Hi, my customers have reported that 1 server cannot email another server - both are ISPConfig 3.05.4p8 and Debian Jessie. I ran ifconfig and have the correct IP info and gateway displayed here; I can ping the other server, but email won't connect to it from both ends. I tailed the mail.log and see that the email is "network unreachable". I then log in to ISPConfig admin and go to system-server config and see this: IP 127.0.0.1 - netmask 255.255.255.0 - gateway 0.0.0.0 nameserver 8.8.8.8.8.8.4.4. on 1 server, and the other is using a local IP address, which is also wrong. This info was updated months ago, but updated in /etc/network/interfaces and not in admin. Is it OK for me to update this info to the correct info, save and reboot?
The interface/ip info on that page is not used at all unless you enable the 'Network configuration' checkbox at the top, and as the message says, 'The network configuration option is only available for Debian and Ubuntu Servers. Do not enable this option if your network interface is not eth0.' If you edited /etc/network/interfaces directly, you don't need to do anything with the Server Config settings for that. Try logging in to each server and run 'ifconfig' and 'route -n' .. assuming those servers are both on the same local network, check especially that your netmasks are correct.
You might have port 25 closed in your firewall; can anything else on the internet connect to that mail server?
Thanks for the reply. OK, thanks for the clarification on the first point. I have had both interfaces open in front of me and both display the same subnet, gateway and nameservers. Both have different IPs; they are Internet facing with live IPs. There is no firewall other than what ISPConfig ships with. External hosts have no problem sending email and I have no problems with receiving. But both machines cannot connect with ssh, telnet etc., giving 'network unreachable'. But I can ping. Very odd.
1 server is:

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N fail2ban-dovecot-pop3imap
    -N fail2ban-postfix-sasl
    -N fail2ban-pureftpd
    -N fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 25 -j fail2ban-postfix-sasl
    -A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
    -A INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A fail2ban-dovecot-pop3imap -j RETURN
    -A fail2ban-postfix-sasl -j RETURN
    -A fail2ban-pureftpd -j RETURN
    -A fail2ban-ssh -s 116.31.116.49/32 -j REJECT --reject-with icmp-port-unreachable
    -A fail2ban-ssh -j RETURN

2 server is:

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N fail2ban-dovecot-pop3imap
    -N fail2ban-postfix-sasl
    -N fail2ban-pureftpd
    -N fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 25 -j fail2ban-postfix-sasl
    -A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
    -A INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A fail2ban-dovecot-pop3imap -j RETURN
    -A fail2ban-postfix-sasl -j RETURN
    -A fail2ban-pureftpd -j RETURN
    -A fail2ban-ssh -s 116.31.116.49/32 -j REJECT --reject-with icmp-port-unreachable
    -A fail2ban-ssh -j RETURN
Quick interpretation: you have no firewall rules, only hooks for fail2ban (which currently has a single host 116.31.116.49 blocked for ssh service). Can you paste the output of 'ifconfig -a' and 'route -n'? And are these physical or virtual servers?
server 2

ifconfig -a:

    eth0      Link encap:Ethernet  HWaddr 00:1d:09:64:04:d5
              inet addr:79.77.184.118  Bcast:79.77.184.119  Mask:255.255.255.252
              inet6 addr: fe80::21d:9ff:fe64:4d5/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:73793 errors:0 dropped:1 overruns:0 frame:0
              TX packets:78273 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:14153987 (13.4 MiB)  TX bytes:49880843 (47.5 MiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:63483 errors:0 dropped:0 overruns:0 frame:0
              TX packets:63483 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:13393006 (12.7 MiB)  TX bytes:13393006 (12.7 MiB)

route -n

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         79.77.184.117   0.0.0.0         UG    0      0        0 eth0
    79.77.184.116   0.0.0.0         255.255.255.252 U     0      0        0 eth0

server 1:

    eth0      Link encap:Ethernet  HWaddr c8:60:00:de:f6:cb
              inet addr:79.77.184.116  Bcast:79.77.184.119  Mask:255.255.255.252
              inet6 addr: fe80::ca60:ff:fede:f6cb/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:97968 errors:0 dropped:1 overruns:0 frame:0
              TX packets:110367 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:41705895 (39.7 MiB)  TX bytes:124142966 (118.3 MiB)
              Interrupt:20 Memory:f7f00000-f7f20000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:18061 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18061 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:102244866 (97.5 MiB)  TX bytes:102244866 (97.5 MiB)

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         79.77.184.117   0.0.0.0         UG    0      0        0 eth0
    79.77.184.116   0.0.0.0         255.255.255.252 U     0      0        0 eth0

I see the routes are wrong, I assume this is the fault.
Your netmask is probably wrong; you can't use .116 on a /30 subnet (normally .. you can do funny stuff to eke some life out of those, but I wouldn't mess with it if you can avoid it). I.e. 79.77.184.116/30 affords the use of 2 IP addresses, .117 and .118, which normally will be your server's address and its gateway. Or if the subnet is correct, you should likely have a different IP address and gateway on the .116 machine. Verify with your colocation provider/ISP/whomever assigned the addrs.
I have run my netmask through a calculator and it says 116-119, so it looks OK. But I am grateful for anything I am overlooking or missing.
As above, .116/30 gives you 2 usable ip addresses. The .116 address is the network address, and .119 is the broadcast address, don't use those for hosts. If your modem is .117, you only have a single .118 you can use. If the netmask is different (eg. 255.255.255.248) you could use the .116 address. Eg. you can see this at http://www.aboutmyip.com/AboutMyXApp/SubnetCalculator.jsp?ipAddress=79.77.184.116&cidr=30 .. change the cidr to /29 and .116 will be found between the first and last host addrs. If the ISP is sure you should have 4 addrs, maybe your modem shouldn't be in a routing mode, but bridging to them? (and again, the netmask would then be different) If not, and they're routing you a /30 and expecting you to use all four ip addresses "if you want to," you're going to have to use the aforementioned 'funny stuff' and I don't have a lot of hands-on experience with that. You'd probably have to start by seeing what your modem can do, and ask the ISP if they know of any solution that your particular modem could work with (pppoe to your servers? yuck...). And maybe complain that doing normal ip subnetting is much easier.
When I spoke with them after ordering the IPs they stated that all of them are usable. I will contact them in the morning to confirm with them; originally they didn't sound too sure, as I did ask if I could use all or just 2, and they said I have 5 usable. Then if that is the case, they gave me the wrong subnet to use. I will post the response tomorrow.
If they gave you a /29 you have 6 usable ip addrs, but say one is for your modem, then you have 5 for server use. That would make sense. If that's the case, you can use .113-.118, with .117 being your modem (gateway for all your hosts). If you're adventurous and don't want to wait, set your netmask to 255.255.255.248 on everything (servers and modem) and see if everything works.
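The /30 versus /29 arithmetic from the replies above, as an added example that is not part of any post in the thread: it uses Python's standard `ipaddress` module to compute the network, broadcast and usable host addresses for each interface and flags a host configured on a reserved address. The function name `audit_host` and the case labels are hypothetical; the addresses and masks are the ones posted above.

```python
import ipaddress

def audit_host(addr, netmask, gateway):
    """Report the subnet implied by addr/netmask and flag unusable assignments."""
    iface = ipaddress.ip_interface(f"{addr}/{netmask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    problems = []
    if net.prefixlen < 31:  # /31 and /32 reserve no network/broadcast address
        if iface.ip == net.network_address:
            problems.append("host uses the network address")
        elif iface.ip == net.broadcast_address:
            problems.append("host uses the broadcast address")
    if gw not in net:
        problems.append("gateway is outside the subnet")
    elif gw == iface.ip:
        problems.append("gateway equals the host address")
    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "usable": [str(h) for h in net.hosts()],
        "problems": problems,
    }

# Addresses and masks as posted in the thread; the labels are hypothetical.
CASES = [
    ("server 1 with /30", "79.77.184.116", "255.255.255.252", "79.77.184.117"),
    ("server 2 with /30", "79.77.184.118", "255.255.255.252", "79.77.184.117"),
    ("server 1 with /29", "79.77.184.116", "255.255.255.248", "79.77.184.117"),
]

if __name__ == "__main__":
    for label, addr, mask, gw in CASES:
        r = audit_host(addr, mask, gw)
        print(f"{label}: network {r['network']}, broadcast {r['broadcast']}")
        print(f"  usable hosts: {r['usable'][0]} - {r['usable'][-1]}")
        print(f"  problems: {', '.join(r['problems']) or 'none'}")
```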
They definitely stated 116-119, so I gotta check with them in the morning. The servers are working and have been fine for over a year; it's just the mail from server 1 to 2 and vice versa.