Koozali.org: home of the SME Server

E-Mail deliver through alternate smtp Connected_to_127.0.0.1_but_greeting_failed

Offline cam

Have various 9.2 servers installed. Except for one e-mail gateway server, all servers are regular mail servers where the users connect, receive and send e-mails from various clients (T-Bird, Outlook etc.) on their local network and externally via a single 9.2 e-mail gateway. The gateway I maintain "clean" with reverse DNS, DMARC, SPF etc. to make sure e-mails are correctly delivered. All satellite servers use the gateway server for e-mail delivery. This is configured via the SME Change Delivery option on the server-manager console screen, where I have the user/password and gatewayserver:465 address configured on the satellites.

All satellites work perfectly but yesterday I had an electrical failure on one of the sites and the server would not receive or send e-mails for that site. Part of the error had to do with the WBL module. This is a documented problem when upgrading from 9.1 to 9.2 and was fixed by uninstalling the WBL smeserver module (later will re-install but for now I want to fix the sending issue).

I updated the (satellite) server to the latest release because it would not send e-mails via the central gateway (like it did perfectly before the electrical failure) but it still does not work.  All the other sites are working ok so I don't think it is an issue with the email gateway server.

Additional info:

1) Qmail log (sending server): deferral: Connected_to_127.0.0.1_but_greeting_failed./Remote_host_said:_451_Upstream_SMTP_server_not_available/

2) Sqpsmtpd log (receiving server)
@400000005c92f62b1a29a79c 6933 Accepted connection 0/10 from 70.45.150.48 / dynamic.libertypr.net
@400000005c92f62b1a2b8fe4 6933 Connection from dynamic.libertypr.net [70.45.150.48]
@400000005c92f62b273a7524 6933 (connect) tls: fail, unable to establish SSL
@400000005c92f62b273bfbc4 6933 (deny) logging::logterse: ` 70.45.150.48>dynamic.libertypr.net<-><------><------><------>tls<--->903<--->Cannot establis
@400000005c92f62b273cc2fc 6933 550 Cannot establish SSL session
@400000005c92f62b273d18ec 6933 click, disconnecting


3) Both servers are 9.2 but there are some differences on the installed RPMS (below a list of the RPMS that are different)


RECEIVING SERVER                                               SENDING SERVER
binutils-2.20.51.0.2-5.48.el6.x86_64                       binutils-2.20.51.0.2-5.48.el6_10.1.x86_64
clamav-0.99.3-1.el6.sme.x86_64                             clamav-0.100.2-4.el6.sme.x86_64
clamav-db-0.99.3-1.el6.sme.x86_64                          clamav-db-0.100.2-4.el6.sme.x86_64
clamd-0.99.3-1.el6.sme.x86_64                              clamd-0.100.2-4.el6.sme.x86_64
cups-libs-1.4.2-79.el6.x86_64                              cups-libs-1.4.2-80.el6_10.x86_64
*****NOT INSTALLED*****                                    dansguardian-2.10.1.1-1.el6.sme.x86_64
device-mapper-multipath-0.4.9-106.el6.x86_64               device-mapper-multipath-0.4.9-106.el6_10.1.x86_64
device-mapper-multipath-libs-0.4.9-106.el6.x86_64          device-mapper-multipath-libs-0.4.9-106.el6_10.1.x86_64
dhclient-4.1.1-61.P1.el6.centos.x86_64                     dhclient-4.1.1-63.P1.el6.centos.x86_64
dhcp-4.1.1-61.P1.el6.centos.x86_64                         dhcp-4.1.1-63.P1.el6.centos.x86_64
dhcp-common-4.1.1-61.P1.el6.centos.x86_64                  dhcp-common-4.1.1-63.P1.el6.centos.x86_64
djbdns-1.05-8.el6.sme.x86_64                               djbdns-1.05-11.el6.sme.x86_64
e-smith-base-5.6.0-31.el6.sme.noarch                       e-smith-base-5.6.0-34.el6.sme.noarch
e-smith-ntp-2.4.0-6.el6.sme.noarch                         e-smith-ntp-2.4.0-7.el6.sme.noarch
e-smith-pop3-2.4.0-6.el6.sme.noarch                        e-smith-pop3-2.4.0-8.el6.sme.noarch
e-smith-qmail-2.4.0-7.el6.sme.noarch                       e-smith-qmail-2.4.0-8.el6.sme.noarch
e-smith-samba-2.4.0-24.el6.sme.noarch                      e-smith-samba-2.4.0-26.el6.sme.noarch
GeoIP-GeoLite-data-2017.01-1.el6.noarch                    GeoIP-GeoLite-data-2018.04-1.el6.noarch
GeoIP-GeoLite-data-extra-2017.01-1.el6.noarch              GeoIP-GeoLite-data-extra-2018.04-1.el6.noarch
geoipupdate-2.2.1-2.el6.x86_64                             geoipupdate-3.1.1-2.el6.x86_64
*****NOT INSTALLED*****                                    gpg-pubkey-2a6b914a-3a6ce9b9
*****NOT INSTALLED*****                                    gpg-pubkey-849c449f-4cb9df30
kernel-2.6.32-696.1.1.el6.x86_64                           kernel-2.6.32-573.8.1.el6.x86_64
kernel-2.6.32-754.3.5.el6.x86_64                           kernel-2.6.32-754.11.1.el6.x86_64
kernel-firmware-2.6.32-754.3.5.el6.noarch                  kernel-firmware-2.6.32-754.11.1.el6.noarch
kernel-headers-2.6.32-754.3.5.el6.x86_64                   kernel-headers-2.6.32-754.11.1.el6.x86_64
kpartx-0.4.9-106.el6.x86_64                                kpartx-0.4.9-106.el6_10.1.x86_64
mailx-12.4-8.el6_6.x86_64                                  mailx-12.4-10.el6_10.x86_64
mod_perl-2.0.4-11.1.el6.sme.x86_64                         mod_perl-2.0.4-12.1.el6.sme.x86_64
nfs-utils-1.2.3-78.el6.x86_64                              nfs-utils-1.2.3-78.el6_10.1.x86_64
nss-3.36.0-8.el6.x86_64                                    nss-3.36.0-9.el6_10.x86_64
nss-sysinit-3.36.0-8.el6.x86_64                            nss-sysinit-3.36.0-9.el6_10.x86_64
nss-tools-3.36.0-8.el6.x86_64                              nss-tools-3.36.0-9.el6_10.x86_64
ntp-4.2.6p5-12.el6.centos.2.x86_64                         ntp-4.2.6p5-15.el6.centos.x86_64
ntpdate-4.2.6p5-12.el6.centos.2.x86_64                     ntpdate-4.2.6p5-15.el6.centos.x86_64
perl-Email-Address-1.905-1.el6.noarch                      perl-Email-Address-1.912-1.el6.noarch
perl-Mail-DMARC-1.20141206-1.el6.sme.noarch                perl-Mail-DMARC-1.20141206-2.el6.sme.noarch
polkit-0.96-11.el6.x86_64                                  polkit-0.96-11.el6_10.1.x86_64
qpsmtpd-0.96-10.el6.sme.noarch                             qpsmtpd-0.96-11.el6.sme.noarch
*****NOT INSTALLED*****                                    smeserver-dansguardian-2.10-1.el6.sme.noarch
smeserver-qmHandle-1.4-11.el6.sme.noarch                   *****NOT INSTALLED*****
smeserver-qpsmtpd-2.4.0-37.el6.sme.noarch                  smeserver-qpsmtpd-2.4.0-39.el6.sme.noarch
smeserver-spamassassin-2.4.0-8.el6.sme.noarch              smeserver-spamassassin-2.4.0-9.el6.sme.noarch
smeserver-yum-2.4.0-15.el6.sme.noarch                      smeserver-yum-2.4.0-23.el6.sme.noarch
tzdata-2018e-3.el6.noarch                                  tzdata-2018i-1.el6.noarch
yum-3.2.29-81.el6.centos.noarch                            yum-3.2.29-81.el6.centos.0.1.noarch
*****NOT INSTALLED*****                                    yum-plugin-post-transaction-actions-1.1.30-42.el6_10.noarch


4) Various mail rpms and versions
qmail-1.03-18.el6.sme.x86_64
e-smith-email-5.4.0-12.el6.sme.noarch
qpsmtpd-plugins-0.0.1-5.el6.sme.noarch
smeserver-qpsmtpd-2.4.0-37.el6.sme.noarch
qpsmtpd-0.96-10.el6.sme.noarch

5) Wireshark cap (BAD SATELLITE)

SRC            DEST                PROTOCOL   INFO
SATELLITE       MAIL-GETWAY-SRV TLSv1.2      Client Hello
MAIL-GETWAY-SRV SATELLITE       TCP              465 → 58252 [ACK] Seq=1 Ack=192 Win=15616 Len=0 TSval=62810078 TSecr=20312349
MAIL-GETWAY-SRV SATELLITE       TLSv1.2      Server Hello, Certificate
MAIL-GETWAY-SRV SATELLITE       TLSv1.2      Ignored Unknown Record
SATELLITE       MAIL-GETWAY-SRV TCP              58252 → 465 [ACK] Seq=192 Ack=1496 Win=17536 Len=0 TSval=20312660 TSecr=62810302
SATELLITE       MAIL-GETWAY-SRV TLSv1.2      Alert (Level: Fatal, Description: Unknown CA)


Any ideas are certainly appreciated....






Offline CharlieBrady

SATELLITE       MAIL-GETWAY-SRV TLSv1.2      Alert (Level: Fatal, Description: Unknown CA)

"Unknown CA" is the key issue here. The certificate is untrusted. I notice when I go to https://70.45.150.48/ that Chrome tells me "NET::ERR_CERT_AUTHORITY_INVALID", and by clicking on it I can see it is a self-signed cert:

Subject: camsoftpr.homeip.net
Issuer: camsoftpr.homeip.net
Expires on: 13 Jan 2020
Current date: 21 Mar 2019

The best solution would be for that server to have a proper certificate. It would be possible to modify smtp_auth_proxy on SMEserver so that it doesn't validate the certificate, and it would also be possible to add that CA to the trusted store.
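
The trust failure described in the reply above can be reproduced and checked offline. This is an added example, not part of the thread and not SME Server's own tooling; the host names, file names and throwaway certificates are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Names and paths are placeholders.

# Constructed sample input: a throwaway self-signed certificate for CN=$1,
# written to $2.crt and $2.key.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# True when Subject and Issuer are the same name, as in the certificate
# quoted above (self-issued; for a server leaf this means self-signed).
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when certificate $1 chains to a trust anchor in PEM bundle $2.
# Matching the "<file>: OK" line also works with old openssl builds whose
# exit status did not reflect a verification failure.
trusted_by() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Live use (not exercised offline): save the certificate a server presents
# on an implicit-TLS port such as 465, then feed it to the checks above.
fetch_peer_cert() {   # $1 = host, $2 = port, $3 = output file
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM -out "$3"
}

# Offline demonstration of the states discussed in the reply.
demo() {
  local d; d=$(mktemp -d) || return 1
  make_self_signed gateway.example "$d/gw"
  make_self_signed other-ca.example "$d/other"
  is_self_issued "$d/gw.crt"            && echo "gateway cert is self-signed"
  trusted_by "$d/gw.crt" "$d/other.crt" || echo "unrelated bundle: unknown CA"
  trusted_by "$d/gw.crt" "$d/gw.crt"    && echo "cert added as anchor: OK"
  rm -rf "$d"
}
demo
```

On a real satellite, the bundle passed to `trusted_by` should be whichever CA file the sending client actually consults; which file that is for smtp_auth_proxy is not stated in the thread.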

Offline Fumetto

Quote
It would be possible to modify smtp_auth_proxy on SMEserver so that it doesn't validate the certificate, and it would also be possible to add that CA to the trusted store.

How can I try this? I have one server with this problem; I think it is related to a firewall with round-robin, but it could be this too... How can I remove the validation?
db configuration setprop smtp-auth-proxy....

TIA