Troubleshooting SMTP/TELNET

Ok, My SMTP is unable to accept connections from non-local subnets. Is
this an SMTP thing or something else... my inetd.conf file has TELNET
remarked out. So, I can actually NOT TELNET in to this box from
anywhere,but I CAN telnet in on port 25 from the local subnet. What can
block port 25 telnet sessions?

Carl

On 2005-01-31, Carl Hilton <(E-Mail Removed)> wrote:
> Ok, My SMTP is unable to accept connections from non-local subnets.

I think you should check your firewall settings.
Davide

--
Dogs crawl under fences... software crawls under Windows 95.

Carl Hilton wrote:
> Ok, My SMTP is unable to accept connections from non-local subnets.
Is
> this an SMTP thing or something else... my inetd.conf file has TELNET
> remarked out. So, I can actually NOT TELNET in to this box from
> anywhere,but I CAN telnet in on port 25 from the local subnet. What
can
> block port 25 telnet sessions?

So, you are not running the telnetd, but you are running a SMTP
(sendmail?) daemon that is set to listen for _all_ incoming
connections? Double check what it is prepared to accept. I have to
assume you're running sendmail till you say otherwise ;-)

What do you mean by "non-local" subnets? From the internet or LAN
based subnets different from the subnet of your SMTP server/daemon?

I presume you mean the internet -- this is good that connections are
blocked. Are the SYN packets (to port 25?) blocked by a firewall rule?
Or is this (additionally?) a sendmail configuration? Hopefully,
_both_ are in effect but your config is allowing other _LAN_ hosts to
use your sendmail as a GW MTA. Check that your firewall rules are not
allowing outside traffic through port 25. Most host based firewalls
and GWs allow outgoing SYN packets (including mail on port 25) and
their replies to pass through, which is OK for now.

RH/FC come with sendmail configured to _only_ accept connections from
localhost -- no other hosts can connect, neither local LAN nor
internet. I'm not sure of other distros. The other day someone posted
that their experience was that other distros _allow_ LAN host
connections to the listening sendmail daemon.

Do you have/use a gui tool to configure sendmail or do you use a text
editor? If the former, check for an option that allows sendmail to
accept (or reject) local LAN connections. This (accept local LAN
connections) is usually only done if you are running a sendmail gateway
for the LAN. Check your sendmail.mc file for DAEMON_OPTIONS. Mine (on
a RH box) reads:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Do NOT make any changes to sendmail.cf or sendmail.mc before making
backups! Repeat: do NOT make any changes without backups. Do not
trust your gui tool to make backups for you (if you are using one).
Read the /usr/share/sendmail-cf/README for some background and check
your distro docs for any info they provide about the MTA setup.

I'm reluctant to go further for fear I'll break your mail. Probably
not what you want. Check your MTA config and any docs with your
distro, then post back if you have questions on how to set things up
the way you want. Be sure to mention your distro and what mailer you
are using for your MTA. Perhaps a copy of your /etc/mail/sendmail.mc
with _all_ the comments stripped out.

If you attempt to make changes to the sendmail configuration via a text
editor, be sure you understand the use of sendmail.mc and the m4
processor to generate the sendmail.cf file. Directly editing
sendmail.cf is not for mere mortals.

If you're using another mailer the setup details will vary
significantly but the options (in this case) will be "conceptually"
similar. I'm just assuming you're using sendmail as that is the most
commonly used MTA.
..
hth,
prg
email above disabled

Carl Hilton <(E-Mail Removed)> wrote:
> Ok, My SMTP is unable to accept connections from non-local subnets. Is
> this an SMTP thing or something else... my inetd.conf file has TELNET
> remarked out. So, I can actually NOT TELNET in to this box from
> anywhere,but I CAN telnet in on port 25 from the local subnet. What can
> block port 25 telnet sessions?

What's your actual question? I see several possible candidates here...

* You want to accept SMTP connections from elsewhere
* You want to accept TELNET conections from the local network
* You want to accept TELNET connections from elsewhere

Why are you even considering telnet? Please look at using ssh instead!
Chris

Carl Hilton wrote:
> Ok, My SMTP is unable to accept connections from non-local subnets. Is
> this an SMTP thing or something else... my inetd.conf file has TELNET
> remarked out. So, I can actually NOT TELNET in to this box from
> anywhere,but I CAN telnet in on port 25 from the local subnet. What can
> block port 25 telnet sessions?
>
> Carl

You can have your SMTP only configured to accept mails from your
local box or you have a firewall that is blocking port 25.

Regards.


