Can T Send Mail to That Realm

By | May 27, 2022

Version 6.2


Help Me

  • Security
    • Is my Server an open relay?
    • An Account was compromised and my server is being used for mass mailing. What can I do?
  • WebAdmin
    • I have rerouted the Postmaster account and now I cannot log in as the Postmaster.
    • I have deleted the Postmaster account.
    • I have created a secondary Domain and now I cannot log into WebAdmin.
    • When I try to log in, I get the “access from your network is denied” error.
  • SMTP Receiving
    • My Server does not accept mail from my Web script/applet.
  • SMTP Sending
    • My Server cannot send mail to some host using SSL/TLS.
  • Access
    • WebUser connections return the pink page saying “we do not provide Web Access to this domain”.
    • WebUser sessions are disconnected almost immediately after login.
    • What does the “unassigned local network address” error mean?
  • Directory
    • Microsoft LDAP (Outlook and Outlook Express) users cannot find Directory records.
    • Attempts to update Account Settings result in the “directory record with the specified DN is not found” error.
  • Date and Time
    • The time stamps in messages sent or received with CommuniGate Pro are several hours off.
  • Logs
    • Every time I access the WebAdmin interface, a Failure-type ROUTER record appears in the Log.
    • What do these “DNR-16538(xxx.xx.x.xx.rss.mail-abuse.org) A:host name is unknown” records mean?
  • Miscellaneous
    • What is that non-standard UDP port the CommuniGate Pro Server opens on my system?
    • How can I make my formmail-type CGI work with CommuniGate Pro?

This section lists the most common problems with CommuniGate Pro installations and suggests how to solve them.

Security

Is my Server an open relay?

An open relay is an SMTP (or SIP) server configured so that anyone on the Internet can send e-mail (or make calls) through it, not just mail destined to or originating from known users. If you receive a lot of mail/spam of unknown origin but the targets are your local users, that has nothing to do with relaying; relaying means sending through your server to external targets.

With the default settings, CommuniGate Pro is configured NOT to be an open relay: it relays only e-mails (calls) submitted by senders who have authenticated.
Relaying for non-authenticated senders is possible if the sender has connected from an address in the Client IP Addresses list, so make sure there are no excessive addresses there; ideally that list should be empty and all your users must authenticate when sending. If you receive all mail from a gateway, do NOT add the gateway address to the Client IP Addresses list; add it to the UnBlacklistable (White Hole) IP Addresses list instead.

In the SMTP Relaying page make sure:

  • the “Relay to any IP Address: If Received from:” is set to clients or nobody
  • the “Relay to Client IP Addresses: If Sent to:” is set to simple or none
  • the “Relay to Hosts We Backup:” is disabled

An Account was compromised and my server is being used for mass mailing. What can I do?

Someone has learned or guessed the password of an Account and is using that Account to send spam. Note that this case has nothing to do with open relaying.

Open the Mail page in the WebAdmin Monitors realm, and open the Queue page. There you should see a lot of messages with similar size and contents.

  • Open one of these messages to learn the compromised Account name and the sender’s IP address.
  • Click the Reject All Sender’s Messages button.
  • Open the compromised Account Settings page.
    • Reset or disable the password to prevent new logins.
    • Temporarily disable the Mail service to stop mail from being submitted via existing logins.
  • Use the Reject All Sender’s Messages button to clean the Queue. Messages that are being processed at that moment may not be rejected, so you may need to repeat this step several times.

To lower the chances of users’ passwords becoming compromised:

  • Make sure all users use encrypted connections (SSL/TLS) when communicating with the server. That will prevent hackers from learning passwords via network sniffers.
  • Force users to have sufficiently long and complex passwords which cannot be guessed easily.
  • Force Two-factor Authentication, if possible.
  • To prevent brute-force attacks, impose tighter limits in
    • “Failed Logins Limit” in the Account Settings page
    • Temporarily Blocked IP Addresses in the Settings->Network->“Blacklisted IPs” page
  • Enable the Hide ‘Account Unknown’ messages option to hinder address harvesting.

To reduce the damage caused by compromised Accounts, and to make them less attractive to hackers:

  • Impose tighter limits for “Outgoing Mail Limit”, “Outgoing Recipients Limit” and “Max Recipients per Message” in Outgoing Mail Transfer Settings.

    That will reduce the rate at which a hacker can send messages.
  • Impose “‘From’ Address Restrictions” and “‘From’ Name Restrictions” in Outgoing Mail Transfer Settings.

    That will give hackers less freedom for spoofing the message origin.
  • If your customers are to use WebMail/Pronto only and no external SMTP clients, then disable the Relay service in the Enabled Services.

    That will prevent hackers from using SMTP, which is the most convenient way to submit messages.

WebAdmin

I have rerouted the Postmaster account and now I cannot log in as the Postmaster

CommuniGate Pro applies routing rules not only to addresses in incoming messages, but to all addresses it processes. If you have rerouted the postmaster account to some other account abc, then all attempts to log in as the postmaster will cause the Server to try to open the abc account. If you provide the correct password (i.e. the abc account password), you will be able to log in, but you will have the access rights granted to the abc account, not to the postmaster account.

You can still log into the postmaster account even if the postmaster name is redirected to a completely different address. Use the following name instead of the postmaster name:

This address is always routed to the postmaster account. Use the regular postmaster account password with this string.

For more details on the .local routing, check the Local Delivery Module section.

I have deleted the Postmaster account

If you have deleted the postmaster account, stop the Server and start it again.

If the CommuniGate Pro Server does not find the postmaster account during the startup process, it creates a new one. Check the postmaster account files to get the new postmaster password, in the same way you did when you installed the CommuniGate Pro Server.

I have created a secondary Domain and now I cannot log into WebAdmin

When you connect to CommuniGate Pro via a browser, the Server checks the domain name you have specified in the browser URL. If that name matches the name of one of your Secondary Domains, the WebAdmin Interface of that Domain is opened, rather than the Server WebAdmin Interface.

To open the Server WebAdmin Interface, use the Main Domain Name in your browser URL. If that name does not have a DNS A-record or its record points to a different server, use the Server IP Address in the browser URL.

If all Server IP Addresses were assigned to secondary Domains, you can try to use ANY domain name that points to the CommuniGate Pro Server, and does not match any of the Secondary Domain names.

If all Server IP Addresses were assigned to secondary Domains and all DNS domain names pointing to your server are names of your secondary Domains or secondary Domain Aliases, then use the following URL:

http://sub.domain.com:8010/MainAdmin

https://sub.domain.com:9010/MainAdmin

where sub.domain.com is any name pointing to your server computer or any of its IP addresses.

When I try to log in, I get the “access from your network is denied” error

Open the Network pages in the WebAdmin Settings realm, and open the Client IPs page. The Logins from Non-Client IP Addresses option is set to prohibit, so users can connect to the Server only from the addresses listed in the Client IP Addresses field (on the same page).

If the Client IP Addresses field was left empty, you can still connect to the Server if you launch your browser on the Server computer itself, and connect locally, using the http://127.0.0.1:8010 URL.

If you have not entered anything into the Client IP Addresses field, or if you cannot connect from the IP Addresses listed in that field, and you cannot connect to the server locally using the http://127.0.0.1:8010 URL, then:

  • stop the CommuniGate Pro Server;
  • open the {base}/Settings/IPAddresses.settings file, change the ClientOnly option from YES to NO, and save the updated file;
  • start the CommuniGate Pro Server again.

SMTP Receiving

My Server does not accept mail from my Web script/applet

When the SMTP module receives messages, it tries to route the address specified in the Mail From command (the message ‘Return-Path’ address). If the domain name in that address is a name of the Server local Domain and the specified Account (or other Object) is not found in that Domain, the Router returns an error code and the SMTP module refuses to accept the message.

You should reconfigure your script/applet to use either an empty Return-Path (<>) for generated messages, or to use an E-mail address of some existing Account. If the script/applet cannot be reconfigured, you can create an Alias for any existing Account.

If, for example, your script/applet submits messages to your server with the <[email protected]> Return-Path address, and you do not have the webform Account in the mydomain.com Domain, you may want to create the webform alias for the postmaster Account. If delivery of a submitted message fails, the error report will be sent to the postmaster Account.


SMTP Sending

My Server cannot send mail to some host using SSL/TLS

When the CommuniGate Pro SMTP module connects to a mail host/relay and tries to establish a secure (SSL/TLS) connection, it receives the host Certificate and checks the name in that certificate. That name should match either the name of the domain the mail should go to, or the MX relay name for that domain name.

When a remote server hosts several domains on the same IP address, it always sends out only one certificate, because the server cannot learn which domain the incoming messages will go to and thus cannot present the Certificate for that particular domain. As a result, your (sending) server may refuse to proceed.

If the server mainhost.com also hosts client1.com and client2.com domains, and the MX records for all 3 domains point to the same name and to the same IP address on that server, the server will always present only one Certificate – usually, the mainhost.com Certificate.

To allow your CommuniGate Pro Server to send mail securely to client1.com and client2.com domains, you should specify 2 Domain-level Router records:

These records will place mail to client1.com and client2.com domains into the mainhost.com SMTP queue. You should place the mainhost.com name into the Send Encrypted list of the SMTP module. The server will then connect to the mainhost.com server and check its certificate (it should contain either the mainhost.com name or the name of the relay the SMTP module connected to). After that, the SMTP module will establish a secure (SSL/TLS) connection with that server and send mail to recipients in the client1.com and client2.com domains via that secure connection.
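The name check described above can be modelled offline. The following is an added example, not CommuniGate Pro code: it takes a certificate in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert() and applies the rule "the certificate name must match the mail domain or the relay name". The relay name mx.mainhost.com, the sample certificate and the single-label wildcard handling are assumptions made for the illustration.

```python
# Added illustration; not part of CommuniGate Pro.

# Constructed sample: the one certificate the shared host always presents.
SAMPLE_CERT = {
    "subject": ((("commonName", "mainhost.com"),),),
    "subjectAltName": (("DNS", "mainhost.com"),),
}


def cert_dns_names(cert):
    """Collect DNS names from a getpeercert()-style dict, lower-cased."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN extension: fall back to the subject commonName
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return [n.rstrip(".").lower() for n in names]


def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    host = host.rstrip(".").lower()
    if pattern == host:
        return True
    # Assumption: "*.example.com" covers one label only, never the bare domain.
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def tls_name_check(cert, mail_domain, relay_name):
    """Return the name (mail domain or relay) the certificate covers, else None."""
    for pattern in cert_dns_names(cert):
        for candidate in (mail_domain, relay_name):
            if name_matches(pattern, candidate):
                return candidate
    return None


if __name__ == "__main__":
    relay = "mx.mainhost.com"  # hypothetical MX name shared by all three domains
    # Mail queued for client1.com: neither name is in the certificate.
    print("client1.com queue :", tls_name_check(SAMPLE_CERT, "client1.com", relay))
    # Same mail routed into the mainhost.com queue: the domain name matches.
    print("mainhost.com queue:", tls_name_check(SAMPLE_CERT, "mainhost.com", relay))
```

To check a live host, the same functions can be fed the result of getpeercert() on a verified TLS connection to the relay.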


Access

WebUser connections return the pink page saying “we do not provide Web Access to this Domain”

It is very important to understand that the domain names something.com and mail.something.com are completely different domain names. If your CommuniGate Pro Server has the main Domain mycompany.com, and you are trying to connect to it by typing http://mail.mycompany.com:8100 in your Web browser, you will get the page saying that the CommuniGate Pro Server does not provide access to the mail.mycompany.com Domain.

In most cases, you want the domain names mail.mycompany.com, webmail.mycompany.com, etc. to be just other names (aliases) of the mycompany.com CommuniGate Pro Domain. To specify this, open the mycompany.com Domain Settings page and find the Aliases table. In an empty field, enter the mail.mycompany.com name and click the Update button. Now the CommuniGate Pro Server will know that the mail.mycompany.com domain name is just a different name for the mycompany.com Domain it serves. Connection requests specifying the mail.mycompany.com domain name will connect to the mycompany.com CommuniGate Pro Domain, and messages sent to a username@mail.mycompany.com address will be delivered to the account username in the mycompany.com domain.

Note: The WebAdmin interface opens the Server Administrator Interface if the name specified in the browser URL is not a CommuniGate Pro Domain name. This is why connections to the WebAdmin port (8010) can work, while the connections to the WebUser port (8100) return the “pink page”.

WebUser sessions are disconnected almost immediately after login

When a user connects to your server via a “multi-homed HTTP proxy” (used by large ISPs such as AOL), TCP connections come to the CommuniGate Pro Server from several different IP addresses of those proxy servers. If the Require Fixed Network Address option is enabled in the Account WebUser Preferences, user browser connections can be rejected. Disable the Require Fixed Network Address option for those users that connect via “multi-homed proxy” servers. If most of your users connect via those proxy servers, you may want to disable this setting in the Domain Account Defaults or in the All-Server Account Defaults.

What does the “unassigned local network address” error mean

Your CommuniGate Pro server computer has one or several IP (network) addresses assigned to it. Those addresses can be assigned to CommuniGate Pro Domains, and the Domains WebAdmin page shows all Domains with the IP addresses assigned to them.

Usually, the Main Domain has the Assigned IP Addresses setting set to All Available, so all IP Addresses not assigned to secondary Domains are automatically assigned to the Main Domain. If none of your Domains has the Assigned IP Addresses setting set to All Available, then some of your Server IP addresses may not be assigned to any Domain.

When a user connects to the server using a POP or IMAP client and provides just the account name (without the domain name), or when a secure (SSL/TLS) connection has to be established, the CommuniGate Pro Server takes the local IP address the user has connected to and tries to find the Domain that address is assigned to. If that IP address is not assigned to any CommuniGate Pro Domain, then the “unassigned local network address” error is generated.

Open the WebAdmin Settings->General page to see all the Local IP Addresses of your Server. You may have to click the Refresh button to see all addresses. The unassigned IP Addresses are displayed in red.


Directory

Microsoft LDAP (Outlook and Outlook Express) users cannot find Directory records

Most LDAP clients (including the Microsoft Outlook products) contain a setting specifying the Directory subtree that should be used for search operations. In Outlook Express, this setting can be found in Tools->Accounts->Directory Service, on the Advanced tab. It is called Search Base and it should contain the DN for the user domain (by default, that DN is cn=domainname).

If this setting field is left empty, Outlook products silently replace it with the c=country_code string, and search operations fail (unless your Directory has the c=country_code subtree).

If you do want to search the entire Directory with an Outlook product, enter the word top into the Search Base setting field.

Attempts to update Account Settings result in the “directory record with the specified DN is not found” error

This error appears when the Directory Integration option is enabled. This option tells the CommuniGate Pro Server to update the Account record in the Central Directory every time the Account Settings are updated. If the Directory does not contain a record for that account, the error message is returned. Account records may be missing in the Directory if the Accounts were created when the Directory Integration option was disabled.

To fix the problem, open the Domain Settings and find the Directory Integration panel. Click the Delete All button. It will remove all Domain object records from the Directory. Then click the Insert All button. The CommuniGate Pro Server will create a Directory record for the Domain, and then it will create Directory records for all Domain Objects (Accounts, Groups, Mailing Lists).

Note: if the Domain contains more than 100,000 Accounts, the Insert All operation can take several minutes.


Date and Time

Time stamps in messages sent or received with CommuniGate Pro are several hours off

This problem is caused by an incorrect Time Zone setting on the server and/or on the client machines. To check the Time Zone setting value on the server machine, open the General page in the Settings realm of the CommuniGate Pro WebAdmin Interface. The Server Time field should contain the correct Date and Time values and the correct Time Zone value: -0800 means ‘8 hours behind GMT’, +0800 means ‘8 hours ahead of GMT’.

If the Time Zone value is incorrect, fix the OS setting that specifies that value, and re-open the General page to verify the Time Zone value.


Logs

Every time I access the WebAdmin interface, a Failure-type ROUTER record appears in the Log

The WebAdmin interface adds the [email protected] string to the domain name you specify in your browser URL field and tries to route the resulting address as any other E-mail address. If routing fails, the WebAdmin Interface defaults to the main domain and to the Server WebAdmin Interface, but the failure record appears in the Router Log:

Usually this happens when you use a non-qualified domain name (like mail) instead of the qualified domain name (mail.mycompany.com). You should either use the qualified domain name in your browser URLs, or you should add the mail Domain Alias to the mail.mycompany.com CommuniGate Pro Domain.

What do these “DNR-16538(xxx.xx.x.xx.rss.mail-abuse.org) A:host name is unknown” records mean?

When your SMTP module uses RBLs to check the IP address of a server that tries to send mail to your server, it converts that server's aa.bb.cc.dd IP Address into the dd.cc.bb.aa.rbl-server-name domain name, and tries to resolve this name using the DNS system. If the sending server is not a known offender, and its address is not included in the RBL database, this composed domain name will NOT exist in the DNS system, and the DNR module will report this with a Problem-level Log record.

If you use RBL servers, you may want to restrict the DNR module Log Level to Major & Failures events only.
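The conversion described above can be reproduced and reversed when reviewing a Log. The following is an added example, not CommuniGate Pro code: it builds the RBL query name for an IPv4 address and sorts “host name is unknown” records into RBL misses (the sender was checked and is not listed) and other failed lookups. The sample records and addresses are constructed; only the record shape and the rss.mail-abuse.org zone come from this page.

```python
# Added illustration; not part of CommuniGate Pro.
import ipaddress
import re

# Record shape quoted on this page: DNR-<id>(<queried name>) A:host name is unknown
DNR_RECORD = re.compile(r"DNR-\d+\(([^)]+)\)\s+A:host name is unknown")

# Constructed sample records (documentation-range addresses).
SAMPLE_LINES = [
    "DNR-16538(10.2.0.192.rss.mail-abuse.org) A:host name is unknown",
    "DNR-16539(7.100.51.198.rss.mail-abuse.org) A:host name is unknown",
    "DNR-16540(mx.example.invalid) A:host name is unknown",
]


def rbl_query_name(ip, zone):
    """aa.bb.cc.dd -> dd.cc.bb.aa.<zone>, as the page describes (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return reversed_octets + "." + zone.strip(".").lower()


def sender_from_query_name(name, zones):
    """Return the sender IP encoded in an RBL query name, or None."""
    name = name.rstrip(".").lower()
    for zone in zones:
        suffix = "." + zone.strip(".").lower()
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        if len(labels) != 4:
            return None
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(labels))))
        except ValueError:  # e.g. a masked name such as xxx.xx.x.xx
            return None
    return None


def classify_dnr_records(lines, zones):
    """Split records into (senders not listed in the RBL, other unknown names)."""
    rbl_misses, other_failures = [], []
    for line in lines:
        m = DNR_RECORD.search(line)
        if not m:
            continue
        ip = sender_from_query_name(m.group(1), zones)
        if ip is not None:
            rbl_misses.append(ip)
        else:
            other_failures.append(m.group(1))
    return rbl_misses, other_failures


if __name__ == "__main__":
    misses, others = classify_dnr_records(SAMPLE_LINES, ["rss.mail-abuse.org"])
    print("checked, not listed:", misses)
    print("other unknown names:", others)
```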


Miscellaneous

What is that non-standard UDP port the CommuniGate Pro Server opens on my system?

This is a DNR (Domain Name Resolver) socket. The port number is selected by the OS, and it can change if you restart the CommuniGate Pro Server. This socket is used to send requests (UDP packets) to DNS servers and to receive responses from those servers.

Other applications (servers, browsers, etc.) use the same type of sockets to resolve domain names, but they usually open and close those UDP sockets quickly, so you may not notice them in your netstat output. CommuniGate Pro opens the DNR UDP socket when it starts, and uses that socket for all DNR requests, closing the socket only when the Server shuts down.

How can I make my formmail-type CGI work with CommuniGate Pro?

Formmail and similar CGIs are used to send E-mail messages from regular Web Server HTML forms. Implemented in the form of a Perl script, these CGIs use the legacy sendmail program to send the composed messages.

On most platforms, the CommuniGate Pro software installer does not replace the legacy sendmail program, though the package does contain the sendmail replacement program. In order to use that program, you should modify your Perl script: find all references to the sendmail program (usually the default path used is /usr/sbin/sendmail), and replace them with the {application directory}/sendmail references.

For example, if CommuniGate Pro and your CGI are installed on a MacOS X system, where the CommuniGate Pro application directory is /usr/sbin/CommuniGatePro/, the /usr/sbin/sendmail strings in the CGI script should be replaced with the /usr/sbin/CommuniGatePro/sendmail strings.


CommuniGate® Pro Guide. Copyright © 1998-2019, Stalker Software, Inc.


Source: https://communigate.com/CommuniGatePro/HelpMe.html
