Sender verify failed - Me or Them?

[SonServers]

Hi, I have a local user that can not receive mail from a remote user on another system.

Judging by this log, is my server not liking theirs, or is it theirs rejecting the verification? I'm not sure which it is.

2006-10-24 14:53:12 H=(Mail1.remotehost.com) [remoteip] sender verify fail for <[email protected]>: response to "RCPT TO:<[email protected]>" from remotehost.com.abcd.efgh.com [otherremoteip] was: 500 Reject: previous Mail From command was invalid

2006-10-24 14:53:12 H=(Mail1.remotehost.com) [remoteip] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed


To me it almost looks like their server does not like the format my server is using for the sender verify. The main thing I'm trying to figure out is if the problem is at my server or theirs.

 

[RickG]

2006-10-24 14:53:12 H=(Mail1.remotehost.com) [remoteip] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed

In simple terms ...

Your server:

- is rejecting the inbound mail from [email protected]
- addressed to [email protected]
- because your server cannot verify that [email protected] is a valid sender (or remotehost.com is a valid domain, depending on how you have sender verify set).

An earlier post in this thread may be helpful as well as link
http://forums.cpanel.net/showpost.php?p=271595&postcount=4

Hope this helps -

 

[SonServers]

Thanks Rick,

I understand the verify didn't complete, but I was trying to figure out why, as I know the address is valid (they can send to, and receive from it from other services). It looks to me like when my server is trying to verify the address, their server is saying:
500 Reject: previous Mail From command was invalid

I guess I'm wondering if my server is sending out an "invalid Mail From command" in the verification process or if it is likely a config issue on their end and that message doesn't really mean anything.

I had tried to set up the verify whitelist but it wasn't working. I've since entered their domain a couple more times in the whitelist file in different formats and I'm waiting for them to test it. I was able to send a message from another server with the "from" address set to [email protected] and the server didn't try to verify it so maybe the whitelisting will work now.

Thanks again.

 

[sparek-3]

It sounds like that the remote mail server may not be accepting mail from the null sender, which puts it in violation of RFC standards.

Try connecting to Mail1.remotehost.com from your server on port 25 (telnet is good for this) and issuing a sample mail transaction.

telnet Mail1.remotehost.com 25

Then for the transaction:

EHLO <your server's name>

Wait for a response

mail from: <>

Wait for a response, I suspect that this will result in an error. If everything is OK:

rcpt to: <[email protected]>

And wait for a response.

At this point, there's no need to go any further, regardless of whether or not there are errors or not so:

quit

If everything is OK and no errors are generated, then I don't know what the problem is. But I suspect that the mail server does not like the null sender (<>) and that is what is causing this error.

 

[SonServers]

I see three related host names in the error logs. Earlier today, I tried to telnet to all of them and couldn't get an initial connection.


The: "500 Reject: previous Mail From command was invalid" is coming from:
kindredhealthcare.com.s8a1.psmtp.com

Then the next line is the "Sender Verify Failed" but coming from these two hosts:
Mail1.Kindredhealthcare.com
Mail2.Kindredhealthcare.com

Its strange that they reply to my server with that error, but yet I can't initiate a telnet connection on port 25.

(I'm still waiting to hear if the whitelist worked for them.)

 

[sparek-3]

It does not look like mail1.kindredhealthcare.com or mail2.kindredhealthcare.com are accepting connections from outside port 25. But kindredhealthcare.com.s8a1.psmtp.com does and it appears to be listed as an mail exchange for kindredhealthcare.com. I tried connecting to kindredhealthcare.com.s8a1.psmtp.com and doing a simple mail transaction, and I was able to successfully complete it. It looks like this mail server does accept mail from the null sender. If you are still having problems, I would check to make sure that [email protected] is a valid mail account on kindredhealthcare.com.s8a1.psmtp.com.

 

[SonServers]

Thanks for looking at that for me.

What I don't understand is that they claim they can send to kindredhealthcare.com from our server, just that the recipient can't reply because of the verify error.

I did search my log and found where they did indeed send to this outside user:


2006-10-23 15:23:45 1Gc6Kk-00020a-Lv => user <[email protected]> R=boxtraper_autowhitelist T=boxtrapper_autowhitelist
2006-10-23 15:23:51 1Gc6Kk-00020a-Lv => [email protected] R=lookuphost T=remote_smtp H=kindredhealthcare.com.s8a1.psmtp.com
[64.18.7.10] X=TLSv1:AES256-SHA:256
2006-10-23 15:23:51 1Gc6Kk-00020a-Lv Completed

But when [email protected] tries to reply back, they get the verify error from my server.

 

[SonServers]

That's it . . . the null sender.

I tried to telnet in to kindredhealthcare.com.s8a1.psmtp.com and did (using the real user address)

mail from: [email protected]
rcpt to: [email protected]

And got an OK response.


Next I tried:

mail from: <>
rcpt to: [email protected]

and got the:
500 Reject: previous Mail From command was invalid
error.

So then, they should allow null senders but are not which is against standard policy?

 

[SonServers]

Thank you guys for your help today.

After more testing, this certainly looks like it is due to the sending server not accepting null senders.

I did get the whitelist set up correctly so my server is not trying to verify their domain and they can send mail to my clients now.

I appreciate your willingness to assist.

 

[sparek-3]

This looks like a noncompliance issue to me, but perhaps I am wrong. Someone else may be able to corroborate my understanding of this.

If mail is being allowed through when you use a real e-mail address in the MAIL FROM: command but is not being allowed through when you use a null sender (MAIL FROM: <>) then to me that looks like the mail server is not accepting mail from the null sender, which I gather from http://www.dnsstuff.com/pages/rfc1123.htm is required.

But before blame goes entirely to the remote mail server, you may want to check that documentation or see if anyone else here can back me up.

 

[SageBrian]

When I have this issue, I try to educate the sender in why their email is being blocked.

I politely tell them that my server is simply verifying that they exist. It does this by checking with their server. It's THEIR server that is not verifying that they exist.

I then try to send links to the 'rules'
http://www.ietf.org/rfc/rfc2821.txt

I just found this link about it: http://marc.merlins.org/netrants/nullenvelope.txt

I go to DNSreport.com to run a report on their domain to see how many errors show up. I give them a link to that, and a link to a report on my server (no errors). And try to politely imply that if their server admins are not keeping up or using standards for DNS, SPF, etc, then the error is very likely on their end and there may be other security issues they might start being concerned with.

Some people are grateful, and others just don't care... "the mail is just supposed to work!, and I don't have this problem with other servers!" To which I suggest "how do you know your mail is going thru and not just being dumped?"

You can only do so much.
For my really good clients, I will turn off callout for a short period of time to allow the maverick sender thru, letting them know they will likely cause everyone on the server to get more spam during that time.

I'd rather not get into a habit of whitelisting 'bad senders' because then there is no motivation for the bad servers to mend their ways.