Doug,
OK, you got my interest with this one. I've done some investigation,
and I may have some clues as to what's going on. But there are a lot
of pieces of this, so go slow...
1. There's no doubt that there are a lot of crossed wires between your
configuration of your SIMS server and the DNS records involved. For
example:
a. you are running your SIMS server on "bigbrother.pecandeluxe.com"
(67.105.93.126) but you have configured it to believe it is
"pecandeluxe.com":
> telnet bigbrother.pecandeluxe.com 25
> Trying 67.105.93.126...
> Connected to pecandeluxe.com.
> Escape character is '^]'.
> 220-pecandeluxe.com Stalker Internet Mail Server V.1.8b9d14 is ready.
b. unfortunately there is a machine called "pecandeluxe.com"
(207.155.248.75) and it also runs a mail server:
> telnet pecandeluxe.com 25
> Trying 207.155.248.75...
> Connected to warspite.xo.com.
> Escape character is '^]'.
> 220 warspite.xo.com ESMTP [ConcentricHost SMTP Relay 1.14] ready at
> Mon, 23 Sep 2002 13:02:50 -0400 (EDT)
This can be a problem all by itself, because it means that your mail
server "bigbrother", when contacting other mail servers to send mail,
will claim (in the HELO/EHLO line) to be "pecandeluxe", but its IP
address will not verify and some mail servers will refuse the
connection right then. (They're not *supposed* to, mind you, but they
do anyway; you can find lots of past mail on this list testifying to
that.)
But even when this is not the direct cause of a problem, it's still
making it harder for you (and us) to debug the situation. Because when
you send logs and headers that say "Received by pecandeluxe.com"
they're really a lie: they should say "Received by
bigbrother.pecandeluxe.com" - the Received line conventionally refers
to the receiving IP address NOT the receiving domain.
To fix this, reconfigure your SIMS server so that its "primary domain"
is bigbrother.pecandeluxe.com. Then go through your router entries and
insert a *first* line (before all others) that says
pecandeluxe.com = bigbrother.pecandeluxe.com
You may also (depending on your entries) need to change some of the
*right hand sides* that refer to pecandeluxe.com to instead refer to
bigbrother.pecandexluxe.com, but hopefully not since once you resolve
things to the correct addresses at pecandeluxe.com they will be
re-routed properly to be local (due to the new first line).
c. You are running incorrect, faked DNS services on
bigbrother.pecandeluxe.com:
> nslookup
>
> > server bigbrother.pecandeluxe.com
> Default Server: bigbrother.pecandeluxe.com
> Address: 67.105.93.126
>
> > pecandeluxe.com
> Server: bigbrother.pecandeluxe.com
> Address: 67.105.93.126
>
> *** No address (A) records available for pecandeluxe.com
> > set type=any
> > pecandeluxe.com
> Server: bigbrother.pecandeluxe.com
> Address: 67.105.93.126
>
> pecandeluxe.com
> origin = bigbrother.pecandeluxe.com
> mail addr = nethead.pecandeluxe.com
> serial = 24
> refresh = 28800 (8H)
> retry = 7200 (2H)
> expire = 604800 (1W)
> minimum ttl = 86400 (1D)
> pecandeluxe.com nameserver = bigbrother.pecandeluxe.com
> pecandeluxe.com preference = 10, mail exchanger =
> bigbrother.pecandeluxe.com
> pecandeluxe.com nameserver = bigbrother.pecandeluxe.com
> bigbrother.pecandeluxe.com internet address = 192.168.1.2
It looks like you are doing this in order to maintain a local network
(192.168.1.*) but still use the same contact information on the local
network that you do on the bigger network. This is FRAUGHT WITH PERIL.
It means that you will get completely different results from machines
on your local network than when they connect via an outside network,
which - hey - you're getting! :^) It's almost impossible to debug this
stuff.
To fix this, you should instead be contacting your SIMS server at the
official IP of bigbrother.pecandeluxe.com and relying on your local
router to do NAT translation of your local client address to the router
address and then contacting your mailserver as if you were inbound from
the outside network. To do this, you should make your DSL router's
external address a configured client host of your SIMS.
