 From:  Vince Van De Coevering <vpv at figaros dot com>
 To:  "'mOnO at SpectraTechnology dot Net'" <mOnO at SpectraTechnology dot Net>, "'m0n0wall at lists dot m0n0 dot ch'" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] axentra email server problems
 Date:  Thu, 22 Dec 2005 08:15:57 -0800
This is clearly a DNS issue.

My suggestion is that you set up a local DNS server that returns the
non-nat'd IP Addresses for your mail servers.  BIND has a feature (the views
directive) that allows it to answer based on the IP address of the
requesting server.

You set up a view for each zone that needs an answer.  My servers usually
have 2, internal and external.  The internal view returns 10.x.x.x addresses
for each of my servers while the external view returns the actual internet
address.

Notice how each view has its own zone files. I removed the actual IP
addresses from the allow-transfer directives, those would typically be
addresses separated by ;

The internal view matches the IP addresses I defined as local.
The blackhole directive drops requests from IP addresses I defined as fake.

Here's a sample named.conf file:
acl "local" {
        localhost;
        127.0.0.1;
        10.1.0.0/8;
        10.2.0.0/8;
};

acl "fake" {
        0.0.0.0/8;      // Null Address
        1.0.0.0/8;      // IANA reserved (popular fake)
        2.0.0.0/8;
        224.0.0.0/3;    // Multicast Address
        192.168.0.0/16;     // Non routable IP addresses
        172.16.0.0/12;  // commonly used in DOS attacks
};

options {
        #forward first;
        forwarders {
              63.105.16.2;  //my ISPs public name servers
              63.105.16.4;
        };
        directory "/var/bind";
        listen-on {127.0.0.1; 10.1.0.6; };
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        query-source address * port 53;
        allow-transfer { IP addresses of secondary name servers go here };
        blackhole { fake; };
        pid-file "/var/run/named/named.pid";
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

view "internal" {
        match-clients { local; };
        recursion yes;
        zone "." IN {
                type hint;
                file "pri/named.ca";
        };

        zone "localhost" IN {
                type master;
                file "pri/localhost.zone";
                allow-update { none; };
        };

        zone "0.0.127.in-addr.arpa" IN {
                type master;
                file "pri/named.local";
                allow-update { none; };
        };

        zone "1.192.in-addr.arpa" IN {
                type master;
                file "pri/mydomain.rev.internal";
                allow-update { none; };
        };

        zone "mydomain.com" IN {
                type master;
                file "pri/mydomain.com.internal";
                allow-update { none; };
        };

        include "/etc/bind/named_slaves.conf";
};

view "external" {
        match-clients { any; };
        recursion no;
        zone "." IN {
                type hint;
                file "pri/named.ca";
        };

        zone "localhost" IN {
                type master;
                file "pri/localhost.zone";
                allow-update { none; };
        };

        zone "0.0.127.in-addr.arpa" IN {
                type master;
                file "pri/named.local";
                allow-update { none; };
        };

        zone "22.111.63.in-addr.arpa" IN {
                type master;
                file "pri/mydomain.rev.external";
                allow-update { none; };
        };

        zone "mydomain.com" IN {
                type master;
                file "pri/mydomain.com.external";
                allow-update { none; };
                allow-transfer { IP addr of domain secondaries };
        };

        include "/etc/bind/named_slaves.conf";
};
include "/etc/bind/rndc.key";
****** End Named.conf



Vince Van De Coevering
IT Manager
Figaro's Italian Pizza, Inc.
503-371-9318 x216
vpv at figaros dot com

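The view-selection rules Vince's named.conf relies on (the global blackhole is consulted first, then views are tried in declaration order and the first `match-clients` hit answers, so the `any` view has to come last) modelled in Python, as an added example that is not code from the original mail or from BIND. The zone data, the mail-server names and every IP address are constructed for the example, the BIND keyword `localhost` is written as 127.0.0.1, and recursion is only reported, not performed. It also carries the ordering check a practitioner would want: a view that can never be selected because a catch-all view precedes it.

```python
"""Toy model of how named routes a query through the split-horizon config above.

Added example; not code from the original mail or from BIND. It reproduces
the selection rules the named.conf relies on:
  1. the global `blackhole` ACL is consulted first; matching clients get no reply;
  2. views are tried in declaration order and the first `match-clients` hit
     answers, so a view matching `any` only works when it is declared last.
Zone data, host names and IP addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ACLs as in the post's named.conf. The BIND keyword `localhost` is written as
# 127.0.0.1 here; prefixes are normalised with strict=False so host bits that
# are set (e.g. "10.1.0.0/8") are cleared rather than rejected.
ACLS: Dict[str, List[str]] = {
    "local": ["127.0.0.1", "10.1.0.0/8", "10.2.0.0/8"],
    "fake": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "224.0.0.0/3",
             "192.168.0.0/16", "172.16.0.0/12"],
    "any": ["0.0.0.0/0"],
}


@dataclass
class View:
    name: str
    match_clients: str             # name of the ACL in `match-clients`
    recursion: bool                # `recursion yes|no`
    records: Dict[str, List[str]]  # constructed A records for mydomain.com


# Declaration order matters: "internal" must precede the catch-all "external".
VIEWS: List[View] = [
    View("internal", "local", True, {
        "mail1.mydomain.com": ["10.1.0.25"],       # constructed DMZ addresses
        "mail2.mydomain.com": ["10.1.0.26"],
    }),
    View("external", "any", False, {
        "mail1.mydomain.com": ["198.51.100.25"],   # constructed public addresses
        "mail2.mydomain.com": ["198.51.100.26"],
    }),
]


def acl_matches(acl: str, client: str) -> bool:
    """True if the client's source address falls in any prefix of the named ACL."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in ACLS[acl])


def route_query(client: str, qname: str) -> Tuple[str, Optional[str], List[str]]:
    """Return (status, view, answers) for an A query from `client` for `qname`.

    DROPPED  client matched the blackhole ACL, no response is sent
    NOERROR  answered from the selected view's own zone data
    RECURSE  name is not ours and the view allows recursion (not modelled offline)
    REFUSED  name is not ours and recursion is off, or no view matched the client
    """
    if acl_matches("fake", client):
        return "DROPPED", None, []
    for view in VIEWS:                         # first matching view wins
        if not acl_matches(view.match_clients, client):
            continue
        if qname in view.records:
            return "NOERROR", view.name, view.records[qname]
        return ("RECURSE" if view.recursion else "REFUSED"), view.name, []
    return "REFUSED", None, []


def shadowed_views(views: List[View]) -> List[str]:
    """Names of views that can never be selected because an earlier view's
    ACL already matches every address (a 0.0.0.0/0 entry such as `any`)."""
    for i, view in enumerate(views):
        if any(ipaddress.ip_network(p, strict=False).prefixlen == 0
               for p in ACLS[view.match_clients]):
            return [v.name for v in views[i + 1:]]
    return []


if __name__ == "__main__":
    # A DMZ mail server asking for its peer gets the DMZ address, not the WAN IP,
    # which is what the NAT-reflection problem in the thread needs.
    for client in ("10.1.0.25", "203.0.113.9", "192.168.5.5"):
        print(client, "->", route_query(client, "mail2.mydomain.com"))
    print("shadowed views:", shadowed_views(VIEWS))
```

Running it shows the 10.x client getting the 10.x answer, the outside client getting the public answer and a refusal for names outside the zone, and the 192.168.x client getting nothing at all. Swapping the two views in `VIEWS` makes `shadowed_views` report "internal", which is the misconfiguration that silently hands every client the external answers.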
> -----Original Message-----
> From: Spectra [mailto:mOnO at SpectraTechnology dot Net] 
> Sent: December 21, 2005 9:12 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] axentra email server problems
> 
> 
> 
> "It is not possible to access NATed services using the WAN IP address from
> within LAN (or an optional network)."
> 
> This has become a huge headache for us.
> 
> We have two email servers on our DMZ.  Both are running Axentra software,
> version 2.4.  Both servers can send and receive emails from any email
> server on the internet with the exception of each other, because the two
> servers are on the same network.  Currently we have the DNS forwarder
> enabled (using the internal IP addresses of the servers), so both servers
> should be able to 'see' each other via the internal IP.
> 
> However, emails cannot be sent or received between the two servers.
> 
> Interestingly enough, the Axentra software has an override that allows for
> the use of an external SMTP server.  Setting this to some SMTP server
> outside our network allows for the sending and receiving of emails.
> 
> Does this sound like a DNS or SMTP issue?
> 
> Has anyone else had a similar problem?
> 
> What have you done to overcome this?
> 
> I hope I'm being clear enough; let me know if this is confusing.
> 
> -- 
> m0n0 wanna be