Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
Jan 08 04 1:56 pm
"A message from xxx.xxx.xxx.xxx was rejected because their server lied to us"?
ID: 0C06, Blocked mail.
I've been getting this message since this morning. Nothing unusual happened. I didn't install anything or upgrade anything... the server was running smoothly till now...
The weird thing is, all the blocked messages come from my internal network!!! Every user is trying to send emails to the outside, but WinGate blocked them all!!
I'm not using authentication: every client gets an IP from WinGate DHCP, ENS/NAT enabled.
Users config is OK. It was running OK until this morning....
Does anyone have any idea about it?
Regards
Jan 08 04 2:16 pm
Jason,
I know I'm going to have trouble explaining this but here goes.
That indicates that the sending server/agent identified itself in a way that spammers often use.
The sender will send
ehlo xxx.xxx.xxx.xxx
or
helo xxx.xxx.xxx.xxx
Where xxx.xxx.xxx.xxx is the IP address of the WinGate SMTP server.
Since this is the IP of the receiver and WinGate knows it is - this can't be correct.
WinGate SMTP rejects the message and issues a Server Lied error.
Now, how that applies in your situation I'm not sure.
What clients/apps are talking to WinGate SMTP?
Larry
Jan 08 04 2:19 pm
Jason Dax wrote: "A message from xxx.xxx.xxx.xxx was rejected because their server lied to us"?
You will get this message if the server you are connecting to (HELO or EHLO) sends a HELO like:
HELO www.xxx.yyy.zzz
where www.xxx.yyy.zzz is either a local IP (WinGate Server's) OR it does not match the IP address the WG Server is connected to (if it is an IP address).
(Okay, so Larry beat me to it ... )
Jan 09 04 1:39 pm
OK. This is the scenario I have:
1- Workstations running inside my network are using Outlook Express to receive their messages. IPs in range 192.168.10.xxx. A few are using Incredimail.
2- WG Server internal NIC, IP 192.168.10.1; the external NIC has a public IP. Running as POP3/SMTP & DHCP server.
Till yesterday morning everything was OK. I don't get what caused the problem.
OE is configured as usual: the POP3 server is the name of my server, the same as the SMTP server. Thinking that maybe the problem was in this name, I replaced it with the IP of the server. The same happened. Maybe if I use the internal IP it will work again?
And again, why did it work OK for almost four months and now I get the problem? Seems weird to me.
Jan 09 04 1:52 pm
Ok. I get this from the system log:
01/08/04 01:28:48 Blocked email A message from 165.98.242.19 was rejected because their server lied to us
The IP shown here is the IP of my WG POP3 server, so how is it possible that it lied to itself? And what is the code in the next four lines?
Jan 09 04 2:18 pm
The code in those four lines is firewall hit information. Adrien has explained them elsewhere in this forum and I don't think they're part of the problem.
Though I can't for sure explain the "server lied" problem you're seeing, I suggest you check the bindings and Transparent Redirection settings for POP and SMTP on your server.
Somehow it seems things are looping.
Larry
Jan 09 04 2:45 pm
SMTP:
Allow connections coming in from any interface
Start even if address is in use.
Redirect ENS and WGIC connections enabled.
Same config for POP
Jan 09 04 3:23 pm
Sorry, I've run out of ideas.
If you could post your configuration here the developers will check to see if they see anything suspect.
Larry
Jan 09 04 4:16 pm
1.01 WINGATE CONFIGURATION REPORT
1.02 Thursday, January 08, 2004, 19:52
1.03
1.04 ---------------------------------------------
1.05 WinGate Engine
1.06 ---------------------------------------------
1.07 WinGate 5.2.2 (Build 892)
1.08 Operating System: Windows 2000 (NT 5.0)
1.09 Language:
1.10
4.01 ---------------------------------------------
4.02 Dialer information
4.03 ---------------------------------------------
4.04 Dialer is disabled
4.05
5.01 ---------------------------------------------
5.02 Network Interfaces
5.03 ---------------------------------------------
5.04 127.0.0.1 (LOOPBACK) [Internal] [Secure]
5.05 165.98.242.19 (LAN) [External] [Unsecure]
5.06 192.168.100.1 (LAN) [Internal] [Secure]
5.07
6.01 ---------------------------------------------
6.02 Services
6.03 ---------------------------------------------
6.04
6.05 System Policies
6.06 ---------------------------------------------
6.07 Default System Access Rights:
6.08 Everyone - Unrestricted rights
6.09 Default Start/Stop Rights:
6.10 Administrators - Unrestricted rights
6.11 Default Edit Rights:
6.12 Administrators - Unrestricted rights
6.13
6.14 POP3 Proxy server (POP3 Proxy server)
6.15 ---------------------------------------------
6.16 Session Timeout: 120
6.17 Port: 8110
6.18 Startup: Automatic start/stop
6.19 Binding 1: 127.0.0.1
6.20 Binding 2: 192.168.100.1
6.21 Access Rights: Defaults: may be used instead
6.22 Administrators - Unrestricted rights
6.23 Start/Stop Rights: Defaults: may be used instead
6.24 Edit Rights: Defaults: may be used instead
6.25
6.26 Telnet Proxy server (Telnet Proxy server)
6.27 ---------------------------------------------
6.28 Session Timeout: 60
6.29 Port: 23
6.30 Startup: Automatic start/stop
6.31 Bindings: ANY interface
6.32 Access Rights: Defaults: are ignored
6.33 Administrators - Unrestricted rights
6.34 Start/Stop Rights: Defaults: may be used instead
6.35 Edit Rights: Defaults: may be used instead
6.36
6.37 WWW Proxy server (WWW Proxy server)
6.38 ---------------------------------------------
6.39 Session Timeout: 60
6.40 Port: 80
6.41 Startup: Automatic start/stop
6.42 Bindings: ANY interface
6.43 Access Rights: Defaults: may be used instead
6.44 Everyone - Restricted by security level
6.45 Administrators - Unrestricted rights
6.46 Start/Stop Rights: Defaults: may be used instead
6.47 Edit Rights: Defaults: may be used instead
6.48
6.49 DHCP Service (DHCP Service)
6.50 ---------------------------------------------
6.51 Session Timeout: 60
6.52 Port: 67
6.53 Startup: Automatic start/stop
6.54 Binding 1: 192.168.100.1
6.55 Access Rights: Defaults: are ignored
6.56 Everyone - Unrestricted rights
6.57 Start/Stop Rights: Defaults: may be used instead
6.58 Edit Rights: Defaults: may be used instead
6.59
6.60 Winsock Redirector Service (Winsock Redirector Service)
6.61 ---------------------------------------------
6.62 Session Timeout: 20
6.63 Port: 2080
6.64 Startup: Automatic start/stop
6.65 Binding 1: 127.0.0.1
6.66 Binding 2: 192.168.100.1
6.67 Access Rights: Defaults: may be used instead
6.68 Administrators - Unrestricted rights
6.69 Start/Stop Rights: Defaults: may be used instead
6.70 Edit Rights: Defaults: may be used instead
6.71
6.72 FTP Proxy server (FTP Proxy server)
6.73 ---------------------------------------------
6.74 Session Timeout: 60
6.75 Port: 21
6.76 Startup: Automatic start/stop
6.77 Binding 1: 127.0.0.1
6.78 Binding 2: 192.168.100.1
6.79 Access Rights: Defaults: may be used instead
6.80 Administrators - Unrestricted rights
6.81 Start/Stop Rights: Defaults: may be used instead
6.82 Edit Rights: Defaults: may be used instead
6.83
6.84 RTSP Streaming Media Proxy (RTSP Streaming Media Proxy)
6.85 ---------------------------------------------
6.86 Session Timeout: 60
6.87 Port: 554
6.88 Startup: Automatic start/stop
6.89 Binding 1: 127.0.0.1
6.90 Binding 2: 192.168.100.1
6.91 Access Rights: Defaults: may be used instead
6.92 Start/Stop Rights: Defaults: may be used instead
6.93 Edit Rights: Defaults: may be used instead
6.94
6.95 SOCKS Proxy server (SOCKS Proxy server)
6.96 ---------------------------------------------
6.97 Session Timeout: 60
6.98 Port: 1080
6.99 Startup: Automatic start/stop
6.100 Binding 1: 127.0.0.1
6.101 Binding 2: 192.168.100.1
6.102 Access Rights: Defaults: may be used instead
6.103 Administrators - Unrestricted rights
6.104 Start/Stop Rights: Defaults: may be used instead
6.105 Edit Rights: Defaults: may be used instead
6.106
6.107 VDOLive Proxy server (VDOLive Proxy server)
6.108 ---------------------------------------------
6.109 Session Timeout: 60
6.110 Port: 7000
6.111 Startup: Automatic start/stop
6.112 Binding 1: 127.0.0.1
6.113 Binding 2: 192.168.100.1
6.114 Access Rights: Defaults: may be used instead
6.115 Start/Stop Rights: Defaults: may be used instead
6.116 Edit Rights: Defaults: may be used instead
6.117
6.118 POP3 Server (POP3 Server)
6.119 ---------------------------------------------
6.120 Session Timeout: 120
6.121 Port: 110
6.122 Startup: Automatic start/stop
6.123 Bindings: ANY interface
6.124 Access Rights: Defaults: may be used instead
6.125 Start/Stop Rights: Defaults: may be used instead
6.126 Edit Rights: Defaults: may be used instead
6.127
6.128 SMTP Server (SMTP Server)
6.129 ---------------------------------------------
6.130 Session Timeout: 1000
6.131 Port: 25
6.132 Startup: Automatic start/stop
6.133 Bindings: ANY interface
6.134 Access Rights: Defaults: may be used instead
6.135 Start/Stop Rights: Defaults: may be used instead
6.136 Edit Rights: Defaults: may be used instead
6.137
6.138 GDP Service (GDP Service)
6.139 ---------------------------------------------
6.140 Session Timeout: 60
6.141 Port: 368
6.142 Startup: Automatic start/stop
6.143 Binding 1: 127.0.0.1
6.144 Binding 2: 192.168.100.1
6.145 Access Rights: Defaults: may be used instead
6.146 Start/Stop Rights: Defaults: may be used instead
6.147 Edit Rights: Defaults: may be used instead
6.148
6.149 XDMA Proxy service (XDMA Proxy service)
6.150 ---------------------------------------------
6.151 Session Timeout: 20
6.152 Port: 8000
6.153 Startup: Automatic start/stop
6.154 Binding 1: 127.0.0.1
6.155 Binding 2: 192.168.100.1
6.156 Access Rights: Defaults: may be used instead
6.157 Start/Stop Rights: Defaults: may be used instead
6.158 Edit Rights: Defaults: may be used instead
6.159
6.160 DNS Service (DNS Service)
6.161 ---------------------------------------------
6.162 Session Timeout: 60
6.163 Port: 53
6.164 Startup: Disabled
6.165 Bindings: ANY interface
6.166 Access Rights: Defaults: may be used instead
6.167 Start/Stop Rights: Defaults: may be used instead
6.168 Edit Rights: Defaults: may be used instead
6.169
6.170 WWW Server for viewing log files (Logfile Server)
6.171 ---------------------------------------------
6.172 Session Timeout: 60
6.173 Port: 8010
6.174 Startup: Automatic start/stop
6.175 Bindings: ANY interface
6.176 Access Rights: Defaults: may be used instead
6.177 Administrators - Unrestricted rights
6.178 Start/Stop Rights: Defaults: may be used instead
6.179 Edit Rights: Defaults: may be used instead
6.180
6.181 Remote Control Service (Remote Control Service)
6.182 ---------------------------------------------
6.183 Session Timeout: 180
6.184 Port: 808
6.185 Startup: Automatic start/stop
6.186 Binding 1: 127.0.0.1
6.187 Binding 2: 165.98.242.19
6.188 Binding 3: 192.168.100.1
6.189 Access Rights: Defaults: may be used instead
6.190 Start/Stop Rights: Defaults: may be used instead
6.191 Edit Rights: Defaults: may be used instead
6.192
7.01 ---------------------------------------------
7.02 System Route Table
7.03 ---------------------------------------------
7.04 Current Route Table:
7.05 ---------------------------------------------
7.06 Network Mask Gateway Interface Metric
7.07 0.0.0.0 0.0.0.0 165.98.242.1 165.98.242.19 1
7.08 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
7.09 165.98.242.0 255.255.255.192 165.98.242.19 165.98.242.19 1
7.10 165.98.242.19 255.255.255.255 127.0.0.1 127.0.0.1 1
7.11 165.98.242.21 255.255.255.255 165.98.242.19 165.98.242.19 1
7.12 165.98.255.255 255.255.255.255 165.98.242.19 165.98.242.19 1
7.13 192.168.100.0 255.255.255.0 192.168.100.1 192.168.100.1 1
7.14 192.168.100.1 255.255.255.255 127.0.0.1 127.0.0.1 1
7.15 192.168.100.3 255.255.255.255 127.0.0.1 127.0.0.1 1
7.16 192.168.100.255 255.255.255.255 192.168.100.1 192.168.100.1 1
7.17 192.168.150.1 255.255.255.255 192.168.100.3 192.168.100.3 1
7.18 224.0.0.0 224.0.0.0 165.98.242.19 165.98.242.19 1
7.19 255.255.255.255 255.255.255.255 192.168.100.1 192.168.100.1 1
7.20
8.01 ---------------------------------------------
8.02 Enhanced Network Support
8.03 ---------------------------------------------
8.04 Enhanced Network Support: 5.10 Syz - Installed and active
8.05 Driver: Enabled
8.06 NAT: Enabled
8.07 Router: Enabled
8.08 Firewall level: Custom
8.09
8.10 Firewall
8.11 ---------------------------------------------
8.12 Disable network name broadcasts to the Internet: Enabled
8.13 Allow users to ping this machine locally: Enabled
8.14 Allow users to ping this machine from the Internet: Enabled
8.15 Discard spoofed packets: Enabled
8.16
8.17 Routing
8.18 ---------------------------------------------
8.19 Multiple default routes: Enabled
8.20 Relay UDP broadcast packets: Enabled
8.100
8.101 Port Security
8.102 ---------------------------------------------
8.103
8.104 Security for: External TCP
8.105 Action: Allow Port: 23 - Hole for Telnet Proxy server
8.106 Action: Allow Port: 25 - Hole for SMTP Server
8.107 Action: Allow Port: 53 - Hole for DNS Queries
8.108 Action: Allow Port: 80 - Hole for WWW Proxy server
8.109 Action: Allow Port: 110 - Hole for POP3 Server
8.110 Action: Allow Port: 113 - AUTH
8.111 Action: Allow Port: 808 - Hole for Remote Control Service
8.112 Action: Allow Port: 809 - Hole for VPN (Control)
8.113 Action: Allow Port: 1024 - 4096 - External
8.114 Action: Allow Port: 8010 - Hole for Logfile Server
8.115 Action: Allow Port: 8180 - IA Webmail Port
8.116
8.117 Security for: External UDP
8.118 Action: Allow Port: 53 - Hole for DNS Service
8.119 Action: Allow Port: 809 - Hole for VPN (Data)
8.120 Action: Allow Port: 1024 - 4096 - External
8.121
8.122 Security for: Internal TCP
8.123 Action: Allow Port: 25 - Hole for SMTP Server
8.124
8.125 Security for: Internal UDP
8.126
8.127 Security for: NAT TCP
8.128 Action: Redirect Port: 21 - Transparent Redirect
8.129 Action: Redirect Port: 23 - Transparent Redirect
8.130 Action: Redirect Port: 25 - Transparent Redirect
8.131 Action: Redirect Port: 80 - Transparent Redirect
8.132 Action: Redirect Port: 110 - Transparent Redirect
8.133 Action: Redirect Port: 554 - Transparent Redirect
8.134 Action: Redirect Port: 8010 - Transparent Redirect
8.135 Action: Redirect Port: 8110 - Transparent Redirect
8.136
8.137 Security for: NAT UDP
8.500
9.01 ---------------------------------------------
9.02 END OF CONFIGURATION REPORT
Jan 13 04 9:17 am
Just an update: I still have no clue about the problem. Last night, it started to give me this message:
01/12/04 10:58:54 Email Error initialising new email message - reason:
This is what appears in the System log. In the Gatekeeper, the system log tab says:
Error initialising new email message - reason: <too long to print>
Does anyone have any idea about this? I feel stuck here. Nothing changes in any test I make. I'm running out of ideas.
Regards
Jan 13 04 9:49 am
Try turning on debug logging for the SMTP server and see what you get in its log file.
If nothing changed on your clients, then it is unlikely to be them. WinGate only gives you this error if the mail sender identified itself using an IP address. 99.9% of all senders use a name not an IP address, and I am picking you will see this when you turn on the debug log.
Adrien
Jan 13 04 5:48 pm
If you see the first message of this thread, the SMTP log has always been on. Unfortunately, the log keeps growing too fast to view it online (I'm at home right now). I will check it tomorrow morning, to see if anything has changed from the first message I told you about (the server lied to us). Just to mention, these messages about "lies" make the SMTP log grow to 600MB daily. I have to erase the old logs just to make room on my disk. The first time, which was when I noticed the message, it filled up all my disk space. Now, every day I keep moving the logs, and opening them takes a lot of time (opening 600MB of text is always hard, don't you think?)
Regards.
Jan 14 04 1:51 am
Jason,
If you check the Debug option in the SMTP - Logging tab you'll get even more information. If you turn this on for just long enough to capture a few of the sessions that result in "server lied" and post them here, that will help Adrien evaluate the problem.
I wouldn't leave Debug turned on for very long. Very interesting stuff in there but it'll fill up the hard drive pretty quickly.
Larry
Jan 14 04 3:45 am
This is what I get from the smtp log for a single email error:
01/13/04 08:35:41 SMTP Server Error: Message 0000055667 could not move .msg file error 2
01/13/04 08:35:41 SMTP Server Error: Message 0000055667 msg file not found, rcp file moved to dead
01/13/04 08:35:41 SMTP Server Debug: Message 0000130216 moved to dead, undeliverable, but no return path
01/13/04 08:35:41 SMTP Server Error: Message 0000052419 could not move .msg file error 2
01/13/04 08:35:41 SMTP Server Error: Message 0000052419 msg file not found, rcp file moved to dead
01/13/04 08:35:41 SMTP Server Error: Message 0000055783 could not move .msg file error 2
01/13/04 08:35:41 SMTP Server Error: Message 0000055783 msg file not found, rcp file moved to dead
This kind of message I know could be generated when my NAVCE detects a virus and erases the infected message/file. I will run further tests to see if this is the present problem. I'd like to hear suggestions.
Regards
Jan 14 04 3:54 am
It is a WinGate error. I just disabled NAVCE, and the same message keeps appearing in the SMTP log. I'm completely out of ideas. HELP!!!!
Regards
Jan 14 04 4:28 am
Jason,
If you turn on Debug logging for the SMTP server you should see something like this:
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: <=S: 220 exchange.xxxxxxxxx.com ESMTP Service ready
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: C=>: EHLO exchange.radianinc.com
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: <=S: 250-exchange.radianinc.com greets you
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: <=S: 250 AUTH CRAM-MD5
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: C=>: MAIL FROM:<xxxxl@xxxxxxxxx.com>
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: <=S: 250 Requested mail action okay, completed
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: C=>: RCPT TO:<xxxxxx@xxxxxxx.com>
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: <=S: 250 Requested mail action okay, completed
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: C=>: DATA
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: <=S: 354 Start mail input; end with <CRLF>.<CRLF>
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: <=S: 250 Requested mail action okay, completed
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Requested: SMTP In: mail from xxxxx@xxxxxxxxx.com to xxxxxx@xxxxxxx.com (6kb)
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: C=>: QUIT
01/13/04 10:19:22 172.16.1.41 radsys_mail 0000212858 Debug: <=S: 221 SMTP Server Service closing transmission channel
This is the info needed to diagnose the server lied problem.
Larry
Jan 14 04 5:16 am
labull:
Right now, all I can see in the SMTP server log is the email <too long to print> related messages. In fact, it is the only thing that appears. Apparently, SMTP is no longer working; all the email clients get a message like "smtp server is not responding" or timeout messages.
The "server lied to us" stopped appearing at the same moment the mail <too long to print> started. Right now, I'm trying to restart the SMTP; I no longer have mail. I can check mail, but no one can send mail.
I'll keep posting news, as soon as I have one.
Regards
Jan 14 04 5:34 am
Maybe there is a corrupt file in the mail folders.
Stop the SMTP service.
In Program Files\WinGate\Mail\Spool there are 6 subfolders.
If you move the contents of these sub folders to a safe place you will be starting with a clean system.
Then start the SMTP service.
If things work OK the folks at Qbik may be interested in the files you moved to see what the problem is.
Larry
Jan 14 04 7:25 am
Sorry. I read the last thread too late.
I opted for uninstalling everything and reinstalling from scratch. The problem appeared, but after configuring everything as I had it initially, the <too long> problem disappeared. But "server lied to us" is again showing in the sys log.
In fact, checking the six folders you mention I see something I don't understand: there are a lot of files in there:
Folder: Files:
Dead 6,655 files, 4.67MB total
Holding 23 files, 449kb total
Incoming 162 files, 8.27MB total
Holding 21,844 files, 8.06MB total
What this means, I don't know. I would like to know what each folder stores, just curious.
About the SMTP server log with the problem "server lied to us", here it is:
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO:
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: <=S: 550 Service denied - your server lied to us
01/13/04 12:07:52 165.98.242.19 Guest 0000009471 Debug: C=>: RCPT TO: <33815735@pager.icq.com>
01/13/04 12:07:52 165.98.242.19 Guest 0000009471 Debug: <=S: 550 Service denied - your server lied to us
---------------
01/13/04 11:51:09 165.98.242.19 cmoya 0000001667 Failed authorisation: A message from 165.98.242.19 was rejected because their server lied to us
------------------------------
Jan 14 04 7:38 am
I believe the SMTP folders match the EMWAC standard. You can check on that on the Internet.
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO:
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: <=S: 550 Service denied - your server lied to us
There should be several more lines associated with session 9513. Could you post all of them?
We need to see what the helo/ehlo statement says.
Thanks!
Larry
Last edited by labull on Jan 14 04 8:36 am, edited 1 time in total.
Jan 14 04 8:30 am
Here are the missing lines. Sorry, I thought that all the lines were together, but I was wrong.
01/13/04 12:07:45 165.98.242.19 Guest 0000009513 Debug: C=>: HELO 127.0.0.1
01/13/04 12:07:45 165.98.242.19 Guest 0000009513 Debug: <=S: 250 Requested mail action okay, completed
01/13/04 12:07:45 165.98.242.19 Guest 0000009513 Failed authorisation: A message from 165.98.242.19 was rejected because their server lied to us
---
01/13/04 12:07:47 165.98.242.19 Guest 0000009513 Debug: C=>: MAIL FROM: <eaamksj@msn.com>
01/13/04 12:07:47 165.98.242.19 Guest 0000009513 Debug: <=S: 250 Requested mail action okay, completed
-----
01/13/04 12:07:47 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO: <chris_5150@local.net>
01/13/04 12:07:47 165.98.242.19 Guest 0000009513 Debug: <=S: 550 Service denied - your server lied to us
-------
01/13/04 12:07:49 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO: <chickie@local.net>
01/13/04 12:07:49 165.98.242.19 Guest 0000009513 Debug: <=S: 550 Service denied - your server lied to us
------
01/13/04 12:07:49 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO: <chickje@local.net>
01/13/04 12:07:49 165.98.242.19 Guest 0000009513 Debug: <=S: 550 Service denied - your server lied to us
----
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO: <chief92@local.net>
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: <=S: 550 Service denied - your server lied to us
-----
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: C=>: QUIT
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: <=S: 221 SMTP Server Service closing transmission
----
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Traffic 361 175 0 0 8s
----
These are all the lines for Guest 0000009513. I hope this helps.
Regards
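Added example (not part of any post in this thread, and not WinGate's own code): a Python sketch of the greeting check as the replies above describe it, flagging a HELO/EHLO argument that is an IP address and is either one of the server's own addresses or different from the connecting address. It runs over debug-log lines in the layout posted above; the server addresses are taken from the posted configuration report, and sessions 0000009600 to 0000009602 are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Addresses listed under "Network Interfaces" in the posted configuration report.
SERVER_IPS = {"127.0.0.1", "165.98.242.19", "192.168.100.1"}

# Session 0000009513 is quoted from the thread; sessions 96xx are constructed.
SAMPLE_LOG = """\
01/13/04 12:07:45 165.98.242.19 Guest 0000009513 Debug: C=>: HELO 127.0.0.1
01/13/04 12:07:45 165.98.242.19 Guest 0000009513 Debug: <=S: 250 Requested mail action okay, completed
01/13/04 12:07:47 165.98.242.19 Guest 0000009513 Debug: C=>: MAIL FROM: <eaamksj@msn.com>
01/13/04 12:07:47 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO: <chris_5150@local.net>
01/13/04 12:07:49 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO: <chickie@local.net>
01/13/04 12:07:49 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO: <chickje@local.net>
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: C=>: RCPT TO: <chief92@local.net>
01/13/04 12:07:52 165.98.242.19 Guest 0000009513 Debug: C=>: QUIT
01/13/04 12:08:01 192.168.100.25 jsmith 0000009600 Debug: C=>: EHLO workstation25
01/13/04 12:08:01 192.168.100.25 jsmith 0000009600 Debug: C=>: RCPT TO: <a@example.com>
01/13/04 12:08:02 192.168.100.40 Guest 0000009601 Debug: C=>: HELO [192.168.100.40]
01/13/04 12:08:03 192.168.100.41 Guest 0000009602 Debug: C=>: HELO 10.9.8.7
01/13/04 12:08:03 192.168.100.41 Guest 0000009602 Debug: C=>: RCPT TO: <b@example.com>
"""

# Layout: date time peer user session "Debug: C=>:" verb [argument]
CLIENT_LINE = re.compile(
    r"^\S+ \S+ (?P<peer>\S+) (?P<user>\S+) (?P<sid>\d+)\s*Debug: C=>: "
    r"(?P<verb>[A-Za-z]+)\s*(?P<arg>.*)$"
)


def helo_ip(arg):
    """Return arg as an IP address object, or None when it is a host name."""
    text = arg.strip()
    if text.startswith("[") and text.endswith("]"):  # address literal, e.g. [1.2.3.4]
        text = text[1:-1]
        if text.lower().startswith("ipv6:"):
            text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify(peer, arg, server_ips=SERVER_IPS):
    """Apply the rule described in the thread to one greeting."""
    ip = helo_ip(arg)
    if ip is None:
        return "ok"                # a name is not checked by this rule
    if str(ip) in server_ips:
        return "own-address"       # sender claims to be the receiving server
    if ip != helo_ip(peer):
        return "peer-mismatch"     # IP in greeting differs from the connecting IP
    return "ok"


def scan(log_text, server_ips=SERVER_IPS):
    """Return (flagged sessions, RCPT TO attempts per (peer, user) in those sessions)."""
    findings, rcpts = {}, Counter()
    for line in log_text.splitlines():
        m = CLIENT_LINE.match(line.strip())
        if not m:
            continue               # server replies and non-debug lines
        verb = m["verb"].upper()
        if verb in ("HELO", "EHLO"):
            verdict = classify(m["peer"], m["arg"], server_ips)
            if verdict != "ok":
                findings[m["sid"]] = {"peer": m["peer"], "user": m["user"],
                                      "helo": m["arg"].strip(), "verdict": verdict}
        elif verb == "RCPT" and m["sid"] in findings:
            rcpts[(m["peer"], m["user"])] += 1
    return findings, rcpts


if __name__ == "__main__":
    flagged, attempts = scan(SAMPLE_LOG)
    for sid, info in flagged.items():
        print(sid, info)
    print(attempts.most_common())
```

Grouping the rejected RCPT TO attempts by peer and user gives a short list of logins or machines to inspect first, instead of paging through a 600MB log.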
Jan 15 04 3:45 am
Update: Finally my server is back online. Yesterday, after reinstalling everything, the problem still persisted: blocked mails, and no one could send mail. So, I decided to try labull's advice: delete all the content from the spool folder and reboot. Voila! The users were able to send mail. But the blocked mails still persist. Till 10 minutes ago, the blocked mail message appeared at least three times per second. I proceeded to install the KAV plugin, just in case, and the messages now appear two or three times a minute.
I don't know the relation between KAV and the message. But now the problem is minimal.
Analyzing the SMTP report and comparing it against the user activity, I conclude that maybe one user is infected with a virus/trojan. Now I'm working in that direction: double-checking every PC in my network, to see if I'm wrong. 60 machines could take me a lot of time, so I will update this thread when I have news, hopefully good news.
Regards