d. The official DNS records for your domain are like a game of
adventure: a maze of twisty little passages, all different. For one
thing, you have both MX records for pecandeluxe.com and
bigbrother.pecandeluxe.com, and they differ:
> Default Server: ns1.cnchost.com
> Address: 207.155.248.5
>
> > pecandeluxe.com
> Server: ns1.cnchost.com
> Address: 207.155.248.5
>
> pecandeluxe.com internet address = 207.155.252.38
> pecandeluxe.com internet address = 207.155.248.63
> pecandeluxe.com internet address = 207.155.252.48
> pecandeluxe.com internet address = 207.155.252.76
> pecandeluxe.com nameserver = ns1.xo.com
> pecandeluxe.com nameserver = ns2.xo.com
> pecandeluxe.com preference = 10, mail exchanger =
> bigbrother.pecandeluxe.com
> pecandeluxe.com preference = 20, mail exchanger = mailhost.cnchost.com
> pecandeluxe.com
> origin = ns1.xo.com
> mail addr = hostmaster.xo.com
> serial = 2002092367
> refresh = 36000 (10H)
> retry = 900 (15M)
> expire = 60480 (16h48m)
> minimum ttl = 10800 (3H)
> pecandeluxe.com CPU = Dynamic OS = ConcentricHost
> ns1.xo.com internet address = 207.155.248.16
> ns2.xo.com internet address = 207.155.252.16
> bigbrother.pecandeluxe.com internet address = 67.105.93.126
> mailhost.cnchost.com internet address = 207.155.248.15
> mailhost.cnchost.com internet address = 207.155.248.27
> mailhost.cnchost.com internet address = 207.155.252.26
> mailhost.cnchost.com internet address = 207.155.252.34
> > bigbrother.pecandeluxe.com
> Server: ns1.cnchost.com
> Address: 207.155.248.5
>
> bigbrother.pecandeluxe.com internet address = 67.105.93.126
> bigbrother.pecandeluxe.com nameserver = ns1.xo.com
> bigbrother.pecandeluxe.com nameserver = ns2.xo.com
> bigbrother.pecandeluxe.com preference = 10, mail exchanger =
> excellent.xo.com
> bigbrother.pecandeluxe.com preference = 20, mail exchanger =
> invincible.xo.com
> bigbrother.pecandeluxe.com preference = 30, mail exchanger =
> irresistable.xo.com
> bigbrother.pecandeluxe.com preference = 40, mail exchanger =
> indefatigable.xo.com
> bigbrother.pecandeluxe.com CPU = Static OS = ConcentricHost
> ns1.xo.com internet address = 207.155.248.16
> ns2.xo.com internet address = 207.155.252.16
> excellent.xo.com internet address = 207.155.252.55
> invincible.xo.com internet address = 207.155.248.74
> irresistable.xo.com internet address = 207.155.248.53
> indefatigable.xo.com internet address = 207.155.248.37
For another, the authoritative (registered) nameserver for your domain
gives back DNS records saying that it's not authoritative. (Your DNS
expert will say "the authoritative data does not match the delegation
data.")
Neither of these issues are likely to be directly causing you problems,
but they sure might if people ever address anything to
[EMAIL PROTECTED]! I would recommend that not have MX
records for anything but your top-level domain unless you really do
mail in the subdomains.
e. pecandeluxe.com is not actually serving SMTP directly. You ISP is
playing games with port relays. All telnets I do to the
pecandeluxe.com SMTP port actually end up talking to (a variety of)
hosts that don't even have a returned IP for pecandeluxe.com, whereas
telnets to the pecandeluxe.com telnet port always fail and always go to
an advertised address for that machine.
This is very common stuff, and often done by ISPs to trap mail traffic
from untrusted hosts, but it will cause erratic results if someone
tries to relay messages through pecandeluxe.com when in fact they think
they are talking to bigbrother.pecandeluxe.com. It will also cause
erratic results if your mailserver bigbrother is not trusted by your
ISP and so has its send attempts trapped by your ISP and redirected
through one of their hosts.
Can you telnet from bigbrother.pecandeluxe.com to port 25 on
mx.legend.co.uk? Can you send mail that way reliably? Can you send us
the log of such a session?
2. It looks like the mailservers that masquerade as pecandeluxe.com
require authentication:
telnet pecandeluxe.com 25
Trying 207.155.252.78...
Connected to goliath.xo.com.
Escape character is '^]'.
220 goliath.xo.com ESMTP [ConcentricHost SMTP Relay 1.14] ready at Mon,
23 Sep 2002 13:23:56 -0400 (EDT)
helo mail.brotsky.com
250 goliath.xo.com Hello gateway.brotsky.com [208.25.76.105], pleased
to meet you
mail from: [EMAIL PROTECTED]
550 Not authenticated -- check your mail first
This might explain why you can send mail fine when you dial up your ISP
directly: chances are that your mailer knows how to authenticate
against those servers (or retrieves mail from an associated POP
server). BUT when you connect in your subnet and you use the
"repliconfusicated" DNS info there, you never actually authenticate
against the pecandeluxe.com mail server, so any of your messages that
go through it look to it like relays (probably coming from your SIMS
server). Which brings us to my guess about your actual problem:
3. It looks like your SIMS server may be sending your legend.co.uk mail
through the "pecandeluxe.com" server (whose "SMTP" contact IP address
varies, as shown above), either intentionally or unintentionally. I
can't tell from the info you've sent out, but it would certainly
explain why you are getting failures and also why you are getting
different results at different times.
