Sendmail 8.14.2 undisclosed DNSBL lookup failure and NOQUEUE errors (FreeBSD 7.0)

[NathanPardoe]

Hi everyone,

I've been having a problem for months with Sendmail and DNSBL lookups. DNSBL lookups fail without any output in error logs, even with Sendmail's log level set to 22. Furthermore, NOQUEUE errors occur as per the mail logs. The server runs FreeBSD 7.0, fully up-to-date in terms of the base system and ports. The problem has been present since FreeBSD 6.2, and at the risk of sounding stupid, "seemed to happen overnight without me changing anything". Sendmail details are as follows -

Code:

root@darkweb# sendmail -d0.1
Version 8.14.2
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

My hostname.mc file -

Code:

OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')dnl
FEATURE(blacklist_recipients)dnl
FEATURE(greet_pause, `500')dnl Wait half a second before issuing 220 greeting
FEATURE(lookupdotdomain)dnl
FEATURE(mailertable)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(no_default_msa)dnl
FEATURE(nocanonify, `canonify_hosts')dnl
FEATURE(nouucp, 'reject')dnl
FEATURE(redirect)dnl
FEATURE(relay_hosts_only)dnl
FEATURE(smrsh,'/usr/libexec/smrsh')dnl
FEATURE(use_ct_file)dnl
FEATURE(use_cw_file)dnl
FEATURE(virtuser_entire_domain)dnl
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')dnl

dnl Binding options
DAEMON_OPTIONS(`Name=MSA, Family=inet, Port=submission, M=Ea')dnl
DAEMON_OPTIONS(`Name=MTA, Family=inet, Port=smtp, M=E')dnl
DAEMON_OPTIONS(`Name=MTA-SSL, Family=inet, Port=smtps, M=Es')dnl

dnl Local host names file location
define(`confCT_FILE', `-o /etc/mail/trusted-users')dnl
define(`confCW_FILE', `-o /etc/mail/local-host-names')dnl

dnl Various configuration options
define(`confALIAS_WAIT', `0')dnl
define(`confBAD_RCPT_THROTTLE', `2')dnl
define('confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
define('confCHECK_ALIASES','False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confCONNECTION_RATE_THROTTLE', `2')dnl
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define('confDELIVERY_MODE','background')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confDIRECT_SUBMISSION_MODIFIERS', `C')
define(`confDOMAIN_NAME',`darkweb.ticklestix.co.uk')dnl
define('confDONT_EXPAND_CNAMES', 'False')dnl
define('confDONT_PROBE_INTERFACES','True')dnl
define(`confFORWARD_PATH', `')
define(`confMAX_DAEMON_CHILDREN', 20)dnl
define(`confMAX_HOP', `35')dnl
define(`confMAX_MESSAGE_SIZE', `20971520')dnl 20MB attachment limit
define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
define(`confMILTER_MACROS_ENVRCPT',`b,r,v,Z')dnl
define(`confNO_RCPT_ACTION', `add-to-undisclosed')dnl
define('confPRIVACY_FLAGS', 'authwarnings,noexpn,novrfy,goaway,restrictmailq,restrictqrun,needmailhelo,nobodyreturn')dnl
define(`confQUEUE_LA', `5')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confREFUSE_LA', `12')dnl
define(`confRUN_AS_USER', `root:wheel')
define(`confSEPARATE_PROC', `False')dnl
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j TickleStix MTA: $b')dnl
define(`confSUPER_SAFE',`true')dnl
define(`confTO_COMMAND', `1m')dnl
define(`confTO_DATABLOCK', `1m')dnl
define(`confTO_DATAFINAL', `1m')dnl
define(`confTO_DATAINIT', `1m')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_ICONNECT', `15s')dnl
define('confTO_IDENT','0s')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_MAIL', `1m')dnl
define(`confTO_MISC', `1m')dnl
define(`confTO_QUIT', `1m')dnl
define(`confTO_RCPT', `1m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_STARTTLS', `2m')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl

dnl DNS blacklists
FEATURE(`dnsbl',`bl.spamcop.net', `"554 Rejected: Unsolicited e-mail from " $`'&{client_addr} " has been refused. DNSBL list: SpamCop (bl.spamcop.net)."', `t')dnl
FEATURE(`dnsbl',`zen.spamhaus.org', `554 Rejected: Unsolicited e-mail from " $`'&{client_addr} " has been refused. DNSBL list: Spamhaus (zen.spamhaus.org)."', `t')dnl

dnl Mail filters (Milters)
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl

dnl SMTP authentication
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS',`A p y')dnl
define(`confCACERT_PATH', `/usr/local/certs/mail')dnl
define(`confCACERT', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confCLIENT_CERT', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confCLIENT_KEY', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupReadableSASLDBFile')dnl
define(`confRELAY_MSG',`"550 Relaying denied without authentication: Relaying requires authentication over STARTTLS or SSL. Originating sender:" $`'&{client_addr} "."')dnl
define(`confSERVER_CERT', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/local/certs/mail/sendmail.pem')dnl
define(`confTLS_SRV_OPTIONS', `V')
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

dnl Enabling debugging
define(`confLOG_LEVEL', `22')dnl

MAILER(local)dnl
MAILER(smtp)dnl

And an example of the NOQUEUE errors which I cannot resolve -

Code:

May  5 10:49:48 darkweb sm-mta[87963]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MSA: cannot bind: Address already in use
May  5 10:49:48 darkweb sm-mta[87963]: daemon MSA: problem creating SMTP socket

Disabling all daemons and commenting out mailer entries sees the daemon referred to in NOQUEUE errors change accordingly (i.e. disable MSA --> MTA --> MTA-SSL --> Daemon0 when no user-specified daemons exist). I usually operate with the MAILER(local) entry disabled. Besides this, I've tried every combination of rc.conf sendmail-related options. In use at the moment are -

Code:

# Mail Services
## Core
mta_start_script="/etc/rc.sendmail"
sendmail_pidfile="/var/run/sendmail.pid"
sendmail_procname="/usr/sbin/sendmail"
sendmail_enable="YES"
sendmail_flags="-L sm-mta -bd -q30m"
sendmail_submit_enable="NO"
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
sendmail_outbound_enable="YES"
sendmail_outbound_flags="-L sm-queue -q30m"
sendmail_msp_queue_enable="YES"
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m"
sendmail_rebuild_aliases="YES"
## Extras
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
clamav_freshclam_flags="--checks=12"
saslauthd_enable="YES"
spamass_milter_enable="YES"
spamd_enable="YES"

As I said, I've tried using only one of the sendmail_*_enable options in turn, using all, using different flags, using the /etc/rc.d/sendmail init script and other things Google has turned up - all to no avail.

Regarding the DNSBL problem, I've tried using a variety of other lists, and tried removing my custom error message. The only thing I can think of that would cause the DNSBL lookups to fail silently is the, "t" option, but this is to prevent lookup timeouts causing spam mail to be received. I can successfully use the dig command to lookup known spam IP addresses. I'm not sure if it is relevant, but the server defaults to using the router for DNS lookups and the local cache otherwise (djbdns), with both processing DNS queries OK.

I apologise if I haven't explained my problem very well. The e-mail server sends and receives e-mail without issue, however, even when the log level is set to the default the NOQUEUE errors are still present. I appreciate the NOQUEUE errors may be of no significance, but the output of '/etc/rc.d/sendmail status' concerns me -

Code:

root@darkweb# /etc/rc.d/sendmail status
sendmail is running as pid 1038.
sendmail_clientmqueue is not running.

The main issue is the DNSBL lookups failing and seemingly all mail is accepted - when DNSBL lookups worked 90% of the spam I receive was dropped.

Thanks for your help in advance. Again, I apologise for any difficulties in understanding the problem, and if the information provided isn't sufficient. Any advice or comments would be of assistance.

[NathanPardoe]

Bump for assistance.

[J65nko]

Can you do a manual DNSBL lookup?

Does tcpdump show any attempts of sendmail to do a DNSBL lookup?

Code:

# tcpdump -nv -i re0 host 192.168.222.10 and port domain

This example assumes 192.168.222.10 is your DNSBL box.

[NathanPardoe]

Quote:

Originally Posted by J65nko

Can you do a manual DNSBL lookup?

Does tcpdump show any attempts of sendmail to do a DNSBL lookup?

Code:

# tcpdump -nv -i re0 host 192.168.222.10 and port domain

This example assumes 192.168.222.10 is your DNSBL box.

Thanks for the reply. I've run the commands, adjusted to match my hardware and network configurations.

