
Re: OT: No route to host

  • email builder
    Message 1 of 14, Sep 1, 2006
      Spoke too soon in one regard:

      > TIA to anyone who can assist with a problem that is quite off topic. I have
      > a fedora core 5 system dumped in my lap that is built on a virtual machine
      > inside of a windows O/S. Yuck. Problem is that there is a certain amount of
      > connectivity out of the linux O/S, because wget works for almost anything, a
      > browser loaded up in X windows works fine, DNS queries work just fine, but
      > postfix (and as I learned subsequently, just regular telnet) cannot connect
      > to most any host, complaining "no route to host". I'm not sure how to figure
      > this one out, especially since only some types of connections fail. Is this
      > purely outgoing port filtering on the local network firewall?? I have the
      > same results with and without the firewall on the fedora system (but there is
      > still a physical home router type firewall between this and the rest of the
      > world).
      >
      > # telnet slashdot.org
      > Trying 66.35.250.150...
      > telnet: connect to address 66.35.250.150: No route to host
      > telnet: Unable to connect to remote host: No route to host
      >
      > Traceroute seems to find slashdot (although some of the other hosts I tried
      > didn't get that far):
      >
      > # traceroute slashdot.org
      > traceroute to slashdot.org (66.35.250.150), 30 hops max, 40 byte packets
      > 1 192.168.1.1 (192.168.1.1) 0.339 ms 1.067 ms 0.250 ms
      > <cut to protect the innocent>
      > 10 dcr2-so-2-0-0.SanFranciscosfo.savvis.net (204.70.192.90) 154.895 ms 156.522 ms 151.836 ms
      > 11 bhr1-pos-0-0.SantaClarasc8.savvis.net (208.172.156.198) 164.649 ms 161.233 ms 164.077 ms
      > 12 csr1-ve243.santaclarasc8.savvis.net (66.35.194.50) 154.987 ms 152.728 ms 151.281 ms
      > 13 66.35.212.174 (66.35.212.174) 172.265 ms 172.805 ms 154.023 ms
      > 14 slashdot.org (66.35.250.150)(H!) 172.454 ms (H!) 175.008 ms (H!) 173.155 ms
      >
      > Ahhh, in fact I see that this does work:
      >
      > # telnet slashdot.org 80
      > Trying 66.35.250.150...
      > Connected to slashdot.org (66.35.250.150).
      > Escape character is '^]'.
      >
      > So I guess it's just port filtering?? Yeeeah, that's my best guess.
      >
      > If I'm on the right track, is there anything I can do at all to bypass the
      > filter without changing it (not currently under my jurisdiction)? It looks
      > like port 465 gets through, etc, but this fedora box with postfix is trying

      25 seems to fail and 465 gets through from the HOST (windows) O/S, but in the
      Fedora system, BOTH ports fail with the same "no route to host" error. So
      that confuses me just a bit. Something to do with the bridged
      networking?....

      > to send out mails to other SMTP servers that are all listening on 25. My
      > guess is that the only place to fix it is at the router here... but I'd love
      > to hear different...



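Added note and helper, not written by anyone in this thread. The error text matters: "No route to host" is errno EHOSTUNREACH, which the kernel reports on a TCP connect when an ICMP host-unreachable comes back (traceroute marks such a hop with !H, shown as (H!) on hop 14 of the slashdot trace above) or when a local iptables REJECT rule uses --reject-with icmp-host-unreachable. A filter that silently DROPs gives a timeout instead, and "Connection refused" means the host answered and nothing listens. The script below does the telnet-by-hand comparison (25 vs 465 vs 80 against one host) and names the failure mode for each port; the host names and port list in the usage comment are placeholders for whatever you are testing.

```shell
#!/bin/sh
# classify_connect RC ERRTEXT -> one of: open timeout unreachable refused other
#   open         connect() succeeded (like "telnet slashdot.org 80" above)
#   timeout      nothing came back: a silent DROP somewhere on the path
#   unreachable  EHOSTUNREACH "No route to host": an ICMP host-unreachable was
#                received (traceroute !H), from a router on the path or from a
#                local iptables REJECT --reject-with icmp-host-unreachable
#   refused      ECONNREFUSED: the host answered, nothing listens on that port
#   other        anything else (name lookup failure, network unreachable, ...)
classify_connect() {
  local rc=$1 err=$2
  if [ "$rc" -eq 0 ]; then echo open; return; fi
  if [ "$rc" -eq 124 ]; then echo timeout; return; fi   # exit status of timeout(1)
  case "$err" in
    *"No route to host"*)   echo unreachable ;;
    *"Connection refused"*) echo refused ;;
    *)                      echo other ;;
  esac
}

# probe_port HOST PORT [SECONDS]: one connect attempt through bash's /dev/tcp
# redirection (no telnet or nc needed), bounded by timeout(1) from coreutils.
probe_port() {
  local host=$1 port=$2 secs=${3:-5} err rc
  rc=0
  err=$(timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1) || rc=$?
  classify_connect "$rc" "$err"
}

# compare_ports HOST PORT...: one line per port. Run it on the VM and on the
# Windows host against the same target; where the answers start to differ is
# where the filter sits (VM/bridge, local firewall, router, or ISP).
compare_ports() {
  local host=$1 port
  shift
  for port in "$@"; do
    printf '%-36s %5s  %s\n' "$host" "$port" "$(probe_port "$host" "$port")"
  done
}

# Usage (needs network, not run here):
#   compare_ports alt1.gmail-smtp-in.l.google.com 25 465 587 80
```

A line reading "unreachable" on 25 next to "open" on 80 for the same host is a filter answering with ICMP, not a missing route; "timeout" on 25 would point at a silent drop instead.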
    • Brian Collins
      Message 2 of 14, Sep 1, 2006
        > > So I guess it's just port filtering?? Yeeeah, that's my best guess.
        > >
        > > If I'm on the right track, is there anything I can do at all to bypass the
        > > filter without changing it (not currently under my jurisdiction)? It looks
        > > like port 465 gets through, etc, but this fedora box with postfix is trying
        >
        > 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in the
        > Fedora system, BOTH ports fail with the same "no route to host" error. So
        > that confuses me just a bit. Something to do with the bridged
        > networking?....

        I'd recommend first looking at the host firewall, iptables. Do 'iptables -L
        -n' and see what ports/hosts are tagged for DROP/REJECT.

        Also, try the traceroute again, this time to one or more of the hosts that
        Postfix cannot reach.

        And since it's on a virtual machine, there may be other limitations here.
        I've never set up a VM inside Windows, so my expertise in that is nil.
        Whatever app set up the VM may have some "firewalling" in place, and Windows
        firewall may also come into play here. I can't help you there.

        --Brian
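Added example, not Brian's or anyone else's code from this thread: a filter over `iptables -L -n` output that lists only the DROP/REJECT rules able to affect a given TCP port, so the check Brian suggests does not depend on eyeballing a long listing. The listing embedded below is constructed for the example (it is not the poster's firewall); the interesting rule in it is a REJECT with icmp-host-unreachable, which is exactly the local rule that would produce "No route to host". The poster later reports the same failure with iptables stopped, so on this machine the check serves to rule the local firewall out rather than in.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -n` output (not from the poster's box).
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 reject-with icmp-host-unreachable
DROP       tcp  --  0.0.0.0/0            10.0.0.0/8           tcp dpt:587'

# find_port_blocks PORT < listing
# Prints "CHAIN TARGET DESTINATION MATCH..." for every DROP/REJECT rule that
# can hit TCP PORT: an exact dpt:PORT, a dpts:A:B range containing it, or a
# tcp/all rule with no port match at all (which blocks every port).
find_port_blocks() {
  awk -v port="$1" '
    /^Chain / { chain = $2; next }
    $1 == "target" { next }          # column header line
    NF == 0 { next }
    $1 != "DROP" && $1 != "REJECT" { next }
    {
      hit = 0
      if (match($0, /dpt:[0-9]+/)) {
        p = substr($0, RSTART + 4, RLENGTH - 4) + 0
        hit = (p == port)
      } else if (match($0, /dpts:[0-9]+:[0-9]+/)) {
        split(substr($0, RSTART + 5, RLENGTH - 5), r, ":")
        hit = (r[1] + 0 <= port && port <= r[2] + 0)
      } else if ($2 == "tcp" || $2 == "all") {
        hit = 1                      # no port match: blocks this port too
      }
      if (hit) {
        extra = ""
        for (i = 6; i <= NF; i++) extra = extra (i > 6 ? " " : "") $i
        print chain, $1, $5, extra
      }
    }'
}

# count_port_blocks PORT < listing: number of rules find_port_blocks reports
count_port_blocks() { find_port_blocks "$1" | wc -l | tr -d ' '; }

# Usage on a live box (as root):   iptables -L -n | find_port_blocks 25
# Usage on the sample:             printf '%s\n' "$SAMPLE_IPTABLES" | find_port_blocks 25
# An OUTPUT-chain REJECT with icmp-host-unreachable on 25 is the one local
# rule that reproduces the poster's error text exactly; a DROP would show up
# as a connect timeout instead.
```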
      • mouss
        Message 3 of 14, Sep 2, 2006
          Brian Collins wrote:
          >> [snip]
          >>> like port 465 gets through, etc, but this fedora box with postfix is trying
          >>
          >> 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in the
          >> Fedora system, BOTH ports fail with the same "no route to host" error. So
          >> that confuses me just a bit. Something to do with the bridged
          >> networking?....
          >
          > I'd recommend first looking at the host firewall, iptables. Do 'iptables -L -n'
          > and see what ports/hosts are tagged for DROP/REJECT.

          Other possibilities:
          - some sites silently drop smtp packets from "residential IPs" (DSL, ...)
          - some ISPs block outbound port 25.
        • email builder
          Message 4 of 14, Sep 3, 2006
            > > > So I guess it's just port filtering?? Yeeeah, that's my best guess.
            > > >
            > > > If I'm on the right track, is there anything I can do at all to bypass the
            > > > filter without changing it (not currently under my jurisdiction)? It looks
            > > > like port 465 gets through, etc, but this fedora box with postfix is trying
            > >
            > > 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in the
            > > Fedora system, BOTH ports fail with the same "no route to host" error. So
            > > that confuses me just a bit. Something to do with the bridged
            > > networking?....
            >
            > I'd recommend first looking at the host firewall, iptables. Do 'iptables -L -n'
            > and see what ports/hosts are tagged for DROP/REJECT.

            As I noted, same problem when I turn off iptables (service iptables stop).

            > Also, try the traceroute again, this time to one or more of the hosts that
            > Postfix cannot reach.

            Good idea. I tried with gmail and get a full traceroute, but neither postfix nor
            the command line is able to get through:

            status=deferred (connect to alt1.gmail-smtp-in.l.google.com[64.233.185.27]:
            No route to host)

            # traceroute alt1.gmail-smtp-in.l.google.com
            traceroute to alt1.gmail-smtp-in.l.google.com (64.233.185.114), 30 hops max, 40 byte packets
            1 192.168.1.1 (192.168.1.1) 0.000 ms 0.279 ms 0.202 ms
            <snip>
            10 * * *
            11 216.239.43.125 (216.239.43.125) 225.499 ms 221.527 ms 218.803 ms
            12 72.14.238.157 (72.14.238.157) 214.960 ms 72.14.232.147 (72.14.232.147) 212.696 ms 209.425 ms
            13 72.14.238.198 (72.14.238.198) 208.795 ms 209.375 ms 72.14.238.194 (72.14.238.194) 209.062 ms
            14 gsmtp185-2.google.com (64.233.185.114) 204.526 ms 203.651 ms 204.531 ms
            # telnet alt1.gmail-smtp-in.l.google.com 25
            Trying 64.233.185.114...
            telnet: connect to address 64.233.185.114: No route to host
            Trying 64.233.185.27...
            telnet: connect to address 64.233.185.27: No route to host
            telnet: Unable to connect to remote host: No route to host

            I tried with servers that I control, and what it starts to look like is that
            the network here is blocking outgoing port 25 traffic, whereas I seem to get
            through on 465.

            So what I'd like to try is to make postfix either use 465 to send mail out
            (although not many SMTP servers will be listening on 465, will they?), or
            better yet, to create a SSH tunnel to another server I control that will let
            it use port 25. Is that possible? Anyone have any links where I can learn
            how to set that up and make postfix use it?

            Thx!!!



            > And since it's on a virtual machine, there may be other limitations here.
            > I've never set up a VM inside Windows, so my expertise in that is nil.
            > Whatever app set up the VM may have some "firewalling" in place, and Windows
            > firewall may also come into play here. I can't help you there.
            >
            > --Brian


          • email builder
            Message 5 of 14, Sep 3, 2006
              --- mouss <usebsd@...> wrote:

              > Brian Collins wrote:
              > >> [snip]
              > >>> like port 465 gets through, etc, but this fedora box with postfix is trying
              > >>
              > >> 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in the
              > >> Fedora system, BOTH ports fail with the same "no route to host" error. So
              > >> that confuses me just a bit. Something to do with the bridged
              > >> networking?....
              > >
              > > I'd recommend first looking at the host firewall, iptables. Do 'iptables -L -n'
              > > and see what ports/hosts are tagged for DROP/REJECT.
              >
              > Other possibilities:
              > - some sites silently drop smtp packets from "residential IPs" (DSL, ...)
              > - some ISPs block outbound port 25.

              I think this is what is happening. I don't have control to have this fixed,
              so am wondering if I can make postfix use a SSH tunnel or something like
              that...?


            • /dev/rob0
              Message 6 of 14, Sep 4, 2006
                On Monday 04 September 2006 00:08, email builder wrote:
                > So what I'd like to try is to make postfix either use 465 to send
                > mail out (although not many SMTP servers will be listening on 465,

                If they are, and if properly configured, they'll reject you unless
                authenticated.

                > will they?), or better yet, to create a SSH tunnel to another server
                > I control that will let it use port 25. Is that possible? Anyone
                > have any links where I can learn how to set that up and make postfix

                At home I use openvpn to reach my relayhost. My ISP does not [yet?]
                block outbound SMTP, but I know from experience how important it is to
                block residential/end-user IP space, the land of zombies.

                It's quite trivial to set up a point-to-point tunnel in openvpn using
                static keys. Use the IP address of the remote peer as your relayhost.
                --
                Offlist mail to this address is discarded unless
                "/dev/rob0" or "not-spam" is in Subject: header
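Added example, not rob0's or the poster's own configuration: the static-key point-to-point OpenVPN tunnel rob0 describes, written out as shell helpers, plus the Postfix settings on each end. Everything named here is an assumption for the example: tunnel addresses 10.8.0.1 (relay) and 10.8.0.2 (VM), key file /etc/openvpn/relay.key, relay hostname relay.example.net, UDP 1194. The relay's mynetworks is widened only by the single tunnel address, never by the VM's residential range, so the relay does not become an open relay for the "land of zombies" rob0 mentions; the static key is what authenticates the peer. The ssh -L variant the poster asked about is in the usage comments.

```shell
#!/bin/sh
# write_p2p_conf OUTFILE LOCAL_TUN_IP PEER_TUN_IP KEYFILE [REMOTE_HOST]
# Writes a static-key, point-to-point OpenVPN config. Give REMOTE_HOST on the
# side that initiates (the mail VM); the relay side just listens on UDP 1194.
# The pre-shared static key both encrypts the tunnel and authenticates the two
# peers: nobody without relay.key can bring the tunnel up.
write_p2p_conf() {
  local out=$1 local_ip=$2 peer_ip=$3 key=$4 remote=$5
  {
    if [ -n "$remote" ]; then echo "remote $remote 1194"; fi
    echo "port 1194"
    echo "proto udp"
    echo "dev tun"
    echo "ifconfig $local_ip $peer_ip"
    echo "secret $key"
    echo "keepalive 10 60"
    echo "persist-key"
    echo "persist-tun"
    echo "user nobody"      # drop root after the tun device is up
  } > "$out"
}

# postfix_relay_setting PEER_TUN_IP: the main.cf line for the VM. The square
# brackets suppress the MX lookup so mail goes straight to the tunnel peer.
postfix_relay_setting() { printf 'relayhost = [%s]' "$1"; }

# relay_mynetworks_setting PEER_TUN_IP: the main.cf line for the relay. Only
# the tunnel peer's /32 is trusted to relay, not the VM's public/ISP range.
relay_mynetworks_setting() { printf 'mynetworks = 127.0.0.0/8, %s/32' "$1"; }

# Usage, on the relay you control (assumed name relay.example.net), as root:
#   openvpn --genkey --secret /etc/openvpn/relay.key   # OpenVPN 2.4 syntax; 2.5+: --genkey secret FILE
#   chmod 0600 /etc/openvpn/relay.key
#   write_p2p_conf /etc/openvpn/relay-server.conf 10.8.0.1 10.8.0.2 /etc/openvpn/relay.key
#   openvpn --config /etc/openvpn/relay-server.conf --daemon
#   postconf -e "$(relay_mynetworks_setting 10.8.0.2)" && postfix reload
#   scp /etc/openvpn/relay.key vm:/etc/openvpn/      # it is a secret: scp it, never mail it
# Usage, on the Fedora VM behind the port-25 filter, as root:
#   write_p2p_conf /etc/openvpn/relay-client.conf 10.8.0.2 10.8.0.1 /etc/openvpn/relay.key relay.example.net
#   openvpn --config /etc/openvpn/relay-client.conf --daemon
#   postconf -e "$(postfix_relay_setting 10.8.0.1)" && postfix reload
# SSH alternative, when the relay only exposes sshd: on the VM run
#   ssh -fN -L 2525:127.0.0.1:25 relay.example.net
# and set  relayhost = [127.0.0.1]:2525  ; the relay then sees the mail as
# coming from 127.0.0.1, which is already in its mynetworks.
```

After `postfix reload` on the VM, `mailq` should show the deferred messages draining through 10.8.0.1 instead of "No route to host"; `openvpn --config ... --verb 4` on either end shows the static-key handshake if the tunnel itself does not come up.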
              • Sandy Drobic
                Message 7 of 14, Sep 4, 2006
                  /dev/rob0 wrote:
                  > On Monday 04 September 2006 00:08, email builder wrote:
                  >> So what I'd like to try is to make postfix either use 465 to send
                  >> mail out (although not many SMTP servers will be listening on 465,
                  >
                  > If they are, and if properly configured, they'll reject you unless
                  > authenticated.

                  Why? 465 is the older SSL port, have you perhaps mistaken it for the
                  submission port 587?

                  >> will they?), or better yet, to create a SSH tunnel to another server
                  >> I control that will let it use port 25. Is that possible? Anyone
                  >> have any links where I can learn how to set that up and make postfix
                  >
                  > At home I use openvpn to reach my relayhost. My ISP does not [yet?]
                  > block outbound SMTP, but I know from experience how important it is to
                  > block residential/end-user IP space, the land of zombies.
                  >
                  > It's quite trivial to set up a point-to-point tunnel in openvpn using
                  > static keys. Use the IP address of the remote peer as your relayhost.

                  I agree, a tunnel is the most robust way to route the traffic to the
                  remote host.

                  Sandy

                  --
                  List replies only please!
                  Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
                • /dev/rob0
                  Message 8 of 14, Sep 4, 2006
                    On Monday 04 September 2006 11:17, Sandy Drobic wrote:
                    > >> So what I'd like to try is to make postfix either use 465 to send
                    > >> mail out (although not many SMTP servers will be listening on 465,
                    > >
                    > > If they are, and if properly configured, they'll reject you unless
                    > > authenticated.
                    >
                    > Why? 465 is the older SSL port, have you perhaps mistaken it for
                    > the submission port 587?

                    No, I know what SMTPS is, and yes, it should be configured like a
                    submission port. At least mine are.

                    ### NOTE !!!! "submission" is a symlink to the smtpd(8) binary.
                    submission inet n       -       n       -       -       submission
                      -o smtpd_etrn_restrictions=reject
                      -o smtpd_delay_reject=no
                      -o smtpd_client_restrictions=
                      -o smtpd_recipient_restrictions=class_relay,reject
                    ## "class_relay" is a restriction class: permit_mynetworks,
                    ## permit_sasl_authenticated
                    ### NOTE !!!! "smtps" is a symlink to the smtpd(8) binary.
                    smtps     inet  n       -       n       -       -       smtps
                      -o smtpd_tls_wrappermode=yes
                      -o smtpd_etrn_restrictions=reject
                      -o smtpd_delay_reject=no
                      -o smtpd_client_restrictions=
                      -o smtpd_recipient_restrictions=class_relay,reject

                    FWIW, I found that the "-o smtpd_delay_reject=no" didn't work. I had to
                    unset smtpd_client_restrictions, because my main.cf has a greet pause
                    in smtpd_client_restrictions (and "smtpd_delay_reject=yes").
                    --
                    Offlist mail to this address is discarded unless
                    "/dev/rob0" or "not-spam" is in Subject: header
                  • Sandy Drobic
                    Message 9 of 14, Sep 4, 2006
                      /dev/rob0 wrote:
                      > On Monday 04 September 2006 11:17, Sandy Drobic wrote:
                      >>>> So what I'd like to try is to make postfix either use 465 to send
                      >>>> mail out (although not many SMTP servers will be listening on 465,
                      >>> If they are, and if properly configured, they'll reject you unless
                      >>> authenticated.
                      >> Why? 465 is the older SSL port, have you perhaps mistaken it for
                      >> the submission port 587?
                      >
                      > No, I know what SMTPS is, and yes, it should be configured like a
                      > submission port. At least mine are.

                      That was the point I was trying to point at. This is your configuration,
                      but it is not necessarily the usual requirement.

                      You might as well say TLS encryption is only meant for authenticated
                      users. While it makes sense to encrypt any email submission with plain
                      text authentication, TLS was also meant for unauthenticated mail
                      submission. There is not much difference between TLS and SSL, so why offer
                      SSL only for authenticated users?

                      > ### NOTE !!!! "submission" is a symlink to the smtpd(8) binary.
                      > submission inet n       -       n       -       -       submission
                      >   -o smtpd_etrn_restrictions=reject
                      >   -o smtpd_delay_reject=no
                      >   -o smtpd_client_restrictions=
                      >   -o smtpd_recipient_restrictions=class_relay,reject
                      > ## "class_relay" is a restriction class: permit_mynetworks,
                      > ## permit_sasl_authenticated
                      > ### NOTE !!!! "smtps" is a symlink to the smtpd(8) binary.
                      > smtps     inet  n       -       n       -       -       smtps
                      >   -o smtpd_tls_wrappermode=yes
                      >   -o smtpd_etrn_restrictions=reject
                      >   -o smtpd_delay_reject=no
                      >   -o smtpd_client_restrictions=
                      >   -o smtpd_recipient_restrictions=class_relay,reject

                      I was just trying to find what the basic master.cf from the default
                      installation contains, but I don't seem to have a copy of it. My
                      configuration is also modified (sasl_authentication), so I don't know
                      exactly what I added/deleted and what was set as default.

                      Sandy
                      --
                      List replies only please!
                      Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
                    • /dev/rob0
                      Message 10 of 14, Sep 4, 2006
                        On Monday 04 September 2006 12:11, Sandy Drobic wrote:
                        > >> Why? 465 is the older SSL port, have you perhaps mistaken it for
                        > >> the submission port 587?
                        > >
                        > > No, I know what SMTPS is, and yes, it should be configured like a
                        > > submission port. At least mine are.
                        >
                        > That was the point I was trying to point at. This is your
                        > configuration, but it is not necessarily the usual requirement.
                        >
                        > You might as well say TLS encryption is only meant for authenticated
                        > users. While it makes sense to encrypt any email submission with
                        > plain text authentication, TLS was also meant for unauthenticated
                        > mail submission. There is not much difference between TLS and SSL, so
                        > why offer SSL only for authenticated users?

                        It wouldn't matter because TTBOMK (I hope someone will correct me if
                        wrong) no MTA will use any port other than 25 for mail exchange with
                        other hosts, unless of course overridden by a non-default transport(5)
                        (or equivalent). SMTPS was only intended for submission.

                        > I was just trying to find what the basic master.cf from the default
                        > installation contains, but I don't seem to have a copy of it. My

                        Checking my source/conf/master.cf :

                        #submission inet n       -       n       -       -       smtpd
                        #  -o smtpd_enforce_tls=yes
                        #  -o smtpd_sasl_auth_enable=yes
                        #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                        #smtps     inet  n       -       n       -       -       smtpd
                        #  -o smtpd_tls_wrappermode=yes
                        #  -o smtpd_sasl_auth_enable=yes
                        #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

                        Mine has smtpd_sasl_auth_enable=yes already set, and I think my
                        "smtpd_tls_auth_only = yes" negates the need for "smtpd_enforce_tls =
                        yes". (I don't care about forcing $mynetworks to use TLS.)
                        --
                        Offlist mail to this address is discarded unless
                        "/dev/rob0" or "not-spam" is in Subject: header
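Added example, not from rob0's master.cf or the Postfix source defaults quoted above: a check that reads master.cf, joins the `-o` continuation lines to their service, and reports for each submission/smtps listener whether it enables SASL and ends its restrictions with permit_sasl_authenticated,reject, which is the shape the commented-out source defaults take. The master.cf excerpt embedded in it is constructed for the example, with one weak and one locked-down service. Caveat, as rob0's own setup shows: a global smtpd_sasl_auth_enable=yes in main.cf, or a restriction class such as class_relay, satisfies the same requirement without appearing in master.cf, and this check, which reads master.cf alone, would report such a service as WEAK; treat its output as a list of entries to look at, not a verdict.

```shell
#!/bin/sh
# Constructed master.cf excerpt (not the poster's or rob0's file). "submission"
# is left at a bare default with no restrictions of its own; "smtps" follows
# the source defaults. Continuation lines begin with whitespace, as in Postfix.
SAMPLE_MASTER_CF='smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=no
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#pickup    fifo  n       -       n       60      1       pickup'

# audit_submission_services < master.cf
# One line per submission/smtps service: "NAME ok" when its own -o options
# enable SASL and its restrictions end with permit_sasl_authenticated,reject,
# otherwise "NAME WEAK: missing ..." naming what is absent from the entry.
audit_submission_services() {
  awk '
    function flush() {
      if (name == "") return
      missing = ""
      if (entry !~ /smtpd_sasl_auth_enable=yes/)
        missing = missing " smtpd_sasl_auth_enable=yes"
      if (entry !~ /restrictions=[^ ]*permit_sasl_authenticated,reject/)
        missing = missing " permit_sasl_authenticated,reject"
      print name, (missing == "" ? "ok" : "WEAK: missing" missing)
      name = ""; entry = ""
    }
    /^[[:space:]]*#/ { next }           # comments, including commented-out services
    /^[[:space:]]*$/ { next }
    /^[^[:space:]]/ {                    # a new service line
      flush()
      if ($1 == "submission" || $1 == "smtps") { name = $1; entry = $0 }
      next
    }
    name != "" { entry = entry " " $0 }  # -o continuation line of the current service
    END { flush() }'
}

# Usage on a live box:   audit_submission_services < /etc/postfix/master.cf
# Usage on the sample:   printf '%s\n' "$SAMPLE_MASTER_CF" | audit_submission_services
```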
                      • /dev/rob0
                        Message 11 of 14, Sep 4, 2006
                          On Monday 04 September 2006 12:31, I wrote:
                          > On Monday 04 September 2006 12:11, Sandy Drobic wrote:
                          > > You might as well say TLS encryption is only meant for
                          > > authenticated users. While it makes sense to encrypt any email
                          > > submission with plain text authentication, TLS was also meant for
                          > > unauthenticated mail submission. There is not much difference
                          > > between TLS and SSL, so why offer SSL only for authenticated users?

                          I meant to mention that any TLS-capable MTA can use STARTTLS on 25.
                          --
                          Offlist mail to this address is discarded unless
                          "/dev/rob0" or "not-spam" is in Subject: header
                        • Sandy Drobic
                          Message 12 of 14, Sep 4, 2006
                            /dev/rob0 wrote:
                            > On Monday 04 September 2006 12:11, Sandy Drobic wrote:
                            >>>> Why? 465 is the older SSL port, have you perhaps mistaken it for
                            >>>> the submission port 587?
                            >>> No, I know what SMTPS is, and yes, it should be configured like a
                            >>> submission port. At least mine are.
                            >> That was the point I was trying to point at. This is your
                            >> configuration, but it is not necessarily the usual requirement.
                            >>
                            >> You might as well say TLS encryption is only meant for authenticated
                            >> users. While it makes sense to encrypt any email submission with
                            >> plain text authentication, TLS was also meant for unauthenticated
                            >> mail submission. There is not much difference between TLS and SSL, so
                            >> why offer SSL only for authenticated users?
                            >
                            > It wouldn't matter because TTBOMK (I hope someone will correct me if
                            > wrong) no MTA will use any port other than 25 for mail exchange with
                            > other hosts, unless of course overridden by a non-default transport(5)
                            > (or equivalent). SMTPS was only intended for submission.

                            That is a good point.

                            I wouldn't put my hand into the fire for it, but I believe Lotus Domino
                            did route to port 465 in the older versions that didn't support STARTTLS.
                            While googling, I found the RFC 2487 where STARTTLS was apparently
                            introduced 1999. I haven't found anything for smtps, but I believe it is a
                            bit older and was used before STARTTLS.

                            >> I was just trying to find what the basic master.cf from the default
                            >> installation contains, but I don't seem to have a copy of it. My
                            >
                            > Checking my source/conf/master.cf :
                            >
                            > #submission inet n       -       n       -       -       smtpd
                            > #  -o smtpd_enforce_tls=yes
                            > #  -o smtpd_sasl_auth_enable=yes
                            > #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                            > #smtps     inet  n       -       n       -       -       smtpd
                            > #  -o smtpd_tls_wrappermode=yes
                            > #  -o smtpd_sasl_auth_enable=yes
                            > #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                            Ah, very good, I should have thought about looking into the source myself.
                            (^-^)

                            Okay, I think I can agree to your point of view, at least for present
                            usage of smtps. The missing routing default for port 465 does make it
                            unusable for automatic mail routing.

                            Can a veteran shed some light about the history of SMTPS and STARTTLS? I
                            haven't found anything really useful with Google.

                            Sandy
                            --
                            List replies only please!
                            Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
                          • email builder
                            Message 13 of 14, Sep 8, 2006
                              --- /dev/rob0 <rob0@...> wrote:

                              > On Monday 04 September 2006 00:08, email builder wrote:
                              > > So what I'd like to try is to make postfix either use 465 to send
                              > > mail out (although not many SMTP servers will be listening on 465,
                              >
                              > If they are, and if properly configured, they'll reject you unless
                              > authenticated.

                              Ah, right, of course. Duh.

                              > > will they?), or better yet, to create a SSH tunnel to another server
                              > > I control that will let it use port 25. Is that possible? Anyone
                              > > have any links where I can learn how to set that up and make postfix
                              >
                              > At home I use openvpn to reach my relayhost. My ISP does not [yet?]
                              > block outbound SMTP, but I know from experience how important it is to
                              > block residential/end-user IP space, the land of zombies.
                              >
                              > It's quite trivial to set up a point-to-point tunnel in openvpn using
                              > static keys. Use the IP address of the remote peer as your relayhost.

                              Perfect. The tip is much appreciated!

