HP to Cisco fiber

2014-02-18 Thread Eric J Esslinger
I've talked to HP and Cisco and neither side will commit to any kind of answer 
to this question, so I thought I'd ask it here:
Does anyone know if a Cisco switch equipped with a 1000BASE-BX10-D SFP will 
connect to an HP switch equipped with a HP X122 1G SFP LC BX-U Transceiver 
J9143B SFP, assuming they are already talking over dual fiber links and both 
units support the single fiber sfp's? (they do).

All the specs look like they should but Cisco and HP are doing the old 'will 
neither confirm nor deny interoperability'.

Off list reply is fine, I'd like someone with a definite 'yes I did it and it 
works fine' or 'no I tried it and it did not', not 'it should' because that's 
where I'm at for the moment.

-
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpunet.com/
(931)433-1522 ext 165



This message may contain confidential and/or proprietary information and is 
intended for the person/entity to whom it was originally addressed. Any use by 
others is strictly prohibited.



bidirectional fiber inline amps.

2013-02-19 Thread Eric J Esslinger
Due to some bundle size restrictions, we are looking at converting some runs 
over to use bi-directional fiber sfp's (the Cisco version is 
GLC-BX-D/GLC-BX-U). However a couple of our runs are farther than the spec 6.2 
miles.  Is anyone aware of a vendor that makes an inline bidirectional amp for 
this sort of application? I did some digging but either they do not exist or my 
google fu is weak today.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




RE: bidirectional fiber inline amps.

2013-02-19 Thread Eric J Esslinger
Didn't see those. Thanks. Idiot moment for me.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



 -Original Message-
 From: Jared Mauch [mailto:ja...@puck.nether.net]
 Sent: Tuesday, February 19, 2013 2:43 PM
 To: Eric J Esslinger
 Cc: 'nanog@nanog.org'
 Subject: Re: bidirectional fiber inline amps.



 On Feb 19, 2013, at 3:30 PM, Eric J Esslinger wrote:

  Due to some bundle size restrictions, we are looking at converting
  some runs over to use bi-directional fiber sfp's (the Cisco version is
  GLC-BX-D/GLC-BX-U). However a couple of our runs are farther than the
  spec 6.2 miles.  Is anyone aware of a vendor that makes an inline
  bidirectional amp for this sort of application? I did some digging but
  either they do not exist or my google fu is weak today.

 So you really just want the 20km optics:

 GLC-BX-U20
 GLC-BX-D20

 Most places also make 40km and 80km optics of the same sort.

 - Jared



Tw telecom noc/routing contact needed

2013-01-22 Thread Eric J Esslinger
I've been fighting with an issue with a Time Warner Telecom customer whose site 
is unreachable from our ip blocks, as well as a number of other ip blocks 
within my upstream's network according to the call I made to them.  All I'm 
getting through listed arin contacts are apparently unmonitored maildrops and 
customer contact numbers that won't put me through to a live person without a 
valid TW phone or circuit number.
Based on the behavior I suspect a reverse routing issue back to our ip blocks  
but have been unable to get much help from the other end of the problem.
I need to speak to someone, and if someone reading this list has info but 
doesn't want to share it, if they can pass my contact info on I can be 
contacted via this email or the phone number in my signature. Thank you.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




RE: Tw telecom noc/routing contact needed

2013-01-22 Thread Eric J Esslinger

Someone from Time warner has gotten in contact with me, thanks.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



 -Original Message-
 From: Eric J Esslinger
 Sent: Tuesday, January 22, 2013 10:49 AM
 To: 'nanog@nanog.org'
 Subject: Tw telecom noc/routing contact needed


 I've been fighting with an issue with a Time Warner Telecom
 customer whose site is unreachable from our ip blocks, as
 well as a number of other ip blocks within my upstream's
 network according to the call I made to them.  All I'm
 getting through listed arin contacts are apparently
 unmonitored maildrops and customer contact numbers that won't
 put me through to a live person without a valid TW phone or
 circuit number. Based on the behavior I suspect a reverse
 routing issue back to our ip blocks  but have been unable to
 get much help from the other end of the problem. I need to
 speak to someone, and if someone reading this list has
 info but doesn't want to share it, if they can pass my
 contact info on I can be contacted via this email or the
 phone number in my signature. Thank you.
 __ Eric Esslinger Information
 Services Manager - Fayetteville Public Utilities
 http://www.fpu-tn.com/ (931)433-1522 ext 165





Verizon wireless (cdma/LTE) compatible ethernet connectable OOB access device.

2012-11-07 Thread Eric J Esslinger
We have Verizon Wireless as our provider of choice for our company, and I've 
convinced those who are they that I need a completely OOB method for getting 
back in the NOC, as we don't have a full time NOC staff and internet coverage 
can be spotty around here in general, as we're a small town.

The people who need the OOB management access are getting 4G MiFi devices with 
static IP addresses. What I need at our NOC is a 3 or 4G (our area only has 3G 
atm) Verizon compatible device with a wired ethernet link. I'm looking at 
several but wondered if anyone has any familiarity with such units. I just need 
a basic wwan-ethernet modem/bridge, I will be handling vpn termination, 
firewalling, access control, and such with my existing firewall.

Off-list is fine.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




DNS Changer items

2012-07-06 Thread Eric J Esslinger
A) The DNS changer working group site http://www.dns-ok.us seems to be down for 
the clean people anyway. (Down for everyone agrees with me).
B) Fox, CNN, and MSNBC have apparently all run stories in the last couple of 
hours that essentially ended with 'Call your ISP if you have any questions' 
(gee thanks). And I'm told the ABC/CBS/NBC are running the same basic thing 
tonight, with the same basic ending.

The more you know...

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




RE: job screening question

2012-07-06 Thread Eric J Esslinger
I've dealt with:
1, (yes, no comp, tablet, game console, or other device, other than 
non-internet capable HDTV. They had also just purchased our fastest service 
package. They got irate and said they were switching to our competitor, who were cheaper 
anyway. Good news for them, we don't do minimum service contracts. Bad news for 
them, the competitor does. ) 2, 3, 6, 7, 8 also 'user has no power but computer 
is on UPS or generator and network gear is not'.
More than once in most cases.

Lots and lots of laptops with wireless card switch flipped to off accidentally.

And while I've never had a user call because they are unable to access a 
website because they are dead, I have had a non-user call/email about receiving 
NDR emails regarding email boxes belonging to one of our users we removed after 
notification that the owner was deceased.
That's happened a few times. My call on dealing with that was something along 
the lines of 'That email address has either been changed or the account 
associated with it disconnected, and we are not at liberty to discuss the issue 
further due to customer privacy policies' which is exactly what I say when the 
other possibilities are true.

Actually I had something similar to 'the user is dead'. Guy calls in to 
complain his internet is down. We dig through our system, no record he's a 
customer. After lots of hemming and hawing, admits he leeches unsecured 
wireless connection off next door neighbor. Next door neighbor's next of kin 
just had cable/internet turned off as she passed away, left power on while they 
move stuff out of house, so wireless signal was still present.

For a while I had 3 businesses in the same building that shared the same 
internet connection; However only one was listed on the account/paid the bill. 
Problem A) slow internet (metrics showing that their inbound or outbound is 
pegged, also the company paying bought the cheapest package available) Problem 
B) Cross business compromising of information, printing stuff in other offices 
(two of them were even direct competitors, effectively) sharing drives across 
businesses, a virus outbreak that kept respreading through the network because 
one office didn't seem to care they had a worm, and C) company that owned/paid 
for connection had a tendency to ignore late notices, because of billing 
schedule stuff the cutoffs would happen on Thursday, the person at that 
company with the authority to write checks only worked Mon-Wed

From: Owen DeLong [o...@delong.com]
Sent: Friday, July 06, 2012 1:53 PM
To: Keith Medcalf
Cc: nanog@nanog.org
Subject: Re: job screening question

On Jul 6, 2012, at 11:41 AM, Keith Medcalf wrote:


 My response would be insufficient information provided for meaningful 
 diagnosis.

 The following could be issues:
 ... the user does not have a computer
 ... the computer is not turned on
 ... the keyboard is not plugged in
 ... the user is a quadriplegic and cannot use the mouse or keyboard
 ... the user is blind and cannot find the computer
 ... the user has a computer but is not connected to a network
 ... the monitor is not turned on
 ... the brightness is turned down too far on the monitor
 ... the user is dead

I would argue that the fact the user filed a ticket/contacted the 
helpdesk/whatever to raise the issue indicates that the user probably isn't 
dead.

The rest are semi-legitimate somewhat amusing answers, but you missed many 
possibilities. When providing such a list of answers, always include an etc. at 
the end so as to indicate your understanding that the list is not complete. ;-)

 How does the user know that it cannot access the web site?

When did users become things?

Probably a candidate that made this mistake should be dismissed from 
consideration on that basis alone.

Owen



 -Original Message-
 From: Matt Chung [mailto:itsmemattch...@gmail.com]
 Sent: Friday, 06 July, 2012 08:20
 To: joseph.sny...@gmail.com
 Cc: nanog@nanog.org
 Subject: Re: job screening question

 A former manager of mine once told me you can gauge a person's understanding
 by the questions they ask and I personally agree with this statement. Most
 of us will be able to make a reasonable assessment of the person by
 listening to the content of their questions. I'm not looking for an
 immediate resolution, but trying to understand the thought process of the
 individual. I feel realistic scenarios provide some insight on the
 individual's analytical skills.

 A client cannot access the website "http://xyz.com". What do you do to
 troubleshoot this issue?

 Depending on the candidate, I've seen a variety of answers:
 1) Can you ping the device?
 2) Can you access the gateway?
 3) What does the running config look like on the router
 4) Is there a firewall in between

 I believe these questions may be asked in the right context provided there
 is enough information to isolate the issue to the network however the
 statement is devoid of anything 

couple of questions regarding 'lifeline' and large scale nat...

2012-02-10 Thread Eric J Esslinger
We're toying with the idea of a low bitrate 'lifeline' internet on our cable 
system, maybe even bundled with a certain level of cable service.

First question, if you happen to be doing something like this, what bit rates 
are you providing.
Second question, though 'real' internet customers all get real IP's, what would 
you think of doing something like this with 'large scale' nat instead. 
Understand, we're only talking about basic internet, something like a 256k/96k 
(or similar) connect, not something that would be used by a serious user. (One 
thing we are looking at is some older dial up users we still have, most of 
which could go onto cable just fine but don't want to pay the price).

Also when I say large scale, I doubt I'd have more than a few thousand 
customers for this. We're not a large ISP/cable company by any means.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165


question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Eric J Esslinger
Hope yall had an 'eventless' holiday. (I.e. no pages at 2 am on a holiday 
morning).
Sorry to drop what is possibly just someone misunderstanding something or 
pulling my leg on the list, but over the holidays I ran into one of my buddies 
that is also a network admin type and he was griping about mail journalling, 
which I already do for our corporate email accounts. However, his discussion 
was in terms of all customer email... Which I said was probably a bad thing to 
do. His response was there is legislation being pushed in both House and Senate 
that would require journalling for 2 or 5 years, all mail passing through all 
of your mail servers.

I've seen nothing, and my google fu has turned up nothing other than corporate 
requirements, so I ask here. Has anyone heard of such a bill working its way 
through either side of congress?

(I am speaking specifically of full email journaling, not just logs, which I do 
archive for significant amounts of time.)

I also don't want to discuss the pros, cons, merits, costs, goods, or evils of 
such a requirement, just wanted to know if this is something I should be 
looking forward towards maybe needing to implement.

Thanks for your attention and may you have a low incident new year.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




RE: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Eric J Esslinger
Based on some I have received off list it seems no-one has ever heard of such 
a proposal that has had any serious traction so I assume the gentleman was 
either mistaken, paranoid, or trying to pull a joke on me.

Thank you for the responses everyone. You can now get back to your regularly 
scheduled regulatory headaches.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



 -Original Message-
 From: Eric J Esslinger [mailto:eesslin...@fpu-tn.com]
 Sent: Thursday, January 05, 2012 9:57 AM
 To: 'nanog@nanog.org'
 Subject: question regarding US requirements for journaling
 public email (possible legislation?)


 Hope yall had an 'eventless' holiday. (I.e. no pages at 2 am
 on a holiday morning). Sorry to drop what is possibly just
 someone misunderstanding something or pulling my leg on the
 list, but over the holidays I ran into one of my buddies that
 is also a network admin type and he was griping about mail
 journalling, which I already do for our corporate email
 accounts. However, his discussion was in terms of all
 customer email... Which I said was probably a bad thing to
 do. His response was there is legislation being pushed in
 both House and Senate that would require journalling for 2 or
 5 years, all mail passing through all of your mail servers.

 I've seen nothing, and my google fu has turned up nothing
 other than corporate requirements, so I ask here. Has anyone
 heard of such a bill working its way through either side of congress?

 (I am speaking specifically of full email journaling, not
 just logs, which I do archive for significant amounts of time.)

 I also don't want to discuss the pros, cons, merits, costs,
 goods, or evils of such a requirement, just wanted to know if
 this is something I should be looking forward towards maybe
 needing to implement.

 Thanks for your attention and may you have a low incident new
 year. __ Eric Esslinger Information
 Services Manager - Fayetteville Public Utilities
 http://www.fpu-tn.com/ (931)433-1522 ext 165







RE: Well Lookie Here, Barracuda Networks tries to get me to fall into their trap again...

2011-12-22 Thread Eric J Esslinger

The vmware image is more expensive than the midrange hardware. (and you pay for 
how many processors it will use, ram, features like multi domain support, 
etc...)

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



 -Original Message-
 From: Jeremy Parr [mailto:jeremyp...@gmail.com]
 Sent: Thursday, December 22, 2011 3:54 PM
 To: Jon Lewis; nanog@nanog.org
 Subject: Re: Well Lookie Here, Barracuda Networks tries to
 get me to fall into their trap again...


 On 22 December 2011 14:07, Jon Lewis jle...@lewis.org wrote:

  Presumably, Barracuda's hardware is i386/i686 compatible commodity
  parts. It's probably not at all useless.  Just attach a USB DVD
  drive or USB flash drive, wipe the disk(s) and install your favorite
  Linux distro. It may take some doing to get all/most of the features
  Barracuda provides setup on your own...but if you don't have the
  time/expertise to do it, that's why companies like Barracuda exist.
 
 The hardware Barracuda charges you a very pretty penny for is
 very low end. $3000 or so that they charge for a mid-level
 spam filters gets you a single power supply, single hard
 disk, and a low end processor.

 According to their site it does appear they offer the product
 as VM image. This would eliminate the stupid hardware markup
 and their attempt at backdating updates.



recommendations for external monitoring services?

2011-12-12 Thread Eric J Esslinger
I'm not looking to monitor a massive infrastructure: 3 web sites, 2 mail 
servers (pop,imap,submission port, https webmail), 4 dns servers (including 
lookups to ensure they're not listening but not talking), and one inbound mx. A 
few network points to ping to ensure connectivity throughout my system. 
Scheduled notification windows (for example, during work hours I don't want my 
phone pinged unless it's everything going offline. Off hours I do. Secondary 
notifications if problem persists to other users, or in the event of many 
triggers. That sort of thing). Sensitivity settings (If web server 1 shows down 
for 5 min, that's not a big deal. Another one if it doesn't respond to repeated 
queries within 1 minute is a big deal) A Weekly summary of issues would be 
nice. (especially the 'well it was down for a short bit but we didn't notify as 
per settings')
I don't have a lot of money to throw at this. I DO have detailed internal 
monitoring of our systems  but sometimes that is not entirely useful, due to 
the fact that there are a few 'single points of failure' within our 
network/notification system, not to mention if the monitor itself goes offline 
it's not exactly going to be able to tell me about it. (and that happened once, 
right before the mail server decided to stop receiving mail).

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




Dnssec and ptr records

2011-10-18 Thread Eric J Esslinger
Quick question for those who have researched things more closely. I have signed 
all my forward zones and think I've crossed my I's and dotted my T's, but one 
thing I'm not sure of...

Are we supposed to setup signing for reverse dns zones?

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




RE: Dnssec and ptr records

2011-10-18 Thread Eric J Esslinger

 -Original Message-
 From: Phil Regnauld [mailto:regna...@nsrc.org]
 Sent: Tuesday, October 18, 2011 9:18 AM
 To: Eric J Esslinger
 Cc: 'nanog@nanog.org'
 Subject: Re: Dnssec and ptr records


 Eric J Esslinger (eesslinger) writes:
  Quick question for those who have researched things more closely. I
  have signed all my forward zones and think I've crossed my I's and
  dotted my T's, but one thing I'm not sure of...
 
  Are we supposed to setup signing for reverse dns zones?

   Hi Eric,

   Let me reverse the question: why wouldn't you ?

   Cheers,
   Phil

Well it makes sense we should, just that all the examples, discussion, and such 
I've read dealt with forward records.

I guess I get to dig some more. Thanks.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



RE: Dnssec and ptr records

2011-10-18 Thread Eric J Esslinger

 -Original Message-
 From: John Curran [mailto:jcur...@arin.net]
 Sent: Tuesday, October 18, 2011 11:56 AM
 To: Eric J Esslinger
 Cc: nanog@nanog.org Operators' Group
 Subject: Re: Dnssec and ptr records


 (Presuming, of course, that you've got an ARIN assignment
 or allocation.  If you're in a provider-assigned block,
 you'll need to chat with your ISP about the DS linkage
 for your PTR zones...  /John )

 On Oct 18, 2011, at 12:31 PM, John Curran wrote:
  On Oct 18, 2011, at 10:21 AM, Eric J Esslinger wrote:
 
  Well it makes sense we should, just that all the examples,
  discussion, and such I've read dealt with forward records.
 
  I guess I get to dig some more. Thanks.
 
  Eric -
 
  Your in-addr zone first needs to be signed and then the DS
  records are put in the parent in-addr zone to link into the
  signed IN-ADDR.ARPA hierarchy.   In the ARIN region, this can
  be done via the DNSSEC DS record management in ARIN Online or
  via the RESTful provisioning interface.
 
  ARIN DNSSEC Project overview:
 https://www.arin.net/resources/dnssec/
  ARIN Online/DNSSEC Tutorials:
  https://www.arin.net/knowledge/dnssec/index.html
 
  FYI,
  /John
 
  John Curran
  President and CEO
  ARIN
 
Thank you. That gives me information to work with, and I now have a solid 
understanding of what I need to do for the proper delegation setup. I'll have 
to talk to my current ISP for the blocks I currently have, though I don't 
believe they do dnssec at this time. I am expecting to get an ARIN allocation 
shortly (and return their existing allocations to us) as we are going 
multihomed soon. I may just have to wait till then to get everything fully 
setup.
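
The DS linkage discussed in this thread, as an added example that is not part of the original messages: it derives the in-addr.arpa zone name for an IPv4 prefix and builds the SHA-256 DS record (key tag per RFC 4034 Appendix B) that would be handed to the parent zone's operator. The prefix is a documentation range and the key bytes are a constructed placeholder, not a real key.

```python
import hashlib
import ipaddress
import struct

# Constructed inputs: a documentation prefix and placeholder key material.
PREFIX = "192.0.2.0/24"
KSK_FLAGS = 257                      # Zone Key + Secure Entry Point (a KSK)
KSK_ALGORITHM = 13                   # ECDSA P-256 with SHA-256
KSK_PUBLIC_KEY = bytes(range(64))    # placeholder bytes, layout only


def reverse_zone(prefix):
    """Return the in-addr.arpa zone name for an octet-aligned IPv4 prefix."""
    net = ipaddress.ip_network(prefix)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map to one zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def name_to_wire(name):
    """Encode a domain name in canonical (lower-case) DNS wire format."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bit), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag over DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(zone, flags, algorithm, public_key):
    """Build the DS record text (digest type 2, SHA-256) for one DNSKEY.

    The digest covers the owner name in wire format followed by the DNSKEY
    RDATA, so the same key published under a different zone name yields a
    different DS. The DS owner name is the child zone's own name.
    """
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return f"{zone} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


if __name__ == "__main__":
    zone = reverse_zone(PREFIX)
    print(ds_record(zone, KSK_FLAGS, KSK_ALGORITHM, KSK_PUBLIC_KEY))
```

Comparing this output with the DS the parent actually publishes is a quick check that the reverse zone's chain of trust points at the key currently signing it.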




RE: Internet mauled by bears

2011-09-19 Thread Eric J Esslinger



 -Original Message-
 From: Suresh Ramasubramanian [mailto:ops.li...@gmail.com]


 On Mon, Sep 19, 2011 at 4:16 PM, Eugen Leitl eu...@leitl.org wrote:
  He pointed out that these are the kind of problems city folk probably
  don't have in an urban area because there is a bear shortage.

 And backwoods towns have rednecks with shotguns, and bubba
 the backhoe driver exists everywhere there's a road ..

To be honest, while we have had some 'shotgun peppered' fiber runs in our rural 
TN town (mostly in one spot, due to dove hunters), after comparing notes with a 
lady that works for Mediacom I think it is preferable to having to have 
security escorts for their crews in some rough urban areas because gangs will 
shoot up plant then wait for the crews to show up so they can rob them.

Everyone has issues which are as diverse as the areas we deploy in.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165


ping me please...

2011-06-23 Thread Eric J Esslinger
I have just turned up and migrated to a new circuit. I'm getting a few reports 
from one customer that some of his users are unable to reach his system.
If I could get people on the list to ping 65.5.48.2, and if it fails, to do a 
traceroute and email it to me offlist? I'd appreciate it.
Thanks.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




RE: ping me please... Think I've got enough data, thanks

2011-06-23 Thread Eric J Esslinger
 -Original Message-
 From: Eric J Esslinger [mailto:eesslin...@fpu-tn.com]
 Sent: Thursday, June 23, 2011 8:08 AM
 To: 'nanog@nanog.org'
 Subject: ping me please...


 I have just turned up and migrated to a new circuit. I'm
 getting a few reports from one customer that some of his
 users are unable to reach his system. If I could get people
 on the list to ping 65.5.48.2, and if it fails, to do a
 traceroute and email it to me offlist? I'd appreciate it.
 Thanks.

I think I've got enough data. If there's a problem it's specific to a few users 
of that one customer and I need them to give me more information to isolate it. 
None of my looking glass tests (I was aware of traceroute.org and used ~50 of 
the sites before coming to the list. I also saw no problems).

Thank you for the help.


Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165


RE: blocking annoying 'bounce mail' feature from customers use. (Solution, mostly)

2011-06-06 Thread Eric J Esslinger
 -Original Message-
 From: Eric J Esslinger [mailto:eesslin...@fpu-tn.com]
 Sent: Wednesday, May 25, 2011 11:10 AM
 To: 'nanog@nanog.org'
 Subject: blocking annoying 'bounce mail' feature from customers use.


 Mac Mail (and others) have a feature that allows my
 customers to generate a fake NDR message and send it back
 through my server. I get about a customer every few months
 that discovers this 'solution' to spam emails, and when it
 happens they cause delivery problems for my customer mail
 server by generating backscatter.

 Today I just ended up on a list that won't take me off for
 quite a while (or unless I pay).

 Does anyone know of a way for me to block the following,
 using postfix, either via refusing to accept the mail or by
 dropping it in /dev/null: Mail from <> or postmaster that
 originates within our customer IP blocks/is sent using
 authentication at the submission port and/or that does not
 have a valid local recipient.

 I can't find any ready made recipes online for this sort of
 thing in a short dig around for it, and while I think it's
 possible, I was wondering if anyone else was already dealing
 with this and could say 'oh yeah just put line blah in
 header_checks'. I would think it would be simple once you
 find it but you know how it is.

 (I've already dealt with the customer in question but I'm
 getting tired of this popping up every month or three.)
 __ Eric Esslinger Information
 Services Manager - Fayetteville Public Utilities
 http://www.fpu-tn.com/ (931)433-1522 ext 165

A couple of people asked me to follow up with a solution if I found one. What I 
did was perhaps not elegant, but functional. I was hindered by a lack of time 
and lack of clear understanding of something in the header checks (namely, that 
the various postfix UCE 'checks' are not stateful and only can do multiple 
comparisons against a single line at a time. I can't check to: and from: both 
using header_checks if/endifs. I don't have time to learn how to build a custom 
milter atm so this will have to do for now, though that would likely be the 
ideal solution).

After some research, some trial and error, and some suggestions, this is what I 
came up with:
For all of the clients that have this capability on the windows side (I don't 
have direct access to a mac at this time, and apparently everyone using this is 
using mailwasher and similar apps) it appears the following line in the 
body_checks filter catches all of them:

/mail.local: unknown name:/ DISCARD

I had one other user that I've located that was a problem after that. I fixed 
his issue by discussion with him and some judicious port filtering; His issue 
was a bit more complex: He is running his own mail server in my static range; 
He doesn't have a good spam filtering setup, specifically his new spam filter 
is unaware of actual valid email addresses on his domain, thus accepts a lot of 
illegitimate email for his domain, which the server then bounces with an 
invalid recipient. Since he realized he had a problem with getting on bounce 
lists last month, he decided the solution was a custom delivery filter. Bounce 
messages from his server are relayed through our public mail server.

Since he doesn't see any issues with maintaining this solution on his end, I 
see no issue with blocking his smtp access to our mail server.

BTW: If anyone out there has a mac and wishes to generate a bounce to my 
address above so I can check my filters against what mac mail generates, I'd 
appreciate it. I can send an email directly to you for that purpose. (a bounce 
to fpu-tn.com will get through because it's our corporate mail server and not 
filtering the same way).

Thanks to the list for the assistance rendered.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165
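
Added example, not part of the original post or of Postfix itself: a small Python emulation of how a Postfix regexp table is applied one line at a time, run over constructed messages. It shows the posted body_checks rule firing and why a From:-plus-To: condition cannot be written in header_checks; the sample messages, addresses and helper names are assumptions.

```python
import re

BODY_CHECKS = "/mail.local: unknown name:/ DISCARD\n"  # the rule quoted in the post

# Constructed sample messages (assumed layout, not captured from a real client).
FAKE_NDR = {
    "headers": ["From: postmaster@customer.example",
                "To: stranger@remote.example",
                "Subject: Returned mail: User unknown"],
    "body": ["   ----- Transcript of session follows -----",
             "mail.local: unknown name: jdoe",
             "550 <jdoe@customer.example>... User unknown"],
}
NORMAL = {
    "headers": ["From: jdoe@customer.example", "To: friend@remote.example"],
    "body": ["See you at noon."],
}

def load_table(text):
    """Parse '/regex/ ACTION' lines. Regexp tables are case-insensitive by default."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*/(.+)/\s+(\S.*)$", line)
        if m:
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2).strip()))
    return rules

def first_action(rules, lines):
    """Stateless lookup: every line is tested on its own, first match wins."""
    for text in lines:
        for rx, action in rules:
            if rx.search(text):
                return action, text
    return None, None

def same_line_and(lines, rx_a, rx_b):
    """All a nested if/endif can express: both patterns on the SAME input line."""
    return any(rx_a.search(l) and rx_b.search(l) for l in lines)

def cross_line_and(lines, rx_a, rx_b):
    """Needs memory across lines, i.e. a milter or similar, not a checks table."""
    return any(rx_a.search(l) for l in lines) and any(rx_b.search(l) for l in lines)

FROM_PM = re.compile(r"^From:.*postmaster@", re.IGNORECASE)
TO_REMOTE = re.compile(r"^To:.*@remote\.example", re.IGNORECASE)

if __name__ == "__main__":
    rules = load_table(BODY_CHECKS)
    print(first_action(rules, FAKE_NDR["body"]))   # rule fires on the fake NDR
    print(first_action(rules, NORMAL["body"]))     # ordinary mail passes
    print(same_line_and(FAKE_NDR["headers"], FROM_PM, TO_REMOTE))
    print(cross_line_and(FAKE_NDR["headers"], FROM_PM, TO_REMOTE))
```

The unescaped dot in the posted pattern matches any character, and DISCARD makes Postfix report successful delivery while silently dropping the message.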


blocking annoying 'bounce mail' feature from customers use.

2011-05-25 Thread Eric J Esslinger
Mac Mail (and others) have a feature that allows my customers to generate a 
fake NDR message and send it back through my server. I get about a customer 
every few months that discovers this 'solution' to spam emails, and when it 
happens they cause delivery problems for my customer mail server by generating 
backscatter.

Today I just ended up on a list that won't take me off for quite a while (or 
unless I pay).

Does anyone know of a way for me to block the following, using postfix, either 
via refusing to accept the mail or by dropping it in /dev/null:
Mail from <> or postmaster that originates within our customer IP blocks/is 
sent using authentication at the submission port and/or that does not have a 
valid local recipient.

I can't find any ready made recipes online for this sort of thing in a short 
dig around for it, and while I think it's possible, I was wondering if anyone 
else was already dealing with this and could say 'oh yeah just put line blah in 
header_checks'. I would think it would be simple once you find it but you know 
how it is.

(I've already dealt with the customer in question but I'm getting tired of this 
popping up every month or three.)
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




A bit off topic: Video streaming/video on demand server

2010-06-22 Thread Eric J Esslinger
My company has been using an online video service for certain shows on our 
local access channel, to stream them live over the internet and make them 
available as video on demand. This is stuff like city and county meetings, 
parades, that sort of thing.

We're getting complaints because the ads had become very intrusive and annoying 
(Budweiser swimsuit girls dancing across the screen in the middle of watching 
the Alderman meeting, for example). They are balking at the yearly 
'subscription' cost, especially as we don't even come close to needing the 
amount of bandwidth/storage that provides.

So I've been asked to look into setting up something locally (we have more than 
enough bandwidth to support what little use we're getting, with plenty of room 
to grow), but I really don't know where to start. So I'm looking for some help, 
perhaps experience with products, or someone who could consult with us on this. 
Also, my content creator needs an easy path to get the content online. He does 
his editing with a computer but trying to get him to convert formats and such 
is somewhat difficult.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165





Need to talk to Charter email contact

2010-03-26 Thread Eric J Esslinger
Good afternoon, I'm looking for some clueful help from someone at Charter. 
I've got a static IP customer unable to deliver mail to charter.net customers 
and I can get no help trying to get in through the 'front door' of tech 
support. I've been forwarded to the residential Spanish technicians 3 times so 
far to get rid of me.
Customer is unable to get any connection to ib1.charter.net on port 25 thus is 
unable to use the unbl...@charter.net method of 
clearing this up. The few people I've talked to that understand what I'm 
talking about say that his connection timing out is 'impossible to be an issue 
on the Charter side', but there is no block preventing his email on our side 
(and he can successfully send to aol, bellsouth, hotmail, gmail, yahoo, 
comcast, etc.)
DNS is configured with mx, forward and reverse records properly setup.

Can contact me off list by phone or email. Thanks in advance.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165




RE: Need to talk to Charter email contact

2010-03-26 Thread Eric J Esslinger
And a followup: I've got someone in their mail group and we're working on 
clearing up the issue.

Thank you everyone for the replies and help.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



 -Original Message-
 From: Eric J Esslinger [mailto:eesslin...@fpu-tn.com]
 Sent: Friday, March 26, 2010 1:54 PM
 To: 'nanog@nanog.org'
 Subject: Need to talk to Charter email contact


 Good afternoon, I'm looking for some clueful help from
 someone at Charter. I've got a static IP customer unable to
 deliver mail to charter.net customers and I can get no help
 trying to get in through the 'front door' of tech support.
 I've been forwarded to the residential Spanish technicians 3
 times so far to get rid of me. Customer is unable to get any
 connection to ib1.charter.net on port 25 thus is unable to
 use the unbl...@charter.net
 method of clearing this up. The few people I've talked to
 that understand what I'm talking about say that his
 connection timing out is 'impossible to be an issue on the
 Charter side', but there is no block preventing his email on
 our side (and he can successfully send to aol, bellsouth,
 hotmail, gmail, yahoo, comcast, etc.) DNS is configured with
 mx, forward and reverse records properly setup.

 Can contact me off list by phone or email. Thanks in advance.
 __ Eric Esslinger Information
 Services Manager - Fayetteville Public Utilities
 http://www.fpu-tn.com/ (931)433-1522 ext 165

 

DNS question, null MX records

2009-12-15 Thread Eric J Esslinger
I have a domain that exists solely to cname A records to another domain's 
websites. There is no MX server for that domain, there is no valid mail sent as 
from that domain. However when I hooked it up I immediately started getting 
bounces and spam traffic attempting to connect to the cnamed A record, which 
has no inbound mail server (It's actually hitting the firewall in front of it). 
(The domain name is actually several years old and has been sitting without dns 
for a while)

I found a reference to a null MX proposal, constructed so:
example.com IN MX 0 .

Question: Is this a valid dns construct or did the proposal die? I don't want 
to cause people problems but at the same time, I don't want any of this crap to 
even attempt to deliver on this domain to any of my servers.


__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165






RE: DNS question, null MX records

2009-12-15 Thread Eric J Esslinger

I've had a couple of off-list comments already about using it as/donating it to 
a spam trap; That is a good idea and I actually thought of that.

However, the address was formerly used for email addresses for our customers 
and for our business (some 10 years ago it was registered, but has not had any 
valid dns records set for roughly 6 years), and we still deal from time to time 
with mail being sent to old addresses on that domain for various reasons 
(several dns registrations, for example, we've had to help these people go 
through the fax change system because we don't want to go to the trouble of 
setting up to receive email on this domain again)

So in any case, due to customer privacy concerns we feel we can't do that.

Also I have set the spf -all on it, for those that look for these records to 
auto-reject email from the domain.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



-Original Message-
From: Eric J Esslinger [mailto:eesslin...@fpu-tn.com]
Sent: Tuesday, December 15, 2009 9:18 AM
To: 'nanog@nanog.org'
Subject: DNS question, null MX records


I have a domain that exists solely to cname A records to another domain's 
websites. There is no MX server for that domain, there is no valid mail sent as 
from that domain. However when I hooked it up I immediately started getting 
bounces and spam traffic attempting to connect to the cnamed A record, which 
has no inbound mail server (It's actually hitting the firewall in front of it). 
(The domain name is actually several years old and has been sitting without dns 
for a while)

I found a reference to a null MX proposal, constructed so:
example.com IN MX 0 .

Question: Is this a valid dns construct or did the proposal die? I don't want 
to cause people problems but at the same time, I don't want any of this crap to 
even attempt to deliver on this domain to any of my servers.


__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities 
http://www.fpu-tn.com/ (931)433-1522 ext 165





RE: DNS question, null MX records *summary of on list and off list replies*

2009-12-15 Thread Eric J Esslinger
A. Use a valid domain mapped to an unroutable or loopback instead of the .
I've decided to use 127.0.0.1
B. Set spf -all, for those who bother to check that to stop inbound mail from 
your domain.
Already had that in place
C. Donate the spam to someone who would use it.
I can't donate the existing incoming email due to privacy concerns, however, 
project honeypot uses subdomains (f...@bar.example.com) for its spam traps and 
wants unused subdomains so its traps will be 'clean to start'. I'll see if I 
can get that done.
D. Expect some spammers to detect any MX strangeness you use and bypass it in 
favor of your A record.
Understandable, and none of the referenced records in the DNS files accept mail 
from outside, connections are silently dropped at the firewall. This is just an 
attempt to cut the mess coming in because of the A record down in size.
E. Set up an actual mail server routing all mail to /dev/null.
I'd rather just drop the traffic rather than have another service to 
maintain/secure/update


__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



-Original Message-
From: Eric J Esslinger [mailto:eesslin...@fpu-tn.com]
Sent: Tuesday, December 15, 2009 9:18 AM
To: 'nanog@nanog.org'
Subject: DNS question, null MX records


I have a domain that exists solely to cname A records to another domain's 
websites. There is no MX server for that domain, there is no valid mail sent as 
from that domain. However when I hooked it up I immediately started getting 
bounces and spam traffic attempting to connect to the cnamed A record, which 
has no inbound mail server (It's actually hitting the firewall in front of it). 
(The domain name is actually several years old and has been sitting without dns 
for a while)

I found a reference to a null MX proposal, constructed so:
example.com IN MX 0 .

Question: Is this a valid dns construct or did the proposal die? I don't want 
to cause people problems but at the same time, I don't want any of this crap to 
even attempt to deliver on this domain to any of my servers.
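
Added example, not part of the thread: a Python sketch that classifies the MX set-ups discussed above, using constructed zone lines for example.com. It assumes the rules of RFC 5321 (implicit MX fallback to the address record, which is why a domain with no MX still attracts SMTP connections) and RFC 7505, which later standardized the `MX 0 .` form; the function and zone names are illustrative.

```python
import ipaddress

# Constructed zone snippets for the three set-ups discussed in the thread.
ZONES = {
    "no_mx": "example.com. IN A 192.0.2.10\n",
    "null_mx": "example.com. IN A 192.0.2.10\n"
               "example.com. IN MX 0 .\n",
    "loopback_mx": "example.com. IN A 192.0.2.10\n"
                   "example.com. IN MX 10 sink.example.com.\n"
                   "sink.example.com. IN A 127.0.0.1\n",
}

def parse_zone(text):
    """Collect MX and A records from simple 'name IN TYPE rdata' lines (no TTLs)."""
    mx, addr = {}, {}
    for line in text.splitlines():
        f = line.split(";", 1)[0].split()
        if "IN" in f:
            f.remove("IN")
        if len(f) == 4 and f[1] == "MX" and f[2].isdigit():
            mx.setdefault(f[0].lower(), []).append((int(f[2]), f[3].lower()))
        elif len(f) == 3 and f[1] == "A":
            addr.setdefault(f[0].lower(), []).append(ipaddress.ip_address(f[2]))
    return mx, addr

def mail_route(domain, zone_text):
    """Classify how a standards-following sending MTA would route mail for domain."""
    mx, addr = parse_zone(zone_text)
    records = mx.get(domain.lower(), [])
    if not records:
        # RFC 5321 5.1: with no MX, the domain's own address is an implicit MX.
        return "implicit-mx" if domain.lower() in addr else "no-route"
    if records == [(0, ".")]:
        return "null-mx"        # RFC 7505: the domain accepts no mail at all
    if any(exch == "." for _, exch in records):
        return "misconfigured"  # a null MX must be the only MX record
    ips = [ip for _, exch in records for ip in addr.get(exch, [])]
    if ips and all(ip.is_loopback for ip in ips):
        return "loopback-mx"    # option A in the summary: sender dials itself
    return "explicit-mx"

if __name__ == "__main__":
    for name, zone in ZONES.items():
        print(name, "->", mail_route("example.com.", zone))
```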






iGlass CMTS monitoring solution

2009-11-25 Thread Eric J Esslinger
We've been looking at the iGlass's cable system monitoring solution for 
monitoring our cable system; It integrates with billing to give the ability, at 
a csr level, to allow them to directly lookup the status of a customer's cable 
modem (for example, online, offline, negotiating, flapping), history, and also 
integrates with the CMTS and will make SNMP polls of the modems to see signal 
levels, CPE's attached, configured speed vs current actual speed, etc.

I was wondering if anyone had any comments for or against them, or of 
alternative companies or even open source alternatives. I'm perfectly fine with 
'roll your own' but Nagios/cacti type monitoring really just doesn't cut it 
where this is concerned.

We're  10k customers.

Contacting me offlist is fine. Thanks.



__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165





RE: Is your ISP blocking outgoing port 25?

2009-06-19 Thread Eric J Esslinger
I am the ISP, and we currently don't. However, I inherited this setup and have 
been slowly fixing glaring holes (those are fairly well gone now) and not so 
glaring ones. When our new firewall gets in, I will be rolling in port 25 
blocks on dynamic IP addresses. The static ips will be unfiltered. Customers 
may send outbound mail through our SMTP server, or connect via alternate ports 
to their SMTP server.




From: Zhiyun Qian [zhiy...@umich.edu]
Sent: Thursday, June 18, 2009 2:36 PM
To: nanog@nanog.org
Subject: Is your ISP blocking outgoing port 25?

It has been long heard that many ISPs block outgoing port 25 for the purpose
of reducing spam originated from their network.

I wonder which ISPs are still doing so. I know comcast has been doing that
but they cancelled it after many complaints. It seems to be the same case
for Verizon.

ATT is the major one that I know of that is still enforcing this policy.
But they said they can unblock port 25 upon request. I am not sure how easy
it is.

One simple way to test if your ISP is blocking outgoing port 25 is to try:
telnet mx2.hotmail.com 25 or telnet gmail-smtp-in.l.google.com 25. If
the connection fails, it could be due to the fact your ISP is blocking
outgoing port 25, although it can also be other reasons such as local
firewall configuration. Can someone perform the test and let me know result
if possible? Thanks a lot!

Regards.
-Zhiyun

