Hi,

We are receiving emails from any source and we can send emails to any domain that is within our network, but Sendmail will queue any mail that should be sent out from the network. There is no entry in /var/log/maillog that Sendmail ever tries to resend any such email from the mailq. The OS is Fedora Core 6.

sendmail.mc was first setup as follows:

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST', `smtp.your.provider')dnl
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 20.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl

The above setup was similar to what was previously used and worked on Redhat 9. After reviewing many boards a change was made this line:
dnl define(`SMART_HOST', `smtp.your.provider')dnl
to:
define(`SMART_HOST', `mail.ourserver.com')dnl
(mail.ourserver.com is not the real name of the mail server)

A certificate was created as follows:
$>cd /etc/pki/tls/certs
$>make sendmail.pem

The changes in sendmail.mc were configured as follows:
$>m4 /etc/mail/sendmail.mc > /etc/mail.sendmail.cf
$>service sendmail restart
$>service saslauthd restart

The following files in /etc/mail were editted correctly:
access
local-host-names
relay-domains

As was /etc/pam.d/smtp

/etc/dovecot.conf was editted to add:
protocals = pop3
started and set to start on boot.

Since mail going out from the network was being queued and no attempts were being made to resend them the following test was done:
$>/usr/sbin/sendmail -v zzz@hotmail.com
testing
.
hotmail.com: name server timeout
zzz@hotmail.com... transient parse error -- message queued for future delivery
zzz@hotmail.com... queued

Then ran:
$>mailq

There was no entry for zzz@hotmail.com. The only entries that were found were the 2 emails which i tried to send outside of the network and one email from a form that was completed on one of the domains. All the queued mails have this line:
(host map: lookup (xxxx.com): deferred)

I thought of changing the paths in the old sendmail.cf and sendmail.mc and replacing them with the existing files, but I doubt that would make any difference since they are almost identical. The old files have a few extra lines.

The dns seems to resolve correctly and the lookups show as they should.

Any help or suggestions the get Sendmail 8.13.8.2 working properly would be appreciated.

Thanks in advance.

Either your /etc/resolv.conf doesn't point to a proper nameserver, or you have a firewall blocking DNS queries.

Thanks for the reply. Both the Linux firewall and SELinux have been disabled. I have not installed /etc/rc.firewall yet.

More than likely this could be a problem with Network but I'm not sure how to fix it. Network Manager creates /etc/resolv.conf as follows:

# generated by NetworkManager, do not edit!

; Use a local caching nameserver controlled by NetworkManager

search tesbroadcasting.net

nameserver 207.61.69.66
nameserver 207.61.69.67

I know that there should also be a line here as follows:
nameserver 127.0.0.1
but I can not get NetworkManager to write this. If NetworkManager writes this line then it does not write the other 2 nameserver lines. In /etc/sysconfig/networking/profiles/default the resolv.conf file is exactly the same and the network file is empty. I have also tried to do this:
System > Administration > Network > DNS
Tertiary DNS: 127.0.0.1
which does not work. Also under the Hosts tab I am not able to enter the following since it is not being accepted:
127.0.0.1 localhost.localdomain local host
However /etc/hosts does have this entry.

Any help or suggestions would be appreciated.

Thanks.

Are you sure you're running a caching nameserver locally? You don't want to add 127.0.0.1 to your resolv.conf unless you know it's supposed to be there (and why).

If you do what do you get?

It's not necessarily the host firewall that is blocking DNS queries. Quite possibly there is another firewall somewhere between you and the Internet.

The result I get from dig is:

; <<>> DIG 9.3.2 <<>> mx hotmail.com @207.61.69.66
; (iserver found)
;; global options: printed
;; connection timed out; nmo servers could be reached

I have taken 207.61.69.67 offline right now until the primary is working properly again. I will then put back the multicast-broadcasting switch between the line and the router.

In all previous network configuration I have always included the 127.0.0.1 line.

To further your information I did a reboot the other day (since the cron job to cut the xferlog for the first time for the vsftpd server caused the graphic interfaces to lockup) and at that time there was some mail in the queue. All this mail got sent out on reboot. However, I had to reset Network manually after reboot since it shut itself down looking for the best connection and /etc/resolve.conf only had the 127.0.0.1 line in it.

Also 207.61.69.66 id the primary dns server and 207.61.69.67 is the secondary dns server.

Another thing is that it takes almost 2 minutes to "send" outgoing mail from the workstation (with one timeout) before it gets queued. 4 hours later I get an email that delivery of the message was deferred. Mail sent within the network (domain within the network) gets sent instantly.

