ichat federation with Ichat - authorization not coming through

Question

ichat federation with Ichat - authorization not coming through

hi all,

Having a bit of trouble federating ichat with google talk servers.

Specifically, authorizations are not making it through to end users.

the google talk servers are all listed via IP in the ichat federation server settings.

ichat server restarts ok, no log errors

from a ichat account, i enter a gmail buddy and he does not receive the auth.

nothing is being blocked by the firewalls.

Ive added in the SRV records into the dns server for google talk.

Im seeing this in the logs which is odd.

Jul 22 16:54:41 mail jabberd/s2s[95286]: [7] [::ffff:209.85.224.84, port=52560] incoming connection

Jul 22 16:54:41 mail jabberd/s2s[95286]: [7] [::ffff:209.85.224.84, port=52560] incoming stream online (id dgwkyu6fz9aodmgo3cx8vwi7gdy9i7axtrw6yckb)

Jul 22 16:54:41 mail jabberd/s2s[95286]: [7] [::ffff:209.85.224.84, port=52560] received dialback auth request for route 'ichat.mysublime.net/gmail.com'

Jul 22 16:54:41 mail jabberd/s2s[95286]: sending a packet to domain not in the whitelist, dropping it

Jul 22 16:54:59 mail jabberd/s2s[95286]: [7] [::ffff:209.85.224.84, port=52560] disconnect, packets: 1

here are the DNS entries that i was recommended to put in.

I'm just getting the reverse path updated for ichat.mysublime.net

it should be 203.167.225.186

Does anyone have any ideas on where to from here?

Cheers

Cowan

macbook pro, Mac OS X (10.6.6)

Posted on Jul 24, 2011 8:51 PM

Reply

Answer 1

Jul 24, 2011 8:57 PM in response to Cowan Pettigrew

here is some additional text that comes through in the logs when a gtalk user try's to suth with our ichat server.

Jul 25 15:11:30: --- last message repeated 3 times ---

Jul 25 15:32:45 mail jabberd/resolver[95280]: [_xmpp-server._tcp.gmail.com] resolved to 74.125.53.125:5269 (300 seconds to live)

Jul 25 15:32:46 mail jabberd/resolver[95280]: [_xmpp-server._tcp.gmail.com] resolved to 74.125.53.125:5269 (1800 seconds to live)

Jul 25 15:32:46 mail jabberd/resolver[95280]: [_xmpp-server._tcp.gmail.com] resolved to 74.125.47.125:5269 (1800 seconds to live)

Jul 25 15:32:46 mail jabberd/resolver[95280]: [_xmpp-server._tcp.gmail.com] resolved to 74.125.45.125:5269 (1800 seconds to live)

Jul 25 15:32:46: --- last message repeated 1 time ---

Jul 25 15:32:46 mail jabberd/s2s[95286]: sending a packet to domain not in the whitelist, dropping it

Jul 25 15:54:44 mail jabberd/s2s[95286]: [7] [::ffff:74.125.94.87, port=60862] incoming connection

Jul 25 15:54:44 mail jabberd/s2s[95286]: [7] [::ffff:74.125.94.87, port=60862] incoming stream online (id 50xwqi6l2781zbiodbn3g22kaarp2q3dryy4bk4l)

Jul 25 15:54:44 mail jabberd/s2s[95286]: [7] [::ffff:74.125.94.87, port=60862] received dialback auth request for route 'ichat.mysublime.net/gmail.com'

Jul 25 15:54:44 mail jabberd/s2s[95286]: sending a packet to domain not in the whitelist, dropping it

Jul 25 15:55:03 mail jabberd/s2s[95286]: [7] [::ffff:74.125.94.87, port=60862] disconnect, packets: 1

Reply

Answer 2

Tim Harris

Level 4

1,481 points

Jul 25, 2011 12:38 AM in response to Cowan Pettigrew

First,

you have two reverse records for your server. 203.167.225.186 - you only need one.

Second - don't add SRV records for gmail... that's their job, but you should ideally have them for your servers.

