mailserver problem sending email onbehave of outside clients

Server: Debian Linux 3.1
Mail Delivery: Postfix / Sendmail

We are running a mailserver in which clients from outside IP's are sending
mail using our mailserver.

Problem:
When sending mail on behalf of clients to certain outside mailservers
such as "aol.com", "hotmail.com", "yahoo.com"
there are delays or defered actions, Status=Defered, Status=Delay, Mail
Message 421 , and or mail server "refused to talk to me"?

what could the problem, what would be a good solution?

daveshow wrote:
> Server: Debian Linux 3.1
> Mail Delivery: Postfix / Sendmail
>
> We are running a mailserver in which clients from outside IP's are sending
> mail using our mailserver.
>
> Problem:
> When sending mail on behalf of clients to certain outside mailservers
> such as "aol.com", "hotmail.com", "yahoo.com"
> there are delays or defered actions, Status=Defered, Status=Delay, Mail
> Message 421 , and or mail server "refused to talk to me"?
>
> what could the problem, what would be a good solution?
>
You're probably blacklisted as an open relay and serve you right
if you're forwarding mail from all and sundry.

- limit where you accept mail from to your own users (relay_domain)
- always send mail via your ISP's mail server (relay_host)
- when you've fixed your configuration and are no longer relaying spam
try to get yourself off the blacklists (good luck)


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |

To clarify we are sending greeting E-cards on behave of clients/users via
html form

> - limit where you accept mail from to your own users (relay_domain)
"relay_domain" varible is not set, should this be set to our main
domain?
relay_domain=

Our settings for Postfix "main.cf" relaying are local
mynetworks = 192.168.1.101, 127.0.0.1
disable_dns_lookup = yes

relay_host=
the "relay_host" variable is not set. Should this be set to our
domain/ip?

> - always send mail via your ISP's mail server (relay_host)
please explain more detail how to set the "relay_host" varible.
We are a server/mailserver




"Martin Gregorie" <martin@see.sig.for.address> wrote in message
news:ru15k4-cej.ln1@zoogz.gregorie.org...
> daveshow wrote:
> > Server: Debian Linux 3.1
> > Mail Delivery: Postfix / Sendmail
> >
> > We are running a mailserver in which clients from outside IP's are
sending
> > mail using our mailserver.
> >
> > Problem:
> > When sending mail on behalf of clients to certain outside
mailservers
> > such as "aol.com", "hotmail.com", "yahoo.com"
> > there are delays or defered actions, Status=Defered, Status=Delay,
Mail
> > Message 421 , and or mail server "refused to talk to me"?
> >
> > what could the problem, what would be a good solution?
> >
> You're probably blacklisted as an open relay and serve you right
> if you're forwarding mail from all and sundry.
>
> - limit where you accept mail from to your own users (relay_domain)
> - always send mail via your ISP's mail server (relay_host)
> - when you've fixed your configuration and are no longer relaying spam
> try to get yourself off the blacklists (good luck)
>
>
> --
> martin@ | Martin Gregorie
> gregorie. | Essex, UK
> org |

daveshow wrote:
> To clarify we are sending greeting E-cards on behave of clients/users via
> html form
>
>> - limit where you accept mail from to your own users (relay_domain)
> "relay_domain" varible is not set, should this be set to our main
> domain?
> relay_domain=
>
Mine is set to:

relay_domains = $mydomain

which will prevent Postfix sending mail directory to anybody outside my LAN.
In order to send mail across the internet I also set:

relay_host = my.ISP's.smtp_server

> Our settings for Postfix "main.cf" relaying are local
> mynetworks = 192.168.1.101, 127.0.0.1

That looks OK, but if its always been set that way, how come you're
saying that you've been relaying mail that doesn't originate locally?

> disable_dns_lookup = yes
>
This won't restrict where mail can be sent to but may interfere with
legit. outgoing mail.

> relay_host=
> the "relay_host" variable is not set. Should this be set to our
> domain/ip?
>
See above for the setting and the reason for doing it.

>> - always send mail via your ISP's mail server (relay_host)
> please explain more detail how to set the "relay_host" varible.
> We are a server/mailserver
>
In that case why are you restricting your mail sources to a private
Class C network?

How is your mail server connected to the wider internet?


