A family member reported that she hadn't received an email message sent to her today by a Gmail user who had sent her message in reply to the family member's email to her. Since I administer the Sendmail email server she uses, I checked the Sendmail log file at /var/log/maillog. I saw the outgoing email sent to the Gmail address, but no incoming email from that address. So I sent email messages from a Gmail account I have as well as email messages from other external addresses to the root account on the server. The other email messages arrived, but none I sent from the Gmail account arrived. So I ran tcpdump on the server to capture data to/from port 25 on the system, which is the well-known port for Simple Mail Transfer Protocol (SMTP) traffic. I then sent another email message to the root account on the Sendmail server from my Gmail account. After allowing several minutes for an attempted delivery from the Gmail server to occur, I stopped the packet capture with Ctrl-C.

# tcpdump -i enp1s4 port 25 -w smtp_2017-04-30.pcap
tcpdump: listening on enp1s4, link-type EN10MB (Ethernet), capture size 65535 bytes
^C225 packets captured
225 packets received by filter
0 packets dropped by kernel
# ls -lh smtp_2017-04-30.pcap
-rw-r--r--. 1 tcpdump tcpdump 33K Apr 30 12:33 smtp_2017-04-30.pcap
#

The -i option to the tcpdump command tells it what network interface it should listen on. In the case of this particular server, the interface is enp1s4; you can use the ifconfig -a command on a Linux system to see the available network interfaces. The -w option instructs tcpdump to write the packets it captures to the file name that follows the option. Tcpdump can save the captured data in pcap form. This Sendmail server was a Linux system, but tcpdump is available for Microsoft Windows systems as WinDump; it requires WinPcap be installed.
After I captured the data, I transferred the pcap file to another system where I installed Wireshark to analyze the data; I find the graphical user interface (GUI) of Wireshark makes it easier for me to analyze network traffic. Using Wireshark, I found that a Gmail server with IP address 209.85.223.169 (mail-io0-f169.google.com) connected to the Sendmail server, which responded with its banner. The Google server then issued an EHLO command, the Sendmail server responded with a list of commands it supports, and then the Gmail server issued a MAIL FROM: command, at which point the Sendmail server responded with "550 5.7.1 Spam Block:mail from 209.85.223.159 refused - see http://dnsbl.sorbs.net". The Gmail server issued a QUIT command after it received the 550 reply.
I use the Spam and Open Relay Blocking System (SORBS) block list on the Sendmail server to reduce the amount of spam reaching users' inboxes. Since I could see that email from Gmail was being blocked by Sendmail when it checked the Gmail server's IP address against the SORBS blacklist, I then looked in today's mail log file for any references to SORBS and Google and saw a lot of them.

# grep sorbs /var/log/maillog | grep google
Apr 30 10:31:32 moonpoint sendmail[20046]: ruleset=check_relay, arg1=mail-oi0-f44.google.com, arg2=127.0.0.6, relay=mail-oi0-f44.google.com [209.85.218.44], reject=550 5.7.1 Spam Block:mail from 209.85.218.44 refused - see http://dnsbl.sorbs.net/
Apr 30 10:38:25 moonpoint sendmail[20293]: ruleset=check_relay, arg1=mail-oi0-f47.google.com, arg2=127.0.0.6, relay=mail-oi0-f47.google.com [209.85.218.47], reject=550 5.7.1 Spam Block:mail from 209.85.218.47 refused - see http://dnsbl.sorbs.net/
Apr 30 10:53:34 moonpoint sendmail[20523]: ruleset=check_relay, arg1=mail-oi0-f42.google.com, arg2=127.0.0.6, relay=mail-oi0-f42.google.com [209.85.218.42], reject=550 5.7.1 Spam Block:mail from 209.85.218.42 refused - see http://dnsbl.sorbs.net/
Apr 30 11:07:38 moonpoint sendmail[22088]: ruleset=check_relay, arg1=mail-it0-f51.google.com, arg2=127.0.0.6, relay=mail-it0-f51.google.com [209.85.214.51], reject=550 5.7.1 Spam Block:mail from 209.85.214.51 refused - see http://dnsbl.sorbs.net/
Apr 30 11:08:44 moonpoint sendmail[22106]: ruleset=check_relay, arg1=mail-oi0-f45.google.com, arg2=127.0.0.6, relay=mail-oi0-f45.google.com [209.85.218.45], reject=550 5.7.1 Spam Block:mail from 209.85.218.45 refused - see http://dnsbl.sorbs.net/
Apr 30 11:13:59 moonpoint sendmail[22245]: ruleset=check_relay, arg1=mail-it0-f50.google.com, arg2=127.0.0.6, relay=mail-it0-f50.google.com [209.85.214.50], reject=550 5.7.1 Spam Block:mail from 209.85.214.50 refused - see http://dnsbl.sorbs.net/
Apr 30 11:16:05 moonpoint sendmail[22320]: ruleset=check_relay, arg1=mail-oi0-f51.google.com, arg2=127.0.0.6, relay=mail-oi0-f51.google.com [209.85.218.51], reject=550 5.7.1 Spam Block:mail from 209.85.218.51 refused - see http://dnsbl.sorbs.net/
Apr 30 11:17:35 moonpoint sendmail[22335]: ruleset=check_relay, arg1=mail-io0-f170.google.com, arg2=127.0.0.6, relay=mail-io0-f170.google.com [209.85.223.170], reject=550 5.7.1 Spam Block:mail from 209.85.223.170 refused - see http://dnsbl.sorbs.net/
Apr 30 11:25:34 moonpoint sendmail[22898]: ruleset=check_relay, arg1=mail-io0-f181.google.com, arg2=127.0.0.6, relay=mail-io0-f181.google.com [209.85.223.181], reject=550 5.7.1 Spam Block:mail from 209.85.223.181 refused - see http://dnsbl.sorbs.net/
Apr 30 11:27:01 moonpoint sendmail[22941]: ruleset=check_relay, arg1=mail-it0-f50.google.com, arg2=127.0.0.6, relay=mail-it0-f50.google.com [209.85.214.50], reject=550 5.7.1 Spam Block:mail from 209.85.214.50 refused - see http://dnsbl.sorbs.net/
Apr 30 11:29:41 moonpoint sendmail[23537]: ruleset=check_relay, arg1=mail-oi0-f43.google.com, arg2=127.0.0.6, relay=mail-oi0-f43.google.com [209.85.218.43], reject=550 5.7.1 Spam Block:mail from 209.85.218.43 refused - see http://dnsbl.sorbs.net/
Apr 30 11:30:28 moonpoint sendmail[23571]: ruleset=check_relay, arg1=mail-oi0-f49.google.com, arg2=127.0.0.6, relay=mail-oi0-f49.google.com [209.85.218.49], reject=550 5.7.1 Spam Block:mail from 209.85.218.49 refused - see http://dnsbl.sorbs.net/
Apr 30 11:31:43 moonpoint sendmail[23593]: ruleset=check_relay, arg1=mail-oi0-f54.google.com, arg2=127.0.0.6, relay=mail-oi0-f54.google.com [209.85.218.54], reject=550 5.7.1 Spam Block:mail from 209.85.218.54 refused - see http://dnsbl.sorbs.net/
Apr 30 11:32:43 moonpoint sendmail[23613]: ruleset=check_relay, arg1=mail-it0-f46.google.com, arg2=127.0.0.6, relay=mail-it0-f46.google.com [209.85.214.46], reject=550 5.7.1 Spam Block:mail from 209.85.214.46 refused - see http://dnsbl.sorbs.net/
Apr 30 11:33:31 moonpoint sendmail[23626]: ruleset=check_relay, arg1=mail-it0-f41.google.com, arg2=127.0.0.6, relay=mail-it0-f41.google.com [209.85.214.41], reject=550 5.7.1 Spam Block:mail from 209.85.214.41 refused - see http://dnsbl.sorbs.net/
Apr 30 11:35:01 moonpoint sendmail[23716]: ruleset=check_relay, arg1=mail-oi0-f45.google.com, arg2=127.0.0.6, relay=mail-oi0-f45.google.com [209.85.218.45], reject=550 5.7.1 Spam Block:mail from 209.85.218.45 refused - see http://dnsbl.sorbs.net/
Apr 30 11:45:08 moonpoint sendmail[23949]: ruleset=check_relay, arg1=mail-io0-f178.google.com, arg2=127.0.0.6, relay=mail-io0-f178.google.com [209.85.223.178], reject=550 5.7.1 Spam Block:mail from 209.85.223.178 refused - see http://dnsbl.sorbs.net/
Apr 30 11:53:37 moonpoint sendmail[24064]: ruleset=check_relay, arg1=mail-oi0-f54.google.com, arg2=127.0.0.6, relay=mail-oi0-f54.google.com [209.85.218.54], reject=550 5.7.1 Spam Block:mail from 209.85.218.54 refused - see http://dnsbl.sorbs.net/
Apr 30 12:05:44 moonpoint sendmail[25532]: ruleset=check_relay, arg1=mail-io0-f180.google.com, arg2=127.0.0.6, relay=mail-io0-f180.google.com [209.85.223.180], reject=550 5.7.1 Spam Block:mail from 209.85.223.180 refused - see http://dnsbl.sorbs.net/
Apr 30 12:16:13 moonpoint sendmail[26021]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 12:18:14 moonpoint sendmail[26079]: ruleset=check_relay, arg1=mail-io0-f175.google.com, arg2=127.0.0.6, relay=mail-io0-f175.google.com [209.85.223.175], reject=550 5.7.1 Spam Block:mail from 209.85.223.175 refused - see http://dnsbl.sorbs.net/
Apr 30 12:18:57 moonpoint sendmail[26107]: ruleset=check_relay, arg1=mail-io0-f170.google.com, arg2=127.0.0.6, relay=mail-io0-f170.google.com [209.85.223.170], reject=550 5.7.1 Spam Block:mail from 209.85.223.170 refused - see http://dnsbl.sorbs.net/
Apr 30 12:24:24 moonpoint sendmail[26265]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 12:26:06 moonpoint sendmail[26666]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 12:41:16 moonpoint sendmail[27751]: ruleset=check_relay, arg1=mail-io0-f176.google.com, arg2=127.0.0.6, relay=mail-io0-f176.google.com [209.85.223.176], reject=550 5.7.1 Spam Block:mail from 209.85.223.176 refused - see http://dnsbl.sorbs.net/
Apr 30 12:55:57 moonpoint sendmail[28554]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 13:07:14 moonpoint sendmail[29525]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 13:07:22 moonpoint sendmail[29526]: ruleset=check_relay, arg1=mail-io0-f172.google.com, arg2=127.0.0.6, relay=mail-io0-f172.google.com [209.85.223.172], reject=550 5.7.1 Spam Block:mail from 209.85.223.172 refused - see http://dnsbl.sorbs.net/
Apr 30 13:18:22 moonpoint sendmail[29782]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 13:53:49 moonpoint sendmail[31651]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
#

From the log file, I found that SORBS was blocking quite a few Gmail addresses today. When I looked up IP addresses on the SORBS website, I found results like the following:
Note: Times shown are for the latest entry only! Found 2 network entries and 0 host/domain entries.
Problem Entries, (listings will cause email problems.)
142 "Spam" entries [19:45:26 28 Apr 2017 GMT+00].
209.85.223.169 - 142 entries [19:45:26 28 Apr 2017 GMT+00].
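
Added example, not part of the original post: a small Python parser that does what the grep above does by eye, counting check_relay rejections per relay address and grouping relay hostnames by /24. The function names are illustrative; the sample lines are four rejections from the log above plus one constructed non-reject line.

```python
import re
from collections import Counter, defaultdict

# Sample input: four reject lines from the grep output above, plus one
# constructed delivery line to show that unrelated entries are skipped.
SAMPLE_LOG = """\
Apr 30 11:08:44 moonpoint sendmail[22106]: ruleset=check_relay, arg1=mail-oi0-f45.google.com, arg2=127.0.0.6, relay=mail-oi0-f45.google.com [209.85.218.45], reject=550 5.7.1 Spam Block:mail from 209.85.218.45 refused - see http://dnsbl.sorbs.net/
Apr 30 11:13:59 moonpoint sendmail[22245]: ruleset=check_relay, arg1=mail-it0-f50.google.com, arg2=127.0.0.6, relay=mail-it0-f50.google.com [209.85.214.50], reject=550 5.7.1 Spam Block:mail from 209.85.214.50 refused - see http://dnsbl.sorbs.net/
Apr 30 12:00:00 moonpoint sendmail[25000]: constructed0001: from=<user@example.org>, size=1024, relay=mail.example.org [192.0.2.10]
Apr 30 12:16:13 moonpoint sendmail[26021]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 12:24:24 moonpoint sendmail[26265]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: ruleset=check_relay, "
    r"arg1=(?P<host>[^,\s]+), arg2=(?P<arg2>[^,\s]+), relay=\S+ "
    r"\[(?P<ip>[^\]]+)\], reject=(?P<code>\d{3}) .*see (?P<list>\S+)$"
)

def parse_rejects(log_text):
    """Yield one dict per check_relay rejection; other log lines are skipped."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(log_text):
    """Return (rejections per relay IP, relay hostnames seen per /24)."""
    per_ip = Counter()
    per_net = defaultdict(set)
    for rec in parse_rejects(log_text):
        per_ip[rec["ip"]] += 1
        per_net[rec["ip"].rsplit(".", 1)[0] + ".0/24"].add(rec["host"])
    return per_ip, dict(per_net)

if __name__ == "__main__":
    per_ip, per_net = summarize(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{n:3d}  {ip}")
    for net, hosts in sorted(per_net.items()):
        print(net, sorted(hosts))
```
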
The blocks are due to the following lines in /etc/mail/sendmail.mc.
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`550 Spam Block: mail from $&{client_addr} refused - see http://dnsbl.sorbs.net/')dnl
I don't want the Sendmail server blocking email from so many Gmail servers. Rather than remove the SORBS blocklist entry from /etc/mail/sendmail.mc, I whitelisted IP address ranges used by Google for its Gmail mail service using IP address ranges I found on the Google support site at Email bounces because your IP address is blacklisted in the "Show me Gmail IP addresses to whitelist" section.
64.18.0.0/20
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
172.217.0.0/19
173.194.0.0/16
207.126.144.0/20
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
2001:4860:4000::/36
2404:6800:4000::/36
2607:f8b0:4000::/36
2800:3f0:4000::/36
2a00:1450:4000::/36
2c0f:fb50:4000::/36
The last six address ranges are IPv6 ranges; the prior ones are IPv4 address ranges. To stop the IP address blocking by Sendmail due to the use of the SORBS blacklist, I added the following lines to the /etc/mail/access file.

# Gmail
64.18.0.0/20 RELAY
64.233.160.0/19 RELAY
66.102.0.0/20 RELAY
66.249.80.0/20 RELAY
72.14.192.0/18 RELAY
74.125.0.0/16 RELAY
108.177.8.0/21 RELAY
172.217.0.0/19 RELAY
173.194.0.0/16 RELAY
207.126.144.0/20 RELAY
209.85.128.0/17 RELAY
216.58.192.0/19 RELAY
216.239.32.0/19 RELAY
2001:4860:4000::/36 RELAY
2404:6800:4000::/36 RELAY
2607:f8b0:4000::/36 RELAY
2800:3f0:4000::/36 RELAY
2a00:1450:4000::/36 RELAY
2c0f:fb50:4000::/36 RELAY

I then rebuilt the access database map by issuing the command below from the root account:

# makemap hash /etc/mail/access </etc/mail/access
#

Once I did that, I was then able to successfully send email from my Gmail account to email accounts on the Sendmail server. And, surprisingly, prior email messages that I had sent when the SORBS block list was preventing email deliveries from Gmail servers then arrived as well, as did the message from the Gmail user that led to the family member reporting the problem to me. Since a 550 error code indicates a permanent delivery problem, unlike some other SMTP reply codes, I didn't expect a Gmail SMTP server to attempt to deliver those messages again.
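
Added example, not part of the original post: Sendmail's cf/README describes IP keys in the access map as network numbers matched on octet boundaries, and the Sendmail distribution ships a contrib script, cidrexpand, for converting CIDR input into that form. The Python sketch below (illustrative function names, IPv4 only) checks which listed range covers relay addresses from the log and expands a range into octet-boundary keys.

```python
import ipaddress

# IPv4 ranges from the Gmail list in the post.
GMAIL_V4 = [
    "64.18.0.0/20", "64.233.160.0/19", "66.102.0.0/20", "66.249.80.0/20",
    "72.14.192.0/18", "74.125.0.0/16", "108.177.8.0/21", "172.217.0.0/19",
    "173.194.0.0/16", "207.126.144.0/20", "209.85.128.0/17",
    "216.58.192.0/19", "216.239.32.0/19",
]
# Relay addresses that appear in the rejections quoted in the post.
REJECTED = ["209.85.223.169", "209.85.218.44", "209.85.214.51"]

def covering_range(ip, ranges=GMAIL_V4):
    """Return the first listed range that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in ranges:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None

def access_keys(cidr):
    """Expand an IPv4 CIDR range into octet-boundary network keys."""
    net = ipaddress.ip_network(cidr)
    # Round the prefix up to the next octet boundary (/8, /16, /24 or /32).
    boundary = max(8, -(-net.prefixlen // 8) * 8)
    return [
        ".".join(str(sub.network_address).split(".")[: boundary // 8])
        for sub in net.subnets(new_prefix=boundary)
    ]

def access_lines(cidr, action="RELAY"):
    """Render access-file lines; RELAY is the action used in the post."""
    return [f"{key}\t{action}" for key in access_keys(cidr)]

if __name__ == "__main__":
    for ip in REJECTED:
        print(ip, "->", covering_range(ip))
    print("\n".join(access_lines("64.18.0.0/20")))
```

Per cf/README, RELAY also permits relaying from the listed hosts, while OK accepts their mail without granting relay rights; pass action="OK" where relaying is not intended.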