Quote:

root@darkweb# tcpdump -nv -i sis0 host 192.168.1.10 and port domain
tcpdump: listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
00:25:56.173316 IP (tos 0x0, ttl 64, id 20868, offset 0, flags [none], proto UDP (17), length 74) 192.168.1.10.53567 > 192.168.1.1.53: 23645+ A? 81.141.137.78.bl.spamcop.net. (46)
00:25:56.284145 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 127) 192.168.1.1.53 > 192.168.1.10.53567: 23645 NXDomain 0/1/0 (99)
00:25:56.286047 IP (tos 0x0, ttl 64, id 21168, offset 0, flags [none], proto UDP (17), length 91) 192.168.1.10.55018 > 192.168.1.1.53: 7184+[|domain]
00:25:56.318625 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 150) 192.168.1.1.53 > 192.168.1.10.55018: 7184 NXDomain[|domain]

Is the result of running -

Quote:

nathan@darkweb% nslookup 81.141.137.78.bl.spamcop.net
Server: 192.168.1.1
Address: 192.168.1.1#53

** server can't find 81.141.137.78.bl.spamcop.net: NXDOMAIN

I used 81.141.137.78 as it was my IP address at the time of writing. The results of tcpdump indicate DNSBL lookups are taking place. I apologise if I have misunderstood your suggestions, and would appreciate any further help you may be able to offer.

By chance, whilst I was writing this post I left tcpdump monitoring the NIC. It shows two DNSBL lookups taking place via Sendmail -

Quote:

00:27:53.254451 IP (tos 0x0, ttl 64, id 12157, offset 0, flags [none], proto UDP (17), length 75) 192.168.1.10.63366 > 192.168.1.1.53: 42274+ A? 80.152.123.222.bl.spamcop.net. (47)
00:27:53.366346 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 128) 192.168.1.1.53 > 192.168.1.10.63366: 42274 NXDomain 0/1/0 (100)
00:27:53.366561 IP (tos 0x0, ttl 64, id 60466, offset 0, flags [none], proto UDP (17), length 77) 192.168.1.10.52480 > 192.168.1.1.53: 42275+ A? 80.152.123.222.zen.spamhaus.org. (49)
00:27:53.454784 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 93) 192.168.1.1.53 > 192.168.1.10.52480: 42275 1/0/0 80.152.123.222.zen.spamhaus.org. (65)

Could it be that the DNSBL lists I am using don't contain the IP addresses used by spammers? This seems unlikely as all spam gets through regardless of DNSBL use.

[J65nko]

To see more of the DNSBL lookup, which is just a special case of a normal DNS lookup you can use this improved tcpdump command

Code:

tcpdump -nvv -i re0 -s512 host 192.168.222.10 and port domain

Normally tcpdump only captures 96 bytes. The -s512 makes it capture the maximum size of an DNS UPD packet. (192.168.222.10 is my local resolving caching nameserver)
Doing the spamhaus query in your post

Code:

dig 80.152.123.222.zen.spamhaus.org.

; <<>> DiG 9.3.4 <<>> 80.152.123.222.zen.spamhaus.org.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21831
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;80.152.123.222.zen.spamhaus.org. IN    A

;; ANSWER SECTION:
80.152.123.222.zen.spamhaus.org. 1800 IN A      127.0.0.10

;; Query time: 364 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Tue May 13 01:37:34 2008
;; MSG SIZE  rcvd: 65

This produces in tcpdump (on an old OpenBSD amd64 snapshot)

Code:

01:44:52.518263 192.168.222.20.41027 > 192.168.222.10.53
  54582+ A? 80.152.123.222.zen.spamhaus.org. (49) (ttl 64, id 24704, len 77
01:44:52.519029 192.168.222.10.53 > 192.168.222.20.41027: [udp sum ok] 
 54582 q: A? 80.152.123.222.zen.spamhaus.org. 1/0/0 80.152.123.222.zen.spamhaus.org. A 127.0.0.10 (65) (ttl 64, id 8814, len 93)

You now see the complete answer.

This answer in the 127/8 network means it is listed and thus should receive special treatment of your sendmail.
A NXdomain answer means the address is not listed.

I posted a shell script at http://daemonforums.org/showthread.php?t=302 that does the reversal of the IP address for this kind of DNSBL checks.

[NathanPardoe]

Thanks again for the reply. Sorry about the delays in getting back to you, I've been snowed under with work and not had chance to check the forums.

Running the updated command reveals that addresses listed in DNSBLs can be determined, as demonstrated by the following output -

Quote:

root@darkweb# tcpdump -nvv -i sis0 -s512 host 192.168.1.10 and port domain
tcpdump: listening on sis0, link-type EN10MB (Ethernet), capture size 512 bytes
22:56:16.537689 IP (tos 0x0, ttl 64, id 58914, offset 0, flags [none], proto UDP (17), length 77) 192.168.1.10.51968 > 192.168.1.1.53: [udp sum ok] 22625+ A? 80.152.123.222.zen.spamhaus.org. (49)
22:56:16.582227 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 109) 192.168.1.1.53 > 192.168.1.10.51968: [udp sum ok] 22625 q: A? 80.152.123.222.zen.spamhaus.org. 2/0/0 80.152.123.222.zen.spamhaus.org. A 127.0.0.10, 80.152.123.222.zen.spamhaus.org. A 127.0.0.4 (81)

The tcpdump was sourced from checking Spamhaus using the same IP address as before.