--

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
(E-Mail Removed)
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

In article <(E-Mail Removed) .com>,
Carl Hilton <(E-Mail Removed)> wrote:

> Ok, My SMTP is unable to accept connections from non-local subnets. Is
> this an SMTP thing or something else... my inetd.conf file has TELNET
> remarked out. So, I can actually NOT TELNET in to this box from
> anywhere,but I CAN telnet in on port 25 from the local subnet. What can
> block port 25 telnet sessions?
>
> Carl

Carl, I assume you are using a default configuration.

First, your immediate question: We have to distinguish telnet as a tool
vs. TELNET as a protocol. When your inetd.conf has TELNET marked out,
this means your box will not accept connections over the usual TELNET
port.

On the otherhand, we use the telnet program as a tool to test
connections to port 25, the SMTP port. You say you can do this from
your LAN but not from outside. You'll have to find out what's blocking
these connections... Might the firewall on your box, might be that
outbound port 25 connections are blocked by the ISP where you did your
outside test (Verizon does this to reduce spam), or etc.

My first guess is you did a test from someone's cable connection and
that ISP is blocking port 25. Try from several different types of
outside connections.

Once you can telnet your.domain 25 from outside IPs, then you'll have
to configure sendmail or postfix to accept connections from certain
locations but not be an "open relay" that will be abused. Also, if you
do have an open relay, you'll quickly become a pariah on the internet.

In my setup,
- port 25 connections are accepted
- sendmail is configured to accept any mail for valid addresses in the
local domain (user accounts, aliases in /etc/mail/aliases, and domains
specified in /etc/sendmail.cf)
- sendmail is configured to accept mail for outside addresses ONLY
from certain specific ips from which my users connect... (do this in
/etc/mail/access)
- I prefer to create an ssh tunnel for ports 25 and 110 so my remote
users can send mail with me having to edit /etc/mail/access. SMTP Auth
or STMP-after-POP would also help here.
- Note: run newaliases after editing /etc/mail/aliases and rebuild
access.db after editing /etc/mail/access

(Hope I have all of this right... I don't fiddle these things every day
and it's easy to forget things.)

Hope this helps.

-- Sally

--
Sally Shears (a.k.a. "Molly")
(E-Mail Removed) -or- (E-Mail Removed)
http://theWorld.com/~sshears

I mean different subnets on the same LAN... We are using various class
C subnets for our LAN. Also, there is NO firewalls between the
different subnets on the LAN. only between the LAN and the Internet.
Carl

I AM using SENDMAIL. downloaded from SENDMAIL.ORG, running on a
SLACKWARE LINUX box. I am using TELNET for troubleshooting SMTP
purporses ONLY. I have ALL my subnets listed by IP in my
/etc/mail/access and I HAVE refreshed/rebuilt the access.db.

my sendmail.mc:

divert(0)dnl
VERSIONID(`$Id: generic-linux.mc,v 8.1 1999/09/24 22:48:05 gshapiro Exp
$')
OSTYPE(linux)dnl
DOMAIN(generic)dnl
FEATURE(`access_db')
MAILER(local)dnl
MAILER(smtp)dnl
define(`confPRIVACY_FLAGS',`authwarnings,needmailh elo,needexpnhelo,needvrfyhelo,noexpn,restrictmailq ,restrictqrun')
Thanks for everybody's replies.

On 1 Feb 2005 03:57:57 -0800, Carl Hilton <(E-Mail Removed)> wrote:
> I AM using SENDMAIL. downloaded from SENDMAIL.ORG, running on a
> SLACKWARE LINUX box. I am using TELNET for troubleshooting SMTP
> purporses ONLY. I have ALL my subnets listed by IP in my
> /etc/mail/access and I HAVE refreshed/rebuilt the access.db.
>
> my sendmail.mc:
>
> divert(0)dnl
> VERSIONID(`$Id: generic-linux.mc,v 8.1 1999/09/24 22:48:05 gshapiro Exp
> $')
> OSTYPE(linux)dnl
> DOMAIN(generic)dnl
> FEATURE(`access_db')
> MAILER(local)dnl
> MAILER(smtp)dnl
> define(`confPRIVACY_FLAGS',`authwarnings,needmailh elo,needexpnhelo,needvrfyhelo,noexpn,restrictmailq ,restrictqrun')
> Thanks for everybody's replies.

What do your mail logs say when you attempt to telent to smtp server port
25 from other local subnets? Do you have proper routing to other local
subnets (can you ping/traceroute from the server to those client IPs)?

Yes, I have proper routing as I can PING the SMTP server from all
subnets. There is NO entry in the mail logs for failed smtp attempts.

Carl