
RE: OT: No route to host

  • Brian Collins
    Message 1 of 14 , Sep 1, 2006
      > > So I guess it's just port filtering?? Yeeeah, that's my best guess.
      > >
      > > If I'm on the right track, is there anything I can do at all to bypass
      > the
      > > filter without changing it (not currently under my jurisdiction)? It
      > looks
      > > like port 465 gets through, etc, but this fedora box with postfix is
      > trying
      >
      > 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in
      > the
      > Fedora system, BOTH ports fail with the same "no route to host" error. So
      > that confuses me just a bit. Something to do with the bridged
      > networking?....

      I'd recommend first looking at the host firewall, iptables. Do 'iptables -L
      -n' and see what ports/hosts are tagged for DROP/REJECT.

      Also, try the traceroute again, this time to one or more of the hosts that
      Postfix cannot reach.

      And since it's on a virtual machine, there may be other limitations here.
      I've never set up a VM inside Windows, so my expertise in that is nil.
      Whatever app set up the VM may have some "firewalling" in place, and Windows
      firewall may also come into play here. I can't help you there.

      --Brian
    • mouss
      Message 2 of 14 , Sep 2, 2006
        Brian Collins wrote:
        >> [snip]
        >>> like port 465 gets through, etc, but this fedora box with postfix is
        >>>
        >> trying
        >>
        >> 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in
        >> the
        >> Fedora system, BOTH ports fail with the same "no route to host" error. So
        >> that confuses me just a bit. Something to do with the bridged
        >> networking?....
        >>
        >
        > I'd recommend first looking at the host firewall, iptables. Do 'iptables -L
        > -n' and see what ports/hosts are tagged for DROP/REJECT.
        >
        >

        Other possibilities:
        - some sites silently drop smtp packets from "residential IPs" (DSL, ...)
        - some ISPs block outbound port 25.
      • email builder
        Message 3 of 14 , Sep 3, 2006
          > > > So I guess it's just port filtering?? Yeeeah, that's my best guess.
          > > >
          > > > If I'm on the right track, is there anything I can do at all to bypass
          > > the
          > > > filter without changing it (not currently under my jurisdiction)? It
          > > looks
          > > > like port 465 gets through, etc, but this fedora box with postfix is
          > > trying
          > >
          > > 25 seems to fail and 465 gets through from the HOST (windows) O/S, but in
          > > the
          > > Fedora system, BOTH ports fail with the same "no route to host" error.
          > So
          > > that confuses me just a bit. Something to do with the bridged
          > > networking?....
          >
          > I'd recommend first looking at the host firewall, iptables. Do 'iptables
          > -L
          > -n' and see what ports/hosts are tagged for DROP/REJECT.

          As I noted, same problem when I turn off iptables (service iptables stop).

          > Also, try the traceroute again, this time to one or more of the hosts that
          > Postfix cannot reach.

          Good idea. I tried with gmail and get a full traceroute, but neither postfix
          nor the command line is able to get through:

          status=deferred (connect to alt1.gmail-smtp-in.l.google.com[64.233.185.27]:
          No route to host)

          # traceroute alt1.gmail-smtp-in.l.google.com
          traceroute to alt1.gmail-smtp-in.l.google.com (64.233.185.114), 30 hops max,
          40 byte packets
          1 192.168.1.1 (192.168.1.1) 0.000 ms 0.279 ms 0.202 ms
          <snip>
          10 * * *
          11 216.239.43.125 (216.239.43.125) 225.499 ms 221.527 ms 218.803 ms
          12 72.14.238.157 (72.14.238.157) 214.960 ms 72.14.232.147 (72.14.232.147)
          212.696 ms 209.425 ms
          13 72.14.238.198 (72.14.238.198) 208.795 ms 209.375 ms 72.14.238.194
          (72.14.238.194) 209.062 ms
          14 gsmtp185-2.google.com (64.233.185.114) 204.526 ms 203.651 ms 204.531
          ms
          # telnet alt1.gmail-smtp-in.l.google.com 25
          Trying 64.233.185.114...
          telnet: connect to address 64.233.185.114: No route to host
          Trying 64.233.185.27...
          telnet: connect to address 64.233.185.27: No route to host
          telnet: Unable to connect to remote host: No route to host

          I tried with servers that I control, and what it starts to look like is that
          the network here is blocking outgoing port 25 traffic, whereas I seem to get
          through on 465.

          So what I'd like to try is to make postfix either use 465 to send mail out
          (although not many SMTP servers will be listening on 465, will they?), or
          better yet, to create a SSH tunnel to another server I control that will let
          it use port 25. Is that possible? Anyone have any links where I can learn
          how to set that up and make postfix use it?

          Thx!!!



          > And since it's on a virtual machine, there may be other limitations here.
          > I've never set up a VM inside Windows, so my expertise in that is nil.
          > Whatever app set up the VM may have some "firewalling" in place, and
          > Windows
          > firewall may also come into play here. I can't help you there.
          >
          > --Brian
          >
          >
          >


          __________________________________________________
          Do You Yahoo!?
          Tired of spam? Yahoo! Mail has the best spam protection around
          http://mail.yahoo.com
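The telnet and traceroute output above shows the two symptoms the thread keeps circling: "No route to host" on port 25 while 465 connects, and, inside the Fedora VM, every port failing the same way. The following Python script is an added example, not posted by anyone in this thread; it repeats the telnet-style test as plain TCP connects, maps the socket errno to a label, and turns the per-port results into a verdict. The names `probe_ports`, `diagnose` and the loopback helper `local_listener` are my own.

```python
import errno
import socket

# What each connect() outcome means when a mail server cannot reach port 25.
# "no-route" is the EHOSTUNREACH that telnet reports as "No route to host".
OUTCOME_MEANING = {
    "open":     "TCP handshake completed; something is listening there",
    "refused":  "host answered with RST: reachable, but nothing listens on that port",
    "no-route": "EHOSTUNREACH/ENETUNREACH: a local firewall rule or an upstream router rejected the packet",
    "timeout":  "no answer at all: a filter is silently dropping the packets",
    "other":    "some other socket error (name resolution failure, for instance)",
}


def classify_connect_error(err_no):
    """Map the errno from a failed connect() to one of the OUTCOME_MEANING keys."""
    if err_no in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "no-route"
    if err_no == errno.ECONNREFUSED:
        return "refused"
    if err_no == errno.ETIMEDOUT:
        return "timeout"
    return "other"


def probe_tcp(host, port, timeout=5.0):
    """Try one TCP connect and return the outcome key; never raises."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # must precede OSError: it is a subclass whose errno is None
        return "timeout"
    except OSError as exc:
        return classify_connect_error(exc.errno)


def probe_ports(host, ports=(25, 465, 587)):
    """Probe the SMTP-related ports the thread compares; returns {port: outcome}."""
    return {port: probe_tcp(host, port) for port in ports}


def diagnose(results):
    """
    Interpret a {port: outcome} map for a single destination.
    'port-25-filtered' is the thread's situation: 25 is unreachable while 465 gets through.
    'destination-unreachable' is the Fedora-VM symptom: every port fails the same way,
    which points at local host/VM networking rather than at an ISP port filter.
    """
    blocked = {"no-route", "timeout"}
    reached = {"open", "refused"}
    r25 = results.get(25)
    others = [outcome for port, outcome in results.items() if port != 25]
    if r25 in blocked and any(o in reached for o in others):
        return "port-25-filtered"
    if results and all(o in blocked for o in results.values()):
        return "destination-unreachable"
    if r25 in reached:
        return "port-25-reachable"
    return "inconclusive"


def local_listener():
    """Helper for offline use: a listening loopback socket on a free port, plus that port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = probe_ports(host)
    for port, outcome in sorted(results.items()):
        print("%s:%d %-8s %s" % (host, port, outcome, OUTCOME_MEANING[outcome]))
    print("verdict:", diagnose(results))
```

Run it once from the Windows host (or any machine outside the VM) and once from inside the Fedora guest against the same MX: a "port-25-filtered" verdict on the host and "destination-unreachable" in the guest is exactly the split described above, and it points at the VM's bridged networking rather than at the upstream filter. A "refused" on 25 means the packets do reach the destination, so no filter is in the path.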
        • email builder
          Message 4 of 14 , Sep 3, 2006
            --- mouss <usebsd@...> wrote:

            > Brian Collins wrote:
            > >> [snip]
            > >>> like port 465 gets through, etc, but this fedora box with postfix is
            > >>>
            > >> trying
            > >>
            > >> 25 seems to fail and 465 gets through from the HOST (windows) O/S, but
            > in
            > >> the
            > >> Fedora system, BOTH ports fail with the same "no route to host" error.
            > So
            > >> that confuses me just a bit. Something to do with the bridged
            > >> networking?....
            > >>
            > >
            > > I'd recommend first looking at the host firewall, iptables. Do 'iptables
            > -L
            > > -n' and see what ports/hosts are tagged for DROP/REJECT.
            > >
            > >
            >
            > Other possibilities:
            > - some sites silently drop smtp packets from "residential IPs" (DSL, ...)
            > - some ISPs block outbound port 25.

            I think this is what is happening. I don't have control to have this fixed,
            so am wondering if I can make postfix use a SSH tunnel or something like
            that...?


          • /dev/rob0
            Message 5 of 14 , Sep 4, 2006
              On Monday 04 September 2006 00:08, email builder wrote:
              > So what I'd like to try is to make postfix either use 465 to send
              > mail out (although not many SMTP servers will be listening on 465,

              If they are, and if properly configured, they'll reject you unless
              authenticated.

              > will they?), or better yet, to create a SSH tunnel to another server
              > I control that will let it use port 25. Is that possible? Anyone
              > have any links where I can learn how to set that up and make postfix

              At home I use openvpn to reach my relayhost. My ISP does not [yet?]
              block outbound SMTP, but I know from experience how important it is to
              block residential/end-user IP space, the land of zombies.

              It's quite trivial to set up a point-to-point tunnel in openvpn using
              static keys. Use the IP address of the remote peer as your relayhost.
              --
              Offlist mail to this address is discarded unless
              "/dev/rob0" or "not-spam" is in Subject: header
            • Sandy Drobic
              Message 6 of 14 , Sep 4, 2006
                /dev/rob0 wrote:
                > On Monday 04 September 2006 00:08, email builder wrote:
                >> So what I'd like to try is to make postfix either use 465 to send
                >> mail out (although not many SMTP servers will be listening on 465,
                >
                > If they are, and if properly configured, they'll reject you unless
                > authenticated.

                Why? 465 is the older SSL port, have you perhaps mistaken it for the
                submission port 587?

                >> will they?), or better yet, to create a SSH tunnel to another server
                >> I control that will let it use port 25. Is that possible? Anyone
                >> have any links where I can learn how to set that up and make postfix
                >
                > At home I use openvpn to reach my relayhost. My ISP does not [yet?]
                > block outbound SMTP, but I know from experience how important it is to
                > block residential/end-user IP space, the land of zombies.
                >
                > It's quite trivial to set up a point-to-point tunnel in openvpn using
                > static keys. Use the IP address of the remote peer as your relayhost.

                I agree, a tunnel is the most robust way to route the traffic to the
                remote host.

                Sandy

                --
                List replies only please!
                Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
              • /dev/rob0
                Message 7 of 14 , Sep 4, 2006
                  On Monday 04 September 2006 11:17, Sandy Drobic wrote:
                  > >> So what I'd like to try is to make postfix either use 465 to send
                  > >> mail out (although not many SMTP servers will be listening on 465,
                  > >
                  > > If they are, and if properly configured, they'll reject you unless
                  > > authenticated.
                  >
                  > Why? 465 is the older SSL port, have you perhaps mistaken it for
                  > the submission port 587?

                  No, I know what SMTPS is, and yes, it should be configured like a
                  submission port. At least mine are.

                  ### NOTE !!!! "submission" is a symlink to the smtpd(8) binary.
                  submission inet n - n - - submission
                    -o smtpd_etrn_restrictions=reject
                    -o smtpd_delay_reject=no
                    -o smtpd_client_restrictions=
                    -o smtpd_recipient_restrictions=class_relay,reject
                  ## "class_relay" is a restriction class: permit_mynetworks,
                  ## permit_sasl_authenticated
                  ### NOTE !!!! "smtps" is a symlink to the smtpd(8) binary.
                  smtps inet n - n - - smtps
                    -o smtpd_tls_wrappermode=yes
                    -o smtpd_etrn_restrictions=reject
                    -o smtpd_delay_reject=no
                    -o smtpd_client_restrictions=
                    -o smtpd_recipient_restrictions=class_relay,reject

                  FWIW, I found that the "-o smtpd_delay_reject=no" didn't work. I had to
                  unset smtpd_client_restrictions, because my main.cf has a greet pause
                  in smtpd_client_restrictions (and "smtpd_delay_reject=yes").
                  --
                  Offlist mail to this address is discarded unless
                  "/dev/rob0" or "not-spam" is in Subject: header
                • Sandy Drobic
                  Message 8 of 14 , Sep 4, 2006
                    /dev/rob0 wrote:
                    > On Monday 04 September 2006 11:17, Sandy Drobic wrote:
                    >>>> So what I'd like to try is to make postfix either use 465 to send
                    >>>> mail out (although not many SMTP servers will be listening on 465,
                    >>> If they are, and if properly configured, they'll reject you unless
                    >>> authenticated.
                    >> Why? 465 is the older SSL port, have you perhaps mistaken it for
                    >> the submission port 587?
                    >
                    > No, I know what SMTPS is, and yes, it should be configured like a
                    > submission port. At least mine are.

                    That was the point I was trying to point at. This is your configuration,
                    but it is not necessarily the usual requirement.

                    You might as well say TLS encryption is only meant for authenticated
                    users. While it makes sense to encrypt any email submission with plain
                    text authentication, TLS was also meant for unauthenticated mail
                    submission. There is not much difference between TLS and SSL, so why offer
                    SSL only for authenticated users?

                    > ### NOTE !!!! "submission" is a symlink to the smtpd(8) binary.
                    > submission inet n - n - - submission
                    > -o smtpd_etrn_restrictions=reject
                    > -o smtpd_delay_reject=no
                    > -o smtpd_client_restrictions=
                    > -o smtpd_recipient_restrictions=class_relay,reject
                    > ## "class_relay" is a restriction class: permit_mynetworks,
                    > ## permit_sasl_authenticated
                    > ### NOTE !!!! "smtps" is a symlink to the smtpd(8) binary.
                    > smtps inet n - n - - smtps
                    > -o smtpd_tls_wrappermode=yes
                    > -o smtpd_etrn_restrictions=reject
                    > -o smtpd_delay_reject=no
                    > -o smtpd_client_restrictions=
                    > -o smtpd_recipient_restrictions=class_relay,reject

                    I was just trying to find what the basic master.cf from the default
                    installation contains, but I don't seem to have a copy of it. My
                    configuration is also modified (sasl_authentication), so I don't know
                    exactly what I added/deleted and what was set as default.

                    Sandy
                    --
                    List replies only please!
                    Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
                  • /dev/rob0
                    Message 9 of 14 , Sep 4, 2006
                      On Monday 04 September 2006 12:11, Sandy Drobic wrote:
                      > >> Why? 465 is the older SSL port, have you perhaps mistaken it for
                      > >> the submission port 587?
                      > >
                      > > No, I know what SMTPS is, and yes, it should be configured like a
                      > > submission port. At least mine are.
                      >
                      > That was the point I was trying to point at. This is your
                      > configuration, but it is not necessarily the usual requirement.
                      >
                      > You might as well say TLS encryption is only meant for authenticated
                      > users. While it makes sense to encrypt any email submission with
                      > plain text authentication, TLS was also meant for unauthenticated
                      > mail submission. There is not much difference between TLS and SSL, so
                      > why offer SSL only for authenticated users?

                      It wouldn't matter because TTBOMK (I hope someone will correct me if
                      wrong) no MTA will use any port other than 25 for mail exchange with
                      other hosts, unless of course overridden by a non-default transport(5)
                      (or equivalent). SMTPS was only intended for submission.

                      > I was just trying to find what the basic master.cf from the default
                      > installation contains, but I don't seem to have a copy of it. My

                      Checking my source/conf/master.cf :

                      #submission inet n - n - - smtpd
                      #  -o smtpd_enforce_tls=yes
                      #  -o smtpd_sasl_auth_enable=yes
                      #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                      #smtps inet n - n - - smtpd
                      #  -o smtpd_tls_wrappermode=yes
                      #  -o smtpd_sasl_auth_enable=yes
                      #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                      Mine has smtpd_sasl_auth_enable=yes already set, and I think my
                      "smtpd_tls_auth_only = yes" negates the need for "smtpd_enforce_tls =
                      yes". (I don't care about forcing $mynetworks to use TLS.)
                      --
                      Offlist mail to this address is discarded unless
                      "/dev/rob0" or "not-spam" is in Subject: header
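Two master.cf fragments appear in this thread: /dev/rob0's live submission/smtps entries a few messages up (auth enforced through the `class_relay` restriction class) and the commented-out defaults from source/conf/master.cf quoted just above (auth enforced with `permit_sasl_authenticated,reject`). The following Python script is an added example, written for this page and not code from the thread or from Postfix itself: it parses master.cf, including the `-o key=value` continuation lines, and audits any enabled submission or smtps listener for the two properties discussed here, implicit TLS on 465 and a restriction list that demands SASL authentication before `reject`. The sample inputs are constructed to mirror the fragments posted above; the `restriction_classes` parameter, the function names and the finding texts are my own. A commented-out service is treated as disabled, which is why the stock defaults produce no findings at all.

```python
# Constructed sample modelled on the master.cf fragment posted in the thread
# (service names, command symlinks and -o overrides as shown there).
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       submission
  -o smtpd_etrn_restrictions=reject
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=class_relay,reject
smtps      inet  n       -       n       -       -       smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=class_relay,reject
smtp       unix  -       -       n       -       -       smtp
"""

# Constructed counter-example: both ports enabled, neither requiring authentication,
# and 465 served without wrapper-mode TLS.
WEAK_MASTER_CF = """\
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
submission inet  n       -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
"""

RESTRICTION_KEYS = ("smtpd_client_restrictions",
                    "smtpd_recipient_restrictions",
                    "smtpd_relay_restrictions")


def parse_master_cf(text):
    """
    Parse master.cf into {"name/type": {...}}.  A service is keyed by name and
    transport type because 'smtp inet' (the listener) and 'smtp unix' (the
    delivery agent) are different entries.  Comment lines are skipped, so a
    service present only as '#submission inet ...' is absent, i.e. disabled.
    Braced '-o key={ value with spaces }' syntax is not handled here.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                       # continuation of the previous service
            if current is None:
                raise ValueError("continuation line before any service: %r" % raw)
            tokens = raw.split()
            if tokens[0] == "-o" and len(tokens) >= 2:
                key, _, value = tokens[1].partition("=")
                current["overrides"][key] = value  # '-o key=' stores an empty override
            else:
                current["args"].extend(tokens)
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % raw)
        name, stype, private, unpriv, chroot, wakeup, maxproc, command = fields[:8]
        current = {"type": stype, "private": private, "chroot": chroot,
                   "command": command, "args": fields[8:], "overrides": {}}
        services["%s/%s" % (name, stype)] = current
    return services


def requires_authentication(overrides, restriction_classes=()):
    """
    True if some restriction override ends in 'reject' and contains an
    authenticated permit: permit_sasl_authenticated itself, or one of the
    caller-supplied restriction-class names that expand to it (for example the
    'class_relay' used in the thread; the parser cannot see main.cf, so the
    caller must name such classes).
    """
    auth_words = {"permit_sasl_authenticated", *restriction_classes}
    for key in RESTRICTION_KEYS:
        items = overrides.get(key, "").replace(",", " ").split()
        if items and items[-1] == "reject" and any(item in auth_words for item in items):
            return True
    return False


def audit_submission_services(services, restriction_classes=()):
    """Return [(service, problem), ...] for enabled submission/smtps listeners."""
    findings = []
    for key in ("submission/inet", "smtps/inet"):
        svc = services.get(key)
        if svc is None:
            continue                               # disabled: nothing listening, nothing to audit
        ov = svc["overrides"]
        if key == "smtps/inet" and ov.get("smtpd_tls_wrappermode") != "yes":
            findings.append((key, "port 465 service without smtpd_tls_wrappermode=yes"))
        if not requires_authentication(ov, restriction_classes):
            findings.append((key, "no restriction override requiring SASL authentication before reject"))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/postfix/master.cf"
    with open(path) as fh:
        parsed = parse_master_cf(fh.read())
    for service, problem in audit_submission_services(parsed, restriction_classes=sys.argv[2:]):
        print("%s: %s" % (service, problem))
```

Usage: `python3 audit_master.py /etc/postfix/master.cf class_relay` lists any problem with the two listeners; extra arguments are the names of restriction classes that already contain `permit_sasl_authenticated`. The audit deliberately ignores `smtpd_sasl_auth_enable`, since that can be set globally in main.cf as /dev/rob0 notes; what it checks is whether the per-service restriction list actually stops an unauthenticated client.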
                    • /dev/rob0
                      Message 10 of 14 , Sep 4, 2006
                        On Monday 04 September 2006 12:31, I wrote:
                        > On Monday 04 September 2006 12:11, Sandy Drobic wrote:
                        > > You might as well say TLS encryption is only meant for
                        > > authenticated users. While it makes sense to encrypt any email
                        > > submission with plain text authentication, TLS was also meant for
                        > > unauthenticated mail submission. There is not much difference
                        > > between TLS and SSL, so why offer SSL only for authenticated users?

                        I meant to mention that any TLS-capable MTA can use STARTTLS on 25.
                        --
                        Offlist mail to this address is discarded unless
                        "/dev/rob0" or "not-spam" is in Subject: header
                      • Sandy Drobic
                        Message 11 of 14 , Sep 4, 2006
                          /dev/rob0 wrote:
                          > On Monday 04 September 2006 12:11, Sandy Drobic wrote:
                          >>>> Why? 465 is the older SSL port, have you perhaps mistaken it for
                          >>>> the submission port 587?
                          >>> No, I know what SMTPS is, and yes, it should be configured like a
                          >>> submission port. At least mine are.
                          >> That was the point I was trying to point at. This is your
                          >> configuration, but it is not necessarily the usual requirement.
                          >>
                          >> You might as well say TLS encryption is only meant for authenticated
                          >> users. While it makes sense to encrypt any email submission with
                          >> plain text authentication, TLS was also meant for unauthenticated
                          >> mail submission. There is not much difference between TLS and SSL, so
                          >> why offer SSL only for authenticated users?
                          >
                          > It wouldn't matter because TTBOMK (I hope someone will correct me if
                          > wrong) no MTA will use any port other than 25 for mail exchange with
                          > other hosts, unless of course overridden by a non-default transport(5)
                          > (or equivalent). SMTPS was only intended for submission.

                          That is a good point.

                          I wouldn't put my hand into the fire for it, but I believe Lotus Domino
                          did route to port 465 in the older versions that didn't support STARTTLS.
                          While googling, I found the RFC 2487 where STARTTLS was apparently
                          introduced 1999. I haven't found anything for smtps, but I believe it is a
                          bit older and was used before STARTTLS.

                          >> I was just trying to find what the basic master.cf from the default
                          >> installation contains, but I don't seem to have a copy of it. My
                          >
                          > Checking my source/conf/master.cf :
                          >
                          > #submission inet n - n - - smtpd
                          > # -o smtpd_enforce_tls=yes
                          > # -o smtpd_sasl_auth_enable=yes
                          > # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                          > #smtps inet n - n - - smtpd
                          > # -o smtpd_tls_wrappermode=yes
                          > # -o smtpd_sasl_auth_enable=yes
                          > # -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                          Ah, very good, I should have thought about looking into the source myself.
                          (^-^)

                          Okay, I think I can agree to your point of view, at least for present
                          usage of smtps. The missing routing default for port 465 does make it
                          unusable for automatic mail routing.

                          Can a veteran shed some light about the history of SMTPS and STARTTLS? I
                          haven't found anything really useful with Google.

                          Sandy
                          --
                          List replies only please!
                          Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
                        • email builder
                          Message 12 of 14 , Sep 8, 2006
                            --- /dev/rob0 <rob0@...> wrote:

                            > On Monday 04 September 2006 00:08, email builder wrote:
                            > > So what I'd like to try is to make postfix either use 465 to send
                            > > mail out (although not many SMTP servers will be listening on 465,
                            >
                            > If they are, and if properly configured, they'll reject you unless
                            > authenticated.

                            Ah, right, of course. Duh.

                            > > will they?), or better yet, to create a SSH tunnel to another server
                            > > I control that will let it use port 25. Is that possible? Anyone
                            > > have any links where I can learn how to set that up and make postfix
                            >
                            > At home I use openvpn to reach my relayhost. My ISP does not [yet?]
                            > block outbound SMTP, but I know from experience how important it is to
                            > block residential/end-user IP space, the land of zombies.
                            >
                            > It's quite trivial to set up a point-to-point tunnel in openvpn using
                            > static keys. Use the IP address of the remote peer as your relayhost.

                            Perfect. The tip is much appreciated!

