
Telneting in to Postfix reports back with old host name

Hi.


I am setting up a home server for my family (4 users) running a late 2010 Mac mini server with OSX Server 3.0.1


I am computer literate but am new to server hosting. I have successfully navigated setting up DNS properly the way I want it, but am now running into a problem setting up a family mail server.


When I first got the machine I just played around with the server settings under Snow Leopard and turned on some services without really intending to use them as we were all using Google services at the time. I now want to get off those services, such as mail, etc. and host them myself.


Anyway, I've registered a domain and pointed it to my machine, and everything appears to be working properly. I used GoDaddy.com to register the domain.


But after setup of the Mail server, getting my ISP's mail relay server configured, etc. I get the following when I test using telnet to connect to port 25:

server:~ admin$ telnet 127.0.0.1 25

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 <oldhostname>.org ESMTP Postfix

421 4.4.2 <oldhostname>.org Error: timeout exceeded

Connection closed by foreign host.

server:~ admin$ sudo changeip -checkhostname

Password:


Primary address = 10.0.1.254


Current HostName = <newhostname>.org

DNS HostName = <newhostname>.org


The names match. There is nothing to change.

dirserv:success = "success"

server:~ admin$ hostname -f

<newhostname>.org



You'll notice I then double checked that my DNS was set up correctly, and then checked the host name again for good measure. However, Postfix is calling my outgoing SMTP by the old and never really used host name still.


I would really appreciate any help you knowledgeable people could give me! Is there a library file that needs updating and if so how do I do that? I found a similar problem here but this is on a Linux box, which I have no experience with whatsoever, and can't figure out how to do what he did.


Thank you again in advance for any input.

Mac mini, OS X Mavericks (10.9)

Posted on Jan 1, 2014 7:34 AM

13 replies

Jan 1, 2014 9:42 AM in response to myopicpaideia

Please post your real domain name and I'll check that. Otherwise start reading here. (That thread also includes why I generally avoid directly editing the configuration files, and has details that will help you confirm you're working with the active Postfix configuration files.)


As for the timeout, launch Console.app from Applications > Utilities and see if there are any Postfix-related errors. As part of that, also check your local DNS translations for the host and for your MX record. You've obfuscated the domain, so I can't check that for correctness. I'd expect to see the MX record point to somehostname.example.org, where example.org is your registered domain.


You'll also need a static IP address from your ISP, or you'll need to set up an authorized SMTP relay through another mail server. If you don't have static IP and proper DNS, various other mail servers will decide your mail server is a spam engine and drop outbound messages. Further, some mail servers will make a similar determination and will drop messages intended for your mail server, too.

Jan 1, 2014 11:03 AM in response to MrHoffman

Thanks for the help!


grabko.org is the domain.


If I've made a fool of myself, I apologise. I created all the appropriate DNS records on the Server app as well as adjusting the respective records on the GoDaddy DNS manager service within the last 12-15 hours. If this thread is premature that's my fault.


The thing is that I have added a couple of test users in the server app as local users, and tried adding their accounts to the calendar and contact apps without success.


I am using the _caldavs_tcp and _carddavs_tcp DNS service records, but have not received back my trusted certificate yet from GoDaddy. Could this be causing a problem as well?


Also, I don't have a static IP per se (but I have had the same external IP address for over a year now, I had my ISP bridge the cable modem it supplies directly into my Airport Extreme for the purposes of setting up Microsoft RDP for a virtual machine I run Windows on for work, and I use it literally every day) but I do have the proper mail relay server from my ISP set up in the Server app.

Jan 4, 2014 8:58 AM in response to MrHoffman

Hi Mr. Hoffman, here is an update:


Console shows this when I telnet in to port 25 in the terminal:


04/01/14 17:54:35,681 login[21847]: USER_PROCESS: 21847 ttys000

04/01/14 17:55:10,102 Mail[21433]: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))

04/01/14 17:55:10,102 Mail[21433]: [<_MCLibSasl2SaslClient: 0x6000004a9000> mechanism: GSSAPI security layer: no] Failed to start the SASL connection

SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))

04/01/14 17:55:10,116 Mail[21433]: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))

04/01/14 17:55:10,116 Mail[21433]: [<_MCLibSasl2SaslClient: 0x6000004a8be0> mechanism: GSSAPI security layer: no] Failed to start the SASL connection

SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))

04/01/14 17:55:10,127 Mail[21433]: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))

04/01/14 17:55:10,127 Mail[21433]: [<_MCLibSasl2SaslClient: 0x600000cb9d40> mechanism: GSSAPI security layer: no] Failed to start the SASL connection

SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))

04/01/14 17:55:10,140 Mail[21433]: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))

04/01/14 17:55:10,140 Mail[21433]: [<_MCLibSasl2SaslClient: 0x6080004b54e0> mechanism: GSSAPI security layer: no] Failed to start the SASL connection

SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))


I have installed my SSL Certificate from GoDaddy.

Jan 4, 2014 9:16 AM in response to myopicpaideia

Also Getting the following in Console:


04/01/14 18:04:59,806 kdc[62640]: AS-REQ ggs.grabko.org$@GGS.GRABKO.ORG from 127.0.0.1:57943 for krbtgt/GGS.GRABKO.ORG@GGS.GRABKO.ORG

04/01/14 18:04:59,808 kdc[62640]: UNKNOWN -- ggs.grabko.org$@GGS.GRABKO.ORG: no such entry found in hdb

04/01/14 18:05:00,294 servermgrd[20002]: nsc_smb XPC: handle_event error : < Connection invalid >


And my sudo postconf -c /Library/Server/Mail/Config/postfix -n output:

alias_maps = hash:/etc/aliases

always_bcc =

biff = no

command_directory = /usr/sbin

config_directory = /Library/Server/Mail/Config/postfix

content_filter = smtp-amavis:[127.0.0.1]:10024

daemon_directory = /usr/libexec/postfix

data_directory = /Library/Server/Mail/Data/mta

debug_peer_level = 2

debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5

dovecot_destination_recipient_limit = 1

enable_server_options = yes

header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks

html_directory = /usr/share/doc/postfix/html

imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred

inet_interfaces = all

inet_protocols = all

local_recipient_maps = proxy:unix:passwd.byname $alias_maps

mail_owner = _postfix

mailbox_size_limit = 0

mailbox_transport = dovecot

mailq_path = /usr/bin/mailq

manpage_directory = /usr/share/man

message_size_limit = 10485760

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

mydomain = grabko.org

mydomain_fallback = localhost

myhostname = server.grabko.org

mynetworks = 127.0.0.0/8

newaliases_path = /usr/bin/newaliases

postscreen_dnsbl_sites = zen.spamhaus.org*2

queue_directory = /Library/Server/Mail/Data/spool

readme_directory = /usr/share/doc/postfix

recipient_canonical_maps = hash:/Library/Server/Mail/Config/postfix/system_user_maps

recipient_delimiter = +

relayhost = smtprelay1.telia.com

sample_directory = /usr/share/doc/postfix/examples

sendmail_path = /usr/sbin/sendmail

setgid_group = _postdrop

smtp_sasl_auth_enable = no

smtp_sasl_password_maps =

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit

smtpd_enforce_tls = no

smtpd_helo_required = yes

smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname

smtpd_pw_server_security_options = cram-md5,digest-md5,gssapi

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit

smtpd_sasl_auth_enable = yes

smtpd_tls_CAfile = /etc/certificates/server.grabko.org.1C04ED269951F447E3422EB93680FCEDAE448203.chain.pem

smtpd_tls_cert_file = /etc/certificates/server.grabko.org.1C04ED269951F447E3422EB93680FCEDAE448203.cert.pem

smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL

smtpd_tls_key_file = /etc/certificates/server.grabko.org.1C04ED269951F447E3422EB93680FCEDAE448203.key.pem

smtpd_use_pw_server = yes

smtpd_use_tls = yes

tls_random_source = dev:/dev/urandom

unknown_local_recipient_reject_code = 550

use_sacl_cache = yes

virtual_alias_domains = $virtual_alias_maps

virtual_alias_maps = $virtual_maps


And my sudo serveradmin fullstatus mail:


mail:startedTime = "2014-01-01 11:58:58 +0000"

mail:setStateVersion = 1

mail:state = "RUNNING"

mail:protocolsArray:_array_index:0:status = "ON"

mail:protocolsArray:_array_index:0:kind = "INCOMING"

mail:protocolsArray:_array_index:0:protocol = "IMAP"

mail:protocolsArray:_array_index:0:state = "RUNNING"

mail:protocolsArray:_array_index:0:service = "MailAccess"

mail:protocolsArray:_array_index:0:error = ""

mail:protocolsArray:_array_index:1:status = "OFF"

mail:protocolsArray:_array_index:1:kind = "INCOMING"

mail:protocolsArray:_array_index:1:protocol = "POP3"

mail:protocolsArray:_array_index:1:state = "RUNNING"

mail:protocolsArray:_array_index:1:service = "MailAccess"

mail:protocolsArray:_array_index:1:error = ""

mail:protocolsArray:_array_index:2:status = "ON"

mail:protocolsArray:_array_index:2:kind = "INCOMING"

mail:protocolsArray:_array_index:2:protocol = "SMTP"

mail:protocolsArray:_array_index:2:state = "RUNNING"

mail:protocolsArray:_array_index:2:service = "MailTransferAgent"

mail:protocolsArray:_array_index:2:error = ""

mail:protocolsArray:_array_index:3:status = "ON"

mail:protocolsArray:_array_index:3:kind = "OUTGOING"

mail:protocolsArray:_array_index:3:protocol = "SMTP"

mail:protocolsArray:_array_index:3:state = "RUNNING"

mail:protocolsArray:_array_index:3:service = "MailTransferAgent"

mail:protocolsArray:_array_index:3:error = ""

mail:protocolsArray:_array_index:4:status = "OFF"

mail:protocolsArray:_array_index:4:kind = "INCOMING"

mail:protocolsArray:_array_index:4:protocol = ""

mail:protocolsArray:_array_index:4:state = "STOPPED"

mail:protocolsArray:_array_index:4:service = "ListServer"

mail:protocolsArray:_array_index:4:error = ""

mail:protocolsArray:_array_index:5:status = "ON"

mail:protocolsArray:_array_index:5:kind = "INCOMING"

mail:protocolsArray:_array_index:5:protocol = ""

mail:protocolsArray:_array_index:5:state = "RUNNING"

mail:protocolsArray:_array_index:5:service = "JunkMailFilter"

mail:protocolsArray:_array_index:5:error = ""

mail:protocolsArray:_array_index:6:status = "ON"

mail:protocolsArray:_array_index:6:kind = "INCOMING"

mail:protocolsArray:_array_index:6:protocol = ""

mail:protocolsArray:_array_index:6:state = "RUNNING"

mail:protocolsArray:_array_index:6:service = "VirusScanner"

mail:protocolsArray:_array_index:6:error = ""

mail:protocolsArray:_array_index:7:status = "ON"

mail:protocolsArray:_array_index:7:kind = "INCOMING"

mail:protocolsArray:_array_index:7:protocol = ""

mail:protocolsArray:_array_index:7:state = "RUNNING"

mail:protocolsArray:_array_index:7:service = "VirusDatabaseUpdater"

mail:protocolsArray:_array_index:7:error = ""

mail:logPaths:Server Error Log = "/Library/Logs/Mail/mail-err.log"

mail:logPaths:IMAP Log = "/Library/Logs/Mail/mail-info.log"

mail:logPaths:Server Log = "/Library/Logs/Mail/mail-info.log"

mail:logPaths:POP Log = "/Library/Logs/Mail/mail-info.log"

mail:logPaths:SMTP Log = "/var/log/mail.log"

mail:logPaths:List Server Log = "/Library/Logs/Mail/listserver.log"

mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"

mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"

mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"

mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"

mail:imapStartedTime = "2014-01-01 11:58:58 +0000"

mail:postfixStartedTime = "2014-01-01 11:59:32 +0000"

mail:servicePortsRestrictionInfo = _empty_array

mail:servicePortsAreRestricted = "NO"

mail:connectionCount = 0

mail:readWriteSettingsVersion = 1

mail:serviceStatus = "ENABLED"


I am only running one zone for the domain, my mind is boggled...

Jan 4, 2014 11:34 AM in response to myopicpaideia

Your Kerberos is having a problem, and possibly also Open Directory. That can happen when DNS is incorrect, and also when the local DNS configuration has changed. Usual way to fix that is to export, confirm DNS, and then import. Or to delete the configuration and recreate it.


Public DNS is not returning a host address:

$ dig +short MX grabko.org

0 server.grabko.org.

$ dig +short server.grabko.org.

$


I'd normally also check the reverse DNS here — translate the IP address back to the name — but there isn't an address here.


In addition to the public DNS, you'll also want to test the reverse translation on your local network, if you're using a NAT'd network

dig +short -x your.ip.address.here

which should return the same host name you started with.


One potential option here is to nuke and pave; to start over again with Server.app, and getting DNS to work first (and to respond correctly to the sudo changeip -checkhostname command to verify that), then activate and configure the other additional services desired.

Jan 4, 2014 1:37 PM in response to MrHoffman

Thanks a lot, Mr. Hoffman!


Nuking and paving is not a big deal because I am setting it up for the first time, there is nothing to lose really. I just want to make sure I really have nuked everything properly so I can start with a clean slate, can you give me a couple of pointers on that?


My output for the internal network is:

server:~ myopicpaideia$ dig +short -x 10.0.1.254

server.grabko.org.


I used the guide at yes>/dev/null - here - in the first place, and followed the advice given there. I set up in this order:


  1. DNS - confirmed everything was good
  2. Open Directory - followed the guide and verified everything was working as per instructed
  3. Mail Service
  4. Calendar Service
  5. Contacts Service


I think something may have been askew because of legacy playing around I did a couple of years ago when I first got the machine? Can I wipe the slate clean without having to wipe the Mac mini completely?


Is the public DNS the one at GoDaddy? I will go and double check it is pointing right!

Jan 4, 2014 2:29 PM in response to myopicpaideia

Just want to add that my router configuration is a bridged ISP cable modem into a latest generation 2TB Airport Extreme Timecapsule.


Currently, when I go into the Airport Extreme's settings via Airport Utility it says DHCP and NAT. Am I using a NAT'd network, and should I change it to DHCP only?


The public DNS is pointing to my LAN's public IP address - my local DNS is supposed to translate that on to my private IP address, correct? And it appears to be doing so for my MX record, but not my server?


My DNS is responding correctly to -checkhostname - it has from the start, that is what is odd.

Jan 4, 2014 2:56 PM in response to myopicpaideia

Hi


"Is the public DNS the one at GoDaddy?"


Yes.


"My DNS is responding correctly to -checkhostname - it has from the start, that is what is odd"


The command verifies the viability of the private DNS view for your domain and has nothing to do with the public DNS view for your domain.


Your MX Record (the public one at GoDaddy) does not resolve to anything:


host -t MX grabko.org

grabko.org mail is handled by 0 server.grabko.org.


Testing it reveals this:


host server.grabko.org.

Host server.grabko.org not found: (NXDOMAIN)


Finally 213.66.19.121 resolves to your ISP's rDNS record for that block of addresses.


Just some friendly advice but if you want to successfully host your own mail server you really do need a fixed public IP address, an MX Record that resolves correctly as well as some idea of how to secure it properly.


HTH?


Tony

Jan 4, 2014 11:36 PM in response to Antonio Rocco

Thank you for the reply as well, much appreciated.


Are you saying that the public address doesn't resolve back to my domain but rather the domain that my ISP has set up for that block of public IP addresses?


That this output:

server:~ myopicpaideia$ dig +short -x 213.66.19.121

213-66-19-121-no132.tbcn.telia.com


Should read:

server:~ myopicpaideia$ dig +short -x 213.66.19.121

server.grabko.org


Would this be resolved by requesting a static IP from my ISP? Or could I portforward port 25 into my server using my AirPort Extreme to address this issue?


Am I delusional in thinking that just because I have had the same public IP for well over a year, and it will not change unless I refresh my DHCP lease from the ISP (or become disconnected for longer than a few minutes) that I do not really absolutely need a static IP (I could just stop and restart the services with the corrected DNS records and it would be good to go again?)?


As for securing it properly, I am going to be relaying all mail traffic through my ISP's mail relay server as seen above in my postconf output. I also will be using Server.app's junk mail and virus filtering options, as well as SSL.


Is this what you mean by securing it properly? Or did you mean something else?


Again, thank you both so much for the help, I really do appreciate it very much!

Jan 5, 2014 12:17 AM in response to myopicpaideia

Would this be resolved by requesting a static IP from my ISP?


Indirectly, maybe. You can resolve this by asking your ISP to set up reverse DNS for your IP address, rather than using their generic reverse hostnames. Few, if any, ISPs will do this for dynamic/residential-type accounts and therefore you may need to go to a static IP address, but even that won't solve your problem unless you expressly ask for reverse DNS.


Or could I portforward port 25 into my server using my AirPort Extreme to address this issue?


Port forwarding will make no difference - indeed, you've probably already set up port forwarding if connections are getting to your server.


Am I delusional in thinking that just because I have had the same public IP for well over a year, and it will not change unless I refresh my DHCP lease from the ISP (or become disconnected for longer than a few minutes) that I do not really absolutely need a static IP (I could just stop and restart the services with the corrected DNS records and it would be good to go again?)?


On a dynamic address you have zero, zip, nada control over your reverse DNS. You will have to engage your ISP to resolve that. If you don't then you WILL have problems getting and sending mail. What's more, the problems may be transient and/or silent, so you don't even know that your mail isn't getting in (or out).

Mail without valid, working reverse DNS is just asking for trouble.

Jan 5, 2014 4:39 PM in response to myopicpaideia

If my ISP won't do reverse DNS or give me a static IP without going up to some kind of corporate service, can I use something like DynDNS to fix this?


No. The ONLY entity that has control over your reverse DNS is your ISP. DynDNS (and their like) can do forward DNS for you, but reverse is a beast of a different color.


It's not uncommon to find that ISPs don't do this for residential accounts - there are few reasons for most residential users to need it, but it's something that commercial accounts need all the time.
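The MX, A and PTR lookups the replies above run by hand with dig and host can be combined into one consistency check. The following is an added example, not code from any participant in this thread; the function names are hypothetical, the DNS answers are passed in as dictionaries so it runs offline, and the ISP forward record and the "after fix" data are constructed assumptions.

```python
# Added example: offline check of the public mail DNS chain (MX -> A -> PTR).
# DNS answers are passed in as dicts so the logic runs without a network.

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def check_mail_dns(domain, public_ip, banner_host, dns):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    mx_hosts = [norm(h) for _pref, h in sorted(dns["MX"].get(norm(domain), []))]
    if not mx_hosts:
        findings.append(f"{domain}: no MX record")
    for host in mx_hosts:
        addrs = dns["A"].get(host, [])
        if not addrs:
            findings.append(f"MX target {host} has no A record (NXDOMAIN)")
        elif public_ip not in addrs:
            findings.append(f"MX target {host} resolves to {addrs}, not {public_ip}")
    ptr = dns["PTR"].get(public_ip)
    if ptr is None:
        findings.append(f"{public_ip}: no PTR record")
        return findings
    ptr = norm(ptr)
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    if public_ip not in dns["A"].get(ptr, []):
        findings.append(f"PTR {ptr} does not resolve back to {public_ip}")
    # The name in the 220 banner / HELO should be the name the PTR returns.
    if ptr != norm(banner_host):
        findings.append(f"PTR {ptr} does not match banner host {norm(banner_host)}")
    return findings

# Snapshot of the public answers quoted in the thread.
AS_POSTED = {
    "MX": {"grabko.org": [(0, "server.grabko.org.")]},
    "A": {
        # Assumption: the ISP publishes the forward record for its generic
        # name; the thread does not show this lookup.
        "213-66-19-121-no132.tbcn.telia.com": ["213.66.19.121"],
    },
    "PTR": {"213.66.19.121": "213-66-19-121-no132.tbcn.telia.com"},
}

# Constructed target state: A record published, PTR set by the ISP.
AFTER_FIX = {
    "MX": {"grabko.org": [(0, "server.grabko.org.")]},
    "A": {"server.grabko.org": ["213.66.19.121"]},
    "PTR": {"213.66.19.121": "server.grabko.org."},
}

def run(dns):
    """Check grabko.org with the IP and myhostname value quoted in the thread."""
    return check_mail_dns("grabko.org", "213.66.19.121", "server.grabko.org", dns)

if __name__ == "__main__":
    for label, dns in (("as posted", AS_POSTED), ("after fix", AFTER_FIX)):
        print(label, run(dns) or "consistent")
```

To use it against live data, fill the three dictionaries from `dig +short MX`, `dig +short` and `dig +short -x` output taken from outside the local network, since the private DNS view answers differently.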
