Hurricane Electric's IPv6 Tunnel Broker Forums

Tunnelbroker.net Specific Topics => Questions & Answers => Topic started by: sigmoun on May 24, 2013, 09:48:48 AM

Title: Administrator Certification Problem
Post by: sigmoun on May 24, 2013, 09:48:48 AM
Hi everyone,
I am trying to pass the administrator certification. I have successfully set up the MX (you can check by yourself: dig mx mail.ipv6.forbidden-access.org).
When I ask for sending me the HE mail to get the code, it takes too long and no mail is received in my mail server ...
Has anyone experienced something similar ?
Title: Re: Administrator Certification Problem
Post by: kasperd on May 24, 2013, 09:58:46 AM
Your mailserver appears to be down.
Code:
traceroute to mail.ipv6.forbidden-access.org (2001:470:28:f0a:95f0:1a5b:6b47:2265), 30 hops max, 80 byte packets
 1  2a01:d0:839a:babe:735d:77a7:990d:702c  0.130 ms  0.168 ms  0.209 ms
 2  2001:470:0:11e::2  40.965 ms  47.021 ms  47.911 ms
 3  2001:470:27:f0a::2  158.772 ms  146.462 ms  153.476 ms
 4  *  *  *
 5  *  *  *
 6  *  *  *
 7  *  *  *
 8  2001:470:27:f0a::2  285.995 ms !H  171.668 ms !H  *
Title: Re: Administrator Certification Problem
Post by: broquea on May 24, 2013, 10:11:57 AM
What was the specific email addy you submitted, because everything left of @ including the @ gets stripped, and the test works with what remains.
Title: Re: Administrator Certification Problem
Post by: sigmoun on May 25, 2013, 02:47:25 AM
@kasperd Yes when you did the test, the mailserver was rebooting  :P now he is up and still waiting for mails :(
@broquea I am trying to test with sigmoun@mail.ipv6.forbidden-access.org
Thanks !
Title: Re: Administrator Certification Problem
Post by: sigmoun on May 25, 2013, 03:14:33 AM
I have changed the AAAA and so the MX to zied.forbidden-access.org
But it's still sending ...
Title: Re: Administrator Certification Problem
Post by: kasperd on May 25, 2013, 04:27:55 AM
now he is up and still waiting for mails
Nope. Still down. The traceroute output looks the same as before. Your router responds with no route to host, after three seconds. This almost certainly means your router is sending a neighbor discovery and getting no reply back from the mail server, so after three seconds the router times out and sends an error back.
Title: Re: Administrator Certification Problem
Post by: sigmoun on May 25, 2013, 04:59:13 AM
now he is up and still waiting for mails
Nope. Still down. The traceroute output looks the same as before. Your router responds with no route to host, after three seconds. This almost certainly means your router is sending a neighbor discovery and getting no reply back from the mail server, so after three seconds the router times out and sends an error back.

I have changed the AAAA (and so the MX) to :
Code:
zied.forbidden-access.org
I think you made the test with mail.ipv6.forbidden-access.org, that's why you have no route to host.
Title: Re: Administrator Certification Problem
Post by: kasperd on May 25, 2013, 06:17:04 AM
I have changed the AAAA (and so the MX) to :
Code:
zied.forbidden-access.org,
That host is responding, but HE have packet filters in place preventing others from connecting to your mailserver. That means either the issue needs to be debugged using only information available from your end of the connection, or you need to email ipv6@he.net and ask them to help you.

If you install a Teredo relay on your router, I would be able to find out a bit more about what your problem is. And installing such a Teredo relay is a good idea anyway, as it will give you a more reliable communication, when communicating with Teredo users. What OS are you running on the router? I know how to install and configure a Teredo relay on an Ubuntu system, and it is really easy.
Title: Re: Administrator Certification Problem
Post by: sigmoun on May 25, 2013, 06:21:35 AM
Thanks for this information,
As router I am using Vyatta ...
Title: Re: Administrator Certification Problem
Post by: kasperd on May 25, 2013, 06:37:10 AM
As router I am using Vyatta ...
According to Wikipedia it is based on Debian just like Ubuntu is, and it is specialized for networking. With those properties it definitely should support running a Teredo relay. So how about you try out the steps that work on Ubuntu and let us know if they work on Vyatta as well.

First of all install the software with apt-get install miredo. Secondly edit the /etc/miredo.conf configuration file. The default configuration file on installation is for a Teredo client, and what you want is not a client, but a relay. Here is the configuration file, I use on one of my machines
Code:
# Please refer to the miredo.conf(5) man page for details.
InterfaceName   teredo
RelayType relay

# Pick a Teredo server:
#ServerAddress  teredo.ipv6.microsoft.com
#ServerAddress  teredo-debian.remlab.net

# Some firewall/NAT setups require a specific UDP port number:
#BindPort       3545
BindPort        64646
I made three changes. I changed the RelayType, I commented out the ServerAddress, and I added a BindPort. I picked a static port number between 61000 and 65535, just for convenience. It is easier to recognize in packet dumps that way. Finally run service miredo restart which will stop the Teredo client (which may have been started automatically by apt-get install) and then start the relay.
Title: Re: Administrator Certification Problem
Post by: kasperd on May 25, 2013, 07:17:45 AM
Looks like you got the Teredo relay up, as I can see when I now ping zied.forbidden-access.org from a Teredo client, the Teredo server gives me a different Teredo relay address.

But packets sent from my Teredo client to your Teredo relay appear to get lost on the route. Is there a firewall or a NAT device between your Vyatta router and the Internet preventing packets from me making it to the Vyatta router? Or could there be a firewall rule on the Vyatta router blocking packets to the Teredo relay?
Title: Re: Administrator Certification Problem
Post by: sigmoun on May 25, 2013, 07:23:09 AM
Yes, I have installed Teredo as you asked and forwarded the port from my router...
What should I do now ?
Title: Re: Administrator Certification Problem
Post by: sigmoun on May 25, 2013, 07:24:31 AM
By the way, the HE support answer was
Code:
SMTP is not filtered to/from the system that performs the administrator
test.
Title: Re: Administrator Certification Problem
Post by: kasperd on May 25, 2013, 07:34:58 AM
What should I do now ?
I tried running an nmap against your IPv6 address, now that your Teredo relay is functional. This is what I got:
Code:
nmap -6 zied.forbidden-access.org

Starting Nmap 5.21 ( http://nmap.org ) at 2013-05-25 16:31 CEST
Nmap scan report for 2001:470:28:f0a:6510:c8c3:a3cf:f911
Host is up (0.095s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds
So it looks like nothing is listening on port 25 on that host. That would explain why no email can be delivered to it. So check again that the mailserver is indeed running on zied.forbidden-access.org, and check which IP it is listening on. Maybe it is listening only on ::1 or maybe it is listening only on IPv4.
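One way to run the check suggested in the post above on the mail server itself, as an added example that is not part of the original thread: it classifies the IPv6 listeners on port 25 from `ss -6ltn` output. The sample output is constructed and the function names are hypothetical; a firewall can still block a socket that is listening correctly.

```python
import ipaddress

# Constructed `ss -6ltn` output (not from the thread), one sample per case.
HEADER = "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
SSH = "LISTEN 0      128    [::]:22             [::]:*\n"
NO_V6 = HEADER + SSH                       # SMTP is IPv4-only or not running
LOOPBACK = NO_V6 + "LISTEN 0      100    [::1]:25            [::]:*\n"
WILDCARD = NO_V6 + "LISTEN 0      100    [::]:25             [::]:*\n"


def v6_listeners(ss_output, port=25):
    """Local addresses of IPv6 sockets listening on `port`."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                       # header or non-listening socket
        addr, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            # Drop the %interface scope, then the brackets newer ss prints.
            found.append(addr.split("%")[0].strip("[]"))
    return found


def diagnose(ss_output, port=25):
    """Classify the listener along the lines the post suggests checking."""
    addrs = v6_listeners(ss_output, port)
    if not addrs:
        return "no IPv6 listener"
    for addr in addrs:
        if addr == "*":                    # wildcard socket in -6 output
            return "listening on non-local IPv6"
        ip = ipaddress.ip_address(addr)    # "::" is the IPv6 wildcard
        if not (ip.is_loopback or ip.is_link_local):
            return "listening on non-local IPv6"
    return "loopback or link-local only"


if __name__ == "__main__":
    samples = (("NO_V6", NO_V6), ("LOOPBACK", LOOPBACK), ("WILDCARD", WILDCARD))
    for name, sample in samples:
        print(f"{name}: {diagnose(sample)}")
```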
Title: Re: Administrator Certification Problem
Post by: kasperd on May 25, 2013, 07:40:44 AM
by the way, the he support answer was
Code:
SMTP is not filtered to/from the system that performs the administrator
test.
They may have misunderstood the question. But then again, I haven't seen the question you sent to them.

I know the filters don't prevent going through the certification test, if you got the mailserver set up correctly. But the filter prevents anybody else from trying to connect to the server to find out why it isn't working. That means you cannot just go to the forum and ask for help, because nobody on the forum can see what is happening behind the HE filters.

That is why I suggested that you go to ipv6@he.net and ask for the advice, you could previously have gotten from the forum. But they appear not to have understood that point.

I guess that just means whenever such a question shows up, I'll advise people to set up a Teredo relay instead. No harm done, if many of the people going through the certification test learn to set up a Teredo relay. And now if you happen to want to ssh back home from your laptop, and you are somewhere with only IPv4 connectivity, then you can just use a Teredo client on your laptop. :-)
Title: Re: Administrator Certification Problem
Post by: kasperd on May 25, 2013, 07:42:38 AM
So it looks like nothing is listening on port 25 on that host. That would explain why no email can be delivered to it. So check again that the mailserver is indeed running on zied.forbidden-access.org, and check which IP it is listening on. Maybe it is listening only on ::1 or maybe it is listening only on IPv4.
I see you got that working now:
Code:
# telnet -6 zied.forbidden-access.org 25
Trying 2001:470:28:f0a:6510:c8c3:a3cf:f911...
Connected to zied.forbidden-access.org.
Escape character is '^]'.
220 zied.forbidden-access.org ESMTP Postfix (Ubuntu)
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
I hope the certification test passes now.
Title: Re: Administrator Certification Problem
Post by: sigmoun on May 25, 2013, 07:48:27 AM
I have added [2001::]/16 to "mynetworks" in the /etc/postfix/main.cf
So that's why you can telnet it.
But still same problem...
Can you try to send mail to sigmoun@zied.forbidden-access.org through telnet ?
Thanks !
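As an added example (not part of the original post, and not Postfix's own code): in Postfix, `mynetworks` lists the clients trusted to relay mail through the server, so the sketch below measures what an entry like `[2001::]/16` trusts and compares it with a loopback-only value. The `WEAK` and `FIXED` values, the Teredo client address and the function names are constructed for illustration, and only literal network entries are handled.

```python
import ipaddress

TEREDO = ipaddress.ip_network("2001::/32")   # Teredo prefix (RFC 4380)

# Constructed mynetworks values; WEAK contains the entry quoted in the post.
WEAK = "127.0.0.0/8 [::1]/128 [2001::]/16"
FIXED = "127.0.0.0/8 [::1]/128"

MAIL_SERVER = "2001:470:28:f0a:6510:c8c3:a3cf:f911"  # address shown in the thread
TEREDO_CLIENT = "2001:0:53aa:64c::1"                 # constructed Teredo address


def parse_mynetworks(value):
    """Parse literal mynetworks entries; IPv6 is written as [addr]/len."""
    nets = []
    for item in value.replace(",", " ").split():
        addr, _, plen = item.partition("/")
        addr = addr.strip("[]")
        text = f"{addr}/{plen}" if plen else addr
        nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def audit(value, min_v6_prefix=48):
    """Flag IPv6 entries broader than /min_v6_prefix (threshold is an assumption)."""
    findings = []
    for net in parse_mynetworks(value):
        if net.version == 6 and net.prefixlen < min_v6_prefix:
            reason = f"trusts 2^{128 - net.prefixlen} addresses"
            if TEREDO.subnet_of(net):
                reason += ", including every Teredo client"
            findings.append((str(net), reason))
    return findings


def trusted(value, client):
    """True if `client` would be treated as a trusted (relay-permitted) host."""
    ip = ipaddress.ip_address(client)
    return any(ip in n for n in parse_mynetworks(value) if n.version == ip.version)


if __name__ == "__main__":
    for label, value in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(label, audit(value), trusted(value, TEREDO_CLIENT))
```

Accepting mail for local recipients does not depend on the sender being in `mynetworks`, so the loopback-only value still lets outside hosts deliver to addresses the server is the final destination for.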
Title: Re: Administrator Certification Problem
Post by: kasperd on May 25, 2013, 08:41:16 AM
Can you try to send mail to sigmoun@zied.forbidden-access.org through telnet ?
Code:
$ telnet -6 zied.forbidden-access.org 25
Trying 2001:470:28:f0a:6510:c8c3:a3cf:f911...
Connected to zied.forbidden-access.org.
Escape character is '^]'.
220 zied.forbidden-access.org ESMTP Postfix (Ubuntu)
HELO bfbqv.25.may.2013v6.kasperd.net
250 zied.forbidden-access.org
MAIL From:<blackhole@bfbqv.25.may.2013v6.kasperd.net>
250 2.1.0 Ok
RCPT To:<sigmoun@zied.forbidden-access.org>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: blackhole@bfbqv.25.may.2013v6.kasperd.net
To: sigmoun@zied.forbidden-access.org
Subject: 2895

https://www.tunnelbroker.net/forums/index.php?topic=2895

.
250 2.0.0 Ok: queued as 0D52F1F16
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
Title: Re: Administrator Certification Problem
Post by: sigmoun on May 25, 2013, 08:49:40 AM
Yes I have received the mail  ??? ??? ??? ??? ??? ??? ??? ???
So couldn't the administrator system send me mail ??? ??? ???
Title: Re: Administrator Certification Problem
Post by: kasperd on May 25, 2013, 09:02:22 AM
So couldn't the administrator system send me mail
Time to fire up tcpdump. If you have tcpdump on the router, then running it on the router is the best option. Otherwise it could still be useful to run it on the mailserver.

I think the tunnel interface on the router is the best one to look at for debugging this issue. I imagine something like this tcpdump -pni sit1 -s0 -Uw smtp.pcap which would dump all the traffic from the sit1 interface to the file smtp.pcap.

Then while the tcpdump command is running, you try the certification test again. Once it has produced an error, you can stop tcpdump and look at the result with something like tcpdump -nr smtp.pcap
Title: Re: Administrator Certification Problem
Post by: sigmoun on May 25, 2013, 09:11:48 AM
SOLVED !
I have sent a mail to the support explaining them that a HE user (you) was able to send mail to my mailserver. This is their response:
Code:
Should be better at this time.  Looks like a stale cache entry was the
issue.

Thank you for your help!!!!!!!!!