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |

Martin,

First I would like to thank you very dearly for helping and getting back so
fast.

also
> mynetworks = 192.168.1.101, 127.0.0.1
>That looks OK, but if its always been set that way, how come you're
>saying that you've been relaying mail that doesn't originate locally?
the reason was initally "mynetworks" was set to our IP address which was
wrong, this was changed
about 3-4 weeks ago to the values you see here.

> In that case why are you restricting your mail sources to a private
> Class C network?
I do not know what you mean by Class C? I am still new to the mailsystem
with very limited experience. can you please
clearify the term "Class C"?

> relay_host = my.ISP's.smtp_server
I guess in sense our server is an ISP, but then we have an ISP above us
which is RCN.com Would this mean we would have to contact RCN for
the name of their smtp?


Reguard

Dave

"Martin Gregorie" <martin@see.sig.for.address> wrote in message
news:3qg5k4-h3l.ln1@zoogz.gregorie.org...
> daveshow wrote:
> > To clarify we are sending greeting E-cards on behave of clients/users
via
> > html form
> >
> >> - limit where you accept mail from to your own users (relay_domain)
> > "relay_domain" varible is not set, should this be set to our main
> > domain?
> > relay_domain=
> >
> Mine is set to:
>
> relay_domains = $mydomain
>
> which will prevent Postfix sending mail directory to anybody outside my
LAN.
> In order to send mail across the internet I also set:
>
> relay_host = my.ISP's.smtp_server
>
> > Our settings for Postfix "main.cf" relaying are local
> > mynetworks = 192.168.1.101, 127.0.0.1
>
> That looks OK, but if its always been set that way, how come you're
> saying that you've been relaying mail that doesn't originate locally?
>
> > disable_dns_lookup = yes
> >
> This won't restrict where mail can be sent to but may interfere with
> legit. outgoing mail.
>
> > relay_host=
> > the "relay_host" variable is not set. Should this be set to our
> > domain/ip?
> >
> See above for the setting and the reason for doing it.
>
> >> - always send mail via your ISP's mail server (relay_host)
> > please explain more detail how to set the "relay_host" varible.
> > We are a server/mailserver
> >
> In that case why are you restricting your mail sources to a private
> Class C network?
>
> How is your mail server connected to the wider internet?
>
>
> --
> martin@ | Martin Gregorie
> gregorie. | Essex, UK
> org |

daveshow wrote:
>> That looks OK, but if its always been set that way, how come you're
>> saying that you've been relaying mail that doesn't originate locally?
> the reason was initally "mynetworks" was set to our IP address which was
> wrong, this was changed
> about 3-4 weeks ago to the values you see here.
>
Understood.

>> In that case why are you restricting your mail sources to a private
>> Class C network?
> I do not know what you mean by Class C? I am still new to the mailsystem
> with very limited experience. can you please
> clearify the term "Class C"?
>
Its standard TCP/IP networking terminology. A class C network is by
definition a private network made up from up to 255 subnets, each
containing up to 255 terminal addresses, i.e. a maximum of 65025
addresses. A class C address always takes the form 192.168.x.y where 'x'
is the subnet address and 'y' is a host address within the subnet.

Class C addresses are meaningless outside the private network: you need
a router do connect it to the wider internet and translate internal
addresses into full unrestricted IP addresses. Most small networks
connect via a NAT router that has a single external IP address (assigned
by the ISP from its user IP block) and knows how to handle connections
between the Internet and your internal systems.

>> relay_host = my.ISP's.smtp_server
> I guess in sense our server is an ISP, but then we have an ISP above us
> which is RCN.com Would this mean we would have to contact RCN for
> the name of their smtp?
>
Its normal to route all your outgoing mail through your ISP's mail
server unless your mail traffic levels are high enough to require other
arrangements. There are reasons for this:

- all too many Windows PC owners are clueless and run unprotected
PCs that get infected and turned into spam spewing members of 'bot
nets.

- because of this a lot of ISPs and anti-spam blacklists block mail
coming directly from an ISP's user IP address range. If your ISP
has harbored spammers in the past it will probably be blocked this way
and (by association) you will be blocked too. The way to avoid being
blocked this way is to route your mail through your ISP's SMTP server,
which will scan outbound mail for infections and spam so it does not
get blocked in turn.

Your ISP will tell you the name of its SMTP server. You set that as the
'relay_host' argument and job done.

Incoming spam and nastiness.

