All sent email being refused, stuck in que

bubblecatcher · July 27, 2020, 5:36pm

Hi, all email via my server has suddenly refused and is stuck in the mailq:

2020-07-27 18:23:55 1k06qx-0004Sr-4S <= [email protected] H=host86-190-128-189.range86-190.btcentralplus.com ([192.168.1.169]) [86.190.128.189] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no SNI=“mail.innesphotography.co.uk” A=dovecot_plain:[email protected] S=747 [email protected]
2020-07-27 18:23:56 1k06qx-0004Sr-4S H=mx-eu.mail.am0.yahoodns.net [188.125.72.73] Connection refused
2020-07-27 18:23:57 1k06qx-0004Sr-4S H=mx-eu.mail.am0.yahoodns.net [188.125.72.74] Connection refused
2020-07-27 18:23:57 1k06qx-0004Sr-4S == [email protected] R=dnslookup T=remote_smtp defer (111): Connection refused

2020-07-27 18:25:11 1k06sA-0004aQ-Vf <= [email protected] H=localhost (webmail.michael-innes.co.uk) [127.0.0.1] P=esmtp S=504 [email protected]
2020-07-27 18:25:11 1k06sA-0004aQ-Vf == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host for ‘mail.com’

I have check if in block lists and have found only positive,
http://rfc-clueless.org/lookup/mail.michael-innes.co.uk

This comes up as an ancestor issue with no obvious means to removal.

Should not that domains the server that do not show in this list also fail to send?

2020-07-27 18:31:41 1k06yT-0004k4-KS <= [email protected] H=host86-190-128-189.range86-190.btcentralplus.com ([192.168.1.169]) [86.190.128.189] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no SNI=“mail.carpconnect.biz” A=dovecot_plain:[email protected] S=650 [email protected]
2020-07-27 18:31:41 1k06yT-0004k4-KS == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host for ‘mail.com’

any pointers?

thanks

AlwaysSkint · July 27, 2020, 5:56pm

Just been having a look at one of my Russian test servers and it’s also struggling to email my own address. You gave me a light bulb moment - it won’t connect because I can’t set a rDNS/PTR yet with this specific hosting provider.

Poor pun?

bubblecatcher · July 28, 2020, 8:29am

When send email via console

echo “Test message from server” | mail -s “Test message from server” [email protected]

it works for receiving email domains on server, but not external emails such as gmail?

thanks

falzo · July 28, 2020, 10:26am

did you try to run a traceroute towards these yahoo IPs to see if you get blocked on the way already or if yahoo is rejecting your connection attempts because of other reasons?

piping some string into a mail command is not a reliable mail test in any way. rather try connecting to the destination mail server via telnet to see proper responses.

AlwaysSkint · July 28, 2020, 10:26am

For gmail/hotmail, you need to get all your DNS records in order: rDNS, SPF, DKIM, DMARC
Then, maybe, just maybe the email will be accepted, unless you try to send via the muppets than run ATT, sbcglobal et al, group.

falzo · July 28, 2020, 10:29am

afaik @bubblecatcher server is with hetzner and has an rdns set, at least when I checked based on the domain names above.
that’s why I suggest to see if he even can make a connection to those IPs and especially port 25 etc.
I still think he is either blocked by his own firewall settings or maybe with those providers directly. for the latter however you normally get a proper 5.7.1 or something and not just connection refused…

bubblecatcher · July 28, 2020, 10:55am

Thanks for reply

First off, all was working fine until recently so doubt it something i have done, possible an update?

Yes i did do traceroute and dig

traceroute 188.125.72.74
traceroute to 188.125.72.74 (188.125.72.74), 30 hops max, 60 byte packets
1 static.78-47-66-225.clients.your-server.de (78.47.66.225) 0.313 ms 0.482 ms 0.635 ms
2 * core23.fsn1.hetzner.com (213.239.229.233) 1.537 ms core24.fsn1.hetzner.com (213.239.229.237) 7.426 ms
3 core1.fra.hetzner.com (213.239.203.153) 4.815 ms 4.952 ms core1.fra.hetzner.com (213.239.229.77) 5.035 ms
4 yahoo.peering.cz (91.213.211.120) 19.375 ms 18.834 ms 19.875 ms
5 UNKNOWN-188-125-89-X.yahoo.com (188.125.89.123) 20.335 ms 19.933 ms 19.466 ms
6 UNKNOWN-188-125-89-X.yahoo.com (188.125.89.53) 25.379 ms 27.604 ms 24.044 ms
7 xe-4-2-0.pat1.tc2.yahoo.com (66.196.65.210) 24.250 ms 25.258 ms 24.673 ms
8 UNKNOWN-66-196-65-X.yahoo.com (66.196.65.217) 40.263 ms 39.991 ms 41.017 ms
9 et-1-1-2.msr1.ir2.yahoo.com (66.196.65.19) 42.090 ms 41.365 ms ge-0-3-9-d104.pat1.the.yahoo.com (66.196.65.21) 41.103 ms
10 lo0.fab1-1-gdc.ir2.yahoo.com (77.238.190.2) 42.128 ms lo0.fab2-1-gdc.ir2.yahoo.com (77.238.190.3) 41.887 ms lo0.fab3-1-gdc.ir2.yahoo.com (77.238.190.4) 41.222 ms
11 usw1-1-lbb.ir2.yahoo.com (77.238.190.104) 42.195 ms usw2-1-lbb.ir2.yahoo.com (77.238.190.105) 41.109 ms usw1-1-lbb.ir2.yahoo.com (77.238.190.104) 41.381 ms
12 mtaproxy2.free.mail.vip.ir2.yahoo.com (188.125.72.74) 41.548 ms 40.999 ms 39.975 ms

dig 188.125.72.74

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> 188.125.72.74
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39042
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;188.125.72.74. IN A

