Two Problems

[Tezcatlipoca]

Hi All,

Ok, I recently upgraded my hMail to 5.3, and, as such, now have access to tools such as the Diagnostics option. Now over the last few days, my hMail is reporting two problems, which I'm posting here as I suspect they are linked. Firstly, some background:

Background

My company has two routers that run simultaneously. Both are conencted to an ISP, and both have static, public facing IP addresses. Let's call them R1 and R2 for the sake of clarity.

Both R1 and R2 have firewalls switched off. they do nothing but filter back to a Twin WAN gateway behind, and it is this Twin WAN that handles all the firewalling, port forwarding, traffic shaping, etc., etc. We use two routers as our bandwidth load gets neatly balanced by the Twin WAN, and, in the case of a router failure, the other takes over. This Twin WAN is set to forward all port 25, 110 and 143 traffic to the internal IP address of the machine running hMail.

Finally, I have my MX records set as 10 mail.<mydomain> and 20 mail2.<mydomain>. mail. is an A DNS record that goes to the static IP of R1, and mail2. has a DNS A that goes to the static IP of R2.

This all works just fine and my users can send an receive emails, internally and externally just fine.


Problem 1

Since upgrading, I now have access to the Diagnostics tool in hMAil and have run it against my own domain. I consistently get a clean bill of health expect for the R1 IP address, which always fails to connect.



My next step, obviously, was to test this by a simple telnet <mydomain> 25 check. Connection fails (note, fails, not is refused) on the IP belonging to R1, and always succeeds on the IP belonging to R2.

Further tests on outgoing email headers have shown that mail originates from the R2 IP, never the R1.

Now I know what you're thinking, since I thought the same thing, but the R1 router (a netgear DG834) definitely has it's firewall switched off, and is passing traffic back to the Twin WAN as it should do.
I can also confirm that our ISP is not blocking port 25 on this static IP (I have an email confirming this from them).

This is made a little more confusing by the fact that, diagnostically, I can run open relay tests from the internet against both R1's and R2's IP addresses and they both come back clean (i.e. we are not open relays and require authentication). I can fire the same tests at the FQDNs and get the same good results.
I can also run a series of tests using MX Toolbox (again, run once for each IP then one for each FQDN) and all tests come back green.

Soooo...can't telnet to port 25 of the R1 IP. R1 is definitely passing traffic back to the exact same Twin WAN that R2 is. All local to external traffic is confirmed as always using R2's IP. All external tests come back green.
Everything about this shouts out that this is a router blocking issue, but I cannot see anything in R1 that would cause this.


Problem 2

I could be wrong, but I suspect this is related to the above. I have begun to notice hMail throwing up a series of logged errors, and example of which from today (from the awstats log) is:

Code: Select all

"ERROR"	2132	"2010-01-13 14:36:26.919"	"Severity: 3 (Medium), Code: HM4224, Source: PersistentMessage::_SaveRecipients, Description: Tried to save recipient without an address."
"ERROR"	1968	"2010-01-13 14:36:26.997"	"Severity: 3 (Medium), Code: HM5007, Source: SMTPDeliverer::DeliverMessage(), Description: Message 342105 could not be delivered. No remaining recipients. File: E:\hMailServer\Data\{EB71E865-C106-4C38-B458-C52C080434D7}.eml"

The comparative section of the main log (edited with <mydomain> for my actual comapny domain name and <valid.user> for an actual employee) is:

