Connection refused


Connection refused

Alec Leamas-2
Hi!

In trouble... I'm a postfix newbie, so this is most likely something
silly. But I cannot connect to my SMTP server from the outside world,
i.e., through the network interface. Local connections seem to be
OK. So I cannot receive mail, which is sad.

Some details: My box is a Fedora 9 box connected to the internet
through a router. The router is doing NAT. My ISP blocks outgoing
traffic from me on port 25, so I cannot test this directly. I have
disabled selinux, the iptables firewall and the router firewall(!).

In order to create something testable I've configured yet another smtp
service on port 10025. I can connect to this (as well as port 25)
from localhost using telnet. I have also created a router tunnel from
external port 10025 to port 10025 on my box. I think the tunnel is OK;
I've tested forwarding it to port 22 (ssh) instead, and it connects as
expected. And other tunnels do work.

Still, doing a "telnet 123.45.67.89 10025" ends up in a timeout,
basically a "Connection refused".

Any hints out there?

--------------------------------------------------------------------------------------
Netstat & DNS:

$ netstat -ant  |  grep 25
tcp        0      0 0.0.0.0:10025     0.0.0.0:*                LISTEN
tcp        0      0 0.0.0.0:25        0.0.0.0:*                LISTEN
tcp        0      0 :::10025          :::*                     LISTEN
tcp        0      0 :::25             :::*                     LISTEN

I've a split DNS setup working for both internal and external hosts. The
single exception is the external router interface. There is an A record
for this, but no reverse PTR record. This is really outside my
control; I'm using the free dyndns service to keep a fixed name for a
dynamic IP address, but dyndns can't reverse map my ISP's address.

----------------------------------------------------------------------------------------

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 9
debug_peer_list = 192.168.2.50
html_directory = no
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = my-own-domain.net
mynetworks = 192.168.2.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = 83.183.X.XXX
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550

---------------------------------------------------------------
master.cf

10025     inet  n       -       n       -       -       smtpd -v
smtp    inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

Re: Connection refused

Gabriel Craciun
inet_interfaces = all ?



On Mon, 2008-06-09 at 10:55 +0200, Alec leamas wrote:
> mynetworks = 192.168.2.0/24, 127.0.0.0/8


Re: Connection refused

Alec Leamas-2
Some hours later... this is really an iptables issue, they are active
even when the firewall is disabled - verify with iptables -L.

Found a quick fix to completely remove iptables out there:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
After these commands, the connection to the router works as expected.
Remaining question is how to restore the iptables to a reasonable state
without blocking SMTP connections. Any ideas?

Thanks for your help so far!

--alec

Alec Leamas wrote:

> First of all: thanks for taking time for this!
>
> Back to business. "tcpdump my.router" doesn't look good, but what's
> this?! "modem.lan" is the internal name of the router, it runs its
> own DNS service which isn't visible on the local net.
>
> Seems that my host hemulen isn't reachable - but due to the router, or
> the host. I'm not that kind of expert...
>
>
>
> root@hemulen ~]# /usr/sbin/tcpdump "host my-router.net"
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 11:36:15.467677 IP hemulen.XX.net.47333 > modem.lan.10025: S
> 1733702508:1733702508(0) win 5840 <mss 1460,sackOK,timestamp 70216008
> 0,nop,wscale 7>
> 11:36:15.468891 IP modem.lan.62839 > hemulen.XX.net.10025: S
> 1733702508:1733702508(0) win 5840 <mss 1460,sackOK,timestamp 70216008
> 0,nop,wscale 7>
> 11:36:15.468921 IP hemulen.XX.net > modem.lan: ICMP host
> hemulen.XX.net unreachable - admin prohibited, length 68
> 11:36:18.466873 IP hemulen.XX.net.47333 > modem.lan.10025: S
> 1733702508:1733702508(0) win 5840 <mss 1460,sackOK,timestamp 70219008
> 0,nop,wscale 7>
> 11:36:18.467439 IP modem.lan.62839 > hemulen.XXnet.10025: S
> 1733702508:1733702508(0) win 5840 <mss 1460,sackOK,timestamp 70219008
> 0,nop,wscale 7>
> 11:36:18.467479 IP hemulen.XX.net > modem.lan: ICMP host
> hemulen.XX.net unreachable - admin prohibited, length 68
> 11:36:24.466875 IP hemulen.XX.net.47333 > modem.lan.10025: S
> 1733702508:1733702508(0) win 5840 <mss 1460,sackOK,timestamp 70225008
> 0,nop,wscale 7>
> 11:36:24.467777 IP modem.lan.62839 > hemulen.XX.net.10025: S
> 1733702508:1733702508(0) win 5840 <mss 1460,sackOK,timestamp 70225008
> 0,nop,wscale 7>
> 11:36:24.467809 IP hemulen.XX.net > modem.lan: ICMP host
> hemulen.XX.net unreachable - admin prohibited, length 68
>
>
>
>
> Gabriel Craciun wrote:
>> can you run a tcpdump (wireshark) on the postfix host to see the connection
>> attempt and what is going wrong?
>>
>> I also have fedora 9 on my desktop and with inet_interfaces all indeed I
>> can connect only from localhost, but if I change to all it form from our
>> office network.
>>
>>
>>
>> On Mon, 2008-06-09 at 11:26 +0200, Alec Leamas wrote:
>>  
>>> Gabriel Craciun wrote:
>>>    
>>>> /var/log/messages, /var/log/maillog
>>>>        
>>> There are no postfix messages in .../messages. .../maillog has:
>>> Jun  9 11:16:00 hemulen postfix/postfix-script[10195]: refreshing
>>> the Postfix mail system
>>> Jun  9 11:16:00 hemulen postfix/master[6357]: reload configuration
>>> /etc/postfix
>>>
>>> i.e., the connection attempt leaves no trace
>>>    
>>>> On Mon, 2008-06-09 at 11:17 +0200, Alec leamas wrote:
>>>>        
>>>>> I've tried it before, but doing once again...no difference, can't
>>>>> connect, netstat shows the same :-(
>>>>>
>>>>> On Mon, Jun 9, 2008 at 11:07 AM, Gabriel Craciun
>>>>> <[hidden email]> wrote:
>>>>>            
>>>>>> inet_interfaces = all ?
>>>>>>
>>>>>>                
>>>>        
>>
>>  
>
>


Re: Connection refused

/dev/rob0
On Mon June 9 2008 05:09:15 Alec Leamas wrote:

> Some hours later... this is really an iptables issue, they are active
> even when the firewall is disabled - verify with iptables -L.
>
> Found a quick fix to completely remove iptables out there:
> *# iptables -F
> # iptables -X
> # iptables -t nat -F
> # iptables -t nat -X
> # iptables -t mangle -F
> # iptables -t mangle -X
> # iptables -P INPUT ACCEPT
> # iptables -P OUTPUT ACCEPT

Any other non-ACCEPT policies must be reset to ACCEPT. Try
"iptables-save -c" to see all rules at once; "iptables -L" is useless,
and you also need to ensure that the "raw" table is not in use.

> After these commands, the connection to the router works as expected.
> Remaining question is how to restore the iptables to a reasonable
> state without blocking SMTP connections. Any ideas?

Learn how to use your OS. You mentioned Fedora, so see service(8) and
chkconfig(8). I don't have Fedora to be able to tell you the exact
commands to use, but "iptables" is the service name. "service iptables
save" (or store?) would save your flushed firewall, but it makes more
sense not to load it in the first place, which is where chkconfig can
help.

> >>>>> <[hidden email]> wrote:
> >>>>>> inet_interfaces = all ?

There is no need to clutter up main.cf with default settings.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
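The "admin prohibited" ICMP in the tcpdump earlier in the thread is exactly what a REJECT --reject-with icmp-host-prohibited rule produces, which is why the SYN reached the host yet the connection never opened. As an added example (not from the thread or from Fedora), here is a shell script that reads an iptables-save dump, reports the verdict a new TCP connection to a given port would get from filter/INPUT, and inserts an SMTP ACCEPT ahead of the catch-all REJECT; the ruleset is a constructed sample in the shape of the Fedora 9 default, and only the `-m state --state` match form is understood.

```shell
# Constructed sample: the shape of a Fedora 9 default ruleset as printed by
# "iptables-save" (not the poster's real output).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# port_verdict RULESET PORT: walk filter/INPUT in order, following -j jumps
# into user chains; print the first terminating verdict for a NEW inbound
# TCP connection to PORT, or the INPUT policy if no rule matches.
port_verdict() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^\*/ { table = substr($0, 2); next }
    table != "filter" { next }
    /^:/ { policy[substr($1, 2)] = $2; next }
    $1 == "-A" { chain = $2; k = ++n[chain]; rule[chain, k] = $0
                 for (i = 3; i <= NF; i++) if ($i == "-j") jump[chain, k] = $(i+1); next }
    # Does rule r apply to a new TCP connection to port?
    function matches(r,    nf, f, i) {
      nf = split(r, f, " ")
      for (i = 3; i <= nf; i++) {
        if (f[i] == "-i" && f[i+1] == "lo") return 0        # loopback only
        if (f[i] == "-p" && f[i+1] != "tcp") return 0
        if (f[i] == "--dport" && f[i+1] != port) return 0
        if (f[i] == "--state" && f[i+1] !~ /NEW/) return 0  # not for NEW
      }
      return 1
    }
    function walk(chain,    i, t, v) {
      for (i = 1; i <= n[chain]; i++) {
        if (!matches(rule[chain, i])) continue
        t = jump[chain, i]
        if (t == "ACCEPT" || t == "REJECT" || t == "DROP") return t
        if (t in n) { v = walk(t); if (v != "") return v }
      }
      return ""
    }
    END { v = walk("INPUT"); print (v == "" ? policy["INPUT"] : v) }'
}
# with_smtp_accept RULESET PORT: add an ACCEPT for new TCP connections to PORT
# just before the catch-all REJECT, in that same chain.
with_smtp_accept() {
  printf '%s\n' "$1" | awk -v port="$2" '/^-A .* -j REJECT/ {
    print "-A " $2 " -m state --state NEW -m tcp -p tcp --dport " port " -j ACCEPT" }
    { print }'
}
```

Run `port_verdict "$(iptables-save)" 25` on a live box to check the real ruleset, and feed the output of `with_smtp_accept` to `iptables-restore` only after reviewing it.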

Re: Connection refused

Alec Leamas-2
Summing up:

- It seems that on Fedora 9, you need to stop iptables explicitly to
allow access to everything. Of course, the way to do it is "service
iptables stop", nothing else; forget the previous message.

- The easy way is to configure and start the firewall; the GUI is simple enough.

> There is no need to clutter up main.cf with default settings.
Indeed no, but almost everything is as distributed by the Fedora rpm.