Control Web Panel
WebPanel => Postfix => Topic started by: Thorth on September 23, 2024, 02:42:09 PM
-
Hi there.
First i want to explain the situation.I have 2 virtual machine.
- VM1: have 1 public IP pointing to 192.168.0.30
- VM2: have 1 public IP (diff from VM1) pointing to 192.168.0.34.
I can send emails to yahoo, gmail, etc, doesn't matter where, everything work, but if i want to send an email from a domain on VM1 to another domain on VM2 the connections is refused, cannot send it. This situation happen in both ways(VM1 to VM2 also VM2 to VM1).
I look in the mailog and i only got 1 msg "connection refused".
I don't know what to add or put so i can send emails from VM1 to VM2 and vice-versa.
Any ideas?
thanks in advanced
-
Forwarding on a standard router can only forward port 25, 465, 587 to 1 machine, and then has to be able to communicate back out via that same port.
rDNS has to be correctly setup as well as DMARC, DKIM, SPF and not to mentioned SSL or MTA-STS.
Pointing 1 public to a VM is good for test and learning.
But if you going to use these as a production server, they each need public IP's, not behind a NAT.
Using a NAT isn't going to get support from anyone really, since every router can be configured differently.
-
Thanks for your reply.
Basically i have an IaaS (Infrastructure as a Service) where i can make VM, VPN, etc.
IaaS managing for me DDOS, mirroring servers, back-up space, etc. (at a big lvl)
On that console i set the network adapter for in/out from public IP to private IP in any direction with any port, so not using the NAT ip from CentOS WebPanel.
rDNS is set for the main domain and IP of the server.
(https://i.ibb.co/CvRQ23J/p1.jpg)
I also set Dmark, SPF, DKIM, based on the several online tools, my email server is set correctly.
I can send emails for any other domains that are outside my VM (gmail, yahoo, ymail, etc) and everything is working like a charm.
I ran into a similar problem when i try to curl from VM1 to VM2, i added in /etc/hosts the domain with the local ip and curl work perfectly. I'm wondering if i have to do something similar.
Also 25, 465, 587 are open both direction, do i need to add in some conf file the same option like i did in /etc/hosts?
-
Check the mail logs to identify where your VM tries to connect to when you send emails from VM1 to VM2. Make sure the MX records of the recipient's domain directs emails to the correct host.
What does happen when you run
telnet MX.HOST.COM 25
traceroute MX.HOST.COM
(MX.HOST.COM - mx record of the destination mail domain)
on the source mail host ?
-
Hey.
Sorry to reply after all this long time.
So first i telnet & traceroute to the domain (not the mx record) both gave me answer and it's correct, since i add in /etc/hosts the domains with internal ip (192.168...), i need to curl data from 1 server to another.
Then i try to telnet & traceroute to the mx record (mail is the record for MX) and nothing, no answer.
I add on both server on /etc/hosts 192.168.0.x mail.domain.com and both telnet & traceroute give me answer.
When i try to send an email from 1 server to another, in mail queue, nothing, still refusing my email.
(https://i.ibb.co/C7VNmzn/printSCS.jpg)
I notice that the port 25 is open only on TCP and not on UDP...
-
It looks like the problem is caused by misconfiguration (invalid A,MX,CNAME records) of the DNS zones of the domains and/or by DNS resolvers on your VMs.
So my recommendation is to check the DNS zones and resolvers on both VMs.
-
Looks like you need to check your configuration in your NAT on your router to your internal IPs.
Again, ports can only be forwarded to 1 internal IP, not multiple.
And even then things get tricky, because unless you can set your rDNS correctly, SSL, etc. won't work like they should.
-
It looks like the problem is caused by misconfiguration (invalid A,MX,CNAME records) of the DNS zones of the domains and/or by DNS resolvers on your VMs.
So my recommendation is to check the DNS zones and resolvers on both VMs.
thanks for the reply.
On both vm everything is ok, rDNS, CNAME, etc... double check those info.
Maybe i need to add smt more on dns manager.
this is my DNS record for MX
(https://i.ibb.co/D51T04Z/dns1.jpg)
rDNS is correct, all my emails to Yahoo, gmail etc are delivered and everything is ok.
-
Looks like you need to check your configuration in your NAT on your router to your internal IPs.
Again, ports can only be forwarded to 1 internal IP, not multiple.
And even then things get tricky, because unless you can set your rDNS correctly, SSL, etc. won't work like they should.
all the other options are working correctly, webservsers, ssl, etc even emails to gmail, yahoo, or other domain.
I'm wonder if on postfix there is some options, idk to set other local ip to check, since when i try to curl from 1 vm to another i had to add those details in /etc/hosts ... or maybe i should add on /etc/hosts the public ip and the domain...
i ask a person that know some rules, and he said to me to check the IP that he send the emails (is internal or public)...
i'll keep search for a solution, but if u any of u got any idea what to do, or what to test i'm here for it
-
Hey again.
So i start to check my /etc/hosts and with small modification i add the mx record to my host file, when i try to telnet on port 25 i got the response (https://i.ibb.co/NjxpBJM/imgs3.jpg) ;D
But when i try to send an email i still get refused by postfix.
Is there an option to config on postfix to check for internal servers or smt like that, i'm asking this since the both VM are in the same local network.
-
Dude, just forget about outgoing emails to yahoo, gmail, etc because they have correcet MX records and can be resolved from any correctly configured and working host.