To verify this, can you send us (i) the telnet session requested above
in 1(e), (ii) the SIMS log of an attempt to send mail from a client on
your local network via bigbrother.pecandeluxe.com to someone at
legend.co.uk, and (iv) the SIMS logs for the message the you copied
below (that you tried to send to the maintainer of legend.co.uk).
Hope this helps,
dan
On Monday, September 23, 2002, at 06:14 AM, NetHead wrote:
> Well, here is yet another episode in the saga of our e-mail and its
> "blockage".
>
> I attempted to sent an e-mail to the isp which is hosting our european
> subsidiary. Since they share the same mail exchanger, we have had
> similar
> problems sending mail to them. I sent another test message to them and
> got back this error:
>
> -----begin error snippet-----
>
>> Return-Path: <>
>
>> Subject: Undeliverable mail: E-mail status
>
>> From: [EMAIL PROTECTED]
>
>> To: [EMAIL PROTECTED]
>
>> Date: Fri, 20 Sep 2002 08:33:25 -0500
>
>> Message-Id: <[EMAIL PROTECTED]>
>
>> X-Mailer: Stalker Internet Mail Server 1.8b9d14
>
>> MIME-Version: 1.0
>
>> Content-Type: multipart/report; report-type=delivery-status;
>
>> boundary="_=receipt=_=32682=_"
>
>>
>
>> Failed to deliver your message to [EMAIL PROTECTED]:
>
>> SMTP: Address rejected by host
>
>> Host 'legend.co.uk' says:
>
>> 554 <[EMAIL PROTECTED]>: Recipient address rejected: Relay access
>> denied
>
>>
>
>> Reporting-MTA: dns; pecandeluxe.com
>
>>
>
>> Final-Recipient: rfc822; [EMAIL PROTECTED]
>
>> Action: failed
>
>> Status: 5.0.0
>
>>
>
>> Received: from [192.168.1.108] ([192.168.1.108] verified)
>
>> by pecandeluxe.com (Stalker SMTP Server 1.8b9d14)
>
>> with SMTP id S.0000032528 for <[EMAIL PROTECTED]>; Thu, 19 Sep 2002
>
>> 16:36:27 -0500
>
>> Subject: E-mail status
>
>> Date: Thu, 19 Sep 2002 16:36:24 -0500
>
>> x-sender: [EMAIL PROTECTED]
>
>> x-mailer: Claris Emailer 2.0v3, January 22, 1998
>
>> From: Doug Starkey <[EMAIL PROTECTED]>
>
>> To: "Darren Spink" <[EMAIL PROTECTED]>
>
>> Mime-Version: 1.0
>
>> Content-Type: text/plain; charset="US-ASCII"
>
>>
> -----end error snippet-----
>
> Now, my interpretation of this is that Legend's mailserver rejected the
> mail because it saw it as a relay. It DOES say, "Host 'legend.co.uk'
> says"...
>
> but here is the response I got from Legend (when forwarding this error
> via a different account):
> -----begin quote-----
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Hi Doug,
>
>
>
> An error from our servers would give a "553" not "554". The error seems
> to
>
> have been generated by:
>
>
>
> Reporting-MTA: dns; pecandeluxe.com
>
>
>
> (MTA - mail transfer agent?)
>
>
> -----end quote-----
> Now, my reading of a "554" is that somewhere, a server thinks I'm
> relaying. Presumably my mail server, right? But why would my mail
> server
> think I'm relaying? I've gone over my configuration. I have all ips on
> my
> network listed in the client-hosts. I have "Relay for Clients Only"
> checked, I have "Verify Return-Path" checked, I do not use an RBL, but
> DO
> have my own internal blacklist.
>
> Is it possible this my isp is somehow detecting my e-mail as a "relay"
> attempt and then blocking it?
>
> Thanks again, all, for putting up with my mess.
>
>
> ================================================
> | Doug Starkey |
> | Network Administrator |
> | Pecan Deluxe Candy Company |
> | 2570 Lone Star Drive |
> | Dallas, TX 75212-6308 |
> | e-mail: [EMAIL PROTECTED] |
> | voice: 214-631-3669 Ext. 108 |
> | fax: 214-631-5833 |
> ================================================
>
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <[EMAIL PROTECTED]>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to <[EMAIL PROTECTED]>
>
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