Unless you know that your ISP is running anti-spam and AV filters you'd
do well to configure Postfix to provide your own. Spamassassin and
ClamAV are both well regarded and work well with Postfix. I use
Spamassassin. It 'just works'. I have no need to bother with AV, but
then I don't use Windoze boxes to handle mail. If/when I have that
requirement I'll probably install ClamAV.


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |

Martin

Thank you for the Class C explanation

Thank you for all your good advise I will try all recommended possiblities
Then I'll get back to you and let you know how things went

Cheers!

dave

"Martin Gregorie" <martin@see.sig.for.address> wrote in message
news:6lr5k4-f9m.ln1@zoogz.gregorie.org...
> daveshow wrote:
> >> That looks OK, but if its always been set that way, how come you're
> >> saying that you've been relaying mail that doesn't originate locally?
> > the reason was initally "mynetworks" was set to our IP address which
was
> > wrong, this was changed
> > about 3-4 weeks ago to the values you see here.
> >
> Understood.
>
> >> In that case why are you restricting your mail sources to a private
> >> Class C network?
> > I do not know what you mean by Class C? I am still new to the
mailsystem
> > with very limited experience. can you please
> > clearify the term "Class C"?
> >
> Its standard TCP/IP networking terminology. A class C network is by
> definition a private network made up from up to 255 subnets, each
> containing up to 255 terminal addresses, i.e. a maximum of 65025
> addresses. A class C address always takes the form 192.168.x.y where 'x'
> is the subnet address and 'y' is a host address within the subnet.
>
> Class C addresses are meaningless outside the private network: you need
> a router do connect it to the wider internet and translate internal
> addresses into full unrestricted IP addresses. Most small networks
> connect via a NAT router that has a single external IP address (assigned
> by the ISP from its user IP block) and knows how to handle connections
> between the Internet and your internal systems.
>
> >> relay_host = my.ISP's.smtp_server
> > I guess in sense our server is an ISP, but then we have an ISP above
us
> > which is RCN.com Would this mean we would have to contact RCN
for
> > the name of their smtp?
> >
> Its normal to route all your outgoing mail through your ISP's mail
> server unless your mail traffic levels are high enough to require other
> arrangements. There are reasons for this:
>
> - all too many Windows PC owners are clueless and run unprotected
> PCs that get infected and turned into spam spewing members of 'bot
> nets.
>
> - because of this a lot of ISPs and anti-spam blacklists block mail
> coming directly from an ISP's user IP address range. If your ISP
> has harbored spammers in the past it will probably be blocked this way
> and (by association) you will be blocked too. The way to avoid being
> blocked this way is to route your mail through your ISP's SMTP server,
> which will scan outbound mail for infections and spam so it does not
> get blocked in turn.
>
> Your ISP will tell you the name of its SMTP server. You set that as the
> 'relay_host' argument and job done.
>
> Incoming spam and nastiness.
>
> Unless you know that your ISP is running anti-spam and AV filters you'd
> do well to configure Postfix to provide your own. Spamassassin and
> ClamAV are both well regarded and work well with Postfix. I use
> Spamassassin. It 'just works'. I have no need to bother with AV, but
> then I don't use Windoze boxes to handle mail. If/when I have that
> requirement I'll probably install ClamAV.
>
>
> --
> martin@ | Martin Gregorie
> gregorie. | Essex, UK
> org |

Martin

I have tried the "relayhost=" smtp.myhost.com and it works, we can sendmail
to places that would never accept the mail before.
Thank you!

Only one problem, with this configuration we cannot send email to our
server.
Ex : If I am sending a message from Hotmail.com -> myServer.com
the message will not go though. myServer.com
"REJECTED", "RELAY ACCESS DENIED"

what could be the problem?
could it be I need to setup the "virtual" file for postfix or
transport.cf?



