[milters] Archive


Article: 1192
From: Rose, Bobby
Date: 2006-10-17 15:56:59 -0400
Subject: Re: Milter-sender and access file question

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

I'm still trying to troubleshoot this and I'm confused.

If, during a milter-sender callback, there is an SMTP reset on the
connection, should milter-sender treat it as a temp failure and force
the sending relay to retry, or should it refuse, stating that the
sender's MX is unresponsive?

I have two examples:  gm.com has 2 MX records and each is set to the
same 8 A records for a round robin setup.  If one of those A records is
unresponsive and happens to be the one that milter-sender uses during
the callback, it fails and goes to the second MX, which happens to end
up resolving to the same A record/IP.  After that milter-sender treats
it as an MX that doesn't respond and 550's the inbound transaction.  Now
one question we're trying to figure out is whether milter-sender/sendmail
should be trying all the IPs assigned to the A record.  When we do some
internal tests, we've found that on sending a message through sendmail
to an MX that points to an A record with multiple IPs, it does seem to
cycle through the list until it gets a response, which I didn't think
it would do.

In another example, mc.duke.edu domain has 5 equal preference MX
records.  I've telnet'd to port 25 on them and sometimes it connects and
sometimes it doesn't.  When it doesn't, I get "Unable to connect to
remote host: Connection refused" and in snooping the traffic, I see an
smtp rset sent back.  I'm not sure what is occurring on their system
that generates the smtp reset so I'm wondering if it's a load issue but
I thought mail systems tended to 450 under heavy load.  Here's a log
excerpt for the duke.edu session.

Oct 13 09:13:59 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: check MX list, length=5
Oct 13 09:13:59 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: trying MX 5 'mx1.oit.duke.edu.' [152.3.233.47] for <frush943@mc.duke.edu>
Oct 13 09:14:00 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: opening SMTP connection to 152.3.233.47
Oct 13 09:16:00 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: 152.3.233.47 connection failed code=421 rc=2
Oct 13 09:16:00 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: trying MX 5 'mx2.oit.duke.edu.' [152.3.233.48] for <frush943@mc.duke.edu>
Oct 13 09:16:00 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: opening SMTP connection to 152.3.233.48
Oct 13 09:16:00 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: 152.3.233.48 connection failed code=421 rc=2
Oct 13 09:16:00 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: trying MX 5 'mx3.oit.duke.edu.' [152.3.233.49] for <frush943@mc.duke.edu>
Oct 13 09:16:00 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: opening SMTP connection to 152.3.233.49
Oct 13 09:16:00 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: 152.3.233.49 connection failed code=421 rc=2
Oct 13 09:16:00 eeyore milter-sender[26771]: 04246 k9DDDsmp017558: closing SMTP connection
Oct 13 09:16:00 eeyore sm-inbound[17558]: k9DDDsmp017558: Milter: to=<user@med.wayne.edu>, reject=550 5.7.1 recipient denied, because MX 5 'mx3.oit.duke.edu.' [152.3.233.49] for <user@mc.duke.edu> not answering


Any thoughts?
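[Editor's added example, not part of the post above and not milter-sender's
own code.] The two situations Bobby describes, several MX names that all
resolve to the same round-robin A records and a set of equal-preference MX
hosts, can be reproduced offline with constructed DNS data. The code expands
MX to A records, skips an address that has already been tried under an
earlier MX name (so the "second MX" that is really the same IP is not
counted as a second unresponsive host), and then applies one possible policy
for the case where every distinct address fails at the connection level:
defer with a 4xx so the relay retries, rather than the 550 seen in the log.
Domain names, addresses and the connect outcomes are all hypothetical, and
the tempfail policy is the alternative the post is asking about, not a
statement of what milter-sender does.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed, hypothetical DNS data (not real records) standing in for the
# two setups in the post: a domain whose two MX names point at the same
# round-robin A records, and a domain with several equal-preference MX hosts.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "roundrobin.example": [(10, "mx1.roundrobin.example"),
                           (20, "mx2.roundrobin.example")],
    "equalpref.example": [(5, "mxa.equalpref.example"),
                          (5, "mxb.equalpref.example"),
                          (5, "mxc.equalpref.example")],
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.roundrobin.example": ["192.0.2.10", "192.0.2.11"],
    "mx2.roundrobin.example": ["192.0.2.10", "192.0.2.11"],
    "mxa.equalpref.example": ["198.51.100.1"],
    "mxb.equalpref.example": ["198.51.100.2"],
    "mxc.equalpref.example": ["198.51.100.3"],
}

# Outcomes of a TCP connect plus banner read. Everything except "banner"
# means the remote never greeted us, so it says nothing about whether the
# sender mailbox exists.
OUTCOMES = {"banner", "refused", "reset", "timeout", "421"}


def naive_targets(domain: str) -> List[Tuple[int, str, str]]:
    """One attempt per (MX host, A record), the way a per-MX loop would do it."""
    out = []
    for pref, host in sorted(MX_RECORDS.get(domain, []), key=lambda t: t[0]):
        for ip in A_RECORDS.get(host, []):
            out.append((pref, host, ip))
    return out


def deduped_targets(domain: str) -> List[Tuple[int, str, str]]:
    """Same expansion, but an IP already tried under an earlier MX name is skipped."""
    seen = set()
    out = []
    for pref, host, ip in naive_targets(domain):
        ipaddress.ip_address(ip)  # raises on a malformed record
        if ip in seen:
            continue
        seen.add(ip)
        out.append((pref, host, ip))
    return out


def run_callback(domain: str, connect_result: Dict[str, str]) -> Dict[str, object]:
    """Walk the distinct addresses until one answers with a banner.

    connect_result maps ip -> one of OUTCOMES (constructed results; a real
    check would open TCP/25 and read the greeting). An address with no
    entry is treated as a timeout.
    """
    attempts = []
    for _pref, host, ip in deduped_targets(domain):
        result = connect_result.get(ip, "timeout")
        if result not in OUTCOMES:
            raise ValueError(f"unknown outcome {result!r} for {ip}")
        attempts.append((host, ip, result))
        if result == "banner":
            return {"verdict": "verify", "host": host, "ip": ip,
                    "attempts": attempts}
    # Every distinct address failed at the connection level. This example
    # defers (451) so the sending relay retries later; replying 550 here is
    # the behaviour the post observed and is questioning.
    return {"verdict": "tempfail", "code": "451 4.4.1", "attempts": attempts}


if __name__ == "__main__":
    print(run_callback("roundrobin.example",
                       {"192.0.2.10": "refused", "192.0.2.11": "reset"}))
```

With the round-robin domain, the naive loop would make four connection
attempts and report the second MX as "not answering" even though it is the
same two addresses; the deduplicated walk makes two. Whether a connection
refused or reset should end in 451 or 550 is exactly the policy question in
the post, and the code only fixes one side of it so the difference is
visible.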




-----Original Message-----
From: milters-bounce@milter.info [mailto:milters-bounce@milter.info] On
Behalf Of Rose, Bobby
Sent: Monday, October 02, 2006 11:09 AM
To: milters@milter.info
Subject: [milters] Re: Milter-sender and access file question


Sorry for the questions but I'm trying to troubleshoot something and
have gotten more info from the domain I'm having problems with.

If sendmail refuses connections due to load, how would milter-sender
react in that event if there is only one MX for the domain it's checking,
or if that domain has a DNS round-robin setup and the IP of the second MX
resolves to the same IP address?  I'm not sure if the remote domain is
actually using refuseLA or if they have some other process that just
stops their sendmail.  In the logs, milter-sender logs the "opening SMTP
connection to x.x.x.x" message and then a "x.x.x.x connection failed
code=421 rc=2", but then since it occurs with the second MX (which in
this case happens to be the same IP due to unfortunate luck and their
round-robin setup) the check fails and the sender's message is rejected.

If they are purposely taking MXs offline and leaving the records in DNS
then one could cry RFC violation but if it's due to load problems then
one can't but I haven't seen sendmail rejections due to load in years so
I can't remember if sendmail just refuses to listen to any inbound
requests or if it allows a connection and merely issues a try again
later response code.

 

-----Original Message-----
From: milters-bounce@milter.info [mailto:milters-bounce@milter.info] On
Behalf Of Anthony Howe
Sent: Sunday, October 01, 2006 5:03 AM
To: milters@milter.info
Subject: [milters] Re: Milter-sender and access file question


Rose, Bobby wrote:
> Is it possible to skip sender verification on a specific mail from to 
> a specific rcpt to?  I'm not sure if the NEXT action would do this or 
> not based on the examples on the man page.

No. There currently does NOT exist any means to black/white list combos
like sender/recipient, sender/client, sender/recipient/client, etc.

The NEXT action is the opposite of SKIP and intended for pattern lists
where none of the patterns match and so you want to resume the access
lookup following the pattern list entry.

For example:

milter-sender-connect:10.0		OK
milter-sender-connect:10.0.1		[10.0.1.32/29]REJECT NEXT

I can white list all of 10.0.0.0/16, except a small subnet on
10.0.1.32/29. First, sendmail has no CIDR support, but using a pattern
list I can specify a LHS that acts as a selector for the general range
and then a RHS pattern list with a CIDR for a more precise check. So if
a host 10.0.1.167 connects, it should be white listed: the 10.0.1 entry
would match, but the CIDR pattern would not. The NEXT action resumes the
access lookup so that I'll find the 10.0 white list entry.

The above could have been written also like:

milter-sender-connect:10.0		[10.0.1.32/29]REJECT OK

-- 
Anthony C Howe          Skype: SirWumpus                    SnertSoft
+33 6 11 89 73 78         AIM: SirWumpus    Sendmail Milter Solutions
http://www.snert.com/     ICQ: 7116561
     http://www.snertsoft.com/
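[Editor's added example, not part of Anthony's reply and not milter-sender's
own code.] The lookup he describes can be checked by hand with a small
reimplementation of its semantics: keys are tried from most to least
specific (10.0.1.167, then 10.0.1, 10.0, 10), a right-hand side is either a
bare action or a pattern list of [cidr]ACTION entries followed by a default
action, and NEXT resumes the lookup at the next shorter key instead of
ending it. The access text is the two lines from the reply and their
one-line equivalent. Assumptions: only IPv4 keys are handled, an entry whose
pattern list matches nothing and carries no default is treated the same as
NEXT, and no other RHS syntax is supported.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Access-file text as written in the reply above (tabs replaced by spaces),
# in the two-line form and the one-line form.
TWO_LINE = """\
milter-sender-connect:10.0      OK
milter-sender-connect:10.0.1    [10.0.1.32/29]REJECT NEXT
"""
ONE_LINE = """\
milter-sender-connect:10.0      [10.0.1.32/29]REJECT OK
"""

# One pattern-list entry: a CIDR in brackets immediately followed by its action.
_CIDR_ENTRY = re.compile(r"\[([^\]]+)\](\S+)")


def parse_access(text: str) -> Dict[str, str]:
    """Key -> right-hand side; blank and comment lines are ignored."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0]] = parts[1].strip()
    return table


def lookup_keys(ip: str) -> List[str]:
    """Most specific to least: 10.0.1.167, 10.0.1, 10.0, 10 (IPv4 only)."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def evaluate_rhs(rhs: str, ip: str) -> Optional[str]:
    """Walk a pattern list. A [cidr]ACTION entry applies only when ip falls
    inside the CIDR; the first bare word is the default action. None when
    nothing applied and there was no default."""
    addr = ipaddress.ip_address(ip)
    for token in rhs.split():
        m = _CIDR_ENTRY.fullmatch(token)
        if m is None:
            return token
        if addr in ipaddress.ip_network(m.group(1), strict=False):
            return m.group(2)
    return None


def access_lookup(table: Dict[str, str], tag: str, ip: str) -> Optional[str]:
    """Try tag:key for each key from most to least specific. NEXT (or an
    entry that decided nothing, by assumption) resumes with the next key;
    any other action ends the lookup. None means no entry applied."""
    for key in lookup_keys(ip):
        rhs = table.get(f"{tag}:{key}")
        if rhs is None:
            continue
        action = evaluate_rhs(rhs, ip)
        if action in (None, "NEXT"):
            continue
        return action
    return None


if __name__ == "__main__":
    table = parse_access(TWO_LINE)
    for client in ("10.0.1.167", "10.0.1.35", "10.0.7.9", "192.0.2.1"):
        print(client, access_lookup(table, "milter-sender-connect", client))
```

Both forms give the same answers: 10.0.1.167 and 10.0.7.9 are white listed,
10.0.1.35 (inside 10.0.1.32/29) is rejected, and a client outside 10.0.0.0/16
matches nothing. The one-line form works because the 10.0 key is the only
one consulted and its default action supplies what NEXT had to go back and
find in the two-line form.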





