• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Administrator certification test question (RESOLVED)

Started by yurko, May 30, 2013, 12:30:36 PM

Previous topic - Next topic

yurko

I reached Administrator certification test.
My mail server has been installed and configured to support ipv6, DNS AAAA and MX records are fine, port 25 is not restricted by a firewall for both ipv4 and ipv6 protocols.
I'm able to send mails to my test address using telnet to ipv6 address port 25 from a different local ipv6 box.

If I open the test page (http://ipv6.he.net/certification/cert-main.php) and try to go through the Administrator test:
- step 1 - code generated;
- step 2 - email address entered;
- step 3 - pressing button "Send It!" and watching spinning sign... the spinning never ends :(
The arrows sign keeps spinning for hours with no results, tcpdump on ipv6 interface never showed any activity.
I tried to use different browsers (mac Safari, mac Chrome and some win7 IE), also tried to log into the test page from both ipv4 and ipv6 networks, nothing changed.

How long did it take for you - wait through spinning sign to get some results?

Any ideas what I'm doing wrong or what the problem is?

cholzhauer

Some more information like domain info might help.

It should respond pretty quickly

yurko

Quote from: cholzhauer on May 30, 2013, 12:51:53 PM
Some more information like domain info might help.

It should respond pretty quickly
Sure.
Client IPV6 address: 2001:470:7:80b::2/64
Routed /64: 2001:470:8:80b::/64

From my side tunnel is on linux server, tunnel ipv6 my side is 2001:470:7:80b::2, eth1 (internal net) has 2001:470:8:80b::1, both IPs answer on port 25.
Before I tried to use 2001:470:7:80b::2 as AAAA for name with MX configured, now I re-cofigured it to use 2001:470:8:80b::1 instead (not propagated to HE name servers yet).
Email address for my test: yurko@ipv6.yurko.net
So far HE name servers answer:
# dig @2001:470:20::2 mx ipv6.yurko.net +short
1 ipv6.yurko.net.
# dig @2001:470:20::2 aaaa ipv6.yurko.net +short
2001:470:7:80b::2


Unfortunately, as I understand, I cannot test connection to my ipv6 port 25 from a remote ipv6 address, because it's filtered by HE, according to last question at http://ipv6.he.net/certification/faq.php

kasperd

The last thread I saw where a user had problems with that test, it turned out that one of the issues was that some old DNS records were cached. If you changed any DNS records during the certification test, it might be that HE still has old DNS records cached.

How long has it been since you last modified some of the DNS records relevant to a server sending email to that domain?

Quote from: yurko on May 30, 2013, 01:04:28 PMUnfortunately, as I understand, I cannot test connection to my ipv6 port 25 from a remote ipv6 address
You can if the remote end is cooperating a little bit. One possibility is to run a Teredo relay on your own gateway, then if the remote end is on a Teredo address, it will work. Another possibility is to manually configure another tunnel between your server and the remote end, which need to reach your SMTP port.

Before you try any of those changes you should take a look at a dump of the tunnelled IPv6 traffic arriving on your network. You can dump it with tcpdump or equivalent. Then look for any SYN packets for port 25 when you try to run the test again.

yurko

Quote from: kasperd on May 30, 2013, 04:39:15 PMThe last thread I saw where a user had problems with that test, it turned out that one of the issues was that some old DNS records were cached. If you changed any DNS records during the certification test, it might be that HE still has old DNS records cached.
Yes, it may be the issue. However the specified HE name servers (2001:470:20::2 and 74.82.42.42) already have up-to-date DNS data.

Quote from: kasperd on May 30, 2013, 04:39:15 PMHow long has it been since you last modified some of the DNS records relevant to a server sending email to that domain?
Still under 48 hours.

Quote from: kasperd on May 30, 2013, 04:39:15 PMBefore you try any of those changes you should take a look at a dump of the tunnelled IPv6 traffic arriving on your network. You can dump it with tcpdump or equivalent. Then look for any SYN packets for port 25 when you try to run the test again.
I specified in my previous messages that tcpdump shows no port 25 traffic going through IPv6-in-IPv4 tunnel interface.

And yes, I am able to send mails inside my local Dualstack network to ipv6-only-MX mail server.
And test page still showing never ending spinning image... :(

broquea

QuoteYes, it may be the issue. However the specified HE name servers (2001:470:20::2 and 74.82.42.42) already have up-to-date DNS data.

And yet, the open recursor is still not the local recursor running on the machine :)

kasperd

Quote from: yurko on May 31, 2013, 11:59:48 AMI specified in my previous messages that tcpdump shows no port 25 traffic going through IPv6-in-IPv4 tunnel interface.
I missed that. I think it is more interesting to look at the traffic on the IPv4 interface, sometimes that will reveal something, which you would not see from the decapsulated IPv6 packets. Though in your particular case, it might not make any difference.

Quote from: yurko on May 31, 2013, 11:59:48 AMAnd test page still showing never ending spinning image..
Would be nice, if it would tell you what it is trying to do. For example it should tell you, which IPv6 address it is trying to connect to.

Your options right now are:

  • Wait for DNS cache to expire.
  • Send an email to HE and ask them for more detail about why exactly the test is hanging.
  • Send an email to HE and request the DNS cache gets flushed.
  • Create a feature request to have the test page provide a bit more information on what it is trying to do.

yurko

Thank you all guys!

I emailed to HE and after couple of mails back-forward got the following answer:
QuotePlease try again.  Looks like a rule was being triggered too soon in the
blocks on that tunnel server.  Should be fine now.
Which means that actually port 25 was blocked from HE side of the tunnel by mistake or due to a bug.

After that I was able to finish all my certifications till the very last level with no problems.

Thank you all again and have a great weekend!