Mail problem

I`m using open suse 11.0. For the mail service i use imap-uw and postfix. My issue is this : i can send mail to any mailbox and when i use my gmail/yahoo account to send mail to my server, i get the following error:

Hi. This is the qmail-send program at yahoo.com.
I’m afraid I wasn’t able to deliver your message to the following addresses.
This is a permanent error; I’ve given up. Sorry it didn’t work out.

<@.no-ip.org>:
Sorry, I wasn’t able to establish an SMTP connection. (#4.4.1)
I’m not going to try again; this message has been in the queue too long.

— Below this line is a copy of the message…

PS: i have a freedns account that “covers” my dinamic ip *.no-ip.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Do you have port 25 open to the world, and is your DNS setup to resolve
MX requests to this machine, and then does a connection work from the
outside to that machine on that port?

Good luck.

creatura85 wrote:
> I`m using open suse 11.0. For the mail service i use imap-uw and
> postfix. My issue is this : i can send mail to any mailbox and when i
> use my gmail/yahoo account to send mail to my server, i get the
> following error:
>
>> Hi. This is the qmail-send program at yahoo.com.
>> I’m afraid I wasn’t able to deliver your message to the following
>> addresses.
>> This is a permanent error; I’ve given up. Sorry it didn’t work out.
>>
>> <@.no-ip.org>:
>> Sorry, I wasn’t able to establish an SMTP connection. (#4.4.1)
>> I’m not going to try again; this message has been in the queue too
>> long.
>>
>> — Below this line is a copy of the message…
>
> PS: i have a freedns account that “covers” my dinamic ip *.no-ip.org
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJkeFO3s42bA80+9kRAiCZAKCFPbRLJPqmnbFHdJt+hzEUlD/s0ACfaQMK
iXnxeF19SRWLEMwB3dSqu9A=
=bDkn
-----END PGP SIGNATURE-----

I`m a newbie at this and i hope to respond well to your issues :
when i use netstat -a smpt appears open and i see 2 lines saying this :

tcp 0 0 localhost:smtp * : * LISTEN

when i use iptables -L there is a chain for smtp that looks like this :
LOG tcp – anywhere anywhere limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ’
ACCEPT tcp – anywhere anywhere tcp dpt:smtp

Regarding MX requests i have looked in /etc/postfix/main.cf and i did not found anything. Where can i look for info`s about MX requests?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The netstat output doesn’t help if it’s only listening on localhost as
nothing can reach localhost ecxept, well, the local host. The snippet
from iptables only applies as long as nothing before it is overriding it
but it says to listen to anything I believe and don’t see how it applies
to port 25, but maybe I’m missing something. The last bit is all about
DNS. Your DNS entry for your domain needs to be setup so when queried
with something like dig mx yourdomain.com the IP address that will
route port 25 traffic to your SMTP server is the one returned. Let’s
pretend you are at ‘yourdomain.com’ and the IP address that routes to
your SMTP machine’s port 25 is 123.45.67.89. If that is the case post
the following output executed from a machine outside your network:

dig mx yourdomain.com

netcat -zv 123.45.67.89 25

Also note that the dig command above should show 123.45.67.89 with ‘MX’
in the line when run as shown above. Finally from the server itself run:

netstat -anp | grep 'LISTEN ’

Post the output from all of those.

Good luck.

creatura85 wrote:
> I`m a newbie at this and i hope to respond well to your issues :

when i use netstat -a smpt appears open and i see 2 lines saying this :

tcp 0 0 localhost:smtp * : *
LISTEN

when i use iptables -L there is a chain for smtp that looks like this
:
LOG tcp – anywhere anywhere limit: avg
3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix SFW2-INext-ACC-TCP ' > ACCEPT tcp -- anywhere anywhere tcp > dpt:smtp > > Regarding MX requests i have looked in /etc/postfix/main.cf and i did > not found anything. Where can i look for infos about MX requests?
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJkr373s42bA80+9kRAgN8AJ9RfbNWW0RLmWXUBA0LMrnFXDtTeACfQTc9
8FS8Cu7OaczWnQXBeKMtyXg=
=mhaO
-----END PGP SIGNATURE-----

My virtual name is creation.no-ip.org since i have a dynamic ip . Here is the output :

dig mx creation.no-ip.org

; <<>> DiG 9.4.2-P1 <<>> mx creation.no-ip.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16942
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;creation.no-ip.org.            IN      MX

;; Query time: 139 msec
;; SERVER: 213.154.124.1#53(213.154.124.1)
;; WHEN: Thu Feb 12 09:17:44 2009
;; MSG SIZE  rcvd: 36

netcat -zv 127.0.0.1 25
localhost [127.0.0.1] 25 (smtp) open

netcat -zv localhost 25
localhost [127.0.0.1] 25 (smtp) open

...
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3462/master
...
tcp        0      0 ::1:25                  :::*                    LISTEN      3462/master
...

