Hi All, OpenSMTPd from the OpenBSD 5.3 i386 release is installed, and outgoing mail is stuck in the queue, unable to find the MX server to relay to. What I find confusing is that some emails have been relayed (after some delay).
tcpdump reports that smtpd is sending 3 UDP messages to the name server, but when the reply arrives for the first request, an ICMP port unreachable message is returned, indicating the first port is unreachable. I suspected pf (I always suspect pf :-) but when using dig, we see the MX query and the UDP reply is accepted. The difference I see is that dig sends only one request instead of 3. In both cases (smtpd and dig) `systat states` shows the UDP states. It *looks* like smtpd is no longer listening for a response on the first request's port. I don't see a response to the second and third requests.

Does anything in the following configuration appear wrong or questionable? Does smtpd making 3 DNS requests seem reasonable? What might cause it to stop listening for a response?

kind regards
Richard

-- discarded hypotheses --

DNS port 53 blocked: dig works using udp (confirmed with tcpdump)
Google greylisting the server: we're dealing with an MX lookup, not even talking to the MX server yet
pf blocking the response: pflog shows the response passing through ok, followed by ICMP port unreachable

-- example of queued email /var/log/maillog --

Sep 24 16:42:41 air smtpd[26033]: smtp-out: Failed to resolve MX for [relay:gmail.com]: Temporary failure in MX lookup
Sep 24 16:42:41 air smtpd[26033]: relay: TempFail for b9f911e5461420de: from=<[email protected]>, to=<[email protected]>, relay=gmail.com, delay=18h46m44s, stat=Temporary failure in MX lookup

-- yet successful relays do occur --

Sep 23 07:38:23 air smtpd[26033]: relay: Ok for ea37fd112e1ae8b9: from=<[email protected]>, to=<[email protected]>, relay=173.194.79.27 (pb-in-f27.1e100.net), delay=2d21h26m45s, stat=250 2.0.0 OK 1379885903 tb4si20226167pab.174 - gsmtp
Sep 23 07:38:23 air smtpd[26033]: smtp-out: Closing session 00000098010cea0a: 1 message sent.

-- results of tcpdump, listening just after scheduling a queued email --

tcpdump: listening on bce0, link-type EN10MB
Sep 24 20:59:32.982304 00:19:b9:65:eb:6f 9c:d3:6d:00:4a:da 0800 76: 10.0.19.19.13051 > 10.0.19.1.53: 34084+ MX? finalstep.com.au. (34)
Sep 24 20:59:33.992309 00:19:b9:65:eb:6f 9c:d3:6d:00:4a:da 0800 76: 10.0.19.19.30242 > 10.0.19.1.53: 34084+ MX? finalstep.com.au. (34)
Sep 24 20:59:35.002296 00:19:b9:65:eb:6f 9c:d3:6d:00:4a:da 0800 76: 10.0.19.19.4501 > 10.0.19.1.53: 34084+ MX? finalstep.com.au. (34)
Sep 24 20:59:36.141495 9c:d3:6d:00:4a:da 00:19:b9:65:eb:6f 0800 255: 10.0.19.1.53 > 10.0.19.19.13051: 34084 7/0/0 MX alt2.aspmx.l.google.com. 20,[|domain] (DF)
Sep 24 20:59:36.141532 00:19:b9:65:eb:6f 9c:d3:6d:00:4a:da 0800 70: 10.0.19.19 > 10.0.19.1: icmp: 10.0.19.19 udp port 13051 unreachable

-- results from pflog, to check that the DNS response is being allowed through --

tcpdump: listening on pflog0, link-type PFLOG
Sep 24 22:42:07.899229 rule 21/(match) pass out on bce0: 10.0.19.19.28639 > 10.0.19.1.53: 20546+ MX? gmail.com. (27)
Sep 24 22:42:08.909230 rule 21/(match) pass out on bce0: 10.0.19.19.4318 > 10.0.19.1.53: 20546+ MX? gmail.com. (27)
Sep 24 22:42:09.919229 rule 21/(match) pass out on bce0: 10.0.19.19.20045 > 10.0.19.1.53: 20546+ MX? gmail.com. (27)
Sep 24 22:42:11.053495 rule 25/(match) pass in on bce0: 10.0.19.1.53 > 10.0.19.19.28639: 20546 5/0/0[|domain] (DF)
Sep 24 22:42:11.053525 rule 36/(match) pass out on bce0: 10.0.19.19 > 10.0.19.1: icmp: 10.0.19.19 udp port 28639 unreachable

-- /etc/mail/smtpd.conf --

listen on lo0
listen on egress
# allow submission of mail from anywhere (it may not be accepted)
listen on egress smtps certificate base auth # use /etc/mail/certs/base.{crt,key,ca}
table aliases db:/etc/mail/aliases.db
accept from any for domain "finalstep.net.au" alias <aliases> deliver to mbox
accept for local alias <aliases> deliver to mbox
accept for any relay

-- /etc/pf.conf --

set skip on lo
set block-policy return
antispoof for egress
tcpserv = "{ auth, ssh, http, https, smtp, smtps }"
udpserv = "{ ntp, domain }"
block log all
pass on egress inet proto tcp to port $tcpserv
# UDP services - temporary: separate rules and no state to ensure we log each packet
# normal rule: pass out on egress inet proto udp to any port $udpserv
pass out log quick on egress inet proto udp to any port $udpserv no state
pass in log quick on egress inet proto udp from any port $udpserv no state
pass in quick on egress inet proto udp from any port bootpc to any port bootps
pass out quick on egress inet proto udp from any port bootps to any port bootpc
# rules for spamd(8)
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp
# no spamd for smtps connections because they are authenticated
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
# make the machine troubleshooting-friendly
icmp_types = "{ echoreq, unreach }"
pass log on egress inet proto icmp all icmp-type $icmp_types
# block unwanted visitors
table <banned> persist file "/etc/pf.banned"
block drop from <banned>
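One way to check a capture for the pattern this post describes (the query retransmitted at a fixed interval, then the reply landing on a port the host has already reported unreachable because the resolver closed its socket), as an added example that is not part of the original thread: a small Python script that correlates each DNS transaction id with its retries, its reply and any ICMP port unreachable for the reply's port, and reports the timing. The tcpdump and pflog lines quoted above are embedded as constructed sample input; the regexes assume the default tcpdump summary format shown there.

```python
import re
from datetime import datetime

# Constructed sample input: the bce0 tcpdump and pflog captures quoted in the
# post, one packet per line (both formats carry the same DNS summary fields).
SAMPLE = """\
Sep 24 20:59:32.982304 00:19:b9:65:eb:6f 9c:d3:6d:00:4a:da 0800 76: 10.0.19.19.13051 > 10.0.19.1.53: 34084+ MX? finalstep.com.au. (34)
Sep 24 20:59:33.992309 00:19:b9:65:eb:6f 9c:d3:6d:00:4a:da 0800 76: 10.0.19.19.30242 > 10.0.19.1.53: 34084+ MX? finalstep.com.au. (34)
Sep 24 20:59:35.002296 00:19:b9:65:eb:6f 9c:d3:6d:00:4a:da 0800 76: 10.0.19.19.4501 > 10.0.19.1.53: 34084+ MX? finalstep.com.au. (34)
Sep 24 20:59:36.141495 9c:d3:6d:00:4a:da 00:19:b9:65:eb:6f 0800 255: 10.0.19.1.53 > 10.0.19.19.13051: 34084 7/0/0 MX alt2.aspmx.l.google.com. 20,[|domain] (DF)
Sep 24 20:59:36.141532 00:19:b9:65:eb:6f 9c:d3:6d:00:4a:da 0800 70: 10.0.19.19 > 10.0.19.1: icmp: 10.0.19.19 udp port 13051 unreachable
Sep 24 22:42:07.899229 rule 21/(match) pass out on bce0: 10.0.19.19.28639 > 10.0.19.1.53: 20546+ MX? gmail.com. (27)
Sep 24 22:42:08.909230 rule 21/(match) pass out on bce0: 10.0.19.19.4318 > 10.0.19.1.53: 20546+ MX? gmail.com. (27)
Sep 24 22:42:09.919229 rule 21/(match) pass out on bce0: 10.0.19.19.20045 > 10.0.19.1.53: 20546+ MX? gmail.com. (27)
Sep 24 22:42:11.053495 rule 25/(match) pass in on bce0: 10.0.19.1.53 > 10.0.19.19.28639: 20546 5/0/0[|domain] (DF)
Sep 24 22:42:11.053525 rule 36/(match) pass out on bce0: 10.0.19.19 > 10.0.19.1: icmp: 10.0.19.19 udp port 28639 unreachable
"""
TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+)"
QUERY = re.compile(TS + r".* [\d.]+\.(?P<sport>\d+) > [\d.]+\.53: (?P<id>\d+)\+ \w+\? (?P<qname>\S+)")
REPLY = re.compile(TS + r".* [\d.]+\.53 > [\d.]+\.(?P<dport>\d+): (?P<id>\d+) ")
UNREACH = re.compile(TS + r".*icmp: [\d.]+ udp port (?P<port>\d+) unreachable")

def _stamp(m):  # no year in the capture; strptime's default year is fine for deltas
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")

def analyze(capture):
    """Group packets by DNS transaction id; flag replies addressed to a port the
    host then reported unreachable (the resolver had already closed its socket)."""
    txns, dead_ports = {}, set()
    for line in capture.splitlines():
        if m := QUERY.search(line):
            tx = txns.setdefault(m["id"], {"qname": m["qname"], "sent": [], "reply": None})
            tx["sent"].append((_stamp(m), int(m["sport"])))
        elif m := REPLY.search(line):
            tx = txns.setdefault(m["id"], {"qname": "?", "sent": [], "reply": None})
            tx["reply"] = (_stamp(m), int(m["dport"]))
        elif m := UNREACH.search(line):
            dead_ports.add(int(m["port"]))
    for tx in txns.values():
        tx["reply_to_closed_port"] = tx["reply"] is not None and tx["reply"][1] in dead_ports
    return txns

def summarize(tx):
    """Per transaction: attempts, mean retry interval and reply latency, in seconds."""
    sent = sorted(tx["sent"])
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(sent, sent[1:])]
    latency = (tx["reply"][0] - sent[0][0]).total_seconds() if tx["reply"] and sent else None
    return {"qname": tx["qname"], "attempts": len(sent),
            "retry_interval": round(sum(gaps) / len(gaps), 2) if gaps else None,
            "reply_latency": round(latency, 3) if latency is not None else None,
            "reply_to_closed_port": tx["reply_to_closed_port"]}
```

Running `summarize(tx)` over `analyze(SAMPLE)` shows, for both captures, three attempts about 1 s apart and a reply arriving roughly 3.15 s after the first query on a port already reported unreachable, which is the timing relationship worth comparing against the resolver's per-attempt timeout.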
