Monday, January 31, 2022

Re: Networking error or bad System configuration.

> On 31.01.2022 at 23:38, latincom@vcn.bc.ca wrote:
>
>> Some things to consider:
>>
>> - Have you established whether the IPs configured inside your host are
>> actually reachable from the outside? (And whether they reach your host and
>> not something else?)
>> You could check this using SSH which you say is working. Can you connect
>> using both IPv4 and IPv6?
>
> Thank you Mike:
> The server works well with ipv4, both ssh and console.

Console access is nice to have but probably irrelevant for solving your network issues. Have you tried SSH via IPv6 like I suggested?


> What I saw is that, in hours, the ipv6 changed and became unavailable; but
> now I can reach the server ipv4 ipv6. the old server.

Huh? That does not make any sense.


> At this point I decided to destroy this server and configure it from the
> beginning, because my mail was rejected, the cause being that mail was passing
> through a different server, so that no one was able to do and get
> rdns.
>
> The other reason to destroy it, is that ssh connection was intermittent;
> impossible to work on it!

That sounds seriously messed up.


>> - Are you using pf(4) in any non-default setup?
>
> No
>
>>
>> - According to their website Vultr has a firewall which you can configure.
>> Have you allowed incoming traffic to your services?
>
> No, I prefer pf

If I understood the Vultr website correctly you don't get a choice. You get the Vultr Firewall and you can additionally use pf(4) if you want.

Of course you could configure the Vultr Firewall to be mostly transparent (except for things they always block), but apparently you have not done that.


>> - According to their website Vultr allows you to configure the reverse DNS
>> entries for your host. Currently your cited IPs seem to have only default
>> reverse entries.
>
> What do you mean "default entries"? I configure it myself, adding dkim,
> and dmarc entries.

$ dig +short -x 8.9.36.198
198.36.9.8.in-addr.arpa.
$ dig +short -x 2001:19f0:5:f8c:5400:3ff:fea5:c615
c.8.f.0.5.0.0.0.0.f.9.1.1.0.0.2.ip6.arpa.
$

I would have expected the answer to be "agroena.org." in both cases.

If you did configure reverse DNS for these IPs it didn't work.


>> - According to their website Vultr blocks port 25 traffic. You will need
>> to ask them to allow this for your mail server.
>
> Yes, they open port 25 for me.

Ok. But no one is listening on the port as evidenced by the nmap scans.


>> - You seem to indicate that resolving DNS is not working correctly? You
>> need to get that fixed.
>
> Yes, I have not touched DNS, I only reinstalled the server, because this is
> a testing server and I would like to know if there really was MiM or
> something else.

Did you test DNS resolution on the host? Without working DNS resolution you might as well give up now as your services will require that to work.


> Oh man, this is the new server, where I am going to have only Opensmtp
> and Dovecot, to define why the web testers say that e-mails are coming from
> a server without rdns. For now, nothing is installed and configured.
> Thanks so much for trying nmap.

Forget about your services for now. You need to get the basic network setup working first.

I already gave you my recommendations. You don't have to follow them of course but then I have nothing else to help you with.


Good luck!
Mike


>> - I did a quick nmap scan of your host:
>> $ nmap agroena.org
>> Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-31 13:13 CET
>> Nmap scan report for agroena.org (8.9.36.198)
>> Host is up (0.11s latency).
>> Other addresses for agroena.org (not scanned):
>> 2001:19f0:5:f8c:5400:3ff:fea5:c615
>> rDNS record for 8.9.36.198: 198.36.9.8.in-addr.arpa
>> Not shown: 995 closed ports
>> PORT STATE SERVICE
>> 22/tcp open ssh
>> 135/tcp filtered msrpc
>> 139/tcp filtered netbios-ssn
>> 445/tcp filtered microsoft-ds
>> 1688/tcp filtered nsjtp-data
>>
>> Nmap done: 1 IP address (1 host up) scanned in 16.34 seconds
>> $ nmap -6 agroena.org
>> Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-31 13:13 CET
>> Nmap scan report for agroena.org (2001:19f0:5:f8c:5400:3ff:fea5:c615)
>> Host is up (0.100s latency).
>> Other addresses for agroena.org (not scanned): 8.9.36.198
>> rDNS record for 2001:19f0:5:f8c:5400:3ff:fea5:c615: c.8.f.0.5.0.0.0.0.f.9.1.1.0.0.2.ip6.arpa
>> Not shown: 996 closed ports
>> PORT STATE SERVICE
>> 22/tcp open ssh
>> 139/tcp filtered netbios-ssn
>> 445/tcp filtered microsoft-ds
>> 1688/tcp filtered nsjtp-data
>>
>> Nmap done: 1 IP address (1 host up) scanned in 17.26 seconds
>> $
>>
>> That does not show a working mail server (or web/ftp server). In fact only
>> SSH seems to be working. And it shows that reverse DNS is not set up other
>> than a default entry.
>>
>>
>> Things that may help others evaluate whether your host is configured
>> correctly w.r.t. network settings:
>> $ cat /etc/hostname.*
>> $ cat /etc/resolv.conf
>> $ ifconfig -a
>> # netstat -an|grep LISTEN
>> $ ping dns.google.com
>> $ ping6 dns.google.com
>> # rcctl ls started
>> # cat /etc/pf.conf (if you have modified the pf(4) configuration)
>>
>> But: Even if your host is perfectly configured, if the Vultr setup
>> prevents packets from moving to or from your host it will not work.
>>
>>
>> HTH
>> Mike
>
> I really appreciate your recommendations and information Mike.
> Thanks so much.
>
>>
>>
>>> On 30.01.2022 at 15:17, latincom@vcn.bc.ca wrote:
>>>
>>> Openbsd 7.0 at Vultr:
>>>
>>> I have a new server at Vultr, everything was working correctly; except
>>> mail rdns; e-mails were rejected by receiver.
>>>
>>> The problem began because the IPv6 assigned was wrong; ifconfig gave me a
>>> different IP at the beginning and they did the change.
>>>
>>> They changed the IPv6 to original and I configured the server with httpd,
>>> smtpd, dovecot, dkimsign, icecast and ftp correctly; all of them were
>>> working.
>>>
>>> They are insisting that the error is in the configuration system, and I
>>> think that the error is because the IPs pass through another Vultr server
>>> that is not configured for rdns.
>>>
>>> Please, how might I discover an error in the system or configuration? How
>>> to identify it? And of course, how to repair it if it is in my hands?
>>>
>>> # ifconfig vio0
>>> vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>> lladdr 56:00:03:a5:c6:15
>>> index 1 priority 0 llprio 3
>>> groups: egress
>>> media: Ethernet autoselect
>>> status: active
>>> inet 8.9.36.198 netmask 0xffffff00 broadcast 8.9.36.255
>>> inet6 fe80::5400:3ff:fea5:c615%vio0 prefixlen 64 scopeid 0x1
>>> inet6 2001:19f0:5:f8c:5400:3ff:fea5:c615 prefixlen 64
>>>
>>> # host agroena.org
>>> ;; connection timed out; no servers could be reached
>>>
>>>
>>>
>>> # ping6 2001:19f0:5:f8c:5400:3ff:fea5:c615
>>> PING 2001:19f0:5:f8c:5400:3ff:fea5:c615 (2001:19f0:5:f8c:5400:3ff:fea5:c615): 56 data bytes
>>> 64 bytes from 2001:19f0:5:f8c:5400:3ff:fea5:c615: icmp_seq=0 hlim=64 time=0.182 ms
>>> 64 bytes from 2001:19f0:5:f8c:5400:3ff:fea5:c615: icmp_seq=1 hlim=64 time=0.082 ms
>>>
>>> # dig agroena.org
>>>
>>> ; <<>> dig 9.10.8-P1 <<>> agroena.org
>>> ;; global options: +cmd
>>> ;; connection timed out; no servers could be reached
>>>
>>> # ping agroena.org
>>> PING agroena.org (8.9.36.198): 56 data bytes
>>> 64 bytes from 8.9.36.198: icmp_seq=0 ttl=255 time=0.108 ms
>>> 64 bytes from 8.9.36.198: icmp_seq=1 ttl=255 time=0.054 ms
>>> 64 bytes from 8.9.36.198: icmp_seq=2 ttl=255 time=0.056 ms
>>>
>>> I have no idea what files I should show you.
>>>
>>> Thanks for your attention.
>>>
>>> PS:
>>> Actually I can access the server using ssh and console.
>>>
>>>
>>
>
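
Added example, not part of the original mail: the reverse DNS check that the dig -x commands in the reply perform, written as a forward-confirmed reverse DNS (FCrDNS) test of the kind receiving mail servers apply. The status labels and the lookup callables are assumptions made for this sketch; the PTR answers and addresses are the ones quoted in the thread, and the "fixed" table is constructed.

```python
import ipaddress

def ptr_query_name(ip):
    """Name that `dig -x <ip>` queries for a PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer

def is_placeholder(ptr):
    """A PTR target inside the reverse tree names no real host."""
    return ptr.endswith((".in-addr.arpa", ".ip6.arpa"))

def check_fcrdns(ip, expected_host, ptr_lookup, addr_lookup):
    """Forward-confirmed reverse DNS: IP -> PTR -> A/AAAA -> same IP."""
    addr = ipaddress.ip_address(ip)
    want = expected_host.rstrip(".").lower()
    ptrs = [p.rstrip(".").lower() for p in ptr_lookup(ptr_query_name(ip))]
    if not ptrs:
        return "no-ptr"
    if all(is_placeholder(p) for p in ptrs):
        return "placeholder-ptr"
    if want not in ptrs:
        return "ptr-mismatch"
    forward = {ipaddress.ip_address(a) for a in addr_lookup(want)}
    return "ok" if addr in forward else "forward-mismatch"

V4 = "8.9.36.198"
V6 = "2001:19f0:5:f8c:5400:3ff:fea5:c615"

# PTR answers as shown by the dig -x output in the message above.
OBSERVED_PTR = {
    ptr_query_name(V4): ["198.36.9.8.in-addr.arpa."],
    ptr_query_name(V6): ["c.8.f.0.5.0.0.0.0.f.9.1.1.0.0.2.ip6.arpa."],
}
# Constructed: the state once both PTR records return the expected name.
FIXED_PTR = {name: ["agroena.org."] for name in OBSERVED_PTR}
# Forward addresses as listed in the nmap output above.
FORWARD = {"agroena.org": [V4, V6]}

def run(ptr_table):
    """Check both addresses against a table of PTR answers."""
    return {ip: check_fcrdns(ip, "agroena.org.",
                             lambda n: ptr_table.get(n, []),
                             lambda h: FORWARD.get(h, []))
            for ip in (V4, V6)}

if __name__ == "__main__":
    print("observed:", run(OBSERVED_PTR))
    print("fixed:   ", run(FIXED_PTR))
```

For a live check, the two lookup callables would be replaced by real PTR and A/AAAA queries run from outside the provider's network.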
