Koozali.org formerly Contribs.org

E-Mail deliver through alternate smtp Connected_to_127.0.0.1_but_greeting_failed

Offline cam

Have various 9.2 servers installed. Except for one e-mail gateway server, all servers are regular mail servers where the users connect, receive and send e-mails from various clients (T-Bird, Outlook etc.) on their local network and externally via a single 9.2 email Gateway. The Gateway I maintain "clean" with reverse DNS, DMARC, SPF etc. to make sure e-mails are correctly delivered. All satellite servers use the Gateway server for e-mail delivery. This is configured via SME Change Delivery option server-manager console screen where I have the user/password and gatewayserver:465 address configured on the satellites.

All satellites work perfectly but yesterday I had an electrical failure on one of the sites and the server would not receive or send e-mails for that site. Part of the error had to do with the WBL module. This is a documented problem when upgrading from 9.1 to 9.2 and was fixed by uninstalling the WBL smeserver module (later will re-install but for now I want to fix the sending issue).

I updated the (satellite) server to the latest release because it would not send e-mails via the central gateway (like it did perfectly before the electrical failure) but it still does not work.  All the other sites are working ok so I don't think it is an issue with the email gateway server.

Additional info:

1) Qmail log (sending server): deferral: Connected_to_127.0.0.1_but_greeting_failed./Remote_host_said:_451_Upstream_SMTP_server_not_available/

2) Sqpsmtpd log (receiving server)
@400000005c92f62b1a29a79c 6933 Accepted connection 0/10 from 70.45.150.48 / dynamic.libertypr.net
@400000005c92f62b1a2b8fe4 6933 Connection from dynamic.libertypr.net [70.45.150.48]
@400000005c92f62b273a7524 6933 (connect) tls: fail, unable to establish SSL
@400000005c92f62b273bfbc4 6933 (deny) logging::logterse: ` 70.45.150.48>dynamic.libertypr.net<-><------><------><------>tls<--->903<--->Cannot establis
@400000005c92f62b273cc2fc 6933 550 Cannot establish SSL session
@400000005c92f62b273d18ec 6933 click, disconnecting


3) Both servers are 9.2 but there are some differences on the installed RPMS (below a list of the RPMS that are different)


RECEIVING SERVER                                               SENDING SERVER
binutils-2.20.51.0.2-5.48.el6.x86_64                       binutils-2.20.51.0.2-5.48.el6_10.1.x86_64
clamav-0.99.3-1.el6.sme.x86_64                             clamav-0.100.2-4.el6.sme.x86_64
clamav-db-0.99.3-1.el6.sme.x86_64                          clamav-db-0.100.2-4.el6.sme.x86_64
clamd-0.99.3-1.el6.sme.x86_64                              clamd-0.100.2-4.el6.sme.x86_64
cups-libs-1.4.2-79.el6.x86_64                              cups-libs-1.4.2-80.el6_10.x86_64
*****NOT INSTALLED*****                                    dansguardian-2.10.1.1-1.el6.sme.x86_64
device-mapper-multipath-0.4.9-106.el6.x86_64               device-mapper-multipath-0.4.9-106.el6_10.1.x86_64
device-mapper-multipath-libs-0.4.9-106.el6.x86_64          device-mapper-multipath-libs-0.4.9-106.el6_10.1.x86_64
dhclient-4.1.1-61.P1.el6.centos.x86_64                     dhclient-4.1.1-63.P1.el6.centos.x86_64
dhcp-4.1.1-61.P1.el6.centos.x86_64                         dhcp-4.1.1-63.P1.el6.centos.x86_64
dhcp-common-4.1.1-61.P1.el6.centos.x86_64                  dhcp-common-4.1.1-63.P1.el6.centos.x86_64
djbdns-1.05-8.el6.sme.x86_64                               djbdns-1.05-11.el6.sme.x86_64
e-smith-base-5.6.0-31.el6.sme.noarch                       e-smith-base-5.6.0-34.el6.sme.noarch
e-smith-ntp-2.4.0-6.el6.sme.noarch                         e-smith-ntp-2.4.0-7.el6.sme.noarch
e-smith-pop3-2.4.0-6.el6.sme.noarch                        e-smith-pop3-2.4.0-8.el6.sme.noarch
e-smith-qmail-2.4.0-7.el6.sme.noarch                       e-smith-qmail-2.4.0-8.el6.sme.noarch
e-smith-samba-2.4.0-24.el6.sme.noarch                      e-smith-samba-2.4.0-26.el6.sme.noarch
GeoIP-GeoLite-data-2017.01-1.el6.noarch                    GeoIP-GeoLite-data-2018.04-1.el6.noarch
GeoIP-GeoLite-data-extra-2017.01-1.el6.noarch              GeoIP-GeoLite-data-extra-2018.04-1.el6.noarch
geoipupdate-2.2.1-2.el6.x86_64                             geoipupdate-3.1.1-2.el6.x86_64
*****NOT INSTALLED*****                                    gpg-pubkey-2a6b914a-3a6ce9b9
*****NOT INSTALLED*****                                    gpg-pubkey-849c449f-4cb9df30
kernel-2.6.32-696.1.1.el6.x86_64                           kernel-2.6.32-573.8.1.el6.x86_64
kernel-2.6.32-754.3.5.el6.x86_64                           kernel-2.6.32-754.11.1.el6.x86_64
kernel-firmware-2.6.32-754.3.5.el6.noarch                  kernel-firmware-2.6.32-754.11.1.el6.noarch
kernel-headers-2.6.32-754.3.5.el6.x86_64                   kernel-headers-2.6.32-754.11.1.el6.x86_64
kpartx-0.4.9-106.el6.x86_64                                kpartx-0.4.9-106.el6_10.1.x86_64
mailx-12.4-8.el6_6.x86_64                                  mailx-12.4-10.el6_10.x86_64
mod_perl-2.0.4-11.1.el6.sme.x86_64                         mod_perl-2.0.4-12.1.el6.sme.x86_64
nfs-utils-1.2.3-78.el6.x86_64                              nfs-utils-1.2.3-78.el6_10.1.x86_64
nss-3.36.0-8.el6.x86_64                                    nss-3.36.0-9.el6_10.x86_64
nss-sysinit-3.36.0-8.el6.x86_64                            nss-sysinit-3.36.0-9.el6_10.x86_64
nss-tools-3.36.0-8.el6.x86_64                              nss-tools-3.36.0-9.el6_10.x86_64
ntp-4.2.6p5-12.el6.centos.2.x86_64                         ntp-4.2.6p5-15.el6.centos.x86_64
ntpdate-4.2.6p5-12.el6.centos.2.x86_64                     ntpdate-4.2.6p5-15.el6.centos.x86_64
perl-Email-Address-1.905-1.el6.noarch                      perl-Email-Address-1.912-1.el6.noarch
perl-Mail-DMARC-1.20141206-1.el6.sme.noarch                perl-Mail-DMARC-1.20141206-2.el6.sme.noarch
polkit-0.96-11.el6.x86_64                                  polkit-0.96-11.el6_10.1.x86_64
qpsmtpd-0.96-10.el6.sme.noarch                             qpsmtpd-0.96-11.el6.sme.noarch
*****NOT INSTALLED*****                                    smeserver-dansguardian-2.10-1.el6.sme.noarch
smeserver-qmHandle-1.4-11.el6.sme.noarch                   *****NOT INSTALLED*****
smeserver-qpsmtpd-2.4.0-37.el6.sme.noarch                  smeserver-qpsmtpd-2.4.0-39.el6.sme.noarch
smeserver-spamassassin-2.4.0-8.el6.sme.noarch              smeserver-spamassassin-2.4.0-9.el6.sme.noarch
smeserver-yum-2.4.0-15.el6.sme.noarch                      smeserver-yum-2.4.0-23.el6.sme.noarch
tzdata-2018e-3.el6.noarch                                  tzdata-2018i-1.el6.noarch
yum-3.2.29-81.el6.centos.noarch                            yum-3.2.29-81.el6.centos.0.1.noarch
*****NOT INSTALLED*****                                    yum-plugin-post-transaction-actions-1.1.30-42.el6_10.noarch


4) Various mail rpms and versions
qmail-1.03-18.el6.sme.x86_64
e-smith-email-5.4.0-12.el6.sme.noarch
qpsmtpd-plugins-0.0.1-5.el6.sme.noarch
smeserver-qpsmtpd-2.4.0-37.el6.sme.noarch
qpsmtpd-0.96-10.el6.sme.noarch

5) Wireshark cap (BAD SATELLITE)

SRC               DEST              PROTOCOL  INFO
SATELLITE         MAIL-GATEWAY-SRV  TLSv1.2   Client Hello
MAIL-GATEWAY-SRV  SATELLITE         TCP       465 → 58252 [ACK] Seq=1 Ack=192 Win=15616 Len=0 TSval=62810078 TSecr=20312349
MAIL-GATEWAY-SRV  SATELLITE         TLSv1.2   Server Hello, Certificate
MAIL-GATEWAY-SRV  SATELLITE         TLSv1.2   Ignored Unknown Record
SATELLITE         MAIL-GATEWAY-SRV  TCP       58252 → 465 [ACK] Seq=192 Ack=1496 Win=17536 Len=0 TSval=20312660 TSecr=62810302
SATELLITE         MAIL-GATEWAY-SRV  TLSv1.2   Alert (Level: Fatal, Description: Unknown CA)


Any ideas are certainly appreciated....






SATELLITE       MAIL-GATEWAY-SRV TLSv1.2      Alert (Level: Fatal, Description: Unknown CA)

"Unknown CA" is the key issue here. The certificate is untrusted. I notice when I go to https://70.45.150.48/ that Chrome tells me "NET::ERR_CERT_AUTHORITY_INVALID", and by clicking on it I can see it is a self-signed cert:

Subject: camsoftpr.homeip.net
Issuer: camsoftpr.homeip.net
Expires on: 13 Jan 2020
Current date: 21 Mar 2019

The best solution would be for that server to have a proper certificate. It would be possible to modify smtp_auth_proxy on SMEserver so that it doesn't validate the certificate, and it would also be possible to add that CA to the trusted store.
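Added example (not part of the thread and not SME Server's own code): the check behind the "Unknown CA" alert, reproduced offline with openssl. It builds two throwaway self-signed certificates, shows that one is rejected by a trust bundle that lacks it, and that it is accepted once the certificate itself is the trust anchor. The host names gateway.example.test and other-ca.example.test and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed demo: all certificates are generated here, nothing is taken
# from the servers discussed in the thread.

# Create a self-signed certificate. $1 = output prefix, $2 = common name.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# True when Subject and Issuer are identical, as in the certificate
# quoted in the reply above.
subject_is_issuer() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# True when certificate $2 chains to a trust anchor in bundle $1.
# The output is checked as well as the exit status, because old
# openssl releases exit 0 even when verification fails.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

make_cert "$DEMO/gateway" gateway.example.test     # stands in for the gateway
make_cert "$DEMO/other-ca" other-ca.example.test   # stands in for an unrelated CA

if subject_is_issuer "$DEMO/gateway.pem"; then
    echo "gateway certificate: Subject equals Issuer (self-signed)"
fi

# Trust bundle without the gateway certificate: the client rejects it.
if trusted_by "$DEMO/other-ca.pem" "$DEMO/gateway.pem"; then
    echo "unrelated bundle: accepted"
else
    echo "unrelated bundle: rejected (reported on the wire as Unknown CA)"
fi

# Trust bundle containing the gateway certificate: validation stays on and passes.
if trusted_by "$DEMO/gateway.pem" "$DEMO/gateway.pem"; then
    echo "bundle containing the gateway certificate: accepted"
fi
```

Against a live server the same two functions can be run on the certificate printed by `openssl s_client -connect gatewayserver:465 -showcerts`, saved to a file.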

Quote
It would be possible to modify smtp_auth_proxy on SMEserver so that it doesn't validate the certificate, and it would also be possible to add that CA to the trusted store.

How can I try this? I have one server with this problem. I think it is related to a firewall with round-robin, but it could be this too... How can I remove the validation?
db configuration setprop smtp-auth-proxy....

TIA
Smeserver.it - Solutions and support for SME Server in Italy