Author Topic: connection refused to a domain on another virtual machine  (Read 686 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
connection refused to a domain on another virtual machine
« on: September 23, 2024, 02:42:09 PM »
Hi there.

First i want to explain the situation.I have 2 virtual machine.

  • VM1: have 1 public IP pointing to 192.168.0.30
  • VM2: have 1 public IP (diff from VM1) pointing to 192.168.0.34.

I can send emails to yahoo, gmail, etc, doesn't matter where, everything work, but if i want to send an email from a domain on VM1 to another domain on VM2 the connections is refused, cannot send it. This situation happen in both ways(VM1 to VM2 also VM2 to VM1).

I look in the mailog and i only got 1 msg "connection refused".

I don't know what to add or put so i can send emails from VM1 to VM2 and vice-versa.
Any ideas?
thanks in advanced

Offline
*****
Re: connection refused to a domain on another virtual machine
« Reply #1 on: September 23, 2024, 03:45:27 PM »
Forwarding on a standard router can only forward port 25, 465, 587 to 1 machine, and then has to be able to communicate back out via that same port.

rDNS has to be correctly setup as well as DMARC, DKIM, SPF and not to mentioned SSL or MTA-STS.

Pointing 1 public to a VM is good for test and learning.
But if you going to use these as a production server, they each need public IP's, not behind a NAT.

Using a NAT isn't going to get support from anyone really, since every router can be configured differently.

Offline
*
Re: connection refused to a domain on another virtual machine
« Reply #2 on: September 23, 2024, 05:05:45 PM »
Thanks for your reply.

Basically i have an IaaS (Infrastructure as a Service) where i can make VM, VPN, etc.
IaaS managing for me DDOS, mirroring servers, back-up space, etc. (at a big lvl)

On that console i set the network adapter for in/out from public IP to private IP in any direction with any port, so not using the NAT ip from CentOS WebPanel.

rDNS is set for the main domain and IP of the server.

I also set Dmark, SPF, DKIM, based on the several online tools, my email server is set correctly.

I can send emails for any other domains that are outside my VM (gmail, yahoo, ymail, etc) and everything is working like a charm.

I ran into a similar problem when i try to curl from VM1 to VM2, i added in /etc/hosts the domain with the local ip and curl work perfectly. I'm wondering if i have to do something similar.

Also 25, 465, 587 are open both direction, do i need to add in some conf file the same option like i did in /etc/hosts?





Offline
**
Re: connection refused to a domain on another virtual machine
« Reply #3 on: September 23, 2024, 08:13:13 PM »
Check the mail logs to identify where your VM tries to connect to when you send emails from VM1 to VM2. Make sure the MX records of the recipient's domain directs emails to the correct host.

What does happen when you run

Code: [Select]
telnet MX.HOST.COM 25
traceroute MX.HOST.COM
(MX.HOST.COM - mx record of the destination mail domain)

on the source mail host ?

Offline
*
Re: connection refused to a domain on another virtual machine
« Reply #4 on: October 13, 2024, 09:34:04 AM »
Hey.
Sorry to reply after all this long time.

So first i telnet & traceroute to the domain (not the mx record) both gave me answer and it's correct, since i add in
Code: [Select]
/etc/hosts the domains with internal ip (192.168...), i need to curl data from 1 server to another.

Then i try to telnet & traceroute to the mx record (mail is the record for MX) and nothing, no answer.
I add on both server on /etc/hosts  192.168.0.x mail.domain.com and both telnet & traceroute give me answer.

When i try to send an email from 1 server to another, in mail queue, nothing, still refusing my email.


I notice that the port 25 is open only on TCP and not on UDP...

« Last Edit: October 13, 2024, 09:35:52 AM by Thorth »

Offline
**
Re: connection refused to a domain on another virtual machine
« Reply #5 on: October 13, 2024, 09:34:50 PM »
It looks like the problem is caused by misconfiguration (invalid A,MX,CNAME records) of the DNS zones of the domains and/or by DNS resolvers on your VMs.

So my recommendation is to check the DNS zones and resolvers on both VMs.

Offline
*****
Re: connection refused to a domain on another virtual machine
« Reply #6 on: October 13, 2024, 09:37:14 PM »
Looks like you need to check your configuration in your NAT on your router to your internal IPs.

Again, ports can only be forwarded to 1 internal IP, not multiple.
And even then things get tricky, because unless you can set your rDNS correctly, SSL, etc. won't work like they should.

Offline
*
Re: connection refused to a domain on another virtual machine
« Reply #7 on: October 15, 2024, 05:56:32 PM »
It looks like the problem is caused by misconfiguration (invalid A,MX,CNAME records) of the DNS zones of the domains and/or by DNS resolvers on your VMs.

