Hopefully this will be useful for figuring out why SMTP sometimes fails even though you have full pingability. Since not every server on the internet obeys good practices, it is likely you will sometimes have success even when some of the rules below are broken... just don't count on it. Of course, none of this applies when the mail is handled only by amateur systems end-to-end ;-)<br>
<br>I do apologize for the style in which this is written. I just got done with a fairly large research document for my boss (I manage the network for a private university) and it looks like I'm stuck in that style and tone for a while. Hopefully it'll wear off soon...<br>
<br>Current internet SMTP policies are generally similar to the following:<br><br>SMTP connections on port 25 are accepted and processed only from mail servers (not end-user agents, see further down).<br><br>Additionally, if the port 25 traffic is neither from nor to an address that the server is responsible for (or in its list of valid relay domains), the message will be dropped. Sometimes this happens silently, other times the SMTP server will reject the message. Sometimes, the SMTP server will start rejecting ALL subsequent SMTP commands on this connection.<br>
<br>If the port 25 traffic is not coming from an IP listed as an authoritative mail server (MX/SPF-specified) for the message From address, it will often drop it. Same possible behaviors as above.<br><br>Various other antispoof operations will take place, and unless the jnos box sending the email is legitimately responsible for the domain of the smtp from address (stuff like having correct MX and SPF records pointing to its internet-visible IP), it will correctly be detected as an attempt to spoof a message and rejected. The fact that it is a "legitimate" spoof doesn't really matter. See <a href="http://en.wikipedia.org/wiki/E-mail_spoofing">http://en.wikipedia.org/wiki/E-mail_spoofing</a><br>
<br>Technically, SMTP is a server-to-server transport protocol, not a user-to-server submission protocol. While it has been used to do both jobs for many years, this is the weakness that led to the booming industry of unsolicited commercial email. As such, open relays are actively shut down or blackholed. <a href="http://en.wikipedia.org/wiki/Open_relay">http://en.wikipedia.org/wiki/Open_relay</a> <br>
<br>Best-practices user-to-mailserver mail submission is now done in compliance with RFC4409 over port 587. This SUBMISSION protocol is effectively ESMTP but with some usage restrictions. Mainly these restrictions are that the mail server must reject MAIL FROM until an SMTP AUTH has been accepted and that it must only accept mail where the from address is from one of the domains it controls. Additionally it SHOULD make sure the AUTHed user is authorized to send mail from that particular address, but this isn't always enforced.<br>
Since there are few SMTP AUTHs that are safe as plaintext, this means that it is common to require a STARTTLS crypto session before accepting any SMTP AUTH, thus requiring crypto to submit any email. <br><br>So, if you are sending a message from <a href="mailto:hamguy@example.org">hamguy@example.org</a>, and the internet-visible IP of your JNOS box is NOT that of <a href="http://example.org">example.org</a> and is NOT pointed to by an MX or SPF record for <a href="http://example.org">example.org</a>, many internet servers will reject mail sent by your JNOS box. If appropriate, you can make the JNOS box legitimately responsible for <a href="http://example.org">example.org</a>. Otherwise, you could have the JNOS box speak SMTP over port 587 to the real <a href="http://example.org">example.org</a> machine, which would then pass the message on like any other message. <br>
Or, to put it more simply, if JNOS is "acting like" a user submitting an email to the mail server, port 587 submission is usually needed. If JNOS is being a legitimate mail relay for a domain, it will speak port 25 SMTP to the recipient's MX host and it should be identified as a legitimate relay for that domain in the domain's SPF record. No other configurations are guaranteed (or increasingly, likely) to work on the public internet.<br>
<br>Any mail that doesn't pass through the servers responsible for its from-address domain is technically spoofed. The ever-increasing anti-spam efforts doom all such mail to eventual rejection even if it sometimes works today. Any email server that accepts and forwards an email from random IPs when the mail's from-address is not in its own mail domain is an open relay and will usually be blacklisted as such. Most serious mail domains will ignore all mail from blacklisted servers.<br>
<br>References: <br><a href="http://en.wikipedia.org/wiki/Mail_submission_agent">http://en.wikipedia.org/wiki/Mail_submission_agent</a> (covers the difference between MSA and MTA as well as some details of rfc4409 smtp-submission protocol)<br>
<a href="http://en.wikipedia.org/wiki/Sender_policy_framework">http://en.wikipedia.org/wiki/Sender_policy_framework</a> covers the SPF records, how they work, and why they exist.<br><a href="http://en.wikipedia.org/wiki/Extended_SMTP">http://en.wikipedia.org/wiki/Extended_SMTP</a> (the current mandated form of SMTP)<br>
<a href="http://en.wikipedia.org/wiki/CRAM-MD5">http://en.wikipedia.org/wiki/CRAM-MD5</a> (the only commonly available SMTP AUTH method usable without TLS crypto security. Uses hashing not encryption, so should be legal over amateur links.)<br>
<br><br><br><br><br><div class="gmail_quote">On Sun, Jun 28, 2009 at 12:47, Barry <span dir="ltr"><<a href="mailto:k2mf@ptd.net">k2mf@ptd.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Sat, 27 Jun 2009 16:01:30 +0000 (GMT), <a href="mailto:doug@kalish.com">doug@kalish.com</a><br>
wrote:<br>
<div><div></div><div class="h5"><br>
> I'm having trouble with the smtp gateway:<br>
><br>
> (Set up gateway and ping it)<br>
> jnos> smtp gateway <a href="http://smtp.gmail.com" target="_blank">smtp.gmail.com</a><br>
> jnos> smtp trace 3<br>
> jnos> ping <a href="http://smtp.gmail.com" target="_blank">smtp.gmail.com</a><br>
> jnos> Resolving smtp.gmail.com... <a href="http://209.85.147.109" target="_blank">209.85.147.109</a>: rtt 40<br>
><br>
> (Send a message to <a href="mailto:doug@kalish.com">doug@kalish.com</a>)<br>
> jnos> queue job 432 From: <a href="mailto:ka3l@sceast.ampr.org">ka3l@sceast.ampr.org</a> To: <a href="mailto:doug@kalish.com">doug@kalish.com</a><br>
> Trying Connection to 209.62.105.13<br>
> SMTP client Trying...<br>
> smtp sent: QUIT<br>
><br>
> (smtp is trying to connect to <a href="http://kalish.com" target="_blank">kalish.com</a>, not <a href="http://smtp.gmail.com" target="_blank">smtp.gmail.com</a>)<br>
> jnos> ping <a href="http://kalish.com" target="_blank">kalish.com</a><br>
> jnos> Resolving kalish.com... <a href="http://209.62.105.13" target="_blank">209.62.105.13</a>: rtt 63<br>
><br>
> Help please.<br>
><br>
> Doug KA3L<br>
<br>
</div></div>Very few internet providers permit connections to port 25 off<br>
their "premises". This is done to reduce spam and there is<br>
very little, if anything, you can do about it without drawing<br>
attention to yourself.<br>
<br>
You will need to find an SMTP "gateway" server that permits<br>
SMTP connections from 44-net and then actually connect to it<br>
from a 44-net SMTP client that is *behind* your gateway. You<br>
will likely also need to use a SAFE (source address filter<br>
elimination) tunnel for your packets to the non-ampr internet,<br>
because if your provider filters outgoing connections to port<br>
25, it is also likely they filter outgoing packets which have<br>
source IP addresses that do not belong to its network.<br>
<font color="#888888"><br>
--<br>
73, Barry, K2MF >><br>
<a href="mailto:k2mf@ptd.net">k2mf@ptd.net</a><br>
</font><div><div></div><div class="h5"><br>
_______________________________________________<br>
nos-bbs mailing list<br>
<a href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a><br>
<a href="https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs" target="_blank">https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Regards, Robert Thompson<br><br>====================================================<br>~ Concise, Complete, Correct: Pick Two<br>~ Faster, Cheaper, Better: Pick Two<br>
~ Pervasive, Powerful, Trustworthy: Pick One<br>====================================================<br>
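Added example (not part of this mail, and not JNOS code): a Python model of the two policies the message above describes. Part 1 is the check a recipient's MX makes on port 25, evaluating the connecting IP against the sender domain's SPF record; Part 2 is a port-587 submission server applying the RFC 4409 rules as stated above (no AUTH before STARTTLS, no MAIL FROM before AUTH, sender restricted to the domains the MSA controls and to the AUTHed user's own address). Everything is constructed for the example: the hostnames `msa.example.org` and `jnos.example.org`, the credentials, the SPF records (addresses from the RFC 5737 documentation ranges, plus a 44-net address that is deliberately not listed), and the session transcript. The SPF evaluator only handles `ip4:`, `ip6:` and `all`; the TLS handshake is elided. Nothing here touches the network.

```python
import base64
import ipaddress

# ---- Part 1: the receiving MX on port 25 checks the client IP against SPF ----

# Constructed stand-in for DNS: SPF TXT records for two example domains.
# Only ip4:/ip6:/all terms are evaluated; a real checker also resolves
# a, mx, include and redirect (and looks all of this up in DNS).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.25 ip4:198.51.100.0/24 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mail_from_domain, client_ip):
    """Result an MX reaches for client_ip sending MAIL FROM in mail_from_domain."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                            # mechanism not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                            # record ended without an "all"


# ---- Part 2: the user's own MSA on port 587 applies the submission rules ----

def plain_credentials(user, password):
    """Encode SASL PLAIN credentials (empty authzid) as AUTH PLAIN sends them."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class SubmissionServer:
    """Toy port-587 MSA: AUTH refused before STARTTLS, MAIL FROM refused before
    AUTH, MAIL FROM limited to the MSA's own domains and to the AUTHed user."""

    def __init__(self, hostname, domains, users):
        self.hostname = hostname
        self.domains = {d.lower() for d in domains}
        self.users = users                      # {address: password}, constructed
        self.tls = False
        self.user = None
        self.sender = None

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            auth = "250-AUTH PLAIN\r\n" if self.tls else ""   # advertised only under TLS
            return f"250-{self.hostname}\r\n250-STARTTLS\r\n{auth}250 OK"
        if verb == "STARTTLS":
            self.tls = True                     # the TLS handshake itself is elided
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 5.5.4 Unrecognized authentication type"
            try:
                _authzid, user, password = base64.b64decode(blob).decode().split("\0")
            except ValueError:                  # bad base64, bad UTF-8 or wrong field count
                return "501 5.5.2 Cannot decode credentials"
            if self.users.get(user) != password:
                return "535 5.7.8 Authentication credentials invalid"
            self.user = user
            return "235 2.7.0 Authentication successful"
        if verb == "MAIL":
            if self.user is None:
                return "530 5.7.0 Authentication required"
            if ":" not in arg:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            sender = arg.split(":", 1)[1].strip(" <>")
            if sender.rpartition("@")[2].lower() not in self.domains:
                return "553 5.7.1 Sender domain not handled by this server"
            if sender.lower() != self.user.lower():
                return "553 5.7.1 Not authorized to send as " + sender
            self.sender = sender
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command first"
            return "250 2.1.5 Recipient OK"     # relaying anywhere is fine once AUTHed
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def run_session(server, commands):
    """Feed client commands to the server; return the (client, server) transcript."""
    return [(cmd, server.handle(cmd)) for cmd in commands]


def demo_submission():
    """The JNOS box submitting hamguy@example.org mail to example.org's MSA."""
    creds = plain_credentials("hamguy@example.org", "secret")        # constructed
    msa = SubmissionServer("msa.example.org", ["example.org"],
                           {"hamguy@example.org": "secret"})
    return run_session(msa, [
        "EHLO jnos.example.org",
        "MAIL FROM:<hamguy@example.org>",   # 530: not authenticated yet
        "AUTH PLAIN " + creds,              # 530: STARTTLS required first
        "STARTTLS",
        "AUTH PLAIN " + creds,              # 235
        "MAIL FROM:<hamguy@example.org>",   # 250
        "RCPT TO:<doug@kalish.com>",        # 250: relay to an outside domain is now fine
        "QUIT",
    ])


if __name__ == "__main__":
    for ip in ("192.0.2.25", "44.0.0.1"):
        print(f"SPF {ip} for example.org: {spf_check('example.org', ip)}")
    for client, reply in demo_submission():
        print("C:", client)
        print("S:", reply.replace("\r\n", "\nS: "))
```

Running it shows the 44-net address failing SPF for example.org while the listed IP passes, and the submission transcript collecting a 530 for MAIL FROM before AUTH and a 530 for AUTH before STARTTLS before the authenticated path succeeds. A real client would do the same exchange against the actual MSA with `smtplib.SMTP(host, 587)` followed by `starttls()`, `login()` and `sendmail()`; the server-side checks above are the ones it has to satisfy.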