Where does IP address 209.85.224.84 fit into your network setup.?

What settings have you got in your Server Admins for federations

Tim

Reply

Answer 3

Jul 25, 2011 2:37 PM in response to Tim Harris

Hi Tim,

thanks for getting in touch.

We have 2 reverse records as this mini mac svr is also our email svr.

mail.mysublime.net = 203.167.225.186

ichat.mysublime.net = 203.167.225.186

The host name of the svr is mail. it is in the realm of MYSUBLIME.NET

On your second point, i got told to put those entries into my DNS svr, is that not correct?

DNS is running on the main PDC, also a mini mac server in a different subnet.

Re the server admin settings, here is a pic of what i have. I got told in a earlier post to enter the IP addresses of the google talk servers rather than talk.google.com.

in fact if i try to enter talk.google.com i cant get ichat to restart.

Reply

Answer 4

Jul 25, 2011 2:39 PM in response to Cowan Pettigrew

please ignore the last line,

in fact if i try to enter talk.google.com i cant get ichat to restart.

typo.

Reply

Answer 5

Jul 25, 2011 2:45 PM in response to Cowan Pettigrew

HI Tim,

"Where does IP address 209.85.224.84 fit into your network setup.?"

the IP above is from a gmail/google talk user who is attempting to send me a buddy invite to my ichat account.

C

Reply

Answer 6

Jul 25, 2011 10:14 PM in response to Cowan Pettigrew

Tim,

After reading another your very very f*&king helpful posts im going to delete the srv records ive entered in DNS.

C

Reply

Answer 7

Jul 25, 2011 10:18 PM in response to Cowan Pettigrew

ok, that didn't work

when i send a add gmail buddy from my ichat account to gmail suer the logs show this.

Jul 26 17:16:24: --- last message repeated 1 time ---

Jul 26 17:16:24 mail jabberd/s2s[6559]: [7] [::ffff:209.85.224.81, port=57429] incoming connection

Jul 26 17:16:24 mail jabberd/s2s[6559]: [7] [::ffff:209.85.224.81, port=57429] incoming stream online (id eu55py39py7mknomkrc1pj8eg0epcxg2obwnvlrj)

Jul 26 17:16:24 mail jabberd/s2s[6559]: [7] [::ffff:209.85.224.81, port=57429] received dialback auth request for route 'ichat.mysublime.net/gmail.com'

Jul 26 17:16:24 mail jabberd/s2s[6559]: sending a packet to domain not in the whitelist, dropping it

Jul 26 17:16:43 mail jabberd/s2s[6559]: [7] [::ffff:209.85.224.81, port=57429] disconnect, packets: 1

Reply

Answer 8

Tim Harris

Level 4

1,481 points

Jul 26, 2011 1:18 PM in response to Cowan Pettigrew

Try this:

1) change to "allow federated with all domains

I see you have removed the SRV records - that is good 'cos there were sending traffic to Gmail servers - and not your own.

If that fixes the problem - we can then move to locking you server down and adding the corect DNS records.

Note that you still have two PTR records - you must fix that - by removing the ichat.mysublime.net

;; QUESTION SECTION:

;186.225.167.203.in-addr.arpa. IN PTR

;; ANSWER SECTION:

186.225.167.203.in-addr.arpa. 86400 IN PTR mail.mysublime.net.

186.225.167.203.in-addr.arpa. 86400 IN PTR ichat.mysublime.net.

Remove the ichat

Reply

Answer 9

Jul 26, 2011 1:55 PM in response to Tim Harris

Hi Tim,

I'm getting the rev ptr bit removed now. thanks again for your help on this.

Once the ptr is gone, ill give it another go and get back to you.

Cheers

Reply

Answer 10

Jul 26, 2011 11:22 PM in response to Cowan Pettigrew

Hi Tim,

ok we are now federating ok and auth's are coming through with the allow all option.

I'd like to flick that back to the whitelist if i can.

You mentioned fixing my DNS, did you have some additional thoughts?

Thanks

Reply