On Fri, 18 Jan 2002, Tzafrir Cohen wrote:

> Date: Fri, 18 Jan 2002 02:00:14 +0200 (IST)
> From: Tzafrir Cohen <[EMAIL PROTECTED]>
> To: Tal Amir <[EMAIL PROTECTED]>
> Cc: the linux-il mailing list <[EMAIL PROTECTED]>
> Subject: Re: access problem
>
> On Thu, 17 Jan 2002, Tal Amir wrote:
>
> > On Fri, 18 Jan 2002, Tzafrir Cohen wrote:
> >
> > > Date: Fri, 18 Jan 2002 01:08:00 +0200 (IST)
> > > From: Tzafrir Cohen <[EMAIL PROTECTED]>
> > > To: Tal Amir <[EMAIL PROTECTED]>
> > > Cc: the linux-il mailing list <[EMAIL PROTECTED]>
> > > Subject: Re: access problem
> > >
> > > On Thu, 17 Jan 2002, Tal Amir wrote:
> > >
> > > > hi all,
> > > >
> > > > this is kind of tricky, so i'll try to be as clear as i can.
> > > > i have a RH 6.2 machine at work, functioning as a mail-relay to an
> > > > exchange server sitting in the local LAN, with NAT address.
> > > > the linux machine is in a DMZ, with 1 nic, real ip.
> > > > everything worked wonderfully for more than 2 years, until last week, when
> > > > someone did a hard reset to that machine.
> > > >
> > >
> > > Yuck. It is possible that some files got trashed in the process.
> >
> > that's my guess too... ;(
> >
> > > > as for now, users that try to telnet this machine
> >
> > ssh is installed, but that does not explain why telnet isn't working.
> > i use ssh most of the time.
>
> ssh works and telnet doesn't work from the same place?

yes. not all access is blocked, only some ports. (telnet, pop, smtp)

> > > > or get mail from it (using ms outlook) are
> > > > getting stuck in the authentication. the mail client gets stuck on
> > > > "verifying username and password" for 1-2
> > > > minutes, and then gives up with a connection timeout.
> > >
> > > Outlook has very strange-looking error messages. Figuring them out is not
> > > always easy.
> > >
> > > telnet your-server 110
> > >
> > > If and when a (tcp) connection is established, try writing the following:
> > >
> > > USER username
> > > PASS topsecretpasswordinplaintext
> > > QUIT
> > >
> > > (wu-imapd is very polite, and will give you a prompt for every step.
> > >
> >
> > telnet to ports 110 and 25 works. only mail clients can't get to
> > authenticate. this is the most weird part (?!)
> >
> > > > i forgot to mention that some users use this machine as a pop3 server, and
> > > > others use the exchange (all mail messages
> > > > are forwarded to the exchange, except for users that have "CL username" in
> > > > sendmail.conf.
> > > > from the outside, all services work just fine.
> > > >
> > > > this is not a firewall problem, since i unloaded the policy, tried and got
> > > > nothing as well.
> > > > for some reason, i cannot get to authenticate (as pop3 or telnet) from the
> > > > internal network.
> > > > there is nothing preventing me to access in hosts.deny.
> > > > i am able to ping that machine from the inside, but that's about all i can
> > > > do. nothing more.
> > > > i did not change anything, or even touched that machine since the last
> > > > time it worked, so there is no way that i did
> > > > something wrong in any of the configuration files.
> > > > the only change that was "made" was that hard reset. (boy, is that guy
> > > > gonna get it) ;)
> > > >
> > > > any ideas are welcomed.
> > > > tal.
> > >
> > > Let's go one step at a time:
> > >
> > > * Is anybody listening on the ports of the internal interfaces? Perhaps
> > > your programs only listen on specific IPs?
> > >
> >
> > there ARE NO internal interfaces.
> > 1 interface (eth0) with 1 real ip. this machine is in a dmz, and the
> > firewall translates everything to it. this is why it's accessible from both
> > internal and external locations, and vice versa (it can access NAT
> > addresses).
> >
> > > Use netstat -ln --tcp and see if any service listens on an address that is
> > > not 0.0.0.0 (=all interfaces).
> > >
> > > * Do packets from the clients get to the server?
> > > Use tcpdump or any other sniffer. This could be a DNS problem or a routing
> > > problem.
> > >
> >
> > no routing problem. as i said, i can ping it from the internal LAN.
> > also from outside. this is not the problem.
> >
>
> This does not eliminate routing problems. This also does not eliminate DNS
> problems.

maybe..

> For instance: from your description I understand that remote access to the
> mail server is through port-forwarding or something similar.
>
> Is it possible that your mail clients try to access the "remote interface"
> (due to DNS mis-configuration or whatever) and fail?

i access it directly by ip. there is no name resolution of any kind in that
process. and even if there was, i couldn't get anywhere, could i?

> The fact that you can ping does not necessarily mean that you can
> establish a TCP connection, and vice-versa.
>
> DNS issues can be more problematic, since clients can (and sometimes do)
> cache the answer to DNS queries.
>
> I had an issue once which was related to a change of DNS address. One
> client computer was not able to access a host after a DNS change. pinging
> to the host name sent ping packets to the new address, but still the mail
> client would not connect. I killed the mail client, and restarted it, but
> it would still not connect. In the end it turned out that the DNS caching
> was done by the over-protective pop3 proxy of Norton Anti-Virus.
>
> What does tcpdump tell you?

shows a connection from the accessing location. a connection is established,
only authentication does not occur. ms-outlook\express, fetchmail, nothing...

> > > * Have you looked at the logs? Any connection attempts logged?
> >
> > another thing i forgot to mention : syslogd is running but not logging
> > anything. the last log entry is at the same date when the hard reset
> > occurred. i don't think that there is a connection, but go figure..
>
> Totally quiet? Too quiet?

-- 
-----------------------------------
Best Regards,
Amir Tal,
System Administrator
ICQ : 15748705
http://whatsup.homelinux.com
-----------------------------------
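Added example, not part of the thread above. The manual check Tzafrir suggests ("telnet your-server 110", then USER / PASS / QUIT) tells you where a login stalls, but only if you watch the clock yourself; the script below does the same exchange and times every step (TCP connect, greeting banner, USER, PASS, QUIT), so the difference between "no TCP connection" and "connection established, authentication never answered" that the thread keeps circling around is visible from one run. Host, port, user name and password are parameters, not anything from the thread; the fake POP3 server at the bottom is constructed purely so the example runs offline and can be made to hang on PASS, the symptom Tal reports. As with telnet, PASS goes over the wire in plaintext.

```python
"""POP3 step timer: a scripted "telnet host 110 / USER / PASS / QUIT".

Added example, not code from the original mailing-list thread.  Each step
of the login is timed separately, so a hang shows up at the step where it
happens instead of as the mail client's generic "connection timeout".
"""
import socket
import threading
import time


def _read_line(sock):
    """Read one CRLF-terminated reply line; socket.timeout propagates on a stall."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def pop3_probe(host, port, user, password, timeout=5.0):
    """Run connect / banner / USER / PASS / QUIT against host:port.

    Returns a list of (step, result, seconds).  result is "ok" for the TCP
    connect, the server's reply line for protocol steps, or "timeout",
    "closed" or "refused ..." on failure.  Probing stops at the first
    failure or the first -ERR reply.  PASS is sent in plaintext, as from telnet.
    """
    steps = []
    t0 = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return [("connect", "timeout", time.monotonic() - t0)]
    except OSError as exc:
        return [("connect", "refused (%s)" % exc, time.monotonic() - t0)]
    steps.append(("connect", "ok", time.monotonic() - t0))
    sock.settimeout(timeout)

    # (label, command); None means "only read the greeting banner".
    script = [("banner", None), ("USER", "USER " + user),
              ("PASS", "PASS " + password), ("QUIT", "QUIT")]
    try:
        for label, cmd in script:
            t = time.monotonic()
            try:
                if cmd is not None:
                    sock.sendall(cmd.encode("ascii") + b"\r\n")
                reply = _read_line(sock)
            except socket.timeout:
                steps.append((label, "timeout", time.monotonic() - t))
                break
            except ConnectionError:
                steps.append((label, "closed", time.monotonic() - t))
                break
            steps.append((label, reply, time.monotonic() - t))
            if not reply.startswith("+OK"):
                break  # -ERR: the remaining steps would tell us nothing
    finally:
        sock.close()
    return steps


def start_fake_pop3(stall_on=None):
    """Constructed test server on 127.0.0.1; returns its port.

    Answers "+OK" to everything, except that it never replies to the command
    named in stall_on (e.g. "PASS"), mimicking a server that accepts the TCP
    connection but hangs during authentication.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"+OK POP3 fake server ready\r\n")
            for raw in conn.makefile("rb"):
                words = raw.split()
                verb = words[0].decode("ascii", "replace").upper() if words else ""
                if verb == stall_on:
                    time.sleep(30)  # hang; the client's timeout fires first
                    return
                conn.sendall(b"+OK\r\n")
                if verb == "QUIT":
                    return

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demo against the constructed server that hangs on PASS.
    port = start_fake_pop3(stall_on="PASS")
    for step, result, secs in pop3_probe("127.0.0.1", port, "tal", "secret", timeout=2.0):
        print("%-7s %-30s %.2fs" % (step, result, secs))
```

Against a real server you would call `pop3_probe("your-server-ip", 110, user, password)` from the internal network and again from outside, and compare the two step lists; a "connect" timeout or refusal points at routing, filtering or nothing listening on that address (the `netstat -ln --tcp` check above), while "+OK" on the banner and USER followed by a timeout on PASS means the packets arrive and the daemon answers until it has to authenticate.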
