# sendmail times out or fails to connect to remote server



## stevevg (Apr 16, 2013)

I'm trying to send email from the mail program, via sendmail, but finding it hard to do so, since every server I try to pass an email off to refuses the connection, or times out. Should work: 

```
mail ******@sbcglobal.net
  enter subject and body, terminate with CTRL^D.
```

I get the following in /etc/var/maillog:

```
Apr 15 20:08:07 [myhostname] sendmail[1952]: r3G187tg001952: to=*****@sbcglobal.net, ctladdr=steve (1001/1001), delay=00:00:00,
 xdelay=00:00:00, mailer=relay, pri=30067, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0,
 stat=Sent (r3G1879S001953 Message accepted for delivery)
Apr 15 20:09:35 [myhostname] sm-mta[1955]: r3G1879S001953: to=<******@sbcglobal.net>, ctladdr=<steve@stevevg.com> (1001/1001),
 delay=00:01:28, xdelay=00:01:28, mailer=esmtp, pri=30386,
 relay=mx2.sbcglobal.am0.yahoodns.net. [98.136.217.192], dsn=4.0.0, stat=Deferred: Operation timed out with mx2.sbcglobal.am0.yahoodns.net.
```


----------



## lbol (Apr 16, 2013)

This looks more like a network issue than a sendmail problem. Can you ping the destination address?
`# ping 98.136.217.192`


----------



## kpa (Apr 16, 2013)

ping(8) is not a reliable way to test connectivity to public servers that offer MTA or other services. Very often they are filtering (wrongly IMO) ICMP completely. Use a combination of net/mtr, traceroute(8) or even tcpdump(8) to see how far the connection actually gets and if anything is returned from the host.


----------



## wblock@ (Apr 16, 2013)

ISPs often firewall port 25 for dynamic IP addresses, forcing those people to smarthost through the ISP's mailserver.


----------



## lbol (Apr 16, 2013)

I can connect to the server on port 25


```
# telnet 98.136.217.192 25                                       ~
Trying 98.136.217.192...
Connected to 98.136.217.192.
Escape character is '^]'.
220 mta1293.sbc.mail.gq1.yahoo.com ESMTP YSmtpProxy service ready
```


----------



## kpa (Apr 16, 2013)

What kind of internet connection are we talking about here? If it's PPPoE this could be an MTU problem. The other possibility that comes to my mind is that something in the contents of the messages causes the yahoo mail server to hang up prematurely.


----------



## lbol (Apr 16, 2013)

The message in the logfile clearly says:

```
... stat=Deferred: Operation timed out ...
```


----------



## kpa (Apr 16, 2013)

That's a symptom. What its cause is is unknown. It could be that yahoo has a content filter that actively blocks any further connections after it has found something it does not like.


----------



## stevevg (Apr 16, 2013)

I think my ISP is blocking port 25 - that's the only thing I can think of. I can ping a whole bunch of different mailservers, but can't telnet to any on port 25.

On @wblock@'s suggestion of smarthosting through my ISP's mailserver: Any security concerns with that? I mean, if I'm using somebody else's mailserver, isn't there a possibility that my ISP can cache my email?


----------



## kpa (Apr 16, 2013)

Your mails will be stored temporarily in their mail queue so if you're concerned about that, don't.


----------



## stevevg (Apr 16, 2013)

kpa said:

> Your mails will be stored temporarily in their mail queue so if you're concerned about that, don't.



Theoretically, and hopefully, right? I'm not very good with all this mailserver stuff, but I should think that if you have an email on your machine sitting in a queue at one point in time, it shouldn't be too hard to save that email off for later viewing, or whatever.

I'm not really concerned about _my_ mail being intercepted, since I don't plan to send out much more than verification emails (you know when you make an account on a website, they send you an email, that sort of thing), but rather am more concerned about the theoretical implications, and really the question is, does the ISP really have the right to block port 25? Isn't that, maybe, a little, unethical?


----------



## kpa (Apr 16, 2013)

The network is owned by the ISP and you're only "paying rent" to use it so they can set the rules what can or can not be done in their network. No ethics involved IMHO.

The mails that you forward to your ISP using the smart host technique will be always queued, that's how mail servers work. It's very possible that they do monitor the contents of the mails to some degree, at least the headers might be archived for some time. I believe in some countries it is even required by law to do so.


----------



## stevevg (Apr 16, 2013)

kpa said:

> The network is owned by the ISP and you're only "paying rent" to use it so they can set the rules what can or can not be done in their network. No ethics involved IMHO.



Well shoot. Thought I was going to get the chance to call the phone company and huff and puff and blow a little steam to get my way. Still planning to, though.  

In the sad case that doesn't work, what's some good documentation on relaying mail through my ISP? I've been trying to avoid that, since it seems a lot harder than just using my own mailserver.


----------



## kpa (Apr 16, 2013)

Sendmail can do what you want but the documentation requires some degree of expertise to fully understand it.

This is my set up for simple smart host and masquerade:



```
FEATURE(masquerade_envelope)
MASQUERADE_AS(`mydomain.tld')

define(`SMART_HOST', `[mail.myisp.tld]')
```

This will forward everything to mail.myisp.tld and make everything appear as coming from mydomain.tld instead of the hostname determined by the reverse DNS of my sending system (username@mydomain.tld instead of username@firewall.mydomain.tld).


----------



## wblock@ (Apr 16, 2013)

If you're concerned about privacy, encrypt your mail.  Those packets are already going through the ISP, whether you use their mailserver or not.

Smarthosting is actually pretty easy.  For sendmail(8), create /etc/mail/_hostname_.mc, uncomment the SMART_HOST line by removing the dnl, edit to point to your ISP's mail server, then build and install.  See /etc/mail/Makefile for specific make(1) targets.

```
define(`SMART_HOST', `your.isp.mail.server')
```

The ISP ought to be able to give details on the mailserver.  Some require login, which is more complicated but doable.  The trick is to find someone with the tiniest speck of competence at the ISP.


----------



## wblock@ (Apr 16, 2013)

Oh, and try to telnet(1) to port 25 of the ISP's mailserver.  If that works, but outside mailservers do not, it verifies the firewall idea.


----------



## kpa (Apr 16, 2013)

@wblock@, you're forgetting the square brackets around the address in SMART_HOST, without them Sendmail will try to do MX lookup on the name instead of using it literally as the smart host address. Often the MX lookup will give strange results and smart host doesn't work.


```
define(`SMART_HOST', `[your.isp.mail.server]')
```


----------



## wblock@ (Apr 16, 2013)

The square brackets have never been necessary for me, but okay.


----------



## stevevg (Apr 16, 2013)

So a phone call confirms that they do in fact block the port. Here's a potential problem: the ISP does not host its own mailserver, but rather uses one from Google. I haven't tried it yet, but won't that mean that I won't be able to connect to the Google mailserver, since I'd have to use port 25 to do so? Or do you use a different port when you're smarthosting?


----------



## kpa (Apr 16, 2013)

Most of the time they are not needed but if someone sets the MX records like this they are needed:


```
dig mail.inet.fi mx

; <<>> DiG 9.8.3-P1 <<>> mail.inet.fi mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12190
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;mail.inet.fi.			IN	MX

;; ANSWER SECTION:
mail.inet.fi.		1786	IN	MX	10 mta.inet.fi.

;; AUTHORITY SECTION:
inet.fi.		1766	IN	NS	ns2-usa.global.sonera.net.
inet.fi.		1766	IN	NS	ns2-fin.global.sonera.fi.
inet.fi.		1766	IN	NS	ns1-fin.global.sonera.fi.
inet.fi.		1766	IN	NS	ns1-swe.global.sonera.se.

;; ADDITIONAL SECTION:
mta.inet.fi.		1771	IN	A	195.156.147.12

;; Query time: 0 msec
;; SERVER: 10.71.13.1#53(10.71.13.1)
;; WHEN: Tue Apr 16 20:13:42 2013
;; MSG SIZE  rcvd: 201
```

And in this case mta.inet.fi does not accept mail for delivery but mail.inet.fi does.

Normally the MX records for an address like mail.domain.tld should be empty or point to the address itself.
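
The difference the square brackets make, shown on the `dig` answer above. This is an added example, not part of the original post; the function name `smart_host_targets` is hypothetical and the script only models the lookup order, it does not call sendmail or DNS:

```shell
#!/bin/sh
# Added example: which hosts would be contacted for a given SMART_HOST value,
# given the MX answer for that name. A bracketed name skips the MX lookup.

# Constructed sample: the ANSWER section from the dig output in this post.
DIG_ANSWER='mail.inet.fi.   1786  IN  MX  10 mta.inet.fi.'

# smart_host_targets SMART_HOST DIG_ANSWER_TEXT
# Prints the delivery targets, one per line, lowest MX preference first.
smart_host_targets() {
    host=$1
    answer=$2
    case $host in
        \[*\])
            # [name]: the name is used literally, no MX lookup.
            host=${host#\[}
            host=${host%\]}
            printf '%s\n' "$host"
            return 0
            ;;
    esac
    # Unbracketed: follow the MX records published for the name.
    targets=$(printf '%s\n' "$answer" |
        awk -v name="$host." '
            $1 == name && $3 == "IN" && $4 == "MX" {
                sub(/\.$/, "", $6); print $5, $6
            }' |
        sort -n | awk '{ print $2 }')
    if [ -n "$targets" ]; then
        printf '%s\n' "$targets"
    else
        # No MX record for the name: fall back to the name itself.
        printf '%s\n' "$host"
    fi
}

echo "unbracketed: $(smart_host_targets 'mail.inet.fi' "$DIG_ANSWER")"
echo "bracketed:   $(smart_host_targets '[mail.inet.fi]' "$DIG_ANSWER")"
```

Without brackets the target becomes mta.inet.fi, the host that does not accept mail for delivery; with brackets it stays mail.inet.fi.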


----------



## kpa (Apr 16, 2013)

I would install sendmail from ports, replacing the base system sendmail with mail/sendmail. Configure it to use the security/sasl2 port for authentication so you can use gmail as smart host with username/password authentication.

Basically the handbook guide adapted to use the port version of sendmail:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/smtp-auth.html

Why I would use the port version of sendmail over the base system is that modifying the base system to depend on ports is imo backwards and to be avoided.


----------



## stevevg (Apr 16, 2013)

Step 5 calls for recompiling sendmail using stuff in /usr/src/ - there's nothing in there (I'm on FreeBSD 9). Problem, or is it ok?


----------



## kpa (Apr 16, 2013)

You don't have system sources installed. http://forums.freebsd.org/showthread.php?t=29172


----------



## stevevg (Apr 16, 2013)

Ok so if I do the following:
`dig fidnet.com mx`

And I'm pretty sure that's the proper host - the email address they gave me was me@fidnet.com - I get the following output:


```
;; ANSWER SECTION:
fidnet.com.		43200	IN	MX	20 alt1.aspmx.l.google.com.
fidnet.com.		43200	IN	MX	20 alt2.aspmx.l.google.com.
fidnet.com.		43200	IN	MX	30 aspmx2.googlemail.com.
fidnet.com.		43200	IN	MX	30 aspmx3.googlemail.com.
fidnet.com.		43200	IN	MX	30 aspmx4.googlemail.com.
fidnet.com.		43200	IN	MX	30 aspmx5.googlemail.com.
fidnet.com.		43200	IN	MX	10 aspmx.l.google.com.
```

(and then some).

So I added the following to my /etc/mail/hostname.mc file:


```
FEATURE(masquerade_envelope)
MASQUERADE_AS(`stevevg.com')
define(`SMART_HOST', `[aspmx.l.google.com]')
```

And ran `make` and then `make install restart` (from within the /etc/mail directory, of course), and then tried to run `mail`.

Aside from the difficulty with sasl, I got the following in /var/log/maillog:


```
Apr 16 13:11:22 steve sm-mta[24009]: r3GIA6xP024007: to=<ADDRESS_I_WANT_TO_SEND_TO_SO_BADLY>, ctladdr=<steve@stevevg.com> (1001/1001), delay=00:01:16, xdelay=00:01:15, mailer=relay, pri=30434, relay=aspmx.l.google.com. [74.125.133.27], dsn=4.0.0, stat=Deferred: Operation timed out with aspmx.l.google.com.
```
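
The maillog entries posted in this thread share one pattern: the hand-off to the local MTA on 127.0.0.1 reports `stat=Sent`, while every remote relay ends in `Deferred: Operation timed out`. The following script is an added example, not part of the original post; it summarises that pattern per relay. The function names are hypothetical and the sample lines are constructed from the thread's entries with a placeholder recipient. A match is consistent with outbound port 25 being filtered but does not prove it, since a timeout can also occur after the connection is established.

```shell
#!/bin/sh
# Added example: summarise sendmail delivery results per relay from maillog.

# Constructed sample, modelled on the entries posted in this thread.
SAMPLE_LOG='Apr 15 20:08:07 host sendmail[1952]: r3G187tg001952: to=user@example.net, ctladdr=steve (1001/1001), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30067, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r3G1879S001953 Message accepted for delivery)
Apr 15 20:09:35 host sm-mta[1955]: r3G1879S001953: to=<user@example.net>, ctladdr=<steve@stevevg.com> (1001/1001), delay=00:01:28, xdelay=00:01:28, mailer=esmtp, pri=30386, relay=mx2.sbcglobal.am0.yahoodns.net. [98.136.217.192], dsn=4.0.0, stat=Deferred: Operation timed out with mx2.sbcglobal.am0.yahoodns.net.
Apr 16 13:11:22 host sm-mta[24009]: r3GIA6xP024007: to=<user@example.net>, ctladdr=<steve@stevevg.com> (1001/1001), delay=00:01:16, xdelay=00:01:15, mailer=relay, pri=30434, relay=aspmx.l.google.com. [74.125.133.27], dsn=4.0.0, stat=Deferred: Operation timed out with aspmx.l.google.com.'

# Reads maillog on stdin; prints "<local|remote> <relay> <result>" per entry.
relay_results() {
    awk '
    match($0, /, relay=[^,]*/) {
        # Skip the 8 characters of ", relay=" and keep the first token.
        split(substr($0, RSTART + 8, RLENGTH - 8), r, " ")
        relay = r[1]
        sub(/^\[/, "", relay); sub(/\]$/, "", relay); sub(/\.$/, "", relay)
        stat = $0; sub(/.*, stat=/, "", stat)
        where = (relay == "127.0.0.1" || relay == "localhost") ? "local" : "remote"
        if (stat ~ /^Sent/) res = "sent"
        else if (stat ~ /^Deferred: Operation timed out/) res = "timeout"
        else if (stat ~ /^Deferred: Connection refused/) res = "refused"
        else res = "other"
        print where, relay, res
    }'
}

# Exit 0 when local submission worked but every remote attempt timed out or
# was refused: consistent with (not proof of) filtered outbound port 25.
outbound_smtp_suspect() {
    relay_results | awk '
        $1 == "remote" { n++; if ($3 == "timeout" || $3 == "refused") bad++ }
        $1 == "local" && $3 == "sent" { ok++ }
        END { exit !(n > 0 && bad == n && ok > 0) }'
}

printf '%s\n' "$SAMPLE_LOG" | relay_results
if printf '%s\n' "$SAMPLE_LOG" | outbound_smtp_suspect; then
    echo "all remote relays failed; test port 25 with telnet to confirm"
fi
```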


----------



## lbol (Apr 16, 2013)

Using a smart host doesn't help if your ISP is blocking all traffic on port 25 as sendmail(8) uses that port also to connect to a smart host.


----------



## wblock@ (Apr 16, 2013)

In the few times I've had to deal with this, the ISP's mailserver was inside the network and port 25 to it was open.  Or they might require encryption and use a different port, like TLS on port 465.


----------



## stevevg (Apr 16, 2013)

lbol said:

> Using a smart host doesn't help if your ISP is blocking all traffic on port 25 as
>
> ...



So would this solution work?
http://lifehacker.com/111166/how-to-use-gmail-as-your-smtp-server

If so, would I just do it straight through mail, shortcutting around sendmail?


----------



## wblock@ (Apr 16, 2013)

Should be able to do that with sendmail(8).  Otherwise, you'd have to run some type of MUA on your system.


----------



## saulobrito (May 8, 2015)

I got the same issues in oceandigital, they are firewalling one level above my machine blocking 25 output.


----------

