Sendmail 5.5.0 Error from external mail.

Discussion in 'Getting Started' started by Michael Spaulding, Jun 13, 2013.

  1. Michael Spaulding

    Michael Spaulding New Member

    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    I' ve been wracking my brain and cannot find anything related to what is happening to me.

    I set up a sendmail server on CentOS 6.4. I changed the loopback address to the correct IP address in the sendmail.mc and rebuilt the sendmail.cf. I've added all respective names in the local-host-names files including mydomain1.com, server.mydomain1.com, alias.mydomain1.com. I've opened port 25 in the IP tables and in the Sophos UTM.


    I can send mail from server.mydomain.com. I can send mail to local accounts from my exchange server exchange.mydomain2.com. But if I try to send mail to a local account from any outside server, like yahoo, gmail, or Time Warner, I get a 5.5.0 Unable to relay mail.

    The server is behind a Sophos UTM gateway which does IPS, Firewall, Anti-Malware, VPN, Mail Proxy, etc. However, all allowances that were made for our exchange server have been made for the sendmail server.
  2. dirk.digalow

    dirk.digalow New Member

    Messages:
    17
    Likes Received:
    9
    Trophy Points:
    3
    What does your sendmail.mc look like?
  3. Michael Spaulding

    Michael Spaulding New Member

    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    divert(-1)dnl
    dnl #
    dnl # This is the sendmail macro config file for m4. If you make changes to
    dnl # /etc/mail/sendmail.mc, you will need to regenerate the
    dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
    dnl # installed and then performing a
    dnl #
    dnl # /etc/mail/make
    dnl #
    include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
    VERSIONID(`setup for linux')dnl
    OSTYPE(`linux')dnl
    dnl #
    dnl # Do not advertize sendmail version.
    dnl #
    dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
    dnl #
    dnl # default logging level is 9, you might want to set it higher to
    dnl # debug the configuration
    dnl #
    dnl define(`confLOG_LEVEL', `9')dnl
    dnl #
    dnl # Uncomment and edit the following line if your outgoing mail needs to
    dnl # be sent out through an external mail server:
    dnl #
    dnl define(`SMART_HOST', `smtp.your.provider')dnl
    dnl #
    define(`confDEF_USER_ID', ``8:12'')dnl
    dnl define(`confAUTO_REBUILD')dnl
    define(`confTO_CONNECT', `1m')dnl
    define(`confTRY_NULL_MX_LIST', `True')dnl
    define(`confDONT_PROBE_INTERFACES', `True')dnl
    define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
    define(`ALIAS_FILE', `/etc/aliases')dnl
    define(`STATUS_FILE', `/var/log/mail/statistics')dnl
    define(`UUCP_MAILER_MAX', `2000000')dnl
    define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
    define(`confAUTH_OPTIONS', `A')dnl
    dnl #
    dnl # The following allows relaying if the user authenticates, and disallows
    dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
    dnl #
    dnl define(`confAUTH_OPTIONS', `A p')dnl
    dnl #
    dnl # PLAIN is the preferred plaintext authentication method and used by
    dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
    dnl # use LOGIN. Other mechanisms should be used if the connection is not
    dnl # guaranteed secure.
    dnl # Please remember that saslauthd needs to be running for AUTH.
    dnl #
    dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    dnl #
    dnl # Rudimentary information on creating certificates for sendmail TLS:
    dnl # cd /etc/pki/tls/certs; make sendmail.pem
    dnl # Complete usage:
    dnl # make -C /etc/pki/tls/certs usage
    dnl #
    dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
    dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
    dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
    dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
    dnl #
    dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
    dnl # slapd, which requires the file to be readble by group ldap
    dnl #
    dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
    dnl #
    dnl define(`confTO_QUEUEWARN', `4h')dnl
    dnl define(`confTO_QUEUERETURN', `5d')dnl
    dnl define(`confQUEUE_LA', `12')dnl
    dnl define(`confREFUSE_LA', `18')dnl
    define(`confTO_IDENT', `0')dnl
    dnl FEATURE(delay_checks)dnl
    FEATURE(`no_default_msa', `dnl')dnl
    FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
    FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
    FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
    FEATURE(redirect)dnl
    FEATURE(always_add_domain)dnl
    FEATURE(use_cw_file)dnl
