[JDEV] jabberd behind NAT fails s2s interoperation

Justin Georgeson jgeorgeson at unboundtech.com
Thu Sep 26 10:49:59 CDT 2002 

I'm not sure what a PTR is. The name that your server call itself (the 
<host> or -h value) should resolve to the ip address of your server. In 
your case, the external IP of the NAT box. Since you have the forwarding 
in place, the traffic would go to your jabber server, which should then 
validate the key.

matthew c. mead wrote:
> Yeah, I found that one out by trying.  I still don't see what's
> going wrong.
> 
> Does dialback require that the ip address specified by the A
> record for the server name have a PTR which points back to the
> server name?
> 
> 
> 
> -matt
> 
> On Thu, Sep 26, 2002 at 09:21:41AM -0500, Justin Georgeson wrote:
> 
>>I don't have time to look at the trace right now, but will try to today. 
>>  Dialback/s2s does not use ssl, so turning it off will have zero effect 
>>on this.
>>
>>matthew c. mead wrote:
>>
>>>Thanks for the explanation.
>>>
>>>Is this key the ssl certificate that I built?  If so, would it
>>>being self-signed be a problem?  Should I go back to no ssl?
>>>
>>>Following is the debug output from a send from mmead at goof.com to
>>>mmead at jabber.org.
>>>
>>>Does it make any sense to you?
>>>
>>>Thanks for your help!
>>>
>>>
>>>
>>>-matt
>>>
>>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 1:jabber.org <message to='mmead at jabber.org' from='mmead at goof.com/Psi'>
>>><body>test</body></message>
>>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 'dnsrv'
>>>Wed Sep 25 19:31:45 2002  dnsrv.c:264 dnsrv: Creating lookup request queue for jabber.org
>>>Wed Sep 25 19:31:45 2002  dnsrv.c:273 dnsrv: Transmitting lookup request: <host>jabber.org</host>
>>>Wed Sep 25 19:31:45 2002  dnsrv.c:159 DNSRV CHILD: Read from buffer: <host>jabber.org</host>Wed Sep 25 19:31:45 2002  mtq 817E900 leaving to pth
>>>
>>>Wed Sep 25 19:31:45 2002  dnsrv.c:112 dnsrv: Recv'd lookup request for jabber.org
>>>Wed Sep 25 19:31:45 2002  mio.c:607 mio while loop topWed Sep 25 19:31:45 2002  srv_resolv.c:112 srv: SRV resolution of _jabber._tcp.jabber.org
>>>
>>>Wed Sep 25 19:31:45 2002  srv_resolv.c:99 srv: Standard resolution of jabber.org
>>>Wed Sep 25 19:31:45 2002  dnsrv.c:123 Resolved jabber.org((null)): 208.245.212.108      resend to:s2s
>>>Wed Sep 25 19:31:45 2002  dnsrv.c:338 incoming resolution: <host ip='208.245.212.108' to='s2s'>jabber.org</host>
>>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 4:s2s <route to='s2s' ip='208.245.212.108'><message to='mmead at jabber.org' from='mmead at goof.com/Psi'>
>>><body>test</body></message></route>
>>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 's2s'
>>>Wed Sep 25 19:31:45 2002  dialback_out.c:192 dbout packet[208.245.212.108]: <message to='mmead at jabber.org' from='mmead at goof.com/Psi'>
>>><body>test</body></message>
>>>Wed Sep 25 19:31:45 2002  dialback_out.c:212 outgoing packet with key jabber.org/goof.com and located existing 0
>>>Wed Sep 25 19:31:45 2002  dialback_out.c:99 Attempting to connect to jabber.org/goof.com at 208.245.212.108
>>>Wed Sep 25 19:31:45 2002  mio.c:527 calling the connect handler for mio object 81F5280
>>>Wed Sep 25 19:31:45 2002  dialback_out.c:329 dbout read: fd 21 flag 4 key jabber.org/goof.com
>>>Wed Sep 25 19:31:45 2002  log.c:116 <log type='notice' from='jabber.org'>failed to establish connection</log>
>>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 3:jabber.org <log type='notice' from='jabber.org'>failed to establish connection</log>
>>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 'elogger'
>>>20020925T23:31:45: [notice] (jabber.org): failed to establish connection
>>>Wed Sep 25 19:31:45 2002  deliver.c:606 delivery failed (Server Connect Failed)
>>>Wed Sep 25 19:31:45 2002  log.c:116 <log type='notice' from='jabber.org'>bouncing a packet to mmead at jabber.org from mmead at goof.com/Psi: Server Connect Failed</log>
>>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 3:jabber.org <log type='notice' from='jabber.org'>bouncing a packet to mmead at jabber.org from mmead at goof.com/Psi: Server Connect Failed</log>
>>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 'elogger'
>>>20020925T23:31:45: [notice] (jabber.org): bouncing a packet to mmead at jabber.org from mmead at goof.com/Psi: Server Connect Failed
>>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 1:goof.com <message to='mmead at goof.com/Psi' from='mmead at jabber.org' type='error'>
>>><body>test</body><error code='502'>Server Connect Failed</error></message>
>>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 'sessions'
>>>Wed Sep 25 19:31:45 2002  deliver.c:94 (8128300)incoming packet <message to='mmead at goof.com/Psi' from='mmead at jabber.org' type='error'>
>>><body>test</body><error code='502'>Server Connect Failed</error></message>
>>>
>>>
>>>On Wed, Sep 25, 2002 at 05:59:27PM -0500, Justin Georgeson wrote:
>>>
>>>
>>>>Dialback works by the sending server giving the receiving server a key. 
>>>>The receiving server does a DNS lookup and contacts the returned IP 
>>>>address. Then the key is verified. If the verification if succsessful, 
>>>>the receiving server tells the sending server it's ok to proceed. While 
>>>>trying to figure out the internals I noticed that the process seems to 
>>>>start again in the middle when the receiving server contacts the looked 
>>>>up IP to verify the key. This contact marks the beginning of a dialback 
>>>>connection where the sending server becomes a receiving server. It all 
>>>>got very confusing trying to look at all the packets in the log file and 
>>>>trace it by hand.
>>>>
>>>>From the error message, I would say it is definitely a dialback issue, 
>>>>and it is probably the server on the other end not being able to verify 
>>>>the server behind the NAT. Run the server in debug mode and capture the 
>>>>output ( jabberd .... -D > debug.log 2>&1). Then look for entries in 
>>>>dialback*.c
>>>>
>>>>matthew c. mead wrote:
>>>>
>>>>
>>>>>Anybody?
>>>>>
>>>>>Anyone familiar with how dial back works?  I have to assume
>>>>>that's what's failing...
>>>>>
>>>>>
>>>>>-matt
>>>>>
>>>>>On Wed, Sep 25, 2002 at 09:41:03AM -0400, matthew c. mead wrote:
>>>>>
>>>>>
>>>>>
>>>>>>I've asked on JADMIN but haven't gotten any response.  I'm hoping
>>>>>>someone here has more knowledge of the issues involved:
>>>>>>
>>>>>>I just recently installed a jabber server at goof.com.
>>>>>>Unfortunately, I cannot get it to interoperate with other jabber
>>>>>>servers using s2s.
>>>>>>
>>>>>>I do not have control over the PTR record for the external ip
>>>>>>addresses my server answers.
>>>>>>
>>>>>>Is there some way to get s2s working despite this?  Sending from
>>>>>>goof.com to external servers yields a connect failure.  Sending
>>>>>
>>>>>>from external servers to goof.com yields that the remote server
>>>>>
>>>>>
>>>>>>does not have permission to respond with the specified ip
>>>>>>address.
>>>>>>
>>>>>>My NAT box allows all outbound connections.  It has forwarding
>>>>>>rules to forward inbound packets it receives for TCP ports 5222,
>>>>>>5223, 5269, and 7000 to the machine running the jabber server.
>>>>>>
>>>>>>Any ideas?
>>>>>>
>>>>>>Thanks!
>>>>>>
>>>>>>
>>>>>>
>>>>>>-matt
>>>>>>
>>>>>>-- 
>>>>>>matthew c. mead
>>>>>>
>>>>>>http://www.goof.com/~mmead/
>>>>>>_______________________________________________
>>>>>>jdev mailing list
>>>>>>jdev at jabber.org
>>>>>>http://mailman.jabber.org/listinfo/jdev
>>>>>>
>>>>>
>>>>>
>>>>-- 
>>>>Justin Georgeson
>>>>UnBound Technologies, Inc.
>>>>http://www.unboundtech.com
>>>>Main   713.329.9330
>>>>Fax    713.460.4051
>>>>Mobile 512.789.1962
>>>>
>>>>5295 Hollister Road
>>>>Houston, TX 77040
>>>>Real Applications using Real Wireless Intelligence(tm)
>>>>
>>>>_______________________________________________
>>>>jdev mailing list
>>>>jdev at jabber.org
>>>>http://mailman.jabber.org/listinfo/jdev
>>>>
>>>
>>>
>>-- 
>>Justin Georgeson
>>UnBound Technologies, Inc.
>>http://www.unboundtech.com
>>Main   713.329.9330
>>Fax    713.460.4051
>>Mobile 512.789.1962
>>
>>5295 Hollister Road
>>Houston, TX 77040
>>Real Applications using Real Wireless Intelligence(tm)
>>
>>_______________________________________________
>>jdev mailing list
>>jdev at jabber.org
>>http://mailman.jabber.org/listinfo/jdev
>>
> 
> 

-- 
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main   713.329.9330
Fax    713.460.4051
Mobile 512.789.1962

5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)

More information about the JDev mailing list