elmar283 Guru
Joined: 06 Dec 2004 Posts: 316 Location: Haarlem, Netherlands
Posted: Mon Jun 06, 2011 11:14 am Post subject: mail.domain.ltd
For my server I use bind. I have a mailserver with postfix and courier-imap. Everything works fine. I can receive mail from inside and outside my network.
The only thing that isn't working from outside is connecting to imap with the address mail.eotter1979.xs4all.nl. eotter1979.xs4all.nl works fine.
I found out that this must be a DNS thing, because I can't ping mail.eotter1979.xs4all.nl from outside my network:
Code: |
Last login: Sun Jun 5 14:27:50 2011 from eotter1979.xs4all.nl
elmaro@xs8:~$ ping mail.eotter1979.xs4all.nl
ping: unknown host mail.eotter1979.xs4all.nl
elmaro@xs8:~$ ping eotter1979.xs4all.nl
PING eotter1979.xs4all.nl (80.101.167.116) 56(84) bytes of data.
64 bytes from eotter1979.xs4all.nl (80.101.167.116): icmp_seq=1 ttl=62 time=35.5 ms
64 bytes from eotter1979.xs4all.nl (80.101.167.116): icmp_seq=2 ttl=62 time=35.9 ms
^C
--- eotter1979.xs4all.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 35.535/35.719/35.903/0.184 ms
elmaro@xs8:~$ telnet eotter1979.xs4all.nl 25
Trying 80.101.167.116...
Connected to eotter1979.xs4all.nl.
Escape character is '^]'.
220 mail.eotter1979.xs4all.nl ESMTP Postfix
^]
telnet> quit
Connection closed.
elmaro@xs8:~$
|
Is it possible to make other DNS-servers know my mx-record so they know where to go?
Here are my configurations of bind:
Code: |
elmarotter@masterserver ~ $ sudo cat /etc/bind/named.conf
Password:
/*
* Refer to the named.conf(5) and named(8) man pages, and the documentation
* in /usr/share/doc/bind-9 for more details.
* Online versions of the documentation can be found here:
* http://www.isc.org/software/bind/documentation
*
* If you are going to set up an authoritative server, make sure you
* understand the hairy details of how DNS works. Even with simple mistakes,
* you can break connectivity for affected parties, or cause huge amounts of
* useless Internet traffic.
*/
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid";
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
bindkeys-file "/etc/bind/bind.keys";
listen-on-v6 { none; };
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.178.28; };
allow-query {
127.0.0.1;
192.168.0.0/24;
192.168.178.0/24;
};
forward first;
forwarders {
// 123.123.123.123; // Your ISP NS
// 124.124.124.124; // Your ISP NS
// 4.2.2.1; // Level3 Public DNS
// 4.2.2.2; // Level3 Public DNS
8.8.8.8; // Google Open DNS
8.8.4.4; // Google Open DNS
194.109.6.66;
};
};
logging {
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
severity debug;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 53 allow { 127.0.0.1/32; } keys { "rndc-key"; };
};
acl mijnnetwerk {
192.168.0/24;
192.168.178.0/24;
};
view "internal" {
match-clients {
mijnnetwerk;
192.168.0.1;
localhost; };
recursion yes;
zone "eotter1979.xs4all.nl" {
type master;
file "pri/eotter1979.xs4all.nl.internal";
allow-transfer { any; };
};
};
view "external" {
match-clients { any; };
recursion no;
zone "." IN {
type hint;
file "named.cache";
};
zone "localhost" IN {
type master;
file "/pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
zone "eotter1979.xs4all.nl" {
type master;
file "pri/eotter1979.xs4all.nl.external";
allow-query { any; };
allow-transfer { 192.168.178.1; };
};
};
elmarotter@masterserver ~ $
|
Code: |
elmarotter@masterserver ~ $ sudo cat /var/bind/pri/eotter1979.xs4all.nl.internal
$TTL 2d
@ IN SOA ns.eotter1979.xs4all.nl. masterserver.eotter1979.xs4all.nl. (
2008122612 ;serial
28800 ;refresh
14400 ;retry
604800 ;expire
86400) ;default minimum ttl
eotter1979.xs4all.nl. IN MX 0 mail.eotter1979.xs4all.nl.
eotter1979.xs4all.nl. IN MX 10 mailgateway.eotter1979.xs4all.nl.
eotter1979.xs4all.nl. IN TXT "v=spf1 ip4:80.101.167.116/32 mx ptr mx:mail.eotter1979.xs4all.nl ~all"
eotter1979.xs4all.nl. IN NS ns.eotter1979.xs4all.nl.
eotter1979.xs4all.nl. IN A 192.168.0.1
www.eotter1979.xs4all.nl. IN A 192.168.0.1
ns.eotter1979.xs4all.nl. IN A 192.168.0.1
mail.eotter1979.xs4all.nl. IN A 192.168.0.1
router.eotter1979.xs4all.nl. IN A 192.168.0.1
masterserver.eotter1979.xs4all.nl. IN A 192.168.0.1
pikkabird.eotter1979.xs4all.nl IN A 192.168.0.2
deepthought.eotter1979.xs4all.nl. IN A 192.168.0.3
arthurdent.eotter1979.xs4all.nl. IN A 192.168.0.4
root.eotter1979.xs4all.nl. IN A 192.168.0.1
ftp.eotter1979.xs4all.nl. IN A 192.168.0.1
mailgateway.eotter1979.xs4all.nl. IN A 192.168.0.1
elmarotter@masterserver ~ $
|
Code: |
elmarotter@masterserver ~ $ sudo cat /var/bind/pri/eotter1979.xs4all.nl.external
$TTL 2d
@ IN SOA ns.eotter1979.xs4all.nl. masterserver.eotter1979.xs4all.nl. (
2008122601 ; Serial
28800 ; Refresh
14400 ; Retry
604800 ; Expire - 1 week
86400 ) ; Minimum
eotter1979.xs4all.nl. IN MX 0 mail.eotter1979.xs4all.nl.
eotter1979.xs4all.nl. IN MX 10 mailgateway.eotter1979.xs4all.nl.
eotter1979.xs4all.nl. IN TXT "v=spf1 ip4:80.101.167.116/32 mx ptr mx:mail.eotter1979.xs4all.nl ~all"
eotter1979.xs4all.nl. IN NS ns.80.101.167.116.
www.eotter1979.xs4all.nl. IN A 80.101.167.116
ns.eotter1979.xs4all.nl. IN A 80.101.167.116
mail.eotter1979.xs4all.nl. IN A 80.101.167.116
ftp.eotter1979.xs4all.nl. IN A 80.101.167.116
masterserver.eotter1979.xs4all.nl. IN A 80.101.167.116
mailgateway.eotter1979.xs4all.nl. IN A 80.101.167.116
elmarotter@masterserver ~ $
|
wanie n00b
Joined: 03 Jun 2011 Posts: 9 Location: Germany
Posted: Tue Jun 07, 2011 9:12 pm Post subject: Re: mail.domain.ltd
elmar283 wrote: |
Is it possible to make other DNS-servers know my mx-record so they know where to go?
|
I'm not really a professional with DNS, so please correct me if I am wrong.
This is really just an assumption from me:
I think you manage your own zone, right?
I think MX records are not used to connect with some IMAP/POP client to your subdomain "mail".
If you manage your own zone, you have to open your bind server to the public.
But an nmap of eotter1979.xs4all.nl shows me:
Code: |
53/tcp closed domain
|
So I can ask any DNS server who eotter1979.xs4all.nl is, and get the answer 80.101.167.116.
But if I try to ask your zone server who mail.eotter1979.xs4all.nl is, I get the answer:
Code: |
# dig @eotter1979.xs4all.nl mail.eotter1979.xs4all.nl
; <<>> DiG 9.7.3 <<>> @eotter1979.xs4all.nl mail.eotter1979.xs4all.nl
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
|
Does this sound right, or am I completely wrong?
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Tue Jun 07, 2011 10:39 pm Post subject:
Code: |
# dig MX eotter1979.xs4all.nl.
; <<>> DiG 9.7.3 <<>> MX eotter1979.xs4all.nl.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31652
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;eotter1979.xs4all.nl. IN MX
;; AUTHORITY SECTION:
xs4all.nl. 10800 IN SOA ns.xs4all.nl. hostmaster.xs4all.nl. 2011060800 28800 1800 604800 28800
;; Query time: 203 msec
;; SERVER: 10.23.14.240#53(10.23.14.240)
;; WHEN: Wed Jun 8 00:34:22 2011
;; MSG SIZE rcvd: 88
|
Doesn't look good. I am able to find your domain, but there is no MX entry.
As wanie already suggested, are you managing the correct DNS server?
Does the parent server point to your DNS server to resolve those names?
Is your DNS server publicly reachable? (From what I can see, like wanie, it is not reachable.)
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
elmar283 Guru
Joined: 06 Dec 2004 Posts: 316 Location: Haarlem, Netherlands
Posted: Thu Jun 09, 2011 7:59 pm Post subject: Port 53
I think I know what went wrong. Port 53 was closed because of the following line in named.conf:
Code: |
allow-transfer { 192.168.178.1; };
|
Instead of
Code: |
allow-transfer { any; };
|
The only concern with the latter is that anyone can use the DNS server, if I'm not mistaken.
Right now mail.eotter1979.xs4all.nl still doesn't work, but that could be because other DNS servers have to adjust, right?
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Thu Jun 09, 2011 9:34 pm Post subject:
I am not sure if you want to allow transfers (zone updates) from any source. Set that to none;.
tcp/53 is answering, but still no reply on udp/53.
Assuming that you are behind a NAT router:
how is your port forwarding configured? Is port udp/53 forwarded to your DNS server?
(You may need to configure your internal hosts to use your DNS server instead of an external one, as all (return) traffic will get forwarded to this DNS server.)
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
elmar283 Guru
Joined: 06 Dec 2004 Posts: 316 Location: Haarlem, Netherlands
Posted: Sun Jun 12, 2011 12:01 pm Post subject:
I have a router with iptables. My router is directly connected to my modem with the address 192.168.178.28.
In my modem I have allowed port 53 TCP and UDP to that address.
The DNS is on my router.
I use the following iptables rules to open the ports on my router:
Code: |
export LAN=eth0
export WAN=eth1
iptables -A INPUT -p TCP --dport 53 -i ${WAN} -j ACCEPT
iptables -A INPUT -p UDP --dport 53 -i ${WAN} -j ACCEPT
|
iptables routes all traffic from 192.168.178.28 (eth1) to 192.168.0.1 (eth0).
iptables -L states:
Code: |
elmarotter@masterserver ~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:dn6-nlm-aud
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:943
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:6266
ACCEPT tcp -- anywhere anywhere tcp dpt:echo
ACCEPT tcp -- anywhere anywhere tcp dpt:2703
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 anywhere
ACCEPT all -- anywhere 192.168.0.0/16
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
|
And iptables -t nat -L:
Code: |
elmarotter@masterserver ~ $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:6882 to:192.168.0.4:6882
DNAT tcp -- anywhere anywhere tcp dpt:6888 to:192.168.0.3:6888
DNAT tcp -- anywhere anywhere tcp dpt:11451 to:192.168.0.4:11451
DNAT udp -- anywhere anywhere udp dpt:ipsec-nat-t to:192.168.0.4:4500
DNAT udp -- anywhere anywhere udp dpt:mdns to:192.168.0.4:5353
DNAT tcp -- anywhere anywhere tcp dpt:28712 to:192.168.0.4:28712
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
|
So UDP port 53 should be open, but it isn't:
Code: |
elmarotter@masterserver ~ $ sudo nmap -sU -P0 -p 53 80.101.167.116
Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-12 13:56 CEST
Nmap scan report for eotter1979.xs4all.nl (80.101.167.116)
Host is up (0.011s latency).
PORT STATE SERVICE
53/udp closed domain
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
|
So I think it is something in '/etc/bind/named.conf' that is not right. But I still don't know what that is.
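Added example (not from anyone in this thread): a first-match walk over an `iptables -L` listing, because iptables stops at the first rule that matches, and in the INPUT chain posted above the `REJECT ... udp dpt:domain reject-with icmp-port-unreachable` line comes before the `ACCEPT ... udp dpt:domain` line, while an ICMP port-unreachable reply is also exactly what makes nmap report a UDP port as `closed`. The chain text is a constructed excerpt of the posted listing, the `SERVICES` name table is an assumption covering the names `-L` prints here, and rules whose criteria plain `-L` hides (interface, state) are reported rather than guessed.

```python
import re

# Constructed excerpt of the INPUT chain from the `iptables -L` listing in this
# thread, trimmed to the rules that matter for port 53.
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
ACCEPT     all  --  anywhere  anywhere
REJECT     udp  --  anywhere  anywhere   udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere  anywhere   tcp dpt:domain
ACCEPT     udp  --  anywhere  anywhere   udp dpt:domain
DROP       udp  --  anywhere  anywhere   udp dpts:0:1023
"""

SERVICES = {"domain": 53, "ssh": 22, "smtp": 25, "imap": 143}  # names -L prints (assumed table)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+\S+\s*(.*)$")
DPORT_RE = re.compile(r"\b(?:tcp|udp) (dpts?):(\S+)")

def parse_chain(listing):
    """Return (policy, rules); rule = (target, prot, (lo, hi) or None, extra)."""
    policy, rules = "ACCEPT", []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            policy = re.search(r"policy (\w+)", line).group(1)
        elif (m := RULE_RE.match(line)) and m.group(1) != "target":
            target, prot, extra = m.groups()
            ports = None
            if pm := DPORT_RE.search(extra):
                kind, spec = pm.groups()
                if kind == "dpts":                       # numeric range lo:hi
                    ports = tuple(int(x) for x in spec.split(":"))
                elif (p := SERVICES.get(spec, int(spec) if spec.isdigit() else None)) is not None:
                    ports = (p, p)
            rules.append((target, prot, ports, extra))
    return policy, rules

def first_match(listing, prot, dport):
    """Walk the chain top to bottom; return (verdict, matched_extra, skipped).
    Rules with no visible port criterion go to `skipped` instead of being judged:
    plain `iptables -L` hides interface (-i lo) and state matches, so the
    `ACCEPT all -- anywhere anywhere` line cannot be evaluated from the listing.
    """
    policy, rules = parse_chain(listing)
    skipped = []
    for target, rprot, ports, extra in rules:
        if ports is None:
            skipped.append((target, rprot, extra))
        elif rprot == prot and ports[0] <= dport <= ports[1]:
            return target, extra, skipped
    return policy, None, skipped
```

Running `first_match(INPUT_CHAIN, "udp", 53)` lands on the REJECT rule while `"tcp", 53` reaches ACCEPT, which matches the posted symptom of tcp/53 answering and udp/53 reported closed; `iptables -L -v -n` shows the hidden interface matches for the skipped rule.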
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sun Jun 12, 2011 4:08 pm Post subject:
Code: |
53/udp closed domain
|
This indicates that nothing is listening on port 53.
It does not mean that the firewall is disallowing traffic.
If a daemon is listening, but the firewall is dropping packets, you would see "filtered", and not "closed".
_________________
Lost configuring your system? dump lspci -n here | see Pappy's guide | Link Stash
wanie n00b
Joined: 03 Jun 2011 Posts: 9 Location: Germany
Posted: Mon Jun 20, 2011 8:46 pm Post subject:
Did you find the answer to your problem, elmar283?
elmar283 Guru
Joined: 06 Dec 2004 Posts: 316 Location: Haarlem, Netherlands
Posted: Thu Jun 23, 2011 11:00 am Post subject:
Sorry for the delayed response.
It is still not working. I'll now just connect through eotter1979.xs4all.nl.
Could it be, since I'm on a subdomain, that the domain xs4all.nl does not allow me to add an MX record?
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Thu Jun 23, 2011 7:02 pm Post subject:
Well, you somehow need to tell xs4all.nl that all DNS traffic for eotter1979.xs4all.nl. should either be forwarded to your DNS server, or that xs4all.nl handles all your DNS traffic (including your MX record).
And in the former case you need to get your DNS working; there is still no reply from it.
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.