Need Help on DNS and POP3


ckevin
06-15-2001, 03:43 AM
Hello,

I have set up RH 7.1 with DNS and POP3 daemons. My problems:

[1] DNS
It starts at boot and I can add the zone files without problems, but it seems it can't resolve domain names well.

In Win2k, I have typed "nslookup -q=any kevincheung.com ns.227media.com",
I've got:

DNS request timed out.

(the "kevincheung.com" is hosted in my server)
(DNS servers I registered in InterNIC are as follows)

ns.227media.com
216.194.79.100
ns2.227media.com
216.194.79.110

In my server, I entered "dig kevincheung.com" and got the following info:

; <<>> DiG 9.1.0 <<>> kevincheung.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51768
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;kevincheung.com. IN A

;; ANSWER SECTION:
kevincheung.com. 38400 IN A 216.234.161.166

;; AUTHORITY SECTION:
kevincheung.com. 38400 IN NS ns.227media.com.
kevincheung.com. 38400 IN NS ns2.227media.com.

;; ADDITIONAL SECTION:
ns.227media.com. 38400 IN A 216.194.79.100
ns2.227media.com. 38400 IN A 216.194.79.110

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 15 02:40:31 2001
;; MSG SIZE rcvd: 125

The above content is the correct zone data for kevincheung.com.

So how do I solve the problem, so that the domains resolve correctly from other servers/computers?


[2] POP3
POP3 and Secure POP3 are enabled over TCP, and to prove that I entered "netstat -vat" via SSH; here is the output.

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 216.194.79.106:domain *:* LISTEN
tcp 0 0 216.194.79.105:domain *:* LISTEN
tcp 0 0 216.194.79.104:domain *:* LISTEN
tcp 0 0 216.194.79.103:domain *:* LISTEN
tcp 0 0 216.194.79.102:domain *:* LISTEN
tcp 0 0 216.194.79.101:domain *:* LISTEN
tcp 0 0 216.194.79.100:domain *:* LISTEN
tcp 0 0 216.194.79.99:domain *:* LISTEN
tcp 0 0 216.194.79.110:domain *:* LISTEN
tcp 0 0 216.194.79.109:domain *:* LISTEN
tcp 0 0 216.194.79.108:domain *:* LISTEN
tcp 0 0 216.194.79.107:domain *:* LISTEN
tcp 0 0 216.194.79.98:domain *:* LISTEN
tcp 0 0 216.194.79.97:domain *:* LISTEN
tcp 0 0 server-copet.net:domain *:* LISTEN
tcp 0 0 server.227media.:domain *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:5879 *:* LISTEN
tcp 0 0 server.227media.co:smtp *:* LISTEN
tcp 0 0 *:https *:* LISTEN

However, when I use Outlook Express, the error says the connection failed.

So can you suggest how to solve the problem, so that I can receive my mail through Outlook Express?

Please reply soon.

Thanks,

Kevin


Craig McPherson
06-15-2001, 03:59 AM
It's too early in the morning to be thinking about DNS, but I can comment on your POP3 situation.

First, what POP3 daemon are you using? Are you using the same program for both POP3 and POP3-SSL, or two different ones?

Second, you need to isolate where the problem is. Do the following to diagnose:

1. From the server system, telnet to localhost port 110. "telnet localhost 110" should do this. If you get a POP3D banner, it means that your POP3 service is actually working.

2. From a remote system telnet to the server computer on port 110. "telnet 192.168.1.1 110" will do this, substituting the correct IP address -- do this by IP address rather than by hostname to eliminate another point of failure. If you get a POP3D banner, it means that your POP3 service is working AND you can connect to it via a remote machine.

3. While you've telnetted to port 110 on the machine, try to log in using the following commands:

user username
pass password
list
quit

If it lets you log in, the "list" command should list all your mail. If this works, it means that the POP3 service is configured correctly to allow logins.

Tell me where in this process you run into trouble.

If #1 fails, it means that the POP3 service isn't even running properly.

If #1 passes but #2 fails, it means most likely that your connection is being blocked by a firewall or TCP wrappers.

If #2 passes but #3 fails, it means there's a configuration problem with the POP3 server that's not letting you log in.

If #3 passes, then you've configured Outlook incorrectly.

I hope this helps!

freebsd
06-15-2001, 05:13 AM
Action # 1:
root /root # nslookup 216.234.161.166
Server: ns1.mydomain.com
Address: 12.34.56.78

Name: server-copet.net
Address: 216.234.161.166

Action # 2:
root /root # nslookup
Default Server: ns1.mydomain.com
Address: 12.34.56.78
# DNS propagation across the Internet may take longer
# so using ns.227media.com nameserver, not mine
> server ns.227media.com
Default Server: ns.227media.com
Address: 216.194.79.100

> set type=any
> kevincheung.com
Server: ns.227media.com
Address: 216.194.79.100

*** ns.227media.com can't find kevincheung.com: No response from server

Action # 3:
root /root # nslookup
Default Server: ns1.mydomain.com
Address: 12.34.56.78

> server ns.227media.com
Default Server: ns.227media.com
Address: 216.194.79.100

> server-copet.net
Server: ns.227media.com
Address: 216.194.79.100

*** ns.227media.com can't find server-copet.net: No response from server

Action # 4:
root /root # ping ns.227media.com
PING ns.227media.com (216.194.79.100): 56 data bytes
64 bytes from 216.194.79.100: icmp_seq=0 ttl=245 time=84.217 ms
64 bytes from 216.194.79.100: icmp_seq=1 ttl=245 time=84.839 ms
^C

ns.227media.com is up and running, but it doesn't respond for either server-copet.net or kevincheung.com. If ns.227media.com has been reloaded and it still doesn't resolve your domains, tell them to fix it.

As for the POP3 problem, try to connect via IP, not hostname.


ckevin
06-15-2001, 09:04 PM
Originally posted by Craig McPherson:
"If #1 passes but #2 fails, it means most likely that your connection is being blocked by a firewall or TCP wrappers."

Craig McPherson, thanks for your detailed help. I have tested it and #2 fails. In "xinetd" I enabled both the POP3 and Telnet services, and when I check with "netstat", both the POP3 and Telnet ports are listening.


tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN


So can you confirm that the server connection is being blocked by a firewall? If not, can you suggest any other solution?


ckevin
06-15-2001, 09:13 PM
Originally posted by freebsd:
"ns.227media.com is up and running but it doesn't respond to server-copet.net nor kevincheung.com. If ns.227media.com has been reloaded and it still doesn't resolve your domains, tell them to fix it."

Thanks for your help, freebsd. However, I have restarted the DNS again, but it still can't resolve my domains. I'm the admin of the server, so can anyone suggest how to fix that? Do you think it's a firewall problem and not a problem on my side?

Thanks.

Kevin

P.S.
The IPs 216.194.79.100, 216.194.79.110 and 216.234.161.166 are on the same server.


Craig McPherson
06-15-2001, 11:21 PM
ckevin:

Let me make sure I understood your last message. When you're on the server machine, you can telnet to its own port 110, but when you're on another machine, you can't telnet to port 110 on that machine?

If that's the case, then it could be one of two things blocking your connection:

1. A firewall, in which case either you'll get an immediate "connection refused" OR no response at all until the connection times out.

2. TCP Wrappers, in which case you'll seem to connect then get an immediate "connection closed by remote host."

If your connection is being blocked by TCP Wrappers, the problem is easy to fix: add "ALL:ALL" to your /etc/hosts.allow file and remove everything from your /etc/hosts.deny.

If it's a firewall that's blocking your connection, it's a bit more elaborate. Does your distribution use a 2.2 kernel or a 2.4 kernel? In either case, I can give you an example firewall script that will open up those ports on your machine to the outside world.
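Craig's three telnet checks, plus the firewall-versus-TCP-wrappers distinction from his later reply, written as one probe script. This is an added example, not code from the thread: fake_pop3_server is a constructed loopback stand-in so the probe can be exercised offline, and the tls option (POP3S on port 995, where plain telnet only ever sees the connection close) is an extension beyond what the posts describe.

```python
import socket
import ssl
import threading

def probe_pop3(host, port, timeout=5.0, user=None, password=None, tls=False):
    """Classify a POP3 port as the telnet checks do: refused/timeout (nothing
    reachable: firewall), closed (accepted, then dropped with no banner: TCP
    wrappers), banner (daemon answers), login_ok/login_failed when user is given."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if tls:   # POP3S: handshake first, banner arrives inside the tunnel; verifies the cert
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        with sock, sock.makefile("rb") as reply:
            if not reply.readline().startswith(b"+OK"):
                return "closed"           # EOF (b"") or something other than POP3
            if user is None:
                return "banner"
            ok = True                     # USER, PASS, QUIT must each get +OK
            for cmd in (b"USER " + user.encode(), b"PASS " + password.encode(), b"QUIT"):
                sock.sendall(cmd + b"\r\n")
                ok = ok and reply.readline().startswith(b"+OK")
            return "login_ok" if ok else "login_failed"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:                # no SYN-ACK, or accepted but silent
        return "timeout"

def fake_pop3_server(accept_user="kevin", hang_up=False):
    """Constructed loopback stand-in for ipop3d; hang_up=True mimics TCP wrappers."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve(conn):
        with conn:
            if hang_up:
                return                    # accept, then close without a banner
            conn.sendall(b"+OK constructed POP3 server ready\r\n")
            for line in conn.makefile("rb"):
                cmd, _, arg = line.decode().strip().partition(" ")
                if cmd.upper() == "QUIT":
                    return conn.sendall(b"+OK bye\r\n")
                good = cmd.upper() == "PASS" or (cmd.upper(), arg) == ("USER", accept_user)
                conn.sendall(b"+OK\r\n" if good else b"-ERR\r\n")
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=serve, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]
```

Run probe_pop3 first from the server against 127.0.0.1, then from another host against the server's IP; the result that changes between the two runs tells you which layer (daemon, wrappers, firewall) is rejecting the connection.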

ckevin
06-15-2001, 11:58 PM
I think the case is [1] and I need your firewall script, because I just get no response at all until the connection times out.

I have checked the Service access control and it allows access from all hosts. Since I'm using RH 7.1, I believe it should be a 2.4 kernel, right?

Thanks for your help.

Kevin

Craig McPherson
06-16-2001, 12:20 AM
Okay, I will give you an example firewall script.

Does your machine have only one network interface, or does it have two interfaces: one for the Internet and one for an internal network? If the latter, does it do IP masquerading for the internal network?

Craig McPherson
06-16-2001, 04:59 AM
I'll assume for the moment that your box is not acting as a router, and just has one single network interface.

This is a simple iptables firewall that will block all connection attempts from outside except for DNS, POP3, POP3S, HTTP, and SMTP. You should customize it for your system. It's very bare-bones.


#!/bin/sh
# Single-NIC host, no forwarding: drop everything inbound by default,
# allow everything outbound, then open only the listed services.
UNPRIV=1024:65535

# Flush rules, zero counters and delete user chains so the script is repeatable.
iptables -F
iptables -F -t nat
iptables -Z
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Loopback traffic is always allowed.
iptables -A INPUT -i lo -j ACCEPT

# Drop packets the connection tracker cannot classify.
iptables -A INPUT -m state --state INVALID -j DROP

# New inbound connections from unprivileged client ports: POP3, POP3S, HTTP, SMTP.
iptables -A INPUT -p tcp --sport $UNPRIV --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --sport $UNPRIV --dport 995 -j ACCEPT
iptables -A INPUT -p tcp --sport $UNPRIV --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport $UNPRIV --dport 25 -j ACCEPT
# DNS over TCP and UDP from any source port (other nameservers may query from 53).
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

# Note: port 22 is not opened; add a rule for it before running this over SSH,
# or the next SSH login will be dropped (the current session survives below).
# Replies to connections this host opened.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



ckevin
06-16-2001, 08:54 AM
Thank you very much, Craig McPherson. My server is only connected to the Internet and has 1 NIC only.

However, can you provide step-by-step instructions on how to get it working on my server? I don't have any experience dealing with firewalls.

Thanks for your help again. :)

Kevin

ckevin
06-16-2001, 02:08 PM
OK, I finally checked and found that IPchains and IPTables were installed with my RH 7.1 and run on every boot. After I stopped them, I can get DNS and POP3 working without problems. Does anyone think it is not secure to turn them off? I hope this won't create any security problem.

Thanks all, especially Craig McPherson. Cheers.


Kevin

ckevin
06-16-2001, 02:19 PM
Oh, by the way, I wish to use Secure POP3 but it fails.

When using the local server and type:

telnet 216.194.79.100 995

the error says 'Connection closed by the foreign host', and if using my Win2k computer, it says the connection failed.

I'm quite sure POP3 can be used but Secure POP3 (port 995) can't... Can anyone suggest how to solve this?

Both TCP ports are listening:

tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN

Craig McPherson
06-16-2001, 03:14 PM
Well, your system uses EITHER IPChains or IPTables depending on the kernel version. The firewall itself is inside the kernel itself: the "ipchains" and "iptables" programs are just userspace programs that feed the firewall in the kernel.

You should read up on how Iptables works, and set up a firewall script like the one I posted above. If you want to try that one out, just save it as a script, make that script executable, and then run it. It's just an example, I haven't field-tested it, but it should work.

About your POP3S: it looks like since you get "connection closed by the foreign host", it's possibly being blocked by TCP Wrappers.

What's in your /etc/hosts.allow and /etc/hosts.deny?

ckevin
06-16-2001, 11:12 PM
I have put nothing in both /etc/hosts.allow and /etc/hosts.deny files.

I see all the services like telnet, POP3 and POP3s run from /usr/sbin/PROGRAM (e.g. /usr/sbin/ipop3d), and they can individually be set to allow access from all hosts or deny it. Thus, when I put ALL:ALL in the /etc/hosts.allow file, the result is the same.

By the way, I just telnet to port 995 from the server itself and not from my Win2k computer. So it is strange to see the TCP port listening but I can't use it on my server.

Thanks,

Kevin


ckevin
06-17-2001, 10:09 PM
I tried to run the script from /sbin, but it fails, so I tried running it line by line, and I got the following errors:

/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device
or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.1a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Can anyone suggest how to solve it?

Craig McPherson
06-17-2001, 10:43 PM
Try this:

modprobe iptable_filter

ckevin
06-17-2001, 11:19 PM
OK, now the DNS problem is fixed.

For the Secure POP3, when I telnet using my server:

[kevin@server kevin]$ telnet server.227media.com 995
Trying 127.0.0.1...
Connected to server.227media.com.
Escape character is '^]'.
Connection closed by foreign host.

AND

[kevin@server kevin]$ netstat -vat | grep pop3
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 server.227media.c:pop3s server.227media.c:37395 TIME_WAIT
tcp 0 0 server.227media.c:pop3s server.227media.c:37398 TIME_WAIT

Please advise.

Thanks very much,

Craig McPherson

PS. IPTables and IPChains were both installed in the default server installation of RH 7.1 and both are started at boot by default, so I need to choose one and modify the config. See RH (http://www.redhat.com/support/docs/gotchas/7.1/gotchas-71.html).


ckevin
06-17-2001, 11:23 PM
Originally posted by Craig McPherson:
"Try this:

modprobe iptable_filter"

I have got the same result:

[root@server /sbin]# ./modprobe iptable_filter
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device
or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod iptable_filter failed

The DNS is up now, and if this is not needed for fixing POP3s, then forget this problem :)

Craig McPherson
06-18-2001, 12:00 AM
Try the "lsmod" command and post its output here.

ckevin
06-18-2001, 12:54 AM
[kevin@server /sbin]$ ./lsmod
Module Size Used by
autofs 11264 1 (autoclean)
tulip 38544 1 (autoclean)
ipchains 38976 0 (unused)
usb-uhci 20720 0 (unused)
usbcore 49664 1 [usb-uhci]

Any clue?

Craig McPherson
06-18-2001, 01:18 AM
You need to rmmod ipchains, then you'll be able to use iptables instead.

ckevin
06-18-2001, 01:43 AM
Oh, thanks for your help, but how about the POP3s problem? Any idea? It seems I can run all services now except POP3s.

Thanks for your great help!

Kevin

Craig McPherson
06-18-2001, 01:58 AM
Well, POP3-SSL isn't a plain-text transfer, so you won't see any sort of banner if you just telnet to the port. The POP3-SSL daemon will expect you to be sending encrypted data to it.

Have you tried just configuring a mail client to connect to the server with POP3-SSL and try to download mail? Can you download mail with normal POP3? That'd be the first thing to try...

ckevin
06-18-2001, 11:04 AM
Yes, I can download mail using standard POP3, but when I use POP3s, it rejects it... I'm using Outlook Express.

Thanks for your help.

Kevin