I think this is all that you have asked.

To allow your postfix process to listen to outside requests, you have to edit /etc/sysconfig/mail and set SMTPD_LISTEN_REMOTE=yes, then restart postfix. But that may not be all, you also have to add a port forwarding command to your broadband router. But it’s a start.

I don`t own a broadband router :). If i open yast and go to MTA there i find an option “accept remote smtp connections” is that the same thing with “SMTPD_LISTEN_REMOTE=yes” ?

Yes, I think so, it’s the same thing. You can double check by looking at the file and see if that option has changed to yes afterwards.

PS: I hope you are prepared, at least psychologically, for the fact that as soon as you present an open SMTP port to the outside world, you will get a continual stream of attempts to send you spam from hijacked Windows machines. They are not targetting you particularly, it’s just that there are so many compromised machines that lots of them are made by spammers to spend their time just trying IP addesses at random in the hope that they will find an open relay or another machine to infect.

Let me see if i got this right: if i adjust that setting my computer will be in danger of being infected?

No, far from that. But you will get more machines trying to connect that you might think. You think nobody knows your mail domain, but these infected machines will try random addresses.

That’s the other thing you have to get working: you need a MX entry at your domain registrar so that the MX record for your domain points to your IP address. If your IP address is dynamic, then you need to do this at your dynamic IP registrar.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Perhaps a simplified dialog will help you. We have two parties
involved… somebody wanting to e-mail you (‘Customer’) and your mail
server (‘mx4creatura85.creatura85.org’, aka 123.45.67.25).

Customer: I need to send an e-mail to creatura85@creatura85.org and to
do so I must find a mail server. Operating System (OS), do you know
where the mail server it?
Customer OS: No, it’s not in my cache or static entries so let me find
out via DNS.
Customer OS: Hey DNS, do you know what in the world creatura85.org is?
Customer DNS: No, let me check around. <time lapse… ten milliseconds>
okay I’ve got it. You want 123.45.67.89. Anything else?
Customer OS: I need an MX record while you’re at it.
Customer DNS: Why didn’t you say so… hold on… <time lapse, five
milliseconds> Okay, for mail (MX) you actually want 123.45.67.25.
Customer OS: Got it. Thank-you. Okay Customer, your message will go
to 123.45.67.25 on TCP port 25. Anything else I can do?
Customer: Great, here is the message. Please give it to ‘creatura85’
at that address.
Customer OS: I’ll be one second… if I’m slow. Time for a trip on the
(Information Super)Highway to deliver the letter. Vroom, vroom.
(“driving” in an ultra-reliable car (probably a Toyota) to 123.45.67.25
port 25).
Customer OS (via TCP): HELO mx4creatura85, I am
customeros.customernetwork.net and I have a letter for creatura85. Do
you know who that is?
mx4creatura85: One step at a time, skippy. Let me verify your identity
first or you don’t get to talk to nobody.
mx4creatura85: Hey DNS… you know this bum who just drove up? His
driver’s license says he’s from 121.212.121.212 but he claims to be from
customernetwork.net.
mx4creatura85 DNS: I don’t know for myself but checking with my
partners at that DNS name they verified the driver’s license is right
for that person.
mx4creatura85: Okay, thanks.
mx4creatura85: All right, Customer OS, you’re apparently who you say
you are. I know ‘creatura85’ and will deliver that for you. It’s been
a bit hectic lately since we opened up for business with the public;
used to keep it all internal and things were much nicer… less
loitering, people going door-to-door asking for random “friends” and
“business partners” of theirs… all kinds of riffraff. Anything else I
can do for you?
Customer OS (via TCP): Nope, that’s it. Thanks.
mx4creatura85: Okay, bye.
Customer OS: Hey Customer, I managed to drop off your letter… took me
about 0.8 seconds. I deserve a raise don’t you think? I didn’t get
confused by any routing issues on either end, and didn’t get snagged by
any network or host-based firewalls preventing access to port 25 on the
remote end. I didn’t even get an old outdated MX record from remote DNS
because of my good reliable contacts. Whew… all in a second’s work.
Customer: Yes, very nice. Get back to work.

• — In the meantime

mx4creatura85: I’d better store this away so the next time creatura85
comes by I can hand him all of his mail.
creatura85: Hey mail server, have anything for me?
mx4creatura85: Oh boy do I! I just received one from a very important
somebody. Here you go.
creatura85: Great thanks.

