Emails Not Sending – defer (111): Connection refused (Exim) and SMTP Tweak

I got a phone call today from a client whose accounts we’d transferred between two cPanel servers on Friday. Today, Monday, about 12pm, I get a call saying he’s receiving emails but can’t send. I’m told that there aren’t any error messages or bounced replies, but the receivers haven’t got the emails. So I took his details and said I’d call back.

Usually I see this happen if there is a problem with DNS, particularly with the hostname. The server’s hostname should always point to the primary IP address of the server. There should also be a reverse DNS (rDNS) or pointer record set up on that IP address pointing back to the hostname. For example:

fileserver.domain.com.au -> 123.45.67.89
123.45.67.89 -> fileserver.domain.com.au

If you don’t do this, you’re asking for trouble. Most providers won’t accept email from you if you don’t set up your DNS properly. For example, here is a message from AOL:

$ telnet mailin-04.mx.aol.com 25
Trying 64.12.90.66...
Connected to mailin-04.mx.aol.com.
Escape character is '^]'.

220-Effective immediately:
220-AOL may no longer accept connections from IP addresses
220 which no do not have reverse-DNS (PTR records) assigned.
quit
221 2.0.0 Bye
Connection closed by foreign host.

In the past I’ve seen the server hostname accidentally changed, causing a mismatch and, in turn, this problem.
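A forward-confirmed reverse DNS check for the hostname/IP pair described above, as an added example that is not from the original post. The lookup functions are injectable so the check runs offline against constructed records; oldname.domain.com.au is a made-up stale PTR value.

```python
import socket

def _norm(name):
    # DNS names are case-insensitive; PTR answers often carry a trailing dot.
    return name.rstrip(".").lower()

def resolve_a(hostname):
    """Return the IPv4 addresses for hostname (empty list if it does not resolve)."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return []

def resolve_ptr(ip):
    """Return the PTR names for ip (empty list if there is no reverse record)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def check_fcrdns(hostname, primary_ip, lookup_a=resolve_a, lookup_ptr=resolve_ptr):
    """Check hostname -> primary_ip and primary_ip -> hostname; return a list of problems."""
    problems = []
    addrs = lookup_a(hostname)
    if not addrs:
        problems.append(f"{hostname} does not resolve")
    elif primary_ip not in addrs:
        problems.append(f"{hostname} resolves to {addrs}, not {primary_ip}")
    ptrs = [_norm(p) for p in lookup_ptr(primary_ip)]
    if not ptrs:
        problems.append(f"{primary_ip} has no PTR record")
    elif _norm(hostname) not in ptrs:
        problems.append(f"PTR for {primary_ip} is {ptrs}, not {hostname}")
    return problems

if __name__ == "__main__":
    # Constructed records matching the article's example, so this runs offline.
    A = {"fileserver.domain.com.au": ["123.45.67.89"]}
    good_ptr = {"123.45.67.89": ["fileserver.domain.com.au."]}
    bad_ptr = {"123.45.67.89": ["oldname.domain.com.au."]}  # hypothetical stale PTR
    for ptr in (good_ptr, bad_ptr):
        print(check_fcrdns("fileserver.domain.com.au", "123.45.67.89",
                           lambda h: A.get(h, []), lambda ip: ptr.get(ip, [])) or "OK")
```

Called with only the hostname and IP, the function uses the system resolver instead of the stubbed lookups.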

However, the actual cause of my problem today was playing with cPanel settings I was unclear about. What does SMTP Tweak do exactly? It’s very poorly explained… well no, it’s not explained at all in Web Hosting Manager (WHM), but I extracted this from the cPanel docs explaining SMTP Tweak:

SMTP Tweak

You may want to prevent users from bypassing your mail server to send mail. This is common practice for spammers.  This feature allows you to configure your server so that the mail transport agent (MTA), Mailman mailing list software, and root user are the only accounts able to connect to remote SMTP servers.

Source: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/TweakMail

If your clients are not set up to handle sending mail as an authenticated user, suddenly enabling SMTP Tweak in WHM will cause…

mailin-01.mx.aol.com [205.188.146.193] Connection refused
cluster9.us.messagelabs.com [216.82.242.19] Connection refused
cluster9a.us.messagelabs.com [95.131.108.66] Connection refused
xxx@xxx.com.au <xxx@xxx.com.au> R=lookuphost T=remote_smtp defer (111): Connection refused
mailipao.vtcif.telstra.com.au [202.12.144.27] Connection refused
xxx@telstra.com <xxx@telstra.com> R=lookuphost T=remote_smtp defer (111): Connection refused
gmail-smtp-in.l.google.com [209.85.221.11] Connection refused
alt1.gmail-smtp-in.l.google.com [216.239.59.27] Connection refused
alt2.gmail-smtp-in.l.google.com [74.125.79.114] Connection refused
alt3.gmail-smtp-in.l.google.com [72.14.221.27] Connection refused
alt4.gmail-smtp-in.l.google.com [209.85.216.62] Connection refused

Uhoh. cPanel’s SMTP Tweak does this by adding these rules to iptables:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             localhost           tcp dpt:smtp
REJECT     tcp  --  anywhere             anywhere            tcp dpt:smtp reject-with icmp-port-unreachable

So in the end, it had nothing to do with his migration. It was a simple mis-click of SMTP Tweak. At least we know for certain what it does! It effectively firewalls your outbound connection from the server unless you’re an authenticated user, making it appear as if the destination server is blocking you. Unless you look carefully, it has the potential to be confusing.
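An added example (not from the original post or from cPanel) that applies this diagnosis to the two outputs shown above: a REJECT rule with icmp-port-unreachable makes the local kernel fail the connect with ECONNREFUSED (errno 111), which is what Exim logs as "defer (111)". The function names, verdict strings and the /16 grouping heuristic are assumptions of this example.

```python
import ipaddress
import re

# Sample input copied from the output shown in the article.
EXIM_LOG = """\
mailin-01.mx.aol.com [205.188.146.193] Connection refused
cluster9.us.messagelabs.com [216.82.242.19] Connection refused
xxx@telstra.com <xxx@telstra.com> R=lookuphost T=remote_smtp defer (111): Connection refused
gmail-smtp-in.l.google.com [209.85.221.11] Connection refused
"""
IPTABLES_OUTPUT = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             localhost           tcp dpt:smtp
REJECT     tcp  --  anywhere             anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
"""

REFUSED = re.compile(r"(\S+) \[(\d+\.\d+\.\d+\.\d+)\] Connection refused")

def refused_networks(log_text):
    """Group refusing MX hosts by /16 as a rough proxy for unrelated providers."""
    nets = set()
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if m:
            nets.add(ipaddress.ip_network(m.group(2) + "/16", strict=False))
    return nets

def smtp_egress_blocks(iptables_text):
    """Return REJECT/DROP rules in the OUTPUT chain that match destination port 25."""
    blocks, in_output = [], False
    for line in iptables_text.splitlines():
        if line.startswith("Chain "):
            in_output = line.split()[1] == "OUTPUT"
            continue
        fields = line.split()
        if (in_output and fields and fields[0] in ("REJECT", "DROP")
                and re.search(r"\bdpt:(smtp|25)\b", line)):
            blocks.append(line.strip())
    return blocks

def diagnose(log_text, iptables_text, min_networks=3):
    """Classify the refusals: local firewall, suspected local cause, or remote."""
    if smtp_egress_blocks(iptables_text):
        return "local-firewall"   # the server itself is rejecting outbound port 25
    if len(refused_networks(log_text)) >= min_networks:
        return "suspect-local"    # unrelated providers rarely all refuse at once
    return "remote"
```

Feed it the Exim main log and the output of iptables -L OUTPUT (with or without -n, since both dpt:smtp and dpt:25 are matched).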


2 Responses to Emails Not Sending – defer (111): Connection refused (Exim) and SMTP Tweak

  1. Brendan says:

    Thanks Jon, fixed 🙂

  2. Jon V says:

    Your first example about making sure the forward and reverse records match… doesn’t match. fileserver.domain.com.au != fileserver.domain.com.a
