OK. Reading through the router stuff, it looks OK. The two small errors in the rulesets are probably inconsequential in this context.

One, this rule is unneeded --
        DNAT            net             dmz:192.168.10.1 udp    25
-- (you only need tcp for SMTP) but it is harmless.

Two, this rule is unneeded --
        ACCEPT          dmz             fw              tcp     113 #Added for qmail reverse lookup
-- since reverse lookup is a DNS activity (dport 53), and you have rules ACCEPTing both tcp and udp traffic to router port 53.


Now, from here, I can connect to your Web home page. I can also connect to your SMTP server, but with a long delay:

        [EMAIL PROTECTED]:~$ telnet kroffts.com 25
        Trying [a.b.c.d - address deleted]...
        Connected to dhcp024-210-193-152.woh.rr.com.
        Escape character is '^]'.
[delay between 2 and 3 minutes here]
        220 kroffts.dmz ESMTP
        HELO comarre.com
        250 kroffts.dmz
        MAIL from: [EMAIL PROTECTED]
        250 ok
        RCPT To: [EMAIL PROTECTED]
        250 ok
        DATA
        354 go ahead
        THis is a test of my ability to send a message from an offsite
        location to the test user on the mail server. Kory -- see if it
        shows up.
        .
        250 ok 1072398018 qp 4166
        quit
        221 kroffts.dmz
        Connection closed by foreign host.

The length of the delay still points to a DNS problem as the likely culprit. Although you should check to see if the test message reflected in the above interaction actually reached lrpqmail's INBOX.

To pin the problem down, you need to do some more tests.

First, can the mail server resolve various types of FQNs? Examples would be

        its own FQN
        a LAN client's FQN
        an external FQN (try comarre.com)

The easy way to check this is by trying to ping the various FQNs from the mail server; ping first requests a lookup to get the relevant IP address, then does the ping. For example:

        [EMAIL PROTECTED]:~$ ping celine.comarre.lan
        PING celine.comarre.lan (192.168.1.23): 56 data bytes
        64 bytes from 192.168.1.23: icmp_seq=0 ttl=254 time=736.0 ms
        [...]

You don't care if the server can actually ping, just if it can do the name-to-address mapping.

Second, can it do reverse lookups of LAN and external addresses? You can't use ping for this, and I don't recall what app like host or nslookup is available for Bering, but you'll need to find one.

Probably you will have some trouble with this, because I see an error in the mail server's /etc/resolv.conf file --

        /etc/resolv.conf
        domain kroffts.dmz
        nameserver 127.0.0.1
        nameserver 192.168.1.254
        nameserver 192.168.10.254

The first "nameserver" line points back to the mail server itself (as localhost), but your package list for it includes no DNS server. So delete that line and then try the tests. You probably do NOT need both other lines, and which you do need depends on how you have tinydns configured (if I remember right, tinydns only listens on one interface, not all interfaces ... you probably want it to listen on eth2 and leave in the last "nameserver" line above).

Now, it looks like you have not provided enough information to tinydns in the /etc/tinydns-private/root/data file. You have entries for the mail server itself and for the router, but not for the LAN clients. Because they have no entries, reverse lookups of their addresses will not resolve, retaining the same problem you had before. (At least I think this is so. I run BIND here, not tinydns, so I'm relying on reading the man pages for tinydns and tinydns-data at

http://www.die.net/doc/linux/man/man8/tinydns.8.html )

As to dnscache ... you have not provided any information about its configuration, and it (not tinydns) is what will handle reverse-lookup queries for off-LAN hosts (like my address when I try to telnet to the mail server's port 25). Although I recall someone else in this thread saying that dnscache and tinydns worked together well, my own recollection (admittedly from some years back) is that they will not both listen on the same port on the same interface (IP address). The tutorial discussion at http://cr.yp.to/djbdns.html does not seem to describe any configuration in which dnscache and tinydns run on the same server (though I may have missed one).

Someone who is using both on a LEAF/Bering router should step in here to help. Getting this right in your setting ... where you use tinydns to resolve LAN names, not names you are externally authoritative for ... is just sufficiently non-standard that getting it right may be tricky with these two separate programs (in contrast to the more integrated BIND, where it is as easy as pie).

Your problem with other users probably does derive from their having non-standard home directory locations ... but you'll need a qmail expert to help you sort that one out.

From now on, any time you test connectivity, wait 5 minutes (look at your watch, don't guess) before you conclude that some host cannot connect to the mail server (for SMTP, POP3, or anything else). If you skip this step, you won't be ruling out DNS problems as the cause.

At 08:15 PM 12/25/2003 -0500, Kory Krofft wrote:
On Tue, 23 Dec 2003 22:13:34 -0600, Lynn Avants wrote:
>Kory.
>
<SNIP>

>It took me about 4 days to get everything setup correctly
>the first
>time.... then life got much easier. This may not be much comfort,
>but you
>might want to take a day off and let your mind clear. Reading all the
>different docs (I know you've read) on these programs and trying to
>swallow all the information at once tends to really muddy the water.
>There is something wrong with a configuration file or the logic of
>your setup and a days rest is what allowed everything to clear up
>again.
>
>After a mental rest, post the current config files to tinydns,
>qmail, the
>`ls -l` output of your user directories, the complete topology of
>your
>network, and the forwarding chains (from shorewall) to indicate
>what services are being allowed and forwarded.

Lynn and all,

Happy Holiday Wishes!!!

After a great home holiday I have done as Lynn suggests and put this problem aside for a day. I am posting this as a fresh start to debugging my DMZ web and mail server issues. Rather than try some fancy ascii art, I am just going to describe my network setup. It is quite simple:

Cable modem access to internet connected to a Bering 1.2 router with 3 interfaces set to the default config for a system with a DMZ. The router acts as a small file server for mail client storage with a small ide disk and samba.

eth0 - external I/F DHCP

eth1 - connects to loc lan, mostly windows boxen using DHCP, but assigns fixed IPs based on MAC address; domain is kroffts.home 192.168.1

eth2 - dmz, connects to single machine running stripped down Bering 1.2 with weblet, ssh and qmail; domain is kroffts.dmz 192.168.10


The plan is to have the dmz host a mail server and web server for the domain kroffts.com which is registered at dnsexit.com who provides the dynamic dns service which points to my IP as updated with ez-ipupdate. My goal is to host my own email so I can set my own limits on message size and have [EMAIL PROTECTED] without paying fees to a hosting service. Additionally I am trying to learn new skills in how to setup and configure such services. The web server is a bonus over the mail server and will host very simple semi private pages.
So far, the web server works and is visible from outside the network but not from inside since I changed the dmz domain from kroffts.com to kroffts.dmz. Qmail is running but with the domain set at kroffts.dmz, I cannot send mail or receive it. While testing with the dmz domain set to kroffts.com I was able to send and receive mail but pop access was very slow and some mail clients would time out. The user lrpqmail was the only one able to receive mail.


Now the config files:

Router==========================================
packages in use

        1) initrd
        2) ezipupd
        3) local
        4) modules
        5) pump
        6) shorwall
        7) ulogd
        8) samba
        9) dhcpd
        10) dnscache
        11) tinydns
        12) weblet

/etc/hosts

127.0.0.1       localhost.kroffts.home localhost
192.168.1.254   markii
192.168.1.1     coventry.kroffts.home coventry
192.168.10.1    kroffts.dmz dmz kroffts_web

/etc/resolv.conf

domain kroffts.home
nameserver 127.0.0.1
nameserver 192.168.1.254

/etc/tinydns-private/env/DNSTYPE

PRIVATE

/etc/tinydns-private/env/IP

127.0.0.1

/etc/tinydns-private/env/DOMAINS

1.168.192.in-addr.arpa
kroffts.home
10.168.192.in-addr.arpa
kroffts.dmz

/etc/tinydns-private/root/data

=localhost:127.0.0.1
localhost:127.0.0.1:a
1.0.0.127.in-addr.arpa:127.0.0.1:a
kroffts.home:127.0.0.1:a
1.168.192.in-addr.arpa:127.0.0.1:a

=markii.kroffts.home:192.168.1.254
=coventry.kroffts.home:192.168.1.1


/etc/shorewall/rules


#ACTION SOURCE DEST PROTO DEST    SOURCE  ORIGINAL
#                         PORT    PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
DROP net fw tcp 67,68
DROP net fw tcp 4662
DROP net fw udp 4662
DROP net fw icmp 8
ACCEPT fw net tcp 80
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
ACCEPT dmz fw tcp 53
ACCEPT dmz fw udp 53
#
# Accept SSH connections from the local network for administration of the DMZ
#
ACCEPT loc dmz tcp 22
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
#
#Enable Samba ports
ACCEPT loc fw udp 137,138
ACCEPT loc fw tcp 139
#
#Open http and mail ports on dmz
DNAT net dmz:192.168.10.1:80 tcp 80
DNAT net dmz:192.168.10.1 tcp 25
DNAT net dmz:192.168.10.1 udp 25
ACCEPT dmz fw tcp 113 #Added for qmail reverse lookup
ACCEPT loc dmz tcp 25
ACCEPT dmz net tcp 110
ACCEPT loc dmz tcp 110
ACCEPT loc dmz udp 110
ACCEPT loc dmz tcp 80
DNAT net dmz:192.168.10.1 tcp 110
DNAT net dmz:192.168.10.1 udp 110
DNAT loc dmz:192.168.10.1:80 tcp 80 - 24.210.193.152
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE




DMZ=================================================
Packages loaded
 1) initrd
 2) local
 3) modules
 4) pump (not currently used)
 5) daemontl
 6) qmail
 7) sshd
 8) weblet

/etc/network/interfaces

iface eth0 inet static
        address 192.168.10.1
        masklen 24
        broadcast 192.168.10.255
        gateway   192.168.10.254

/etc/resolv.conf
domain kroffts.dmz
nameserver 127.0.0.1
nameserver 192.168.1.254
nameserver 192.168.10.254

Qmail stuff

/var/qmail/control/me

kroffts.dmz

/var/qmail/control/rcpthosts

kroffts.dmz
kroffts.com
kroffts.home

/var/qmail/control/locals

kroffts.dmz

/var/qmail/control/defaultdomain

kroffts.dmz

/var/qmail/control/plusdomain

kroffts.dmz

/var/qmail/service/pop3d/run

#!/bin/sh
exec /usr/bin/softlimit -m 2000000 \
/usr/bin/tcpserver -v -R 0 pop-3 /var/qmail/bin/qmail-popup \
 kroffts.dmz /usr/bin/checkpassword /var/qmail/bin/qmail-pop3d \
 Maildir 2>&1

/etc/tcp.smtp

127.:allow,RELAYCLIENT=""
192.168.:allow,RELAYCLIENT=""


# ls -l /home/lrpqmail
drwx------    5 lrpqmail lrpqmail      100 Dec 24 18:46 Maildir

# ls -l /server/home/kkrofft
drwx------    5 kkrofft  mailuser      120 Dec 16 23:11 Maildir


Thanks to all who are able to suggest what I need to fix. I am sure I need to work on the tinydns config on the router and some user config assistance on the qmail server side.


Thank you,
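The two ruleset observations at the top of the thread (UDP rules for SMTP and POP3, and what the net zone is allowed to reach) can be checked mechanically rather than by eye. The following Python script is an added example, not code from the thread or from Shorewall: it parses the seven-column rules layout used in the posted file (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST), flags UDP rules aimed at services that only speak TCP, and lists every port DNAT'd or ACCEPTed from the net zone. The excerpt it runs on is copied from the rules file posted in the thread; the TCP_ONLY service table is my own.

```python
"""Audit a Shorewall 'rules' file: find UDP rules that target TCP-only
services and summarise what the 'net' zone is allowed to reach.

Added example (not from the thread or the Shorewall project).  Column
layout follows the Shorewall rules format used on the page:
ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "action source dest proto dports sports origdest lineno")

# Services that only speak TCP.  A UDP rule to one of these ports never
# matches legitimate traffic; it only widens what the firewall forwards.
TCP_ONLY = {22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 113: "ident"}

# Excerpt of the rules file posted in the thread, used as sample input.
RULES_EXCERPT = """\
#ACTION SOURCE DEST                PROTO DEST SOURCE ORIGINAL
#                                        PORT PORT(S) DEST
ACCEPT  dmz    fw                  tcp   53
ACCEPT  dmz    fw                  udp   53
ACCEPT  loc    dmz                 tcp   22
DNAT    net    dmz:192.168.10.1:80 tcp   80
DNAT    net    dmz:192.168.10.1    tcp   25
DNAT    net    dmz:192.168.10.1    udp   25
ACCEPT  dmz    fw                  tcp   113   #Added for qmail reverse lookup
ACCEPT  loc    dmz                 tcp   110
ACCEPT  loc    dmz                 udp   110
DNAT    net    dmz:192.168.10.1    tcp   110
DNAT    net    dmz:192.168.10.1    udp   110
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


def parse_ports(spec):
    """'25' -> [25]; '137,138' -> [137, 138]; '1024:1030' -> range; '-' -> []."""
    out = []
    for item in spec.split(","):
        item = item.strip()
        if item.isdigit():
            out.append(int(item))
        elif ":" in item:                      # Shorewall port range lo:hi
            lo, hi = item.split(":", 1)
            if lo.isdigit() and hi.isdigit():
                out.extend(range(int(lo), int(hi) + 1))
    return out


def parse_rules(text):
    """Turn the rules file into Rule tuples, skipping comments and blanks."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # trailing comments are ignored
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (7 - len(cols))        # pad the optional columns
        action, source, dest, proto, dport, sport, origdest = cols[:7]
        rules.append(Rule(action.upper(), source, dest, proto.lower(),
                          parse_ports(dport), parse_ports(sport), origdest, lineno))
    return rules


def udp_to_tcp_only_services(rules):
    """(line number, port, service) for every UDP rule aimed at a TCP-only port."""
    findings = []
    for r in rules:
        if r.proto != "udp":
            continue
        for port in r.dports:
            if port in TCP_ONLY:
                findings.append((r.lineno, port, TCP_ONLY[port]))
    return findings


def exposed_from_net(rules):
    """Sorted (proto, port, dest) triples that the net zone may reach."""
    return sorted({(r.proto, p, r.dest) for r in rules
                   if r.source == "net" and r.action in ("ACCEPT", "DNAT")
                   for p in r.dports})


if __name__ == "__main__":
    rules = parse_rules(RULES_EXCERPT)
    for lineno, port, svc in udp_to_tcp_only_services(rules):
        print(f"line {lineno}: udp/{port} ({svc}) is TCP-only; rule is unneeded")
    for proto, port, dest in exposed_from_net(rules):
        print(f"net -> {dest} {proto}/{port}")
```

Feed the real /etc/shorewall/rules to parse_rules to get the same report for the full file. The exposure list is the part worth keeping around: it is the set of ports an outsider can reach through the router, so any entry there that the DMZ host does not actually serve (the UDP 25 and UDP 110 forwards in this file) is a rule to delete.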






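The DNS part of the diagnosis above comes down to a simple question: for each LAN or DMZ host, does the tinydns data file carry an A record, a PTR record, and an NS/SOA line for the in-addr.arpa zone the PTR lives in? The following Python script is an added example, not code from the thread or from djbdns; it parses the tinydns-data record types the thread uses (`=` A+PTR, `+` A only, `^` PTR, `.`/`&` NS) and reports, for a host list, which lookups would fail. The SAMPLE_DATA records and the HOSTS table are constructed to mirror the shape of the posted configuration (a reverse zone listed in DOMAINS but with no NS line in data, and LAN clients with no entry at all); the host names and addresses beyond those on the page are assumptions.

```python
"""Check a tinydns 'data' file for hosts whose forward or reverse lookup
would fail.  Added example (not from the thread or djbdns); record syntax
is tinydns-data's, the sample records and host list are constructed.
"""
import ipaddress

# Constructed sample modelled on the thread's data file.  The '.' lines are
# the NS+SOA records tinydns needs before it will answer for a zone.
SAMPLE_DATA = """\
.kroffts.home:127.0.0.1:a
.1.168.192.in-addr.arpa:127.0.0.1:a
.kroffts.dmz:127.0.0.1:a
=markii.kroffts.home:192.168.1.254
=coventry.kroffts.home:192.168.1.1
+www.kroffts.home:192.168.1.1
=kroffts.dmz:192.168.10.1
"""

# Hosts that get fixed DHCP leases (constructed list; laptop is hypothetical).
HOSTS = {
    "markii.kroffts.home": "192.168.1.254",
    "coventry.kroffts.home": "192.168.1.1",
    "laptop.kroffts.home": "192.168.1.20",    # no data-file entry at all
    "kroffts.dmz": "192.168.10.1",            # A+PTR present, reverse zone unserved
}


def reverse_name(ip):
    """'192.168.1.20' -> '20.1.168.192.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_tinydns(text):
    """Return (A records, PTR records, served zones) from tinydns-data lines."""
    a, ptr, zones = {}, {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-":        # comments and disabled lines
            continue
        kind, fields = line[0], line[1:].split(":")
        if kind in "=+":                       # =fqdn:ip (A+PTR) / +fqdn:ip (A only)
            fqdn, ip = fields[0].lower(), fields[1]
            a.setdefault(fqdn, set()).add(ip)
            if kind == "=":
                ptr[reverse_name(ip)] = fqdn
        elif kind in ".&":                     # .fqdn:ip:x (NS+SOA) / &fqdn:ip:x (NS)
            zones.add(fields[0].lower())
        elif kind == "^":                      # ^reverse-name:fqdn (explicit PTR)
            ptr[fields[0].lower()] = fields[1].lower()
        # @ (MX), ' (TXT), C (CNAME), Z (SOA) and NS glue are not needed here.
    return a, ptr, zones


def audit(data_text, hosts):
    """Map each host to the list of lookups that would fail against this data."""
    a, ptr, zones = parse_tinydns(data_text)
    report = {}
    for fqdn, ip in hosts.items():
        problems = []
        rname = reverse_name(ip)
        rzone = rname.split(".", 1)[1]         # parent label; right for /24 zones
        if ip not in a.get(fqdn.lower(), ()):
            problems.append("forward lookup fails (no A record)")
        if ptr.get(rname) != fqdn.lower():
            problems.append("reverse lookup fails (no PTR record)")
        if rzone not in zones:
            problems.append(f"reverse zone {rzone} not served; query falls through to dnscache")
        report[fqdn] = problems
    return report


if __name__ == "__main__":
    for host, problems in audit(SAMPLE_DATA, HOSTS).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Run it with the router's /etc/tinydns-private/root/data in place of SAMPLE_DATA and the DHCP fixed-lease list in place of HOSTS. A host that shows a reverse-lookup failure is one whose connections to a tcpserver-wrapped service will be answered only after the server's client lookup has failed, and if that query goes to a nameserver that never replies, only after the resolver timeout. The pop3d run script posted in the thread passes `-R` to tcpserver, which suppresses its IDENT (port 113) query of the client; `-H` is the corresponding tcpserver switch that suppresses the reverse DNS lookup of the client, for cases where that lookup cannot be made to succeed.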