So my recommendation is to check the DNS zones and resolvers on both VMs.
thanks for the reply.
On both vm everything is ok, rDNS, CNAME, etc... double check those info.
Maybe i need to add smt more on dns manager.
this is my DNS record for MX

rDNS is correct, all my emails to Yahoo, gmail etc are delivered and everything is ok.

Offline
*
Re: connection refused to a domain on another virtual machine
« Reply #8 on: October 15, 2024, 06:00:55 PM »
Looks like you need to check your configuration in your NAT on your router to your internal IPs.

Again, ports can only be forwarded to 1 internal IP, not multiple.
And even then things get tricky, because unless you can set your rDNS correctly, SSL, etc. won't work like they should.
all the other options are working correctly, webservsers, ssl, etc even emails to gmail, yahoo, or other domain.

I'm wonder if on postfix there is some options, idk to set other local ip to check, since when i try to curl from 1 vm to another i had to add those details in /etc/hosts ... or maybe i should add on /etc/hosts the public ip and the domain...

i ask a person that know some rules, and he said to me to check the IP that he send the emails (is internal or public)...

i'll keep search for a solution, but if u any of u got any idea what to do, or what to test i'm here for it

Offline
*
Re: connection refused to a domain on another virtual machine
« Reply #9 on: October 20, 2024, 09:34:32 AM »
Hey again.
So i start to check my
Code: [Select]
/etc/hosts and with small modification i add the mx record to my host file, when i try to telnet on port 25 i got the response    ;D

But when i try to send an email i still get refused by postfix.
Is there an option to config on postfix to check for internal servers or smt like that, i'm asking this since the both VM are in the same local network.

Offline
**
Re: connection refused to a domain on another virtual machine
« Reply #10 on: October 20, 2024, 01:06:21 PM »
Dude, just forget about outgoing emails to yahoo, gmail, etc because they have correcet MX records and can be resolved from any correctly configured and working host.

Your VMs are behind NAT. So:

1. Check the MX records of your domains, make sure they are correct and working.
2. Check resolvers on your VMs. The resolvers can resolve the IP address of the MX records.
3. Check if routing from one VM to MX record of the domain hosted on another VM is ok.

Offline
*
Re: connection refused to a domain on another virtual machine
« Reply #11 on: October 20, 2024, 01:31:27 PM »
Maybe i did not express myself correctly.

Everything outside is working, outgoing mails, income mails, rDNS, PTR, DKIM, NS, etc.

With all the tools used to test the conf. (starting from mxtoolbox, mail-tester.com to diff. dns checkers, etc) got a green response and
 everything is ok, i can send and receive (emails) from others domains outside VMs network.

If i try to telnet, curl, ping, dig. whatever from others servers, everything is working and got a correct response.

My problem is between my VMs inside the same network.

I don't how to check, cuz' with all the commands i know everything is ok (i used them from outside my network, diff servers, ip etc.).

I don't know how DNS MX record should look so everything is ok between my 2 WM.

Offline
**
Re: connection refused to a domain on another virtual machine
« Reply #12 on: October 20, 2024, 03:14:40 PM »
Remove any extra lines from /etc/hosts added by you:

1. On VM1 can you resolve the MX records of the domain hosted on VM2 ?
2. Can you connect to the port 25 from VM1 to the host/IP resolved in p1 ?
3. Does the traceroute command executed on VM1 to the host/ip resolved in p1 look good (VM2 is accessible) ?

Offline
*
Re: connection refused to a domain on another virtual machine
« Reply #13 on: October 20, 2024, 03:36:15 PM »
Remove any extra lines from /etc/hosts added by you:

1. On VM1 can you resolve the MX records of the domain hosted on VM2 ?
2. Can you connect to the port 25 from VM1 to the host/IP resolved in p1 ?
3. Does the traceroute command executed on VM1 to the host/ip resolved in p1 look good (VM2 is accessible) ?

i remove all the line from
Code: [Select]
/etc/hosts
 For 1.
  • dig command work & get the correct response (on the main domain)
  • dig command & ping on mx record is ok i get the response

For 2.
  • the connection is refused when i try to telnet from vm1 to vm2

For 3.
  • traceroute is not permited


Offline
**
Re: connection refused to a domain on another virtual machine
« Reply #14 on: October 20, 2024, 05:28:06 PM »
Disable CSF/IPtables and run tests 2,3 again. If the tests are passed with the disabled CSF/iptables then check your CSF/iptables  rules.