Solved Help needed with OpenSMTPD

Hello everyone,

I wonder if someone here could help me troubleshoot my OpenSMTPD installation. I want to use OpenSMTPD as a local mail delivery and relay to Google's Gmail. All I want is for all the internal system email sent to root to be delivered to my Gmail account.

I have installed it via the ports tree and below is my configuration file /usr/local/etc/mail/smtpd.conf:
Code:
listen on 127.0.0.1 port 25
hostname "mail.domain.ltd"
map "aliases" { source db "/usr/local/etc/mail/aliases.db" }
map "secrets" { source db "/usr/local/etc/mail/secrets.db" }
accept for local deliver to mda "procmail -f -"
accept for all relay via "smtp.gmail.com" port 587 tls enable auth

When I run smtpd -dv, I get the following error message:
Code:
/usr/local/etc/mail/smtpd.conf:11: syntax error
/usr/local/etc/mail/smtpd.conf:14: syntax error
/usr/local/etc/mail/smtpd.conf:21: syntax error

Thank you all in advance,
Fred
 
You might want to consider using a more simple ("adequate") package for that simple job. One example that is (supposed to be) safe and easy to configure and that has served me well for such simple jobs is mail/nullmailer.

OpenSMTPD is more of a full-fledged mail server like sendmail.
 
There's also mail/dma that might become the official replacement for Sendmail as the local mailer (providing smarthost capabilities as well of course) in FreeBSD in the future. It does pretty much what the equivalent solutions such as mail/ssmtp do but is licensed in a BSD-friendly manner.
 
Code:
listen on 127.0.0.1 port 25
hostname "mail.domain.ltd"
map "aliases" { source db "/usr/local/etc/mail/aliases.db" }
map "secrets" { source db "/usr/local/etc/mail/secrets.db" }
accept for local deliver to mda "procmail -f -"
accept for all relay via "smtp.gmail.com" port 587 tls enable auth
Please read a more recent version of smtpd.conf(5). The current syntax is quite a bit different from the one you're using.

It should look something more like this:
Code:
listen on lo0 hostname mail.domain.tld
table aliases db:/etc/mail/aliases.db
table secrets db:/etc/mail/secrets.db

accept for local alias <aliases> deliver to mda "procmail -f -"
accept for all relay via secure+auth://smtp.gmail.com:587 auth <secrets>

This is of course assuming you're not running a horribly outdated version.
 
There's also mail/dma that might become the official replacement for Sendmail as the local mailer (providing smarthost capabilities as well of course) in FreeBSD in the future. It does pretty much what the equivalent solutions such as mail/ssmtp do but is licensed in a BSD-friendly manner.
+1 DragonFlyBSD mailing agent from an avid OpenBSD user (as you know OpenSMTPd came out of OpenBSD's kitchen). While OpenSMTPd is easier to configure than even Postfix, the fact is that it is a complete mail server and I am not sure what version is currently the default FreeBSD version, as all development is done on OpenBSD. DragonFly mailing agent is exactly what you need.
 
Thank you very much for all your input.
Nulani you are right, the syntax I am using is way out of date..
I'll update the syntax and keep you posted.

I will later be using OpenSMTPd for the company mail server. This is why I chose it. It will do more than redirecting local email in the future.
 
Hi Nulani ,

Following your reply, I have updated my /usr/local/etc/mail/smtpd.conf file with the following:
Code:
listen on 127.0.0.1 port 25 hostname garfield.myDomain.ltd
expire 4h
table aliases db:/usr/local/etc/mail/aliases.db
table secrets db:/usr/local/etc/mail/secrets.db
accept from local for local alias <aliases> deliver to mda "/usr/local/bin/procmail -f -"
accept from any for domain garfield.mydomain.ltd alias <aliases> deliver to mda "/usr/local/bin/procmail -f -"
accept from local for any relay via tls+auth://label@smtp.gmail.com:587 auth <secrets>

I set the following in my /usr/local/etc/mail/aliases file:
Code:
root:  serverstatus@gmail.com
sysadmin:  serverstatus@gmail.com

What I want to achieve here is that all emails sent to local users are sent to the external email address.


When I log in as sysadmin and do:
mail -v serverstatus@gmail.com
Code:
Subject: test email
This is a test email
EOT
<<< 220 localhost ESMTP OpenSMTPD
>>> EHLO localhost
<<< 250-localhost Hello localhost [local], pleased to meet you
<<< 250-8BITMIME
<<< 250-ENHANCEDSTATUSCODES
<<< 250-SIZE 36700160
<<< 250-DSN
<<< 250 HELP
>>> MAIL FROM:<sysadmin@garfield.mydomain.ltd>
<<< 250 2.0.0: Ok
>>> RCPT TO:<serverstatus@gmail.com>
<<< 250 2.1.5 Destination address valid: Recipient ok
>>> DATA
<<< 354 Enter mail, end with "." on a line by itself
>>> .
<<< 250 2.0.0: 8d7cc799 Message accepted for delivery
>>> QUIT
<<< 221 2.0.0: Bye

... at a glance everything seems ok but looking at the /var/log/maillog it's not all ok..
cat /var/log/maillog | grep smtpd returns the following:
Code:
Nov 10 10:37:20 garfield smtpd[2255]: smtp-in: New session 92553b18192cbc94 from host 1001@localhost [local]
Nov 10 10:37:20 garfield smtpd[2255]: smtp-in: Accepted message 3eca107b on session 92553b18192cbc94: from=<sysadmin@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, size=273, ndest=1, proto=ESMTP
Nov 10 10:37:20 garfield smtpd[2255]: smtp-in: Closing session 92553b18192cbc94
Nov 10 10:37:20 garfield smtpd[2253]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c01::6c:587 (wj-in-x6c.1e100.net) on session ef4abd40d01fffaf...
Nov 10 10:37:20 garfield smtpd[2253]: smtp-out: Error on session ef4abd40d01fffaf: Connection failed: No route to host
Nov 10 10:37:20 garfield smtpd[2253]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c01::6c (wj-in-x6c.1e100.net) for 800s
Nov 10 10:37:22 garfield smtpd[2253]: smtp-out: No valid route for [connector:[]->[relay:smtp.gmail.com,port=587,starttls,auth=secrets:label,mx],0x0]
Nov 10 10:37:31 garfield smtpd[2253]: relay: TempFail for 3eca107bae209fa4: session=0000000000000000, from=<sysadmin@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, rcpt=<->, source=-, relay=smtp.gmail.com, delay=11s, stat=Network error on destination MXs
Using telnet I cannot connect to the Google server in the error either.
telnet wj-in-x6c.1e100.net 587
Code:
Trying 2a00:1450:400c:c01::6c...
telnet: connect to address 2a00:1450:400c:c01::6c: No route to host
telnet: Unable to connect to remote host
If I disable PF firewall, the problem is the same.

In my gmail account I have enabled pop and imap forwarding.

Is there anything else to do on the gmail side?

Do I need to change my hostname garfield.myDomain.ltd to garfield.myDomain.com?

Is there any chance you could help me to identify the problem please?
How can I be sure that my ISP is not blocking the connection?

Thank you.

Fred
 
Are you able to ping6 2a00:1450:400c:c01::6c? Is IPv6 working for you otherwise? If not, you will have to either fix your IPv6 connectivity or disable it.

And if you are, then, yes, maybe your ISP is blocking port 587. Would be pretty unusual.
 
If you can't telnet it, chances are you can't ping it either. From what I see in the log and from here (Gmail almost certainly hands out different IPs depending on where you ask from) the IP looks OK for Gmail but you have a network problem (and not a mailer or port problem).

Are you sure that your provider/your subscription support IPv6? If so, is your routing correctly set up? If your answer is yes, kindly post an (IPv6) traceroute to smtp.gmail.com.
 
Hi guys,

Thank you for the reply.

I haven't got IPv6 set up on my system, so naturally
ping6 2a00:1450:400c:c01::6c returns
Code:
ping6: UDP connect: No route to host
Why is it using IPv6?

This is how my network is set up:
/etc/rc.conf
Code:
### Local network configuration ###
hostname="garfield.myDomain.ltd"
#if lagg breaks we'll need this uncommented
#ifconfig_bce0="inet 192.168.1.195 netmask 255.255.255.0"
#defaultrouter="192.168.1.1"

### lagg Failover Mode
cloned_interfaces="lagg0"
ifconfig_bce0="up"
ifconfig_bce1="up"
ifconfig_lagg0="laggproto lacp laggport bce0 laggport bce1" # ExtIf
ipv4_addrs_lagg0="192.168.1.195/24"
defaultrouter="192.168.1.1"

Do I need to set up IPv6 in order to use OpenSMTP with Gmail?
If yes, will adding the following be enough?
Code:
ipv6_enable="YES"
ipv6_ifconfig_lagg0="0:0:0:0:0:ffff:c0a8:1c3"
ipv6_defaultrouter="0:0:0:0:0:ffff:c0a8:101"

Can IPv6 and IPv4 live happy together or will I need to remove the IPv4 settings?

Thank you very much
Fred
 
It uses IPv6 because that's what ping6 is made for. And no, you do not need IPv6 to use OpenSMTP.

OpenSMTP doesn't care about IP(v4) or IPv6; that's just a transport layer issue. It simply looks for the MX (DNS) records for gmail.com, finds "smtp.gmail.com" as mail server in charge and asks the system to resolve that host name. Obviously your system thinks it's IPv6 connected and as such hands back an IPv6 for the gmail mail server which actually does have IPv6 connectivity.

As Nulani already correctly told you, you must either have (and properly configure) IPv6 support or if you don't have IPv6 connectivity (through your network provider), which seems to be the case, you must disable IPv6 in your /etc/rc.conf (ip6addrctl_enable="NO").

As a sidenote, I'm bewildered by OpenSMTP happily tweeting "success" to you while actually it failed due to the transport layer. I don't know OpenSMTP (beyond a basic overview) but that strikes me as odd. A properly working SMTP server should have complained about a transport error.
 
As a sidenote, I'm bewildered by OpenSMTP happily tweeting "success" to you while actually it failed due to the transport layer. I don't know OpenSMTP (beyond a basic overview) but that strikes me as odd. A properly working SMTP server should have complained about a transport error.
The message was successfully received (for relaying). Neither the client nor the daemon knows that the route is broken at that point. OpenSMTPD then tries to relay the message and fails; and what would normally happen is that the message gets bounced.

Disable IPv6 and it ought to work.
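
An added example, not part of any post in this thread: it pairs each message that smtp-in accepted with the relay result smtp-out logged later, so a message that was accepted but never delivered stands out. It assumes the maillog line format quoted in this thread; the function names triage_maillog, undelivered_count and sample_maillog are made up for the example.

```sh
#!/bin/sh
# Added example: pair each message smtpd accepted with its later relay result.
# Assumes the maillog format quoted in this thread; function names are made up.

# Reads maillog lines from the named files (or stdin) and prints per message:
#   msgid|recipient|relay result|stat|attempts=N|last target tried (error)
triage_maillog() {
    awk '
    function after(line, key,    i) {    # text following key, "" if absent
        i = index(line, key)
        return (i ? substr(line, i + length(key)) : "")
    }
    function upto(s, sep,    j) {        # text before sep, or all of s
        j = index(s, sep)
        return (j ? substr(s, 1, j - 1) : s)
    }
    / smtp-in: Accepted message / {      # the point where the client gets 250
        id = upto(after($0, "Accepted message "), " ")
        order[++n] = id
        rcpt[id] = upto(after($0, " to="), ",")
        result[id] = "queued"; stat[id] = "-"; last[id] = "-"; tries[id] = 0
        pending[id] = 1
        next
    }
    / smtp-out: Connecting to / {        # one outbound attempt and its address
        target = upto(after($0, "Connecting to "), " ")
        err = ""
        for (id in pending) tries[id]++
        next
    }
    / smtp-out: Error on session / {     # keep only the reason text
        err = after(after($0, "Error on session "), ": ")
        next
    }
    / relay: (Ok|TempFail|PermFail) for / {
        split(after($0, " relay: "), w, " ")
        id = substr(w[3], 1, 8)          # envelope id begins with the msgid
        if (!(id in rcpt)) next
        result[id] = w[1]
        stat[id] = after($0, " stat=")
        note = (err != "") ? " (" err ")" : ""
        if (target != "") last[id] = target note
        delete pending[id]
        next
    }
    END {
        for (k = 1; k <= n; k++) {
            id = order[k]
            printf "%s|%s|%s|%s|attempts=%d|%s\n", id, rcpt[id], result[id], stat[id], tries[id], last[id]
        }
    }' "$@"
}

# Number of accepted messages whose relay result is anything other than Ok.
undelivered_count() {
    triage_maillog "$@" | awk -F"|" '$3 != "Ok" { c++ } END { print c + 0 }'
}

# Sample input: the Nov 13 smtpd lines quoted in this thread, unchanged.
sample_maillog() {
    cat <<'EOF'
Nov 13 15:21:01 garfield smtpd[2254]: smtp-in: New session 7480292bd6c4976c from host 0@localhost [local]
Nov 13 15:21:01 garfield smtpd[2254]: smtp-in: Accepted message 83a9456d on session 7480292bd6c4976c: from=<root@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, size=245, ndest=1, proto=ESMTP
Nov 13 15:21:01 garfield smtpd[2254]: smtp-in: Closing session 7480292bd6c4976c
Nov 13 15:21:01 garfield smtpd[2252]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c00::6c:587 (wg-in-x6c.1e100.net) on session 16a50b3ecc7b968c...
Nov 13 15:21:01 garfield smtpd[2252]: smtp-out: Error on session 16a50b3ecc7b968c: Connection failed: No route to host
Nov 13 15:21:01 garfield smtpd[2252]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c00::6c (wg-in-x6c.1e100.net) for 800s
Nov 13 15:21:03 garfield smtpd[2252]: smtp-out: No valid route for [connector:[]->[relay:smtp.gmail.com,port=587,starttls,auth=secrets:label,mx],0x0]
Nov 13 15:21:12 garfield smtpd[2252]: relay: TempFail for 83a9456d10f8f239: session=0000000000000000, from=<root@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, rcpt=<->, source=-, relay=smtp.gmail.com, delay=11s, stat=Network error on destination MXs
Nov 13 15:21:35 garfield smtpd[2254]: smtp-in: New session 7480292cf19275bc from host 0@localhost [local]
Nov 13 15:21:35 garfield smtpd[2254]: smtp-in: Accepted message 23704ff5 on session 7480292cf19275bc: from=<root@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, size=245, ndest=1, proto=ESMTP
Nov 13 15:21:35 garfield smtpd[2254]: smtp-in: Closing session 7480292cf19275bc
Nov 13 15:21:35 garfield smtpd[2252]: smtp-out: No valid route for [connector:[]->[relay:smtp.gmail.com,port=587,starttls,auth=secrets:label,mx],0x0]
Nov 13 15:21:35 garfield smtpd[2252]: relay: TempFail for 23704ff59341eb87: session=0000000000000000, from=<root@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, rcpt=<->, source=-, relay=smtp.gmail.com, delay=0s, stat=Network error on destination MXs
EOF
}

sample_maillog | triage_maillog
```

Against the live log the call is triage_maillog /var/log/maillog. A line with attempts=0 means the relay failed without a new connection attempt, which is what the sample shows for the second message while the route is still disabled.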
 
Hi guys,
I have corrected the LAGG setting in my /etc/rc.conf.

Now when I do mail -v serverstatus@gmail.com, I get the following:
cat /var/log/maillog | grep smtpd
Code:
Nov 11 21:57:37 garfield smtpd[2240]: smtp-in: New session 14e2c0e8139312cd from host 1001@localhost [local]
Nov 11 21:57:37 garfield smtpd[2240]: smtp-in: Accepted message 99b02f05 on session 14e2c0e8139312cd: from=<sysadmin@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, size=251, ndest=1, proto=ESMTP
Nov 11 21:57:37 garfield smtpd[2240]: smtp-in: Closing session 14e2c0e8139312cd
Nov 11 21:57:37 garfield smtpd[2238]: smtp-out: No valid route for [connector:[]->[relay:smtp.gmail.com,port=587,starttls,auth=secrets:label,mx],0x0]
Nov 11 21:57:37 garfield smtpd[2238]: relay: TempFail for 99b02f0508c9ba31: session=0000000000000000, from=<sysadmin@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, rcpt=<->, source=-, relay=smtp.gmail.com, delay=0s, stat=Network error on destination MXs

If I telnet to smtp.gmail.com, I can see that it tries IPv6 first, then moves on to IPv4...

telnet smtp.gmail.com 587
Code:
Trying 2a00:1450:400c:c00::6c...
telnet: connect to address 2a00:1450:400c:c00::6c: No route to host
Trying 173.194.78.109...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP cv7sm28977555wjc.3 - gsmtp
^]
telnet> quit
Connection closed.

Does this mean that I still have a problem somewhere in my network setup?

Thank you,

Fred
 
We don't know anything about your network setup, so it's difficult to say. The relevant sections from rc.conf and the output from ifconfig might help.

If you don't have IPv6 connectivity, why have IPv6 enabled at all?
 
Hi Nulani,
I've provided the content of my rc.conf file in event 10.
Here it is again as I have changed it a bit..
/etc/rc.conf
Code:
hostname="garfield.mydomain.ltd"
ip6addrctl_enable="NO"
ifconfig_bce0="up"
ifconfig_bce1="up"
defaultrouter="192.168.1.1"
cloned_interfaces="lagg0"
# LACP
ifconfig_lagg0="inet 192.168.1.185 netmask 255.255.255.0 laggproto lacp laggport bce0 laggport bce1"

# Jail network interface aliases
ifconfig_lagg0_alias0="inet 192.168.1.125 netmask 255.255.255.0" # webjail
ifconfig_lagg0_alias1="inet 192.168.1.130 netmask 255.255.255.0" # sqljail
ifconfig_lagg0_alias2="inet 192.168.1.145 netmask 255.255.255.0" # mailjail
/etc/hosts
Code:
::1  localhost localhost.mydomain.ltd
127.0.0.1  localhost localhost.mydomain.ltd
192.168.1.185  garfield.mydomain.ltd  # FreeBSDHost
192.168.1.125  web.mydomain.ltd  # webserver
192.168.1.130  mysql.mydomain.ltd  # dbserver
192.168.1.145  mail.mydomain.ltd  # mailserver
/etc/resolv.conf
Code:
# https://www.whatsmydns.net/dns/uk/virgin-media.html
# Primary DNS: 194.168.4.100
# Secondary DNS: 194.168.8.100
nameserver 194.168.4.100
nameserver 194.168.8.100
My router gateway is 192.168.1.1, should I type this instead?

/boot/loader.conf
Code:
zfs_load="YES"
vfs.root.mountfrom="zfs:zroot"
if_lagg_load="YES"
accf_data_load="YES"
accf_http_load="YES"
ahci_load="YES"
aio_load="YES"
autoboot_delay="3"
cc_htcp_load="YES"
amdtemp_load="YES"
net.inet.tcp.hostcache.cachelimit="0"
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gpt.enable="1"
kern.geom.label.gptid.enable="0"
loader_logo="orb"
/etc/sysctl.conf
Code:
kern.ipc.maxsockbuf=4194304   
net.inet.tcp.sendbuf_max=4194304   
net.inet.tcp.recvbuf_max=4194304   
net.inet.tcp.cc.algorithm=htcp   
net.inet.tcp.cc.htcp.adaptive_backoff=1
net.inet.tcp.cc.htcp.rtt_scaling=1
net.inet.ip.forwarding=1   
net.inet.ip.fastforwarding=1   
kern.ipc.soacceptqueue=1024   
net.inet.tcp.mssdflt=1460   
net.inet.tcp.nolocaltimewait=1   
net.inet.tcp.experimental.initcwnd10=1
net.inet.tcp.syncache.rexmtlimit=0  
net.inet.ip.rtexpire=2   
net.inet.ip.rtminexpire=2   
net.inet.tcp.syncookies=0   
net.inet.ip.check_interface=1   
net.inet.ip.process_options=0   
net.inet.ip.redirect=0   
net.inet.ip.stealth=1   
net.inet.icmp.drop_redirect=1   
net.inet.tcp.drop_synfin=1   
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.icmp_may_rst=0   
net.inet.tcp.msl=5000   
net.inet.tcp.path_mtu_discovery=0  
net.inet.udp.blackhole=1   
net.inet.tcp.blackhole=2   
security.bsd.see_other_uids=0   
security.jail.allow_raw_sockets=1   
security.jail.enforce_statfs=2   
security.jail.set_hostname_allowed=0   
security.jail.socket_unixiproute_only=1
security.jail.sysvipc_allowed=0   
security.jail.chflags_allowed=0   
net.local.stream.sendspace=164240   
net.local.stream.recvspace=164240

I hope I have provided enough information to help you to help me :)

Thank you all
 
Let's do this in simple steps.

Does your gateway host 192.168.1.1 have full internet connectivity (telnet, ping, ...)?
Does your server properly connect to your gateway host (e.g. can you telnet to it)?
Does your routing on your gateway host work properly, i.e. can you reach the internet/be reachable from the internet from/to other hosts in your LAN?

Also: kindly provide the ifconfig output Nulani asked for.
For good measure also add the output of both, route -n show default and route -n show 194.168.4.100 (your name server. no special meaning, just some outside host you should be able to reach anyway). Finally the output of host smtp.gmail.com to be sure your name resolution works.
 
Hi rmoe,

I really appreciate your help here. Thank you very much.

The network consists of a few Windows laptops and all the users on these laptops are able to perform day to day tasks such as browsing the internet, Skype, email etc.

Just to clarify, the DSL modem provided by our ISP (Virgin Media) acts as the gateway/DNS server. We don't have one of our own yet.

Below is the requested information:

ping 192.168.1.1 (from Windows)
Code:
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
ping 192.168.1.1 (from FreeBSD server)
Code:
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.320 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.322 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.311 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.332 ms
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.311/0.321/0.332/0.007 ms
telnet 192.168.1.1 (from FreeBSD server)
Code:
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
^]
telnet> q
Connection closed.
ifconfig
Code:
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
  ether f0:4d:a2:00:55:fe
  inet6 fe80::f24d:a2ff:fe00:55fe%bce0 prefixlen 64 scopeid 0x1
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
  ether f0:4d:a2:00:55:fe
  inet6 fe80::f24d:a2ff:fe00:5600%bce1 prefixlen 64 scopeid 0x2
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
bce2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
  ether f0:4d:a2:00:56:02
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect
bce3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
  ether f0:4d:a2:00:56:04
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
pfsync0: flags=0<> metric 0 mtu 1500
  syncpeer: 0.0.0.0 maxupd: 128 defer: off
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
  ether f0:4d:a2:00:55:fe
  inet 192.168.1.185 netmask 0xffffff00 broadcast 192.168.1.255
  inet6 fe80::f24d:a2ff:fe00:55fe%lagg0 prefixlen 64 scopeid 0x8
  inet 192.168.1.125 netmask 0xffffff00 broadcast 192.168.1.255
  inet 192.168.1.130 netmask 0xffffff00 broadcast 192.168.1.255
  inet 192.168.1.145 netmask 0xffffff00 broadcast 192.168.1.255
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect
  status: active
  laggproto lacp lagghash l2,l3,l4
  laggport: bce1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
  laggport: bce0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
  options=80000<LINKSTATE>
  inet6 fe80::f24d:a2ff:fe00:5602%tun0 prefixlen 64 scopeid 0x9
  inet 10.8.20.1 --> 10.8.20.2 netmask 0xffffffff
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  Opened by PID 2263
host smtp.gmail.com
Code:
smtp.gmail.com is an alias for gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com has address 173.194.67.108
gmail-smtp-msa.l.google.com has address 173.194.67.109
gmail-smtp-msa.l.google.com has IPv6 address 2a00:1450:400c:c05::6d
route -n show default
Code:
  route to: 0.0.0.0
destination: 0.0.0.0
  mask: 0.0.0.0
  gateway: 192.168.1.1
  fib: 0
  interface: lagg0
  flags: <UP,GATEWAY,DONE,STATIC>
recvpipe  sendpipe  ssthresh  rtt,msec  mtu  weight  expire
  0  0  0  0  1500  1  0
route -n show 194.168.4.100
Code:
  route to: 194.168.4.100
destination: 0.0.0.0
  mask: 0.0.0.0
  gateway: 192.168.1.1
  fib: 0
  interface: lagg0
  flags: <UP,GATEWAY,DONE,STATIC>
recvpipe  sendpipe  ssthresh  rtt,msec  mtu  weight  expire
  0  0  0  0  1500  1  0

In addition, I also tried setting up the network to only use one interface without LAGG and the results above were the same :(
Code:
## ipv4 - native address
ifconfig_bce0="inet 192.168.1.185/24"
defaultrouter="192.168.1.1"

I never used the route -n show default before but I assume that I have a problem there am I right?

Hope someone can help me spot the problem.

Thank you
 
I'm sorry, fred, but I'm short on time right now. So I'll just point out some quick remarks after glancing over your output.

Don't worry about the route -n show default output. That looks normal to me. I noticed some interfaces having IPv6 addresses though and lagg0 has one mixed in, too. Unless you have a real need for IPv6 you should certainly properly disable it completely.
 
I noticed some interfaces having IPv6 addresses though and lagg0 has one mixed in, too. Unless you have a real need for IPv6 you should certainly properly disable it completely.

Those are just fe80::* link-local addresses, they are completely as they should be. No need to disable them, in fact you'll have to disable IPv6 completely with a custom kernel to properly disable them.
 
So does my network setup look good to you kpa? What else can I try to solve this issue? Is there some debug I can implement?
 
Hmm this is odd:

Code:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::f24d:a2ff:fe00:5602%tun0 prefixlen 64 scopeid 0x9
inet 10.8.20.1 --> 10.8.20.2 netmask 0xffffffff
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 2263

I think I gave you a script for OpenVPN? In that script there is probably something like:

Code:
ifconfig ${dev} inet6 -ifdisabled

Remove that line, it is probably making the system think that there is IPv6 connectivity over the tun0 interface although no addresses are bound on it.

You can disable IPv6 on tun0 without restarting OpenVPN by ifconfig tun0 inet6 ifdisabled.
 
Hi kpa, yes, you did give me a script and indeed, I found the line you referenced in it. I have commented the line:
Code:
#/sbin/ifconfig ${dev} inet6 -ifdisabled
I have rebooted the physical server but unfortunately, I am still unable to send email.
Code:
Nov 13 15:21:01 garfield smtpd[2254]: smtp-in: New session 7480292bd6c4976c from host 0@localhost [local]
Nov 13 15:21:01 garfield smtpd[2254]: smtp-in: Accepted message 83a9456d on session 7480292bd6c4976c: from=<root@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, size=245, ndest=1, proto=ESMTP
Nov 13 15:21:01 garfield smtpd[2254]: smtp-in: Closing session 7480292bd6c4976c
Nov 13 15:21:01 garfield smtpd[2252]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c00::6c:587 (wg-in-x6c.1e100.net) on session 16a50b3ecc7b968c...
Nov 13 15:21:01 garfield smtpd[2252]: smtp-out: Error on session 16a50b3ecc7b968c: Connection failed: No route to host
Nov 13 15:21:01 garfield smtpd[2252]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c00::6c (wg-in-x6c.1e100.net) for 800s
Nov 13 15:21:03 garfield smtpd[2252]: smtp-out: No valid route for [connector:[]->[relay:smtp.gmail.com,port=587,starttls,auth=secrets:label,mx],0x0]
Nov 13 15:21:12 garfield smtpd[2252]: relay: TempFail for 83a9456d10f8f239: session=0000000000000000, from=<root@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, rcpt=<->, source=-, relay=smtp.gmail.com, delay=11s, stat=Network error on destination MXs
Nov 13 15:21:35 garfield smtpd[2254]: smtp-in: New session 7480292cf19275bc from host 0@localhost [local]
Nov 13 15:21:35 garfield smtpd[2254]: smtp-in: Accepted message 23704ff5 on session 7480292cf19275bc: from=<root@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, size=245, ndest=1, proto=ESMTP
Nov 13 15:21:35 garfield smtpd[2254]: smtp-in: Closing session 7480292cf19275bc
Nov 13 15:21:35 garfield smtpd[2252]: smtp-out: No valid route for [connector:[]->[relay:smtp.gmail.com,port=587,starttls,auth=secrets:label,mx],0x0]
Nov 13 15:21:35 garfield smtpd[2252]: relay: TempFail for 23704ff59341eb87: session=0000000000000000, from=<root@garfield.mydomain.ltd>, to=<serverstatus@gmail.com>, rcpt=<->, source=-, relay=smtp.gmail.com, delay=0s, stat=Network error on destination MXs

So from what I gather OpenSMTPD will try IPv6 first and fall back to IPv4 which is fine. Also as I can telnet to mx.google.com, I assumed that my network path is fine.

Just to give a complete picture to the people who are trying to help me here, below are the 2 scripts that kpa gave me to get OpenVPN to work:
up.sh
Code:
#!/bin/sh
# OpenVPN "up" script: load NAT and pass rules into the pf anchor.

ANCHOR="openvpn"

#/sbin/ifconfig ${dev} inet6 -ifdisabled

# Flush the anchor, then load fresh rules from the here-document.
/sbin/pfctl -a ${ANCHOR} -F rules
/sbin/pfctl -a ${ANCHOR} -F nat
/sbin/pfctl -a ${ANCHOR} -f - <<EOT
nat on ${OPENVPN_wan} inet from ${dev}:network to any -> (${OPENVPN_wan}:0) port 1024:65535
pass quick on ${dev} all
pass in quick on ${OPENVPN_wan} inet proto udp from any to (${OPENVPN_wan}) port ${local_port_1}
EOT
down.sh
Code:
#!/bin/sh

/sbin/pfctl -a openvpn -F rules
/sbin/pfctl -a openvpn -F nat

I already disabled IPv6
/etc/rc.conf
Code:
ip6addrctl_enable="NO"

I tried to send email using telnet but I hit a brick wall.
telnet smtp.gmail.com 587
Code:
Trying 2a00:1450:400c:c00::6d...
telnet: connect to address 2a00:1450:400c:c00::6d: No route to host
Trying 173.194.67.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP bf6sm35996006wjb.13 - gsmtp
HELO garfiel.mydomain.ltd
250 mx.google.com at your service
MAIL FROM: root@garfiel.mydomain.ltd
530 5.7.0 Must issue a STARTTLS command first. bf6sm35996006wjb.13 - gsmtp
 
fred

The brick wall in your telnet attempt is nothing to do with your network but with TLS (you explicitly connect to port 587). I guess it would work on port 25 (standard not TLS SMTP).

I suggested and still strongly suggest that you try to isolate/spot the problem (rather than testing/trying wildly). One important step to do that was to check your network configuration and proper working. From what I see so far your network seems to work almost.

Right now my approach would be to comment out the jails and jail-related stuff to have as simple and standard as possible a network setup.
You see, unlike with former versions, FreeBSD now has IPv6 working by default. So, if you have something somewhere that asks for or seems to use IPv6 (like the script setting) FreeBSD might bring it up (and seems to do so in your configuration).

It is, generally speaking, a bad idea to start with an all-features-in approach unless one has plenty solid experience. I usually suggest to start with a plain setup, in your case with IPv4 and (whatever)SMTP. Once that works properly, you can add lagg in a next step. And once that works fine you can add your jails.

To lift up your spirit somewhat in that unpleasant situation let me remind you: FreeBSD can do all that. In fact, it does do it in many installations. All you need to do is to go step by step rather than trying the whole she-bang at once.
 
Hi rmoe, thank you for your reply. It did bring a smile to my face.
I'll make a backup of my current rc.conf and start from basic stuff as you suggested.
 
Hi,

I've been working on this all weekend without any success. I have stripped my /etc/rc.conf to the absolute bare minimum and no matter what I tried, I always end up with the same error message.

Just a question here. Do I NEED A DNS SERVER for this to work?

Does the error below mean a DNS issue on my server or the Google mail server?
Code:
Network error on destination MXs

Thank you
 