Your VMs are behind NAT. So:
1. Check the MX records of your domains, make sure they are correct and working.
2. Check resolvers on your VMs. The resolvers can resolve the IP address of the MX records.
3. Check if routing from one VM to MX record of the domain hosted on another VM is ok.
-
Maybe i did not express myself correctly.
Everything outside is working, outgoing mails, income mails, rDNS, PTR, DKIM, NS, etc.
With all the tools used to test the conf. (starting from mxtoolbox, mail-tester.com to diff. dns checkers, etc) got a green response and
everything is ok, i can send and receive (emails) from others domains outside VMs network.
If i try to telnet, curl, ping, dig. whatever from others servers, everything is working and got a correct response.
My problem is between my VMs inside the same network.
I don't how to check, cuz' with all the commands i know everything is ok (i used them from outside my network, diff servers, ip etc.).
I don't know how DNS MX record should look so everything is ok between my 2 WM.
-
Remove any extra lines from /etc/hosts added by you:
1. On VM1 can you resolve the MX records of the domain hosted on VM2 ?
2. Can you connect to the port 25 from VM1 to the host/IP resolved in p1 ?
3. Does the traceroute command executed on VM1 to the host/ip resolved in p1 look good (VM2 is accessible) ?
-
Remove any extra lines from /etc/hosts added by you:
1. On VM1 can you resolve the MX records of the domain hosted on VM2 ?
2. Can you connect to the port 25 from VM1 to the host/IP resolved in p1 ?
3. Does the traceroute command executed on VM1 to the host/ip resolved in p1 look good (VM2 is accessible) ?
i remove all the line from /etc/hosts
For 1.
- dig command work & get the correct response (on the main domain)
- dig command & ping on mx record is ok i get the response
For 2.
- the connection is refused when i try to telnet from vm1 to vm2
For 3.
- traceroute is not permited
-
Disable CSF/IPtables and run tests 2,3 again. If the tests are passed with the disabled CSF/iptables then check your CSF/iptables rules.
-
Disable CSF/IPtables and run tests 2,3 again. If the tests are passed with the disabled CSF/iptables then check your CSF/iptables rules.
Test 2 failed buit test 3 work, i got the traceroute for test 3
-
1. Did you disable CSF/Firewall on both VMs ? Does it try to access the VM2 from VM1 using public or private IP ?
2. What did the test 2 show exactly when it failed ?
3. does "nslookup MX.DOMAIN.COM" (replace MX.DOMAIN.COM with the actual MX record of the domain hosted on VM2) executed on VM1 shows the same result as "dig" ?
-
1. Did you disable CSF/Firewall on both VMs ? Does it try to access the VM2 from VM1 using public or private IP ?
2. What did the test 2 show exactly when it failed ?
3. does "nslookup MX.DOMAIN.COM" (replace MX.DOMAIN.COM with the actual MX record of the domain hosted on VM2) executed on VM1 shows the same result as "dig" ?
For 1:
- Yes i did disabled firewall on both VM
- he try to access VM2 using public ip
For 2:
- Connection refused print-screen down
(https://i.ibb.co/hDKfQVQ/poza1.jpg)
For 3:
- Post the picture below with all comands (nslookup, dig, telnet)
(https://i.ibb.co/7jmJtjg/poza3.jpg)
-
If you disabled CSF/Firewall, dig, nslookup show correct answers but you can't connect to the port 25 of another VM then there is some networking problem. It could be your router or some other device used to manage traffic. I am afraid the CWP community is unable to help you with it because it requires deeper understanding of your infrastructure and network configuration.
-
If you disabled CSF/Firewall, dig, nslookup show correct answers but you can't connect to the port 25 of another VM then there is some networking problem. It could be your router or some other device used to manage traffic. I am afraid the CWP community is unable to help you with it because it requires deeper understanding of your infrastructure and network configuration.
I will check my router NAT config then.
thank u very much for your help
-
thank u very much for your help
No problem. I wish you to find root of the problem and solve it to get maximum from your infrastructure and CWP panel.
-
thank u very much for your help
No problem. I wish you to find root of the problem and solve it to get maximum from your infrastructure and CWP panel.
I will post here the solution i found, so if anybody get into the same issue maybe they can find the solution.
-
Hi again.
I found out the solution for this issue.
So basically since they are in a private network (those two VM, have local ip) there is a conflict on port 25 when they try to send internally between server.
The solution:
Edit /etc/hosts and add the local IP and the domains from the other machine (the MX record for each)
Edit /etc/postfix/transport and there add info from others domain like
- DOMAIN.com smtp:192.168.0.XX:25
- .DOMAIN.com smtp:192.168.0.XX:25
Run the command postmap /etc/postfix/transport from terminal
What this solution will do is not seding the email via internet and relay the emails to the machine where is hosted, like an internal email. The details in transport file will filter emails based on domain. This way i was able to send emails both internal and to other domain outside the network.
-
Did you check what happens when CWP rebuilds the mail config ? Does it not remove the extra records (transport policy) added by hand ?
Just for information if someone decides to apply the same solution.
Thank you.
-
I did not check this, but it's a good point, i should check soon. Also idk maybe it's a good idea for cwp since there is an option there for email exchange i think is the same, to add this option, to relay emails. I'll be back with the situation after rebuild postfix
-
Alright so i try the rebuild of the server.
On rebuild of the server /etc/postfix/transport will reset so is need it to add again so everyone will try this solution, must remember this, on every rebuild transport file will reset and need to be completed with the domains and the command postmap /etc/postfix/transport must be run again