Quote:

nathan@darkweb% dig 80.152.123.222.zen.spamhaus.org

; <<>> DiG 9.4.2 <<>> 80.152.123.222.zen.spamhaus.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22625
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;80.152.123.222.zen.spamhaus.org. IN A

;; ANSWER SECTION:
80.152.123.222.zen.spamhaus.org. 1800 IN A 127.0.0.10
80.152.123.222.zen.spamhaus.org. 1800 IN A 127.0.0.4

;; Query time: 46 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed May 14 22:56:16 2008
;; MSG SIZE rcvd: 81

Analysing the Sendmail logs reveals no rejections due to DNSBL listing, and the nightly FreeBSD periodic mail doesn't list any blocklists. It is as if Sendmail ignores the DNSBL options in the configuration file. Perhaps Sendmail is compiled incorrectly, but this seems odd as I am using the standard FreeBSD port.

Sorry if my post has missed anything out. Again, I'd appreciate any further help you could offer.

[J65nko]

I don't run a mailserver. That is why I just did a manual DNSBL lookup to show you what to expect in the tcpdump output.
You will have to determine using tcpdump whether sendmail is doing DNSBL lookups while processing the incoming mail.

From the rc.conf stuff you posted, I saw you use clamav virusscanning. This really can be a resource hog. You could check if you are not somehow running out of resources like file descriptors, memory space etc.

Another point is the /etc/rc.d/sendmail status output complaining that "sendmail_clientmqueue" is not running.

Did you take the necessary steps to "compile' the sendmail mc file into the sendmail.cf format? And make sendmail re-read this file?

I am not really a sendmail expert. If the above suggestions don't work you may be better off to ask on a sendmail mailing list

[NathanPardoe]

Quote:

Originally Posted by J65nko

From the rc.conf stuff you posted, I saw you use clamav virusscanning. This really can be a resource hog. You could check if you are not somehow running out of resources like file descriptors, memory space etc.

Another point is the /etc/rc.d/sendmail status output complaining that "sendmail_clientmqueue" is not running.

Did you take the necessary steps to "compile' the sendmail mc file into the sendmail.cf format? And make sendmail re-read this file?

I am not really a sendmail expert. If the above suggestions don't work you may be better off to ask on a sendmail mailing list

I agree with ClamAV being a resource hog, but it's the only antiviral solution I have tried in conjunction with Sendmail. Based on this experience, I am considering ditching Sendmail altogether. Regarding the compilation and update of Sendmail to use the new configuration files, I've run all appropriate commands. I wrote a simple 'MailRestart.sh' to restart the mail server and associated daemons (SpamAssassin and ClamAV), which recompiles the Sendmail configuration and ensures it is reread.

I'll post my problem on a Sendmail board, but I am greatful of your help. Thanks for your replies and sharing your knowledge of tcpdump. I owe you an e-Beer or webhosting (visit the URL in my signature), get in touch if you need either.

[NathanPardoe]

Turns out the fix was simple, and the problem due to my stupidity. My custom mail start/stop script called "make start" and the rc.d script, which meant the server was started twice. Once I'd changed this, and set an alternate pid file for the MSP queue in rc.conf everything worked perfectly. I had to change the ownership of /var/spool/clientmqueue to root:wheel (preserving default permissions of 770 worked). The rc.conf section for sendmail now looks as follows -

# Mail Services
## Core
mta_start_script="/etc/rc.sendmail"
sendmail_pidfile="/var/run/sendmail.pid"
sendmail_procname="/usr/sbin/sendmail"
sendmail_enable="YES"
sendmail_flags="-L sm-mta -bd -q30m"
sendmail_outbound_enable="YES"
sendmail_outbound_flags="-L sm-queue -q30m"
sendmail_msp_queue_enable="YES"
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m -OPidFile=/var/spool/clientmqueue/sm-client.pid"
sendmail_rebuild_aliases="YES"

[J65nko]

Thanks for posting the solution.

I am sure that in the future, some poor soul lost in the sendmail configuration desert, will appreciate that