Help Needed: My RHEL5 box suddenly stopped accepting e-mails

Mun mjelists at gmail.com
Sun May 8 18:07:09 UTC 2011


Hi Robert,


On Sun, May 8, 2011 at 4:09 AM, lists-redhat <
replies-lists-b3z1-redhat at listmail.innovate.net> wrote:

> I don't think that you explicitly responded to the status of
> iptables. I use the "old-fashioned" way to control services ..
>
>  /etc/rc.d/init.d/iptables status
>                        ... stop (if it's running)
>

My apologies for missing that.  Here is the output of the 'iptables status'
command:
Firewall is stopped.



>
> [this is done as root of course.] If you have iptables running
> you'll want to only have it off for testing periods.
>
> If iptables was on, try telnetting to port 25 from off-host again.
>
> If that (still) fails, do you have access to another machine on the
> same subnet? If so, try telnetting to port 25 on your machine from
> there. If you get the sendmail herald, then the issue is definitely
> off-host (and you just proved it). By being on the same subnet, with
> no serious network hardware between the machines, you're avoiding
> policy stuff that your networking types may have put in place in
> routers.
>

Okay, so to do a checkpoint here: since my firewall is off, *and* because
other Linux boxes on the same subnet as my box _can_ successfully telnet into
port 25 of my box, that implies the issue is not with my box, right?


>
> If things fail to this point (e.g., you don't have access to another
> machine on your subnet), there are still a few things to do.
>
> From another machine try telnetting to ports on your machine where
> you don't have a service running - e.g., 1025, 2025, 3080, etc.,
> until you get a "Connection refused" response. That will tell you
> that your machine is reachable on that port, but you don't have
> anything running there. If that's successful (i.e., they haven't
> totally firewalled you off), you can start up sendmail on this other
> port (this requires a one-line modification to your sendmail.cf so
> make certain you have a copy of your current sendmail.cf). **this is
> only to prove a point, and won't work for general mail delivery**.
>
>
> Following up on a few points in other threads:
>
> An entry in hosts.deny (or a deny entry in hosts.allow) will still
> get you a sendmail connection herald. You'll just get a rejection
> when you try to submit a message (with a "550 5.0.0 Access denied"
> error on it). Your issue is that the message delivery is timing out,
> so this isn't related to the host.deny/allow settings.
>

Thanks for the explanation.


>
> You don't need to prove that your machine will deliver mail (yet),
> as the issue is that connections to it are timing out. So, don't
> worry about trying to have a chat with sendmail in order to submit a
> message manually. Once you can reach sendmail/port 25 from a machine
> off your subnet, if it still has issues with accepting/delivering
> mail, then those issues can be addressed.
>

I see.  So does the fact that I get a "Connection timed out." when I try to
telnet into port 25 from a machine from a different subnet than my machine
imply the company has something mis-configured somewhere?


>
> If you have SELinux enabled (and there were some updates on it
> recently), that would affect sendmail's ability to start and run,
> but you've proved that it's running (you're getting the herald from
> on-host connections).
>
> The smarthost entry applies to how outbound mail is handled, not
> inbound, so of no effect here.
>

Oh, okay.

Thanks very much for all the help (everyone!).  I'd be lost without you
folks.

Kind regards,

-- 
Mun



>
>
>  - Richard
>
>
>
> ------------ Original Message ------------
> > Date: Saturday, May 07, 2011 09:51:53 PM -0700
> > From: Mun <mjelists at gmail.com>
> > To: redhat-list at redhat.com
> > Subject: Re: Help Needed: My RHEL5 box suddenly stopped accepting e-mails
> >
> > Hi Richard,
> >
> > On Sat, May 7, 2011 at 1:50 PM, lists-redhat <
> > replies-lists-b3z1-redhat at listmail.innovate.net> wrote:
> >
> >> if you're telnetting specifically to port 25, the smtp port (not
> >> generically to the machine, which will get you to port 23) and
> >> you're getting "connection lost" or "connection timed out", then
> >> you most likely have some type of a firewall issue.
> >>
> >
> > Yes, for the experiment I was telnetting specifically to port 25.
> > Your assessment of the issue does appear to have merit: Note that
> > when I sent an email from my gmail account to my workstation, gmail
> > eventually sent me a warning stating that "The recipient server did
> > not accept our requests to connect."  Which seems to reinforce your
> > theory.
> >
> >
> >> from the machine itself, try telnetting to its port 25 *by
> >> ipnumber* (not name). make certain that you see that it's not
> >> trying to connect to 127.0.0.1 (which will probably happen if you
> >> try by name). if you get a connect, then it's likely an off-host
> >> firewall/routing issue.
> >>
> >
> > I got a connection to sendmail.
> >
> >
> >>
> >> then, try telnetting to "127.0.0.1 25" -- you should get sendmail
> >> connect.
> >>
> >
> > I got a connection to sendmail.
> >
> >
> >> if the telnetting to port 25 by the machine's ipnumber gets a hang
> >> then you likely have an on-host firewall issue. iptables is the
> >> most likely machine-specific firewall. you can look in
> >> /etc/sysconfig to see if you have an iptables setup. if so, turn
> >> iptables off and try telnetting in to port 25 (by ipnumber and
> >> from off-host) and see what you get.
> >>
> >> if the issue appears to be an off-host firewall issue, then you
> >> need to step back and see what's going on from the outside.
> >>
> >
> > It would seem that I am here, right?
> >
> >
> >>
> >> [honestly, if you did nothing to your machine setup, i'd bet on
> >> some external/network change to be causing your issue.]
> >>
> >
> > I'm a little nervous that the updates that were installed did
> > something to cause this side effect--but by reading their
> > descriptions, that shouldn't have been the case.  Furthermore, since
> > I downgraded the respective patches I should be back to a working
> > system.
> >
> > Thus, I am in agreement that it _does_ seem to be something
> > external to my machine.
> > Although, my IT dept does not agree; so I may be out of luck.
> >
> >
> >>
> >> [by the way, you don't need to reboot the machine to restart
> >> sendmail, or other service starts/stops (rebooting to restart/fix
> >> things is the windows approach to life, and not generally
> >> necessary, or recommended, in the unix world.)]
> >>
> >
> > Agreed.  I did the reboots in response to downgrading packages.
> > Strictly speaking, the downgrades did not require reboots.  But
> > because the downgrade had no effect on my problem, I thought I'd
> > reboot--just in case.  Plus, I was desperate.
> >
> > Kind regards,
> >
> > --
> > Mun
> >
> >
> >
> >>
> >>  - Richard
> >>
> >>
> >> ------------ Original Message ------------
> >> > Date: Saturday, May 07, 2011 01:09:55 PM -0700
> >> > From: Mun <mjelists at gmail.com>
> >> > To: redhat-list at redhat.com
> >> > Subject: Re: Help Needed: My RHEL5 box suddenly stopped accepting e-mails
> >> >
> >> > Hi Richard,
> >> >
> >> >
> >> > On Sat, May 7, 2011 at 3:38 AM, lists-redhat <
> >> > replies-lists-b3z1-redhat at listmail.innovate.net> wrote:
> >> >
> >> >> in your .cf, what do you have as an active (not commented out)
> >> >> option under the:
> >> >>
> >> >>  # SMTP daemon options
> >> >>
> >> >> tag?
> >> >>
> >> >> is it:
> >> >>
> >> >>  O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
> >> >>
> >> >> or something more along the lines of one of the following:
> >> >>
> >> >>  O DaemonPortOptions=Name=IPv4, Family=inet
> >> >>
> >> >>  O DaemonPortOptions=Name=MTA
> >> >>
> >> >
> >> > I have the choice immediately above in my sendmail.cf:
> >> > DaemonPortOptions=Name=MTA
> >> >
> >> >
> >> >>
> >> >> The first, with the 127.0.0.1, is the default for RHEL and will
> >> >> only accept localhost mail. The other two are forms that will allow
> >> >> it to accept mail from off localhost.
> >> >>
> >> >> If that looks ok, try telnetting to port 25 on this machine
> >> >> from off-host - e.g., from the exchange server. Do you get a
> >> >> "connection refused" response or a "hang"? If "connection
> >> >> refused", then it's most likely the sendmail daemon doing the
> >> >> blocking. If you get a "hang", then it's likely a firewall of
> >> >> some nature, e.g., iptables.
> >> >>
> >> >
> >> > I get "connection lost" or "Connection timed out"; depending on
> >> > the computer I use to run telnet.  The "connection lost" is what
> >> > my Windows XP box returned; and the "Connection timed out" is
> >> > what another Linux box returned.
> >> >
> >> >
> >> >> Have you looked at your machine's logs (maillog, messages,
> >> >> secure being the most obvious) they may give some hints.
> >> >>
> >> >
> >> > Yes.  I have looked at those, as has the company's IT dept.  But
> >> > there were no messages that
> >> > would help with this issue.
> >> >
> >> >
> >> >>
> >> >> Have you restarted sendmail?
> >> >>
> >> >
> >> > Yes.  I've also rebooted a couple of times; nothing seems to
> >> > help.
> >> >
> >> > It's just so weird that with no obvious changes made (except for
> >> > the updates applied and then downgraded that I mentioned in my
> >> > initial message) that my box would just all of a sudden stop
> >> > accepting email.
> >> >
> >> > Thanks very much for the reply.  I greatly appreciate the ideas.
> >> >
> >> > Regards,
> >> >
> >> > --
> >> > Mun
> >> >
> >> >
> >> >
> >> >>
> >> >>       - Richard
> >> >>
> >> >>
> >> >>
> >> >> ------------ Original Message ------------
> >> >> > Date: Friday, May 06, 2011 04:48:34 PM -0700
> >> >> > From: Mun.Johl at emulex.com
> >> >> > Subject: RE: Help Needed: My RHEL5 box suddenly stopped accepting e-mails
> >> >> >
> >> >> > Hi Richard,
> >> >> >
> >> >> > Thanks for your reply.
> >> >> >
> >> >> > I had saved off /etc/mail when we first got email working
> >> >> > properly on my system (a couple of years ago) and I compared
> >> >> > the current sendmail.cf to the "known good" copy.  The only
> >> >> > difference I see is that IT has uncommented the following
> >> >> > line:
> >> >> >
> >> >> > O Timeout.ident=0
> >> >> >
> >> >> > With respect to sendmail.mc, the version currently used by
> >> >> > the system had the following lines commented out:
> >> >> >
> >> >> > MASQUERADE_AS(`mydomain.com')dnl
> >> >> > FEATURE(masquerade_envelope)dnl
> >> >> > MASQUERADE_DOMAIN(localhost)dnl
> >> >> > MASQUERADE_DOMAIN(localhost.localdomain)dnl
> >> >> >
> >> >> > I'm not too experienced with sendmail, but it doesn't appear
> >> >> > to me as if the changes above would result in the problem I
> >> >> > am having; does it?
> >> >> >
> >> >> > Regards,
> >> >>
> >> >> ------------ End Original Message ------------
> >> >>
> >> >>
> >>
> >> ------------ End Original Message ------------
> >>
> >>
>
> ------------ End Original Message ------------
>
>
>
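
The port 25 checks worked through in this thread (connect from the host itself by IP number, from the same subnet, and from another subnet), as an added example that is not part of the original messages. The names `probe` and `locate` and the result labels are assumptions made up for illustration.

```python
import socket


def probe(host, port=25, timeout=5.0):
    """Classify one TCP connect attempt the way the thread reads telnet output."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "timeout"      # no answer at all: packets dropped by a filter
    except ConnectionRefusedError:
        return "refused"      # host reachable, nothing listening on that port
    except OSError:
        return "error"        # no route, name lookup failure, and so on
    with conn:
        conn.settimeout(timeout)
        try:
            banner = conn.recv(512)
        except (socket.timeout, TimeoutError):
            return "connected"  # handshake worked but no greeting arrived
        except OSError:
            return "error"
    # An SMTP server greets with a 220 line (the "herald").
    return "herald" if banner.startswith(b"220") else "connected"


def locate(on_host, same_subnet, off_subnet):
    """Map probe() results from three vantage points to the next place to look.

    on_host is the probe against the machine's own IP number, not 127.0.0.1.
    The returned labels are hypothetical, chosen for this example.
    """
    if on_host == "refused":
        return "sendmail-listen-address"  # e.g. DaemonPortOptions Addr=127.0.0.1
    if "timeout" in (on_host, same_subnet):
        return "on-host-firewall"         # check iptables first
    if (on_host, same_subnet) != ("herald", "herald"):
        return "inconclusive"
    if off_subnet == "timeout":
        return "off-host-filtering"       # router or firewall between subnets
    return "reachable" if off_subnet == "herald" else "inconclusive"


if __name__ == "__main__":
    # Constructed results matching what the poster reports in this thread.
    print(locate(on_host="herald", same_subnet="herald", off_subnet="timeout"))
```

Run `probe` from each vantage point against the server's IP number and feed the three results to `locate`; the probe against an unused high port that the thread suggests uses the same function with a different `port`.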


