• outgoing tcp port 25 blocked? how to prove it?

    From Lesley Esen@lesen@wimezu.com to comp.unix.bsd.freebsd.misc,comp.unix.programmer,comp.misc on Fri Oct 18 11:03:40 2024
    From Newsgroup: comp.misc

    I've got a FreeBSD running as a Lightsail instance at AWS. I asked AWS
    to create a reverse dns for my host and also lift all restrictions on
    port 25. They did so: the reverse dns has been created and I can get
    mails from the outside, but I can't seem to go out on TCP port 25. That
    still seems blocked at least as far as the hosts I've tried to reach.
    This might not have anything to do with AWS. AWS said that "[e]mail
    sending limitations have also been removed for any resources for the
    region your EIP is located in." I believe them.

    The host 69.164.210.174 can reach my host at mx.antartida.xyz just
    fine. The host mx.antartida.xyz is also named a.antartida.xyz.

    %telnet mx.antartida.xyz 25
    Trying 34.197.192.71...
    Connected to mx.antartida.xyz.
    Escape character is '^]'.
    220 a.antartida.xyz ESMTP Sendmail 8.17.1/8.17.1; Fri, 18 Oct 2024 10:24:01 -0300 (-03)
    help
    214-2.0.0 This is sendmail version 8.17.1
    214-2.0.0 Topics:
    214-2.0.0 HELO EHLO MAIL RCPT DATA
    214-2.0.0 RSET NOOP QUIT HELP VRFY
    214-2.0.0 EXPN VERB ETRN DSN AUTH
    214-2.0.0 STARTTLS
    214-2.0.0 For more info use "HELP <topic>".
    214-2.0.0 To report bugs in the implementation see
    214-2.0.0 http://www.sendmail.org/email-addresses.html
    214-2.0.0 For local information send email to Postmaster at your site.
    214 2.0.0 End of HELP info
    quit
    221 2.0.0 a.antartida.xyz closing connection
    Connection closed by foreign host.

    The host 69.164.210.174 also runs an SMTP server, but someone seems to
    block my path to it. It might not be AWS as I also can't reach it from my
    personal computer (with a dynamic IP address). Here's a tcpdump from
    host mx.antartida.xyz while trying to telnet to 69.164.210.174 on port
    25.

    --8<-------------------------------------------------------->8---
    # tcpdump -n port 25
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ena0, link-type EN10MB (Ethernet), capture size 262144 bytes
    09:01:45.939473 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931741362 ecr 0], length 0
    09:01:46.964516 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931742388 ecr 0], length 0
    09:01:49.164532 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931744588 ecr 0], length 0
    09:01:53.424248 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931748848 ecr 0], length 0
    09:02:01.764542 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931757188 ecr 0], length 0
    09:02:17.964527 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931773388 ecr 0], length 0
    09:02:50.164521 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931805588 ecr 0], length 0
    ^C
    7 packets captured
    243 packets received by filter
    0 packets dropped by kernel
    --8<-------------------------------------------------------->8---

    The view from host 69.164.210.174:

    --8<-------------------------------------------------------->8---
    # tcpdump -n host 34.197.192.71
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
    --8<-------------------------------------------------------->8---

    We can see TCP SYN packets being sent and none are acknowledged.

    If I switch from port 25 to port 21, I can see my packets arrive (even
    though there's no FTP server at 69.164.210.174).

    From the Lightsail instance:

    --8<-------------------------------------------------------->8---
    %telnet 69.164.210.174 21
    Trying 69.164.210.174...
    telnet: connect to address 69.164.210.174: Connection refused
    --8<-------------------------------------------------------->8---

    The view from 69.164.210.174:

    --8<-------------------------------------------------------->8---
    # tcpdump -n port 21
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    13:31:04.679931 IP 34.197.192.71.43674 > 69.164.210.174.21: Flags [S], seq 2257976044, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2164055307 ecr 0], length 0
    13:31:04.679989 IP 69.164.210.174.21 > 34.197.192.71.43674: Flags [R.], seq 0, ack 2257976045, win 0, length 0
    ^C
    2 packets captured
    2 packets received by filter
    0 packets dropped by kernel
    --8<-------------------------------------------------------->8---

    I get a TCP RST back as expected. I get essentially the same output
    from tcpdump at both hosts. In other words, there's no connectivity
    problem between the two. It's really port 25 that's being filtered.
    (Each host is also able to ping each other.)

    In summary, I can get e-mails from the outside, but I can't deliver
    e-mails or reach Google SMTP servers either from the host
    mx.antartida.xyz. So it's not just the host 69.164.210.174 that I can't
    reach.

    If I try a random SMTP such as the ones for cnn.com, say, I can't reach
    them from mx.antartida.xyz, but I can from host 69.164.210.174. Host
    69.164.210.174 is a personal mail server running netqmail, so I'm
    getting the idea that host 69.164.210.174 has good reputation enough to
    talk to, say, CNN's email servers, but not mx.antartida.xyz (which is a
    newly-born SMTP, just starting out in life).

    So I must be blacklisted? I've looked around on the web and the queries
    I've been able to issue say that I'm *not* blocked anywhere.

    So I'm looking for advice on running my own mail server once again in
    the complicated phase the Internet is going through. If you have any
    recommendations on this, I'd appreciate hearing about it. Thank you.
    --- Synchronet 3.20a-Linux NewsLink 1.114
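
Added example, not part of any post in this thread: the two-sided tcpdump comparison from the post above, automated in Python. It pairs the sender's capture with the receiver's for one destination port and reports where the handshake stops. The verdict labels and the port-21 sender lines are constructed for illustration, and SYNs are matched on destination only because the provider's NAT rewrites the source address between the two captures.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# One IPv4 TCP packet as printed by `tcpdump -n`, e.g.
#   09:01:45.939473 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], ...
PACKET_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([^\]]+)\]"
)


def parse(capture):
    """Extract packets from tcpdump text; banner and counter lines are skipped."""
    return [Packet(m[1], int(m[2]), m[3], int(m[4]), m[5])
            for m in PACKET_RE.finditer(capture)]


def summarize(capture, dst, dport):
    """Return (SYNs seen towards dst:dport, first reply seen from dst:dport)."""
    syns, reply = 0, None
    for p in parse(capture):
        if (p.dst, p.dport) == (dst, dport) and p.flags == "S":
            syns += 1  # pure SYN, including retransmissions
        elif (p.src, p.sport) == (dst, dport) and reply is None:
            if p.flags == "S.":
                reply = "syn-ack"
            elif "R" in p.flags:
                reply = "rst"
    return syns, reply


def verdict(sender_capture, receiver_capture, dst, dport):
    """Locate where the handshake to dst:dport stops, using both captures."""
    sent, reply_seen = summarize(sender_capture, dst, dport)
    arrived, reply_sent = summarize(receiver_capture, dst, dport)
    if sent == 0:
        return "NO_ATTEMPT"              # nothing left the sender's interface
    if arrived == 0:
        return "FILTERED_IN_TRANSIT"     # SYNs leave but never reach the receiver
    if reply_sent is None:
        return "DROPPED_AT_RECEIVER"     # SYN arrived, host stayed silent
    if reply_seen is None:
        return "REPLY_LOST"              # receiver answered, answer never came back
    if reply_sent == "syn-ack":
        return "PATH_OPEN_SERVICE_UP"
    return "PATH_OPEN_PORT_CLOSED"       # RST: path works, nothing listening


# Port 25, sender side: first three SYNs from the capture in the post above.
SENDER_25 = """\
09:01:45.939473 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931741362 ecr 0], length 0
09:01:46.964516 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931742388 ecr 0], length 0
09:01:49.164532 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535, options [mss 8961,nop,wscale 6,sackOK,TS val 3931744588 ecr 0], length 0
"""

# Port 25, receiver side: the post's capture contained no packets at all.
RECEIVER_25 = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
"""

# Port 21, receiver side: the two packets from the capture in the post above.
RECEIVER_21 = """\
13:31:04.679931 IP 34.197.192.71.43674 > 69.164.210.174.21: Flags [S], seq 2257976044, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2164055307 ecr 0], length 0
13:31:04.679989 IP 69.164.210.174.21 > 34.197.192.71.43674: Flags [R.], seq 0, ack 2257976045, win 0, length 0
"""

# Port 21, sender side: constructed sample (the post does not show this capture),
# mirroring the receiver's view with the instance's private source address.
SENDER_21 = """\
10:31:04.600000 IP 172.26.5.226.43674 > 69.164.210.174.21: Flags [S], seq 2257976044, win 65535, length 0
10:31:04.640000 IP 69.164.210.174.21 > 172.26.5.226.43674: Flags [R.], seq 0, ack 2257976045, win 0, length 0
"""

if __name__ == "__main__":
    target = "69.164.210.174"
    print("port 25:", verdict(SENDER_25, RECEIVER_25, target, 25))
    print("port 21:", verdict(SENDER_21, RECEIVER_21, target, 21))
```

The receiver's capture has to use a filter that would match the traffic if it arrived (the destination port or the sender's public address), otherwise an empty capture proves nothing.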
  • From Marco Moock@mm+usenet-es@dorfdsl.de to comp.misc on Fri Oct 18 17:16:48 2024
    From Newsgroup: comp.misc

    On 18.10.2024 at 11:03, Lesley Esen wrote:

    Subject: outgoing tcp port 25 blocked? how to prove it?

    Use traceroute -T -p 25 <target>
    Check where the last reply comes from.

    You can test with srv1.dorfdsl.de, this should reply in all cases.
    --
    kind regards
    Marco

    Send spam to 1729242220muell@cartoonies.org

  • From Lesley Esen@lesen@wimezu.com to comp.misc on Fri Oct 18 14:40:33 2024
    From Newsgroup: comp.misc

    Marco Moock <mm+usenet-es@dorfdsl.de> writes:

    On 18.10.2024 at 11:03, Lesley Esen wrote:

    Subject: outgoing tcp port 25 blocked? how to prove it?

    Use traceroute -T -p 25 <target>
    Check where the last reply comes from.

    You can test with srv1.dorfdsl.de, this should reply in all cases.

    FreeBSD's traceroute doesn't have the -T option. So I don't know how
    informative this will be. (I'm just learning about the -T and -p
    options. It seems very interesting and I don't know yet how it works.)

    I cannot reach srv1.dorfdsl.de.

    --8<-------------------------------------------------------->8---
    %telnet srv1.dorfdsl.de 25
    Trying 82.139.196.13...
    telnet: connect to address 82.139.196.13: Operation timed out
    Trying 2a01:170:118f:3::22...
    telnet: connect to address 2a01:170:118f:3::22: No route to host
    telnet: Unable to connect to remote host
    %
    --8<-------------------------------------------------------->8---

    BTW, I don't know why modern telnet always tries an IPv6 in such cases.

    (*) The traceroute to srv1.dorfdsl.de

    --8<-------------------------------------------------------->8---
    %traceroute -p 25 srv1.dorfdsl.de
    traceroute to srv1.dorfdsl.de (82.139.196.13), 64 hops max, 40 byte packets
    1 * * *
    2 240.0.228.67 (240.0.228.67) 0.272 ms
    240.0.228.64 (240.0.228.64) 0.254 ms
    240.0.228.65 (240.0.228.65) 0.246 ms
    3 242.2.120.71 (242.2.120.71) 0.856 ms 1.913 ms
    242.2.120.195 (242.2.120.195) 1.009 ms
    4 240.3.180.10 (240.3.180.10) 0.880 ms
    240.3.180.11 (240.3.180.11) 0.935 ms
    240.3.180.9 (240.3.180.9) 1.526 ms
    5 242.10.82.177 (242.10.82.177) 1.471 ms
    242.10.90.183 (242.10.90.183) 2.239 ms
    242.2.213.197 (242.2.213.197) 1.199 ms
    6 38.32.206.149 (38.32.206.149) 0.604 ms
    100.100.4.78 (100.100.4.78) 1.399 ms
    204.68.252.113 (204.68.252.113) 1.151 ms
    7 * * *
    8 be3083.ccr41.dca01.atlas.cogentco.com (154.54.30.53) 56.042 ms
    be3084.ccr42.dca01.atlas.cogentco.com (154.54.30.65) 2.441 ms
    port-channel5392.ccr92.dca04.atlas.cogentco.com (154.54.40.49) 1.736 ms
    9 port-channel5042.ccr92.dca04.atlas.cogentco.com (154.54.162.221) 360.473 ms
    port-channel5927.ccr92.dca04.atlas.cogentco.com (154.54.163.101) 1.882 ms
    port-channel5042.ccr92.dca04.atlas.cogentco.com (154.54.162.221) 371.716 ms
    10 be4188.ccr42.jfk02.atlas.cogentco.com (154.54.30.122) 58.424 ms
    be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186) 72.891 ms
    be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 72.750 ms
    11 be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 72.794 ms 74.469 ms
    be12194.ccr41.ams03.atlas.cogentco.com (154.54.56.94) 86.506 ms
    12 be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 131.634 ms
    be3874.rcr21.dus01.atlas.cogentco.com (154.54.62.229) 89.546 ms
    be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 88.654 ms
    13 be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13) 92.094 ms
    be3875.rcr21.dus01.atlas.cogentco.com (154.54.73.25) 90.017 ms
    be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13) 92.073 ms
    14 r0-36.00.3bw.tal.de (78.41.51.246) 90.619 ms 90.477 ms 90.669 ms
    15 r4-68.bw.tal.de (78.41.51.91) 89.592 ms
    be3875.rcr21.dus01.atlas.cogentco.com (154.54.73.25) 91.501 ms
    r4-68.bw.tal.de (78.41.51.91) 87.113 ms
    16 r1-3.bf.tal.de (78.41.51.133) 87.305 ms
    r4-68.bw.tal.de (78.41.51.91) 92.873 ms
    r1-3.bf.tal.de (78.41.51.133) 87.977 ms
    17 srv1.dorfdsl.de (82.139.196.13) 112.620 ms * 97.974 ms
    %
    --8<-------------------------------------------------------->8---

    (*) Now from a host that is not blocked at all

    A telnet session first.

    --8<-------------------------------------------------------->8---
    %telnet srv1.dorfdsl.de 25
    Trying 2a01:170:118f:3::22...
    Connected to srv1.dorfdsl.de.
    Escape character is '^]'.
    220 srv1.dorfdsl.de ESMTP Sendmail 8.17.1.9/8.17.1.9/Debian-2+deb12u2; Fri, 18 Oct 2024 19:37:36 +0200; (No UCE/UBE) logging access from: kontesti.me(OK)-kontesti.me [IPv6:2600:3c03:0:0:f03c:91ff:fe96:40c1]
    quit
    221 2.0.0 srv1.dorfdsl.de closing connection
    Connection closed by foreign host.
    %
    --8<-------------------------------------------------------->8---

    Now the traceroute. Looking at the traceroute, I can't tell the
    difference between this host and the blocked-FreeBSD one. Can you
    clarify that a little? Thanks!

    --8<-------------------------------------------------------->8---
    %sudo traceroute -T -p 25 srv1.dorfdsl.de
    [sudo] password for dbastos:
    traceroute to srv1.dorfdsl.de (82.139.196.13), 30 hops max, 60 byte packets
    1 10.206.9.32 (10.206.9.32) 0.072 ms 0.075 ms 0.068 ms
    2 10.206.35.101 (10.206.35.101) 0.211 ms 0.214 ms 10.206.35.102 (10.206.35.102) 0.226 ms
    3 10.206.32.1 (10.206.32.1) 3.712 ms 3.718 ms 3.714 ms
    4 lo0-0.gw1.cjj1.us.linode.com (173.255.239.101) 0.499 ms 0.377 ms 0.334 ms
    5 ae37.r02.lga01.ien.netarch.akamai.com (23.203.156.50) 1.580 ms ae31.r01.lga01.ien.netarch.akamai.com (23.203.156.16) 1.612 ms ae30.r02.ewr01.ien.netarch.akamai.com (23.203.154.42) 0.922 ms
    6 * nyk-b17-link.ip.twelve99.net (62.115.171.40) 2.001 ms 2.282 ms
    7 * * *
    8 ldn-bb2-link.ip.twelve99.net (62.115.139.247) 71.638 ms 71.720 ms *
    9 ldn-b3-link.ip.twelve99.net (62.115.122.181) 72.927 ms ldn-b3-link.ip.twelve99.net (62.115.120.75) 70.386 ms 70.375 ms
    10 interlinkgmbh-ic-381329.ip.twelve99-cust.net (62.115.154.161) 69.886 ms 71.229 ms 70.610 ms
    11 * * *
    12 * * *
    13 * * *
    14 * * *
    15 * * *
    16 r4-fra1-de.as5405.net (94.103.180.7) 86.291 ms 86.283 ms 87.435 ms
    17 cust-syseleven.fra1-de.as5405.net (45.153.82.5) 111.473 ms 111.469 ms 111.466 ms
    18 r2-2.3bf.tal.de (78.41.51.242) 92.897 ms 92.305 ms 92.885 ms
    19 * * *
    20 srv1.dorfdsl.de (82.139.196.13) 114.786 ms 114.442 ms r4-fra1-de.as5405.net (94.103.180.7) 101.827 ms
    --8<-------------------------------------------------------->8---
  • From Lesley Esen@lesen@wimezu.com to comp.misc on Fri Oct 18 15:03:00 2024
    From Newsgroup: comp.misc

    Lesley Esen <lesen@wimezu.com> writes:

    Marco Moock <mm+usenet-es@dorfdsl.de> writes:

    On 18.10.2024 at 11:03, Lesley Esen wrote:

    Subject: outgoing tcp port 25 blocked? how to prove it?

    Use traceroute -T -p 25 <target>
    Check where the last reply comes from.

    You can test with srv1.dorfdsl.de, this should reply in all cases.

    FreeBSD's traceroute doesn't have the -T option. So I don't know how
    informative this will be. (I'm just learning about the -T and -p
    options. It seems very interesting and I don't know yet how it
    works.)

    I installed tcptraceroute on FreeBSD. Here's the output. I'm puzzled
    as to the result. It seems to reach srv1.dorfdsl.de (82.139.196.13) at
    hop 16, but it continues on without getting any answer from who knows
    what until it gives up. (Let me know if you'd like to see the reverse
    DNS of each hop.)

    %sudo tcptraceroute -n -p 25 srv1.dorfdsl.de
    Selected device ena0, address 172.26.5.226, port 25 for outgoing packets
    Tracing the path to srv1.dorfdsl.de (82.139.196.13) on TCP port 80 (http), 30 hops max
    1 * * *
    2 240.0.228.66 0.261 ms 0.212 ms 0.336 ms
    3 242.2.121.195 1.631 ms 0.556 ms 11.656 ms
    4 240.3.184.11 1.429 ms 1.416 ms 1.431 ms
    5 242.10.90.51 8.191 ms 1.416 ms 1.214 ms
    6 204.68.252.113 1.128 ms 1.145 ms 1.116 ms
    7 * * *
    8 154.54.40.49 1.571 ms 1.543 ms 1.556 ms
    9 154.54.30.42 6.534 ms 6.779 ms 6.718 ms
    10 154.54.30.186 72.423 ms 72.448 ms 72.587 ms
    11 154.54.56.94 86.317 ms 86.475 ms 86.257 ms
    12 154.54.62.229 89.603 ms 89.564 ms 89.571 ms
    13 78.41.51.246 90.505 ms 90.580 ms 90.739 ms
    14 78.41.51.91 87.700 ms 87.002 ms 86.761 ms
    15 78.41.51.133 87.272 ms 87.397 ms 87.344 ms
    16 82.139.196.13 129.743 ms 102.913 ms 101.489 ms
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *
    24 * * *
    25 * * *
    26 * * *
    27 * * *
    28 * * *
    29 * * *
    30 * * *
    Destination not reached
    %

    I cannot reach srv1.dorfdsl.de.

    --8<-------------------------------------------------------->8---
    %telnet srv1.dorfdsl.de 25
    Trying 82.139.196.13...
    telnet: connect to address 82.139.196.13: Operation timed out
    Trying 2a01:170:118f:3::22...
    telnet: connect to address 2a01:170:118f:3::22: No route to host
    telnet: Unable to connect to remote host
    %
    --8<-------------------------------------------------------->8---

    BTW, I don't know why modern telnet always tries an IPv6 in such cases.

    (*) The traceroute to srv1.dorfdsl.de

    --8<-------------------------------------------------------->8---
    %traceroute -p 25 srv1.dorfdsl.de
    traceroute to srv1.dorfdsl.de (82.139.196.13), 64 hops max, 40 byte packets
    1 * * *
    2 240.0.228.67 (240.0.228.67) 0.272 ms
    240.0.228.64 (240.0.228.64) 0.254 ms
    240.0.228.65 (240.0.228.65) 0.246 ms
    3 242.2.120.71 (242.2.120.71) 0.856 ms 1.913 ms
    242.2.120.195 (242.2.120.195) 1.009 ms
    4 240.3.180.10 (240.3.180.10) 0.880 ms
    240.3.180.11 (240.3.180.11) 0.935 ms
    240.3.180.9 (240.3.180.9) 1.526 ms
    5 242.10.82.177 (242.10.82.177) 1.471 ms
    242.10.90.183 (242.10.90.183) 2.239 ms
    242.2.213.197 (242.2.213.197) 1.199 ms
    6 38.32.206.149 (38.32.206.149) 0.604 ms
    100.100.4.78 (100.100.4.78) 1.399 ms
    204.68.252.113 (204.68.252.113) 1.151 ms
    7 * * *
    8 be3083.ccr41.dca01.atlas.cogentco.com (154.54.30.53) 56.042 ms
    be3084.ccr42.dca01.atlas.cogentco.com (154.54.30.65) 2.441 ms
    port-channel5392.ccr92.dca04.atlas.cogentco.com (154.54.40.49) 1.736 ms
    9 port-channel5042.ccr92.dca04.atlas.cogentco.com (154.54.162.221) 360.473 ms
    port-channel5927.ccr92.dca04.atlas.cogentco.com (154.54.163.101) 1.882 ms
    port-channel5042.ccr92.dca04.atlas.cogentco.com (154.54.162.221) 371.716 ms
    10 be4188.ccr42.jfk02.atlas.cogentco.com (154.54.30.122) 58.424 ms
    be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186) 72.891 ms
    be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 72.750 ms
    11 be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86) 72.794 ms 74.469 ms
    be12194.ccr41.ams03.atlas.cogentco.com (154.54.56.94) 86.506 ms
    12 be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 131.634 ms
    be3874.rcr21.dus01.atlas.cogentco.com (154.54.62.229) 89.546 ms
    be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42) 88.654 ms
    13 be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13) 92.094 ms
    be3875.rcr21.dus01.atlas.cogentco.com (154.54.73.25) 90.017 ms
    be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13) 92.073 ms
    14 r0-36.00.3bw.tal.de (78.41.51.246) 90.619 ms 90.477 ms 90.669 ms
    15 r4-68.bw.tal.de (78.41.51.91) 89.592 ms
    be3875.rcr21.dus01.atlas.cogentco.com (154.54.73.25) 91.501 ms
    r4-68.bw.tal.de (78.41.51.91) 87.113 ms
    16 r1-3.bf.tal.de (78.41.51.133) 87.305 ms
    r4-68.bw.tal.de (78.41.51.91) 92.873 ms
    r1-3.bf.tal.de (78.41.51.133) 87.977 ms
    17 srv1.dorfdsl.de (82.139.196.13) 112.620 ms * 97.974 ms
    %
    --8<-------------------------------------------------------->8---

    (*) Now from a host that is not blocked at all

    A telnet session first.

    --8<-------------------------------------------------------->8---
    %telnet srv1.dorfdsl.de 25
    Trying 2a01:170:118f:3::22...
    Connected to srv1.dorfdsl.de.
    Escape character is '^]'.
    220 srv1.dorfdsl.de ESMTP Sendmail 8.17.1.9/8.17.1.9/Debian-2+deb12u2; Fri, 18 Oct 2024 19:37:36 +0200; (No UCE/UBE) logging access from: kontesti.me(OK)-kontesti.me [IPv6:2600:3c03:0:0:f03c:91ff:fe96:40c1]
    quit
    221 2.0.0 srv1.dorfdsl.de closing connection
    Connection closed by foreign host.
    %
    --8<-------------------------------------------------------->8---

    Now the traceroute. Looking at the traceroute, I can't tell the
    difference between this host and the blocked-FreeBSD one. Can you
    clarify that a little? Thanks!

    --8<-------------------------------------------------------->8---
    %sudo traceroute -T -p 25 srv1.dorfdsl.de
    [sudo] password for dbastos:
    traceroute to srv1.dorfdsl.de (82.139.196.13), 30 hops max, 60 byte packets
    1 10.206.9.32 (10.206.9.32) 0.072 ms 0.075 ms 0.068 ms
    2 10.206.35.101 (10.206.35.101) 0.211 ms 0.214 ms 10.206.35.102 (10.206.35.102) 0.226 ms
    3 10.206.32.1 (10.206.32.1) 3.712 ms 3.718 ms 3.714 ms
    4 lo0-0.gw1.cjj1.us.linode.com (173.255.239.101) 0.499 ms 0.377 ms 0.334 ms
    5 ae37.r02.lga01.ien.netarch.akamai.com (23.203.156.50) 1.580 ms ae31.r01.lga01.ien.netarch.akamai.com (23.203.156.16) 1.612 ms ae30.r02.ewr01.ien.netarch.akamai.com (23.203.154.42) 0.922 ms
    6 * nyk-b17-link.ip.twelve99.net (62.115.171.40) 2.001 ms 2.282 ms
    7 * * *
    8 ldn-bb2-link.ip.twelve99.net (62.115.139.247) 71.638 ms 71.720 ms *
    9 ldn-b3-link.ip.twelve99.net (62.115.122.181) 72.927 ms ldn-b3-link.ip.twelve99.net (62.115.120.75) 70.386 ms 70.375 ms
    10 interlinkgmbh-ic-381329.ip.twelve99-cust.net (62.115.154.161) 69.886 ms 71.229 ms 70.610 ms
    11 * * *
    12 * * *
    13 * * *
    14 * * *
    15 * * *
    16 r4-fra1-de.as5405.net (94.103.180.7) 86.291 ms 86.283 ms 87.435 ms
    17 cust-syseleven.fra1-de.as5405.net (45.153.82.5) 111.473 ms 111.469 ms 111.466 ms
    18 r2-2.3bf.tal.de (78.41.51.242) 92.897 ms 92.305 ms 92.885 ms
    19 * * *
    20 srv1.dorfdsl.de (82.139.196.13) 114.786 ms 114.442 ms r4-fra1-de.as5405.net (94.103.180.7) 101.827 ms
    --8<-------------------------------------------------------->8---
  • From Marco Moock@mm+usenet-es@dorfdsl.de to comp.misc on Fri Oct 18 20:32:42 2024
    From Newsgroup: comp.misc

    On 18.10.2024 at 15:03, Lesley Esen wrote:

    %sudo tcptraceroute -n -p 25 srv1.dorfdsl.de
    Selected device ena0, address 172.26.5.226, port 25 for outgoing
    packets Tracing the path to srv1.dorfdsl.de (82.139.196.13) on TCP
    port 80 (http), 30 hops max

    This traceroute implementation uses -p for the source port.
    Dest is 80, so you check the wrong thing. Look at the manpage (I don't
    have FreeBSD here) for the destination port to set.
    --
    kind regards
    Marco

    Send spam to 1729256580muell@cartoonies.org

  • From Lesley Esen@lesen@wimezu.com to comp.misc on Fri Oct 18 16:40:10 2024
    From Newsgroup: comp.misc

    Marco Moock <mm+usenet-es@dorfdsl.de> writes:

    On 18.10.2024 at 15:03, Lesley Esen wrote:

    %sudo tcptraceroute -n -p 25 srv1.dorfdsl.de
    Selected device ena0, address 172.26.5.226, port 25 for outgoing
    packets Tracing the path to srv1.dorfdsl.de (82.139.196.13) on TCP
    port 80 (http), 30 hops max

    This traceroute implementation uses -p for the source port.
    Dest is 80, so you check the wrong thing. Look at the manpage (I don't
    have FreeBSD here) for the destination port to set.

    Thanks. That makes sense. The output now makes sense. Completely
    blocked right from the first hop. Perhaps AWS did not actually unblock
    outbound tcp 25; perhaps they unblocked only inbound tcp 25.

    %tcptraceroute -n srv1.dorfdsl.de 25
    Selected device ena0, address 172.26.5.226, port 22831 for outgoing packets
    Tracing the path to srv1.dorfdsl.de (82.139.196.13) on TCP port 25 (smtp), 30 hops max
    1 * * *
    2 * * *
    3 * * *
    4 * * *
    5 * * *
    6 * * *
    7 * * *
    8 * * *
    9 * * *
    10 * * *
    11 * * *
    12 * * *
    13 * * *
    14 * * *
    15 * * *
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *
    24 * * *
    25 * * *
    26 * * *
    27 * * *
    28 * * *
    29 * * *
    30 * * *
    Destination not reached
    %
  • From Winston@wbe@UBEBLOCK.psr.com.invalid to comp.unix.bsd.freebsd.misc,comp.unix.programmer,comp.misc on Fri Oct 18 20:18:36 2024
    From Newsgroup: comp.misc

    Lesley Esen <lesen@wimezu.com> writes:
    # tcpdump -n port 25
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ena0, link-type EN10MB (Ethernet), capture size 262144 bytes
    09:01:45.939473 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535,

    172.26.*.* is private, not public, IP address space. If that's the TCP
    source address being sent to the remote hosts, it's not surprising
    you're not getting an answer. If I'm reading your article right, the
    public IP address is 34.197.192.71.

    If you can't solve the problem directly, you may need to relay outbound
    mail via some AWS mail forwarder, if they have them.

    The host 69.164.210.174 also runs an SMTP server, but someone seems to
    block my path to it. It might not be AWS as I also can't reach it from my
    personal computer (with a dynamic IP address).

    Try "netstat -an4" on 69.164.210.174 to verify that the mail server is
    indeed listening on port 25. Also, if that host is behind a NAT
    firewall, you may also need to configure the firewall to enable port
    forwarding for port 25.
    -WBE
  • From Lesley Esen@lesen@wimezu.com to comp.unix.bsd.freebsd.misc,comp.unix.programmer,comp.misc on Sat Oct 19 09:11:11 2024
    From Newsgroup: comp.misc

    Winston <wbe@UBEBLOCK.psr.com.invalid> writes:

    Lesley Esen <lesen@wimezu.com> writes:
    # tcpdump -n port 25
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ena0, link-type EN10MB (Ethernet), capture size 262144 bytes
    09:01:45.939473 IP 172.26.5.226.37963 > 69.164.210.174.25: Flags [S], seq 1665376094, win 65535,

    172.26.*.* is private, not public, IP address space. If that's the TCP
    source address being sent to the remote hosts, it's not surprising
    you're not getting an answer. If I'm reading your article right, the
    public IP address is 34.197.192.71.

    That's the public IP address, yes. This is typical on the AWS network.
    Each instance gets a private and a public IP address. I never see the
    public IP address in the instance, but the packets must be being
    rewritten by the AWS network because I can communicate with the outside
    world just fine.

    If you can't solve the problem directly, you may need to relay outbound
    mail via some AWS mail forwarder, if they have them.

    I think that's also possible.

    The host 69.164.210.174 also runs an SMTP server, but someone seems to
    block my path to it. It might not be AWS as I also can't reach it from my
    personal computer (with a dynamic IP address).

    Try "netstat -an4" on 69.164.210.174 to verify that the mail server is
    indeed listening on port 25.

    %netstat -an4 | grep 25
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
    tcp 0 0 69.164.210.174:25 194.169.175.47:34740 TIME_WAIT
    tcp 0 0 69.164.210.174:25 194.169.175.47:40116 TIME_WAIT

    Thanks!
  • From kludge@kludge@panix.com (Scott Dorsey) to comp.misc on Sat Oct 19 16:08:21 2024
    From Newsgroup: comp.misc

    In article <87sest1f8u.fsf@wimezu.com>, Lesley Esen <lesen@wimezu.com> wrote:

    FreeBSD's traceroute doesn't have the -T option. So I don't know how
    informative this will be. (I'm just learning about the -T and -p
    options. It seems very interesting and I don't know yet how it works.)

    Install tcptraceroute then.

    Almost certainly the ISP is blocking port 25 even when they claim they are
    not, but they will want proof.
    --scott
    --
    "C'est un Nagra. C'est suisse, et tres, tres precis."
  • From kludge@kludge@panix.com (Scott Dorsey) to comp.misc on Sat Oct 19 16:10:03 2024
    From Newsgroup: comp.misc

    In article <877ca519ph.fsf@wimezu.com>, Lesley Esen <lesen@wimezu.com> wrote:
    Thanks. That makes sense. The output now makes sense. Completely
    blocked right from the first hop. Perhaps AWS did not actually unblock
    outbound tcp 25; perhaps they unblocked only inbound tcp 25.

    %tcptraceroute -n srv1.dorfdsl.de 25
    Selected device ena0, address 172.26.5.226, port 22831 for outgoing packets
    Tracing the path to srv1.dorfdsl.de (82.139.196.13) on TCP port 25 (smtp), 30 hops max
    1 * * *
    2 * * *
    3 * * *

    That looks like your machine is blocking it since you don't even see your router. Or else your router is blocking it.
    --scott
    --
    "C'est un Nagra. C'est suisse, et tres, tres precis."
  • From John Levine@johnl@taugh.com to comp.unix.bsd.freebsd.misc,comp.unix.programmer,comp.misc on Sat Oct 19 18:40:22 2024
    From Newsgroup: comp.misc

    I think that's also possible.

    The host 69.164.210.174 also runs an SMTP server, but someone seems to
    block my path to it. It might not be AWS as I also can't reach it from my
    personal computer (with a dynamic IP address).

    Try "netstat -an4" on 69.164.210.174 to verify that the mail server is
    indeed listening on port 25.

    I sent a message saying what the problem likely is, but since wimezu.com is
    a fake address, it bounced. Too bad.
    --
    Regards,
    John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
    Please consider the environment before reading this e-mail. https://jl.ly
  • From Bob Eager@news0009@eager.cx to comp.unix.bsd.freebsd.misc,comp.unix.programmer,comp.misc on Sat Oct 19 19:43:23 2024
    From Newsgroup: comp.misc

    On Sat, 19 Oct 2024 09:11:11 -0300, Lesley Esen wrote:

    That's the public IP address, yes. This is typical on the AWS network.
    Each instance gets a private and a public IP address. I never see the
    public IP address in the instance, but the packets must be being
    rewritten by the AWS network because I can communicate with the outside
    world just fine.

    As a data point ... I ran an outbound mail server on an AWS instance
    (FreeBSD) for four years (I stopped because I now have fast access at
    home).

    It connected with a mail server run by me, though. So I wonder if it's
    your ISP blocking an AWS IP range.
    --
    Using UNIX since v6 (1975)...

    Use the BIG mirror service in the UK:
    http://www.mirrorservice.org
  • From Lesley Esen@lesen@wimezu.com to comp.unix.bsd.freebsd.misc,comp.unix.programmer,comp.misc on Sat Oct 19 19:13:38 2024
    From Newsgroup: comp.misc

    John Levine <johnl@taugh.com> writes:

    I think that's also possible.

    The host 69.164.210.174 also runs an SMTP server, but someone seems to
    block my path to it. It might not be AWS as I also can't reach it from my
    personal computer (with a dynamic IP address).

    Try "netstat -an4" on 69.164.210.174 to verify that the mail server is
    indeed listening on port 25.

    I sent a message saying what the problem likely is, but since wimezu.com is
    a fake address, it bounced. Too bad.

    Sorry about that. I'd appreciate if you can post it here. Thank you!
  • From Lesley Esen@lesen@wimezu.com to comp.misc on Sat Oct 19 19:23:24 2024
    From Newsgroup: comp.misc

    kludge@panix.com (Scott Dorsey) writes:

    In article <877ca519ph.fsf@wimezu.com>, Lesley Esen <lesen@wimezu.com> wrote:
    Thanks. That makes sense. The output now makes sense. Completely
    blocked right from the first hop. Perhaps AWS did not actually unblock
    outbound tcp 25; perhaps they unblocked only inbound tcp 25.

    %tcptraceroute -n srv1.dorfdsl.de 25
    Selected device ena0, address 172.26.5.226, port 22831 for outgoing packets
    Tracing the path to srv1.dorfdsl.de (82.139.196.13) on TCP port 25 (smtp), 30 hops max
    1 * * *
    2 * * *
    3 * * *

    That looks like your machine is blocking it since you don't even see your router. Or else your router is blocking it.
    --scott

    That's a good thing to check. I don't think I have a firewall in my
    FreeBSD. For instance, I don't have any configuration for pf in my
    rc.conf---full rc.conf below. As far as I know, I should have
    pf_enable="YES". It's what the documentation says at

    https://docs.freebsd.org/en/books/handbook/firewalls/

    %sudo pfctl -s nat
    pfctl: /dev/pf: No such file or directory
    %sudo pfctl -s rules
    pfctl: /dev/pf: No such file or directory

    So I think it's disabled. It's completely disabled at AWS as well:

    https://prnt.sc/29bBWY8bTT25

    --8<-------------------------------------------------------->8---
    hostname="a.antartida.xyz"
    ec2_configinit_enable=YES
    ec2_fetchkey_enable=YES
    ec2_loghostkey_enable=YES
    firstboot_freebsd_update_enable=YES
    firstboot_pkgs_enable=YES
    ntpd_enable=YES
    dev_aws_disk_enable=YES
    growfs_enable="YES"
    ifconfig_DEFAULT="SYNCDHCP accept_rtadv"
    sshd_enable="YES"
    firstboot_pkgs_list="awscli"
    ipv6_activate_all_interfaces="YES"
    rtsold_enable="YES"
    rtsold_flags="-M /usr/local/libexec/rtsold-M -a"
    # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
    dumpdev="AUTO"
    sendmail_enable="YES"
    milteropendkim_enable="YES"
    milteropendkim_flags="-x /usr/local/etc/mail/opendkim.conf"
    --8<-------------------------------------------------------->8---

    I also don't see any process that could be firewall-related---full
    pstree below.

    %pstree
    -+= 00001 root /sbin/init
    |--= 00283 root dhclient: system.syslog (dhclient)
    |--= 00286 root dhclient: ena0 [priv] (dhclient)
    |--= 00347 _dhcp dhclient: ena0 (dhclient)
    |--= 00384 root /usr/sbin/rtsold -M /usr/local/libexec/rtsold-M -a
    |--= 00389 root rtsold: rtsold.llflags (rtsold)
    |--= 00390 root rtsold: rtsold.script (rtsold)
    |--= 00391 root rtsold: rtsold.sendmsg (rtsold)
    |--= 00392 root rtsold: system.syslog (rtsold)
    |--= 00491 root /sbin/devd
    |--= 00693 root /usr/sbin/syslogd -s
    |--= 00752 ntpd /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /va
    |-+= 00822 root sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
    | \-+= 89365 root sshd: lesen [priv] (sshd)
    | \-+- 89367 lesen sshd: lesen@pts/0 (sshd)
    | \-+= 89368 lesen -sh (sh)
    | \-+= 89380 lesen pstree
    | \--- 89381 lesen ps -axwwo user,pid,ppid,pgid,command
    |--= 00832 root /usr/sbin/cron -s
    |--= 05136 mailnull /usr/local/sbin/opendkim -x /usr/local/etc/mail/opendkim.c
    |--= 60767 lesen keyboxd --homedir /home/lesen/.gnupg --daemon
    |--= 60769 lesen dirmngr --homedir /home/lesen/.gnupg --daemon
    |-+= 60771 lesen gpg-agent --homedir /home/lesen/.gnupg --use-standard-soc
    | \--- 60772 lesen scdaemon --multi-server
    |-+= 81681 root screen -S shell (screen-4.9.1)
    | \--= 81682 lesen -/bin/sh
    |-+= 82130 root screen -S sendmail (screen-4.9.1)
    | \-+= 82131 lesen -/bin/sh
    | \--= 82309 lesen emacs a.antartida.xyz.mc (emacs-29.1)
    |-+= 00769 root /bin/sh /usr/local/bin/svscanboot
    | |-+- 00777 root svscan /service
    | | \-+- 00783 root supervise loop
    | | \-+- 00788 root tcpserver -HR 0.0.0.0 119 /home/lesen/usenet1/loop.exe
    | | |--- 89105 root /home/lesen/usenet1/loop.exe
    | | \--- 89346 root /home/lesen/usenet1/loop.exe
    | \--- 00778 root readproctitle service errors: ...BC2A3}> T NIL)\n8: (READ-BY
    |--= 00852 root /usr/libexec/getty 3wire ttyu0
    |--= 00844 root /usr/libexec/getty Pc ttyv0
    |--= 00845 root /usr/libexec/getty Pc ttyv1
    |--= 00846 root /usr/libexec/getty Pc ttyv2
    |--= 00847 root /usr/libexec/getty Pc ttyv3
    |--= 00848 root /usr/libexec/getty Pc ttyv4
    |--= 00849 root /usr/libexec/getty Pc ttyv5
    |--= 00850 root /usr/libexec/getty Pc ttyv6
    \--= 00851 root /usr/libexec/getty Pc ttyv7
    %