"daveshow" <daveshow@hotmail.com> wrote in message
news:a9KdndhTne355u3bnZ2dnUVZ_jKdnZ2d@rcn.net...
> Martin
>
> Thank you for the Class C explanation
>
> Thank you for all your good advise I will try all recommended possiblities
> Then I'll get back to you and let you know how things went
>
> Cheers!
>
> dave
>
> "Martin Gregorie" <martin@see.sig.for.address> wrote in message
> news:6lr5k4-f9m.ln1@zoogz.gregorie.org...
> > daveshow wrote:
> > >> That looks OK, but if its always been set that way, how come you're
> > >> saying that you've been relaying mail that doesn't originate locally?
> > > the reason was initally "mynetworks" was set to our IP address
which
> was
> > > wrong, this was changed
> > > about 3-4 weeks ago to the values you see here.
> > >
> > Understood.
> >
> > >> In that case why are you restricting your mail sources to a private
> > >> Class C network?
> > > I do not know what you mean by Class C? I am still new to the
> mailsystem
> > > with very limited experience. can you please
> > > clearify the term "Class C"?
> > >
> > Its standard TCP/IP networking terminology. A class C network is by
> > definition a private network made up from up to 255 subnets, each
> > containing up to 255 terminal addresses, i.e. a maximum of 65025
> > addresses. A class C address always takes the form 192.168.x.y where 'x'
> > is the subnet address and 'y' is a host address within the subnet.
> >
> > Class C addresses are meaningless outside the private network: you need
> > a router do connect it to the wider internet and translate internal
> > addresses into full unrestricted IP addresses. Most small networks
> > connect via a NAT router that has a single external IP address (assigned
> > by the ISP from its user IP block) and knows how to handle connections
> > between the Internet and your internal systems.
> >
> > >> relay_host = my.ISP's.smtp_server
> > > I guess in sense our server is an ISP, but then we have an ISP
above
> us
> > > which is RCN.com Would this mean we would have to contact RCN
> for
> > > the name of their smtp?
> > >
> > Its normal to route all your outgoing mail through your ISP's mail
> > server unless your mail traffic levels are high enough to require other
> > arrangements. There are reasons for this:
> >
> > - all too many Windows PC owners are clueless and run unprotected
> > PCs that get infected and turned into spam spewing members of 'bot
> > nets.
> >
> > - because of this a lot of ISPs and anti-spam blacklists block mail
> > coming directly from an ISP's user IP address range. If your ISP
> > has harbored spammers in the past it will probably be blocked this
way
> > and (by association) you will be blocked too. The way to avoid being
> > blocked this way is to route your mail through your ISP's SMTP
server,
> > which will scan outbound mail for infections and spam so it does not
> > get blocked in turn.
> >
> > Your ISP will tell you the name of its SMTP server. You set that as the
> > 'relay_host' argument and job done.
> >
> > Incoming spam and nastiness.
> >
> > Unless you know that your ISP is running anti-spam and AV filters you'd
> > do well to configure Postfix to provide your own. Spamassassin and
> > ClamAV are both well regarded and work well with Postfix. I use
> > Spamassassin. It 'just works'. I have no need to bother with AV, but
> > then I don't use Windoze boxes to handle mail. If/when I have that
> > requirement I'll probably install ClamAV.
> >
> >
> > --
> > martin@ | Martin Gregorie
> > gregorie. | Essex, UK
> > org |
>
>

daveshow wrote:
> Martin
>
> I have tried the "relayhost=" smtp.myhost.com and it works, we can sendmail
> to places that would never accept the mail before.
> Thank you!
>
Good.

> Only one problem, with this configuration we cannot send email to our
> server.
> Ex : If I am sending a message from Hotmail.com -> myServer.com
> the message will not go though. myServer.com
> "REJECTED", "RELAY ACCESS DENIED"
>
> what could be the problem?
> could it be I need to setup the "virtual" file for postfix or
> transport.cf?
>
How is your firewall configured? If you're expecting to receive mail
from external mail servers, including your ISP's mail server, your copy
of Postfix must be accessible from the rest of the Internet on port 25.
There are two ways to do this:

- configure your firewall to forward port 25 to your postfix host.
If your ISP forbids you to run servers with world access its
possible that they have blocked port 25, in which case this will
not work.

- use fetchmail. This is usually run as a daemon. Configure it to use
POP3 or IMAP to poll your ISP's mail server for incoming mail and to
pass it on to Postfix. It passes the mail on using SMTP on port 25.
The ISP's server can't tell the difference between, a mail reader
polling for mail and fetchmail doing the same thing.

You can also run fetchmail as an hourly cron job. If you need to stop
fetchmail while you do backups this is the best solution. Normally you
should be able to stop the fetchmail daemon with "service fetchmail
stop" but this doesn't work with the current version.

I'm not willing to punch holes in my firewall so I use fetchmail to
collect incoming mail from my ISP. Fetchmail passes it to Spamassassin
which in turn delivers the result to Postfix. It is a trouble-free
setup. I don't need to stop anything for my backups, so the inability to
stop fetchmail cleanly is only a minor annoyance


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |