Sendmail settings. Will sendmail always answer "helo". (and tracing blocked port 25)

Bjorkli · 05-18-2004, 03:05 AM

Hi (again).

I have set up sendmail (in Fedora Core 1) so I can send mail. I also have a fixed IP, and bought a couple of domain names which I have forwarded to my webserver. (all well and good there).

In the domain provider admin tables, I have made a subdomain called mail.mydomain.com and directed it to my IP address (in IPv4 or IPv6 admin text field). And in my MX 1: box of mydomain.com admin pages I typed mail.mydomain.com. Opened up port 25 in my firewall, and redirected this port to my Fedora Core 1 sendmail server. This should be ok (the people I bought the domain of says so anyway).

When I try locally "telnet <my internal ip for linux server> 25" I can type helo and it answers.

When I try from work the telnet <my ip> 25 it says "Could not open a connection to host on port 25 : Connect failed".

How can I tell if it is my ISP that has blocked port 25, or if it is me that has forgotten something? (or simply my sendmail that refuses to answer my work machine). Will sendmail answer anyone who tries to connect if port 25 is not blocked, no matter what I have specified in the sendmail.mc file. Or do I have to type my domain providers place somewhere in the sendmail.mc file, or my ISP, or my ISP's IP, or my domain provider IP, or my works domain name or IP? (DNS confuses me so) for sendmail to answer my work machine?

Fedora for Dummies states "To ensure that mail delivery works correctly, your system's name must match the system name your ISP has assigned to you. Although you can give your system any host name you want, other systems can successfylly deliver mail to you system only if your system's name is in the ISP's name sever"

I figured that this does not apply to me, since I have setup mail.mydomain.com to point to my IP address instead of a name. (The people I bought the domain of, and my ISP are not the same company). (So it should work, right?) But I guess my ISP could still block port 25...

So. My main questions are: Will sendmail answer the command "helo" from anyone if I connect to it using telnet <ip adress> 25 (as long as the path to it is not blocked somehow and no matter what sendmail.mc settings I have)? And how can I tell if it is me or my ISP that is blocking the port? And can I use a different port than 25 for mail transport just to trick my ISP if they don't feel like opening the port for me?

Hope you can help

carlmarshall · 05-18-2004, 06:01 AM

Do you have any form of firewall? How about hosts.allow and hosts.deny in /etc? You'll need to allow local access AND access from outside.

You could use the hosts.allow file to give access only to your ISPs mail server or to anyone on port 25. If your mail server is the primary MX record for your domain, you should allow access to anyone on that port. If the MX is that of your ISP then they'll need some other form of transferring mail to your server other than MX record.

Your MX record should point to a host name, NOT an IP. You should have a matching A record to translate the host to IP.

Generally, it doesn't matter what the hostname of your server is. External mail is delivered to you regardless provided that the MX and A records translate to your IP.

Sending mail can be different. If you send all your outgoing mail to your ISP and they accept it based on your IP, then all will be fine. If you resolve the MX records yourself, you'll run into problems when the recipient mail server will only accept mail when it can perform a reverse (PTR) lookup. Your mail server will declare itself as mail.mydomain.com but the receiving system doing a reverse lookup will almost certainly not find the in-addr.arpa resolving to the same name.

Sendmail will always respond to a connection on port 25 (though not with a helo as that comes from the connecting server) provided the packets can get to it.

It is possible to configure sendmail (can't remember how) to use a port other than 25, but that would be no use to you as other mail servers will still try to contact you on 25.

Regards,

Carl

LuggerHouse · 05-18-2004, 08:00 AM

To eliminate sendmail complex configuration problems and to confirm that your ISP is blocking 25 or not, use telnetd.

Edit your /etc/xinet.d/telnet

change the port 22 for 25 and disable = yes to disable = no

stop sendmail
restart xinetd

Then from external telnet mail.yourdomain.com 25

If you can connect there, well it's a mail config problem..

If I can remember, I think sendmail defaults to listen on localhost only.

But I'not sure since I'm using PostFix wich is an alternative to sendmail and easyier to configure..

Bjorkli · 05-19-2004, 09:02 AM

Thanks for the reply.

