
smtp connection slow + messages stuck in queue

brynk

Guest
Last week I started using Plesk 8.1. Everything seems to be working fine, except for some problems with qmail.

My first problem occurs when sending mail using a local mailclient. Sending mail works ok, but connecting to the smtp server takes about half a minute. I tried adding -Rt0 to the server args, but that doesn't seem to have any effect. Also I noticed I don't have this problem when I don't use encryption.

Another problem is some messages getting stuck in the queue. E-mails to certain domains (like aol.com) don't seem to get delivered.

I hope someone can help me out or point me in the right direction.
 
SMTP Slow to respond

I too am having issues.

If you telnet to localhost or the machine's IPs from console.. on port 25.. you immediately get a response from SMTP server.

however...

If you remote to the machine.. telnet machinesip 25 there is a 10-15 hang before SMTP server responds.. initially I thought it may be a firewall issue.. so I shutdown iptables/ipchains and it's still doing it from remote locations.. (any).

Any idea why the connection would take so long remotely and be super fast locally?

The network connect considered remote is very fast.. 8ms ping between. I also tried other remote network.. same 15 sec hang before SMTP answers.

Thanks,
Ron
 
Just recently moved from a FC2 box that had been upgraded to 8.1 to a completely new install of 8.1 on a (bigger box) running CentOS 4 and I'm having similar issues...high server loads, cpu usage, etc.. also slow to connect using smtp.


Hmmm.. something's changed
 
Originally posted by brynk
I tried adding -Rt0 to the server args, but that doesn't seem to have any effect.

Had you done a "/etc/init.d/xinet reload" after that?

I also first thought that my changes to smtp_psa and smtps_psa had no effect. Then I realized that I only reloaded qmail. But since the files are located in /etc/xinetd.d, I had to reload xinet.
I simply rebooted the whole machine and after that it worked. Maybe this helps.

By the way, I only needed to add -R to the server_args. After that all mailclients could send mails without the annoying 30sec delay.

Does anybody know why "-R" is not added by Plesk by default? Why is the reverse-DNS-lookup not working?
 
I have had similar problems, I had very slow SMTP which was resolved by adding -Rt0 to smtp_psa and smtps_psa.

As for not delivering to some domains, I too had this problem, but it was solved at least in some cases by adding an SPF text record to the DNS settings for the domain.

I couldn't deliver to Hotmail, AOL, BT Internet and a few others, all of which check SPF apparently. Worth a shot.
 
Hi!

Same problem, CentOS 4.3 x86_64 Plesk 8.1.

Adding -Rt0 to smtps_psa and smtp_psa (then xinetd restart) fixed the timeout, but I still can't deliver to hotmail, aol, etc.

Ideas?

attempting just -R...
 
Nope, -R and /etc/init.d/xinetd reload; service xinetd restart didn't fix it.

I have SPF and TrendMicro RBL disabled. Can you elaborate on "adding an SPF text record to the DNS settings"?

Do you think this will help me even if I'm not using SPF/TrendMicro?
 
I don't know for sure about all this but here is what I do know, if someone else has any ideas/corrections then please do post so we can all benefit.

My understanding is that you have incoming SPF checking, which ideally should be enabled. This will make sure that all incoming email is being sent from an email address that is authorised to send from that domain name. I have got it setup with the following settings which will deny emails that are denied, but will allow emails where there is no SPF record for that domain or some other problem like that.

Go to the mail settings for the server (not the domain) and set the following options after checking the box to enable SPF.

Checking mode: "Reject mails when SPF resolves to fail (deny)"

Local Rules: include:spf.trusted-forwarder.org

Guess: a/24 mx/24 ptr

Leave the explanation text empty.

Once you've done that add the following TXT record to the DNS zone for the domain you want to send mail from. And to the DNS template if you want it added to all new domains you create.

v=spf1 a mx ptr ~all

That is what I've done and haven't had any complaints since doing it.

As for the MAPS protection, that appears to cause more problems than it solves so I don't use that.

Hope that helps :)
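
As an added illustration (not part of the post above and not Plesk's or qmail's code), this evaluator runs the `v=spf1 a mx ptr ~all` record from the post against constructed zone data to show which senders pass and why `~all` yields softfail rather than fail. The names `evaluate_spf`, `rejected_in_fail_mode` and `DNS` are hypothetical, only the mechanisms named in the docstring are handled, and the reject rule is an assumption based on the checking mode's name.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip, domain, dns):
    """Evaluate record for an IPv4 sender. Only all, a, mx, ptr and ip4 are
    handled; dns holds constructed 'a', 'mx' and 'ptr' tables, not live lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    def in_hosts(hosts, prefix):
        return any(ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
                   for host in hosts for addr in dns["a"].get(host, []))

    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?").lower()
        name, _, prefix = mech.partition("/")
        prefix = prefix or "32"
        if name == "all":
            matched = True
        elif name == "a":
            matched = in_hosts([domain], prefix)
        elif name == "mx":
            matched = in_hosts(dns["mx"].get(domain, []), prefix)
        elif name == "ptr":
            # The PTR name must sit inside the domain and resolve back to the sender.
            matched = any((h == domain or h.endswith("." + domain))
                          and sender_ip in dns["a"].get(h, [])
                          for h in dns["ptr"].get(sender_ip, []))
        elif name.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            continue  # include, redirect and other terms are not handled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def rejected_in_fail_mode(result):
    # Assumption: the "Reject mails when SPF resolves to fail" mode rejects only "fail".
    return result == "fail"

# Constructed sample zone data (documentation address ranges).
DNS = {"a": {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.20"],
             "relay.example.com": ["192.0.2.30"]},
       "mx": {"example.com": ["mail.example.com"]},
       "ptr": {"192.0.2.30": ["relay.example.com"]}}
```

With this data an unlisted sender such as 198.51.100.7 gets softfail under `~all`, so the fail-only mode would still accept it; the same record ending in `-all` gives fail.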
 
Doh!

Some clients are not currently pointing to my nameservers, but should be soon.

Upon further research, I have been led to believe that I simply need my nameserver's reverse PTR's to match up: psoft forum and DNS Report

Wouldn't it be nice if that's all I needed to do...
 
It Works!!

Doh!

Sure enough, all I needed was reverse PTRs... How did I forget this??

For anyone else that may have this issue, here is how to check to see if you have the needed reverses.

In your command line, use dig to test for the reverse record:

[root@columbus ~]# dig +short -x xxx.xxx.xxx.xxx
(where xxx.xxx.xxx.xxx is the IP of your ns1.yourdomain.com)

Do the same for the IP of ns2.yourdomain.com.

If this prints the name of your corresponding nameserver, then your reverses are in place, and GOOD LUCK to you. You may consider checking DNS Report for other errors. Also, you may try the qmHandle -a explained below to tell qmail to "try now" to send mails in the queue.

If this prints nothing but a new line, you do NOT have reverse PTR's in place, and will need to contact your host (whomever is responsible for your IP's; most likely the people you pay $100+/mo. to) about this. Ask them something to the effect of:
Dear host, Please add a reverse PTR record for my IP xxx.xxx.xxx.xxx to ns1.yourdomain.com and xxx.xxx.xxx.xxx to ns2.yourdomain.com.
(again where xxx.xxx.xxx.xxx is the IP's of your nameservers)

After they set this, wait around 3-8 hrs (depending on their TTL), test that the PTR's are resolving with dig -x again, and if they ARE resolving, run qmHandle -a while watching /usr/local/psa/var/log/maillog with tail -f. To do this,
Code:
wget internap.dl.sourceforge.net/sourceforge/qmhandle/qmhandle-1.2.0.tar.gz
tar -zxvf qmhandle-1.2.0.tar.gz
perl qmHandle -a; tail -f /usr/local/psa/var/log/maillog
This tells qmail to try again to send queued mails now. If it shows them sending, it's fixed! If not, GOOD LUCK!!!

Also, for anyone interested in adding kieranjones' text records to all your domains in bulk, make a text file called "list" that is a space or newline delimited list of all the domains you want to add records to. Then run the command:
Code:
for name in `cat list`; do /usr/local/psa/bin/dns.sh --add $name -txt 'v=spf1 a mx ptr ~all' -domain ''; done

kieranjones, if you read this, thanks for your help! Do you recommend we also add the record for mail.domain, like:
Code:
for name in `cat list`; do /usr/local/psa/bin/dns.sh --add $name -txt 'v=spf1 a mx ptr ~all' -domain 'mail'; done
??
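
The `dig -x` check described in the post above, as an added example that is not part of the original post: it classifies an IP as having no PTR, a PTR that is not the expected name, or a PTR that is present, and goes one step beyond the post by confirming that the PTR name resolves back to the same IP. `check_reverse`, the `sample_*` helpers and the 192.0.2.x / example.com data are hypothetical and constructed; called without the lookup arguments it uses the system resolver.

```python
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (the data dig -x shows)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]

def system_addrs(name):
    """Addresses that name resolves to, from the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_reverse(ip, expected=None, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return 'no-ptr', 'ptr-mismatch', 'no-forward' or 'ok' for ip.

    'no-ptr' is the empty dig -x output; 'ptr-mismatch' means a PTR exists but
    is not the expected name; 'no-forward' means the PTR name does not resolve
    back to ip, so the reverse record is not forward-confirmed.
    """
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr"
    if expected is not None:
        names = [n for n in names if n == expected.rstrip(".").lower()]
        if not names:
            return "ptr-mismatch"
    if any(ip in addr_lookup(n) for n in names):
        return "ok"
    return "no-forward"

# Constructed sample data: documentation addresses and example.com names.
SAMPLE_PTR = {"192.0.2.10": ["ns1.example.com."], "192.0.2.11": ["host11.isp.example."],
              "192.0.2.12": ["ns3.example.com."]}
SAMPLE_A = {"ns1.example.com": ["192.0.2.10"], "ns3.example.com": ["192.0.2.99"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_addrs(name):
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for ip, want in [("192.0.2.10", "ns1.example.com"), ("192.0.2.13", "ns2.example.com")]:
        print(ip, check_reverse(ip, want, sample_ptr, sample_addrs))
```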
 
That's really great work, especially how to add the TXT record en masse.

You don't to the best of my knowledge need to add it anywhere else on your DNS zone, just that one record for the domain itself. You may need to add it if you were sending mail from a sub-domain, I'm not sure. But saying that I don't think Plesk can send email from a sub-domain can it?

So yeah, that should be fine just for the main domain itself, not mail.domain.com or whatever.

The website for a great overview of SPF is http://www.openspf.org
 
Thanks! I'm definitely interested in SPF, and I'll check out that site for sure.


Looks like a LOT of people are having this issue... STICKY!
 
newbie question

Where are the server_args so I can add -R to the server_args?
 
http://www.dnsstuff.com/

Whenever you get timeouts on anything that's dealing with DNS or Reverse DNS, run the utility at dnsstuff.com against the domain.

Note, you don't have to pay them to use their service. Just scroll down and use the upper left test.

This is an excellent utility and will lead you to having your DNS set up perfectly if you follow all of its recommendations.
 
unhinged:
Code:
[root@columbus ~]# locate smtps_psa smtp_psa
/etc/xinetd.d/smtps_psa
/etc/xinetd.d/smtp_psa
Don't forget to
Code:
[root@columbus ~]# service xinetd restart
after you edit the files...
 
Phil:
dnsreport.com (that i mentioned in my solution post) is the exact same report as dnsstuff, only higher up on the page...

Nice to see that they finally dropped some graphics on their site!
 
I am having the long wait time on a FreeBSD server. Anyone know where to find the smtps_psa and smtp_psa on it?
 
never played with a bsd box. do you have the locate or slocate command? try that:

# locate smtp_psa smtps_psa

or

# slocate smtp_psa smtps_psa
 
Hello,


Interesting this hotmail stuff. I am really interested in the following:

You send a mail to hotmail > no bounce, no mail delivered.
You send the mail from hotmail > arrives > reply to the mail and you can send to hotmail.

What is this supposed to mean?
Is this like some kind of invitation?
(annoying) from my perspective.
 
All fixed!!

A special thanks to:
bobjones
kieranjones
philb!!!!

Adding the -R argument solved my delay issue, adding SPF checking solved a couple of security issues and I cannot say enough good things about dnsstuff.com/dnsreports.com.

The reverse dns was by far the most difficult issue to solve, because it required me to get the company who issued me my IP address to make the change. Just adding PTR records to my own dns did not solve the problem. I learned a tremendous amount from this experience.

Thank you all!!
 