Mon, Aug 20, 2007 11:35 pm

Premature EOM in Sendmail Log File

A user reported that she had been unable to receive email from two email addresses. The server processing her incoming email is running sendmail. When I looked in the /var/log/maillog files, where entries related to successful and unsuccessful email delivery attempts for sendmail are stored, for any entries related to one of the email addresses she mentioned, I did not see any, but I saw many entries similar to the following for the domain name used in that email address, which mentioned collect: unexpected close on connection.

Aug 16 23:37:57 frostdragon sendmail[3738]: l7H3ak69003738: collect: premature EOM: unexpected close
Aug 16 23:37:57 frostdragon sendmail[3738]: l7H3ak69003738: collect: unexpected close on connection from mail6.tcusa.com, sender=<orders@example.com>

I had also been receiving reports from others that sending even small messages sometimes takes a long time. A couple of times when I checked the number of SMTP connections to the server with netstat -a | grep smtp | wc -l, I found over 60 connections from other email servers. Previously, I would find that there would usually be no more than a dozen such connections at any given time. And, if I connected to the SMTP port with telnet mail.example.com 25, I would sometimes see fairly slow responses.

In searching for information on the problem, I found Sendmail ‘collect: premature EOM: unexpected close’ solution. The author was encountering the same problem, which he traced to the use of a defunct DNSBL, relays.ordb.org. Like the author, I have been using relays.ordb.org for a long time to block incoming spam to the server. In the /etc/mail/sendmail.mc file on the server, I have the following line.

FEATURE(`dnsbl', `relays.ordb.org', `"550 Mail from " $`'&{client_addr} " refused due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl

I removed the above line from /etc/mail/sendmail.mc, but added another DNSBL in its place, the Abusive Hosts Blocking List (AHBL), which I found listed at HOWTO: Sendmail tips for Ensim, by adding the following line to /etc/mail/sendmail.mc.

FEATURE(dnsbl,`dnsbl.ahbl.org', `"550 Host is on the AHBL - Please see [url]http://www.ahbl.org/tools/lookup.php?ip=[/url]"$&{client_addr}')dnl

I then took the following steps to update sendmail's configuration information so that it no longer checks the relays.ordb.org blocklist, but uses the AHBL list instead.

  1. I issued the command below

    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

  2. I then stopped and restarted sendmail with the command below

    /etc/init.d/sendmail restart

According to DNS Blacklist ORDB.org is shutting down, the relays.ordb.org DNSBL has been shut down since December 18, 2006. When I tried pinging it, I didn't get a response, and an nslookup on the name returned an error message as well.

# nslookup relays.ordb.org
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
;; connection timed out; no servers could be reached

I'm using 5 other blocklists as well, so I checked all of them by pinging them to ensure that no other blocklists that I am using have disappeared. I got responses for all of them, but that just verifies that a system is functioning at the address pinged. To check whether a system is actually functioning as a DNSBL at that address, you should use the nslookup, host, or dig commands to query the system using a query in the form 2.0.0.127.blacklist.example.com. All of the commands should result in the address 127.0.0.2 being displayed as the IP address for the query. This is because DNSBLs normally work by storing the IP addresses of systems to be blocked as reversed mappings, so that queries are submitted akin to how you would do a reverse lookup for an in-addr.arpa query (see Chapter 9: Howto Create a DNSBL (DNS Black List), if you wish further details on how DNSBLs work). Since the convention is for DNSBLs to always have the address 127.0.0.2 in the list, querying for that address allows for easy testing. E.g., for AHBL, I could use 2.0.0.127.dnsbl.ahbl.org with nslookup, host, or dig.

# nslookup 2.0.0.127.dnsbl.ahbl.org
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         207.233.128.10
Address:        207.233.128.10#53

Non-authoritative answer:
Name:   2.0.0.127.dnsbl.ahbl.org
Address: 127.0.0.2

# host  2.0.0.127.dnsbl.ahbl.org
2.0.0.127.dnsbl.ahbl.org has address 127.0.0.2

# dig +short  2.0.0.127.dnsbl.ahbl.org
127.0.0.2

Note: this won't work for all DNSBLs, e.g. performing an nslookup for 2.0.0.127.dnsrbl.swinog.ch returns ** server can't find 2.0.0.127.dnsrbl.swinog.ch: NXDOMAIN, even though the DNSBL is working.

For checking whether a particular IP address is in one of the blacklists, you would reverse the address and then put a period and the name of the blacklist after it when issuing an nslookup, host, or dig query. E.g., if I wanted to find out whether the addresses 62.30.35.75 and 62.30.35.76 are in the Composite Blocking List (CBL), I could use the commands below.

# host 75.35.30.62.cbl.abuseat.org
75.35.30.62.cbl.abuseat.org has address 127.0.0.2
# host 76.35.30.62.cbl.abuseat.org
Host 76.35.30.62.cbl.abuseat.org not found: 3(NXDOMAIN)

From the results, I see that the first address is in the CBL DNSBL, but the second address is not in the blacklist.

Checking the other blacklists (aka blocklists) I'm using by querying for the presence of 127.0.0.2 in the lists, I found that opm.blitzed.org is no longer functioning either.

# host 2.0.0.127.opm.blitzed.org
;; connection timed out; no servers could be reached

At OPM status, I learned that opm.blitzed.org has also been shut down. It was shut down in May 2006. Details on the shutdown have been posted at [opm-announce] opm.blitzed.org has shut down.

So I removed the line below from /etc/mail/sendmail.mc.

FEATURE(`dnsbl', `opm.blitzed.org', `"550 Mail from " $`'&{client_addr} " refused - see http://opm.blitzed.org"')dnl

After verifying all of the other blacklists I was using in sendmail.mc still worked, I then rebuilt the sendmail.cf file with the m4 command as above and then restarted sendmail again.
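
The checks described above, collected into one script as an added example that is not part of the original post: it pulls the DNSBL zones out of sendmail.mc, builds the reversed-address query name, and tells a listing, an NXDOMAIN answer and a dead zone apart. The function names and the shortened sample sendmail.mc lines are constructed for illustration; the live check assumes host(1) is installed.

```shell
#!/bin/sh
# Constructed sample: the three dnsbl lines from the post with the reject
# messages shortened, plus one line commented out with m4's "dnl".
sample_mc() {
cat <<'EOF'
FEATURE(`dnsbl', `relays.ordb.org', `"550 refused"')dnl
FEATURE(dnsbl,`dnsbl.ahbl.org', `"550 Host is on the AHBL"')dnl
FEATURE(`dnsbl', `opm.blitzed.org', `"550 refused"')dnl
dnl FEATURE(`dnsbl', `disabled.example', `"550 refused"')dnl
EOF
}

# Print the zone of every active FEATURE(dnsbl, ...) line read on stdin.
dnsbl_zones() {
    grep -v '^[[:space:]]*dnl' | tr -d "\`'" |
        sed -n 's/^[[:space:]]*FEATURE(dnsbl,[[:space:]]*\([^,)[:space:]]*\).*/\1/p'
}

# 62.30.35.75 -> 75.35.30.62 (IPv4 only; fails on anything else).
reverse_ip() {
    echo "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1; ok = 1 }
                         END { exit !ok }'
}

# Build the DNS name to look up for address $1 in DNSBL zone $2.
query_name() {
    printf '%s.%s\n' "$(reverse_ip "$1")" "$2"
}

# Map the text printed by host(1) to one status word.
classify_host_output() {
    case "$1" in
        *"has address 127."*)     echo listed ;;
        *NXDOMAIN*)               echo not-listed ;;   # the zone answered
        *"timed out"*|*SERVFAIL*) echo unreachable ;;  # no usable answer
        *)                        echo unknown ;;
    esac
}

# Live test-entry lookup for zone $1; needs host(1) and network access.
check_zone() {
    classify_host_output "$(host -W 5 "$(query_name 127.0.0.2 "$1")" 2>&1)"
}

if [ -n "${1:-}" ]; then        # usage: sh check.sh /etc/mail/sendmail.mc
    dnsbl_zones < "$1" | while read -r z; do echo "$z: $(check_zone "$z")"; done
else                            # offline: show the queries for the sample
    sample_mc | dnsbl_zones | while read -r z; do query_name 127.0.0.2 "$z"; done
fi
```

A zone reported as unreachable for the 127.0.0.2 test entry is the case that was stalling incoming SMTP sessions here; not-listed for the test entry needs a manual look, since some working lists do not publish it.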

References:

  1. Sendmail ‘collect: premature EOM: unexpected close’ solution
    Posted by plattapuss on February 28th, 2007
    Out of Control Image
  2. DNSBL
    Wikipedia, the free encyclopedia
  3. Abusive Hosts Blocking List
  4. HOWTO: Sendmail tips for Ensim
    Posted By: pblinux
    Posted: December 1, 2003
    The Planet Forums
  5. DNS Blacklist ORDB.org is shutting down
    Article ID: KBID002925
    GFI Knowledge Base
  6. Chapter 9: Howto Create a DNSBL (DNS Black List)
    ZyTrax, Inc.
  7. Composite Blocking List
  8. OPM Status
    Blitzed Wiki
  9. [opm-announce] opm.blitzed.org has shut down
    Posted By: Andy Smith grifferz at blitzed.org
    Posted: May 7, 2006
    lists.blitzed.org Mailing Lists
