No route to host?

Hello,

So today, I came in and started looking at my server and can't seem to get any e-mail to leave it. It sits in the queue and says "No route to host". I've checked it with multiple accounts: Hotmail, Yahoo, and a few customers' e-mail addresses. Same thing on all of them.

Typing "host apple.com" in the terminal reports:
"apple.com has address 17.254.3.183"

So DNS seems to be working, I can connect with file sharing to the server, e-mail will still come INTO the server, I can ping the server, and the Web Server still responds from outside the network. I haven't made any changes that would stop it that I am aware of, if someone wanted to double check that port 25 is open from outside my network I would appreciate it. raoset.com

I can type: "Telnet raoset.com 25" and it connects just fine to my mail server from INSIDE my network.

Connected to raoset.com.
Escape character is '^]'.
220 raoset.com ESMTP Postfix


my postconf -n:

alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname,localhost.$mydomain,raoset.com,192.168.0.254,68.21.192.86,mail.raoset.com,127.0.0.1
mydomain = raoset.com
mydomain_fallback = localhost
myhostname = raoset.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net reject_rbl_client relays.ordb.org permit
smtpd_pw_server_security_options = gssapi,cram-md5,login,plain
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_key_file =
smtpd_use_pw_server = yes
unknown_local_recipient_reject_code = 550


I'm at a loss as to what to do, I need to get this back up and working. Any help would be greatly appreciated!

Also... I tried going to web pages from the server (Just to test) And it says it "Safari can't open the page "HTTP://www.apple.com" because it could not connect to the server "www.apple.com""(Or insert your favorite website it says the same thing)

Not sure what other info would be helpful, but let me know and I'll try and post it!

TIA!
Jason

Multiple Macs, Mac OS X (10.4.5)

Posted on Mar 20, 2006 8:31 AM


Mar 20, 2006 8:57 AM in response to Jason Pruim1

Well something must have been changed, either knowingly or unknowingly.

I would suspect that your server doesn't "know" where its router is (check network settings of your server), or that your router has problems.

Alex

P.S. Although this is not the cause of your problem (since you cannot surf from the server either), your mail settings are far from perfect. Once you got your connectivity issue sorted, you should fix at least the following:
1. You are missing the "mynetworks" parameter (i.e. you should add your allowed networks either manually or through SA->Mail->Settings->Relay->Accept SMTP relay only from....)
2. mydestination should not contain IP numbers. Again, fix manually or remove from SA->Mail->Settings->Advanced->Hosting->Local Host Aliases
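
Added example, not part of the original reply: a shell function that reads `postconf -n` output on stdin and flags the two points in the P.S. above (no explicit `mynetworks`, IP numbers in `mydestination`). The function names are hypothetical, and the sample input is constructed from the output posted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit `postconf -n` output on stdin
# for the two issues named in the reply above.
audit_postconf() {
    awk '
        /^[ \t]*#/ || !/=/ { next }          # skip comments and non-settings
        {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            conf[key] = val
        }
        END {
            # Point 1: no explicit mynetworks, so Postfix derives the trusted
            # client list from mynetworks_style instead.
            if (!("mynetworks" in conf)) {
                style = ("mynetworks_style" in conf) ? conf["mynetworks_style"] : "unset"
                print "WARN mynetworks is not set (mynetworks_style=" style ")"
            }
            # Point 2: mydestination should list domain names, not IP numbers.
            n = split(conf["mydestination"], dest, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (dest[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    print "WARN mydestination contains IP address " dest[i]
        }'
}

# Constructed sample: the relevant lines of the postconf -n output above.
sample_postconf() {
    cat <<'EOF'
mydestination = $myhostname,localhost.$mydomain,raoset.com,192.168.0.254,68.21.192.86,mail.raoset.com,127.0.0.1
mydomain = raoset.com
mynetworks_style = host
EOF
}

sample_postconf | audit_postconf
```

On a live server the same check is run as `postconf -n | audit_postconf`; no output means neither issue was found.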

Mar 20, 2006 11:13 AM in response to pterobyte

The address of the router is listed as the router, and that has not changed. And the router is serving the other computers perfectly fine. No problems on any other computers.

On the other stuff... Assuming that the "mynetworks" parameter is filled in by "Accept SMTP relays only from these hosts and networks", it is listed and I'm not sure why it's not displaying in the postconf.

And the IPs were an attempt to get my mail server to accept mail for domain literals per: RFC1123 5.2.17

But apparently that is not where to do it.


Also... if the server can resolve addresses properly both inside and outside my network, wouldn't that lead it to be something other than the equipment used for connecting to the internet?

Mar 20, 2006 11:24 AM in response to Jason Pruim1

Well, the DNS resolution can come out of its cache as well. Typically a mail server looks up tons of domains.

Silly question: You did try and restart your server, didn't you?

Since you say, SA lists parameters that are not reflected in your configuration files, maybe something went out of sync. Try and check all relevant configuration files without SA. Also check all network parameters like subnet mask and so on.

Also, try and run a traceroute to the outside (will probably fail).

Alex

Mar 20, 2006 11:33 AM in response to pterobyte

The server has been restarted a few times (wishful thinking).

Some of the lookups I was doing, though, I was specifying another server, not just my own, and all came back with IPs (don't know if they were right but I'm assuming they are).

The results of the traceroute:

Traceroute has started ...

traceroute to apple.com (17.254.3.183), 64 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 16.118 ms 3.420 ms 0.688 ms
2 192.168.0.1 (192.168.0.1) 0.728 ms !N 9.741 ms !N 6.864 ms !N


Never seen it do the !N thing before, maybe significant? Trying to look at the config files manually right now, just wanted to get this info out to you.

Also... SA Seems to be freezing on me when I'm looking at the mail tab, Going to try and look at other stuff after I force quit it and see if it happens on the other as well....

Mar 20, 2006 11:43 AM in response to Jason Pruim1

Okay, the info out of main.cf (I'm assuming the right file?) says this:

# THE FOLLOWING DEFAULTS ARE SET BY APPLE
#
# bind to localhost only
#
inet_interfaces = all

# turn off relaying for local subnet
#
mynetworks_style = host

# mydomain_fallback: optional domain to use if mydomain is not set and
# myhostname is not fully qualified. It is ignored if neither are true.
#
mydomain_fallback = localhost

# The mailbox_size_limit parameter controls the maximal size of a
# mailbox or maildir file (in fact, it limits the size of any file
# that is written to upon local delivery) The default is 50 MBytes.
# This limit must not be set smaller than the message size limit.
#
mailbox_size_limit = 0

smtpd_tls_key_file =
myhostname = raoset.com
mailbox_transport = cyrus
enable_server_options = yes
smtpd_sasl_auth_enable = yes
smtpd_use_pw_server = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_pw_server_security_options = gssapi,cram-md5,login,plain
mydestination = $myhostname,localhost.$mydomain,raoset.com,mail.raoset.com,127.0.0.1
mydomain = raoset.com
owner_request_special = no
recipient_delimiter = +
alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
smtpd_client_restrictions = permit_mynetworks reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net reject_rbl_client relays.ordb.org permit
maps_rbl_domains =
message_size_limit = 0

Are there other files I should look in? I'll keep digging also...

Thanks for your help! I at least feel like I'm getting SOMEWHERE, even if it isn't fixed YET! 🙂

Mar 20, 2006 11:55 AM in response to Jason Pruim1

I can connect to your mail server and it is running just fine.

As I said before, since you cannot even surf the web from your server, you do have a connectivity issue and not a mail issue.

So from what it looks, you can get to your server, but your server cannot connect to the outside world. This points to a network configuration issue.

So you should check anything network related.

It's getting late here, so I won't be able to be of much assistance before tomorrow again.

Alex

Mar 20, 2006 12:09 PM in response to pterobyte

Everything that I can check says it's working normally. All the other computers in the office are operating normally...

If it makes a difference, I did notice 2 distinct entries in the SMTP logs:

Mar 20 15:05:38 raoserv1 postfix/smtp[6752]: connect to sbcmx5.prodigy.net[207.115.20.20]: No route to host (port 25)
Mar 20 15:05:47 raoserv1 postfix/smtp[6696]: 595B2890DC: to=<raoset@hotmail.com>, relay=none, delay=3148, status=deferred (connect to mx2.hotmail.com[65.54.244.168]: No route to host)


Does it matter that one says "No route to host" and the other has all the "delay=348, status=deferred" stuff on it? Just something I noticed and throw out to anyone willing to take a look 🙂
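
Added example, not part of the original posts: a shell function that groups Postfix smtp client connection failures by error text, so that the connection-attempt form and the `status=deferred` form of the same error are counted together. The function names are hypothetical; the first two sample lines are the entries quoted above and the third is constructed for contrast.

```shell
#!/bin/sh
# Added example (not from the thread): summarize outbound connection failures
# from Postfix smtp client log lines read on stdin.
summarize_connect_failures() {
    awk '
        /postfix\/smtp\[/ && /connect to / {
            s = $0; sub(/.*connect to /, "", s)      # host[ip]: reason...
            lb = index(s, "["); rb = index(s, "]")
            if (lb == 0 || rb < lb) next
            ip = substr(s, lb + 1, rb - lb - 1)
            reason = substr(s, rb + 3)               # text after "]: "
            sub(/ \(port [0-9]+\)$/, "", reason)     # connection-attempt form
            sub(/\)$/, "", reason)                   # delivery-status form
            if (!((reason, ip) in seen)) { seen[reason, ip] = 1; hosts[reason]++ }
            if ($0 ~ /status=deferred/) deferred[reason]++
        }
        END {
            for (r in hosts)
                printf "reason=\"%s\" hosts=%d deferred=%d\n", r, hosts[r], deferred[r]
        }'
}

# Sample input: two entries from the post above, one constructed line.
sample_log() {
    cat <<'EOF'
Mar 20 15:05:38 raoserv1 postfix/smtp[6752]: connect to sbcmx5.prodigy.net[207.115.20.20]: No route to host (port 25)
Mar 20 15:05:47 raoserv1 postfix/smtp[6696]: 595B2890DC: to=<raoset@hotmail.com>, relay=none, delay=3148, status=deferred (connect to mx2.hotmail.com[65.54.244.168]: No route to host)
Mar 20 15:06:02 raoserv1 postfix/smtp[6752]: connect to mx.example.net[192.0.2.25]: Connection refused (port 25)
EOF
}

sample_log | summarize_connect_failures
```

One error text repeated across unrelated remote hosts is what a local routing fault looks like in the mail log; an error tied to a single remote host points at that host instead.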

Mar 20, 2006 1:06 PM in response to Jason Pruim1

Okay, so I spoke too soon... Apparently MY computer can connect to the internet, but the others in the office have started not being able to access the internet. I am looking at my switch and my router at this point to see if I can determine what happened.

If anyone has experience with a Netopia 4541 ADSL router/modem let me know 🙂

The hub is a Netgear Fast Ethernet switch FS116 but is not managed, so I would think if there was a problem with it the entire network would be down, but I'll try plugging into different ports on the hub to see what happens.

Mar 21, 2006 12:01 AM in response to Jason Pruim1

Okay, so I spoke too soon... Apparently MY computer
can connect to the internet, but the others in the
office have started not being able to access the
internet, I am looking at my switch, and my router at
this point to see if I can determine what happened.

Yes, this is most likely where you will find the problem.
You may want to post in the networking section.

Mar 23, 2006 8:06 AM in response to Jason Pruim1

Here's a utility that may assist in providing future debug information.
<hr>
<pre>#!/bin/bash
#
# Name:
# saslfinger
#
# Drafted by Ralf Hildebrandt
# written by Patrick Koetter
# Initial release: August, 13th 2004 - a Friday... 😉
# Modification by Dale Walsh (a C version is in the works)

#####################################################################
# VARIABLES #
#####################################################################
set -e
scriptname="${0##*/}"
scriptversion=0.9.9.2-MODIFIED

declare -a sasl_dirs valid_sasl_lib_names

# Expanded to cover more OS installation variants
sasl_dirs=(/usr/lib/sasl \
/var/lib/sasl \
/opt/lib/sasl \
/usr/lib/sasl2 \
/usr/lib/sasl2/disabled \
/usr/lib/sasl2/openldap \
/var/lib/sasl2 \
/opt/lib/sasl2 \
/usr/local/lib/sasl2 \
/usr/pkg/lib)

# Find out what tool we use
if test -x "$(which ldd)" ; then
ldd_tool="ldd"
elif test -x "$(which otool)" ; then
ldd_tool="otool -L"
fi

# original
#sasl_libs=(libsasl.so libsasl2.so)
# modified to include .dylib
#sasl_libs=(libsasl.so libsasl2.so libsasl.dylib libsasl2.dylib libsasl2.2.dylib)

# compressed to actual required search criteria using break
sasl_libs=(libsasl2 libsasl)

#####################################################################
# COMMANDS AND FUNCTIONS #
#####################################################################

export PATH="/bin:/sbin:/usr/bin:/usr/sbin:$PATH"

function start () {
echo "${scriptname} - postfix Cyrus sasl configuration $(date)"
echo "version: ${scriptversion}"
echo "mode: ${mode} SMTP AUTH"
}

function end () {
echo "-- end of ${scriptname} output --"
}

function postconf_get () {
postconf -h ${1};
}

function get_saslpasswd () {
postconf -h smtp_sasl_password_maps | sed -e s/^.*://;
}

function get_mail_version () {
declare -a systems
local systems=("/etc/redhat-release" "/etc/fedora-release" "/etc/slackware-version" "/etc/issue" "/etc/motd")
echo "-- basics --"
echo "Postfix: v$(postconf_get mail_version)"
for ltables in $(postconf -m | sed -e s/^.*://) ; do
if [ "${ltables}" ]; then
echo -e " Lookup Table: ${ltables}"
fi
done; echo
for system in ${systems[@]}; do
if [[ -e ${system} ]]; then
echo "System: $(cat ${system})"
break
else
continue
fi
done
}

function get_sasl_dirs () {
local i=0
local sasldir=""
for sasldir in ${sasl_dirs[@]}; do
if [ -d ${sasldir} ]; then
valid_sasldirs[$i]=${sasldir}
let "i = $i + 1"
fi
done
if ! [[ ${valid_sasldirs[@]} ]]; then
echo -e "\aCould not find any valid Cyrus SASL directories."
echo "Cyrus SASL is required to setup SMTP AUTH!"
exit 72
fi
}


function get_sasl_support () {
local sasllib=""
echo "-- $1 is linked to --"
for sasllib in ${sasl_libs[@]}; do
local ldd_res="$($ldd_tool "$(postconf_get daemon_directory)/${1}" | egrep -e "${sasllib}" 2>/dev/null)"
if [ -n "${ldd_res}" ]; then
echo "${ldd_res}"
break
fi
done
}


function get_smtp_dialogue () {
echo "-- mechanisms on ${1} --"
# printf sends a real CRLF after each command; plain echo (without -e) would
# send the characters \r\n literally as part of the EHLO argument.
if printf 'EHLO %s\r\nQUIT\r\n' "$HOSTNAME" | nc -w 1 -v ${1} 25 2>/dev/null | egrep "AUTH" 2>/dev/null; then
echo
elif printf 'EHLO %s\r\nQUIT\r\n' "$HOSTNAME" | netcat -w 1 -v ${1} 25 2>/dev/null | egrep "AUTH" 2>/dev/null; then
echo
else
(echo "EHLO $HOSTNAME"; sleep 2) | telnet ${1} 25 2>/dev/null | egrep "(AUTH)"
fi
}


function get_maincf () {
if test ${1} = "smtpd"; then
local authparams="(^smtpd_sasl_*|broken_sasl_auth_clients|^smtpd_use_tls|^smtpd_tls_*|^smtpd_use_pw_server)"

elif test ${1} = "smtp"; then
local authparams="(^smtp_sasl_*|^relayhost|^smtp_use_tls|^smtp_tls_*)"
fi

for daemon in ${1}; do
echo "-- active SMTP AUTH and TLS parameters for ${1} --"
# Quote the pattern so the shell cannot glob-expand or word-split it.
if postconf -n | egrep -i "${authparams}" 2> /dev/null; then
continue
else
echo -e "\aNo active SMTP AUTH and TLS parameters for ${1} in main.cf!"
echo "SMTP AUTH can't work!"
exit 72
fi
done
}


function get_sasl_apps () {
active_services[0]=""
if [[ $(egrep -v "^#.*smtpd_sasl_application_name" $(postconf_get config_directory)/master.cf |\
egrep "^.*smtpd_sasl_application_name" 2>/dev/null) ]]; then
active_services=$(egrep -v "^#.*smtpd_sasl_application_name" $(postconf_get config_directory)/master.cf |\
egrep "^.*smtpd_sasl_application_name" | sed 's/.*-o smtpd_sasl_application_name=//g' | awk '{print $1}')
else
active_services[0]="smtpd"
fi
}

function get_service_config () {
# Add /etc/postfix/sasl to valid_sasldirs for Debian users.
sasl_dirs[100]="/etc/postfix/sasl"
local o=1
local sasldir=""
local service=""
for sasldir in ${sasl_dirs[@]}; do
local i=1
for service in ${active_services[@]}; do
if [ -e ${sasldir}/${service}.conf ]; then
valid_services[$i$o]=${sasldir}/${service}.conf
let "i = $i + 1"
elif ! [ -e ${sasldir}/${service}.conf ]; then
continue
fi
done
let "o+=1"
done
if ! [[ ${valid_services[@]} ]]; then
echo; echo -e "\aThere is no smtpd.conf that defines what SASL should do for Postfix."
echo "SMTP AUTH can't work!"; echo
exit 72
fi
}


function list_service_configs () {
local smtpdconf=""
for smtpdconf in ${valid_services[@]}; do
echo "-- content of ${smtpdconf} --"
cat ${smtpdconf} | sed -e 's/.*ldapdb_id.*/ldapdb_id: --- replaced ---/;s/.*sql_user:.*/sql_user: --- replaced ---/g;'\
-e 's/.*ldapdb_pw:.*/ldapdb_pw: --- replaced ---/g;s/.*sql_passwd:.*/sql_passwd: --- replaced ---/g'
echo
done
}


function list_sasl_dirs () {
local sasldir=""
for sasldir in ${valid_sasldirs[@]}; do
echo "-- listing of ${sasldir} --"; ls -alL ${sasldir}; echo
done
}


function get_mastercf () {
echo "-- active services in $(postconf_get config_directory)/master.cf --"
echo "$(egrep "(^# service type|\(yes\))" $(postconf_get config_directory)/master.cf)"
echo "$(cat $(postconf_get config_directory)/master.cf | egrep -v "^#")"
}


function check_saslpasswd () {
saslpasswd=$(postconf_get smtp_sasl_password_maps | sed -e s/^.*://)
if ! [ $(get_saslpasswd) ]; then
echo -e "\aCannot find the smtp_sasl_password_maps parameter in main.cf."
echo "Client-side SMTP AUTH cannot work without this parameter!"
exit 78
elif [ -e $(get_saslpasswd) ]; then
echo "-- permissions for $(get_saslpasswd) --"; echo "`ls -al ${saslpasswd}`"; echo
if [ -e $(get_saslpasswd).db ]; then
echo "-- permissions for $(get_saslpasswd).db --"; echo "`ls -al ${saslpasswd}.db`"; echo
if [ $(get_saslpasswd) -nt $(get_saslpasswd).db ]; then
echo -e "\a$(get_saslpasswd).db is older than $(get_saslpasswd)!"
echo "Run the following command as root to sync $(get_saslpasswd).db:"
echo; echo -e "\tpostmap `postconf -h smtp_sasl_password_maps`"; echo
exit 65
else
echo "$(get_saslpasswd).db is up to date."
fi
else
echo; echo -e "\aThere is no $(get_saslpasswd).db!"
exit 78
fi
elif ! [ -e $(get_saslpasswd) ]; then
echo; echo -e "\aYou have set smtp_sasl_password_maps = ${saslpasswd}"
echo "in main.cf, but $(get_saslpasswd) does not seem to be there."
echo "Please check and run ${scriptname} again."
exit 78
fi
}


function get_smtp_dialogue_wrapper () {
local host=""
if [ -r $(get_saslpasswd) ]; then
for host in $(awk '!/^#/ {print $1}' ${saslpasswd}); do
get_smtp_dialogue ${host}; echo
done
elif ! [ -r $(get_saslpasswd) ]; then
echo -e "\aYou don't have the correct permissions to read $(get_saslpasswd)."
echo "The telnet test, which gets the AUTH mechanisms offered by your remote"
echo "MTA(s), requires reading this file. Become either root to access"
echo "$(get_saslpasswd), or allow your current user, ${USER}, to read it."; echo
exit 0
fi
}


function server () {
mode="server-side"
start; echo
get_mail_version; echo
get_sasl_support smtpd; echo
get_maincf smtpd; echo
get_sasl_dirs; echo
list_sasl_dirs; echo
get_sasl_apps; echo
get_service_config; echo
list_service_configs; echo
get_mastercf; echo
get_smtp_dialogue localhost; echo
end; echo
exit 0
}


function client () {
mode="client-side"
start; echo
get_mail_version; echo
get_sasl_support smtp; echo
get_maincf smtp; echo
get_sasl_dirs; echo
list_sasl_dirs; echo
check_saslpasswd; echo
get_mastercf; echo
get_smtp_dialogue_wrapper; echo
end; echo
exit 0
}


function usage () {
cat << _EOF

saslfinger -s Check server-side SMTP AUTH configuration
saslfinger -c Check client-side SMTP AUTH configuration
saslfinger -h Print this message.

Read man (1) saslfinger for a detailed discussion on what ${scriptname} may do for you.

_EOF
}

no_args=0
if [ ${#} -eq ${no_args} ]; then
echo; echo -e "\aUsage: `basename ${0}` [-chs]"
echo "Use \"`basename ${0}` -h\" to find out what the options mean."
echo; exit 65
fi

while getopts "chs" option; do
case ${option} in
c )
client
;;
s )
server
;;
h )
usage
;;
esac
done
shift $(($OPTIND - 1))

exit 0
</pre>
