• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Problem passing the mail part of the test

Started by cholzhauer, August 20, 2009, 11:22:16 AM

Previous topic - Next topic

cholzhauer

So I finally figured out how to get sendmail to accept incoming connections, but I'm still not able to receive mail from the outside.

What sort of things should I be looking for?  I have port 25 opened for that host in the firewall

Thanks

cholzhauer

Well, I'm getting packets...

13:50:00.303078 IP6 ipv6.he.net.54107 > mars.sscorp.com.smtp: S 30866768:30866768(0) win 5760 <mss 1440,sackOK,timestamp 1675021947 0,nop,wscale 6>
13:50:00.303496 IP6 mars.sscorp.com.smtp > ipv6.he.net.54107: S 2946778062:2946778062(0) ack 30866769 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3865513126 1675021947>
13:50:06.260091 IP6 ipv6.he.net.54107 > mars.sscorp.com.smtp: S 30866768:30866768(0) win 5760 <mss 1440,sackOK,timestamp 1675024947 0,nop,wscale 6>
13:50:06.260327 IP6 mars.sscorp.com.smtp > ipv6.he.net.54107: S 2946778062:2946778062(0) ack 30866769 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3865513126 1675024947>
13:50:17.958236 IP6 ipv6.he.net.54107 > mars.sscorp.com.smtp: S 30866768:30866768(0) win 5760 <mss 1440,sackOK,timestamp 1675030947 0,nop,wscale 6>
13:50:17.958692 IP6 mars.sscorp.com.smtp > ipv6.he.net.54107: S 2946778062:2946778062(0) ack 30866769 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3865513126 1675030947>

kriteknetworks

You didn't state if your firewall was iptables, or ip6tables, the former has no effect on ipv6. Check default policy for INPUT chain with ip6tables. Check your mail logs for connection attempts. Manually telnet to the server on the configured listening ipv6 IP on port 25.

cholzhauer

Ooops, sorry.

No firewall as of right now

Telnet on port 25 works...

carl@venus:~> telnet mars.sscorp.com 25
Trying 2001:4978:1d8:e000:20c:29ff:fe26:51b7...
Connected to mars.sscorp.com.
Escape character is '^]'.
220 mars.sscorp.com ESMTP Sendmail 8.14.3/8.14.3; Thu, 20 Aug 2009 15:25:14 -0400 (EDT)



kriteknetworks

I cannot reach mars.sscorp.com 25 via ipv6 from here. Something's blocking....you didn't mention, are there any connect attempts from ipv6 src addresses in your mail logs?

Can't ping it either.

cholzhauer

The only connection attempts in there are the ones from my local network.

Server is listening for mail:

tcp6       0      0 *.smtp                 *.*                    LISTEN
tcp4       0      0 *.smtp                 *.*                    LISTEN


The only other thing I can think of is sendmail itself...  from the config:

# SMTP daemon options

O DaemonPortOptions=Name=IPv4, Family=inet
O DaemonPortOptions=Name=IPv6, Family=inet6, Modifiers=O
O DaemonPortOptions=Port=587, Name=MSA, M=E
#O DaemonPortOptions=Port=25


If I remove the comment from the last line, nothing works, and I can't telnet to port 25 anymore.

jimb

Something is blocking.  Probably FBSD pf firewall (IIRC that's what you're using) on your gateway, or some sort of firewall or the SMTP server itself on the mail server.

Look at the logs on your firewall and your server make sure it's not dropping the traffic.  If you don't have them configured to log packet drops, you should probably do so.  It's great for diagnosing problems like this.  Make sure that your firewall(s) are configured to allow tcp port 25.  Also make sure your sendmail isn't using some front end which blocks traffic (tcp wrappers, etc).

Note that I also can't ping mars.

cholzhauer

Yeah, the default route thing is why you can't ping mars...I set the default route to be my IPv6 router, then it magically changes back to my ASA.  I have to look into how to make that route stay put.

Anyway.  I'm not using any sort of firewall on the bsd machines.  IP tables isn't turned on by default in BSD and I have no intentions of messing with that thing.

AFAIK there isn't any sort of front end..it's just a default install out of the box.   I'll have to take a packet capture on the router and see if it matches up to what I'm seeing on the host.

cholzhauer

Never mind, I got it.

I didn't change anything other then the default route...even though I didn't reboot or anything, it still changed back to the address of the ASA.

Grr.

Sorry for the false alarm guys. 

Thanks for your ideas

jimb

Quote from: cholzhauer on August 20, 2009, 08:58:26 PM
Never mind, I got it.

I didn't change anything other then the default route...even though I didn't reboot or anything, it still changed back to the address of the ASA.

Grr.

Sorry for the false alarm guys. 

Thanks for your ideas
You appear to be using IPv6 autoconfiguration to set your IPv6 addresses on your e000 network.  Most likely the Cisco is running route advertisement, or you have your FBSD box set up using radvd.  You need to adjust the configuration so that your router advertisement daemon advertises your FBSD box as your default router on that subnet, instead of the Cisco box.

Either that, or just config the IPv6 addresses and default route statically.