Connection Refused on Port 25


Connection Refused on Port 25

asai
Greetings,

For some reason, which I don't know how to figure out, our emails to this one specific email domain are being refused.  Can anyone point me in the right direction?  Here's an example of the log:

Jul  2 09:33:10 triata amavis[1162]: (01162-09) Passed CLEAN, [xx.xx.xx.xx] [xx.xx.xx.xx] [hidden email] -> [hidden email], Message-ID: [hidden email], mail_id: 2RkcE-mZfBX1, Hits: -1.896, size: 2351, queued_as: 0F609FD8066, 761 ms
Jul  2 16:33:10 triata postfix/smtp[1479]: 2FE2AFD8028: to=[hidden email], relay=127.0.0.1[127.0.0.1]:10024, delay=0.98, delays=0.22/0/0/0.76, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0F609FD8066)
Jul  2 09:33:40 triata postfix/smtp[1485]: connect to mail.theirdomain.com[xx.xx.xx.xx]: Connection timed out (port 25)
Jul  2 09:33:40 triata postfix/smtp[1485]: connect to mail2.theirdomain.com[xx.xx.xx.xx]: Connection refused (port 25)
Jul  2 09:33:40 triata postfix/smtp[1485]: 0F609FD8066: to=[hidden email], relay=none, delay=30, delays=0.05/0/30/0, dsn=4.4.1, status=deferred (connect to mail2.theirdomain.com[xx.xx.xx.xx]: Connection refused)

Postconf -n output:


alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 600s
maximal_queue_lifetime = 1d
message_size_limit = 0
milter_default_action = accept
milter_macro_daemon_name = ORIGINATING
milter_protocol = 2
minimal_backoff_time = 300s
mydestination = $myhostname, localhost.$mydomain, localhost,
mydomain = mydomain.net
myhostname = triata.mydomain.net
mynetworks = xx.xx.xx.xx.......
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:127.0.0.1:20209
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access,   reject_invalid_hostname,reject_non_fqdn_hostname, permit
smtpd_milters = inet:127.0.0.1:20209
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname,  reject_non_fqdn_hostname,         reject_non_fqdn_sender, reject_non_fqdn_recipient,  reject_unknown_sender_domain,       reject_unauth_destination, check_policy_service inet:127.0.0.1:2501, permit
smtpd_restriction_classes = webdev_only, unrestricted
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql_restricted_senders.cf,         permit_sasl_authenticated,       reject_non_fqdn_sender, reject_unknown_sender_domain,           permit_mynetworks,  permit
smtpd_tls_cert_file = /etc/ssl/mailserver/smtpd.pem
smtpd_tls_key_file = /etc/ssl/mailserver/smtpd.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_aliases, mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_transport = dovecot
virtual_uid_maps = static:1001


-- 
asai

Re: Connection Refused on Port 25

Stan Hoeppner
Asai put forth on 7/2/2010 3:41 PM:

> Greetings,
>
> For some reason, which I don't know how to figure out, our emails to
> this one specific email domain are being refused.  Can anyone point me
> in the right direction?  Here's an example of the log:
>
> Jul  2 09:33:10 triata amavis[1162]: (01162-09) Passed CLEAN,
> [xx.xx.xx.xx] [xx.xx.xx.xx] <[hidden email]> -> <[hidden email]>,
> Message-ID: <[hidden email]>, mail_id: 2RkcE-mZfBX1,
> Hits: -1.896, size: 2351, queued_as: 0F609FD8066, 761 ms
> Jul  2 16:33:10 triata postfix/smtp[1479]: 2FE2AFD8028:
> to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.98,
> delays=0.22/0/0/0.76, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
> 0F609FD8066)
> Jul  2 09:33:40 triata postfix/smtp[1485]: connect to
> mail.theirdomain.com[xx.xx.xx.xx]: Connection timed out (port 25)
> Jul  2 09:33:40 triata postfix/smtp[1485]: connect to
> mail2.theirdomain.com[xx.xx.xx.xx]: Connection refused (port 25)
> Jul  2 09:33:40 triata postfix/smtp[1485]: 0F609FD8066:
> to=<[hidden email]>, relay=none, delay=30, delays=0.05/0/30/0,
> dsn=4.4.1, status=deferred (connect to
> mail2.theirdomain.com[xx.xx.xx.xx]: Connection refused)

You probably won't get any help due to your obfuscation.  That pretty much
makes it impossible for me to assist, likely everyone else as well.  With what
you've given us, all we can do is guess.  And you can do that effectively
yourself.  Thus I'm left wondering why you even posted here for help...

--
Stan

Re: Connection Refused on Port 25

Eero Volotinen-2
In reply to this post by asai
2010/7/2 Asai <[hidden email]>:

> Greetings,
>
> For some reason, which I don't know how to figure out, our emails to this
> one specific email domain are being refused.  Can anyone point me in the
> right direction?  Here's an example of the log:
>
> Jul  2 09:33:10 triata amavis[1162]: (01162-09) Passed CLEAN, [xx.xx.xx.xx]
> [xx.xx.xx.xx] <[hidden email]> -> <[hidden email]>, Message-ID:
> <[hidden email]>, mail_id: 2RkcE-mZfBX1, Hits: -1.896, size:
> 2351, queued_as: 0F609FD8066, 761 ms
> Jul  2 16:33:10 triata postfix/smtp[1479]: 2FE2AFD8028:
> to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.98,
> delays=0.22/0/0/0.76, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
> 0F609FD8066)
> Jul  2 09:33:40 triata postfix/smtp[1485]: connect to
> mail.theirdomain.com[xx.xx.xx.xx]: Connection timed out (port 25)
> Jul  2 09:33:40 triata postfix/smtp[1485]: connect to
> mail2.theirdomain.com[xx.xx.xx.xx]: Connection refused (port 25)
> Jul  2 09:33:40 triata postfix/smtp[1485]: 0F609FD8066:
> to=<[hidden email]>, relay=none, delay=30, delays=0.05/0/30/0,
> dsn=4.4.1, status=deferred (connect to mail2.theirdomain.com[xx.xx.xx.xx]:
> Connection refused)

Your network is broken or servers at mail{1,2}.theirdomain.com are unavailable?
--
Eero

Re: Connection Refused on Port 25

asai
Eero Volotinen wrote:

> 2010/7/2 Asai [hidden email]:
>
>> Greetings,
>>
>> For some reason, which I don't know how to figure out, our emails to this
>> one specific email domain are being refused.  Can anyone point me in the
>> right direction?  Here's an example of the log:
>>
>> Jul  2 09:33:10 triata amavis[1162]: (01162-09) Passed CLEAN, [xx.xx.xx.xx]
>> [xx.xx.xx.xx] [hidden email] -> [hidden email], Message-ID:
>> [hidden email], mail_id: 2RkcE-mZfBX1, Hits: -1.896, size:
>> 2351, queued_as: 0F609FD8066, 761 ms
>> Jul  2 16:33:10 triata postfix/smtp[1479]: 2FE2AFD8028:
>> to=[hidden email], relay=127.0.0.1[127.0.0.1]:10024, delay=0.98,
>> delays=0.22/0/0/0.76, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
>> 0F609FD8066)
>> Jul  2 09:33:40 triata postfix/smtp[1485]: connect to
>> mail.theirdomain.com[xx.xx.xx.xx]: Connection timed out (port 25)
>> Jul  2 09:33:40 triata postfix/smtp[1485]: connect to
>> mail2.theirdomain.com[xx.xx.xx.xx]: Connection refused (port 25)
>> Jul  2 09:33:40 triata postfix/smtp[1485]: 0F609FD8066:
>> to=[hidden email], relay=none, delay=30, delays=0.05/0/30/0,
>> dsn=4.4.1, status=deferred (connect to mail2.theirdomain.com[xx.xx.xx.xx]:
>> Connection refused)
>
> Your network is broken or servers at mail{1,2}.theirdomain.com are unavailable?
> --
> Eero

Thank you for responding, Eero.

The servers there are available when sending through another MTA like Gmail.  This is the only server out of the thousands of emails which go out daily which reports this connection refused.

I will repost logs and postconf without obfuscation:

Jul  2 09:33:10 triata amavis[1162]: (01162-09) Passed CLEAN, [63.227.91.242] [63.227.91.242] [hidden email] -> [hidden email], Message-ID: [hidden email], mail_id: 2RkcE-mZfBX1, Hits: -1.896, size: 2351, queued_as: 0F609FD8066, 761 ms
Jul  2 16:33:10 triata postfix/smtp[1479]: 2FE2AFD8028: to=[hidden email], relay=127.0.0.1[127.0.0.1]:10024, delay=0.98, delays=0.22/0/0/0.76, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0F609FD8066)
Jul  2 09:33:40 triata postfix/smtp[1485]: connect to mail.draxlerinsurance.com[67.227.17.37]: Connection timed out (port 25)
Jul  2 09:33:40 triata postfix/smtp[1485]: connect to mail2.draxlerinsurance.com[67.227.17.36]: Connection refused (port 25)



Postconf -n

alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 600s
maximal_queue_lifetime = 1d
message_size_limit = 0
milter_default_action = accept
milter_macro_daemon_name = ORIGINATING
milter_protocol = 2
minimal_backoff_time = 300s
mydestination = $myhostname, localhost.$mydomain, localhost,
mydomain = globalchangemultimedia.net
myhostname = triata.globalchangemultimedia.net
mynetworks = 127.0.0.1, 140.99.55.54, 140.99.55.50,140.99.55.51,140.99.55.53,63.227.91.246,  63.227.91.245, 63.227.91.244,  63.227.91.243,  63.227.91.242,  63.227.91.241
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:127.0.0.1:20209
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access,   reject_invalid_hostname,reject_non_fqdn_hostname, permit
smtpd_milters = inet:127.0.0.1:20209
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname,  reject_non_fqdn_hostname,         reject_non_fqdn_sender, reject_non_fqdn_recipient,  reject_unknown_sender_domain,       reject_unauth_destination, check_policy_service inet:127.0.0.1:2501, permit
smtpd_restriction_classes = webdev_only, unrestricted
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql_restricted_senders.cf,         permit_sasl_authenticated,       reject_non_fqdn_sender, reject_unknown_sender_domain,           permit_mynetworks,  permit
smtpd_tls_cert_file = /etc/ssl/triata.globalchangemultimedia.net/mailserver/smtpd.pem
smtpd_tls_key_file = /etc/ssl/triata.globalchangemultimedia.net/mailserver/smtpd.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_aliases, mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_transport = dovecot
virtual_uid_maps = static:1001


-- 
asai
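
As an added example (not part of the original post and not Postfix code), the following Python groups `postfix/smtp` connect failures like the ones in the log above with the delivery record that follows them, so each deferred message shows which MX hosts were tried and which stage of `delays=a/b/c/d` consumed the time. The sample log is constructed with placeholder hosts, and tying connect lines to a delivery by the smtp process ID is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same format as the log in the post; hosts and
# addresses are placeholders, not the ones from the thread.
SAMPLE_LOG = """\
Jul  2 09:33:40 mta postfix/smtp[1485]: connect to mx1.example.net[192.0.2.37]: Connection timed out (port 25)
Jul  2 09:33:40 mta postfix/smtp[1485]: connect to mx2.example.net[192.0.2.36]: Connection refused (port 25)
Jul  2 09:33:40 mta postfix/smtp[1485]: 0F609FD8066: to=<user@example.net>, relay=none, delay=30, delays=0.05/0/30/0, dsn=4.4.1, status=deferred (connect to mx2.example.net[192.0.2.36]: Connection refused)
Jul  2 09:34:02 mta postfix/smtp[1490]: 1A2B3C4D5E6: to=<other@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

CONNECT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: connect to (?P<host>[^\[\s]+)"
    r"\[(?P<ip>[^\]]+)\]: (?P<reason>.+?) \(port (?P<port>\d+)\)\s*$")
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): "
    r"to=<?(?P<rcpt>[^>,]+)>?, relay=(?P<relay>[^,]+), "
    r".*?delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")

# Postfix logs delays=a/b/c/d: time before the queue manager, time in the
# queue manager, connection setup (DNS, HELO, TLS), message transmission.
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

# What the two socket errors in the thread mean at the TCP level.
HINTS = {
    "Connection timed out": "no reply to the TCP handshake (host down or packets dropped)",
    "Connection refused": "handshake actively rejected (nothing listening, or a device sent a reset)",
}


def triage(log_text):
    """Return one record per delivery attempt with the MX failures before it."""
    pending = defaultdict(list)  # smtp pid -> connect failures not yet attributed
    deliveries = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            pending[m["pid"]].append((m["host"], m["ip"], m["reason"]))
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue  # amavis lines, other daemons, etc.
        stages = dict(zip(STAGES, (float(x) for x in m["delays"].split("/"))))
        deliveries.append({
            "qid": m["qid"], "rcpt": m["rcpt"], "relay": m["relay"],
            "dsn": m["dsn"], "status": m["status"],
            "attempts": pending.pop(m["pid"], []),
            "slowest_stage": max(stages, key=stages.get),
        })
    return deliveries


def failure_summary(deliveries):
    """Count failures per (MX host, reason) to spot a single bad destination."""
    counts = Counter()
    for d in deliveries:
        for host, _ip, reason in d["attempts"]:
            counts[(host, reason)] += 1
    return dict(counts)


def explain(delivery):
    """One human-readable line per failed MX attempt."""
    return [f"{host}[{ip}]: {reason}: {HINTS.get(reason, 'see the Postfix log')}"
            for host, ip, reason in delivery["attempts"]]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(d["qid"], d["status"], d["dsn"], "slowest:", d["slowest_stage"])
        for note in explain(d):
            print("   ", note)
```
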

Re: Connection Refused on Port 25

Sahil Tandon-3
In reply to this post by asai
On Fri, 2010-07-02 at 13:41:06 -0700, Asai wrote:

> For some reason, which I don't know how to figure out, our emails to
> this one specific email domain are being refused.  Can anyone point
> me in the right direction?  Here's an example of the log:
>
> Jul  2 09:33:40 triata postfix/smtp[1485]: connect to
> mail.theirdomain.com[xx.xx.xx.xx]: Connection timed out (port 25)

Are you able to telnet to mail.theirdomain.com on port 25?  If that also
times out, then try from another location.  If that too times out, then
it's a problem with the mail servers at theirdomain.com.

--
Sahil Tandon <[hidden email]>

Re: Connection Refused on Port 25

Eero Volotinen-2
In reply to this post by asai
2010/7/3 Asai <[hidden email]>:

> Eero Volotinen wrote:
>
> 2010/7/2 Asai <[hidden email]>:
>
>
> Greetings,
>
> For some reason, which I don't know how to figure out, our emails to this
> one specific email domain are being refused.  Can anyone point me in the
> right direction?  Here's an example of the log:

Nice servers with cisco pix smtp fixout enabled. Well, I think this is a
connection/routing problem on your isp/network.

--
Eero

Re: Connection Refused on Port 25

Walter Pinto-2
In reply to this post by asai
I can't connect from my location...


[root@smtp1 postfix]# telnet mail2.draxlerinsurance.com 25
Trying 67.227.17.36...
telnet: connect to address 67.227.17.36: Connection refused

Re: Connection Refused on Port 25

asai
In reply to this post by Sahil Tandon-3
Sahil Tandon wrote:

> On Fri, 2010-07-02 at 13:41:06 -0700, Asai wrote:
>
>> For some reason, which I don't know how to figure out, our emails to
>> this one specific email domain are being refused.  Can anyone point
>> me in the right direction?  Here's an example of the log:
>>
>> Jul  2 09:33:40 triata postfix/smtp[1485]: connect to
>> mail.theirdomain.com[xx.xx.xx.xx]: Connection timed out (port 25)
>
> Are you able to telnet to mail.theirdomain.com on port 25?  If that also
> times out, then try from another location.  If that too times out, then
> it's a problem with the mail servers at theirdomain.com.

I am able to telnet from another location.

Eero, can you please elaborate on this?  I don't follow you.
"Nice servers with cisco pix smtp fixout enabled."

-- 
asai

Re: Connection Refused on Port 25

Stan Hoeppner
In reply to this post by Sahil Tandon-3
Sahil Tandon put forth on 7/2/2010 4:13 PM:

> On Fri, 2010-07-02 at 13:41:06 -0700, Asai wrote:
>
>> For some reason, which I don't know how to figure out, our emails to
>> this one specific email domain are being refused.  Can anyone point
>> me in the right direction?  Here's an example of the log:
>>
>> Jul  2 09:33:40 triata postfix/smtp[1485]: connect to
>> mail.theirdomain.com[xx.xx.xx.xx]: Connection timed out (port 25)
>
> Are you able to telnet to mail.theirdomain.com on port 25?  If that also
> times out, then try from another location.  If that too times out, then
> it's a problem with the mail servers at theirdomain.com.

I can get a telnet connection to the problem destination MX server from here,
but I also get a connection refusal to the backup MX.

[04:51:16][stan@greer]~$ telnet 67.227.17.37 25
Trying 67.227.17.37...
Connected to 67.227.17.37.
Escape character is '^]'.
220
***********************************************************************************
quit
221 2.0.0 mail.egismail.com closing connection
Connection closed by foreign host.


[04:53:10][stan@greer]~$ telnet 67.227.17.36 25
Trying 67.227.17.36...
telnet: Unable to connect to remote host: Connection refused

--
Stan

Re: Connection Refused on Port 25

asai
In reply to this post by asai


Gary Chambers wrote:

> Asai,
>
>> Eero, can you please elaborate on this?  I don't follow you.
>> "Nice servers with cisco pix smtp fixout enabled."
>
> Eero is asserting that the mail server to which you are trying to
> connect is behind a Cisco PIX/ASA firewall.  Those devices have a
> known bug that causes trouble with some mail servers due to it mangling
> the SMTP banner.  Take a look at:
>
> http://blogs.oucs.ox.ac.uk/networks/2009/11/26/cisco-firewall-smtp-fixup-considered-harmful/
>
> -- Gary Chambers
>
> /* Nothing fancy and nothing Microsoft! */

OK.  Has anyone successfully been able to work around this issue?
-- 
asai

Re: Connection Refused on Port 25

Charles Marcus
On 2010-07-02 7:20 PM, Asai wrote:
> OK.  Has anyone successfully been able to work around this issue?

The only way is to have the admin for the CISCO PIX disable the stupid
smtp fixup garbage on the CISCO box.

As far as I know, there is NEVER any reason to have this enabled on an
internet facing box that receives mail from 'wherever'...

--

Best regards,

Charles

Re: Connection Refused on Port 25

Jeroen Geilman
On 07/03/2010 09:14 PM, Charles Marcus wrote:

> On 2010-07-02 7:20 PM, Asai wrote:
>    
>> OK.  Has anyone successfully been able to work around this issue?
>>      
> The only way is to have the admin for the CISCO PIX disable the stupid
> smtp fixup garbage on the CISCO box.
>
> As far as I know, there is NEVER any reason to have this enabled on an
> internet facing box that receives mail from 'wherever'...
>
>    

"fixup protocol smtp" on a Cisco PIX firewall does several things:

1. it inspects every single SMTP packet it sees
2. it disallows all but the SMTP commands explicitly stated in RFC [8|28|53]21
and
3. it replaces the SMTP greeting banner with a generic one

It is obviously the latter you have an issue with :)

While I agree that it should never be enabled *by default*, it's hardly
stupid, predating modern anti-spam measures such as policydaemons and
DNSBLs by at least 10 years.

J.
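
As an added example (not part of the original message and not Cisco or Postfix code), the following Python parses captured SMTP replies and flags the two visible effects described above: a greeting replaced by a masked banner, and ESMTP being unavailable. The inputs are constructed; the asterisk-ratio threshold and reading a 5xx reply to EHLO as a sign of command filtering are assumptions of this example.

```python
import re

REPLY_LINE = re.compile(r"^(?P<code>[2-5]\d\d)(?P<sep>[ -]?)(?P<text>.*)$")

# Constructed inputs. The masked greeting copies the shape seen in the telnet
# sessions in this thread ("220" followed by a run of asterisks).
MASKED_GREETING = "220\r\n" + "*" * 83 + "\r\n"
PLAIN_GREETING = "220 mail.example.net ESMTP\r\n"
EHLO_REJECTED = "500 5.5.1 Command unrecognized\r\n"
EHLO_ACCEPTED = ("250-mail.example.net\r\n250-PIPELINING\r\n"
                 "250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n")


def parse_replies(raw):
    """Split captured server output into replies: [(code, [text lines])].

    "250-..." lines continue a multi-line reply; a line that does not start
    with a reply code is treated as wrapped text of the previous line.
    """
    replies = []
    open_reply = False
    for line in raw.splitlines():
        if not line.strip():
            continue
        m = REPLY_LINE.match(line)
        if m is None:
            if replies:
                replies[-1][1][-1] += line.strip()
            continue
        code = int(m["code"])
        if open_reply and replies[-1][0] == code:
            replies[-1][1].append(m["text"])
        else:
            replies.append((code, [m["text"]]))
        open_reply = m["sep"] == "-"
    return replies


def banner_is_masked(text, threshold=0.8, min_len=10):
    """True when most visible characters of the greeting are asterisks."""
    visible = [c for c in text if not c.isspace()]
    return len(visible) >= min_len and visible.count("*") / len(visible) >= threshold


def assess(greeting_raw, ehlo_reply_raw):
    """Return findings plus the ESMTP keywords the server advertised."""
    findings, extensions = [], []
    greeting = parse_replies(greeting_raw)
    if not greeting or greeting[0][0] != 220:
        findings.append("no-220-greeting")
    elif banner_is_masked(" ".join(greeting[0][1])):
        findings.append("banner-masked")
    ehlo = parse_replies(ehlo_reply_raw)
    if ehlo:
        code, lines = ehlo[0]
        if 500 <= code <= 599:
            findings.append("ehlo-rejected")  # ESMTP unavailable on this path
        elif code == 250:
            # First line is the server's greeting; the rest are keywords.
            extensions = [l.split()[0].upper() for l in lines[1:] if l.split()]
    return {"findings": findings, "extensions": extensions}


if __name__ == "__main__":
    print(assess(MASKED_GREETING, EHLO_REJECTED))
    print(assess(PLAIN_GREETING, EHLO_ACCEPTED))
```
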


Re: Connection Refused on Port 25

asai
Jeroen Geilman wrote:

> On 07/03/2010 09:14 PM, Charles Marcus wrote:
>> On 2010-07-02 7:20 PM, Asai wrote:
>>  
>>> OK.  Has anyone successfully been able to work around this issue?
>>>      
>> The only way is to have the admin for the CISCO PIX disable the stupid
>> smtp fixup garbage on the CISCO box.
>>
>> As far as I know, there is NEVER any reason to have this enabled on an
>> internet facing box that receives mail from 'wherever'...
>>
>>    
>
> "fixup protocol smtp" on a Cisco PIX firewall does several things:
>
> 1. it inspects every single SMTP packet it sees
> 2. it disallows all but the SMTP commands explicitly stated in RFC
> [8|28|53]21
> and
> 3. it replaces the SMTP greeting banner with a generic one
>
> It is obviously the latter you have an issue with :)
>
> While I agree that it should never be enabled *by default*, it's
> hardly stupid, predating modern anti-spam measures such as
> policydaemons and DNSBLs by at least 10 years.
>
> J.
>
Thank you for your responses.

Is there anything I can do on my end?  As far as the SMTP greeting banner?

--
asai


Re: Connection Refused on Port 25

Jeroen Geilman
On 07/03/2010 11:20 PM, Asai wrote:

> Jeroen Geilman wrote:
>> On 07/03/2010 09:14 PM, Charles Marcus wrote:
>>> On 2010-07-02 7:20 PM, Asai wrote:
>>>> OK.  Has anyone successfully been able to work around this issue?
>>> The only way is to have the admin for the CISCO PIX disable the stupid
>>> smtp fixup garbage on the CISCO box.
>>>
>>> As far as I know, there is NEVER any reason to have this enabled on an
>>> internet facing box that receives mail from 'wherever'...
>>>
>>
>> "fixup protocol smtp" on a Cisco PIX firewall does several things:
>>
>> 1. it inspects every single SMTP packet it sees
>> 2. it disallows all but the SMTP commands explicitly stated in RFC
>> [8|28|53]21
>> and
>> 3. it replaces the SMTP greeting banner with a generic one
>>
>> It is obviously the latter you have an issue with :)
>>
>> While I agree that it should never be enabled *by default*, it's
>> hardly stupid, predating modern anti-spam measures such as
>> policydaemons and DNSBLs by at least 10 years.
>>
>> J.
>>
> Thank you for your responses.
> Is there anything I can do on my end?  As far as the SMTP greeting
> banner?
>

Have you already established that this is, in fact, the issue ?

J.


Re: Connection Refused on Port 25

asai


Jeroen Geilman wrote:

> On 07/03/2010 11:20 PM, Asai wrote:
>> Jeroen Geilman wrote:
>>> On 07/03/2010 09:14 PM, Charles Marcus wrote:
>>>> On 2010-07-02 7:20 PM, Asai wrote:
>>>>> OK.  Has anyone successfully been able to work around this issue?
>>>> The only way is to have the admin for the CISCO PIX disable the stupid
>>>> smtp fixup garbage on the CISCO box.
>>>>
>>>> As far as I know, there is NEVER any reason to have this enabled on an
>>>> internet facing box that receives mail from 'wherever'...
>>>>
>>>
>>> "fixup protocol smtp" on a Cisco PIX firewall does several things:
>>>
>>> 1. it inspects every single SMTP packet it sees
>>> 2. it disallows all but the SMTP commands explicitly stated in RFC
>>> [8|28|53]21
>>> and
>>> 3. it replaces the SMTP greeting banner with a generic one
>>>
>>> It is obviously the latter you have an issue with :)
>>>
>>> While I agree that it should never be enabled *by default*, it's
>>> hardly stupid, predating modern anti-spam measures such as
>>> policydaemons and DNSBLs by at least 10 years.
>>>
>>> J.
>>>
>> Thank you for your responses.
>> Is there anything I can do on my end?  As far as the SMTP greeting
>> banner?
>>
>
> Have you already established that this is, in fact, the issue ?
>
> J.
>
No, I am basing this assumption on your comment, "It is obviously the
latter you have an issue with :)"

--
asai



Re: Connection Refused on Port 25

Jeroen Geilman
On 07/03/2010 11:24 PM, Asai wrote:

>
>
> Jeroen Geilman wrote:
>> On 07/03/2010 11:20 PM, Asai wrote:
>>> Jeroen Geilman wrote:
>>>> On 07/03/2010 09:14 PM, Charles Marcus wrote:
>>>>> On 2010-07-02 7:20 PM, Asai wrote:
>>>>>> OK.  Has anyone successfully been able to work around this issue?
>>>>> The only way is to have the admin for the CISCO PIX disable the
>>>>> stupid
>>>>> smtp fixup garbage on the CISCO box.
>>>>>
>>>>> As far as I know, there is NEVER any reason to have this enabled
>>>>> on an
>>>>> internet facing box that receives mail from 'wherever'...
>>>>>
>>>>
>>>> "fixup protocol smtp" on a Cisco PIX firewall does several things:
>>>>
>>>> 1. it inspects every single SMTP packet it sees
>>>> 2. it disallows all but the SMTP commands explicitly stated in RFC
>>>> [8|28|53]21
>>>> and
>>>> 3. it replaces the SMTP greeting banner with a generic one
>>>>
>>>> It is obviously the latter you have an issue with :)
>>>>
>>>> While I agree that it should never be enabled *by default*, it's
>>>> hardly stupid, predating modern anti-spam measures such as
>>>> policydaemons and DNSBLs by at least 10 years.
>>>>
>>>> J.
>>>>
>>> Thank you for your responses.
>>> Is there anything I can do on my end?  As far as the SMTP greeting
>>> banner?
>>>
>>
>> Have you already established that this is, in fact, the issue ?
>>
>> J.
>>
> No, I am basing this assumption on your comment, "It is obviously the
> latter you have an issue with :)"
>

But I wasn't replying to you.

J.


Re: Connection Refused on Port 25

/dev/rob0
In reply to this post by asai
On Sat, Jul 03, 2010 at 02:24:20PM -0700, Asai wrote:
> Jeroen Geilman wrote:
>> On 07/03/2010 11:20 PM, Asai wrote:
>>> Jeroen Geilman wrote:
>>>> On 07/03/2010 09:14 PM, Charles Marcus wrote:
>>>>> On 2010-07-02 7:20 PM, Asai wrote:
>>>>>> OK.  Has anyone successfully been able to work around this
>>>>>> issue?

What issue? It seems that the original issue was misunderstood,
and/or misdiagnosed. You (Asai) have yet to post anything here with
which we can assist you.

http://www.postfix.org/DEBUG_README.html#mail

>>>>> The only way is to have the admin for the CISCO PIX disable
>>>>> the stupid smtp fixup garbage on the CISCO box.
>>>>>
>>>>> As far as I know, there is NEVER any reason to have this
>>>>> enabled on an internet facing box that receives mail from
>>>>> 'wherever'...
>>>>
>>>> "fixup protocol smtp" on a Cisco PIX firewall does several
>>>> things:
>>>>
>>>> 1. it inspects every single SMTP packet it sees

How is this inspection a good thing?

>>>> 2. it disallows all but the SMTP commands explicitly stated
>>>> in RFC [8|28|53]21

This is NOT a good thing. It breaks the features of ESMTP.

>>>> and
>>>> 3. it replaces the SMTP greeting banner with a generic one
>>>>
>>>> It is obviously the latter you have an issue with :)
>>>>
>>>> While I agree that it should never be enabled *by default*, it's  
>>>> hardly stupid, predating modern anti-spam measures such as  
>>>> policydaemons and DNSBLs by at least 10 years.

I'll admit that most/all of what I know about it is from reading here
and other forums, but I don't see any value in Cisco's SMTP "fixup".

>>> Thank you for your responses.
>>> Is there anything I can do on my end?  As far as the SMTP
>>> greeting banner?
>>
>> Have you already established that this is, in fact, the issue ?
>>
> No, I am basing this assumption on your comment, "It is obviously
> the latter you have an issue with :)"

I think you missed a bit of sarcasm. No, the banner is not causing
problems, it merely pointed out to us one of the potential problems
you're facing.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Connection Refused on Port 25

Jeroen Geilman
On 07/03/2010 11:38 PM, /dev/rob0 wrote:

> On Sat, Jul 03, 2010 at 02:24:20PM -0700, Asai wrote:
>    
>> Jeroen Geilman wrote:
>>      
>>> On 07/03/2010 11:20 PM, Asai wrote:
>>>        
>>>> Jeroen Geilman wrote:
>>>>          
>>>>> On 07/03/2010 09:14 PM, Charles Marcus wrote:
>>>>>            
>>>>>> On 2010-07-02 7:20 PM, Asai wrote:
>>>>>>              
>>>>>>> OK.  Has anyone successfully been able to work around this
>>>>>>> issue?
>>>>>>>                
> What issue? It seems that the original issue was misunderstood,
> and/or misdiagnosed. You (Asai) have yet to post anything here with
> which we can assist you.
>
> http://www.postfix.org/DEBUG_README.html#mail
>
>    
>>>>>> The only way is to have the admin for the CISCO PIX disable
>>>>>> the stupid smtp fixup garbage on the CISCO box.
>>>>>>
>>>>>> As far as I know, there is NEVER any reason to have this
>>>>>> enabled on an internet facing box that receives mail from
>>>>>> 'wherever'...
>>>>>>              
>>>>> "fixup protocol smtp" on a Cisco PIX firewall does several
>>>>> things:
>>>>>
>>>>> 1. it inspects every single SMTP packet it sees
>>>>>            
> How is this inspection a good thing?
>
>    
>>>>> 2. it disallows all but the SMTP commands explicitly stated
>>>>> in RFC [8|28|53]21
>>>>>            
> This is NOT a good thing. It breaks the features of ESMTP.
>    

I'm not claiming it is a good thing.

>    
>>>>> and
>>>>> 3. it replaces the SMTP greeting banner with a generic one
>>>>>
>>>>> It is obviously the latter you have an issue with :)
>>>>>
>>>>> While I agree that it should never be enabled *by default*, it's
>>>>> hardly stupid, predating modern anti-spam measures such as
>>>>> policydaemons and DNSBLs by at least 10 years.
>>>>>            
> I'll admit that most/all of what I know about it is from reading here
> and other forums, but I don't see any value in Cisco's SMTP "fixup".
>    

The value was that $bigco could invest in Cisco firewalls and protect
their mail servers from some abuse, assuming their mail admins were stupid.

You should know that the latter happens more often than we'd like :)

>    
>>>> Thank you for your responses.
>>>> Is there anything I can do on my end?  As far as the SMTP
>>>> greeting banner?
>>>>          
>>> Have you already established that this is, in fact, the issue ?
>>>
>>>        
>> No, I am basing this assumption on your comment, "It is obviously
>> the latter you have an issue with :)"
>>      
> I think you missed a bit of sarcasm. No, the banner is not causing
> problems, it merely pointed out to us one of the potential problems
> you're facing.
>    

I think you also missed the fact that I wasn't responding to the OP,
robb0 :)

J.




Re: Connection Refused on Port 25

Jim Wright
In reply to this post by asai
On Jul 3, 2010, at 4:20 PM, Asai wrote:

> Thank you for your responses. Is there anything I can do on my end?

To put it simply, you're going to need to find a way to contact the postmaster on the other end and let them know that legitimate mail is being blocked.  You will first need to find a way to send email to that domain in order to actually reach the postmaster.

You can email postmaster@ (whatever the domain is), but often these addresses are not monitored.  You could do a DNS lookup and find the technical contact for that domain, and write to that person about the issue.  You could also contact any legitimate users and ask if they can forward a message to the IT or technical support contact for their mail server.  If the domain is for a company, check their web page to see if any support contact may be listed, and try that.

This won't be a simple process, and once you actually reach someone, convincing them that they have an issue can sometimes be an uphill battle.  But the issue doesn't seem to be on your end, it's on theirs.


Good luck.

Re: Connection Refused on Port 25

JunkYardMail1
In reply to this post by asai

Have you verified your MTAs are not on a Black/Block list?  Maybe
draxlerinsurance.com has firewalled you off.  I know I would.

http://www.mxtoolbox.com/blacklists.aspx


[root@VPS1 ~]# telnet 67.227.17.37 25
Trying 67.227.17.37...
Connected to 67.227.17.37.
Escape character is '^]'.
220
***********************************************************************************
helo test
250 mail.egismail.com Hello test [x.x.x.x], pleased to meet you.
mail from: <[hidden email]>
250 2.1.0 <[hidden email]>... Sender ok
rcpt to: <[hidden email]>
550 5.1.1 <[hidden email]> User unknown; rejecting
quit
221 2.0.0 mail.egismail.com closing connection
Connection closed by foreign host.


--------------------------------------------------
From: "Asai" <[hidden email]>
Sent: Saturday, July 03, 2010 2:20 PM
To: <[hidden email]>
Subject: Re: Connection Refused on Port 25

> Jeroen Geilman wrote:
> Thank you for your responses.
> Is there anything I can do on my end?  As far as the SMTP greeting banner?
>
> --
> asai
>