immediately become an open relay.

All of the above is true if you are not using the control patch for qmail-ldap.

But now my users are getting messages saying sorry, that domain isn’t in my list of allowed rcpthosts, and I want my users to be able to relay messages through my server. And you know I can’t possibly list every domain in my rcpthosts file that my users may want to send mail to. So what do I do?

Well, certainly you should not add those domains to the rcpthosts file! There is nothing called authentication as such in the SMTP protocol. So you have to identify whether a particular connection is from one of your users. The easiest way to identify this is the IP from which the SMTP connection is initiated. Using IPs you can distinguish your users from foreign users. This way you know that the user is connecting from one of the hosts on your network.

You can allow your users to relay messages through your server. This can be achieved by specifying rules in the tcpserver environment. If this explanation is gibberish, here is a more verbose one. You specify the IPs from which your users will connect to your server in the file called tcp.smtp or tcp in /service/smtpd, depending on your installation. If you have been following my qmail-ldap step-by-step installation document, you will have to edit the /var/qmail/control/qmail-smtpd.rules file.

From now on I assume that you have been following my qmail-ldap step-by-step installation document, to avoid confusion.

By specifying these IPs in qmail-smtpd.rules you tell qmail to specifically allow SMTP connections from these IPs and to relay mail from them through your server. Suppose some of your users operate from IPs 10.22.13.55, 140.114.27.99 and 115.11.11.1. In this case we specify these IPs in /var/qmail/control/qmail-smtpd.rules as follows.

127.:allow,RELAYCLIENT=""
10.22.13.55:allow,RELAYCLIENT=""
140.114.27.99:allow,RELAYCLIENT=""
115.11.11.1:allow,RELAYCLIENT=""
:allow

The first line tells qmail to relay any mail from localhost. The next three lines tell qmail to relay mail from the specified IPs. The last line, :allow, is redundant: it tells the qmail server to allow anyone to connect to the SMTP server, but since it does not have RELAYCLIENT="", qmail won’t let anyone relay mail except the IPs specified with RELAYCLIENT="". For example, 10.22.13.55:allow,RELAYCLIENT="" allows mail relaying from IP 10.22.13.55.

Once you are done with that, you need to create the cdb file from /var/qmail/control/qmail-smtpd.rules. To create the cdb file, change directory to /var/qmail/control/ and run the following command.

tcprules qmail-smtpd.cdb rules.tmp < qmail-smtpd.rules

The tcprules command is installed with the ucspi-tcp package.
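The relay decision described above (the tcpserver rule lookup, the RELAYCLIENT variable and the rcpthosts check) can be modelled in a few lines to test a rules file before compiling it. This is an added example, not code from the original article or from qmail; it is a simplified model that handles only IP-based rule addresses and comma-free values, and the rcpthosts content and function names are constructed for illustration.

```python
# Rules as given in the article; the rcpthosts content is constructed.
RULES_TEXT = '''127.:allow,RELAYCLIENT=""
10.22.13.55:allow,RELAYCLIENT=""
140.114.27.99:allow,RELAYCLIENT=""
115.11.11.1:allow,RELAYCLIENT=""
:allow
'''
RCPTHOSTS = {"mydomain.com"}

def parse_rules(text):
    """Parse tcprules source lines into {address: (action, env)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instructions = line.partition(":")
        action, *assignments = instructions.split(",")
        env = {}
        for item in assignments:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[address] = (action, env)
    return rules

def lookup(rules, ip):
    """Most specific match first: full IP, shorter dotted prefixes, then the empty default."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in rules:
            return rules[key]
    return ("allow", {})  # no matching rule: treated here as allow with no variables

def in_rcpthosts(rcpthosts, domain):
    """Exact domain, or a wildcard entry such as .example.org covering subdomains."""
    domain = domain.lower()
    if domain in rcpthosts:
        return True
    parts = domain.split(".")
    return any("." + ".".join(parts[i:]) in rcpthosts for i in range(1, len(parts)))

def decide_rcpt(client_ip, rcpt, rules, rcpthosts):
    """Outcome of RCPT TO for this client; rcpthosts=None models a missing file."""
    action, env = lookup(rules, client_ip)
    if action == "deny":
        return "connection refused"
    if "RELAYCLIENT" in env:
        return "250 relayed for trusted client"
    if rcpthosts is None:
        return "250 OPEN RELAY (no rcpthosts file)"
    if in_rcpthosts(rcpthosts, rcpt.rpartition("@")[2]):
        return "250 accepted for local domain"
    return "553 not in rcpthosts"

RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for ip in ("127.0.0.1", "10.22.13.55", "10.15.20.25"):
        print(ip, decide_rcpt(ip, "alec@imaginary.com", RULES, RCPTHOSTS))
```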

Not all of my users have a static IP. Many of them have dynamic IPs assigned by the various ISPs they use. So can I not relay mail if it is from one of my domains?

I would interpret the phrase “mail from one of my domains” as mail whose sender address is in one of my domains. I would not believe the sender’s address on the envelope to be the true sender, because one can easily spoof the sender’s address on the mail envelope. If you go by the sender’s address on the email, you have to rely on the sender’s word and believe that he is who he claims to be. This is clearly a security issue.

So how are my legit users supposed to relay mail with my domain in the sender’s address field?

In such a case these users can use their ISP’s mail servers to relay their mail. Otherwise they can use any server that agrees to relay their mail. Besides, it is the ISP’s duty to provide a mail relaying service to its users. My personal experience is that some ISPs won’t relay your messages with some other sender’s address. They require not only that the sending host be connected to the ISP’s network, but also that the sender use the address provided by his ISP as his envelope sender address. If your customer wants to relay mail through his ISP’s SMTP server and he has one of these envelope-checking ISPs, he won’t be able to show the address that you’ve provided him in his “From” header; all his mail will have to appear to come from his ISP address.

So if your user has one of these idiot ISPs and wants to show the mail address provided by you, there is only one way that is ideal for him: SMTP_AUTH. Before relaying mail through your server, the user has to authenticate to your mail server. Then the IP from which this user has authenticated will be allowed to relay mail for a short period of time.

If you have been following the qmail-ldap step-by-step installation document, you will have it already. If you have not, you may want to refer to the documentation. If you are going to install plain qmail, you need a separate patch for SMTP_AUTH.

Another way to circumvent the problem is to use POP-before-SMTP (PBS). In this mechanism you are allowed to relay messages for a short period of time after a host at that IP address has authenticated via POP. The only problem with this approach is that some M$ Windows based email clients are hard-wired to send any queued mail before they authenticate and receive. That leaves your users with the additional responsibility of checking mail before they queue any mail (in their outboxes) for sending.

Other approaches may include running a separate qmail-smtpd on a different IP and on a non-standard port and using it as an open relay (which is NOT RECOMMENDED at all). For this you have to tell your users to keep this IP and port secret (tell them to keep a secret??). You also have to tell your users to configure their mail clients to use this IP and port for SMTP. Here lies the same kind of problem as with PBS (POP-before-SMTP): some M$ Windows based mail clients won’t allow you to change the SMTP port.

In the approach described, all we get is security through obscurity, which is nothing but a feel-secure state of mind. In reality, tools like nmap or scanrand (paketto keiretsu) will easily discover these ports (even an entire IP range for that matter) in just a minute. Once they are known …. do I need to tell again what might happen..?

This documentation is distributed in hope that it will be useful but WITHOUT ANY WARRANTY. Without even the implied warranty of FITNESS FOR A PARTICULAR PURPOSE. This documentation is COPYLEFTED.