Jul 28

Sendmail rejected — Default CentOS Installation

———————————————————————
– OVERVIEW / THOUGHT PROCESS –
———————————————————————

After completing a brand new minimal install of CentOS 6.4, I configured the installation to be a web server using apache, mysql and sshd for remote access.  After configuring a website on the box, I attempted to send an email from the local webpage, but never received it.

As always, my first troubleshooting step was to check out the log files.  The main log file that I analyzed was /var/log/maillog, although there are others that will show you some useful information.  To read this log file, I used:

$ sudo tail -50 /var/log/maillog

After examining the results, I opened another terminal window and watched the file update in real time using:

$ sudo tail -f /var/log/maillog

Then, I sent an email to myself using the command line:

$ mail -s "test 281245" info@domain.com

The following shows the analysis and troubleshooting that I used to ensure that mail can be sent from my new web server to any receiving email address.

———————————————————————
– THE LOG FILE –
———————————————————————

CHANGES TO PROTECT THE INNOCENT:

info@domain.com = recipient
user = logged in user on the server
hostname = name of the server computer.  (old) / (new) are the same server
localdomain = unchanged
domain = entry from email address or redirect from DNS entries
x:x:x:x:x:x:xxxx:xxrx = receiver’s (mail server) ipv6 address
x:x:x:x:x:x:xxxx:xxtx = sender’s (web server) ipv6 address
xx.xx.xx.rx = receiver’s (mail server) ipv4 address
xx.xx.xx.tx = sender’s (web server) ipv4 address

MAIL COMMAND:

$ mail -s "test 281245" info@domain.com

RESULT /var/log/maillog ENTRY:

Jul 28 12:45:38 centos63 postfix/qmgr[935]: 3F674768CB: from=<user@hostname.localdomain>, size=474, nrcpt=1 (queue active)

Jul 28 12:45:38 centos63 postfix/smtp[1368]: connect to mail.domain.com[x:x:x:x:x:x:xxxx:xxrx]:25: Permission denied

Jul 28 12:45:38 hostname(old) postfix/smtp[1368]: 3F674768CB: to=<info@domain.com>, relay=mail.domain.com[xx.xx.xx.rx]:25, delay=0.17, delays=0.05/0/0.08/0.03, dsn=4.1.8, status=deferred (host mail.domain.com[xx.xx.xx.rx] said: 450 4.1.8 <user@hostname.localdomain>: Sender address rejected: Domain not found (in reply to RCPT TO command))

LEGEND TO READ LOG FILE:

Jul 28 11:28:38 = date
hostname(old) = server’s hostname.  This will change later in the article.
postfix/smtp[1368] = Mail Transfer Agent (MTA) with the Process Identifier (PID)
3F674768CB = the unique queue identifier
to=<info@domain.com> = receiver
relay=mail.domain.com[xx.xx.xx.rx]:25 = receiver’s server
delay=0.17, delays=0.05/0/0.08/0.03 = queue/manager/connection/transmission times
dsn=4.1.8 = Delivery Status Notification (2-success / 4-deferred / 5-failure)
status=deferred = redundant… it’s just explaining the DSN code
The second half of the log message explains the receiver’s response.
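
The legend above, turned into a small parser. This is an added example, not part of the original article; the stage names in STAGES and the rejected_sender key are labels chosen here. It reads log lines copied from this article and returns, for each delivery attempt, the DSN class, the four delay stages and the sender address the receiving server rejected.

```python
import re

# Log lines copied from the article's excerpts (addresses are the article's placeholders).
SAMPLE_LOG = """\
Jul 28 12:45:38 centos63 postfix/qmgr[935]: 3F674768CB: from=<user@hostname.localdomain>, size=474, nrcpt=1 (queue active)
Jul 28 12:45:38 centos63 postfix/smtp[1368]: connect to mail.domain.com[x:x:x:x:x:x:xxxx:xxrx]:25: Permission denied
Jul 28 12:45:38 hostname(old) postfix/smtp[1368]: 3F674768CB: to=<info@domain.com>, relay=mail.domain.com[xx.xx.xx.rx]:25, delay=0.17, delays=0.05/0/0.08/0.03, dsn=4.1.8, status=deferred (host mail.domain.com[xx.xx.xx.rx] said: 450 4.1.8 <user@hostname.localdomain>: Sender address rejected: Domain not found (in reply to RCPT TO command))
Jul 28 13:15:58 hostname(new) postfix/smtp[1731]: CEFEA76716: to=<info@domain.com>, relay=mail.domain.com[xx.xx.xx.rx]:25, delay=0.39, delays=0.05/0.01/0.26/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 256F042238)
"""

# Syslog prefix: date, host, daemon[pid], then the Postfix queue ID.
LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<daemon>postfix/\w+)\[(?P<pid>\d+)\]: (?P<queue_id>[0-9A-F]+): (?P<rest>.*)$"
)
DELIVERY_RE = re.compile(
    r"to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<reply>.*)\)$"
)
DSN_CLASS = {"2": "success", "4": "deferred", "5": "failure"}
# Labels for the four delays= values, in the order given in the legend.
STAGES = ("before_qmgr", "in_qmgr", "connection", "transmission")

def parse_deliveries(log_text):
    """Return one dict per delivery attempt; all other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        d = m and DELIVERY_RE.search(m["rest"])
        if not d:
            continue  # qmgr lines and "connect to ..." errors carry no dsn=
        rec = {k: m[k] for k in ("date", "host", "daemon", "pid", "queue_id")}
        rec.update(d.groupdict())
        rec["delays"] = dict(zip(STAGES, map(float, d["delays"].split("/"))))
        rec["dsn_class"] = DSN_CLASS.get(d["dsn"][0], "unknown")
        rejected = re.search(r"<([^>]+)>: Sender address rejected", d["reply"])
        rec["rejected_sender"] = rejected.group(1) if rejected else None
        out.append(rec)
    return out

if __name__ == "__main__":
    for r in parse_deliveries(SAMPLE_LOG):
        print(r["queue_id"], r["dsn"], r["dsn_class"], r["rejected_sender"])
```
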

 

———————————————————————
– TROUBLESHOOTING –
———————————————————————

At the bottom of the log file, we can see that the domain was not found.  In addition, we can see that the email was not delivered because it had a deferred status.  Initially, I asked myself if the email was even leaving the server box.  I quickly rejected the theory that it wasn’t leaving the box due to the log file saying that it was talking to ‘mail.domain.com.’  Therefore, I had to formulate a new theory.

Since ‘mail.domain.com’ was responding, it was obvious that the server was taking ‘info@domain.com’ and using the correct DNS entries to figure out which IP address to deliver it to.  The MX record for mail.domain.com directs the traffic to the A/AAAA record which points to the appropriate IP address of xx.xx.xx.rx.  The receiving server then tries to use the sender’s address (user@hostname.localdomain) to authenticate the message as a real email and not spam.  When the receiver came back and said domain not found, it was trying to find a DNS record for ‘hostname.localdomain’ and could not find one thereby interpreting this email as spam.

So there are two things that are needed in order to make the two servers trust each other.  The sender needs to be able to route to the receiver, which was successful, and the receiver needs to be able to route to the sender, which was not successful.

My initial reaction was to change the mail sender configuration files to send everything to a known SMTP server like Google.  Although that might work, it would delay a legitimate solution of having other servers trust this one.  So I moved on to the core of the problem, which was trust.

The way to establish trust between the servers is to be able to route to them via the DNS entries.  So let’s make that happen!  In the following two steps, I’ll change the server’s HOSTNAME to a Fully Qualified Domain Name (FQDN), and will then create a DNS entry to ensure that the routing works.

 

———————————————————————
– CHANGE THE SERVER HOSTNAME –
———————————————————————

In order to change your hostname to a FQDN on a CentOS server, make the following changes.  You can change the ‘hostname’ portion to whatever you’d like the local box to be called.  The ‘domain.com’ portion should be whatever your web page’s URL would be.  Secondly, change the hosts file below to your new FQDN.  It will most likely be whatever you called it when you did the installation.  To make the FQDN, you will be adding ‘domain.com’ followed by a space and the hostname again.  When these changes are complete, reboot the server to have the changes take effect.

/etc/sysconfig/network changed to read:
NETWORKING=yes
HOSTNAME=hostname.domain.com
NETWORKING_IPV6=yes

/etc/hosts changed to read:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
x:x:x:x:x:x:xxxx:xxtx hostname.domain.com hostname
xx.xx.xx.tx hostname.domain.com hostname
xx.xx.xx.tx hostname.domain.com hostname

NOTE: there are two network cards in this server.  One has a private address and the other has a public address.  For the purposes of this article, they will both be labeled as xx.xx.xx.tx.

———————————————————————
– TEST THE NEW HOSTNAME CONFIGURATION –
———————————————————————

Before I created a DNS entry to ensure routing, I wanted to try the mail command again just to see what would happen.  As expected, the mail didn’t route; however, you can see that the new hostname took effect.  You can also run the ‘hostname -f’ command to have your server tell you if the changes took effect.

$ mail -s "test 281300" info@domain.com

Jul 28 13:00:59 hostname(new) postfix/qmgr[1108]: E415976710: from=<user@hostname.domain.com>, size=462, nrcpt=1 (queue active)

Jul 28 13:00:00 hostname(new) postfix/smtp[1279]: connect to mail.domain.com[x:x:x:x:x:x:xxxx:xxrx]:25: Permission denied

Jul 28 13:00:00 hostname(new) postfix/smtp[1279]: E415976710: to=<info@domain.com>, relay=mail.domain.com[xx.xx.xx.rx]:25, delay=0.42, delays=0.09/0.01/0.22/0.1, dsn=4.1.8, status=deferred (host mail.domain.com[xx.xx.xx.rx] said: 450 4.1.8 <user@hostname.domain.com>: Sender address rejected: Domain not found (in reply to RCPT TO command))

 

———————————————————————
– CREATE A NEW DNS ENTRY –
———————————————————————

Now it was time to establish the trust using a DNS entry.  My new hostname is ‘hostname(new)’ so the DNS entry should tell the routing traffic how to get to domain.com.  Here’s the record that was created:

Type: CNAME Record
Entry: hostname.domain.com
Goes to: domain.com
TTL: 5 minutes

 

———————————————————————
– RESULTS –
———————————————————————

At this point, the server has a FQDN and there is a DNS entry that will prove that it exists to other servers.  As a side note, it can take some time for all of the servers on the web to replicate the DNS entry; therefore, your new entry may not take immediate effect.  Fortunately, this was not the case for me and the following mail command was successful:

$ mail -s "test 281315" info@domain.com

Jul 28 13:15:57 hostname(new) postfix/pickup[1275]: CEFEA76716: uid=500 from=<user>

Jul 28 13:15:57 hostname(new) postfix/cleanup[1729]: CEFEA76716: message-id=<20130728174857.CEFEA76716@hostname.domain.com>

Jul 28 13:15:57 hostname(new) postfix/qmgr[1276]: CEFEA76716: from=<user@hostname.domain.com>, size=462, nrcpt=1 (queue active)

Jul 28 13:15:58 hostname(new) postfix/smtp[1731]: connect to mail.domain.com[x:x:x:x:x:x:xxxx:xxrx]:25: Permission denied

Jul 28 13:15:58 hostname(new) postfix/smtp[1731]: CEFEA76716: to=<info@domain.com>, relay=mail.domain.com[xx.xx.xx.rx]:25, delay=0.39, delays=0.05/0.01/0.26/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 256F042238)

Jul 28 13:15:58 hostname(new) postfix/qmgr[1276]: CEFEA76716: removed

 

———————————————————————
– ADDITIONAL REMARKS –
———————————————————————

The original email that was unable to be sent is stuck in the queue 🙂  No biggie, it was just for testing and can be deleted later.

Jul 28 13:30:34 hostname(new) postfix/smtp[3040]: 85DDB768C8: to=<info@domain.com>, relay=mail.domain.com[xx.xx.xx.rx]:25, delay=27097, delays=27097/0.08/0.27/0.03, dsn=4.1.8, status=deferred (host mail.domain.com[xx.xx.xx.rx] said: 450 4.1.8 <user@hostname(old).localdomain>: Sender address rejected: Domain not found (in reply to RCPT TO command))

 

—————————————–

Always remember… WHAT IF AND WHY NOT?!?