Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Problem passing the mail part of the test  (Read 7299 times)

cholzhauer

  • Hero Member
  • *****
  • Posts: 2709
Problem passing the mail part of the test
« on: August 20, 2009, 11:22:16 AM »

So I finally figured out how to get sendmail to accept incoming connections, but I'm still not able to receive mail from the outside.

What sort of things should I be looking for? I have port 25 opened for that host in the firewall.

Thanks
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2709
Re: Problem passing the mail part of the test
« Reply #1 on: August 20, 2009, 11:49:42 AM »

Well, I'm getting packets...

13:50:00.303078 IP6 ipv6.he.net.54107 > mars.sscorp.com.smtp: S 30866768:30866768(0) win 5760 <mss 1440,sackOK,timestamp 1675021947 0,nop,wscale 6>
13:50:00.303496 IP6 mars.sscorp.com.smtp > ipv6.he.net.54107: S 2946778062:2946778062(0) ack 30866769 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3865513126 1675021947>
13:50:06.260091 IP6 ipv6.he.net.54107 > mars.sscorp.com.smtp: S 30866768:30866768(0) win 5760 <mss 1440,sackOK,timestamp 1675024947 0,nop,wscale 6>
13:50:06.260327 IP6 mars.sscorp.com.smtp > ipv6.he.net.54107: S 2946778062:2946778062(0) ack 30866769 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3865513126 1675024947>
13:50:17.958236 IP6 ipv6.he.net.54107 > mars.sscorp.com.smtp: S 30866768:30866768(0) win 5760 <mss 1440,sackOK,timestamp 1675030947 0,nop,wscale 6>
13:50:17.958692 IP6 mars.sscorp.com.smtp > ipv6.he.net.54107: S 2946778062:2946778062(0) ack 30866769 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3865513126 1675030947>
Logged

kriteknetworks

  • Sr. Member
  • ****
  • Posts: 260
    • aRDy Music
Re: Problem passing the mail part of the test
« Reply #2 on: August 20, 2009, 11:55:15 AM »

You didn't state if your firewall was iptables or ip6tables; the former has no effect on IPv6. Check default policy for INPUT chain with ip6tables. Check your mail logs for connection attempts. Manually telnet to the server on the configured listening IPv6 IP on port 25.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2709
Re: Problem passing the mail part of the test
« Reply #3 on: August 20, 2009, 12:54:17 PM »

Ooops, sorry.

No firewall as of right now

Telnet on port 25 works...

carl@venus:~> telnet mars.sscorp.com 25
Trying 2001:4978:1d8:e000:20c:29ff:fe26:51b7...
Connected to mars.sscorp.com.
Escape character is '^]'.
220 mars.sscorp.com ESMTP Sendmail 8.14.3/8.14.3; Thu, 20 Aug 2009 15:25:14 -0400 (EDT)


Logged

kriteknetworks

  • Sr. Member
  • ****
  • Posts: 260
    • aRDy Music
Re: Problem passing the mail part of the test
« Reply #4 on: August 20, 2009, 01:20:24 PM »

I cannot reach mars.sscorp.com 25 via IPv6 from here. Something's blocking... You didn't mention: are there any connect attempts from IPv6 src addresses in your mail logs?

Can't ping it either.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2709
Re: Problem passing the mail part of the test
« Reply #5 on: August 20, 2009, 01:24:25 PM »

The only connection attempts in there are the ones from my local network.

Server is listening for mail:

tcp6       0      0 *.smtp                 *.*                    LISTEN
tcp4       0      0 *.smtp                 *.*                    LISTEN


The only other thing I can think of is sendmail itself...  from the config:

# SMTP daemon options

O DaemonPortOptions=Name=IPv4, Family=inet
O DaemonPortOptions=Name=IPv6, Family=inet6, Modifiers=O
O DaemonPortOptions=Port=587, Name=MSA, M=E
#O DaemonPortOptions=Port=25


If I remove the comment from the last line, nothing works, and I can't telnet to port 25 anymore.
Logged

jimb

  • Hero Member
  • *****
  • Posts: 805
  • ^^^ Warped picture
Re: Problem passing the mail part of the test
« Reply #6 on: August 20, 2009, 06:57:07 PM »

Something is blocking.  Probably FBSD pf firewall (IIRC that's what you're using) on your gateway, or some sort of firewall or the SMTP server itself on the mail server.

Look at the logs on your firewall and your server to make sure it's not dropping the traffic. If you don't have them configured to log packet drops, you should probably do so. It's great for diagnosing problems like this. Make sure that your firewall(s) are configured to allow tcp port 25. Also make sure your sendmail isn't using some front end which blocks traffic (tcp wrappers, etc).

Note that I also can't ping mars.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2709
Re: Problem passing the mail part of the test
« Reply #7 on: August 20, 2009, 08:50:30 PM »

Yeah, the default route thing is why you can't ping mars...I set the default route to be my IPv6 router, then it magically changes back to my ASA.  I have to look into how to make that route stay put.

Anyway.  I'm not using any sort of firewall on the bsd machines.  IP tables isn't turned on by default in BSD and I have no intentions of messing with that thing.

AFAIK there isn't any sort of front end... it's just a default install out of the box. I'll have to take a packet capture on the router and see if it matches up to what I'm seeing on the host.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2709
Re: Problem passing the mail part of the test
« Reply #8 on: August 20, 2009, 08:58:26 PM »

Never mind, I got it.

I didn't change anything other than the default route...even though I didn't reboot or anything, it still changed back to the address of the ASA.

Grr.

Sorry for the false alarm guys. 

Thanks for your ideas
Logged

jimb

  • Hero Member
  • *****
  • Posts: 805
  • ^^^ Warped picture
Re: Problem passing the mail part of the test
« Reply #9 on: August 20, 2009, 09:12:34 PM »

> Never mind, I got it.
>
> I didn't change anything other than the default route...even though I didn't reboot or anything, it still changed back to the address of the ASA.
>
> Grr.
>
> Sorry for the false alarm guys.
>
> Thanks for your ideas

You appear to be using IPv6 autoconfiguration to set your IPv6 addresses on your e000 network. Most likely the Cisco is running route advertisement, or you have your FBSD box set up using radvd. You need to adjust the configuration so that your router advertisement daemon advertises your FBSD box as your default router on that subnet, instead of the Cisco box.

Either that, or just config the IPv6 addresses and default route statically.

Logged
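
An added example, not part of any poster's message: the capture in Reply #1 shows the server answering every SYN while the client keeps retransmitting the same SYN, which is what a host sees when its replies leave by the wrong default route, as diagnosed in the last reply. The script below detects that pattern in tcpdump text of the older format shown in Reply #1; the function name is hypothetical and the last three capture lines are constructed for contrast.

```python
import re

# Lines 1-6 are the capture posted in Reply #1; lines 7-9 are a constructed
# healthy handshake between hypothetical hosts, added for contrast.
CAPTURE = """\
13:50:00.303078 IP6 ipv6.he.net.54107 > mars.sscorp.com.smtp: S 30866768:30866768(0) win 5760 <mss 1440,sackOK,timestamp 1675021947 0,nop,wscale 6>
13:50:00.303496 IP6 mars.sscorp.com.smtp > ipv6.he.net.54107: S 2946778062:2946778062(0) ack 30866769 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3865513126 1675021947>
13:50:06.260091 IP6 ipv6.he.net.54107 > mars.sscorp.com.smtp: S 30866768:30866768(0) win 5760 <mss 1440,sackOK,timestamp 1675024947 0,nop,wscale 6>
13:50:06.260327 IP6 mars.sscorp.com.smtp > ipv6.he.net.54107: S 2946778062:2946778062(0) ack 30866769 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3865513126 1675024947>
13:50:17.958236 IP6 ipv6.he.net.54107 > mars.sscorp.com.smtp: S 30866768:30866768(0) win 5760 <mss 1440,sackOK,timestamp 1675030947 0,nop,wscale 6>
13:50:17.958692 IP6 mars.sscorp.com.smtp > ipv6.he.net.54107: S 2946778062:2946778062(0) ack 30866769 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3865513126 1675030947>
13:51:00.000100 IP6 client.example.net.40000 > mail.example.net.smtp: S 1000:1000(0) win 5760 <mss 1440>
13:51:00.000400 IP6 mail.example.net.smtp > client.example.net.40000: S 5000:5000(0) ack 1001 win 65535 <mss 1440>
13:51:00.020000 IP6 client.example.net.40000 > mail.example.net.smtp: . ack 1 win 90
"""

# Older tcpdump text: "<ts> IP6 <src> > <dst>: <flags> <seq>:<end>(<len>) [ack N] ..."
LINE = re.compile(
    r"^\S+ IP6 (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
    r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def stalled_handshakes(capture):
    """Return flows where the client re-sent its SYN after a SYN-ACK had gone out."""
    flows = {}  # (client, server, client ISN) -> packet counters
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m or m["flags"] != "S":
            continue  # only SYN and SYN-ACK segments matter here
        if m["ack"] is None:  # bare SYN from the client
            key = (m["src"], m["dst"], int(m["seq"]))
            c = flows.setdefault(key, {"syn": 0, "synack": 0, "retry_after_synack": 0})
            c["syn"] += 1
            if c["synack"]:  # same ISN again although we already answered
                c["retry_after_synack"] += 1
        else:  # SYN-ACK from the server; it acknowledges client ISN + 1
            key = (m["dst"], m["src"], (int(m["ack"]) - 1) % 2**32)
            if key in flows:
                flows[key]["synack"] += 1
    return {k: c for k, c in flows.items() if c["retry_after_synack"]}

if __name__ == "__main__":
    for (client, server, isn), c in stalled_handshakes(CAPTURE).items():
        print(f"{client} -> {server}: {c['syn']} SYNs, {c['synack']} SYN-ACKs, "
              f"{c['retry_after_synack']} retries after a SYN-ACK; check the return route")
```

A flow reported here means the listener and any inbound filtering are working, so the next place to look is the server's IPv6 default route rather than sendmail or the firewall rules.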