Mailing List SIMS@mail.stalker.com Message #11386
From: NetHead <nethead@pecandeluxe.com>
Subject: Re: Can't send mail to one particular domain
Date: Thu, 1 Aug 2002 10:08:29 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Claris Emailer 2.0v3, January 22, 1998
Whew! That answer nearly wore me out, Bill! ;-)

You are quite exhaustive with the possible options and I'll comment on
them below:

Wasn't it SIMS Discussions SIMS@mail.stalker.com who once said...

>Date: Wed, 31 Jul 2002 12:37:06 -0400
>From: Bill Cole <listbill@scconsult.com>
>Subject: Re: Can't send mail to one particular domain
>
>
>At 7:10 AM -0700 7/31/02, NetHead  imposed structure on a stream of
>electrons, yielding:
>>HELP!
>>
>>I am new to the group, so maybe this has been addressed somewhere,
>>somehow, but I am pulling my hair out over this one. We are having
>>trouble sending mail to our subsidiary company in the UK. The SMTP
>>monitor shows that SIMS is finding their mail exchanger and attempting to
>>send the mail... but it just sits there and finally it gives up, saying
>>"Connection is broken". I have set the SMTP log to log everything and the
>>following is a pretty typical example of what the SMTP log is reporting:
>>-----begin log excerpt-----
>>08:26:49 5 SYSTEM Line Read: To: "Adam McKenna" <adam@0-degrees.com>,
>><sales@pecandeluxe.co.uk>, "'Shirley Hudson (E-mail)'"
>><shirley_hudson@pecande
>>08:26:49 5 SYSTEM Line Read: cc: "'Julie Mair (E-mail)'"
>><quality@pecandeluxe.co.uk>, "'Ernie (E-mail)'"
>><ernie@pecandeluxe.co.uk>, "'Nicki (E-mail)
>>08:26:49 4 SMTP Line 4967 created for pecandeluxe.co.uk, [S.0000015506]
>>08:26:49 4 SMTP-967(pecandeluxe.co.uk) Got 1 relay(s)
>>08:26:49 5 SMTP-967(pecandeluxe.co.uk) *Status=7
>>08:26:49 4 SMTP-967(pecandeluxe.co.uk) Looking for mx.legend.co.uk.
>>08:26:49 5 SMTP-967(pecandeluxe.co.uk) *Status=9
>>08:26:49 5 SMTP-967(pecandeluxe.co.uk) *Status=8
>>08:30:35 3 SMTP-967(pecandeluxe.co.uk) Failed to connect to
>>[212.69.225.52:25]. reason=60
>>08:30:35 5 SMTP-967(pecandeluxe.co.uk) *Status=9
>>08:30:35 5 SMTP-967(pecandeluxe.co.uk) *Status=7
>>08:30:35 3 SMTP-967(pecandeluxe.co.uk) No relay address is accessable.
>>Error Code=-25010
>>08:30:35 5 SMTP-967(pecandeluxe.co.uk) *Status=2
>>-----end log excerpt-----
>>I'm guessing the "key" line here is "Failed to connect ot
>>[212.69.225.52:25]. reason=60".
>
>Certainly. It means that your machine can't open a connection to
>212.69.225.52 on port 25. 212.69.225.52 is the mail exchanger for
>pecandeluxe.co.uk. It looks like SIMS gave it a serious try, taking
>over 3 minutes to fail.

Ok, that makes sense.

>
>>Now, can anybody tell me what "reason=60"
>>is? Do the "*Status=" statements mean anything significant?
>
>Stalker has never documented those numbers, but I suspect that the
>'reason' code probably equates to some standard Open Transport return
>code (probably in this case a timeout) and the Status codes are
>likely SIMS states denoting what phase of a transaction the SMTP
>module is in. My guesses:
>
>7=getting the next MX record
>9=attempting to connect
>8=waiting for a connection to open
>2=finishing up an attempted send
>
Good guesses. I wish somebody WOULD document all of that. It'd be a big
help to troubleshooting efforts.

>
>>This is very troublesom. I have contacted both my isp and our UK
>>subsidiary's isp. Both indicate that everything is okay in terms of DNS
>>issues.
>
>Well, DNS looks reasonable except for an absurdly short TTL on the
>records for your end and no PTR record (aka 'reverse DNS') for your
>primary MX.  I can connect to both your SIMS machine and the UK
>machine on port 25 without a problem.

Yeah, I don't know why XO is using such a short TTL, either. You'd think
they would be a little smarter than that. Oddly enough, I DO have a PTR
record for my mail server on my local DNS server; obviously that
information is not making it "out" of my network, though. That, however,
brings up a whole "OT" can-o-worms about DNS... If anyone wants to talk
about DNS and NAT issues "off-line", I'm open and could use some savvy
advice.

I cannot connect to port 25 on 212.69.225.52 from anywhere on my network.
I'm using NCSATelnet; simply putting in the ip address and indicating
that I want to connect on port 25. I eventually get a response saying
"Host or gateway not responding". I can, however, connect to my SIMS
server using the same method.
>
>This looks like a connectivity issue, probably a transient one. The
>definitive test would be to attempt to connect to 212.69.225.52 port
>25 from the SIMS machine. You can do this with any telnet client by
>pointing it at the IP and port. If you can connect with the telnet
>client and SIMS is still failing, it's a SIMS issue. If you can't
>connect with the telnet client you may need to do more extensive
>testing with a traceroute tool and get your provider involved.

It is decidedly not transient. It has been going on for over 3 weeks now.
I assumed it was transient the first week. Then I started probing the
second week and contacted my isp, who said they couldn't look up that
domain on their systems and besides, "since your hosting your own mail
server, we can't help you".