;; AUTHORITY SECTION:
. 1052 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072800 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 213.133.100.100#53(213.133.100.100)
;; WHEN: Tue Jul 28 11:34:16 BST 2020
;; MSG SIZE rcvd: 117

Note this is not just yahoo or gmail, but any other email that sending is tried too, including

How can my own firewill be blocking me when it is turned off?

I need to configure DMARC, all others should be fine.

AlwaysSkint · July 28, 2020, 11:00am

Could it be that Hetzner has decided to block port 25? Just a thought.
As per @Falzo try a telnet 25 test.

Raphael · July 28, 2020, 11:09am

Hetzner usualy doesnt block any ports .

bubblecatcher · July 28, 2020, 11:52am

tried telnet from my laptop.

telnet mail.michael-innes.co.uk 25
Trying 176.9.39.21…
Connected to mail.michael-innes.co.uk.
Escape character is ‘^]’.
220 server.lislehost.com
EHLO mail.michael-innes.co.uk
250-server.lislehost.com Hello host86-190-128-189.range86-190.btcentralplus.com [86.190.128.189]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP
Mail FROM:[email protected]
250 OK
RCPT TO:[email protected]
550 smtp auth required

thanks

falzo · July 28, 2020, 1:16pm

you should try telnet not into your own server but from your server to e.g. yahoos mailserver, because you can’t send mails there

edit: maybe also post the output of iptables -nL and csf -t and ipset -L to see what else could be going on… you are not using selinux, right?

AlwaysSkint · July 28, 2020, 1:41pm

bubblecatcher · July 28, 2020, 6:12pm

Output as requested.
iptables -nl output

csf -t
csf: There are no temporary IP entries

ipset -L
ipset: command not found

I tried dropping all csf denied ips

csf -df

still mail stuck in que.

telnet yahoo

telnet 188.125.72.74 25
Trying 188.125.72.74…
Connected to 188.125.72.74.
Escape character is ‘^]’.
220 mtaproxy203.free.mail.ir2.yahoo.com ESMTP ready
Connection closed by foreign host.

many thanks

AlwaysSkint · July 28, 2020, 6:18pm

So, it closed the connection before you could send a formatted test email?

( Test TCP Port 25 (smtp) access with telnet - Thomas-Krenn-Wiki-en )

bubblecatcher · July 28, 2020, 7:34pm

i tried exim -qf`

/var/log/exim4/mainlog

2020-07-28 19:13:15 1k06sA-0004aQ-Vf H=mx01.mail.com [74.208.5.22] Connection refused
2020-07-28 19:13:15 1k06sA-0004aQ-Vf == [email protected] R=dnslookup T=remote_smtp defer (111): Connection refused

2020-07-28 19:13:20 1k0Kvb-0001TB-3c H=alt3.gmail-smtp-in.l.google.com [108.177.97.26] Connection refused
2020-07-28 19:13:21 1k0Kvb-0001TB-3c H=alt4.gmail-smtp-in.l.google.com [74.125.28.26] Connection refused
2020-07-28 19:13:21 1k0Kvb-0001TB-3c == [email protected] R=dnslookup T=remote_smtp defer (111): Connection refused

bubblecatcher · July 28, 2020, 7:36pm

Note although the main server IP is not on any blacklist, one other IP in server is listed, though looks like this is to do with mail/dns setup which i am looking into.

thanks

falzo · July 28, 2020, 8:38pm

that iptables listing tells a story. do you even know, what half of the rules you put in there are doing?

I suggest for a simple test to change the policies of INPUT and OUTPUT chain to ACCEPT and try sending a mail. if it works, you know what you messed up.

btw. that’s what ipset is for, hashing large lists of IPs and subnets instead having them ressource-hogging inside iptables. and on top of that you (want to) use csf? paranoid much?

anyway, this is far off from what Hestia sets or does at all so in no way related.

as said before, if you want to find what causes your troubles start from scratch. iptables+fail2ban which comes with hestia works out of the box.
if you change that dramatically by running scripts that implement large blocklist in a questionable way and on top put in a second firewall appliance in parallel, I am afraid no one can help you.

TL;DR; YOU are blocking yourself from sending mails to the outside world with installing/running too much stuff that you can’t properly debug yourself. and it’s not related to hestia.

Raphael · July 28, 2020, 9:27pm

hes-right-you-know-32644960

AlwaysSkint · July 28, 2020, 10:57pm

^ You’d cringe if you saw my complete blocklist (ipset/CSF).
Typically 12 countries, nearly all the csf.blocklists plus AWS and now DO, on some servers. Plus, of course the idiots who broadcast/scan on the local networks.
Ain’t nothing to do with HestiaCP though.

falzo · July 29, 2020, 5:05am

No worries, I do use ipset myself with a few selected blocklists.

However I don’t think iptables is the right place for weird rules trying to match uids or gids trying to control whos allowed to send out mail … just sayin’