I have firestarter firewall, but port 25 is open. Both hosts.allow and hosts.deny in the /etc folder is empty except the remarks.

[I"]Your MX record should point to a host name, NOT an IP. You should have a matching A record to translate the host to IP."[/I]

Ok. I made a sub domain called mail.mydomain.com (Hopefully this is an A record) which has my IP address in some IPv4 / IPv6 field (hopefully this translate host to IP) in my domain providers admin page. It is this subdomain I put into my MX 1: field of my "main" domain mydomain.com. So that should work... right??

Ok. Now I have to figure out how to make my sendmail accept this mail that is forwarded / translated to my server. Before I try qmail or PostFix, I will try the /etc/mail/sendmail.mc file. To make my sendmail accept (without making it an open relay server) I would change the following (I think) (from the default sendmail.mc file):

Quote:

dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

This I would remark out so it doesn't just listen to IPv4 loopback addresss 127.0.0.1, and accepts email from the internet (this would not make it an open relay???)

Quote:

dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl # a kernel patch
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl

Here I would remove the remark characters to make it listen to the IPv6 loopback (whatever that is. Guess this would be some internett thing. This would not make it an open relay???). Would I have to type something in the Addr=::1 field. Eg my routers / ADSL modem IP?

Quote:

dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl

Um. Why is this one not remarked out? Should it be?

Quote:

dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN('mydomain.com')dnl
dnl #

This is where I state my domain name for mail being sent out. Right??

Quote:

dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

Um um um. What does this do? Well. How about I do the following:I remove dnl before MASQUERADE_AS... line. And remove the dnl that is in front of the FEATURE(masquerade_envelope) line and all the dnl's before the MASQUERADE_DOMAIN... lines. What is a domainalias? and mydomain.lan Is that some network thing.... Hmm... Well. Right? I guess what all the above does is make the mail look like linuxuser@mydomain.com instead of linuxuser@linux.mydomain.com...

And then Fedora for Dummies tips me that I should include the line "Cwlocalhost.localdomain mydomain.com mydomain" at the bottom of the file. Ok. Um.. Will do that too..... (Right?)

And after I have done that, it should securly work without being a open relay? Right?

--- To Luggerhouse
This is my telnet file inside /etc/xinetd.d

Quote:

# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}

So I cannot see anything about port there. Do I simply add a Port = 25 line inside the brackets?

Once I figure out that, I will use the commands "service sendmail stop" to stop sendmail (as the root user). And "service xinetd restart" to make xinetd restart. And try telnet <my ip> 25 from work and checks if it answers to the command helo.

Ok.

Thanks so far...

LuggerHouse · 05-19-2004, 09:10 AM

Oops, sorry about that one.... Simplier solution is to edit the telnet record in /etc/services
chaging 22 for anything you would like (25 in your case) for both tcp and udp.. But dont forget to change disable = yes to disable = no in your telent config file!!

The rest of the procedure you mentionned is all right exept for the expected results:

You should then have a login prompt if the port is not blocked (since it is nopt telnetd listening on that port) . That way you can certify the port is not blocked.

Bjorkli · 05-24-2004, 03:13 AM

Oh Joy. Never gotten around to do the sendmail.mc file thing, cause it startet working now. I can now receive and send mail from my little ADSL home computer using the domain name I bought. Must be something I did in webmin sendmail configuration, and the help from you guys. Thanks

I checked the port, and it is open... Maybe it was just time that where needed to update DNS tables or something.

But how can I tell if it is an open relay? I get some logs sent to the root user every day (no idea why). But anyway, they have entries like this:

--------------------- sendmail Begin ------------------------

Relaying denied:
From [220.163.66.196] to 2004qyml@pchome.com.tw: 1 Times(s)
Relaying denied:
From [220.72.224.156] to china9988@21cn.com: 1 Times(s)
Relaying denied:
From IRM-4-19.dialup.access.telecore.net.ru [213.135.70.114] to hotpost@aha.ru:

---------------------- sendmail End -------------------------

This I take it that relaying is being refused, so that my sendmail is not an open relay. Right?

I will wait with trying to install junk mail filters until I get that problem.

Well. This is great. Cheers everybody...