
OT: No route to host

  • email builder
    Message 1 of 14 , Sep 1, 2006
      Hi,

      TIA to anyone who can assist with a problem that is quite off topic. I have
      a fedora core 5 system dumped in my lap that is built on a virtual machine
      inside of a windows O/S. Yuck. Problem is that there is a certain amount of
      connectivity out of the linux O/S, because wget works for almost anything, a
      browser loaded up in X windows works fine, DNS queries work just fine, but
      postfix (and as I learned subsequently, just regular telnet) cannot connect
      to most any host, complaining "no route to host". I'm not sure how to figure
      this one out, especially since only some types of connections fail. Is this
      purely outgoing port filtering on the local network firewall?? I have the
      same results with and without the firewall on the fedora system (but there is
      still a physical home router type firewall between this and the rest of the
      world).

      # telnet slashdot.org
      Trying 66.35.250.150...
      telnet: connect to address 66.35.250.150: No route to host
      telnet: Unable to connect to remote host: No route to host

      Traceroute seems to find slashdot (although some of the other hosts I tried
      didn't get that far):

      # traceroute slashdot.org
      traceroute to slashdot.org (66.35.250.150), 30 hops max, 40 byte packets
      1 192.168.1.1 (192.168.1.1) 0.339 ms 1.067 ms 0.250 ms
      <cut to protect the innocent>
      10 dcr2-so-2-0-0.SanFranciscosfo.savvis.net (204.70.192.90) 154.895 ms
      156.522 ms 151.836 ms
      11 bhr1-pos-0-0.SantaClarasc8.savvis.net (208.172.156.198) 164.649 ms
      161.233 ms 164.077 ms
      12 csr1-ve243.santaclarasc8.savvis.net (66.35.194.50) 154.987 ms 152.728
      ms 151.281 ms
      13 66.35.212.174 (66.35.212.174) 172.265 ms 172.805 ms 154.023 ms
      14 slashdot.org (66.35.250.150)(H!) 172.454 ms (H!) 175.008 ms (H!)
      173.155 ms

      Ahhh, in fact I see that this does work:

      # telnet slashdot.org 80
      Trying 66.35.250.150...
      Connected to slashdot.org (66.35.250.150).
      Escape character is '^]'.

      So I guess it's just port filtering?? Yeeeah, that's my best guess.

      If I'm on the right track, is there anything I can do at all to bypass the
      filter without changing it (not currently under my jurisdiction)? It looks
      like port 465 gets through, etc, but this fedora box with postfix is trying
      to send out mails to other SMTP servers that are all listening on 25. My
      guess is that the only place to fix it is at the router here... but I'd love
      to hear different...

      Thx!

      __________________________________________________
      Do You Yahoo!?
      Tired of spam? Yahoo! Mail has the best spam protection around
      http://mail.yahoo.com
    • email builder
      Message 2 of 14 , Sep 1, 2006
        Spoke too soon in one regard:

        > TIA to anyone who can assist with a problem that is quite off topic. I
        > have
        > a fedora core 5 system dumped in my lap that is built on a virtual machine
        > inside of a windows O/S. Yuck. Problem is that there is a certain amount
        > of
        > connectivity out of the linux O/S, because wget works for almost anything,
        > a
        > browser loaded up in X windows works fine, DNS queries work just fine, but
        > postfix (and as I learned subsequently, just regular telnet) cannot connect
        > to most any host, complaining "no route to host". I'm not sure how to
        > figure
        > this one out, especially since only some types of connections fail. Is
        > this
        > purely outgoing port filtering on the local network firewall?? I have the
        > same results with and without the firewall on the fedora system (but there
        > is
        > still a physical home router type firewall between this and the rest of the
        > world).
        >
        > # telnet slashdot.org
        > Trying 66.35.250.150...
        > telnet: connect to address 66.35.250.150: No route to host
        > telnet: Unable to connect to remote host: No route to host
        >
        > Traceroute seems to find slashdot (although some of the other hosts I tried
        > didn't get that far):
        >
        > # traceroute slashdot.org
        > traceroute to slashdot.org (66.35.250.150), 30 hops max, 40 byte packets
        > 1 192.168.1.1 (192.168.1.1) 0.339 ms 1.067 ms 0.250 ms
        > <cut to protect the innocent>
        > 10 dcr2-so-2-0-0.SanFranciscosfo.savvis.net (204.70.192.90) 154.895 ms
        > 156.522 ms 151.836 ms
        > 11 bhr1-pos-0-0.SantaClarasc8.savvis.net (208.172.156.198) 164.649 ms
        > 161.233 ms 164.077 ms
        > 12 csr1-ve243.santaclarasc8.savvis.net (66.35.194.50) 154.987 ms
        > 152.728
        > ms 151.281 ms
        > 13 66.35.212.174 (66.35.212.174) 172.265 ms 172.805 ms 154.023 ms
        > 14 slashdot.org (66.35.250.150)(H!) 172.454 ms (H!) 175.008 ms (H!)
        > 173.155 ms
        >
        > Ahhh, in fact I see that this does work:
        >
        > # telnet slashdot.org 80
        > Trying 66.35.250.150...
        > Connected to slashdot.org (66.35.250.150).
        > Escape character is '^]'.
        >
        > So I guess it's just port filtering?? Yeeeah, that's my best guess.
        >
        > If I'm on the right track, is there anything I can do at all to bypass the
        > filter without changing it (not currently under my jurisdiction)? It looks
        > like port 465 gets through, etc, but this fedora box with postfix is trying

        25 seems to fail and 465 gets through from the HOST (windows) O/S, but in the
        Fedora system, BOTH ports fail with the same "no route to host" error. So
        that confuses me just a bit. Something to do with the bridged
        networking?....

        > to send out mails to other SMTP servers that are all listening on 25. My
        > guess is that the only place to fix it is at the router here... but I'd
        > love
        > to hear different...



      • Brian Collins
        Message 3 of 14 , Sep 1, 2006
          > > So I guess it's just port filtering?? Yeeeah, that's my best guess.
          > >
          > > If I'm on the right track, is there anything I can do at all to bypass
          > the
          > > filter without changing it (not currently under my jurisdiction)? It
          > looks
          > > like port 465 gets through, etc, but this fedora box with postfix is
          > trying
          >
          > 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in
          > the
          > Fedora system, BOTH ports fail with the same "no route to host" error. So
          > that confuses me just a bit. Something to do with the bridged
          > networking?....

          I'd recommend first looking at the host firewall, iptables. Do 'iptables -L
          -n' and see what ports/hosts are tagged for DROP/REJECT.

          Also, try the traceroute again, this time to one or more of the hosts that
          Postfix cannot reach.

          And since it's on a virtual machine, there may be other limitations here.
          I've never set up a VM inside Windows, so my expertise in that is nil.
          Whatever app set up the VM may have some "firewalling" in place, and Windows
          firewall may also come into play here. I can't help you there.

          --Brian
        • mouss
          Message 4 of 14 , Sep 2, 2006
            Brian Collins wrote:
            >> [snip]
            >>> like port 465 gets through, etc, but this fedora box with postfix is
            >>>
            >> trying
            >>
            >> 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in
            >> the
            >> Fedora system, BOTH ports fail with the same "no route to host" error. So
            >> that confuses me just a bit. Something to do with the bridged
            >> networking?....
            >>
            >
            > I'd recommend first looking at the host firewall, iptables. Do 'iptables -L
            > -n' and see what ports/hosts are tagged for DROP/REJECT.
            >
            >

            Other possibilities:
            - some sites silently drop smtp packets from "residential IPs" (DSL, ...)
            - some ISPs block outbound port 25.
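
The symptoms reported in this thread (port 80 connects, ports 25 and 465 fail with "No route to host", traceroute ends in H!) can be separated from a silent drop or a closed port by the error the connect call returns. The following is an added example, not code from the thread; `probe`, `classify` and `diagnose` are hypothetical helper names, and `GUEST_RESULTS` is transcribed from the telnet results the poster describes for the Fedora guest.

```python
import errno
import socket

# What the errno of a failed connect() says about the path (Linux semantics).
VERDICTS = {
    errno.ECONNREFUSED: "refused",      # TCP RST or ICMP port-unreachable
    errno.EHOSTUNREACH: "unreachable",  # ICMP host-unreachable/prohibited: "No route to host"
    errno.ENETUNREACH: "unreachable",   # ICMP net-unreachable, or no local route
    errno.ETIMEDOUT: "timeout",         # nothing came back at all
}


def classify(exc):
    """Turn the exception from a connect attempt (or None) into a verdict."""
    if exc is None:
        return "open"
    if isinstance(exc, socket.timeout):
        return "timeout"
    return VERDICTS.get(getattr(exc, "errno", None), "other")


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect and return the verdict for that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def diagnose(results):
    """Interpret per-port verdicts for ONE destination host.

    If any port answered (open or refused), the host is routable, so an
    'unreachable' or 'timeout' on another port is a per-port filter.
    """
    routable = any(v in ("open", "refused") for v in results.values())
    findings = {}
    for port, verdict in sorted(results.items()):
        if verdict == "open":
            findings[port] = "ok"
        elif verdict == "refused":
            findings[port] = "closed on target"
        elif verdict == "unreachable":
            findings[port] = ("filtered (ICMP reject)" if routable
                              else "no route or host-wide reject")
        elif verdict == "timeout":
            findings[port] = ("filtered (silent drop)" if routable
                              else "host down or all traffic dropped")
        else:
            findings[port] = "inconclusive"
    return findings


# Verdicts as described in the thread for the Fedora guest (not measured here).
GUEST_RESULTS = {80: "open", 25: "unreachable", 465: "unreachable"}

if __name__ == "__main__":
    # On the affected machine, build the dict with probe(host, port) instead.
    for port, finding in diagnose(GUEST_RESULTS).items():
        print(port, finding)
```

Running the same probes from the guest with its own firewall stopped, and again from the host, shows which hop generates the ICMP reply.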
          • email builder
            Message 5 of 14 , Sep 3, 2006
              > > > So I guess it's just port filtering?? Yeeeah, that's my best guess.
              > > >
              > > > If I'm on the right track, is there anything I can do at all to bypass
              > > the
              > > > filter without changing it (not currently under my jurisdiction)? It
              > > looks
              > > > like port 465 gets through, etc, but this fedora box with postfix is
              > > trying
              > >
              > > 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in
              > > the
              > > Fedora system, BOTH ports fail with the same "no route to host" error.
              > So
              > > that confuses me just a bit. Something to do with the bridged
              > > networking?....
              >
              > I'd recommend first looking at the host firewall, iptables. Do 'iptables
              > -L
              > -n' and see what ports/hosts are tagged for DROP/REJECT.

              As I noted, same problem when I turn off iptables (service iptables stop).

              > Also, try the traceroute again, this time to one or more of the hosts that
              > Postfix cannot reach.

              Good idea. I tried with gmail and get a full traceroute, but neither postfix
              nor the command line is able to get through:

              status=deferred (connect to alt1.gmail-smtp-in.l.google.com[64.233.185.27]:
              No route to host)

              # traceroute alt1.gmail-smtp-in.l.google.com
              traceroute to alt1.gmail-smtp-in.l.google.com (64.233.185.114), 30 hops max,
              40 byte packets
              1 192.168.1.1 (192.168.1.1) 0.000 ms 0.279 ms 0.202 ms
              <snip>
              10 * * *
              11 216.239.43.125 (216.239.43.125) 225.499 ms 221.527 ms 218.803 ms
              12 72.14.238.157 (72.14.238.157) 214.960 ms 72.14.232.147 (72.14.232.147)
              212.696 ms 209.425 ms
              13 72.14.238.198 (72.14.238.198) 208.795 ms 209.375 ms 72.14.238.194
              (72.14.238.194) 209.062 ms
              14 gsmtp185-2.google.com (64.233.185.114) 204.526 ms 203.651 ms 204.531
              ms
              # telnet alt1.gmail-smtp-in.l.google.com 25
              Trying 64.233.185.114...
              telnet: connect to address 64.233.185.114: No route to host
              Trying 64.233.185.27...
              telnet: connect to address 64.233.185.27: No route to host
              telnet: Unable to connect to remote host: No route to host

              I tried with servers that I control, and what it starts to look like is that
              the network here is blocking outgoing port 25 traffic, whereas I seem to get
              through on 465.

              So what I'd like to try is to make postfix either use 465 to send mail out
              (although not many SMTP servers will be listening on 465, will they?), or
              better yet, to create an SSH tunnel to another server I control that will let
              it use port 25. Is that possible? Anyone have any links where I can learn
              how to set that up and make postfix use it?

              Thx!!!



              > And since it's on a virtual machine, there may be other limitations here.
              > I've never set up a VM inside Windows, so my expertise in that is nil.
              > Whatever app set up the VM may have some "firewalling" in place, and
              > Windows
              > firewall may also come into play here. I can't help you there.
              >
              > --Brian
              >
              >
              >


            • email builder
              Message 6 of 14 , Sep 3, 2006
                --- mouss <usebsd@...> wrote:

                > Brian Collins wrote:
                > >> [snip]
                > >>> like port 465 gets through, etc, but this fedora box with postfix is
                > >>>
                > >> trying
                > >>
                > >> 25 seems to fail and 465 gets through from the HOST (windows) O/S, but
                > in
                > >> the
                > >> Fedora system, BOTH ports fail with the same "no route to host" error.
                > So
                > >> that confuses me just a bit. Something to do with the bridged
                > >> networking?....
                > >>
                > >
                > > I'd recommend first looking at the host firewall, iptables. Do 'iptables
                > -L
                > > -n' and see what ports/hosts are tagged for DROP/REJECT.
                > >
                > >
                >
                > Other possibilities:
                > - some sites silently drop smtp packets from "resedential IPs" (DSL, ...)
                > - some ISPs block outbound port 25.

                I think this is what is happening. I don't have control to have this fixed,
                so am wondering if I can make postfix use an SSH tunnel or something like
                that...?


              • /dev/rob0
                Message 7 of 14 , Sep 4, 2006
                  On Monday 04 September 2006 00:08, email builder wrote:
                  > So what I'd like to try is to make postfix either use 465 to send
                  > mail out (although not many SMTP servers will be listening on 465,

                  If they are, and if properly configured, they'll reject you unless
                  authenticated.

                  > will they?), or better yet, to create a SSH tunnel to another server
                  > I control that will let it use port 25. Is that possible? Anyone
                  > have any links where I can learn how to set that up and make postfix

                  At home I use openvpn to reach my relayhost. My ISP does not [yet?]
                  block outbound SMTP, but I know from experience how important it is to
                  block residential/end-user IP space, the land of zombies.

                  It's quite trivial to set up a point-to-point tunnel in openvpn using
                  static keys. Use the IP address of the remote peer as your relayhost.
                  --
                  Offlist mail to this address is discarded unless
                  "/dev/rob0" or "not-spam" is in Subject: header
                • Sandy Drobic
                  Message 8 of 14 , Sep 4, 2006
                    /dev/rob0 wrote:
                    > On Monday 04 September 2006 00:08, email builder wrote:
                    >> So what I'd like to try is to make postfix either use 465 to send
                    >> mail out (although not many SMTP servers will be listening on 465,
                    >
                    > If they are, and if properly configured, they'll reject you unless
                    > authenticated.

                    Why? 465 is the older SSL port, have you perhaps mistaken it for the
                    submission port 587?

                    >> will they?), or better yet, to create a SSH tunnel to another server
                    >> I control that will let it use port 25. Is that possible? Anyone
                    >> have any links where I can learn how to set that up and make postfix
                    >
                    > At home I use openvpn to reach my relayhost. My ISP does not [yet?]
                    > block outbound SMTP, but I know from experience how important it is to
                    > block residential/end-user IP space, the land of zombies.
                    >
                    > It's quite trivial to set up a point-to-point tunnel in openvpn using
                    > static keys. Use the IP address of the remote peer as your relayhost.

                    I agree, a tunnel is the most robust way to route the traffic to the
                    remote host.

                    Sandy

                    --
                    List replies only please!
                    Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
                  • /dev/rob0
                    Message 9 of 14 , Sep 4, 2006
                      On Monday 04 September 2006 11:17, Sandy Drobic wrote:
                      > >> So what I'd like to try is to make postfix either use 465 to send
                      > >> mail out (although not many SMTP servers will be listening on 465,
                      > >
                      > > If they are, and if properly configured, they'll reject you unless
                      > > authenticated.
                      >
                      > Why? 465 is the older SSL port, have you perhaps mistaken it for
                      > the submission port 587?

                      No, I know what SMTPS is, and yes, it should be configured like a
                      submission port. At least mine are.

                      ### NOTE !!!! "submission" is a symlink to the smtpd(8) binary.
                      submission inet n - n - - submission
                        -o smtpd_etrn_restrictions=reject
                        -o smtpd_delay_reject=no
                        -o smtpd_client_restrictions=
                        -o smtpd_recipient_restrictions=class_relay,reject
                      ## "class_relay" is a restriction class: permit_mynetworks,
                      ## permit_sasl_authenticated
                      ### NOTE !!!! "smtps" is a symlink to the smtpd(8) binary.
                      smtps inet n - n - - smtps
                        -o smtpd_tls_wrappermode=yes
                        -o smtpd_etrn_restrictions=reject
                        -o smtpd_delay_reject=no
                        -o smtpd_client_restrictions=
                        -o smtpd_recipient_restrictions=class_relay,reject

                      FWIW, I found that the "-o smtpd_delay_reject=no" didn't work. I had to
                      unset smtpd_client_restrictions, because my main.cf has a greet pause
                      in smtpd_client_restrictions (and "smtpd_delay_reject=yes").
                      --
                      Offlist mail to this address is discarded unless
                      "/dev/rob0" or "not-spam" is in Subject: header
                    • Sandy Drobic
                      Message 10 of 14 , Sep 4, 2006
                        /dev/rob0 wrote:
                        > On Monday 04 September 2006 11:17, Sandy Drobic wrote:
                        >>>> So what I'd like to try is to make postfix either use 465 to send
                        >>>> mail out (although not many SMTP servers will be listening on 465,
                        >>> If they are, and if properly configured, they'll reject you unless
                        >>> authenticated.
                        >> Why? 465 is the older SSL port, have you perhaps mistaken it for
                        >> the submission port 587?
                        >
                        > No, I know what SMTPS is, and yes, it should be configured like a
                        > submission port. At least mine are.

                        That was the point I was trying to point at. This is your configuration,
                        but it is not necessarily the usual requirement.

                        You might as well say TLS encryption is only meant for authenticated
                        users. While it makes sense to encrypt any email submission with plain
                        text authentication, TLS was also meant for unauthenticated mail
                        submission. There is not much difference between TLS and SSL, so why offer
                        SSL only for authenticated users?

                        > ### NOTE !!!! "submission" is a symlink to the smtpd(8) binary.
                        > submission inet n - n - - submission
                        > -o smtpd_etrn_restrictions=reject
                        > -o smtpd_delay_reject=no
                        > -o smtpd_client_restrictions=
                        > -o smtpd_recipient_restrictions=class_relay,reject
                        > ## "class_relay" is a restriction class: permit_mynetworks,
                        > ## permit_sasl_authenticated
                        > ### NOTE !!!! "smtps" is a symlink to the smtpd(8) binary.
                        > smtps inet n - n - - smtps
                        > -o smtpd_tls_wrappermode=yes
                        > -o smtpd_etrn_restrictions=reject
                        > -o smtpd_delay_reject=no
                        > -o smtpd_client_restrictions=
                        > -o smtpd_recipient_restrictions=class_relay,reject

                        I was just trying to find what the basic master.cf from the default
                        installation contains, but I don't seem to have a copy of it. My
                        configuration is also modified (sasl_authentication), so I don't know
                        exactly what I added/deleted and what was set as default.

                        Sandy
                        --
                        List replies only please!
                        Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
                      • /dev/rob0
                        Message 11 of 14 , Sep 4, 2006
                          On Monday 04 September 2006 12:11, Sandy Drobic wrote:
                          > >> Why? 465 is the older SSL port, have you perhaps mistaken it for
                          > >> the submission port 587?
                          > >
                          > > No, I know what SMTPS is, and yes, it should be configured like a
                          > > submission port. At least mine are.
                          >
                          > That was the point I was trying to point at. This is your
                          > configuration, but it is not neccessarily the usual requirement.
                          >
                          > You might as well say TLS encryption is only meant for authenticated
                          > users. While it makes sense to encrypt any email submission with
                          > plain text authentication, TLS was also meant for unauthenticated
                          > mail submission. There is not much difference between TLS and SSL, so
                          > why offer SSL only for authenticated users?

                          It wouldn't matter because TTBOMK (I hope someone will correct me if
                          wrong) no MTA will use any port other than 25 for mail exchange with
                          other hosts, unless of course overridden by a non-default transport(5)
                          (or equivalent). SMTPS was only intended for submission.

                          > I was just trying to find what the basic master.cf from the default
                          > installation contains, but I don't seem to have a copy of it. My

                          Checking my source/conf/master.cf :

                          #submission inet n - n - - smtpd
                          #  -o smtpd_enforce_tls=yes
                          #  -o smtpd_sasl_auth_enable=yes
                          #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                          #smtps inet n - n - - smtpd
                          #  -o smtpd_tls_wrappermode=yes
                          #  -o smtpd_sasl_auth_enable=yes
                          #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                          Mine has smtpd_sasl_auth_enable=yes already set, and I think my
                          "smtpd_tls_auth_only = yes" negates the need for "smtpd_enforce_tls =
                          yes". (I don't care about forcing $mynetworks to use TLS.)
                          --
                          Offlist mail to this address is discarded unless
                          "/dev/rob0" or "not-spam" is in Subject: header
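
The position taken in this exchange, that an smtps or submission listener should reject clients that are not authenticated, can be checked mechanically against a master.cf. The following is an added example, not code from the thread or from Postfix; `SAMPLE_MASTER_CF` is constructed (192.0.2.10 is a documentation address), and the `classes` argument is a hypothetical way to supply restriction classes such as `class_relay`, which are defined in main.cf and not visible in master.cf.

```python
import re

SUBMISSION_PORTS = {"submission", "smtps", "587", "465"}
RESTRICTION_KEYS = (
    "smtpd_client_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_relay_restrictions",
)


def parse_master_cf(text):
    """Return {service: {"type": ..., "opts": {name: value}}}.

    Lines whose first non-blank character is '#' are comments; a line that
    starts with whitespace continues the previous service entry.
    """
    services, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if line[0].isspace():
            if current is not None:
                current["args"] += stripped.split()
            continue
        fields = stripped.split()
        if len(fields) < 8:          # not a complete service entry
            current = None
            continue
        current = {"type": fields[1], "args": fields[8:]}
        services[fields[0]] = current
    for svc in services.values():
        args = svc.pop("args")
        svc["opts"] = {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                key, _, val = value.partition("=")
                svc["opts"][key] = val
    return services


def expand(value, classes):
    """Split a restriction list, replacing restriction-class names."""
    items = []
    for item in re.split(r"[,\s]+", value.strip()):
        if item in classes:
            items += expand(classes[item], classes)
        elif item:
            items.append(item)
    return items


def audit(text, classes=None):
    """Flag submission/smtps listeners whose -o overrides do not end in
    'reject' after permit_sasl_authenticated. Only master.cf overrides are
    examined; values inherited from main.cf are not."""
    classes = classes or {}
    findings = {}
    for name, svc in parse_master_cf(text).items():
        port = name.rsplit(":", 1)[-1]
        if svc["type"] != "inet" or port not in SUBMISSION_PORTS:
            continue
        restricted = False
        for key in RESTRICTION_KEYS:
            items = expand(svc["opts"].get(key, ""), classes)
            if (items and items[-1] == "reject"
                    and "permit_sasl_authenticated" in items
                    and "permit" not in items):
                restricted = True
        findings[name] = "restricted" if restricted else "not restricted in master.cf"
    return findings


# Constructed sample: two entries in the style quoted above, one bare listener.
SAMPLE_MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=class_relay,reject
192.0.2.10:465 inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
"""
SAMPLE_CLASSES = {"class_relay": "permit_mynetworks, permit_sasl_authenticated"}

if __name__ == "__main__":
    for service, finding in audit(SAMPLE_MASTER_CF, SAMPLE_CLASSES).items():
        print(service, finding)
```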
                        • /dev/rob0
                          Message 12 of 14 , Sep 4, 2006
                            On Monday 04 September 2006 12:31, I wrote:
                            > On Monday 04 September 2006 12:11, Sandy Drobic wrote:
                            > > You might as well say TLS encryption is only meant for
                            > > authenticated users. While it makes sense to encrypt any email
                            > > submission with plain text authentication, TLS was also meant for
                            > > unauthenticated mail submission. There is not much difference
                            > > between TLS and SSL, so why offer SSL only for authenticated users?

                            I meant to mention that any TLS-capable MTA can use STARTTLS on 25.
                            --
                            Offlist mail to this address is discarded unless
                            "/dev/rob0" or "not-spam" is in Subject: header
                          • Sandy Drobic
                            Message 13 of 14 , Sep 4, 2006
                              /dev/rob0 wrote:
                              > On Monday 04 September 2006 12:11, Sandy Drobic wrote:
                              >>>> Why? 465 is the older SSL port, have you perhaps mistaken it for
                              >>>> the submission port 587?
                              >>> No, I know what SMTPS is, and yes, it should be configured like a
                              >>> submission port. At least mine are.
                              >> That was the point I was trying to point at. This is your
                              >> configuration, but it is not neccessarily the usual requirement.
                              >>
                              >> You might as well say TLS encryption is only meant for authenticated
                              >> users. While it makes sense to encrypt any email submission with
                              >> plain text authentication, TLS was also meant for unauthenticated
                              >> mail submission. There is not much difference between TLS and SSL, so
                              >> why offer SSL only for authenticated users?
                              >
                              > It wouldn't matter because TTBOMK (I hope someone will correct me if
                              > wrong) no MTA will use any port other than 25 for mail exchange with
                              > other hosts, unless of course overridden by a non-default transport(5)
                              > (or equivalent). SMTPS was only intended for submission.

                              That is a good point.

                              I wouldn't put my hand into the fire for it, but I believe Lotus Domino
                              did route to port 465 in the older versions that didn't support STARTTLS.
                              While googling, I found the RFC 2487 where STARTTLS was apparently
                              introduced in 1999. I haven't found anything for smtps, but I believe it is a
                              bit older and was used before STARTTLS.

                              >> I was just trying to find what the basic master.cf from the default
                              >> installation contains, but I don't seem to have a copy of it. My
                              >
                              > Checking my source/conf/master.cf :
                              >
                              > #submission inet n - n - - smtpd
                              > # -o smtpd_enforce_tls=yes
                              > # -o smtpd_sasl_auth_enable=yes
                              > # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                              > #smtps inet n - n - - smtpd
                              > # -o smtpd_tls_wrappermode=yes
                              > # -o smtpd_sasl_auth_enable=yes
                              > # -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                              Ah, very good, I should have thought about looking into the source myself.
                              (^-^)

                              Okay, I think I can agree to your point of view, at least for present
                              usage of smtps. The missing routing default for port 465 does make it
                              unusable for automatic mail routing.

                              Can a veteran shed some light about the history of SMTPS and STARTTLS? I
                              haven't found anything really useful with Google.

                              Sandy
                              --
                              List replies only please!
                              Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
                            • email builder
                              Message 14 of 14 , Sep 8, 2006
                                --- /dev/rob0 <rob0@...> wrote:

                                > On Monday 04 September 2006 00:08, email builder wrote:
                                > > So what I'd like to try is to make postfix either use 465 to send
                                > > mail out (although not many SMTP servers will be listening on 465,
                                >
                                > If they are, and if properly configured, they'll reject you unless
                                > authenticated.

                                Ah, right, of course. Duh.

                                > > will they?), or better yet, to create a SSH tunnel to another server
                                > > I control that will let it use port 25. Is that possible? Anyone
                                > > have any links where I can learn how to set that up and make postfix
                                >
                                > At home I use openvpn to reach my relayhost. My ISP does not [yet?]
                                > block outbound SMTP, but I know from experience how important it is to
                                > block residential/end-user IP space, the land of zombies.
                                >
                                > It's quite trivial to set up a point-to-point tunnel in openvpn using
                                > static keys. Use the IP address of the remote peer as your relayhost.

                                Perfect. The tip is much appreciated!