I am assuming that it is a caching nameserver since the install and setup is much the same as I used for RH7 and RH9. From what I can tell the big difference between Fedora and RedHat is how Fedora partitions the HD and the Fedora has allowances for remote connections without requiring a fixed IP address to retrieve your email.

Where would I look for another firewall? The internet line enters a Cisco router which outputs to a hub. Unless there is some hidden firewall in FC6 I don't believe there should be any blocking the port for DNS querries.

Thanks again.

Well something is dropping your DNS queries. I'm sorry, I don't have access to your network or a network diagram, so I cannot find it for you. Trace all the physical pieces between your mail server and your DNS server. Something in that path is dropping the traffic. Perhaps some device does not have it's netmask set correctly, so packets are going to it and that device is ignoring them as bogons. Perhaps your primary DNS server is running a host firewall, or has the wrong netmask configured, or you're not properly NAT'ing requests from your mail server so your DNS server sees the internal IP and cannot route to it... there are a million things that could be wrong.

If you can do and get the correct answer, then apparently you do have a local recursive/caching nameserver and you could just set /etc/resolv.conf to that. That wouldn't fix your broken network though. As for how to get that configuration to "stick", I have no idea. I never use the fancy network configuration utilities because I know how to do everything by hand, so that's how I do it.

The output for dig mx hotmail.com @127.0.0.1 is:

; <<>> DIG 9.3.2 <<>> mx hotmail.com @127.0.0.1
; (1 server found)
;; global options: printcmd
;; connect timed out; no servers could be reached

I have always set things manually. Unfortunately FC6 and higher seems to force the install of the Network gui which requires Network and Network Manager. During the install it also failed to install the named.conf file which forced me to yum install system-conf-bind in order to get it. As soon as you configure the zone files and named.conf manually the gui no longer functions, but without it i could not get named.conf to work even by creating it in chroot and making a symbolic link to it in /etc.

I did notice that on the reboot I mentioned there were these entries in /etc/log/messages

ns1 NetworkManager: <WARNING>
nm_system_divice_set_ip4_route (): Failed to set IPv4 default route on 'eth*' : file exists
(have inserted a * after eth for the number of the network card)

I had to reboot twice to get everything working again after the rotation of the xferlog for the first time. During the first reboot after:
ns1 avahi-daemon[2168]: Server startup complete. Host name is ns1.local. Local service cookie is 3803136270
and before:
ns1 NetworkManager: <information> starting...
all mail in the queue was sent. Named had been started and the avahi-daemon had started the network at this point. Afterwards the network was completely shut down and had to be started by bringing up each service with at the command prompt. Although I issued service network restart the network did not restart and create a new resolv.conf file. resolve.conf at this time looked like:

search tesbroadcasting.net

nameserver 127.0.0.1

and you could not bring up any website in a browser. I had to edit the dns tab of NetworkManager and re-enter the same data then save it to get back the resolve.conf with the 2 name servers in order to be able to view the websites in a browser.

I feel the that problem more than likely is with NetworkManager but I can't find where or how to correct it. From the reboot it seems that nameserver 127.0.0.1 is needed in order to send mail outside from the network since sendmail.mc shows relays using localhost.localdomain.

Thanks again.

It doesn't look like you actually have a nameserver running locally.

Are you sure your default route is set correctly? What's the output of ?

Destination Gateway Genmask Flags Mss Window irtt Iface
207.61.69.64 0.0.0.0 255.255.255.224 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 207.61.69.65 0.0.0.0 UG 0 0 0 eth1

Thanks for getting back.

Well your mailserver and DNS servers appear to be on the same subnet, assuming the mailserver IP is between .64 and .95 (non-inclusive).

You could try running tcpdump on both your DNS server and your mail server while you use dig on the mail server to try to resolve various DNS records, that would give you a clue into what's going on.

Yes they are on the same network. From your comments I suspected a dns problem for localhost. When I purposely crashed the bind gui I had replaced localhost.zone and named.local (the reverse file) with the defaults. I did try to use my old named.local (for localhost.zone), 127.0.0.rev (for named.local) and editted named.conf accordingly, but the dns would not work at all that way. For some reason FC requires named.conf to have these these zones point to these respective files:

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

None of the other default zone files are required for a dns server by FC so I commented them out.

I editted both localhost.zone and named.local to add 2 lines to each file for the NS records for the nameservers ns1.tesbroadcasting.net and ns2.tesbroadcasting.net, restarted named and then restarted sendmail.

$> /etc/rc.d/init.d/named restart
$> service sendmail restart

Then checked the mail queue...
$> mailq
and it was empty. Although I have not sent an email outside from the network I'm sure that it should work now since the problem of mail being stuck in the queue is now resolved. With forcing the bind gui to crash so I could manually create all the dns I had forgotten to re-edit localhost.zone and named.local to add the 2 nameservers NS records to those files.

