<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/3.14.3"> </HEAD> <BODY> On Fri, 2007-08-31 at 10:18 +0800, Ed Greshko wrote: <BLOCKQUOTE TYPE=CITE> <PRE> Timothy Murphy wrote: > Andy Green wrote: > >> Somebody in the thread at some point said: >> >>>> telnet <myserver> 993 >>>> I just get >>>> Trying <server IP address> >>>> and nothing further, until I type ctrl-C. >>> Check /var/log/messages to see if anything is logged. The behavior of >>> telnet sounds like the behavior of openssl. It's probably not the >> No, he doesn't even get a tcp connection established. If I telnet to my >> IMAP server I see >> >> telnet 192.168.0.xx 993 >> Trying 192.168.0.xx... >> Connected to 192.168.0.xx. >> Escape character is '^]'. >> >> I would first confirm that something is still listening on your external >> network interface on 993. > > Thanks for all the responses. > > nmap seems to show that port 993 is open: > ===================================== > [tim@martha ~]$ nmap 86.43.71.228 > > Starting Nmap 4.20 ( <A HREF="http://insecure.org">http://insecure.org</A> ) at 2007-08-31 02:13 CEST > Interesting ports on 86.43.71.228: > Not shown: 1688 closed ports > PORT STATE SERVICE > 80/tcp open http > 135/tcp filtered msrpc > 139/tcp filtered netbios-ssn > 445/tcp filtered microsoft-ds > 593/tcp filtered http-rpc-epmap > 993/tcp filtered imaps > 1720/tcp filtered H.323/Q.931 > 2001/tcp open dc > 5190/tcp open aol Except that if you read the man page for nmap you find.... Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. And [egreshko@misty ~]$ telnet 86.43.71.228 993 Trying 86.43.71.228... Times out.... > > Nmap finished: 1 IP address (1 host up) scanned in 20.467 seconds > ===================================== > > But "netstat -anp --tcp" does not show anything listening on 993 > ===================================== > [tim@martha ~]$ sudo netstat -anp --tcp > Active Internet connections (servers and established) > Proto Recv-Q Send-Q Local Address Foreign Address > State PID/Program name > tcp 0 0 127.0.0.1:8000 0.0.0.0:* > LISTEN 1745/nasd > tcp 0 0 127.0.0.1:2208 0.0.0.0:* > LISTEN 1637/hpiod > tcp 0 0 0.0.0.0:139 0.0.0.0:* > LISTEN 1878/smbd > tcp 0 0 0.0.0.0:631 0.0.0.0:* > LISTEN 1654/cupsd > tcp 0 0 127.0.0.1:25 0.0.0.0:* > LISTEN 1714/sendmail: acce > tcp 0 0 0.0.0.0:445 0.0.0.0:* > LISTEN 1878/smbd > tcp 0 0 127.0.0.1:2207 0.0.0.0:* > LISTEN 1642/python > tcp 0 0 0.0.0.0:33215 0.0.0.0:* > LISTEN 1443/rpc.statd > tcp 0 0 192.168.1.149:34676 86.43.71.228:2001 > ESTABLISHED 3298/ssh > tcp 0 0 :::901 :::* > LISTEN 1680/xinetd > tcp 0 0 :::111 :::* > LISTEN 1422/rpcbind > tcp 0 0 :::22 :::* > LISTEN 1668/sshd > tcp 0 0 :::631 :::* > LISTEN 1654/cupsd > ===================================== > > I can telnet 993 on my server without problem: > ===================================== > [tim@alfred ~]$ telnet localhost 993 > Trying 127.0.0.1... > Connected to localhost.localdomain (127.0.0.1). > Escape character is '^]'. > ^] > telnet> quit > Connection closed. > ===================================== > > And "iptables -L" seems to allow this connection: > ===================================== > ... > Chain net2fw (1 references) > target prot opt source destination > ACCEPT 0 -- anywhere anywhere state > RELATED,ESTABLISHED > ACCEPT icmp -- anywhere anywhere icmp > echo-request > ACCEPT tcp -- anywhere anywhere tcp dpt:http > ACCEPT tcp -- anywhere anywhere tcp dpt:ssh > ACCEPT tcp -- anywhere anywhere tcp dpt:https > ACCEPT tcp -- anywhere anywhere tcp > dpt:appserv-http > ACCEPT udp -- anywhere anywhere udp > dpt:appserv-http > ACCEPT tcp -- anywhere anywhere tcp dpt:smtp > ACCEPT tcp -- anywhere anywhere tcp dpt:imaps > Drop 0 -- anywhere anywhere > LOG 0 -- anywhere anywhere LOG level info > prefix `Shorewall:net2fw:DROP:' > DROP 0 -- anywhere anywhere > ... > ===================================== > > So my best guess is that there is something wrong > with my dovecot configuration. > I "yum remove"d and "yum install"ed dovecot > (and re-edited dovecot.conf), > but that didn't seem to make any difference. > >> Why not tcpdump it over your ssh session to the server while you try to >> connect and see what you can see. >> >> Another more exotic workaround would be, on your local machine >> >> ssh root@myserver -N -L993:localhost:993 >> >> while this runs, 993 (the first number) on your local client box will >> magically be an encrypted wormhole to port 993 on myserver. Try running >> that in one terminal session, and temporarily alter kmail to go look at >> localhost for IMAP instead of myserver. > > I'll try these tomorrow. > Thanks very much for your help anyway. > -- First Law of Bicycling: No matter which way you ride, it's uphill and against the wind. </PRE> </BLOCKQUOTE> I had a problem with my app/web server listening on "::::80" awhile back. I'd try to connect (telnet, browser, etc.) and it'd just sit there. I switched to listen on "0.0.0.0:80" and it all worked like a charm. I'm terribly ignorant on IPv6 so I can't speak to what the root problem was, but the work-around did the trick. <TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%"> <TR> <TD> <TABLE CELLSPACING="0" WIDTH="450"> <TR> <TD> <TABLE WIDTH="250"> <TR> <TD> -- Mark C. Allman, PMP </TD> </TR> <TR> <TD> -- Allman Professional Consulting, Inc. </TD> </TR> <TR> <TD> -- <A HREF="http://www.allmanpc.com">www.allmanpc.com</A>, 617-947-4263 </TD> </TR> </TABLE> </TD> <TD> <TABLE WIDTH="200"> <TR> <TD ALIGN="left" VALIGN="top"> <IMG SRC="cid:1188527732.4609.43.camel@prez.allmanpc.com" ALIGN="bottom" BORDER="0"> </TD> </TR> </TABLE> </TD> </TR> </TABLE> BusinessMsg -- the secure, managed, J2EE/AJAX Enterprise IM/IC solution. </TD> </TR> </TABLE> </BODY> </HTML>