athera
asked on
Fedora Core and Sendmail Config
I have sendmail and dovecot running I got to the point that it all works fine on our internal network send receive etc.
But I cannot telnet to the server on port 25 or 143 from an outside server. Thought it may be a firewall conflict, so I took the firewall down altogether, but it still does not work.
Any ideas???
ASKER
The server has a public IP address and I can ssh to it from outside, no problem, but no telnet to port 25. By the way, httpd works fine.
ASKER
PsiCop
Also on the same network I have sendmail running fine on a box that is running RedHat Linux, not Fedora, and it seems that the sendmail.mc is slightly different, so I didn't attempt to move it over.
Nicholas
It is possible in the sendmail.mc to have the daemon bind to a port other than 25. I don't have a sendmail reference handy to look up the specific macro. Can you do a portscan against the box and see what ports are listening? Or use netstat to see what ports are bound?
Also, if the box has TCPWrappers, and they are not configured properly with regards to the network, then the TCP port 25 traffic may be dropped before it reaches sendmail.
ASKER
As far as TCPWrappers goes I added a line in host.allow
sendmail: ALL
As far as netstat goes ya I can do that but I can't make heads or tails from the output. I see dovecot 3 times but not sendmail.
Now how do I do a portscan??
ASKER
here is this (not sure if it helps)
[root@www nicholas]# nmap localhost
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-02-24 14:58 EST
Interesting ports on www.athera.com (127.0.0.1):
(The 1652 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
631/tcp open ipp
993/tcp open imaps
Nmap run completed -- 1 IP address (1 host up) scanned in 0.363 seconds
nmap = portscan
Well, *something* is bound to port 25. What is dovecot?
ASKER
(nmap = portscan) LOL
Dovecot is what I am using for IMAP
Well SMTP is bound on port 25 cause when I telnet from any box inside our network sendmail works fine
If you can telnet to the server on port 25 from another machine on your inside network, but not from the Internet, you need to look at what your gateway router/firewall config allows.
ASKER
jlevie
I actually took the firewall down for now; no gateway/router restrictions.
So your Internet gateway router now doesn't have any firewall rules active, correct?
Is your local network behind a NAT'ing gateway router? That would mean that hosts on the local network use private IP's (from 10/8, 172.16/12, or 192.168/16)? If you are on a private network you need to configure the gateway router to port forward SMTP traffic to your mail server.
If your local network uses routable IP's and you are certain that there are no firewalls between the mail server and the Internet you need to ask your service provider if they block inbound connections on 25/TCP.
ASKER
jlevie
Don't even go there. I have half a class 'c' (0-127), 128 IPs. I control the router; I have had several sendmail servers running before and still do.
I know the problem is in that box. So it has to be something I am overlooking in the config files.
This is my first time with Fedora Core, by the way. All my other mail servers were on RedHat 6-7-8.
I hope this is helpful.
nicholas
If that's the case, then I'm back to thinking it's something with TCPWrappers. Since it's host-specific, it's gotta be something in that host's TCP/IP protocol stack. Is it possible for you to turn off TCPWrappers and use straight inetd - mainly to try to pinpoint?
ASKER
jlevie
Also...
you should know this is a fresh install on a new Dell box. Everything else seems to work fine.
sendmail and dovecot work fine internally also.
There must be something in that box either FC or sendmail that prohibits the connection to an outside network.
nicholas
ASKER
Have the TCPWrappers changed in FC
I put
sendmail:ALL in the hosts.allow file
but it didn't help
Okay, so we can be pretty sure that inbound SMTP connections can reach the FC3 box if the other servers are accessible.
To make sure "we are on the same page" I'd like to verify that you can telnet to this box from another node on the local network on the SMTP port, correct?
When you removed the localhost only restriction in /etc/mail/sendmail.mc did you comment out:
DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl
or edit that line. The correct thing to do is to comment it out.
Does /etc/hosts.allow and/or /etc/hosts.deny contain any restrictions?
Does 'iptables -L' show:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Have you verified that the correct netmask and default route is set on this machine?
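The two checks in the post above (which DAEMON_OPTIONS lines are still active, and which address the SMTP listener is actually bound to, which is what the asker could not read out of netstat earlier) as an added shell script, not code from the thread. It runs against constructed sample files so it can be tried anywhere; point active_daemon_binds at /etc/mail/sendmail.mc and listen_addrs at saved "netstat -ltn" output on the real box.

```shell
#!/bin/sh
# Added example, not from the thread: jlevie's checks, run here against
# constructed sample files so the script works anywhere.

# Print "<port> <addr>" for every DAEMON_OPTIONS line in a sendmail.mc
# that is still active; lines beginning with "dnl" are m4 comments and
# are skipped. Port defaults to smtp; a line without Addr= binds every
# interface, reported here as ANY.
active_daemon_binds() {
    grep -E '^[[:space:]]*DAEMON_OPTIONS' "$1" | while IFS= read -r line; do
        port=$(printf '%s\n' "$line" | sed -n "s/.*[Pp]ort=\([^,)']*\).*/\1/p")
        addr=$(printf '%s\n' "$line" | sed -n "s/.*Addr=\([^,)']*\).*/\1/p")
        printf '%s %s\n' "${port:-smtp}" "${addr:-ANY}"
    done
}

# From saved "netstat -ltn" output ($1), print the local address on which
# TCP port $2 listens, one per line (0.0.0.0 or :: means every interface).
listen_addrs() {
    awk -v p="$2" '$6 == "LISTEN" && $4 ~ (":" p "$") {
        print substr($4, 1, length($4) - length(p) - 1) }' "$1"
}

# Succeeds when port $2 is bound to something other than loopback, i.e.
# a remote "telnet host 25" can reach the daemon unless a firewall or
# TCP wrappers drop it first.
reachable_from_outside() {
    listen_addrs "$1" "$2" | grep -qvE '^(127\.|::1$)'
}

# --- constructed samples (placeholders, not the poster's real files) ---
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/sendmail.mc" <<'EOF'
dnl DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=::1, Name=MTA-v6, Family=inet6')dnl
EOF
cat > "$SAMPLES/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
EOF
active_daemon_binds "$SAMPLES/sendmail.mc"
if reachable_from_outside "$SAMPLES/netstat.txt" 25; then
    echo "port 25: reachable from other hosts"
else
    echo "port 25: loopback-only or not listening; check DAEMON_OPTIONS"
fi
```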
ASKER
just did an ifconfig
both eth0 and eth0:1 have the right info
Mask:255.255.255.128
and the correct broadcast address
I commented the magic line out, did not edit it
Nothing in /etc/hosts.deny
How do I do this ( Does 'iptables -L' show: )
ASKER
OK I know what the problem is
now
I have to figure out how to fix it
when I was looking at the ifconfig results I noticed that eth0 has an extra line
inet6 addr: fe80::211:11ff:fecb:d2f6/64 Scope:Link
so I tried connecting to the IP that is assigned to eth0, not to eth0:1 that I was going to before, and sendmail worked.
so now what??
ASKER
I guess the right thing to do is figure out how to configure eth0:1 properly
the way I do it now is by putting the following lines in the rc.local file
/sbin/ifconfig eth0:1 00.00.202.94
/sbin/ifconfig eth0:1 broadcast 00.00.202.127
/sbin/ifconfig eth0:1 netmask 255.255.255.128
/sbin/route add -host 00.00.202.94 dev eth0:1
any ideas
Are you actually using an IP of 0.0.202.94, or is that just an obfuscated IP from your netblock?
You don't need to bring the IP up via commands in rc.local. If you create /etc/sysconfig/network-scripts/ifcfg-eth0:1 containing:
DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=x.x.202.127
IPADDR=x.x.202.94
NETMASK=255.255.255.128
NETWORK=x.x.202.0
ONBOOT=yes
TYPE=Ethernet
/etc/init.d/network will bring up the sub-interface automatically.
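A script, added here and not from the thread, that writes one ifcfg-eth0:N file of the form above for each alias address and derives NETWORK and BROADCAST from IPADDR and NETMASK instead of typing them by hand; the 198.51.100.0/25 addresses are constructed placeholders, and the files go to a scratch directory rather than /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example, not from the thread: generates the ifcfg-eth0:N files
# jlevie describes for each alias address and derives NETWORK and
# BROADCAST from the address and netmask so they cannot disagree with
# the values typed into rc.local. The 198.51.100.0/25 addresses are
# constructed placeholders (a documentation range), not the poster's.

octets() { printf '%s' "$1" | tr '.' ' '; }

# network_of 198.51.100.94 255.255.255.128 -> 198.51.100.0 (address AND mask)
network_of() {
    set -- $(octets "$1") $(octets "$2")
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# broadcast_of 198.51.100.94 255.255.255.128 -> 198.51.100.127 (address OR ~mask)
broadcast_of() {
    set -- $(octets "$1") $(octets "$2")
    echo "$(($1 | (255 - $5))).$(($2 | (255 - $6))).$(($3 | (255 - $7))).$(($4 | (255 - $8)))"
}

# Write $1/ifcfg-eth0:$2 for address $3 with netmask $4; ONBOOT=yes lets
# /etc/init.d/network bring the alias up at boot, replacing the ifconfig
# and route lines in rc.local. On a real box $1 is
# /etc/sysconfig/network-scripts.
write_ifcfg() {
    cat > "$1/ifcfg-eth0:$2" <<EOF
DEVICE=eth0:$2
BOOTPROTO=static
BROADCAST=$(broadcast_of "$3" "$4")
IPADDR=$3
NETMASK=$4
NETWORK=$(network_of "$3" "$4")
ONBOOT=yes
TYPE=Ethernet
EOF
}

# Demo into a scratch directory: one alias file per extra address.
OUT=$(mktemp -d)
n=1
for ip in 198.51.100.94 198.51.100.95; do
    write_ifcfg "$OUT" "$n" "$ip" 255.255.255.128
    n=$((n + 1))
done
cat "$OUT"/ifcfg-eth0:*
```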
ASKER
ya I put 00 so my boss doesn't have a freak out
OK so do I create a new file in /etc/sysconfig/network-scripts/ifcfg-eth0:xx
for each eth0:1,eth0:2,eth0:3,.... etc....
???
nicholas
Yes.
ASKER
Hi jlevie
I was thinking that it has to be something within the sendmail.mc that prohibits it from binding due to the IP address misconfiguration.
I am saying that cause both httpd and sshd have no problem on both addresses.
Any thoughts???
It almost sounds like you edited rather than commented out the localhost IP restriction in sendmail.mc. What does 'grep DAEMON_OPTIONS /etc/mail/sendmail.mc' show?
ASKER
j--
here u go
[root@www nicholas]# grep DAEMON_OPTIONS /etc/mail/sendmail.mc
dnl DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl DAEMON_OPTIONS(`port=smtp, Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
[root@www nicholas]#
ASKER CERTIFIED SOLUTION
ASKER
j--
u are correct, I tried adding eth0:2 your way and it works fine.
I can get mail from anywhere now.
However I still have a problem sending, not sure why, still looking in the maillog
ASKER
from the maillog looked like an authentication problem
so I turned off the "pass required" on the client and that works
in sendmail.mc I used to put, and I did here too last week when I started on this,
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS',`LOGIN PLAIN')dnl
so why is it relaying without password
any thoughts???
To do SMTP AUTH in the general case you should have:
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS',`LOGIN PLAIN')dnl
in your sendmail.mc and have "pwcheck_method:saslauthd" in /usr/lib/sasl2/Sendmail.conf. Also you'll need the saslauthd daemon running (chkconfig saslauthd on). You can start the daemon with '/sbin/service saslauthd start' without having to reboot.
Without knowing what's currently enabled in sendmail.mc, what's in /etc/mail/access, and where your client is in relation to the Sendmail server it is hard to say why it relayed mail.
ASKER
j--
to keep with the scope of this forum I will close this q. and start a new one
"FC sendmail will not send mail"
it will be cleaner that way
Thanks for help so far
If it's behind NAT, then you need to enable port-forwarding on the NAT.