2018-12-21
the most embarrassing admin mistake

Today I have to share a rather embarrassing admin story that came
to a happy end yesterday. I started running a small mailserver for my
favourite human 2 years ago. I have been using an OpenBSD VM with
opensmtpd and dovecot which I have documented in my old blog[0].

Initially I used digital ocean as my hoster. I have written a
small shell script that periodically tries to ping the host and runs
netcat on the smtpd port to check that it is still up and running.
However at one point digital ocean hosed my VM image, so I migrated
it from a backup over to vultr.com.

All was fine until the human started mentioning strange issues with
mails. Some would not get delivered or be delayed for some *days*.
The symptoms would always be the same: E-Mail is entered in a web
shop's order form, mails would not arrive and no connection attempts
were visible in the logs.

My test script didn't show any problem, the server was always
reachable. This has changed.

Yesterday a mail I had sent would bounce and my script would
complain. While checking into the issue I noticed that the
script checks only with:

  nc mail.example.com 25 | head -n1 | grep -q '^220.*OpenSMTPD'

So this would check whatever the nameserver resolves it to. BUT this
server has ipv4 and ipv6 connectivity and corresponding MX entries in
its DNS records. So I have fixed the script to explicitly check for
BOTH address families.
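
One way to write such a per-address-family check, as an added example that is not the author's script. It assumes OpenBSD nc(1), whose -4 and -6 flags force the address family; the function names and the banner pattern variable are illustrative.

```shell
#!/bin/sh
# Added example: probe the SMTP banner once per address family.
# Assumes OpenBSD nc(1): -4/-6 force the family, -w sets a timeout.
# Function names and BANNER_RE are illustrative, not from the post.

BANNER_RE='^220.*OpenSMTPD'

# Succeeds only if the first line on stdin is the expected greeting.
banner_ok() {
    head -n1 | grep -q "$BANNER_RE"
}

# probe FAMILY HOST [PORT]   (FAMILY is 4 or 6)
# A refused, filtered or redirected connection yields no matching
# banner, so the pipeline fails.
probe() {
    nc "-$1" -w 5 "$2" "${3:-25}" </dev/null 2>/dev/null | banner_ok
}

# check_host HOST [PORT]
# Prints one line per family; exit status is the number of failures,
# so a single dead family is enough to raise an alert.
check_host() {
    failed=0
    for fam in 4 6; do
        if probe "$fam" "$1" "$2"; then
            echo "OK   ipv$fam $1"
        else
            echo "FAIL ipv$fam $1"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run only when called with a host name, e.g. from cron.
if [ "$#" -gt 0 ]; then
    check_host "$@"
fi
```

Run it from a host outside the mail server's own network, so that provider-side port blocks and the server's packet filter are both on the tested path.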

And lo and behold it showed an error. I could not connect to the ipv4
address to reach the smtpd!

I have found out that vultr.com blocks port 25 unless you ask
support to lift the ban due to spam! This has been in there for OVER
A YEAR without me noticing it. So I asked support to lift the ban
which they did eventually after I declined to provide a photocopy of
my national ID (which is illegal unless explicitly required by law
here). Still no connectivity.

I wondered. Then I remembered having set up gray listing on the host
for v4 while on the digital ocean VM. I have since disabled spamd on
this VM but forgot about the pf filter rule redirecting traffic. So
after fixing that I finally got to receive mail via ipv4.

So my lesson from this: Tests matter, do them properly so you know
when something does not work. Also ipv6 is doing pretty well in the
realms of email; I would have expected more problems than the
occasionally missing email. Also don't forget about your firewall
settings. Check everything with a port scanner.

That's all folks. This is my most embarrassing admin story of the
year.

__References________________________________________________________
[0]: http://pestilenz.org/~ckeen/blog/posts/opensmtpd.html