Somewhat OT email addresses
Rick Stevens
rstevens at vitalstream.com
Fri Feb 17 19:41:52 UTC 2006
On Fri, 2006-02-17 at 13:23 +1100, Graeme Nichols wrote:
> Rick Stevens wrote:
> > On Thu, 2006-02-16 at 12:19 -0500, Jeff Kinz wrote:
> >
> >>On Thu, Feb 16, 2006 at 01:29:32PM +1100, Graeme Nichols wrote:
> >>
> >>>Hello Folks,
> >>>
> >>>I know this is somewhat OT but I was wondering if it is possible to send
> >>>an email with an address in the following format; username@[IP address]
> >>>
> >>>I have been fiddling around because a person to whom I was writing
> >>>has suddenly become unknown, possibly because of DNS failure, I'm not
> >>>sure, and the mail is returned undeliverable as the domain is unknown.
> >>>They are having the same problem sending mail to me.
> >>>
> >>>I did a ping on my ISP's SMTP mail server and while there was a 100%
> >>>failure rate on the packets, most probably due to some firewall setting,
> >>>I was given the IP address, in this case, 203.12.160.34
> >>>
> >>>I sent a test email to name at 203.12.160.34 but it bounced with the
> >>>following error;
> >>
> >>
> >>
> >>Graeme, I see one issue here that you would need to fix, assuming you
> >>are trying to send an email to someone other than yourself.
> >>
> >>You need to enter the IP address of their domain (or their domain's SMTP
> >>server), not the IP of your ISP's SMTP server.
> >
> >
> > Graeme, Jeff's right. You can't send mail to YOUR SMTP server and
> > expect it to go out.
>
> Hi Rick, yes, I can understand that now.
> >
> > If sending mail to "yourfriend at theirdomain.tld" doesn't work, you're
> > probably having an issue with DNS. A quick test is if you can surf the
> > web on your machine. If not, then you definitely have a DNS issue.
> > This can be caused by several factors: you haven't configured the DNS
> > on your machine properly (this is the "/etc/resolv.conf" file), or you
> > have DNS blocked by a firewall somewhere (either via iptables on your
> > machine or by the firewall on your router or modem...possibly both).
> >
> > Your /etc/resolv.conf file should contain AT A MINIMUM, one line:
> >
> > nameserver ip-address-of-your-ISP's-DNS-server
> >
> > For example:
> >
> > nameserver 64.7.192.162
> >
> > Ideally, you'd have two or three lines, one for each of your ISP's DNS
> > servers:
> >
> > nameserver 64.7.192.162
> > nameserver 64.7.192.163
>
> My /etc/resolv.conf only had their primary DNS so I added the second
> line containing their secondary DNS.
> >
> > If you don't know your ISP's DNS server addresses, ask them for them.
> > If you still can't get them, use the lines above. They're for our
> > DNS servers and I don't mind if you use them. Being the wonderful human
> > being I am, I won't even charge you for their use! :-)
>
> Ohhh... thank you Rick. Your blood is worth bottling you know. :-)
(Hic! It is in bottles!) :-)
> >
> > Next, you have to check your firewall settings. On your local machine,
> > use "iptables -L -n". You MUST permit TCP and UDP connections to port
> > 53 on your machine for DNS to work. Appropriate lines to add to your
> > /etc/sysconfig/iptables file are:
> >
> > -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> > -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> > -A INPUT -p udp -m udp --sport 53 -j ACCEPT
>
> My /etc/sysconfig/iptables file contains the following:-
>
> [graeme at barney ~]$ sudo /sbin/iptables -L -n
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
> ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> You have new mail in /var/spool/mail/graeme
> [graeme at barney ~]$
>
> While I haven't expressly allowed your above it appears that I have
> covered it in the ALL or am I having myself on? I used the graphical
> interface and selected the highest security when I set up my firewall.
> So far I don't seem to have had a problem but that may be good luck
> rather than good management.
Well, it's covered in the "state RELATED, ESTABLISHED" rule. When you
make a DNS query (allowed by the OUTPUT chain), replies will be tagged
as "ESTABLISHED" by the INPUT chain and allowed.
> Would you suggest that I add your suggestion directly into the file as
> you have written them? IPtables is a black art to me :-)
No, you're fine.
> > Also check the firewall on your router or cable/DSL modem and verify
> > they allow incoming and outgoing TCP and UDP messages using port 53.
>
> Again, my router has the following set:-
>
> Telnet Telnet traffic is blocked from the WAN to the LAN
> FTP FTP traffic is blocked from the WAN to the LAN
> TFTP TFTP traffic is blocked from the WAN to the LAN
> Web Web traffic is blocked from the WAN to the LAN
> SNMP SNMP traffic is blocked from the WAN
> Ping Ping traffic is blocked from the WAN
>
> That is all I can set up in my router, a Billion ADSL Router Switch
> 5100. I guess that everything that is not blocked above is allowed.
No, you're OK. If you can browse the web, DNS is working.
> Thanks for the help Rick. It's much appreciated. And thanks to Jeff,
> Brett and Martin as well for their assistance, all of which is appreciated.
I'm sure we're all glad to help. I am, at least.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- "Yeah, but you're taking the universe out of context." -
----------------------------------------------------------------------
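
Added example (not part of Rick's message or of the thread): a shell check over rules in /etc/sysconfig/iptables format, showing that the RELATED,ESTABLISHED rule already admits DNS replies, while a rule that matches only on source port 53 is broader than a client needs. Both rule sets are constructed samples, the function names are hypothetical, and the script assumes it is handed the rules of one chain in evaluation order.

```shell
#!/bin/sh
# Constructed sample: a stateful chain shaped like the listing in the thread.
STATEFUL_RULES='-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample: the four port-53 lines from the thread plus a final REJECT.
PORT_RULES='-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Prints "yes" when an ACCEPT rule matching connection state ESTABLISHED is
# reached before the first unconditional REJECT/DROP. Such a rule admits only
# replies to traffic this host sent, which includes answers to its DNS queries.
replies_by_state() {
    printf '%s\n' "$1" | awk '
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { exit }
        /--(state|ctstate) [A-Z,]*ESTABLISHED/ && /-j ACCEPT/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Prints the number of reachable ACCEPT rules that match on source port 53
# with no state match. Such a rule accepts a packet to any local port as long
# as the sender sets source port 53, so it is wider than "DNS replies".
sport_only_accepts() {
    printf '%s\n' "$1" | awk '
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { exit }
        /--sport 53( |$)/ && /-j ACCEPT/ && !/--(state|ctstate) / { n++ }
        END { print n + 0 }'
}

audit() {
    echo "$1:"
    echo "  DNS replies admitted by state rule: $(replies_by_state "$2")"
    echo "  source-port-53 ACCEPTs without state: $(sport_only_accepts "$2")"
}

audit "stateful chain" "$STATEFUL_RULES"
audit "port-based chain" "$PORT_RULES"
```

The `--dport 53` INPUT lines matter only on a machine that answers DNS queries itself; a client that only sends queries relies on the state rule.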