Code: Select all

"TCPIP"	1116	"2010-01-13 14:36:26.638"	"TCPConnection - Posting AcceptEx on 0.0.0.0:25"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.638"	"10.0.1.122"	"SENT: 220 mail.<mydomain>"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.638"	"10.0.1.122"	"RECEIVED: EHLO CLIENTPC28"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.638"	"10.0.1.122"	"SENT: 250-mail.<mydomain>[nl]250-SIZE 10240000[nl]250 AUTH LOGIN"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.638"	"10.0.1.122"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.638"	"10.0.1.122"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.638"	"10.0.1.122"	"RECEIVED: dGltLnNrZXRjaGxleUByb2NrZXRtYXJrZXRpbmdncm91cC5jb20="
"SMTPD"	1116	31323	"2010-01-13 14:36:26.638"	"10.0.1.122"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.638"	"10.0.1.122"	"RECEIVED: ***"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.638"	"10.0.1.122"	"SENT: 235 authenticated."
"SMTPD"	1116	31323	"2010-01-13 14:36:26.653"	"10.0.1.122"	"RECEIVED: MAIL FROM: <<valid user>@<mydomain>> SIZE=19979"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.653"	"10.0.1.122"	"SENT: 250 OK"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.653"	"10.0.1.122"	"RECEIVED: RCPT TO: <mark@blinds-2go.co.uk>"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.653"	"10.0.1.122"	"SENT: 250 OK"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.653"	"10.0.1.122"	"RECEIVED: DATA"
"SMTPD"	1116	31323	"2010-01-13 14:36:26.653"	"10.0.1.122"	"SENT: 354 OK, send."
"SMTPD"	608	31323	"2010-01-13 14:36:26.669"	"10.0.1.122"	"SENT: 250 Queued (0.016 seconds)"
"SMTPD"	1852	31323	"2010-01-13 14:36:26.669"	"10.0.1.122"	"RECEIVED: QUIT"
"SMTPD"	1852	31323	"2010-01-13 14:36:26.669"	"10.0.1.122"	"SENT: 221 goodbye"
"TCPIP"	1944	"2010-01-13 14:36:26.716"	"DNS - MX Lookup: blinds-2go.co.uk"
"ERROR"	2132	"2010-01-13 14:36:26.919"	"Severity: 3 (Medium), Code: HM4224, Source: PersistentMessage::_SaveRecipients, Description: Tried to save recipient without an address."
"ERROR"	1968	"2010-01-13 14:36:26.997"	"Severity: 3 (Medium), Code: HM5007, Source: SMTPDeliverer::DeliverMessage(), Description: Message 342105 could not be delivered. No remaining recipients. File: E:\hMailServer\Data\{EB71E865-C106-4C38-B458-C52C080434D7}.eml"
"TCPIP"	1944	"2010-01-13 14:36:27.044"	"DNS - MX Result: 2 IP addresses were found."
"TCPIP"	1944	"2010-01-13 14:36:27.044"	"Connecting to 195.182.184.2..."
"SMTPC"	1880	31324	"2010-01-13 14:36:27.731"	"195.182.184.2"	"RECEIVED: 220 apscontrol.com SurgeSMTP (Version 3.9e-1) http://surgemail.com"
"SMTPC"	1880	31324	"2010-01-13 14:36:27.731"	"195.182.184.2"	"SENT: HELO mail.<mydomain>"
"SMTPC"	1880	31324	"2010-01-13 14:36:27.747"	"195.182.184.2"	"RECEIVED: 250 apscontrol.com. Hello mail.<mydomain> (87.83.146.211)"
"SMTPC"	1880	31324	"2010-01-13 14:36:27.747"	"195.182.184.2"	"SENT: MAIL FROM:<<valid user>@<mydomain>>"
"SMTPC"	1880	31324	"2010-01-13 14:36:29.122"	"195.182.184.2"	"RECEIVED: 250 Command MAIL OK"
"SMTPC"	1880	31324	"2010-01-13 14:36:29.122"	"195.182.184.2"	"SENT: RCPT TO:<mark@blinds-2go.co.uk>"
"SMTPC"	1880	31324	"2010-01-13 14:36:29.185"	"195.182.184.2"	"RECEIVED: 250 remote recipient accepted"
"SMTPC"	1880	31324	"2010-01-13 14:36:29.185"	"195.182.184.2"	"SENT: DATA"
"SMTPC"	1880	31324	"2010-01-13 14:36:29.200"	"195.182.184.2"	"RECEIVED: 354 Command DATA Start mail input; end with <CRLF>.<CRLF>"
"SMTPC"	1848	31324	"2010-01-13 14:36:29.216"	"195.182.184.2"	"SENT: [nl]."
"SMTPC"	1880	31324	"2010-01-13 14:36:31.044"	"195.182.184.2"	"RECEIVED: 250 message sent ok"
"SMTPC"	1880	31324	"2010-01-13 14:36:31.044"	"195.182.184.2"	"SENT: QUIT"

So, those are my two hMail issues. Everything else works perfectly, and I'm extremely happy with it. If anyone can shed any light on the above, I'd be extremely grateful.

[Tezcatlipoca]

***ADDITIONAL*** Regarding Problem 2, I suspect I may have found an answer. I recently elevated the anti-spam solution on hMail by enabling the zen.spamhaus.org blacklist (score of 5), and it's only since I did this that I've begun to notice these errors.

I've also notived that a great deal of spam claiming to originate and/or target old employees at our old domain name are being registered as trying, without success, to go via hMail.

I've also noted that zen.spamhaus.org is now returning True matches for some of these old email addresses.

I have a theory that these old email addresses are on spam listing and that spammers are trying to use them. These were all back in the day of my predecessor, so I think that when I started with the company and shifted all our company mail over to a brand new hMail server and configured both authentication and anti-spam procedures, this old spam was stopped dead in its tracks. The details are getting stripped, and this is throwing up false-positive errors in hMail...?

