LinuxQuestions.org
Old 05-05-2008, 05:48 AM   #1
NathanPardoe
Sendmail 8.14.2 undisclosed DNSBL lookup failure and NOQUEUE errors (FreeBSD 7.0)


Hi everyone,

I've been having a problem for months with Sendmail and DNSBL lookups. DNSBL lookups fail without any output in error logs, even with Sendmail's log level set to 22. Furthermore, NOQUEUE errors occur as per the mail logs. The server runs FreeBSD 7.0, fully up-to-date in terms of the base system and ports. The problem has been present since FreeBSD 6.2, and at the risk of sounding stupid, "seemed to happen overnight without me changing anything". Sendmail details are as follows -

Code:
root@darkweb# sendmail -d0.1
Version 8.14.2
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

My hostname.mc file -

Code:
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')dnl
FEATURE(blacklist_recipients)dnl
FEATURE(greet_pause, `500')dnl Wait half a second before issuing 220 greeting
FEATURE(lookupdotdomain)dnl
FEATURE(mailertable)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(no_default_msa)dnl
FEATURE(nocanonify, `canonify_hosts')dnl
FEATURE(nouucp, 'reject')dnl
FEATURE(redirect)dnl
FEATURE(relay_hosts_only)dnl
FEATURE(smrsh,'/usr/libexec/smrsh')dnl
FEATURE(use_ct_file)dnl
FEATURE(use_cw_file)dnl
FEATURE(virtuser_entire_domain)dnl
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')dnl

dnl Binding options
DAEMON_OPTIONS(`Name=MSA, Family=inet, Port=submission, M=Ea')dnl
DAEMON_OPTIONS(`Name=MTA, Family=inet, Port=smtp, M=E')dnl
DAEMON_OPTIONS(`Name=MTA-SSL, Family=inet, Port=smtps, M=Es')dnl

dnl Local host names file location
define(`confCT_FILE', `-o /etc/mail/trusted-users')dnl
define(`confCW_FILE', `-o /etc/mail/local-host-names')dnl

dnl Various configuration options
define(`confALIAS_WAIT', `0')dnl
define(`confBAD_RCPT_THROTTLE', `2')dnl
define('confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
define('confCHECK_ALIASES','False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confCONNECTION_RATE_THROTTLE', `2')dnl
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define('confDELIVERY_MODE','background')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confDIRECT_SUBMISSION_MODIFIERS', `C')
define(`confDOMAIN_NAME',`darkweb.ticklestix.co.uk')dnl
define('confDONT_EXPAND_CNAMES', 'False')dnl
define('confDONT_PROBE_INTERFACES','True')dnl
define(`confFORWARD_PATH', `')
define(`confMAX_DAEMON_CHILDREN', 20)dnl
define(`confMAX_HOP', `35')dnl
define(`confMAX_MESSAGE_SIZE', `20971520')dnl 20MB attachment limit
define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
define(`confMILTER_MACROS_ENVRCPT',`b,r,v,Z')dnl
define(`confNO_RCPT_ACTION', `add-to-undisclosed')dnl
define('confPRIVACY_FLAGS', 'authwarnings,noexpn,novrfy,goaway,restrictmailq,restrictqrun,needmailhelo,nobodyreturn')dnl
define(`confQUEUE_LA', `5')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confREFUSE_LA', `12')dnl
define(`confRUN_AS_USER', `root:wheel')
define(`confSEPARATE_PROC', `False')dnl
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j TickleStix MTA: $b')dnl
define(`confSUPER_SAFE',`true')dnl
define(`confTO_COMMAND', `1m')dnl
define(`confTO_DATABLOCK', `1m')dnl
define(`confTO_DATAFINAL', `1m')dnl
define(`confTO_DATAINIT', `1m')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_ICONNECT', `15s')dnl
define('confTO_IDENT','0s')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_MAIL', `1m')dnl
define(`confTO_MISC', `1m')dnl
define(`confTO_QUIT', `1m')dnl
define(`confTO_RCPT', `1m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_STARTTLS', `2m')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl

dnl DNS blacklists
FEATURE(`dnsbl',`bl.spamcop.net', `"554 Rejected: Unsolicited e-mail from " $`'&{client_addr} " has been refused. DNSBL list: SpamCop (bl.spamcop.net)."', `t')dnl
FEATURE(`dnsbl',`zen.spamhaus.org', `554 Rejected: Unsolicited e-mail from " $`'&{client_addr} " has been refused. DNSBL list: Spamhaus (zen.spamhaus.org)."', `t')dnl

dnl Mail filters (Milters)
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl

dnl SMTP authentication
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS',`A p y')dnl
define(`confCACERT_PATH', `/usr/local/certs/mail')dnl
define(`confCACERT', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confCLIENT_CERT', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confCLIENT_KEY', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupReadableSASLDBFile')dnl
define(`confRELAY_MSG',`"550 Relaying denied without authentication: Relaying requires authentication over STARTTLS or SSL. Originating sender:" $`'&{client_addr} "."')dnl
define(`confSERVER_CERT', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confTLS_SRV_OPTIONS', `V')
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

dnl Enabling debugging
define(`confLOG_LEVEL', `22')dnl

MAILER(local)dnl
MAILER(smtp)dnl

And an example of the NOQUEUE errors which I cannot resolve -

Code:
May  5 10:49:48 darkweb sm-mta[87963]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use
May  5 10:49:48 darkweb sm-mta[87963]: daemon MSA: problem creating SMTP socket

Disabling all daemons and commenting out mailer entries sees the daemon referred to in NOQUEUE errors change accordingly (i.e. disable MSA --> MTA --> MTA-SSL --> Daemon0 when no user-specified daemons exist). I usually operate with the MAILER(local) entry disabled. Besides this, I've tried every combination of rc.conf sendmail-related options. In use at the moment are -

Code:
# Mail Services
## Core
mta_start_script="/etc/rc.sendmail"
sendmail_pidfile="/var/run/sendmail.pid"
sendmail_procname="/usr/sbin/sendmail"
sendmail_enable="YES"
sendmail_flags="-L sm-mta -bd -q30m"
sendmail_submit_enable="NO"
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
sendmail_outbound_enable="YES"
sendmail_outbound_flags="-L sm-queue -q30m"
sendmail_msp_queue_enable="YES"
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m"
sendmail_rebuild_aliases="YES"
## Extras
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
clamav_freshclam_flags="--checks=12"
saslauthd_enable="YES"
spamass_milter_enable="YES"
spamd_enable="YES"

As I said, I've tried using only one of the sendmail_*_enable options in turn, using all, using different flags, using the /etc/rc.d/sendmail init script and other things Google has turned up - all to no avail.

Regarding the DNSBL problem, I've tried using a variety of other lists, and tried removing my custom error message. The only thing I can think of that would cause the DNSBL lookups to fail silently is the "t" option, but this is to prevent lookup timeouts causing spam mail to be received. I can successfully use the dig command to look up known spam IP addresses. I'm not sure if it is relevant, but the server defaults to using the router for DNS lookups and the local cache otherwise (djbdns), with both processing DNS queries OK.

I apologise if I haven't explained my problem very well. The e-mail server sends and receives e-mail without issue, however, even when the log level is set to the default the NOQUEUE errors are still present. I appreciate the NOQUEUE errors may be of no significance, but the output of '/etc/rc.d/sendmail status' concerns me -

Code:
root@darkweb# /etc/rc.d/sendmail status
sendmail is running as pid 1038.
sendmail_clientmqueue is not running.

The main issue is the DNSBL lookups failing and seemingly all mail is accepted - when DNSBL lookups worked, 90% of the spam I receive was dropped.

Thanks for your help in advance. Again, I apologise for any difficulties in understanding the problem, and if the information provided isn't sufficient. Any advice or comments would be of assistance.
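
A lint for two quoting patterns visible in the hostname.mc from post #1, added here as an example that is not part of the original thread or of Sendmail: m4 only treats text between a backtick and an apostrophe as quoted, so an argument opened with a straight apostrophe is passed through with its apostrophes intact, and a line with an odd number of double quotes has an unbalanced message string. The function name and finding labels are hypothetical, the sample lines are abbreviated from the post, and the check is independent of the fix linked in post #3, which this page does not reproduce.

```python
import re

# Constructed sample: lines abbreviated from the hostname.mc quoted in post #1.
SAMPLE_MC = r"""FEATURE(nocanonify, `canonify_hosts')dnl
FEATURE(nouucp, 'reject')dnl
define('confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
define(`confTO_ICONNECT', `15s')dnl
FEATURE(`dnsbl',`bl.spamcop.net', `"554 Rejected: " $`'&{client_addr} " refused."', `t')dnl
FEATURE(`dnsbl',`zen.spamhaus.org', `554 Rejected: " $`'&{client_addr} " refused."', `t')dnl
"""

# m4 discards everything from "dnl" to the end of the line.
COMMENT = re.compile(r"\bdnl\b.*$")
# An apostrophe right after "(" or "," opens an argument that m4 does not
# treat as quoted; a correctly quoted argument starts with a backtick.
STRAIGHT_OPEN = re.compile(r"[(,]\s*'([^'`]*)'")


def lint_mc(text):
    """Return (line number, finding label, offending token) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT.sub("", raw)
        # Arguments wrapped in '...' instead of `...'
        for match in STRAIGHT_OPEN.finditer(line):
            findings.append((lineno, "straight-quoted", match.group(1)))
        # Double quotes inside a reply message must pair up on the line.
        if line.count('"') % 2:
            findings.append((lineno, "odd-double-quotes", ""))
    return findings


if __name__ == "__main__":
    for lineno, label, token in lint_mc(SAMPLE_MC):
        print(f"line {lineno}: {label} {token}".rstrip())
```

Run it against the full .mc file before rebuilding sendmail.cf; each finding is a line to compare against the quoting used in the entries that do take effect.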
 
Old 05-07-2008, 05:39 PM   #2
NathanPardoe
Bump for assistance.
 
Old 05-20-2008, 08:01 AM   #3
NathanPardoe
In case it helps anybody, the (simple) fix is at http://daemonforums.org/showpost.php?p=2975&postcount=9.
 
  