So anyway, there are a lot of pieces involved. If your DNS MX entry is
outdated (your responsibility or your ISP’s responsibility to keep up to
date… ultimately yours though) mail won’t get to you because there’s
no way to tell a remote mail server where to send mail. With around
four billion IP addresses available it’s a lot of work narrowing down
the options. Also if you are using a dynamic IP you must make sure that
record updates as your IP does, hence why most sites and services
available to the public online use static IP addresses, or at least have
really well-updated DNS records. You also need to make sure your mail
server is configured to accept data from the outside world, but it needs
to make sure that it does not “relay” messages for just anybody or you
will become a SPAM source overnight. Firewalls need to be out of the
way for port 25 too, of course.

Good luck.

ken yap wrote:
> No, far from that. But you will get more machines trying to connect that
> you might think. You think nobody knows your mail domain, but these
> infected machines will try random addresses.
>
> That’s the other thing you have to get working: you need a MX entry at
> your domain registrar so that the MX record for your domain points to
> your IP address. If your IP address is dynamic, then you need to do this
> at your dynamic IP registrar.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJltWg3s42bA80+9kRAjlKAJ0Su/8x4lRu6vZgML0coIj1yH0HsACcDDAL
sypZx47fpS6uLZile5Awk5I=
=AIoW
-----END PGP SIGNATURE-----

Wow, I didn’t know mail delivery could be so exciting. Thanks for that dramatisation, that really brightened up my morning.

Yes it was very good. But how can i use my no-ip.com mask to make MX record work properly? If i use /dns my-mask it shows my ip but when i used “dig mx creation.no-ip.org” it did show :
“…
; SERVER: 213.154.124.1#53(213.154.124.1)
…”

Can i integrate this in postfix configuration?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It’s all about DNS. Chances are good that you’ll need to get your
no-ip.com provider to set this up for you as it is probably THEIR DNS
server being queried, and it doesn’t know you have a MX server out there
(most people don’t… especially most people w/dynamic IPs).

Good luck.

creatura85 wrote:
> Yes it was very good. But how can i use my no-ip.com mask to make MX
> record work properly? If i use /dns my-mask it shows my ip but when i
> used “dig mx creation.no-ip.org” it did show :
> “…
> ; SERVER: 213.154.124.1#53(213.154.124.1)
> …”
>
> Can i integrate this in postfix configuration?
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJJnBcJAAoJEFl00+q2r0YpoRMP/RhzWBfqHCd8VSN89hSo+yEQ
aRxroLsyAlMdaa1PLdVREeNW76gOEAwdLGl97KkNpD+4D3O3g15tckV3s/tXpKpF
WGoVAEKyICLmXxUf5Hka8DhN1r+dZR7CPo+wuNgO892lCEBRzL/2HwfB56xNEDir
7o7e8jdFHzYOktJBSKV/9tUwwU8zg7q8ey7QjCNGDSKhUzVKmSExYkuEJwmUSpS8
QMoRkWwPdMz0SW1NbdyJ44Dzel4beiTLgMTvLp06rJ7HB1JvXZzXUGkKPHxvfknX
kw+FXMKJK07JZd8huWPTg2A25UjopMHIIM7lmnxMKq1CIOYlDfGOFV7yQ8UvBuE5
6iGW36F9SeG0nMASEvYVN/rVOxXq3qITVdmJS2JVImDwk9lqHfuNvEIPOs+2jeWR
YR+mNUZr5Cd2yg9zVgp7UsELXNT+LUoNdpFbEwtSRfEq496/d6/0Mzt6RC21rfvp
5qszS/1g6EnSh3f0zZD5pobgLq/o6W+3Vn1i+WjGsunIKvzycP4li5vYyUtoldbS
KoAGJGe7pVVSSoxyNRGs227idDkUMJyM3KhQoRrt+HzdujlqZlrmIstGYKvoCuAr
tNkmg5v/aMG6k6GH21hpyfBVf2vplaL5I411AiRqUpcM44Dh98b9L2qaQzL56F5r
FPVjSZaqMRnOUUNpjH0Z
=Co2H
-----END PGP SIGNATURE-----

I see. Lets say that no-ip.com offers me that chance where do i add in my postfix conf(main.cf) the MX infos ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You don’t… you add it to their site somehow. Your mail server is not
being reached AT ALL for anything at this point. Unless I missed a post
you still need to test just accessing it directly by IP address.
Assuming you can reach on your own from the Internet to your own server
(by IP address) on port 25 with something like netcat (or, worst case,
telnet) all the MX records in the world will only point a server to a
blocked port on your router. Make sure you have access from the net and
then you can keep on worrying about the DNS side.