    FEATURE(use_ct_file)dnl
    dnl #
    dnl # The following limits the number of processes sendmail can fork to accept
    dnl # incoming messages or process its message queues to 20.) sendmail refuses
    dnl # to accept connections once it has reached its quota of child processes.
    dnl #
    dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
    dnl #
    dnl # Limits the number of new connections per second. This caps the overhead
    dnl # incurred due to forking new sendmail processes. May be useful against
    dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
    dnl # limit would be useful but is not available as an option at this writing.)
    dnl #
    dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
    dnl #
    dnl # The -t option will retry delivery if e.g. the user runs over his quota.
    dnl #
    FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
    FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
    FEATURE(`blacklist_recipients')dnl
    EXPOSED_USER(`root')dnl
    dnl #
    dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
    dnl # the following 2 definitions and activate below in the MAILER section the
    dnl # cyrusv2 mailer.
    dnl #
    dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
    dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
    dnl #
    dnl # The following causes sendmail to only listen on the IPv4 loopback address
    dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
    dnl # address restriction to accept email from the internet or intranet.
    dnl #
    DAEMON_OPTIONS(`Family=inet, Port=smtp,Addr=192.168.0.47, Name=MTA')dnl
    dnl #
    dnl # The following causes sendmail to additionally listen to port 587 for
    dnl # mail from MUAs that authenticate. Roaming users who can't reach their
    dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
    dnl # this useful.
    dnl #
    dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
    dnl #
    dnl # The following causes sendmail to additionally listen to port 465, but
    dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
    dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
    dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
    dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
    dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
    dnl #
    dnl # For this to work your OpenSSL certificates must be configured.
    dnl #
    dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
    dnl #
    dnl # The following causes sendmail to additionally listen on the IPv6 loopback
    dnl # device. Remove the loopback address restriction listen to the network.
    dnl #
    dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
    dnl #
    dnl # enable both ipv6 and ipv4 in sendmail:
    dnl #
    dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
    dnl #
    dnl # We strongly recommend not accepting unresolvable domains if you want to
    dnl # protect yourself from spam. However, the laptop and users on computers
    dnl # that do not have 24x7 DNS do need this.
    dnl #
    FEATURE(`accept_unresolvable_domains')dnl
    dnl #
    dnl FEATURE(`relay_based_on_MX')dnl
    dnl #
    dnl # Also accept email sent to "localhost.localdomain" as local email.
    dnl #
    LOCAL_DOMAIN(`domain1.com')dnl
    dnl #
    dnl # The following example makes mail from this host and any additional
    dnl # specified domains appear to be sent from mydomain.com
    dnl #
    MASQUERADE_AS(`domain1.com')dnl
    dnl #
    dnl # masquerade not just the headers, but the envelope as well
    dnl #
    dnl FEATURE(masquerade_envelope)dnl
    dnl #
    dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
    dnl #
    dnl FEATURE(masquerade_entire_domain)dnl
    dnl #
    dnl MASQUERADE_DOMAIN(localhost)dnl
    dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
    dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
    dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
    MAILER(smtp)dnl
    MAILER(procmail)dnl
    dnl MAILER(cyrusv2)dnl
  4. Michael Spaulding

    Michael Spaulding New Member

    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Found the problem. It was in the NAT portion of the firewall.

    I had allowed an exception to bypass the proxy on the internal address but not the external address.

    Consequently, anything sent from an internal address resolved to the internal IP and bypassed the proxy, any external requests would hit the external IP and be proxied through the gateway. I'm not sure why the proxy was generating a relay error, but once I bypassed that, all seemed right with the world.

Share This Page