Can't receive email with citadel
I have installed Citadel using the Linode guide on a subdomain (posta.mydomain.com), and set the MX records as follows:
posta.mydomain.com 10 Default
smtp.secureserver.net 20 Default
mailstore1.secureserver.net 30 Default
mydomain.com 0 posta Default
So I have added posta.mydomain.com and mydomain.com with the subdomain posta.mydomain.com, whereas smtp.secureserver.net and mailstore1.secureserver.net were already there by default (I have the domain with GoDaddy).
In the Citadel settings I have entered this:
Fully qualified domain name: mydomain.com
Local host aliases and Directory domains: mydomain.com and posta.mydomain.com
I have created a new user on Citadel,
Delivery to the following recipient failed permanently:
piero@mydomain.com
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain mydomain.com by smtp.secureserver.net. [68.178.213.37].
The error that the other server returned was:
550 5.1.1 <piero@mydomain.com> Recipient not found.
What can I do to fix the problem? Have I maybe misconfigured Citadel or the MX records?
% telnet posta.whaletrue.com 25
Trying 109.74.198.44…
And it hangs there.
So it looks like you haven't opened any firewall rule to allow incoming port 25. Eventually the sending server will time out and move onto the next server, which is the secureserver.net machine, which is rejecting mail.
So you need to allow incoming port 25 mail. You should probably also remove the secureserver stuff if they're not accepting mail for you.
whaletrue.com. 600 IN MX 20 smtp.secureserver.net.
whaletrue.com. 600 IN MX 30 mailstore1.secureserver.net.
whaletrue.com. 600 IN MX 10 posta.whaletrue.com.
Now from what you said your server is posta.whaletrue.com so you don't need the first two.
posta.whaletrue.com points to 109.74.198.44, which is a Linode IP; however, I can't connect to port 25 on that IP, so either it's firewalled off, the SMTP server isn't running, or it's the wrong IP.
If 109.74.198.44 is the correct IP, ensure that an SMTP server is running and check your firewall.
You can check what's listening using
sudo netstat -lpnt
and you can check the firewall using
sudo iptables -L -n -v
@sweh:
% telnet posta.whaletrue.com 25
Trying 109.74.198.44…
And it hangs there.
So it looks like you haven't opened any firewall rule to allow incoming port 25. Eventually the sending server will time out and move onto the next server, which is the secureserver.net machine, which is rejecting mail.
So you need to allow incoming port 25 mail. You should probably also remove the secureserver stuff if they're not accepting mail for you.
Thanks for your answer. To open port 25 I have done this:
sudo nano /etc/iptables.firewall.rules
I have added these rules:
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
I have applied the new rules using the following command:
sudo iptables-restore < /etc/iptables.firewall.rules
then this command
sudo iptables -L
gives me this:
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
then I have done this:
iptables-save > /etc/iptables.firewall.rules
So I can't understand why it's not reachable. I don't know if it's useful, but I have checked this file:
sudo tail /var/log/mail.err
and this is the log:
Mar 30 19:00:54 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:01:16 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:01:16 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:01:16 whaletrue citserver[8883]: client_write(32 bytes) failed: Broken pipe (32)
Mar 30 19:01:16 whaletrue citserver[8883]: client_write(137 bytes) failed: Broken pipe (32)
Mar 30 19:01:16 whaletrue citserver[8883]: IMAPCC[32] client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: POP3 client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: SMTP: client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: SMTP: client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:01:16 whaletrue citserver[8883]: client_write(47 bytes) failed: Broken pipe (32)
Mar 30 19:01:16 whaletrue citserver[8883]: client_read_blob() failed: Connection reset by peer
Mar 30 19:01:16 whaletrue citserver[8883]: XMPP: client disconnected: ending session.
Mar 30 19:01:16 whaletrue citserver[8883]: managesieve: client disconnected: ending session.
Mar 30 19:01:55 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:02:56 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:03:57 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:04:58 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:05:18 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:05:18 whaletrue citserver[8883]: client_write(32 bytes) failed: Broken pipe (32)
Mar 30 19:05:18 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:05:18 whaletrue citserver[8883]: client_write(137 bytes) failed: Broken pipe (32)
Mar 30 19:05:18 whaletrue citserver[8883]: IMAPCC[39] client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: SMTP: client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: POP3 client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: SMTP: client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: managesieve: client disconnected: ending session.
Mar 30 19:05:18 whaletrue citserver[8883]: SSL_accept failed: retval=-1, errval=5, err=error:00000005:lib(0):func(0):DH lib
Mar 30 19:05:18 whaletrue citserver[8883]: client_write(47 bytes) failed: Broken pipe (32)
Mar 30 19:05:18 whaletrue citserver[8883]: client_read_blob() failed: Connection reset by peer
Mar 30 19:05:18 whaletrue citserver[8883]: XMPP: client disconnected: ending session.
Mar 30 19:05:59 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:07:00 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:08:01 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:09:02 whaletrue citserver[8883]: No external notifiers configured on system/user
Mar 30 19:10:43 whaletrue citserver[2008]: Failed to adjust ownership of: /etc/citadel/netconfigs/7 [No such file or directory]
Mar 30 19:10:43 whaletrue citserver[2008]: Failed to adjust ownership of: /etc/citadel/netconfigs/7 [No such file or directory]
Mar 30 19:10:44 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:11:45 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:12:46 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:13:47 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:14:48 whaletrue citserver[2008]: No external notifiers configured on system/user
Mar 30 19:15:49 whaletrue citserver[2008]: No external notifiers configured on system/user
@Whale:
then this command
sudo iptables -L
gives me this:
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
That is not the complete output of the command. Other stuff is missing. I still cannot access that SMTP port on 109.74.198.44 (nor any of the other ports). Your firewall config is not correct. But because you're not showing the complete output we cannot diagnose the problem.
Now if I use the command
sudo netstat -lpnt
on 109.74.198.44 this is the complete result:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1797/sshd
tcp 0 0 0.0.0.0:504 0.0.0.0:* LISTEN 2582/citserver
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2582/citserver
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2024/webcit
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 2582/citserver
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 2582/citserver
tcp 0 0 0.0.0.0:2020 0.0.0.0:* LISTEN 2582/citserver
tcp 0 0 0.0.0.0:5222 0.0.0.0:* LISTEN 2582/citserver
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 1890/amavisd-new (m
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1854/mysqld
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 2582/citserver
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 2582/citserver
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 2582/citserver
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 1906/spamd.pid
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2020/webcit
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 2582/citserver
tcp6 0 0 :::22 :::* LISTEN 1797/sshd
tcp6 0 0 ::1:783 :::* LISTEN 1906/spamd.pid
and the command
sudo iptables -L -n -v
gives me this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7142 756K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
6220 679K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
1495 108K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
8745 972K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
97 5260 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
127 7480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
284 16316 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 188 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
777 52587 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
839 56275 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
11146 2578K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (2 references)
pkts bytes target prot opt in out source destination
12412 1354K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
I hope this helps to solve my problem, thanks.
839 56275 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
It's there before the "allow SMTP, allow POP3" rules and so it's blocking all the traffic to those ports.
Order of rules is important in iptables. Make sure your "allow" rules are before this "drop" rule.
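As an added example (not code from the thread, from Citadel or from Linode), here is a small Python check that parses the text of `sudo iptables -L -n -v` and reports ACCEPT rules sitting behind a catch-all DROP, so the dead "allow SMTP" rule with 0 packets is caught before mail is lost. The embedded listing is a constructed, abbreviated copy of the INPUT chain posted above, and the function names are my own.

```python
import re

# Constructed sample: an abbreviated copy of the INPUT chain listing from
# the thread (`sudo iptables -L -n -v`), kept in the real column layout.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1495  108K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 8745  972K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   97  5260 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  777 52587 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
  839 56275 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
"""

# Columns: pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)"
                     r"\s+(\S+)\s+(\S+)(?:\s+(.*?))?\s*$")

def parse_chain(listing):
    """Parse one chain listing into rule dicts, preserving rule order."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:            # "Chain ..." header or the column header line
            continue
        pkts, _byts, target, prot, ifin, ifout, src, dst, extra = m.groups()
        rules.append({"pkts": int(pkts), "target": target, "prot": prot,
                      "in": ifin, "out": ifout, "src": src, "dst": dst,
                      "extra": extra or ""})
    return rules

def is_catch_all_drop(rule):
    """True for a DROP/REJECT with no protocol, interface, address or match."""
    return (rule["target"] in ("DROP", "REJECT") and rule["prot"] == "all"
            and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and rule["extra"] == "")

def shadowed_rules(listing):
    """Rules placed after the first catch-all drop; they can never match."""
    rules = parse_chain(listing)
    for i, rule in enumerate(rules):
        if is_catch_all_drop(rule):
            return rules[i + 1:]
    return []

if __name__ == "__main__":
    for r in shadowed_rules(SAMPLE_INPUT_CHAIN):
        print("unreachable:", r["target"], r["prot"], r["extra"], "pkts", r["pkts"])
```

Run it against the saved output of `sudo iptables -L -n -v INPUT` after every rules reload; any ACCEPT it reports must be moved above the DROP line in /etc/iptables.firewall.rules.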
1) If my mail server where I have installed Citadel is down, what happens to the messages?
2) Related to the question above, if the messages are lost, is there a way to recover them, or to avoid this problem (I don't know, maybe install Citadel also on my first server)?
If you only have 1 server and your server is down then the sender will normally queue the message and retry over a period of time. Eventually the sender will give up and send an error back to the person who sent the mail. What that timeout is depends on the sending server; it's typically over a day but really busy servers could bring that value down to hours.
@sweh:
You have a second server with a really long queue time. So if the primary goes away it will all queue up on the second server. Then when the primary comes back the secondary will forward on the mail in its queue.
Thanks for the answer. I haven't installed any backup mail server yet on whaletrue.com. If I install it, how can I set a long queue time and the forwarding to the new server?
Do you maybe know a tutorial?
Thanks
A good example is that several of my associates turn their lab email servers OFF over the weekends. Some data (although I'm not yet convinced) seems to point to way less spam, because the spammers think it's a bad address (they don't resend ever).
So determine the value of the email your server (and users) deal with, then figure out if that's worth a second server (and remember that if you decide to run a second email server, it needs to be in a completely different data center than the first).
@vonskippy:
You probably want to analyze your email server needs. Most of the small shops I'm familiar with only run a single server. First off, down time is usually rare and limited to a day (or less) when it happens (assuming you have good install/config documentation, backups, and a recovery plan). Second, most email servers try for a day or three before bouncing the email, and most, when they finally bounce, will send a message back to the sender. Third, people are familiar with how email works, so a bounced mail just means they send it again, and a missing email is relatively common (lost in transmission, caught by some filter, etc.), so that if it's important they'll try another means of communicating. All that adds up such that a second backup email server is usually a waste of equipment/sysadmin time/money.
A good example is that several of my associates turn their lab email servers OFF over the weekends. Some data (although I'm not yet convinced) seems to point to way less spam, because the spammers think it's a bad address (they don't resend ever).
So determine the value of the email your server (and users) deal with, then figure out if that's worth a second server (and remember that if you decide to run a second email server, it needs to be in a completely different data center than the first).
Thanks to all for all your answers.