OK, I figured out that

pass in log on $ext_if proto tcp to ($ext_if) port smtp synproxy state
pass out log on $ext_if proto tcp from ($ext_if) to port smtp synproxy state

synproxy state was causing the problem.
I changed both to keep state
and now it works fine.
Why does synproxy state cause mail failures?

Thanks,
Chris Bennett


Chris Bennett wrote:
> Well I finally found an obscure reference to these timeouts happening 
> due to firewalls.
> So I disabled pf and voila!
> No more problems
>
> Now what I need to know is what to do with my pf.conf to be able to 
> reactivate it:
>
> pf.conf:
> ext_if="fxp0"
> #int_if="int0"
> NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8 }"
> #table <spamd> persist
> #table <spamd-white> persist
>
> #my additions --Chris
> table <badhosts> persist file "/etc/badhosts"
> table <bruteforce> persist file "/etc/bruteforce"
>
>
> set skip on lo
>
> #scrub in
> scrub in on $ext_if all
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #rdr pass on $ext_if proto tcp from <spamd> to port smtp \
> # -> 127.0.0.1 port spamd
> #rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
> # -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
> #block in
> #pass out keep state
> antispoof quick log for $ext_if inet
> #pass quick on $int_if
> #antispoof quick for { lo $int_if }
>
> pass inet proto tcp from any to egress port 22123 flags S/SA synproxy \
>     state (max-src-conn 10, max-src-conn-rate 15/5, overload <bruteforce> \
>     flush global)
> pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
> pass in log on $ext_if proto tcp to ($ext_if) port smtp synproxy state
> pass out log on $ext_if proto tcp from ($ext_if) to port smtp synproxy state
> block on fxp0 from { <badhosts> <bruteforce> } to any
> block in log quick inet6 all
> # block smb, nfs, mysql, rndc? from the mean world
> block in quick on $ext_if proto tcp from any to any port {137, 138, 139, 901}
> block in quick on $ext_if proto tcp from any to any port {2049, 111}
> block in log quick on $ext_if proto tcp from any to any port 3306
> block in quick on $ext_if proto tcp from any to any port 953
> block in quick on $ext_if from $NoRouteIPs to any
> block out quick on $ext_if from any to $NoRouteIPs
>
> Which entry is causing me these problems with sendmail?
>
> Chris Bennett wrote:
>   
>> This is the first time I've set up sendmail.
>> Everything is working except relaying.
>> I get timeout errors such as:
>>
>>     Apr 13 10:23:52 b03s15le sm-mta[32621]: m3AMaDbG021948: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (5004/5000), delay=2+16:47:39, xdelay=00:00:00, mailer=esmtp, pri=11370520, relay=mailstore1.secureserver.net., dsn=4.0.0, stat=Deferred: Connection timed out with mailstore1.secureserver.net.
>>     Apr 13 10:28:52 b03s15le sm-mta[19243]: m3BEGF0d018627: timeout waiting for input from c.mx.mail.yahoo.com. during client greeting
>>     Apr 13 10:28:52 b03s15le sm-mta[32621]: m3A3LXeL022236: timeout waiting for input from mdfiber.com.cn. during client greeting
>>     Apr 13 10:28:52 b03s15le sm-mta[32621]: m3A3LXeL022236: to=<[EMAIL PROTECTED]>, delay=3+12:07:19, xdelay=00:05:00, mailer=esmtp, pri=12390000, relay=mdfiber.com.cn. [125.115.37.166], dsn=4.0.0, stat=Deferred: Connection timed out with mdfiber.com.cn.
>>     Apr 13 10:28:52 b03s15le sm-mta[32621]: m39M3TI3021802: to=<[EMAIL PROTECTED]>, delay=3+17:25:23, xdelay=00:00:00, mailer=esmtp, pri=15630000, relay=email-mx.paypal.com., dsn=4.0.0, stat=Deferred: Connection timed out with email-mx.paypal.com.
>>     Apr 13 10:28:52 b03s15le sm-mta[32621]: m39LHSwW029414: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0), delay=3+18:11:24, xdelay=00:00:00, mailer=esmtp, pri=15691859, relay=mailstore1.secureserver.net., dsn=4.0.0, stat=Deferred: Connection timed out with mailstore1.secureserver.net.
>>     Apr 13 10:33:51 b03s15le sm-mta[1350]: m3D3c72K007206: timeout waiting for input from a.mx.mail.yahoo.com. during client greeting
>>     Apr 13 10:33:52 b03s15le sm-mta[19243]: m3BEGF0d018627: timeout waiting for input from g.mx.mail.yahoo.com. during client greeting
>>     Apr 13 10:36:28 b03s15le sm-mta[7022]: m3DFPM8f007022: 219-84-176-17-adsl-tpe.dynamic.so-net.net.tw [219.84.176.17] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>>
>>
>> I understand that lacking reverse DNS can cause these problems, but I 
>> have corrected that problem and now pass the FcRDNS test. But these problems 
>> continue. All other mail works fine.
>> The only other possibility I have encountered is to change a timeout for 
>> sendmail in sendmail.cf.
>> Any suggestions?
>> _______________________________________________
>> Openbsd-newbies mailing list
>> [email protected]
>> http://mailman.theapt.org/listinfo/openbsd-newbies
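An added example, not part of the original thread: a small Python check that lists every `pass` rule in a pf.conf that uses `synproxy state`, with its direction, port, and the `keep state` form the poster switched to. The sample config is constructed from the rules quoted above; `logical_lines` and `synproxy_rules` are hypothetical helper names.

```python
import re

# Constructed sample: active rules quoted in the thread; the mail-wrapped
# rule is rejoined with pf.conf backslash continuations.
SAMPLE_PF_CONF = r'''
ext_if="fxp0"
#pass out keep state
pass inet proto tcp from any to egress port 22123 flags S/SA synproxy \
    state (max-src-conn 10, max-src-conn-rate 15/5, overload <bruteforce> \
    flush global)
pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
pass in log on $ext_if proto tcp to ($ext_if) port smtp synproxy state
pass out log on $ext_if proto tcp from ($ext_if) to port smtp synproxy state
block in log quick inet6 all
'''

SYNPROXY = re.compile(r"\bsynproxy\s+state\b")
PORT = re.compile(r"\bport\s+(\{[^}]*\}|\S+)")

def logical_lines(text):
    """Yield (first_line_number, rule): comments dropped, continuations joined."""
    parts, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line and not parts:
            continue
        start = number if start is None else start
        parts.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(p for p in parts if p)
            parts, start = [], None
    if parts:
        yield start, " ".join(p for p in parts if p)

def synproxy_rules(text):
    """Return each pass rule that uses synproxy state, with a keep state rewrite."""
    hits = []
    for number, rule in logical_lines(text):
        words = rule.split()
        if not words or words[0] != "pass" or not SYNPROXY.search(rule):
            continue
        direction = words[1] if len(words) > 1 and words[1] in ("in", "out") else "both"
        port = PORT.search(rule)
        hits.append({"line": number, "direction": direction,
                     "port": port.group(1) if port else None,
                     "keep_state": SYNPROXY.sub("keep state", rule)})
    return hits

if __name__ == "__main__":
    for hit in synproxy_rules(SAMPLE_PF_CONF):
        print(f'{hit["line"]:>3} {hit["direction"]:<4} port {hit["port"]}: {hit["keep_state"]}')
```

Switching the listed rules to `keep state` one at a time and retesting delivery shows which rule was responsible.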