Email issues!

I'm banging my head against the wall here.

I know this is a very vague question and it could quite possibly be a multitude of issues, but I'll try my luck anyway.

We have an email server running an old version of IMail.

On Wednesday of last week the server went down and we quickly threw it on another machine to make it operational for the time being. In doing so, we changed the outside IP address of the mail server.

Everything worked fine for a few days, or so we thought.

I came into work Monday morning and email was very sporadic, a few emails would get through, but most would not.

Come to find out that the spool folder was completely full and email was simply not being processed. In the course of fixing that issue, my boss wanted me to briefly turn on Open Relay on the mail server. Don't ask why, I question his decisions often.

I quickly realized it was causing us to take an enormous hit and turned it off.

Mail is working fine now, expect for the fact that we are being blocked by some domains that we were previously able to send to. Would this be due to briefly setting the server to open relay, or the outside IP change?

It's causing me a lot of headaches. I am not at all familiar with IMail and only know the basics of email server operation, so I'm having trouble figuring out what is going on.

I do not have contact information for people in these domains, let alone someone who can actually get into their mail servers.

Suggestions?

I have logs and any other information that you may need to help me!

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

seuss_ssues

When you were an open relay are you aware if you were used by spammers?

That would be my assumption.

theseman

In agreement with seuss_ssues on this one. I would review the logs and also the online black lists to see if your server/domain are listed.

I know our mail server is relay attacked from time to time (we have relay disabled of course, but it still shows up in the logs as attempted).

-Travis

/usr

Yes, it was for certain.

I saw the log that is regularly around 5-6 MB grow to something like 300 MB. That's when I knew something was up.

Even now that I have the mail server set to only relay for internal hosts, I can still see the attempts being denied in the log file.

How would I fix this problem? I really need to get mail to these domains.

Claymoore

/usr wrote:

In doing so, we changed the outside IP address of the mail server.

Have you checked DNS? Not only do the A and MX records have to be correct, but most major ISPs will also require the PTR record to be correct in order to process mail. If you updated the DNS A record with your ISP, make sure they updated the PTR (reverse DNS) record as well.

/usr

Just checked blacklists here.
http://www.mxtoolbox.com/index.aspx

Everything shows "Ok" except for 10 timeouts.

/usr

Have you checked DNS? Not only do the A and MX records have to be correct, but most major ISPs will also require the PTR record to be correct in order to process mail. If you updated the DNS A record with your ISP, make sure they updated the PTR (reverse DNS) record as well.

Bleh, I don't mean to sound like an idiot, but how would I go about checking all of this?

I didn't do any of that when the IP was changed, it was all handled by my boss. And honestly, I'm not entirely sure he understands all of that.

I forgot to mention that my boss is on vacation all week. At a hotel with no internet access, if you can imagine that.

/usr

I mean, even assuming the DNS was wrong, would I actually be getting messages bounced back from their server like the following?

10:14 12:02 SMTP-(00FC056D) 571 Sorry... Connection denied. Listed in deny list.
10:14 12:02 SMTP-(00FC056D) SMTP_DELIV_FAILED
10:14 12:02 SMTP-(00FC056D) >QUIT

/usr

So, will other mail servers dynamically block mail from domains which are set to open relay? I mean, is that a possibility?

undomiel

You could check on some things pretty easily with this site:

mxtoolbox.com

/usr

Everything looked okay on mxtoolbox.

I believe it was the open relay thing. One log message led me to this server.
<http://unblock.secureserver.net

Which clearly tells you that an IP has been blocked due to potential virus/spam.

/usr

554 Transaction Failed. Spam Message not queued.

Another error, different domain.

seuss_ssues

Well you can request to be taken off of most black lists. Also if your just trying to get messages to just one domain i would call their post master and see if you can persuade him into unblocking you.

/usr

So it's going to be a manual thing?

I was crossing my fingers that after a few days we would be taken off whatever list we've been put on for these domains.

seuss_ssues

Im not an email admin so i may be wrong but i do beleive that you will eventually be removed from the lists but that it is a slow process.

/usr

Trying to contact IT people from the problem domains.

It's tough...it's not as if they publish these numbers or anything.

Kaminsky

When your boss told you to put relay on, I hope you got that in email and I hope you bring it up at every appraisal and pay review.

mamono

Getting a mail server removed from the more obscure blackhole lists is a PITA. I agree with Kaminsky. Hope the order was documented.