Good luck.

creatura85 wrote:
> ab@novell.com;1946265 Wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> It’s all about DNS. Chances are good that you’ll need to get your
>> no-ip.com provider to set this up for you as it is probably THEIR DNS
>> server being queried, and it doesn’t know you have a MX server out
>> there
>> (most people don’t… especially most people w/dynamic IPs).
>>
>> Good luck.
>>
>>
> I see. Let`s say that no-ip.com offers me that chance where do i add in

my postfix conf(main.cf) the MX info`s ?
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJJnFf9AAoJEFl00+q2r0Yp3YwQALFmlXB1wn1aXfrbtGLlRZ8J
mKKQaNqJcCnWVLjMtPU57olGbXomJAVW0eeUp/O2mkTBxciIxPz1JbKjjiUgltCA
ilPegGyXEVkl2F0aZ2r2Ouaum7sLK0pdRymWyU+LORU6ryMAcQNI/3M+0dXqeiKN
kZjF0JEG9bJK2/w27UV5m7hEWlvlY7ROHNRTgTjoiswYD0fKjDdRLwLqSPZhlswJ
3pLB9ZZERIgd1ktX7R03HfiIACkvouKtv6nNiBPv4YV2PAPpxfW+0yLAsTvU/nNh
cx5ugmsCqeSd4peHP/rZAISyyXju1WTJWGlsBteID6G39f3MrKMnxQCb8c0atNNU
n0HOBN4RK2j7lozNrR/YDixaD6VDWBmslJ1hX3AdSD5W0g6mhs78oWzlb71kpU1c
qwG5Q7stobrnPXfvosyZeqxjKuyPuCL12kD4ebtz315nOGUZlaTdN/eqOxGVR+t2
9CxfWh5dlsGAoKMZfXPnVkYIlEZPELNqmUzRDjzY15vWJoUviQc7P7zSJqXDE4m8
rDFKSq31JTGBVEM853n3miOEM+JTvGjjIwjbJUZ/gv2oKDm3CUzgOMVuB5dMaRAq
MtCiLnfUs+qif0/KjzlZ9H+wcnLoBHcbyZLC8Z6fFKQex7yVCPOPQLSYYk6oj14c
y6Hao1p1xn5qlVXoPrFs
=FCAa
-----END PGP SIGNATURE-----

I see. Well it seems that i will need a static ip if i want to do this. Thank you all for your help

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, it would help, but no, it’s not required.

Good luck.

creatura85 wrote:
> I see. Well it seems that i will need a static ip if i want to do this.
> Thank you all for your help
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJJoL5ZAAoJEFl00+q2r0YphksQAI5kgB1jbi+Y5zvTjsnpDhVa
+37cuEis+CwpKHZ34Xi8lDnW3zp1chya5itkc9QHt9KCbfQTx12z/vdI2C0Sedwe
xAa0kvXEtqMtdYlstmAzVAFRgR115qvThHQrIs1YXCREudiHdRzrLPO6EU+Crwqk
Ksg4PQSNfp1snl6aMA2GgdXGGz8nSbMH4PHFCSV8oQ7VXS0F0UzjyvX2TcrlofFL
2dQLPBMn1LVIXdD54sY55bo+n9kTA2F0WqwmM3z12AFtNibidltB5pqbHkQQUIHy
jcSnV9BAfzHhzILmWC1MeeaH2ToGYoDdwDhTaKRC4xxnUz9mOeofUrh7/Y986djC
/NJ0bb9W7SijkE6H1yFjhHTN6EUZuR+zFMCjzqJMdugg3jadjcP+/iu10qXaHa0U
dpowSoIhiBGwMn4yYvrBp/fKRotW6ja4iQGZKDZisGwu5+eCu20UXX6gT1O8f+V9
rT2/NMuIVYgOLj0tA5yS8jOQxvFKno88g+1S8P7Cyt3LxuY0s/Yw3DbLo89adhkP
uYkyrG8SAkUj24GQul0eLQ6bmbVs3ItfXVTJDH0ZT1KNx68SSAwLSqU1p0hiMYRO
NS9cY5AETCMTjK6nIdYTh+RPUAjqm4jL6gVwKwq54nA2JXgt1Qpzdmx+M9EXFLa2
VO8jVs4nLCqHNwqhgAgQ
=xA21
-----END PGP SIGNATURE-----

Yes but is out of reach for me since im a newbie. I have only 6 months of experience with linux so im still building my basics

Back with another question : if i change the default port from 25 to another port above 1024, will that help ?