SMTP (out) communication
-
We're faced with a firewall problem passing traffic out using a virtual IP address for MDaemon (i.e. 192.168.21.xxx).
In the SMTP (out) log (below), specifically the item in RED, MDaemon is using a loopback address which cannot be seen by our firewall's NATing policies.
How can traffic like this be configured to use the default bound IP address?
Wed 2023-05-31 10:35:12.548: [02495910] REMOTE message: pd3501000270355.msg
Wed 2023-05-31 10:35:12.548: [02495910] * Session 02495910; child 0001
Wed 2023-05-31 10:35:12.548: [02495910] * From: xxxx@xxxxx.com
Wed 2023-05-31 10:35:12.548: [02495910] * To: xxxxx@xxx.com
Wed 2023-05-31 10:35:12.548: [02495910] * Subject: General Information
Wed 2023-05-31 10:35:12.548: [02495910] * Message-ID: <eme7ddca38-7d8c-434c-be84-1ac325c62cc9@486de2c9.com>
Wed 2023-05-31 10:35:12.548: [02495910] * Size: 169535; <j:\mdaemon\queues\remote\pd3501000270355.msg>
Wed 2023-05-31 10:35:12.548: [02495910] * DNSSEC service requested
Wed 2023-05-31 10:35:12.555: [02495910] Resolving MX record for stoweattorneys.com (DNS Server: 1.0.0.1)...
Wed 2023-05-31 10:35:12.671: [02495910] * P=010 S=001 D=stoweattorneys.com TTL=(5) MX=[aspmx.l.google.com]
Wed 2023-05-31 10:35:12.671: [02495910] * P=020 S=002 D=stoweattorneys.com TTL=(5) MX=[alt2.aspmx.l.google.com]
Wed 2023-05-31 10:35:12.671: [02495910] * P=020 S=005 D=xxx.com TTL=(5) MX=[alt1.aspmx.l.google.com]
Wed 2023-05-31 10:35:12.671: [02495910] * P=030 S=000 D=xxx.com TTL=(5) MX=[aspmx2.googlemail.com]
Wed 2023-05-31 10:35:12.671: [02495910] * P=030 S=003 D=xxx.com TTL=(5) MX=[aspmx5.googlemail.com]
Wed 2023-05-31 10:35:12.671: [02495910] * P=030 S=004 D=xxxx.com TTL=(5) MX=[aspmx3.googlemail.com]
Wed 2023-05-31 10:35:12.672: [02495910] * P=030 S=006 D=xxxx.com TTL=(5) MX=[aspmx4.googlemail.com]
Wed 2023-05-31 10:35:12.672: [02495910] Attempting SMTP connection to aspmx.l.google.com
Wed 2023-05-31 10:35:12.675: [02495910] Resolving A record for aspmx.l.google.com (DNS Server: 1.0.0.1)...
Wed 2023-05-31 10:35:12.693: [02495910] * D=aspmx.l.google.com TTL=(3) A=[142.251.111.26]
Wed 2023-05-31 10:35:12.693: [02495910] Attempting SMTP connection to 142.251.111.26:25
Wed 2023-05-31 10:35:12.695: [02495910] Waiting for socket connection...
Wed 2023-05-31 10:35:12.696: [02495910] * Connection established 127.0.0.1:39904 --> 142.251.111.26:25
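An added example, not from the original post and not MDaemon's own tooling: a PowerShell check that scans SMTP (out) log lines for the "Connection established" record of each session and flags any session whose source address is not the IP MDaemon is supposed to be bound to. The sample lines are constructed from the lines quoted in this thread; the function name Get-MDaemonOutboundSession and the log file path in the closing comment are assumptions.

```powershell
# Added example (not from the original post): audit MDaemon SMTP (out) log
# lines and flag outbound sessions whose source address is not the IP that
# MDaemon should be bound to (192.168.21.251 in this thread).

$ExpectedSource = '192.168.21.251'

# Constructed sample built from the lines quoted in the thread:
# two sessions leaving from loopback, one from the expected virtual IP.
$SampleLog = @'
Wed 2023-05-31 10:35:12.548: [02495910] REMOTE message: pd3501000270355.msg
Wed 2023-05-31 10:35:12.693: [02495910] Attempting SMTP connection to 142.251.111.26:25
Wed 2023-05-31 10:35:12.696: [02495910] * Connection established 127.0.0.1:39904 --> 142.251.111.26:25
Wed 2023-05-31 13:01:02.453: [02496666] * Connection established 127.0.0.1:53146 --> 198.8.14.170:25
Tue 2023-06-06 08:10:29.808: [02522887] * Connection established 192.168.21.251:53099 --> 67.219.250.221:25
'@

# One "Connection established" line per session: timestamp, session id,
# source ip:port, destination ip:port. Other log lines are ignored.
$Pattern = '^(?<ts>\S+ \S+ \S+): \[(?<session>\d+)\] \* Connection established (?<src>[\d.]+):(?<sport>\d+) --> (?<dst>[\d.]+):(?<dport>\d+)'

function Get-MDaemonOutboundSession {
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    process {
        foreach ($line in $Lines) {
            if ($line -match $Pattern) {
                [pscustomobject]@{
                    Time        = $Matches.ts
                    Session     = $Matches.session
                    Source      = $Matches.src
                    Destination = "$($Matches.dst):$($Matches.dport)"
                    Loopback    = ($Matches.src -like '127.*')      # 127.0.0.0/8
                    Expected    = ($Matches.src -eq $ExpectedSource)
                }
            }
        }
    }
}

$sessions = @(($SampleLog -split "`r?`n") | Get-MDaemonOutboundSession)
$sessions | Format-Table -AutoSize

$bad = @($sessions | Where-Object { -not $_.Expected })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} outbound sessions did not use {2}" -f $bad.Count, $sessions.Count, $ExpectedSource)
    $bad | ForEach-Object { Write-Warning ("  session {0} left from {1} to {2}" -f $_.Session, $_.Source, $_.Destination) }
}

# Against a live server, pipe the real SMTP (out) log instead of the sample
# (path assumed; adjust to your MDaemon Logs folder):
#   Get-Content 'J:\MDaemon\Logs\MDaemon-2023-05-31-SMTP-(out).log' | Get-MDaemonOutboundSession |
#       Where-Object { -not $_.Expected }
```

Run on the sample, the two 127.0.0.1 sessions are reported and the 192.168.21.251 session passes. A practitioner would schedule this against the current day's log so that a return of the loopback source is noticed before the firewall's NAT rule silently starts dropping replies.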
-
Arron Staff
You can change the IP that is used for the logging by going to Setup / Domain Manager / Select the Domain / Host name & IP. In the IPv4 field enter the IP address you would like to be used. On our mail server we use the public IP address of our mail server.
You can also use the local IP address of the mail server.
I'm not sure this setting is going to address your issue, but it will change the IP address that is used in the logs. The actual traffic should all be controlled by the TCP/IP settings in the operating system.
-
Arron,
" Setup / Domain Manager / Select the Domain / Host name & IP."
This section you mentioned above is set to the virtual IP for the MDaemon mail server using the button, and then making a selection of the available IP addresses.
The loopback IP address is very odd in the SMTP (out) log file and we need to change it to follow the IP we selected (above).
-
Looking into this further I took an example (below) and checked the firewall to see how it was being displayed.
Wed 2023-05-31 13:01:02.453: [02496666] * Connection established 127.0.0.1:53146 --> 198.8.14.170:25
It appears the firewall is using the IP address of the network card on the mail server ("192.168.21.178") but not the virtual IP address specified in "Setup / Domain Manager / Select the Domain / Host name & IP".
-
Arron Staff
I've been doing more testing and it looks like my initial response was incorrect. It is not using the IP address specified under Host name & IP like I thought it was. I would agree, it looks like it's getting the IP address from the network adapter. I'm waiting for a confirmation from the developers.
-
Understood. Thank you for your help.
-
Arron Staff
MDaemon is getting the IP from the connected socket. If you do not have MDaemon configured to bind to outbound sockets, then the operating system chooses the IP.
If you want to use a different IP, you can configure MDaemon to bind to outbound sockets.
Go to Setup | Server Settings | DNS & IPs | Binding and check "Enable outbound IP binding" and tell it what IP to use.
-
It is, and has been bound (see screenshot below).
Also, looking at what is actually bound, please see the output of netstat -an (below).
TCP 192.168.21.251:25 0.0.0.0:0 LISTENING
TCP 192.168.21.251:80 0.0.0.0:0 LISTENING
TCP 192.168.21.251:135 192.168.21.164:27549 ESTABLISHED
TCP 192.168.21.251:135 192.168.21.164:27550 ESTABLISHED
TCP 192.168.21.251:135 192.168.21.176:61993 ESTABLISHED
TCP 192.168.21.251:135 192.168.21.176:61994 ESTABLISHED
TCP 192.168.21.251:143 0.0.0.0:0 LISTENING
TCP 192.168.21.251:366 0.0.0.0:0 LISTENING
TCP 192.168.21.251:443 0.0.0.0:0 LISTENING
TCP 192.168.21.251:444 0.0.0.0:0 LISTENING
TCP 192.168.21.251:465 0.0.0.0:0 LISTENING
TCP 192.168.21.251:587 0.0.0.0:0 LISTENING
TCP 192.168.21.251:993 0.0.0.0:0 LISTENING
TCP 192.168.21.251:993 192.168.21.177:55965 ESTABLISHED
TCP 192.168.21.251:993 192.168.21.177:56050 ESTABLISHED
TCP 192.168.21.251:1000 0.0.0.0:0 LISTENING
TCP 192.168.21.251:2216 192.168.21.164:27537 ESTABLISHED
UDP 192.168.21.251:4069 *:*
-
Arron Staff
In MDaemon under Setup / Domain Manager / Select a domain / Host Name & IP, do you have the option enabled for "This domain recognizes only connections made to these IPs" checked?
Do you have multiple domains?
Is the box checked for all domains?
Are there any errors in MDaemon's system log on startup when it tries to bind to the IPs?
-
"In MDaemon under Setup / Domain Manager / Select a domain / Host Name & IP, do you have the option enabled for "This domain recognizes only connections made to these IPs" checked?"
Yes.
"Do you have multiple domains?"
We have two, one **.local and another which is public. They both share the same internal virtual IP address which was selected in "Setup / Domain Manager / Select a domain / Host Name & IP" using the "Detect" button.
"Is the box checked for all domains?"
Both have the "This domain recognizes only connections...." flag enabled.
"Are there any errors in MDaemon's system log on startup when it tries to bind to the IPs?"
No. However, just to be sure, I stopped and restarted the system so that any possible errors would post in the current log file, and still no binding errors.
-
Arron Staff
What version of MDaemon are you using?
-
The version is V21.5.1
-
Arron Staff
If you uncheck "Enable outbound IP binding" and "This domain recognizes only connections made to these IPs" for both domains, what happens? Does the OS choose the desired IP?
It's very suspicious that MDaemon is reporting that a socket bound to localhost has connected to anything other than localhost. A socket bound to localhost should only be able to connect to localhost. Localhost traffic does not leave the machine (it is not routed over the network).
What IP does your firewall report that the connection is coming from?
-
If you uncheck "Enable outbound IP binding" and "This domain recognizes only connections made to these IPs" for both domains, what happens? Does the OS choose the desired IP?
No change after making the corrections. MDaemon reports 127.0.0.1
What IP does your firewall report that the connection is coming from?
This clustered virtual machine has a fixed IP address (192.168.21.178).
MDaemon has a bound and fixed virtual IP of (192.168.21.251). All traffic in and out of MDaemon must have this IP address for all communications to work correctly. Our firewall NATs the internal address (192.168.21.251) to our public mail address.
Because traffic isn't leaving MDaemon on the correct IP 192.168.21.251, our firewall sees (127.0.0.1) as 192.168.21.178.
Traffic leaving the firewall with a source of 192.168.21.178 cannot be sent back to 192.168.21.251 because it obviously didn't originate from the server but rather MDaemon (192.168.21.251).
NOTE: On a separate community post regarding certificates not verifying:
SSL negotiation successful (TLS 1.2, 255 bit key exchange, 128 bit AES encryption)
SSL certificate is not valid (CRYPT_E_NO_REVOCATION_CHECK)
We now realize both of these issues are related. This verification leaves our system using 127.0.0.1, the firewall sees this as 192.168.21.178, so the reply back from our firewall isn't directed correctly to our bound and fixed virtual IP of (192.168.21.251), but rather 192.168.21.178, so MDaemon isn't seeing the reply at all and notes the drop as "SSL certificate is not valid".
What now?
-
Arron Staff
We haven't been able to find anything wrong with how MDaemon is binding to an IP yet, but we are still testing.
What type of firewall are you using?
-
We're using a SonicWall NSA2700 in High Availability state.
-
Arron Staff
If you run the following command in an Administrator PowerShell command prompt on the MDaemon server, what is returned for the SkipAsSource value for 192.168.21.251?
Get-NetIPAddress | ft IPAddress, InterfaceAlias, SkipAsSource
What is the SkipAsSource value for 192.168.21.178?
If you set SkipAsSource to true for 192.168.21.178, does it change the behavior?
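An added example, not from the original posts and not MDaemon's own code, that puts the three points Arron raised into one script: when MDaemon is not bound, the OS chooses the source address (Setup | Server Settings | DNS & IPs | Binding post), a socket bound to 127.0.0.1 cannot reach anything but localhost, and SkipAsSource decides which of two addresses on the same interface the OS prefers. It uses the addresses from this thread and one MX from the log; the function names, the $Apply switch and the assumption that both IPs sit on the same interface and subnet are mine. It must run in an elevated PowerShell on the MDaemon server with the NetTCPIP module (Windows 8/2012 and later), and the connect calls are live TCP/25 connections.

```powershell
# Added example (not from the original thread): show which local IPv4 address
# Windows selects as the source for an outbound SMTP connection, optionally
# tilt that selection with SkipAsSource, and compare with an explicitly bound
# socket (what "Enable outbound IP binding" asks MDaemon to do).
# Assumptions: elevated PowerShell on the MDaemon server, NetTCPIP module
# available, both addresses on the same interface and subnet.

$MDaemonIP = '192.168.21.251'   # virtual IP every MDaemon session should use
$HostIP    = '192.168.21.178'   # the VM's own address
$Remote    = '142.251.111.26'   # aspmx.l.google.com from the SMTP (out) log
$Apply     = $false             # set to $true to actually change SkipAsSource

function Get-OutboundSourceIP {
    param([string]$RemoteIPAddress)
    # Find-NetRoute returns the NetIPAddress the stack would use as source
    # plus the NetRoute it matched; keep only the address object.
    Find-NetRoute -RemoteIPAddress $RemoteIPAddress |
        Where-Object { $_.PSObject.TypeNames -match 'MSFT_NetIPAddress' } |
        Select-Object -First 1 -ExpandProperty IPAddress
}

"Source the OS picks for ${Remote}: $(Get-OutboundSourceIP $Remote)"

$addrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -in @($MDaemonIP, $HostIP) }
$addrs | Format-Table IPAddress, InterfaceAlias, PrefixLength, SkipAsSource -AutoSize

# An address flagged SkipAsSource is never chosen as a source, so the virtual
# IP must not carry the flag, and the host IP is the one to flag.
if (($addrs | Where-Object IPAddress -eq $MDaemonIP).SkipAsSource) {
    Write-Warning "$MDaemonIP has SkipAsSource=True; the OS will never pick it."
}
if ($Apply) {
    Set-NetIPAddress -IPAddress $MDaemonIP -SkipAsSource $false
    Set-NetIPAddress -IPAddress $HostIP    -SkipAsSource $true
    "After SkipAsSource change, source for ${Remote}: $(Get-OutboundSourceIP $Remote)"
}

# Socket-level view. Each connect is live (TCP/25 to $Remote); a failure is
# reported, not fatal. Assumes outbound 25 is allowed by the firewall.
function Test-SourceBinding {
    param([string]$LocalIP)   # empty = let the OS choose, like an unbound MDaemon
    $label  = if ($LocalIP) { $LocalIP } else { 'none' }
    $client = if ($LocalIP) {
        [System.Net.Sockets.TcpClient]::new([System.Net.IPEndPoint]::new([ipaddress]$LocalIP, 0))
    } else {
        [System.Net.Sockets.TcpClient]::new()
    }
    try {
        $client.Connect($Remote, 25)
        "bind=$label  local=$($client.Client.LocalEndPoint)"
    } catch {
        "bind=$label  FAILED: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Dispose()
    }
}

Test-SourceBinding               # OS choice; should agree with Find-NetRoute
Test-SourceBinding $MDaemonIP    # explicit bind, the behaviour wanted here
Test-SourceBinding '127.0.0.1'   # a loopback-bound socket cannot reach $Remote
```

The first two lines of output are the check Arron asked for: if Find-NetRoute already names 192.168.21.251, the OS is not the component putting 127.0.0.1 in the log, and the problem is inside the application's own binding. The last call is expected to fail; it reproduces the point that a socket really bound to localhost cannot connect to an MX at all, which is why a log line showing 127.0.0.1 connected to 142.251.111.26 deserves suspicion rather than a NAT rule.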
-
Arron Staff
Can you also install Wireshark and capture some outbound SMTP traffic from MDaemon and send me the capture so we can take a look at it?
You can send it to arron.caruth @ mdaemon.com.
-
Arron,
Based on the problems we've experienced, where the system appears to be configured correctly yet isn't working properly, I made the choice to uninstall, reinstall and then recover the configuration. Additionally, I cleaned up the network card using a utility that restored its original integrity on both the virtual and physical server.
Please see both areas highlighted in yellow, which demonstrate normal behavior.
Tue 2023-06-06 08:10:29.691: [02522887] Resolving A record for cluster5.us.messagelabs.com (DNS Server: 1.0.0.1)...
Tue 2023-06-06 08:10:29.708: [02522887] * D=cluster5.us.messagelabs.com TTL=(0) A=[67.219.246.212]
Tue 2023-06-06 08:10:29.708: [02522887] * D=cluster5.us.messagelabs.com TTL=(0) A=[67.219.250.217]
Tue 2023-06-06 08:10:29.708: [02522887] * D=cluster5.us.messagelabs.com TTL=(0) A=[67.219.247.99]
Tue 2023-06-06 08:10:29.708: [02522887] * D=cluster5.us.messagelabs.com TTL=(0) A=[67.219.247.195]
Tue 2023-06-06 08:10:29.708: [02522887] * D=cluster5.us.messagelabs.com TTL=(0) A=[67.219.250.221]
Tue 2023-06-06 08:10:29.708: [02522887] * D=cluster5.us.messagelabs.com TTL=(0) A=[67.219.246.211]
Tue 2023-06-06 08:10:29.708: [02522887] Randomly picked 67.219.250.221 from list of possible hosts
Tue 2023-06-06 08:10:29.708: [02522887] Attempting SMTP connection to 67.219.250.221:25
Tue 2023-06-06 08:10:29.709: [02522887] Waiting for socket connection...
Tue 2023-06-06 08:10:29.808: [02522887] * Connection established 192.168.21.251:53099 --> 67.219.250.221:25
Tue 2023-06-06 08:10:29.808: [02522887] Waiting for protocol to start...
Tue 2023-06-06 08:10:29.922: [02522887] <-- 220 server-9.tower-637.messagelabs.com ESMTP
Tue 2023-06-06 08:10:29.922: [02522887] --> EHLO mail.hsmc-ul.com
Tue 2023-06-06 08:10:30.020: [02522887] <-- 250-server-9.tower-637.messagelabs.com
Tue 2023-06-06 08:10:30.020: [02522887] <-- 250-STARTTLS
Tue 2023-06-06 08:10:30.020: [02522887] <-- 250-PIPELINING
Tue 2023-06-06 08:10:30.020: [02522887] <-- 250 8BITMIME
Tue 2023-06-06 08:10:30.020: [02522887] --> STARTTLS
Tue 2023-06-06 08:10:30.126: [02522887] <-- 220 ready for TLS
Tue 2023-06-06 08:10:30.339: [02522887] SSL negotiation successful (TLS 1.2, 256 bit key exchange, 256 bit AES encryption)
Tue 2023-06-06 08:10:30.406: [02522887] SSL certificate is valid (matches cluster5.us.messagelabs.com and is signed by recognized CA)
Tue 2023-06-06 08:10:30.406: [02522887] --> EHLO mail.hsmc-ul.com
Tue 2023-06-06 08:10:30.503: [02522887] <-- 250-server-9.tower-637.messagelabs.com
Tue 2023-06-06 08:10:30.503: [02522887] <-- 250-PIPELINING
Tue 2023-06-06 08:10:30.503: [02522887] <-- 250 8BITMIME
..
.
Thanks again for all your help.
-
Arron Staff
Thanks for letting me know and I'm glad it's working for you now!