Can't "telnet mail-host 25"
|
|
| Xiangrong Cai 2005-11-28, 5:57 pm |
| Hi,
I am running linux 8.? standard distribution. I noticed that I can't do
"telnet server-host port" for a lot of ports, even though the server to
serve the port is running in server-host. For example, when I have
sendmail/smtp running on host mail-host(47.17.17.50), a "telnet
mail-host 25" from another linux/unix failed with message:
"Trying 47.17.170.50...
telnet: connect to address 47.17.170.50: Connection refused".
I can do this to port 21 (ftp) and 23 (telnet) once I make the proper
change to xinet.d config files, but I just can't make port 25 work.
The question: is this failure caused by TCP wrapper (the host to and
from allow each other), xinetd config, or PAM? Or something else? How to
fix this problem?
Thanks.
-- Karl
| |
| Splatter 2005-11-28, 8:46 pm |
| Xiangrong Cai wrote:
> Hi,
>
> I am running linux 8.? standard distribution. I noticed that I can't do
> "telnet server-host port" for a lot of ports, even though the server to
> serve the port is running in server-host. For example, when I have
> sendmail/smtp running on host mail-host(47.17.17.50), a "telnet
> mail-host 25" from another linux/unix failed with message:
>
> "Trying 47.17.170.50...
> telnet: connect to address 47.17.170.50: Connection refused".
>
> I can do this to port 21 (ftp) and 23 (telnet) once I make the proper
> change to xinet.d config files, but I just can't make port 25 work.
>
> The question: is this failure caused by TCP wrapper (the host to and
> from allow each other), xinetd config, or PAM? Or something else? How to
> fix this problem?
>
> Thanks.
>
> -- Karl
>
I'd check the firewall....
Good luck!
| |
| Xiangrong Cai 2005-11-29, 5:50 pm |
| Splatter wrote:
> Xiangrong Cai wrote:
>
>
>
> I'd check the firewall....
>
> Good luck!
>
Thanks for the response. However, I don't think there is a firewall
involved. I am doing the test within the same intranet. Actually, the
two machines (47.17.170.50 and 47.17.170.28) are in the same subnet
(connected with a switch). Also, if it is because of the firewall, then
port 21 and 23 should be blocked also.
One more piece of info: telnet localhost 25 works in host 50, but telnet
47.17.170.50 25 from host 28 doesn't work.
-- Karl
| |
| Ivan Marsh 2005-11-29, 5:50 pm |
| On Tue, 29 Nov 2005 12:18:51 -0500, Xiangrong Cai wrote:
> Splatter wrote:
>
> Thanks for the response. However, I don't think there is a firewall
> involved.
You wouldn't get "Connection refused" if there was. That's a response from
the server. If it was a firewall issue you'd get nothing... and eventually
a timeout.
> One more piece of info: telnet localhost 25 works in host 50, but telnet
> 47.17.170.50 25 from host 28 doesn't work.
Are you sure a pop/imap server is running? If the port is open but nothing
servicing it you will get a connection refused message.
--
The USA Patriot Act is the most unpatriotic act in American history.
| |
|
| On Mon, 28 Nov 2005 18:31:23 -0500, Xiangrong Cai wrote this:
> Hi,
>
> I am running linux 8.? standard distribution. I noticed that I can't do
> "telnet server-host port" for a lot of ports, even though the server to
> serve the port is running in server-host. For example, when I have
> sendmail/smtp running on host mail-host(47.17.17.50), a "telnet mail-host
> 25" from another linux/unix failed with message:
>
> "Trying 47.17.170.50...
> telnet: connect to address 47.17.170.50: Connection refused".
>
telnet -l user 47.17.170.50 25 ?
Anything in /var/log/messages /var/log/secure ?
> I can do this to port 21 (ftp) and 23 (telnet) once I make the proper
> change to xinet.d config files, but I just can't make port 25 work.
>
> The question: is this failure caused by TCP wrapper (the host to and from
> allow each other), xinetd config, or PAM? Or something else? How to fix
> this problem?
>
> Thanks.
>
> -- Karl
| |
| S P Arif Sahari Wibowo 2005-11-29, 5:50 pm |
| On Mon, 28 Nov 2005, Xiangrong Cai wrote:
> I am running linux 8.? standard distribution. I noticed that I
> can't do "telnet server-host port" for a lot of ports, even
> though the server to serve the port is running in server-host.
> For example, when I have sendmail/smtp running on host
> mail-host(47.17.17.50), a "telnet mail-host 25" from another
> linux/unix failed with message:
> "Trying 47.17.170.50...
> telnet: connect to address 47.17.170.50: Connection refused".
Are you sure the server program is actually up and accepting
connections at that interface? Use ps and netstat to make sure.
Are you sure there is no firewall? Try iptables -L and see what
comes out.
Some programs use the hosts_access control files,
/etc/hosts.allow and /etc/hosts.deny
Take a look at what's in the files, as well.
--
(Stephan Paul) Arif Sahari Wibowo
_____ _____ _____ _____
/____ /____/ /____/ /____
_____/ / / / _____/ http://www.arifsaha.com/
| |
| Xiangrong Cai 2005-11-30, 5:48 pm |
| Ivan Marsh wrote:
> On Tue, 29 Nov 2005 12:18:51 -0500, Xiangrong Cai wrote:
>
>
>
> You wouldn't get "Connection refused" if there was. That's a response from
> the server. If it was a firewall issue you'd get nothing... and eventually
> a timeout.
>
>
>
>
> Are you sure a pop/imap server is running? If the port is open but nothing
> servicing it you will get a connection refused message.
>
sendmail is running and I think it serves port 25. Actually, when doing "telnet
localhost 25", I can use the SMTP commands like helo, mail from, rcpt to, data,
etc to send an email.
113% ps -ef | grep sendmail
root 1629 1 0 Nov21 ? 00:00:00 sendmail: accepting connections
smmsp 1638 1 0 Nov21 ? 00:00:00 sendmail: Queue runner@01:00:00
kcai 20214 3395 0 13:42 pts/9 00:00:00 grep sendmail
87% (using sudo) iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
When the host is solaris2.5.1, with similar setting (i.e., sendmail is running),
I can do both "telnet localhost 25" from local machine and "telnet solaris-host
25" from another machine, Linux or Solaris.
When doing ethereal, these are the two tcp packet exchanges (from 50 "telnet
xx.28 25", where xx.28 is running the sendmail):
50->28: tcp 34672 -> smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 ...
28->50: tcp [TCP ZeroWindow] smtp -> 34672 [RST, ACK] Seq=0 Ack=0, Win=0 Len=0
So it seems the [TCP ZeroWindow] resets the TCP connection. From the web, it
shows that [TCP ZeroWindow] normally means that there is no network buffer. But
obviously this is not true, since I can do several other tcp connections [like
telnet, ssh, ftp] without a problem. So the question is: Who set the [TCP
ZeroWindow] in this case? I don't think it is the Linux Kernel. Must be some
application like tcp wrapper, xinetd, pam, or something.
As I mentioned earlier, there is no firewall involved. hosts.allow and
hosts.deny are set OK [telnet and ftp work fine], and there is no related
messages shown in the /var/log/messages and /var/log/secure. That's why I send
the email to this newsgroup in the first place. It is just confusing to me :-).
All I can think about is tcpwrapper (hosts.allow and hosts.deny), xinetd, and
pam. But it seems none of them is sending the refusing message.
| |
| Ivan Marsh 2005-11-30, 5:48 pm |
| On Wed, 30 Nov 2005 14:14:22 -0500, Xiangrong Cai wrote:
> Ivan Marsh wrote:
>
> sendmail is running and I think it serves port 25. Actually, when doing
> "telnet localhost 25", I can use the SMTP commands like helo, mail from,
> rcpt to, data, etc to send an email.
sendmail is an MTA (mail transfer agent) not a pop/imap daemon. You need
dovecot or qpopper or something like that running in addition to sendmail.
--
The USA Patriot Act is the most unpatriotic act in American history.
| |
| Xiangrong Cai 2005-11-30, 5:48 pm |
| Yes, you are right. I did nmap to both the linux host 28 and solaris host 75.
Linux host doesn't show port 25, while solaris host 75 shows the port 25 is open.
That question being answered, I still have one more question: what is the
difference between "telnet localhost 25" from localhost and "telnet 47.17.170.28
25" from a remote host? Why in the first form, somebody (I think it is sendmail)
serves the port 25, while in the second form, nobody serves port 25?
Ivan Marsh wrote:
> On Wed, 30 Nov 2005 14:14:22 -0500, Xiangrong Cai wrote:
>
>
>
>
>
>
> sendmail is an MTA (mail transfer agent) not a pop/imap daemon. You need
> dovecot or qpopper or something like that running in addition to sendmail.
>
| |
| Mr. Box 2005-11-30, 8:46 pm |
| Hi
Have you tried the netstat command?
# netstat -na | grep LISTEN
You have to find the row that shows port 25 listening.
But if you want the smtp server to accept connections from other servers,
port 25 must be listening on ALL interfaces!
So...
you have to see 0.0.0.0:25
and NOT 127.0.0.1:25
Box
PS
please, forgive my English!!!
"Xiangrong Cai" <kcai@nortel.com> wrote in message
news:dmlar1$9vt$1@zcars129.ca.nortel.com...
> Yes, you are right. I did nmap to both the linux host 28 and solaris host
> 75. Linux host doesn't show port 25, while solaris host 75 shows the port
> 25 is open.
>
> That question being answered, I still have one more question: what is the
> difference between "telnet localhost 25" from localhost and "telnet
> 47.17.170.28 25" from a remote host? Why in the first form, somebody (I
> think it is sendmail) serves the port 25, while in the second form, nobody
> serves port 25?
>
| |
| Ivan Marsh 2005-12-01, 8:48 pm |
| > Ivan Marsh wrote:
On Wed, 30 Nov 2005 17:58:41 -0500, Xiangrong Cai wrote:
> Yes, you are right. I did nmap to both the linux host 28 and solaris
> host 75. Linux host doesn't show port 25, while solaris host 75 shows
> the port 25 is open.
>
> That question being answered, I still have one more question: what is
> the difference between "telnet localhost 25" from localhost and "telnet
> 47.17.170.28 25" from a remote host? Why in the first form, somebody (I
> think it is sendmail) serves the port 25, while in the second form,
> nobody serves port 25?
Localhost never hits your network adapter. It's a virtual device. I'm not
sure why that makes any difference in your case but I suppose it could
where sendmail is concerned.
Please don't top post.
--
The USA Patriot Act is the most unpatriotic act in American history.
| |
| Robert Nichols 2005-12-01, 8:48 pm |
| In article <dmlar1$9vt$1@zcars129.ca.nortel.com>,
Xiangrong Cai <kcai@nortel.com> wrote:
:
:That question being answered, I still have one more question: what is
:the difference between "telnet localhost 25" from localhost and "telnet
:47.17.170.28 25" from a remote host? Why in the first form, somebody (I
:think it is sendmail) serves the port 25, while in the second form,
:nobody serves port 25?
Perhaps because you have sendmail configured to listen only on the
loopback address, as in this excerpt from sendmail.mc:
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
That or a firewall not allowing inbound port 25 are the only two likely
explanations.
--
Bob Nichols AT comcast.net I am "RNichols42"
| |
| Xiangrong Cai 2005-12-01, 8:48 pm |
| Robert Nichols wrote:
> In article <dmlar1$9vt$1@zcars129.ca.nortel.com>,
> Xiangrong Cai <kcai@nortel.com> wrote:
> :
> :That question being answered, I still have one more question: what is
> :the difference between "telnet localhost 25" from localhost and "telnet
> :47.17.170.28 25" from a remote host? Why in the first form, somebody (I
> :think it is sendmail) serves the port 25, while in the second form,
> :nobody serves port 25?
>
> Perhaps because you have sendmail configured to listen only on the
> loopback address, as in this excerpt from sendmail.mc:
>
> dnl #
> dnl # The following causes sendmail to only listen on the IPv4 loopback address
> dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
> dnl # address restriction to accept email from the internet or intranet.
> dnl #
> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>
> That or a firewall not allowing inbound port 25 are the only two likely
> explanations.
>
Thanks all who responded. I learned a lot and I think I know part of the reason
now :-)
Here is the output per Mr. Box's comments:
96% netstat -na | grep LISTEN | grep 25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
On the solaris2.5.1 though, it is:
1% netstat -na | grep LISTEN | grep 25
*.25 *.* 0 0 0 0 LISTEN
So on my Linux I am listening only to 127.0.0.1:25, not 0.0.0.0:25. But it seems
to me my sendmail is not configured to do so (I am not familiar with sendmail
config though). Can somebody find the problem for me? Here is my sendmail.mc.
You can see that the line "DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,
Name=MTA')dnl" [enclosed by <<<<< >>>>> below] is commented out. And I really
don't think there is any firewall configured to block port 25 in the machine,
which is a desktop for my daily work.
92% more sendmail.mc
divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`SMART_HOST',`ussmtp.us.nortel.com')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)
dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
<<<<<<<<<<<<<<<
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwlocalhost.localdomain
| |
| Robert Nichols 2005-12-02, 5:47 pm |
| In article <dmn8oe$bu6$1@zcars129.ca.nortel.com>,
Xiangrong Cai <kcai@nortel.com> wrote:
:Robert Nichols wrote:
:> In article <dmlar1$9vt$1@zcars129.ca.nortel.com>,
:> Xiangrong Cai <kcai@nortel.com> wrote:
:> :
:> :That question being answered, I still have one more question: what is
:> :the difference between "telnet localhost 25" from localhost and "telnet
:> :47.17.170.28 25" from a remote host? Why in the first form, somebody (I
:> :think it is sendmail) serves the port 25, while in the second form,
:> :nobody serves port 25?
:>
:> Perhaps because you have sendmail configured to listen only on the
:> loopback address, as in this excerpt from sendmail.mc:
:>
:> dnl #
:> dnl # The following causes sendmail to only listen on the IPv4 loopback address
:> dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
:> dnl # address restriction to accept email from the internet or intranet.
:> dnl #
:> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
:>
:> That or a firewall not allowing inbound port 25 are the only two likely
:> explanations.
:>
:
:Thanks all who responded. I learned a lot and I think I know part of the reason
:now :-)
:
:Here is the output per Mr. Box's comments:
:
:96% netstat -na | grep LISTEN | grep 25
:tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
:
:On the solaris2.5.1 though, it is:
:1% netstat -na | grep LISTEN | grep 25
: *.25 *.* 0 0 0 0 LISTEN
:
:So on my Linux I am listening only to 127.0.0.1:25, not 0.0.0.0:25. But it seems
:to me my sendmail is not configured to do so (I am not familiar with sendmail
:config though). Can somebody find the problem for me? Here is my sendmail.mc.
:You can see that the line "DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,
:Name=MTA')dnl" [enclosed by <<<<< >>>>> below] is commented out. And I really
:don't think there is any firewall configured to block port 25 in the machine,
:which is a desktop for my daily work.
[SNIP]
Your sendmail is listening only on the local loopback address. Did
/etc/sendmail.cf get rebuilt after you edited the sendmail.mc file?
Check the file modification times, and grep for "DaemonPortOptions" in
your sendmail.cf file. In many Linux distributions you just need to run
"make" in the /etc/mail directory, but it's also common for that to be
done automatically when the sendmail service is started, so I'm not sure
what your problem might be. Perhaps 'make' isn't installed on your
system. The command to rebuild sendmail.cf manually is:
mv sendmail.cf sendmail.cf.bak
m4 sendmail.mc >sendmail.cf
--
Bob Nichols AT comcast.net I am "RNichols42"
|
|
|
|
|
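The two checks suggested in the replies above (which address port 25 is bound to in the netstat output, and whether sendmail.cf was regenerated after sendmail.mc was edited), as an added example that is not part of the original thread. The function names are hypothetical, the sample LISTEN lines are the ones quoted in the thread, and the `O DaemonPortOptions=` line format is the one m4 writes into a generated sendmail.cf.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; sample lines are the netstat
# output quoted in the thread.

# listener_scope PORT: read `netstat -na` on stdin and print where PORT is
# listening: all-interfaces, specific, loopback-only or not-listening.
listener_scope() {
    awk -v port="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                # Linux prints addr:port, Solaris prints addr.port
                if ($i ~ ("[.:]" port "$")) {
                    addr = $i
                    sub("[.:]" port "$", "", addr)
                    if (addr == "0.0.0.0" || addr == "*" || addr == "::") any = 1
                    else if (addr ~ /^127\./ || addr == "::1") loop = 1
                    else other = 1
                    break
                }
            }
        }
        END {
            if (any) print "all-interfaces"
            else if (other) print "specific"
            else if (loop) print "loopback-only"
            else print "not-listening"
        }'
}

# cf_daemon_addrs FILE: print the Addr= of each active "O DaemonPortOptions="
# line in a generated sendmail.cf ("any" when the line sets no Addr).
# Commented-out options ("#O ...") are ignored.
cf_daemon_addrs() {
    grep '^O DaemonPortOptions=' "$1" | while IFS= read -r line; do
        case "$line" in
            *Addr=*) addr=${line#*Addr=}; echo "${addr%%,*}" ;;
            *) echo "any" ;;
        esac
    done
}

# cf_is_stale MC CF: true when sendmail.mc was modified after sendmail.cf was
# last generated, i.e. the running config predates the edit.
cf_is_stale() { [ "$1" -nt "$2" ]; }

# Constructed demo input: the two LISTEN lines from the thread.
linux_line='tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN'
solaris_line='*.25 *.* 0 0 0 0 LISTEN'
echo "linux:   $(printf '%s\n' "$linux_line" | listener_scope 25)"
echo "solaris: $(printf '%s\n' "$solaris_line" | listener_scope 25)"
```

On a live host, pipe `netstat -na` into `listener_scope 25` and point `cf_daemon_addrs` and `cf_is_stale` at the real sendmail.cf and sendmail.mc paths.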