OT: Diagnose blocked mail

OT: Diagnose blocked mail

Ray-56
Hello,
I'm having an issue with mail being blocked (I think) and I was hoping that
someone here would give me an idea on where to get started.

Here's the situation. (Made up names)

Server is postfix with amavis-new, spam-assassin and dovecot. Logs are fairly
verbose.

Alice ([hidden email]) sends Bob an Email ([hidden email]) CC
([hidden email]). I run myserver.com. Message goes through to
[hidden email], but not [hidden email].
There is absolutely no trace of Alice's domain in the mail logs.

Am I being blocked upstream, is my server discarding the mail somewhere or
...?

Any suggestions including alternate mail lists or Google search terms very
much appreciated.

Ray

Re: OT: Diagnose blocked mail

Terry Carmen
Ray wrote:

> Hello,
> I'm having an issue with mail being blocked (I think) and I was hoping that
> someone here would give me an idea on where to get started.
>
> here's the situation. (Made up names)
>
> server is postfix with amavis-new, spam-assassin and dovecot. logs are fairly
> verbose.
>
> Alice ([hidden email]) sends Bob an Email ([hidden email]) CC
> ([hidden email]) I run myserver.com. message goes through to
> [hidden email], but not [hidden email].
> there is absolutely no trace of alice's domain in the mail logs.
>
> am I being blocked up stream, is my server discarding the mail somewhere or
> ...?
>
> any suggestions including alternate mail lists or google search terms very
> much appreciated.
>
> Ray
>  
Post the appropriate section of /var/log/maillog showing the misbehaving
transfer.

Terry


Re: OT: Diagnose blocked mail

Ray-56
On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:

> Ray wrote:
> > Hello,
> > I'm having an issue with mail being blocked (I think) and I was hoping
> > that someone here would give me an idea on where to get started.
> >
> > here's the situation. (Made up names)
> >
> > server is postfix with amavis-new, spam-assassin and dovecot. logs are
> > fairly verbose.
> >
> > Alice ([hidden email]) sends Bob an Email ([hidden email]) CC
> > ([hidden email]) I run myserver.com. message goes through to
> > [hidden email], but not [hidden email].
> > there is absolutely no trace of alice's domain in the mail logs.
> >
> > am I being blocked up stream, is my server discarding the mail somewhere
> > or ...?
> >
> > any suggestions including alternate mail lists or google search terms
> > very much appreciated.
> >
> > Ray
>
> Post the appropriate section of /var/log/maillog showing the misbehaving
> transfer.
>
> Terry

That's the problem, there's nothing in the logs.
Ray


Re: OT: Diagnose blocked mail

Magnus Bäck
On Thursday, March 05, 2009 at 00:26 CET,
     Ray <[hidden email]> wrote:

> On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > Ray wrote:
> >
> > > Alice ([hidden email]) sends Bob an Email ([hidden email]) CC
> > > ([hidden email]) I run myserver.com. message goes through to
> > > [hidden email], but not [hidden email].
> > > there is absolutely no trace of alice's domain in the mail logs.
> > >
> > > am I being blocked up stream, is my server discarding the mail
> > > somewhere or ...?
> > >
> > > any suggestions including alternate mail lists or google search
> > > terms very much appreciated.
> >
> > Post the appropriate section of /var/log/maillog showing the
> > misbehaving transfer.
>
> That's the problem, there's nothing in the logs.

Is Postfix running?
Is it accepting port 25 connections on the Internet-facing network interface?
Is there any firewall in the way?
Are the MX records pointing towards your server?
Does your ISP block inbound port 25?
Can you connect to port 25 from an outside network?
...

--
Magnus Bäck
[hidden email]

Re: OT: Diagnose blocked mail

/dev/rob0
In reply to this post by Ray-56
On Wed March 4 2009 17:26:01 Ray wrote:
> On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > Ray wrote:
> > > Hello,
> > > I'm having an issue with mail being blocked (I think) and I was
> > > hoping that someone here would give me an idea on where to get
> > > started.
> > >
> > > here's the situation. (Made up names)

Unfortunately, made up (misappropriated) domain names as well. Your
problem is most likely either broken DNS or as you suggest, some kind
of firewall blocking. We can't help with any of that if you don't use
real domain names.

> > > server is postfix with amavis-new, spam-assassin and dovecot.
> > > logs are fairly verbose.
> > >
> > > Alice ([hidden email]) sends Bob an Email ([hidden email])
> > > CC ([hidden email]) I run myserver.com. message goes through
> > > to [hidden email], but not [hidden email].
> > > there is absolutely no trace of alice's domain in the mail logs.
> > >
> > > am I being blocked up stream, is my server discarding the mail
> > > somewhere or ...?
> > >
> > > any suggestions including alternate mail lists or google search
> > > terms very much appreciated.
> > >
> > > Ray
> >
> > Post the appropriate section of /var/log/maillog showing the
> > misbehaving transfer.
> >
> > Terry
>
> That's the problem, there's nothing in the logs.

--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: OT: Diagnose blocked mail

Ray-56
In reply to this post by Magnus Bäck
On Wednesday 04 March 2009 16:35:01 Magnus Bäck wrote:

> On Thursday, March 05, 2009 at 00:26 CET,
>
>      Ray <[hidden email]> wrote:
> > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > > Ray wrote:
> > > > Alice ([hidden email]) sends Bob an Email ([hidden email]) CC
> > > > ([hidden email]) I run myserver.com. message goes through to
> > > > [hidden email], but not [hidden email].
> > > > there is absolutely no trace of alice's domain in the mail logs.
> > > >
> > > > am I being blocked up stream, is my server discarding the mail
> > > > somewhere or ...?
> > > >
> > > > any suggestions including alternate mail lists or google search
> > > > terms very much appreciated.
> > >
> > > Post the appropriate section of /var/log/maillog showing the
> > > misbehaving transfer.
> >
> > That's the problem, there's nothing in the logs.
>
> Is Postfix running?
> Is it accepting port 25 connections on the Internet-facing network
> interface? Is there any firewall in the way?
> Are the MX records pointing towards your server?
> Does your ISP block inbound port 25?
> Can you connect to port 25 from an outside network?
> ...
Sorry, I should have filled in all this information beforehand :(
Server is live and fully functional. It deals with thousands of messages per
day and has for over a year. One user can't receive messages from one contact.
That contact doesn't even show up in the logs as spam or lost connection or
anything.

Ray


Re: OT: Diagnose blocked mail

Ray-56
In reply to this post by /dev/rob0
On Wednesday 04 March 2009 16:37:37 /dev/rob0 wrote:

> On Wed March 4 2009 17:26:01 Ray wrote:
> > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > > Ray wrote:
> > > > Hello,
> > > > I'm having an issue with mail being blocked (I think) and I was
> > > > hoping that someone here would give me an idea on where to get
> > > > started.
> > > >
> > > > here's the situation. (Made up names)
>
> Unfortunately, made up (misappropriated) domain names as well. Your
> problem is most likely either broken DNS or as you suggest, some kind
> of firewall blocking. We can't help with any of that if you don't use
> real domain names.
>

Receiving domain is aplustaxi.ca

> > > > server is postfix with amavis-new, spam-assassin and dovecot.
> > > > logs are fairly verbose.
> > > >
> > > > Alice ([hidden email]) sends Bob an Email ([hidden email])
> > > > CC ([hidden email]) I run myserver.com. message goes through
> > > > to [hidden email], but not [hidden email].
> > > > there is absolutely no trace of alice's domain in the mail logs.
> > > >
> > > > am I being blocked up stream, is my server discarding the mail
> > > > somewhere or ...?
> > > >
> > > > any suggestions including alternate mail lists or google search
> > > > terms very much appreciated.
> > > >
> > > > Ray
> > >
> > > Post the appropriate section of /var/log/maillog showing the
> > > misbehaving transfer.
> > >
> > > Terry
> >
> > That's the problem, there's nothing in the logs.


Re: OT: Diagnose blocked mail

Jose Ildefonso Camargo Tolosa
In reply to this post by Ray-56
Hi!

On Thu, Mar 5, 2009 at 7:11 PM, Ray <[hidden email]> wrote:

> On Wednesday 04 March 2009 16:35:01 Magnus Bäck wrote:
>> On Thursday, March 05, 2009 at 00:26 CET,
>>
>>      Ray <[hidden email]> wrote:
>> > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
>> > > Ray wrote:
>> > > > Alice ([hidden email]) sends Bob an Email ([hidden email]) CC
>> > > > ([hidden email]) I run myserver.com. message goes through to
>> > > > [hidden email], but not [hidden email].
>> > > > there is absolutely no trace of alice's domain in the mail logs.
>> > > >
>> > > > am I being blocked up stream, is my server discarding the mail
>> > > > somewhere or ...?
>> > > >
>> > > > any suggestions including alternate mail lists or google search
>> > > > terms very much appreciated.
>> > >
>> > > Post the appropriate section of /var/log/maillog showing the
>> > > misbehaving transfer.
>> >
>> > That's the problem, there's nothing in the logs.
>>
>> Is Postfix running?
>> Is it accepting port 25 connections on the Internet-facing network
>> interface? Is there any firewall in the way?
>> Are the MX records pointing towards your server?
>> Does your ISP block inbound port 25?
>> Can you connect to port 25 from an outside network?
>> ...
> Sorry, I should have filled in all this information before hand :(
> Server is live and fully functional. it deals with thousands of messages per
> day and has for over a year. One user can't receive messages from one contact.
> That contact doesn't even show up in the logs as spam or lost connection or
> anything.

So, let me see: one user can't receive mail from one specific mail
address, but can other users receive mail from that address? I.e., if
[hidden email] sends a mail to [hidden email], is the mail
delivered?

Do you have some kind of spam filter "before" your actual mail server?
If yes: which one, and can you temporarily disable/remove it and
test?

I hope this helps,

Ildefonso Camargo

Re: OT: Diagnose blocked mail

Bill Weiss-5
In reply to this post by Ray-56
Ray([hidden email])@Wed, Mar 04, 2009 at 04:46:21PM -0700:

> On Wednesday 04 March 2009 16:37:37 /dev/rob0 wrote:
> > On Wed March 4 2009 17:26:01 Ray wrote:
> > > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > > > Ray wrote:
> > > > > Hello,
> > > > > I'm having an issue with mail being blocked (I think) and I was
> > > > > hoping that someone here would give me an idea on where to get
> > > > > started.
> > > > >
> > > > > here's the situation. (Made up names)
> >
> > Unfortunately, made up (misappropriated) domain names as well. Your
> > problem is most likely either broken DNS or as you suggest, some kind
> > of firewall blocking. We can't help with any of that if you don't use
> > real domain names.
> >
>
> receiving domain is aplustaxi.ca

Your DNS and firewall look ok from here:

houdini@www ~ % dig aplustaxi.ca any +short
10 mail.geekdelivery.com.
206.75.152.197
houdini@www ~ % dig mail.geekdelivery.com any +short
206.75.152.197
houdini@www ~ % telnet mail.geekdelivery.com 25
Trying 206.75.152.197...
Connected to mail.geekdelivery.com.
Escape character is '^]'.
220 mail.geekdelivery.com ESMTP Postfix
HELO clanspum.net
250 mail.geekdelivery.com
MAIL FROM: <[hidden email]>
250 2.1.0 Ok
RCPT TO: <[hidden email]>
250 2.1.5 Ok
RSET
250 2.0.0 Ok
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
houdini@www ~ %

Have you tried getting a pcap while the mystery server is supposed to be
sending you mail?

--
Bill Weiss
 
C has all the expressive power of two dixie cups and a string.
    -- Jamie Zawinski


Re: OT: Diagnose blocked mail

Ray-56
On Wednesday 04 March 2009 18:10:22 Bill Weiss wrote:

> Ray([hidden email])@Wed, Mar 04, 2009 at 04:46:21PM -0700:
> > On Wednesday 04 March 2009 16:37:37 /dev/rob0 wrote:
> > > On Wed March 4 2009 17:26:01 Ray wrote:
> > > > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > > > > Ray wrote:
> > > > > > Hello,
> > > > > > I'm having an issue with mail being blocked (I think) and I was
> > > > > > hoping that someone here would give me an idea on where to get
> > > > > > started.
> > > > > >
> > > > > > here's the situation. (Made up names)
> > >
> > > Unfortunately, made up (misappropriated) domain names as well. Your
> > > problem is most likely either broken DNS or as you suggest, some kind
> > > of firewall blocking. We can't help with any of that if you don't use
> > > real domain names.
> >
> > receiving domain is aplustaxi.ca
>
> Your DNS and firewall look ok from here:
>
> houdini@www ~ % dig aplustaxi.ca any +short
> 10 mail.geekdelivery.com.
> 206.75.152.197
> houdini@www ~ % dig mail.geekdelivery.com any +short
> 206.75.152.197
> houdini@www ~ % telnet mail.geekdelivery.com 25
> Trying 206.75.152.197...
> Connected to mail.geekdelivery.com.
> Escape character is '^]'.
> 220 mail.geekdelivery.com ESMTP Postfix
> HELO clanspum.net
> 250 mail.geekdelivery.com
> MAIL FROM: <[hidden email]>
> 250 2.1.0 Ok
> RCPT TO: <[hidden email]>
> 250 2.1.5 Ok
> RSET
> 250 2.0.0 Ok
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
> houdini@www ~ %
>
> Have you tried getting a pcap while the mystery server is supposed to be
> sending you mail?
>

Haven't done this yet, but I will try it.
Assuming that the connection isn't getting to me, what kind of things do I
check?

> --
> Bill Weiss
>  
> C has all the expressive power of two dixie cups and a string.
>     -- Jamie Zawinski


Re: OT: Diagnose blocked mail

Ray-56
In reply to this post by Jose Ildefonso Camargo Tolosa
On Wednesday 04 March 2009 17:49:57 Jose Ildefonso Camargo Tolosa wrote:

> Hi!
>
> On Thu, Mar 5, 2009 at 7:11 PM, Ray <[hidden email]> wrote:
> > On Wednesday 04 March 2009 16:35:01 Magnus Bäck wrote:
> >> On Thursday, March 05, 2009 at 00:26 CET,
> >>
> >>      Ray <[hidden email]> wrote:
> >> > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> >> > > Ray wrote:
> >> > > > Alice ([hidden email]) sends Bob an Email ([hidden email]) CC
> >> > > > ([hidden email]) I run myserver.com. message goes through to
> >> > > > [hidden email], but not [hidden email].
> >> > > > there is absolutely no trace of alice's domain in the mail logs.
> >> > > >
> >> > > > am I being blocked up stream, is my server discarding the mail
> >> > > > somewhere or ...?
> >> > > >
> >> > > > any suggestions including alternate mail lists or google search
> >> > > > terms very much appreciated.
> >> > >
> >> > > Post the appropriate section of /var/log/maillog showing the
> >> > > misbehaving transfer.
> >> >
> >> > That's the problem, there's nothing in the logs.
> >>
> >> Is Postfix running?
> >> Is it accepting port 25 connections on the Internet-facing network
> >> interface? Is there any firewall in the way?
> >> Are the MX records pointing towards your server?
> >> Does your ISP block inbound port 25?
> >> Can you connect to port 25 from an outside network?
> >> ...
> >
> > Sorry, I should have filled in all this information before hand :(
> > Server is live and fully functional. it deals with thousands of messages
> > per day and has for over a year. One user can't receive messages from one
> > contact. That contact doesn't even show up in the logs as spam or lost
> > connection or anything.
>
> So, let me see: one user can't receive mail from on specific mail
> address, but can other users receive mail from that address?, ie, if
> [hidden email] sends a mail to [hidden email] , is the mail
> delivered?
>

Haven't tested that yet. My gut feeling is no, but I will test.

> Do you have some kind of spam filter "before" your actual mail server?
>  if yes: which one, and: can you temporarily disable/remove it and
> test?
>

Unless my IP is blocking specific email addresses or domains,
the entire mail system consists of postfix, dovecot, amavisd-new, clamav and
spamassassin running under FreeBSD 7.0. All of the mail components log to the
same file.
Ray


> I hope this helps,
>
> Ildefonso Camargo


Re: OT: Diagnose blocked mail

Terry Carmen

>>> Sorry, I should have filled in all this information before hand :(
>>> Server is live and fully functional. it deals with thousands of messages
>>> per day and has for over a year. One user can't receive messages from one
>>> contact. That contact doesn't even show up in the logs as spam or lost
>>> connection or anything.
>>>      
>> So, let me see: one user can't receive mail from on specific mail
>> address, but can other users receive mail from that address?, ie, if
>> [hidden email] sends a mail to [hidden email] , is the mail
>> delivered?
>>    

If your server is running and postfix is logging normally and there are
no log entries for the missing message, it means that the message isn't
making it as far as your postfix server, it's not a postfix problem and
you need to look elsewhere.

Even if it's being eaten by another app (amavis, a poorly written
filter, etc.), there will still be a log entry showing where postfix
accepted or rejected the message. No log entry means you're looking in
the wrong place.

Terry




OT: Diagnose blocked mail

Michael Orlitzky-2
In reply to this post by Ray-56
Ray wrote:
> Alice ([hidden email]) sends Bob an Email ([hidden email]) CC
> ([hidden email]) I run myserver.com. message goes through to
> [hidden email], but not [hidden email].
> there is absolutely no trace of alice's domain in the mail logs.

Do you have "smtpd_delay_reject = yes" set in main.cf? If not, searching
for Alice's domain might not help. In that case, you'd need to search
for her outgoing mail server's IP address in your logs to see why it is
unable to connect to your server. Note that it may not be easy (read:
possible) to determine that IP address without assistance.

If either,

a) you have set smtpd_delay_reject = yes
b) you don't, but can't find her outgoing server IP in the logs, either

then the message is never making it to Postfix. Regardless, the easiest
and most straightforward way to solve this is for Alice's mail admin to
find out where her message went. Even if it's ultimately your fault, he
or she has a better view of the problem.

Re: OT: Diagnose blocked mail (Summary)

Ray-56
In reply to this post by Ray-56
Summary:
I realize that the problem most likely is not due to postfix (thus the OT in
the subject), but I figured someone here might have seen this before.

Server is live and fully functional. It deals with thousands of messages per
day and has for over a year. One user can't receive messages from one
contact. That contact doesn't even show up in the logs as spam or lost
connection or anything.

Not previously stated, but I can't find my server name or IP address on any
blacklists, and I did confirm that the email address was correct.

The recommendations made (please correct me if I'm wrong or tell me if I'm
missing anything):

1) have a message sent to another account on same server
2) "smtpd_delay_reject = yes" is set, so try to figure out sending IP address
and search for it in maillog.
3) get administrator of sending server to check his logs
4) pcap during a communication attempt

1 is easy, I'll do this one.
I think I can do 2.
I've already asked for 3 to be done, but it's out of my control.
I'll do number 4 if it comes down to it, but frankly I've never done anything
with packet capture and it's a little intimidating.

Thanks everyone for your input. If I get a resolution, I'll post back.
Ray

Re: OT: Diagnose blocked mail

Bill Weiss-5
In reply to this post by Ray-56
Ray([hidden email])@Wed, Mar 04, 2009 at 08:32:40PM -0700:
> On Wednesday 04 March 2009 18:10:22 Bill Weiss wrote:
(lots of content snipped for context)
> > Have you tried getting a pcap while the mystery server is supposed to be
> > sending you mail?
>
> Haven't done this yet, but I will try it.
> Assuming that the connection isn't getting to me, what kind of things do I
> check?

If bits are leaving one machine and not getting to another, you need to go
step-by-step between them and see where they're getting lost.  Check any
host-based firewalls first, then your upstream router, then upstream of
that... once you're lost in the internet (where you'll have less luck
asking for tap information), ask the other side to do the same thing.

Being able to point at the device and say "bits go in one side of this
but they don't come out the other" means you're most of the way there.

--
Bill Weiss
 
What is it with the beard thing.. honestly. Give a man a beard and he
thinks he rules the world... add sandals to that and suddenly they become
a unix expert.
    -- Matt Hubbard


Re: OT: Diagnose blocked mail (Summary)

Barney Desmond
In reply to this post by Ray-56
2009/3/5 Ray <[hidden email]>:
> Server is live and fully functional. it deals with thousands of messages per
> day and has for over a year. One user can't receive  messages from one
> contact. That contact doesn't even show up in the  logs as spam or lost
> connection or anything.

Can you clarify? I assume the recipient can receive mail from other
senders just fine? Can you find out if another sender at the same
domain can get mail to your user?

> 1) have a message sent to another account on same server

Good idea.

> 2) "smtpd_delay_reject = yes" is set, so try to figure out sending ip address
> and search for it in maillog.

This is the default, but you'll still see records of the connecting IP
address even if it's set to 'no'. Figuring out the sending IP address
may or may not be difficult depending on the level of co-operation
from the sender's side.

> 3) get administrator of sending server to check his logs

This will be the most productive; force them to *prove* that mail is
leaving their servers, and ideally show that it's getting to yours.
While you want to be helpful, you don't want to waste time. I wouldn't
bother doing much more than grepping your logs without some
confirmation the mail is approaching your systems. Also ask the
sending user to send through a copy of whatever error messages they're
getting back, it should be a bounce email.

> 4) pcap during a communication attempt
>
> I'll do number 4 if It comes down to it, but frankly I've never done anything
> with packet capture and it's a little intimidating.

Chances are you'll find the problem well before you need to do this.
On Linux, right? tcpdump or wireshark/tshark is your friend :)
Something like `tcpdump -n -i eth0 host rem.ote.ip.address and tcp port smtp

Re: OT: Diagnose blocked mail (Summary)

Michael Orlitzky-2
In reply to this post by Ray-56
Ray wrote:
> 2) "smtpd_delay_reject = yes" is set, so try to figure out sending ip address
> and search for it in maillog.

Er, I meant the opposite. If smtpd_delay_reject=yes is set, then the
mail logs should have recorded everything from the sender's domain to
the intended recipient at some point. The premise is that Postfix will
delay rejecting the message until it has logged some useful information.

So if that's set, you probably don't have to hit up the sender for his
or her outgoing IP addresses--the domain would have appeared in the logs.
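
The log search discussed in the posts above (look for the sender's domain, then for the sending server's IP address, and conclude the mail never reached Postfix if neither appears), as an added example that is not part of the thread or of Postfix itself. The function names, hosts, addresses and log lines are constructed for illustration; the "ip-only" result is the case where a client was rejected before MAIL FROM, so a search for the sender's domain finds nothing.

```shell
#!/bin/sh
# Added example. Every host, address and log line here is constructed
# (documentation IP ranges, example.* names); none come from the thread.

# Constructed Postfix smtpd log: one client rejected at RCPT (envelope
# sender logged), one rejected at CONNECT (no envelope sender logged).
make_sample_log() {
cat <<'EOF'
Mar  4 16:01:02 mail postfix/smtpd[1201]: connect from mx.example.net[192.0.2.10]
Mar  4 16:01:03 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.10]: 554 5.7.1 <bob@example.test>: Recipient address rejected: Access denied; from=<alice@example.net> to=<bob@example.test> proto=ESMTP helo=<mx.example.net>
Mar  4 16:01:03 mail postfix/smtpd[1201]: disconnect from mx.example.net[192.0.2.10]
Mar  4 16:05:40 mail postfix/smtpd[1207]: connect from unknown[198.51.100.7]
Mar  4 16:05:40 mail postfix/smtpd[1207]: NOQUEUE: reject: CONNECT from unknown[198.51.100.7]: 554 5.7.1 <unknown[198.51.100.7]>: Client host rejected: Access denied; proto=SMTP
Mar  4 16:05:40 mail postfix/smtpd[1207]: disconnect from unknown[198.51.100.7]
EOF
}

# classify_sender LOGFILE SENDER_DOMAIN CLIENT_IP
# Prints:
#   envelope  a from=<...@SENDER_DOMAIN> was logged (Postfix saw MAIL FROM)
#   ip-only   CLIENT_IP connected but no such envelope sender was logged
#   absent    neither appears: the connection never reached Postfix
classify_sender() {
    awk -v dom="$2" -v ip="$3" '
        BEGIN { dom = tolower(dom); env = 0; seen = 0 }
        /postfix\// {
            line = tolower($0)
            if (match(line, /from=<[^>]*>/)) {
                # strip the leading "from=<" and the trailing ">"
                addr = substr(line, RSTART + 6, RLENGTH - 7)
                n = length(addr) - length(dom)
                if (n > 0 && substr(addr, n) == "@" dom) env = 1
            }
            # bracketed match so 192.0.2.1 does not match 192.0.2.10
            if (index($0, "[" ip "]")) seen = 1
        }
        END { print (env ? "envelope" : (seen ? "ip-only" : "absent")) }
    ' "$1"
}

# reject_stage LOGFILE CLIENT_IP
# For each rejection of CLIENT_IP, prints the SMTP stage at which Postfix
# rejected (CONNECT, HELO, MAIL, RCPT, ...) and the reply code.
reject_stage() {
    awk -v ip="$2" '
        index($0, "[" ip "]") && match($0, /reject: [A-Z]+ from /) {
            stage = substr($0, RSTART + 8, RLENGTH - 14)
            rest = substr($0, RSTART + RLENGTH)
            sub(/^[^ ]*: /, "", rest)      # drop "host[ip]: "
            print stage, substr(rest, 1, 3)
        }
    ' "$1"
}

# Demo on the constructed log.
sample=$(mktemp)
make_sample_log > "$sample"
classify_sender "$sample" example.net 192.0.2.10     # envelope
classify_sender "$sample" example.org 198.51.100.7   # ip-only
classify_sender "$sample" example.com 203.0.113.5    # absent
reject_stage "$sample" 198.51.100.7                  # CONNECT 554
rm -f "$sample"
```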