Thank you very much for your help, time, patience and understanding.

I may have been a bit hasty... All the queued mail was actually bounced back. When I noticed this I sent an email to one of my yahoo accounts. Here is the server message in the dat file:

Reporting-MTA: dns; ns1.tesbroadcasting.net
Received-From-MTA: DNS; [207.61.69.68]
Arrival-Date: Sat, 23 Aug 2008 21:33:51 -0400

Final-Recipient: RFC822; zzzz@yahoo.com
Action: failed
Status: 5.3.5
Diagnostic-Code: SMTP; 553 5.3.5 system config error
Last-Attempt-Date: Sat, 23 Aug 2008 21:33:51 -0400

The corresponding maillog entries are:

Aug 23 21:33:51 ns1 sendmail [21236]: m701XpPU21234: SYSERR(root): mail.tesbroadcasting.net. config error: mail loops back to me (MX problem?)
Aug 23 21:33:51 ns1 sendmail [21236]: m701XpPU21234: ns1.tesbroadcasting.net [207.61.69.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 23 21:33:51 ns1 sendmail [21236]: m701XpPU21234: to=<zzzz@yahoo.com>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=121107, relay=mail.tesbroadcasting.net [207.61.69.66], dsn=5.3.5, stat=Local configuration error
Aug 23 21:33:51 ns1 sendmail [21236]: m701XpPU21234: m701XpPU21234: DSN: Local configuration error
Aug 23 21:33:51 ns1 sendmail [21236]: m701XpPU21234: to=rootadmin, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32317, dsn=2.0.0, stat=sent

Am I correct to assume that this is being caused this:

The above setup was similar to what was previously used and worked on Redhat 9. After reviewing many boards a change was made this line:
dnl define(`SMART_HOST', `smtp.your.provider')dnl
to:
define(`SMART_HOST', `mail.ourserver.com')dnl
(mail.ourserver.com is not the real name of the mail server)
and that this line in sendmail.mc should be changed back to:
dnl define(`SMART_HOST', `smtp.your.provider')dnl
?

Thanks in advance.

Just put dnl in front of the smarthost to comment it out. Then restart sendmail. I think the init script automatically runs m4 to recomplile the .cf file from the .mc file.

Made the change and tried to send an email to one of my yahoo accounts. It took about 30 seconds for the email to leave the outbox and then it got queued. Here are the respective entries in /etc/maillog:

Aug 24 08:03:08 ns1 sendmail[16777]: m70C37Cn016777: from=<zzzz@tesbroadcasting.net>, size=1113, class=0, nrcpts=1, msgid=<01dc01c905e1$a2360700$44453dcf@tesbroadcasting>, proto=SMTP, daemon=MTA, relay={207.61.69.68]
Aug 24 08:03:08 ns1 sendmail[16777]: m70C37Cn016777: to=<zzzz.yahoo.com>, delay=00:00:00, mailer=esmtp, pri=31113, dsn=4.4.3, stat=queued

Restarted sendmail to see if it would send the mail in the queue and it did not.

I was wondering if the changes from what I normally use for localhost.zone and named.local could be the problem. Here are the respective old files with the new/changed files in blue:

localhost.zone:

$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ zzzz.tesbroadcasting.net (
2000121610 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expiry
86400 ) ; minimum
1D IN NS ns1.tesbroadcasting.net.
1D IN NS ns2.tesbroadcasting.net.
1D IN A 127.0.0.1

$TTL 86400
$ORIGIN localhost.
@ IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.tesbroadcasting.net.
IN NS ns2.tesbroadcasting.net.
IN A 127.0.0.1

named.local:

$TTL 86400
@ IN SOA ns1.tesbroadcasting.net. zzzz.tesbroadcasting.net. (
2000121610 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ;Minimum
IN NS ns1.tesbroadcasting.net.
IN NS ns2.tesbroadcasting.net.
1 IN PTR localhost.

$TTL 86400
@ IN SOA localhost. root.localhost. (
2000121610 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ;Minimum
IN NS ns1.tesbroadcasting.net.
IN NS ns2.tesbroadcasting.net.
1 IN PTR localhost.

Currently the new/changed files in blue above are the ones which are being used. The difference in the original files is only found in localhost.zone file. Could this be the cause for the slowness for outgoing mail? Or does localhost.zone require and named.local require NS records for localhost in addition to the A record and respective PTR? Or is it something else?

Thanks...

Use the version in blue, but remove the NS entries for ns1 and ns2. You can't query those nameservers from your mailserver, so it's pointless. Besides, nameservers should not answer external queries for localhost information.

Make sure your your mailserver has an entry like this in /etc/hosts: