From: Stan Hoeppner on
Ioannis Tsouvalas put forth on 5/30/2010 2:46 PM:
> I have disabled shorewall on the Postfix machine using "# shorewall clear", but
> I'm still working on clearing shorewall on the dedicated machine; I
> haven't managed to make it happen since all the NAT has been implemented in
> the shorewall configuration.

You may want to leave it for now if you've disabled firewalling on the Postfix VM.

> I'm still trying to figure out a safe way to
> move from shorewall to iptables. So here is the diagram in case
> anything else comes to mind.

Shorewall is merely a nice front end for iptables. At this point, I'd move
the Postfix VM out of the DMZ, putting it in the same subnet as the Exchange
server, and disable any packet mangling being done by Shorewall other than
S/DNAT. In other words, make TCP/IP transmission identical from the F/W to
both Postfix and Exchange, and allow Postfix and Exchange to communicate
directly with one another, with no firewall in between them. Run with this config
for a while and see if the errors go away between Postfix and Exchange. If
they do, but you still see the relevant errors while communicating with
_external_ mail servers, then you can probably assume the problem is with
Shorewall, and then focus your troubleshooting there.

All of these VMs run on a single physical machine, correct? What machine is
it, and what NICs does it have (make/model)? What knobs have you turned in
ESX with regard to the virtual switch, VLANs, virtual NICs, etc?

--
Stan



>
> NETWORK DIAGRAM
>
>                       INTERNET
>                          |
>                    ADSL ROUTER  +ZONE NET+
>                          |
>  ESXI VER. 4 UPDATE 1    | (PHYSICAL 1ST ADAPTER)
> +========================|==================================+
> |                        |                                  |
> |                        | VMXNET3 (VIRT ADPT)              |
> |      (SMTP/ACCEPT)     |                                  |
> |   +-----------------SHOREWALL +ZONE FIREWALL+             |
> |   |                 (UBUNTU X64)                          |
> |   |                    |                                  |
> |   |VMXNET3 (VIRT ADPT) | VMXNET3 (VIRT ADPT)              |
> |   |                    |                                  |
> | POSTFIX +ZONE DMZ+     +-----------------------+          |
> | (UBUNTU X64)           | (SMTP/ACCEPT)         |          |
> |                        |                       |          |
> |                        | VMXNET3 (VIRT ADPT)   |          |
> |                        |                       |          |
> |            EXCHANGE 2007 +ZONE LOCAL+          |          |
> |            WINDOWS SBS 2008                    |          |
> +================================================|==========+
>                                                  | (PHYSICAL 2ND ADAPTER)
>                                                  |
>                                     LOCAL SWITCH +ZONE LOCAL+
>
>
> Ioannis

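Stan's point above is that Shorewall only generates iptables rules, so the place to confirm that nothing beyond S/DNAT is still in effect is the kernel's own rule set, not the Shorewall config files. The script below is an added example, not code from the thread or from the Shorewall project: it parses iptables-save output by table, counts what is left in the mangle table (which should be empty once packet mangling is disabled) and how many DNAT/SNAT/MASQUERADE rules the nat table holds. The rule dump it works on is a constructed sample; the interface names, the 10.0.2.25 address and the TCPMSS clamp rule are assumptions chosen to look like a typical Shorewall-generated set, not a capture from the poster's firewall.

```shell
#!/bin/sh
# Added example (not from the thread): classify the rules Shorewall has
# loaded into the kernel, as seen through iptables-save, so you can confirm
# that only S/DNAT remains once packet mangling is switched off.
# SAMPLE_RULES is a constructed iptables-save excerpt; the chains, interface
# names and addresses in it are assumptions, not the poster's real rules.

SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.2.25
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# rules_in_table TABLE: print the "-A" rules of one table from iptables-save
# text read on stdin (the block between "*TABLE" and the next "COMMIT").
rules_in_table() {
    awk -v want="*$1" '
        $0 == want     { in_tbl = 1; next }
        $0 == "COMMIT" { in_tbl = 0 }
        in_tbl && /^-A / { print }
    '
}

# count_mangle_rules: number of rules in the mangle table. Expected 0 once
# mangling is disabled; anything left here (MSS clamping, marks, TOS) is a
# candidate cause of SMTP trouble that the NAT rules alone would not explain.
count_mangle_rules() {
    printf '%s\n' "$SAMPLE_RULES" | rules_in_table mangle | wc -l | tr -d ' '
}

# count_nat_rules: number of DNAT/SNAT/MASQUERADE rules in the nat table,
# i.e. the part of the Shorewall config that still has to be kept.
count_nat_rules() {
    printf '%s\n' "$SAMPLE_RULES" | rules_in_table nat \
        | grep -c -E -- '-j (DNAT|SNAT|MASQUERADE)'
}

# check_firewall: "ok" when the mangle table is empty, else "mangle:N".
check_firewall() {
    n=$(count_mangle_rules)
    if [ "$n" -eq 0 ]; then echo ok; else echo "mangle:$n"; fi
}

# On the real firewall, feed the live dump instead of SAMPLE_RULES, e.g.
#   iptables-save | rules_in_table mangle
echo "mangle rules: $(count_mangle_rules)"
echo "nat rules:    $(count_nat_rules)"
echo "status:       $(check_firewall)"
```

Run it on the firewall VM after "shorewall restart" with mangling turned off: a non-zero mangle count means Shorewall is still rewriting packets on the path to Postfix, and the TCP stream Postfix sees is not the one Exchange sees, which is exactly the difference Stan suggests eliminating before blaming either mail server.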
From: Stan Hoeppner on
Ioannis Tsouvalas put forth on 5/30/2010 2:56 PM:
> Stan, thanks again for your input. I am getting the idea and I'm working
> in that direction; still, after 3 months of testing, this implementation has
> moved to production, and I am working remotely, so "being careful" is one
> way to describe my actions.

I'm wondering why these errors didn't show up during testing. Something must
have changed since testing was completed. Can you identify anything network
related that you changed _after_ your formal testing was completed?

> PS. The net diagram looked much better when I was making it. I was trying to
> figure out a way to display it correctly, but this was the best I
> could think of. Any suggestions are always welcome.

Diagram looks fine on this end. IP addresses for each VM network interface
may have helped a little.

--
Stan