I could be wrong, but this seems plausible to my mind, and the logs certainly show an absolute ton, and I do literally mean a ton, of spam - all referencing old employee emails - bouncing off hMail now.

If the case, I presume I can just ignore this? I can confirm that I've run rigorous tests against both my public IPs and FQDNs, and none appear on any spam lists or blacklists.

[sheffters]

zen.spamhaus.org blacklist

its screwed at the moment ... uncontactable earlier today and hms was marking everything as spam ... dont know if its a hms error thinking no response is spam score or spamhaus sending out dodgy messages ... suspect its hms failing to handle uncontactable correctly since others say spamhaus is offline - tho since its gone offline it could just be going mental ... so disable it for a day or so and then try again when its working properly.

S.

[Tezcatlipoca]

zen.spamhaus.org blacklist

its screwed at the moment ... uncontactable earlier today and hms was marking everything as spam ... dont know if its a hms error thinking no response is spam score or spamhaus sending out dodgy messages ... suspect its hms failing to handle uncontactable correctly since others say spamhaus is offline - tho since its gone offline it could just be going mental ... so disable it for a day or so and then try again when its working properly.

S.

Hmm..interesting. Upon reading this I disabled spamhaus and, so far, no more of these errors. Time will tell!

My hMail still has the problem listed as Problem 1 above, though, if anyone has any smart ideas...?

[sheffters]

Re prob 1 .. I know you checked your router, but is Win Server definately setup to allow traffic? ... i.e. its not being blocked by its internal firewall?

S.

[Tezcatlipoca]

Hi Tezcatlipoca,
What I'm going to suggest may or may not help but your network configuration (to me) is uncharted territory.

Do you currently have a network DNS server running? If so you might consider adding Mail.* and mail2.* to point to your HMS LAN IP. If not maybe you should add mail.* and Mail2.* to your HMS's computer "hosts" file.

Now this, folks, is a great example of applying your extensive network knowledge to trying to solve a problem in the most complex way possible, whilst forgetting the most basic and fundamental considerations until somebody finally asks "Did you try this?" and it all suddenly becomes clear!

I can telnet on port 25 directly into my hMail server from outside my network just fine, but not from within the network. Why? Because when setting up hMail I configured the system, the server, the MX and DNS A records, applied IMAP clients, and did everything necessary to get a mailserver running...

...ahem...expect I completely forgot to add two local records for mail. and mail2. into my network's DNS. Ergo, no internal PC (including the server with hMail on it) was able to telnet in.

Have now added said records, and, surprise surprise, my internal machines, including the hMail machine, can now telnet into the mailserver on port 25.

Thanks, horndog. Sometimes you get so focused on a problem that you need somebody with the advantage of an objective viewpoint to simply say "Did you do this?"


Regarding Problem 2, hMail threw some more errors, even with spamhaus turned off, but I'm increasingly convinced that these errors are indicative of spam just failing to get through. Eror logs are:

Code: Select all

"ERROR"	2132	"2010-01-14 05:24:20.258"	"Severity: 3 (Medium), Code: HM4224, Source: PersistentMessage::_SaveRecipients, Description: Tried to save recipient without an address."
"ERROR"	1944	"2010-01-14 05:24:20.336"	"Severity: 3 (Medium), Code: HM5007, Source: SMTPDeliverer::DeliverMessage(), Description: Message 343234 could not be delivered. No remaining recipients. File: E:\hMailServer\Data\{B4B53CF9-7CF9-48A7-98B4-60FFE7E56388}.eml"

Essentially, there was an error at 05:24 this morning, when nobody in the company was sending or receiving genuine mail.
The awstats log has one entry for that timestamp, as follows:

Code: Select all

2010-01-14 05:24:03	47095bf7.2010508@<mydomain>	47095bf7.2010508@<mydomain>	61.90.156.21	127.0.0.1	SMTP	?	550	0

The public IP listed here resolves to Thailand, and, surprise surprise, it appears in all three blacklist IP checks I made on it.

I'm now content that Problem 2 is solved. I think these errors are spam trying to either spam us directly or use our mailserver as a relay. Now that hMail is on the case, they are failing in both instances, but a symptom ar ethese errors being thrown up.

A huge thank you to everyone who helped. These forums, and the people here, continue to be just another reason why hMail is such a stunning project.

[Tezcatlipoca]

In addition it might be wise to recheck if you have an open relay after changing you settings.

All checked, no open relays, thanks.