On Thu, 17 Jan 2002, Tal Amir wrote:

> On Fri, 18 Jan 2002, Tzafrir Cohen wrote:
>
> > Date: Fri, 18 Jan 2002 01:08:00 +0200 (IST)
> > From: Tzafrir Cohen <[EMAIL PROTECTED]>
> > To: Tal Amir <[EMAIL PROTECTED]>
> > Cc: the linux-il mailing list <[EMAIL PROTECTED]>
> > Subject: Re: access problem
> >
> > On Thu, 17 Jan 2002, Tal Amir wrote:
> >
> > > hi all,
> > >
> > > this is kind of tricky, so i'll try to be as clear as i can.
> > > i have a RH 6.2 machine at work, functioning as a mail-relay to an
> > > exchange server sitting in the local LAN, with NAT address.
> > > the linux machine is in a DMZ, with 1 nic, real ip.
> > > everything worked wonderful for more than 2 years, until last week, when
> > > someone did a hard reset to that machine.
> > >
> >
> > Yuck. It is possible that some files got trashed in the process.
>
> that's my guess too... ;(
>
> >
> > > as for now, users that try to telnet this machine
>
> ssh is installed, but that does not explain why telnet isn't working.
> i use ssh most of the time.

ssh works and telnet doesn't work from the same place?

>
> > > or get mail from it (using ms outlook) are
> > > getting stuck in the authentication. the mail client gets stuck on
> > > "verifying username and password" for 1-2
> > > minutes, and then gives up with a connection timeout.
> >
> > Outlook has very strange-looking error messages. Figuring them out is not
> > always easy.
> >
> > telnet your-server 110
> >
> > If and when a (tcp) connection is established, try writing the following:
> >
> > USER username
> > PASS topsecretpasswordinplaintext
> > QUIT
> >
> > (wu-imapd is very polite, and will give you a prompt for every step.)
> >
>
> telnet to ports 110 and 25 works. only mail clients can't get to
> authenticate. this is the most weird part (?!)
>
> >
> > > i forgot to mention that some users use this machine as a pop3 server, and
> > > others use the exchange (all mail messages
> > > are forwarded to the exchange, except for users that have "CL username" in
> > > sendmail.conf .
> > > from the outside, all services work just fine.
> > >
> > > this is not a firewall problem, since i unloaded the policy, tried and got
> > > nothing as well.
> > > for some reason, i cannot get to authenticate (as pop3 or telnet) from the
> > > internal network.
> > > there is nothing preventing me from accessing in hosts.deny .
> > > i am able to ping that machine from the inside, but that's about all i can
> > > do. nothing more.
> > > i did not change anything, or even touched that machine since the last
> > > time it worked, so there is no way that i did
> > > something wrong in any of the configuration files.
> > > the only change that was "made" was that hard reset. (boy, is that guy
> > > gonna get it) ;)
> > >
> > > any ideas are welcomed.
> > > tal.
> >
> > Let's go one step at a time:
> >
> > * Is anybody listening on the ports of the internal interfaces? Perhaps
> > your programs only listen on specific IPs?
> >
>
> there ARE NO internal interfaces.
> 1 interface (eth0) with 1 real ip. this machine is in a dmz, and the
> firewall translates everything to it. this is why it's accessible from both
> internal and external locations, and vice versa (it can access NAT
> addresses).
>
> > Use netstat -ln --tcp and see if any service listens on an address that is
> > not 0.0.0.0 (=all interfaces).
> >
> >
> > * Do packets from the clients get to the server?
> > Use tcpdump or any other sniffer. This could be a DNS problem or a routing
> > problem.
> >
>
> no routing problem. as i said, i can ping it from the internal LAN.
> also from outside. this is not the problem.
>

This does not eliminate routing problems. This also does not eliminate DNS
problems.

For instance: from your description I understand that remote access to the
mail server is through port-forwarding or something similar.

Is it possible that your mail clients try to access the "remote interface"
(due to DNS mis-configuration or whatever) and fail?

The fact that you can ping does not necessarily mean that you can
establish a TCP connection, and vice-versa.

DNS issues can be more problematic, since clients can (and sometimes do)
cache the answer to DNS queries.

I had an issue once which was related to a change of DNS address. One
client computer was not able to access a host after a DNS change. Pinging
the host name sent ping packets to the new address, but still the mail
client would not connect. I killed the mail client and restarted it, but
it would still not connect. In the end it turned out that the DNS caching
was done by the over-protective pop3 proxy of Norton Anti-Virus.

What does tcpdump tell you?

>
> > * Have you looked at the logs? Any connection attempts logged?
> >
> another thing i forgot to mention: syslogd is running but not logging
> anything. the last log entry is at the same date when the hard reset
> occurred. i don't think that there is a connection, but go figure..

Totally quiet? Too quiet?

-- 
Tzafrir Cohen                        /"\
mailto:[EMAIL PROTECTED]        \ /  ASCII Ribbon Campaign
Taub 229, 972-4-829-3942,             X   Against  HTML  Mail
http://www.technion.ac.il/~tzafrir   / \
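As an added illustration of the manual telnet check suggested in the thread (this is not code from the list or from either poster), the Python script below replays USER/PASS/QUIT against a POP3 port and times each reply, so the step a client is actually waiting on becomes visible instead of a vague "verifying username and password" hang. The server that stalls at PASS is a constructed stand-in, and the 0.2 s "stalled" threshold is an assumption.

```python
import socket
import threading
import time

# Constructed stand-in for the mail server: talks like a POP3 daemon but
# stalls before answering PASS (0.5 s here; a real hang lasts minutes).
def fake_pop3_server(pass_delay=0.5):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"+OK POP3 server ready\r\n")
            for line in conn.makefile("rb"):
                cmd = line.split()[0].upper() if line.split() else b""
                if cmd == b"PASS":
                    time.sleep(pass_delay)
                conn.sendall(b"+OK\r\n")
                if cmd == b"QUIT":
                    break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def time_pop3_login(host, port, user, password, timeout=5.0):
    """Replay the manual telnet session (USER/PASS/QUIT), timing each reply.
    Returns (timings, stalled): seconds waited per step, and the name of the
    step that hung (or None if every reply came back promptly)."""
    steps = [("BANNER", None), ("USER", f"USER {user}\r\n"),
             ("PASS", f"PASS {password}\r\n"), ("QUIT", "QUIT\r\n")]
    timings = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for step, line in steps:
            t0 = time.monotonic()
            if line:
                s.sendall(line.encode())
            try:
                reply = f.readline()          # blocks until the server answers
            except socket.timeout:            # the "gives up after 1-2 min" case
                timings[step] = timeout
                break
            timings[step] = time.monotonic() - t0
            if not reply.startswith(b"+OK"):  # -ERR or closed connection
                break
    stalled = max(timings, key=timings.get)   # 0.2 s threshold is an assumption
    return timings, (stalled if timings[stalled] > 0.2 else None)
```

Pointed at a real host on port 110 from the internal LAN and then from outside, the per-step timings show whether the delay is in reaching the port at all (no banner) or only once the daemon processes the login.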

