Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: jasc22 on April 28, 2011, 10:31:27 AM

Title: Difficulty passing Administrator test
Post by: jasc22 on April 28, 2011, 10:31:27 AM
Hello All, I am using Ubuntu - Postfix - Dovecot. I was not receiving internal emails, which is now fixed. The strange thing is tcpdump shows that the email from HE is being sent to the tunnel endpoint. Do I need a route from the tunnel endpoint to the host? (I'm using the same host for the test that the tunnel is configured on.) Below is my DNS info. Any help will be greatly appreciated!! Thx!!

; <<>> DiG 9.7.1-P2 <<>> jasc22.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42735
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jasc22.com.         IN   ANY

;; ANSWER SECTION:
jasc22.com.      86400   IN   SOA   ns1.he.net. hostmaster.he.net. 2011042603 10800 1800 604800 86400
jasc22.com.      86400   IN   MX   10 5103.jasc22.com.
jasc22.com.      82230   IN   AAAA   2001:470:d:ee7::2
jasc22.com.      86400   IN   NS   ns4.he.net.
jasc22.com.      86400   IN   NS   ns3.he.net.
jasc22.com.      86400   IN   NS   ns5.he.net.
jasc22.com.      86400   IN   NS   ns2.he.net.
jasc22.com.      86400   IN   NS   ns1.he.net.

;; Query time: 54 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Apr 28 10:20:02 2011
;; MSG SIZE  rcvd: 220

Routing table -

2001:470:c:ee7::/64            ::                         Un   256 0     0 he-ipv6
2001:470:d:ee7::/64            ::                         U    256 0     0 eth1
fe80::/64                      ::                         U    256 0     0 eth1
fe80::/64                      ::                         Un   256 0     0 he-ipv6
::/0                           ::                         U    1024 0     0 he-ipv6
::/0                           ::                         !n   -1  1   199 lo
::1/128                        ::                         Un   0   2    31 lo
2001:470:c:ee7::2/128          ::                         Un   0   1  1186 lo
2001:470:d:ee7::2/128          ::                         Un   0   1   267 lo
fe80::6369:6bb5/128            ::                         Un   0   1     0 lo
fe80::e22a:82ff:fe3a:c791/128  ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth1
ff00::/8                       ::                         U    256 0     0 he-ipv6
::/0                           ::                         !n   -1  1   199 lo
Title: Re: Difficulty passing Administrator test
Post by: cholzhauer on April 28, 2011, 10:33:25 AM
I assume the 2001:470:d:ee7::2 you're using is out of your routed /64?

Title: Re: Difficulty passing Administrator test
Post by: jasc22 on April 28, 2011, 11:19:33 AM
@cholzhauer - Thx for your reply. Yes, that's correct!! I'm able to get to my web server via IPv6 and DNS-AAAA and MX records all seem to be working fine but not sure what the problem is. Any troubleshooting tips?
Title: Re: Difficulty passing Administrator test
Post by: broquea on April 28, 2011, 11:54:11 AM
dig aaaa 5103.jasc22.com +trace doesn't return a result when checking any of the listed auth ns.

And there is no AAAA record in your zonefile in dns.he.net for 5103.jasc22.com, as you pasted.

~$ host 5103.jasc22.com
Host 5103.jasc22.com not found: 3(NXDOMAIN)
Title: Re: Difficulty passing Administrator test
Post by: jasc22 on April 28, 2011, 12:41:18 PM
thx @broquea!!! I changed the AAAA to point to 5103.jasc22.com which now resolves to the IP. However, when I run dig aaaa 5103.jasc22.com +trace, I still do not get anything. Any tips that you could provide? thx!!
Title: Re: Difficulty passing Administrator test
Post by: broquea on April 28, 2011, 01:45:44 PM
Think there is another problem:

$ telnet  5103.jasc22.com 25
Trying 2001:470:d:ee7::2...
telnet: Unable to connect to remote host: Connection refused
Title: Re: Difficulty passing Administrator test
Post by: jasc22 on April 28, 2011, 02:45:26 PM
thx broquea!! i figured that out and fixed the issue. i am now able to send email internally but still having issues sending externally. checking logs to see what is going on.
Title: Re: Difficulty passing Administrator test
Post by: jasc22 on April 29, 2011, 09:33:38 AM
broquea - i fixed most of my config issues. i am now able to receive internal emails but not external. i tried from gmail as well but no luck. having issues with DNS and name servers. any other troubleshooting tips that you can provide will be greatly appreciated. thx!
Title: Re: Difficulty passing Administrator test
Post by: cholzhauer on April 29, 2011, 10:08:45 AM
Check DNS


[carl@mars ~]$ host 5103.jasc22.com
Host 5103.jasc22.com not found: 3(NXDOMAIN)

Title: Re: Difficulty passing Administrator test
Post by: jasc22 on April 29, 2011, 11:00:44 AM
thx cholzhauer - i checked below and it resolves to the IP. thoughts?

s733l@5103:/var/log$ host 5103.jasc22.com
5103.jasc22.com has IPv6 address 2001:470:d:ee7::2
Title: Re: Difficulty passing Administrator test
Post by: cholzhauer on April 29, 2011, 11:03:32 AM
It's resolving now.


[carl@mars ~]$ host 5103.jasc22.com
5103.jasc22.com has IPv6 address 2001:470:d:ee7::2


But, you have another issue


[carl@mars ~]$ telnet  5103.jasc22.com 25
Trying 2001:470:d:ee7::2...
telnet: connect to address 2001:470:d:ee7::2: Connection refused
telnet: Unable to connect to remote host


Either your mail server isn't listening on IPv6 or your firewall is blocking traffic.  You say it works internally, so I would look at the firewall.

Title: Re: Difficulty passing Administrator test
Post by: jasc22 on April 29, 2011, 12:09:44 PM
thx much cholzhauer!!! it's strange...my system is on the DMZ and i'm allowing SMTP. However, when I run a portscan it's showing up as closed. very strange. can't seem to figure this one out. does anybody know if ATT blocks SMTP inbound? When I check the logs, I am not seeing any traffic on port 25.


Starting Nmap 5.00 ( http://nmap.org ) at 2011-04-29 12:08 PDT
Interesting ports on jasc22.com (2001:470:d:ee7::2):
Not shown: 997 filtered ports
PORT    STATE  SERVICE
25/tcp  closed smtp
80/tcp  open   http
143/tcp open   imap

Nmap done: 1 IP address (1 host up) scanned in 6.31 seconds

Title: Re: Difficulty passing Administrator test
Post by: cholzhauer on April 29, 2011, 12:14:59 PM
I can see ATT blocking SMTP on IPv4, but I can't imagine they'd be doing it on IPv6.  Who knows though.
Title: Re: Difficulty passing Administrator test
Post by: jasc22 on April 29, 2011, 12:24:30 PM
thx cholzhauer!! i tried sending myself an email on ipv4 from gmail but that does not seem to be working either. does anybody know if it's possible to complete this test using godaddy's email service? stumped!!!
Title: Re: Difficulty passing Administrator test
Post by: johnpoz on April 30, 2011, 06:14:01 AM
Besides the point of it looking like 25 is blocked, sorry, but I still cannot resolve the MX record to that host sometimes - so that could be causing you pain in trying to send email as well.

And I found your problem with the resolving problem

You have these listed as NS

;; Received 493 bytes from 2001:dc3::35#53(m.root-servers.net) in 100 ms

jasc22.com.             172800  IN      NS      ns1.he.net.
jasc22.com.             172800  IN      NS      ns2.he.net.
jasc22.com.             172800  IN      NS      ns3.he.net.
jasc22.com.             172800  IN      NS      ns4.he.net.
jasc22.com.             172800  IN      NS      ns5.he.net.
jasc22.com.             172800  IN      NS      ns71.domaincontrol.com.
jasc22.com.             172800  IN      NS      ns72.domaincontrol.com.

And notice that the he.net ones return AAAA

5103.jasc22.com.        86400   IN      AAAA    2001:470:d:ee7::2
;; Received 61 bytes from 2001:470:200::2#53(ns2.he.net) in 89 ms

But if domaincontrol gets asked -- you fail on that entry
jasc22.com.             3600    IN      SOA     ns71.domaincontrol.com. dns.jomax.net. 2011042901 28800 7200 604800 86400
;; Received 114 bytes from 208.109.255.46#53(ns72.domaincontrol.com) in 40 ms

All NS listed for a domain need to match up for records or going to have issues.  Which NS gets asked is just random luck pretty much.




Title: Re: Difficulty passing Administrator test
Post by: jasc22 on May 03, 2011, 02:57:54 PM
Thx johnpoz!!! ATT was blocking port 25. I resolved the issues per your email below and then tried but still no luck. Checking my system to see if there are any configuration issues that I need to resolve.
Title: Re: Difficulty passing Administrator test
Post by: johnpoz on May 04, 2011, 07:00:40 AM
what did you fix??  You still have the same problem

dig 5103.jasc22.com AAAA +trace

;; Received 493 bytes from 2001:7fd::1#53(k.root-servers.net) in 90 ms

jasc22.com.             172800  IN      NS      ns1.he.net.
jasc22.com.             172800  IN      NS      ns2.he.net.
jasc22.com.             172800  IN      NS      ns3.he.net.
jasc22.com.             172800  IN      NS      ns4.he.net.
jasc22.com.             172800  IN      NS      ns5.he.net.
jasc22.com.             172800  IN      NS      ns71.domaincontrol.com.
jasc22.com.             172800  IN      NS      ns72.domaincontrol.com.
;; Received 405 bytes from 192.48.79.30#53(j.gtld-servers.net) in 191 ms

jasc22.com.             86400   IN      SOA     ns71.domaincontrol.com. dns.jomax.net. 2011050303 28800 7200 604800 86400
;; Received 104 bytes from 216.69.185.46#53(ns71.domaincontrol.com) in 47 ms

Notice when ns71.domaincontrol.com gets asked for AAAA of your mail host you get just SOA - fail!!

If one of the he.net servers gets asked you return

5103.jasc22.com.        300     IN      AAAA    2001:470:d:ee7::2
;; Received 61 bytes from 2001:470:300::2#53(ns3.he.net) in 90 ms

But I still show that not answering on 25 anyway!!

telnet 5103.jasc22.com 25
Trying 2001:470:d:ee7::2...

Just hangs -- so you still have a dns problem, and you still have a port blocked problem.  So yeah email never going to work.




Title: Re: Difficulty passing Administrator test
Post by: jasc22 on May 04, 2011, 10:49:30 AM
hi johnpoz.....so when i try to run dig 5103.jasc22.com AAAA +trace i get the following error. I ran other dig commands and it seems like it's working. Please let me know your thoughts. As well, I have included my mail.log and I received the email but still having issues with postfix.


s733l@5103:~$ dig 5103.jasc22.com AAAA +trace

; <<>> DiG 9.7.1-P2 <<>> 5103.jasc22.com AAAA +trace
;; global options: +cmd
;; connection timed out; no servers could be reached





However, when I run the following I get the results below.


s733l@5103:~$ dig any jasc22.com

; <<>> DiG 9.7.1-P2 <<>> any jasc22.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30888
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jasc22.com. IN ANY

;; ANSWER SECTION:
jasc22.com. 300 IN MX 10 5103.jasc22.com.
jasc22.com. 86400 IN SOA ns1.he.net. hostmaster.he.net. 2011050309 10800 1800 604800 86400
jasc22.com. 300 IN AAAA 2001:470:d:ee7::2
jasc22.com. 300 IN NS ns4.he.net.
jasc22.com. 300 IN NS ns3.he.net.
jasc22.com. 300 IN NS ns5.he.net.
jasc22.com. 300 IN NS ns2.he.net.
jasc22.com. 300 IN NS ns1.he.net.

;; Query time: 61 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Wed May  4 10:44:24 2011
;; MSG SIZE  rcvd: 236


s733l@5103:~$ dig @ns1.he.net -x 2001:470:d:ee7::2

; <<>> DiG 9.7.1-P2 <<>> @ns1.he.net -x 2001:470:d:ee7::2
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48445
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.e.e.0.d.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.e.e.0.d.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa. 86400 IN PTR jasc22.com.

;; Query time: 36 msec
;; SERVER: 216.218.130.2#53(216.218.130.2)
;; WHEN: Wed May  4 10:44:59 2011
;; MSG SIZE  rcvd: 114



s733l@5103:~$ dig aaaa 5103.jasc22.com +short
2001:470:d:ee7::2


Below is my mail.log....I did receive the email but having issues with postfix seems like it.

May  4 08:26:45 5103 postfix/cleanup[3209]: 7EB1A9A0372: message-id=<4dc1703592b3b.1304522805@ipv6.he.net>
May  4 08:26:45 5103 postfix/qmgr[3072]: 7EB1A9A0372: from=<ipv6@he.net>, size=439, nrcpt=1 (queue active)
May  4 08:30:31 5103 postfix/cleanup[3473]: EB4759A038A: message-id=<4dc17117078fe.1304523031@ipv6.he.net>
May  4 08:30:31 5103 postfix/qmgr[3461]: EB4759A038A: from=<ipv6@he.net>, size=439, nrcpt=1 (queue active)
May  4 08:34:44 5103 postfix/qmgr[3644]: 7EB1A9A0372: from=<ipv6@he.net>, size=439, nrcpt=1 (queue active)
May  4 08:36:30 5103 postfix/qmgr[3891]: EB4759A038A: from=<ipv6@he.net>, size=439, nrcpt=1 (queue active)
May  4 08:47:24 5103 postfix/qmgr[4155]: 7EB1A9A0372: from=<ipv6@he.net>, size=439, nrcpt=1 (queue active)
May  4 08:47:24 5103 postfix/qmgr[4155]: EB4759A038A: from=<ipv6@he.net>, size=439, nrcpt=1 (queue active)
May  4 08:48:49 5103 postfix/cleanup[4323]: 6D3489A0388: message-id=<4dc1703592b3b.1304522805@ipv6.he.net>
May  4 08:48:49 5103 postfix/qmgr[4155]: 6D3489A0388: from=<ipv6@he.net>, size=853, nrcpt=1 (queue active)
May  4 08:48:49 5103 postfix/cleanup[4326]: BD6A29A03C0: message-id=<4dc17117078fe.1304523031@ipv6.he.net>
May  4 08:48:49 5103 postfix/qmgr[4155]: BD6A29A03C0: from=<ipv6@he.net>, size=853, nrcpt=1 (queue active)
May  4 08:48:50 5103 postfix/smtp[4327]: B6FAE9A03BF: to=<ipv6@he.net>, relay=he.net[2001:470:0:76::2]:25, delay=0.58, delays=0.1/0.1/0.24/0.14, dsn=4.0.0, status=deferred (host he.net[2001:470:0:76::2] said: 450 Mailbox temporarily unavailable, sorry (in reply to end of DATA command))
May  4 08:48:50 5103 postfix/smtp[4328]: 13EF59A038A: to=<ipv6@he.net>, relay=he.net[2001:470:0:76::2]:25, delay=0.61, delays=0.2/0.03/0.25/0.14, dsn=4.0.0, status=deferred (host he.net[2001:470:0:76::2] said: 450 Mailbox temporarily unavailable, sorry (in reply to end of DATA command))
May  4 08:57:25 5103 postfix/smtp[4539]: B6FAE9A03BF: to=<ipv6@he.net>, relay=he.net[2001:470:0:76::2]:25, delay=516, delays=514/0.04/0.24/1.1, dsn=2.0.0, status=sent (250 Email accepted)
May  4 08:57:30 5103 postfix/smtp[4540]: 13EF59A038A: to=<ipv6@he.net>, relay=he.net[2001:470:0:76::2]:25, delay=520, delays=514/0.04/5.2/1.1, dsn=2.0.0, status=sent (250 Email accepted)
Title: Re: Difficulty passing Administrator test
Post by: jasc22 on May 04, 2011, 12:17:57 PM
Okay...had to make changes to resolv.conf and below is what I got. thx for all your help, johnpoz!! :)


s733l@5103:~$ dig 5103.jasc22.com AAAA +trace

; <<>> DiG 9.7.1-P2 <<>> 5103.jasc22.com AAAA +trace
;; global options: +cmd
. 476485 IN NS i.root-servers.net.
. 476485 IN NS d.root-servers.net.
. 476485 IN NS b.root-servers.net.
. 476485 IN NS e.root-servers.net.
. 476485 IN NS a.root-servers.net.
. 476485 IN NS c.root-servers.net.
. 476485 IN NS j.root-servers.net.
. 476485 IN NS m.root-servers.net.
. 476485 IN NS h.root-servers.net.
. 476485 IN NS l.root-servers.net.
. 476485 IN NS f.root-servers.net.
. 476485 IN NS g.root-servers.net.
. 476485 IN NS k.root-servers.net.
;; Received 228 bytes from 68.94.156.1#53(68.94.156.1) in 26 ms

com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
;; Received 505 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 38 ms

jasc22.com. 172800 IN NS ns1.he.net.
jasc22.com. 172800 IN NS ns2.he.net.
jasc22.com. 172800 IN NS ns3.he.net.
jasc22.com. 172800 IN NS ns4.he.net.
jasc22.com. 172800 IN NS ns5.he.net.
jasc22.com. 172800 IN NS ns71.domaincontrol.com.
jasc22.com. 172800 IN NS ns72.domaincontrol.com.
;; Received 405 bytes from 2001:503:a83e::2:30#53(a.gtld-servers.net) in 36 ms

5103.jasc22.com. 300 IN AAAA 2001:470:d:ee7::2
;; Received 61 bytes from 2001:470:300::2#53(ns3.he.net) in 34 ms

Title: Re: Difficulty passing Administrator test
Post by: johnpoz on May 04, 2011, 12:35:36 PM
I don't know how to say this any different..

Notice in your trace you got that record from he.net server

5103.jasc22.com.   300   IN   AAAA   2001:470:d:ee7::2
Received 61 bytes from 2001:470:300::2#53(ns3.he.net) in 34 ms

But if you ask

jasc22.com.      172800   IN   NS   ns71.domaincontrol.com.
jasc22.com.      172800   IN   NS   ns72.domaincontrol.com.

You do NOT get a AAAA response -- all server listed as your NS should have ALL records, you really should pull the domaincontrol.com servers out if they are not going to have all the records in them.

I'm not currently at a location where I can connect via IPv6, would have to vpn into my home network or wait til I get home.. But the box last couple times I have checked was NOT listening on 25 on that address
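
The check johnpoz describes in his posts above (every server listed as NS for the domain has to return the same records), as an added example that is not part of the thread. The function names are hypothetical, the sample data is constructed from the dig output quoted in the thread, and the live path assumes the `dig` binary is installed.

```python
import subprocess

def dig_query(server, name, rtype):
    """Ask one name server directly, without recursion (needs the dig binary).
    Returns the set of answers, or None if the server did not reply."""
    proc = subprocess.run(
        ["dig", "+norecurse", "+short", "+time=3", "+tries=1",
         "@" + server, name, rtype],
        capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return None
    return {line.strip().lower() for line in proc.stdout.splitlines()
            if line.strip() and not line.startswith(";")}

def check_ns_consistency(name, rtype, nameservers, query=dig_query):
    """Query every delegated server; return (answers, problems)."""
    answers = {ns: query(ns, name, rtype) for ns in nameservers}
    populated = {frozenset(a) for a in answers.values() if a}
    problems = []
    for ns in sorted(answers):
        if answers[ns] is None:
            problems.append(f"{ns}: no reply")
        elif not answers[ns] and populated:
            problems.append(f"{ns}: no {rtype} for {name}, but other servers have one")
    if len(populated) > 1:
        problems.append(f"servers return different {rtype} data for {name}")
    return answers, problems

# Constructed sample mirroring the dig +trace output quoted in the thread:
# the he.net servers hold the AAAA record, the domaincontrol.com servers do not.
HE_NS = ["ns%d.he.net" % i for i in range(1, 6)]
DC_NS = ["ns71.domaincontrol.com", "ns72.domaincontrol.com"]
SAMPLE_AAAA = {ns: {"2001:470:d:ee7::2"} for ns in HE_NS}

def sample_query(server, name, rtype):
    """Offline stand-in for dig_query, driven by the constructed sample."""
    if (name, rtype) == ("5103.jasc22.com", "AAAA"):
        return set(SAMPLE_AAAA.get(server, ()))
    return set()

if __name__ == "__main__":
    for label, servers in (("before", HE_NS + DC_NS), ("after", HE_NS)):
        _, problems = check_ns_consistency("5103.jasc22.com", "AAAA",
                                           servers, sample_query)
        print(label, problems or "consistent")
```

Dropping the `query` argument makes the same call against the live servers through `dig`; the MX and SOA records can be compared the same way by changing `rtype`.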

Title: Re: Difficulty passing Administrator test
Post by: jasc22 on May 04, 2011, 01:32:13 PM
thx johnpoz!!! that worked!! ;D
Title: Re: Difficulty passing Administrator test
Post by: johnpoz on May 04, 2011, 05:23:08 PM
yeah much better

;; Received 493 bytes from 2001:500:2f::f#53(f.root-servers.net) in 44 ms

jasc22.com.             172800  IN      NS      ns1.he.net.
jasc22.com.             172800  IN      NS      ns2.he.net.
jasc22.com.             172800  IN      NS      ns3.he.net.
jasc22.com.             172800  IN      NS      ns4.he.net.
jasc22.com.             172800  IN      NS      ns5.he.net.
;; Received 321 bytes from 192.12.94.30#53(e.gtld-servers.net) in 128 ms

5103.jasc22.com.        300     IN      AAAA    2001:470:d:ee7::2
;; Received 61 bytes from 216.218.130.2#53(ns1.he.net) in 88 ms

Still not showing your server listening on 25 on ipv6, did you turn it off already?

So I can telnet to the he.net mx server on ipv6

telnet 2001:470:0:76::2 25
Trying 2001:470:0:76::2...
Connected to 2001:470:0:76::2.
Escape character is '^]'.
220 he.net ESMTP Ready

see
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php
Checked port 25 on Host/IP 2001:470:0:76::2...
The checked port (25) is online/reachable!
Completed portscan in 0.162 seconds

But yours just sits there and port shows closed on a port scan
Yours fails

Checked port 25 on Host/IP 2001:470:d:ee7::2...
The checked port (25) is offline/unreachable
Reason: Connection timed out (110)
Portscan ran for 9.9877 seconds






Title: Re: Difficulty passing Administrator test
Post by: jasc22 on May 05, 2011, 04:05:46 PM
Hey johnpoz, thx for checking! I got to Sage yesterday and the Administrator was the only test holding me up. The reason why you were unable to telnet was because l shutdown my machine. Great learning experience and appreciate your help!! ;D