I then began contacting our subsidiary and had them contact their isp.
Now in the beginning of the fourth week, I contacted this list.
>
>>Any ideas? Some setting I should check? Has MY domain (pecandeluxe.com)
>>been blacklisted somehow?
>
>It's unlikely that your domain has been blacklisted, but the IP space
>that you are in could be. (note the distinction between domains, i.e.
>'pecandeluxe.com' and the IP address, which is 67.105.93.126  for
>your own primary MX) However, most blacklisting is applied at the
>application level, not the transport level, and this is clearly a
>failure at the transport level: you can't even get a TCP connection
>open to the other end. Generally speaking, if you are blacklisted
>you'll get the connection and try to send mail, and the other end
>will send rejection responses to SMTP commands.

Ahhh! Now I understand!

>
>One outside possibility is that the other end is doing a rather dumb
>trick and attempting to do a reverse DNS lookup on your IP address
>before it even accepts the connection at the TCP level. It looks like
>the geniuses at XO are not providing any rDNS for 67.105.93.126 and
>this WILL impact your ability to send mail from that machine. In most
>cases the impact will be seen at the application layer (i.e. explicit
>rejections in SMTP) but there are some people out there who push such
>checks down into the transport layer (dumb dumb dumb) and the result
>of that would be failed connections.

This appears to be the most likely culprit based on some testing I was
able to do yesterday. Dave Pooser (another SIMS-lister) happens to be in
my neighborhood and called me. We set up an account on his SIMS server
(which has a clear PTR record for DNS) and were able to e-mail our
subsidiary via his server. That, coupled with the fact that I can also
e-mail pecandeluxe.co.uk via AOL, pretty well confirms that the problem
is most likely Legend (the isp for pecandeluxe.co.uk) is doing a "reverse
DNS lookup on [our] IP address before it even accepts the connection at
the TCP level". I have been unable to get them to confirm or deny that
they are doing reverse lookups, but I have a sneaky suspicion that that
is the case.
>
>So, my suggestions:
>
>1. Check if this is transient and/or strictly a SIMS problem. I
>suspect that it is NOT a SIMS issue, and that it IS transient (i.e.
>it has probably already gone away.)  If it is permanent, it is almost
>certainly NOT limited to SIMS. The steps:
>
>   a. Confirm that SIMS is still having the problem by trying to send
>      mail.
>   b. Confirm that SIMS can get mail to go out at all. Anywhere else.

The problem is ONLY with pecandeluxe.co.uk. We are sending mail to all
sorts of other people (as this message's appearance on this list proves).
These two steps are a given; I wouldn't have been crying for help if I
hadn't already checked these things.

>   c. If SIMS is having this problem with all mail, reboot. It's
>      a Mac after all, and bad stuff can happen to the networking.
>   d. If SIMS can't get to that machine but can get to others, try
>      using something like BetterTelnet, MacSSH, or whatever your
>      favorite telnet client is  to connect to port 25 on that IP.
>      If a telnet client can connect while SIMS can't, there's a
>      problem with SIMS itself, and your only hope is to try to get
>      help from Stalker.

See notes about NCSATelnet above.

>   e. If SIMS can't deliver mail anywhere and the telnet test fails
>      as well, it could be that your ISP is filtering your connectivity.
>      Many ISP's don't allow outbound port 25 traffic from accounts that
>      they sell as consumer-grade retail connections. If you don't have a
>      business-class connection, you may be unable to send mail out
>      directly, and may instead need to funnel mail through their servers.
>   f. If this is solely a problem with that remote site, but SIMS can get
>      mail to go elsewhere AND telnet can't get to that site, the problem
>      is with that site in particular.

See comments on point b. above.
>
>
>2. Talk to the people handling the other end and see what sort of
>firewalling and SMTP blacklisting they are using.

Not getting the best response out of them. They asked for a traceroute
and what appeared to be information that indicates they are trying to set
up a PTR record in their DNS for our mailserver. But because of the time
difference, responses are always about 1 day behind.
>
>3. Get XO to tweak your DNS:
>
>    a. Set a reasonable TTL on the MX record for pecandeluxe.com and the
>       A record for bigbrother.pecandeluxe.com. 15 minutes is silly for
>       anything other than dynamic DNS.  (and you really shouldn't even try
>       to run a mail server without a static IP address.) This is not
>       likely to be the source of this problem, but it could interfere with
>       your ability to receive mail reliably and quickly.

I am working on this right now.
>
>    b. Provide a reasonable PTR record for 67.105.93.126. The best
>       choice would be bigbrother.pecandeluxe.com (or whatever your SIMS
>       server uses as a primary name, as long as it resolves to that
>       address,) but if they insist on something under their domain, that
>       would be a lot better than having no rDNS at all. This COULD be the
>       source of this particular problem and not fixing it WILL cause some
>       sites to decline to accept your mail.
>
>
>--
>Bill Cole                                  
>bill@scconsult.com
>
>
>
>------------------------------
I DO appreciate your comments and input. I believe your analysis of the
PTR issue is probably dead-on and that is the direction I will be
pursuing. I will post a note to let everyone know how this turns out.



================================================
|     Doug Starkey                             |
|     Network Administrator                    |
|     Pecan Deluxe Candy Company               |
|     2570 Lone Star Drive                     |
|     Dallas, TX 75212-6308                    |
|     e-mail: nethead@pecandeluxe.com          |
|     voice: 214-631-3669 Ext. 108             |
|     fax: 214-631-5833                        |
================================================

Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster