[JDEV] jabberd behind NAT fails s2s interoperation

matthew c. mead mmead at goof.com
Thu Sep 26 11:41:14 CDT 2002


That's what is happening.  Something's getting hosed up.  My
guess at this point is the implementation is passing ip addresses
to the other server rather than a FQDN.

A PTR record is a DNS record that maps an ip address to a FQDN.


-matt

On Thu, Sep 26, 2002 at 10:49:59AM -0500, Justin Georgeson wrote:
> I'm not sure what a PTR is. The name that your server call itself (the 
> <host> or -h value) should resolve to the ip address of your server. In 
> your case, the external IP of the NAT box. Since you have the forwarding 
> in place, the traffic would go to your jabber server, which should then 
> validate the key.
> 
> matthew c. mead wrote:
> > Yeah, I found that one out by trying.  I still don't see what's
> > going wrong.
> > 
> > Does dialback require that the ip address specified by the A
> > record for the server name have a PTR which points back to the
> > server name?
> > 
> > 
> > 
> > -matt
> > 
> > On Thu, Sep 26, 2002 at 09:21:41AM -0500, Justin Georgeson wrote:
> > 
> >>I don't have time to look at the trace right now, but will try to today. 
> >>  Dialback/s2s does not use ssl, so turning it off will have zero effect 
> >>on this.
> >>
> >>matthew c. mead wrote:
> >>
> >>>Thanks for the explanation.
> >>>
> >>>Is this key the ssl certificate that I built?  If so, would it
> >>>being self-signed be a problem?  Should I go back to no ssl?
> >>>
> >>>Following is the debug output from a send from mmead at goof.com to
> >>>mmead at jabber.org.
> >>>
> >>>Does it make any sense to you?
> >>>
> >>>Thanks for your help!
> >>>
> >>>
> >>>
> >>>-matt
> >>>
> >>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 1:jabber.org <message to='mmead at jabber.org' from='mmead at goof.com/Psi'>
> >>><body>test</body></message>
> >>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 'dnsrv'
> >>>Wed Sep 25 19:31:45 2002  dnsrv.c:264 dnsrv: Creating lookup request queue for jabber.org
> >>>Wed Sep 25 19:31:45 2002  dnsrv.c:273 dnsrv: Transmitting lookup request: <host>jabber.org</host>
> >>>Wed Sep 25 19:31:45 2002  dnsrv.c:159 DNSRV CHILD: Read from buffer: <host>jabber.org</host>Wed Sep 25 19:31:45 2002  mtq 817E900 leaving to pth
> >>>
> >>>Wed Sep 25 19:31:45 2002  dnsrv.c:112 dnsrv: Recv'd lookup request for jabber.org
> >>>Wed Sep 25 19:31:45 2002  mio.c:607 mio while loop topWed Sep 25 19:31:45 2002  srv_resolv.c:112 srv: SRV resolution of _jabber._tcp.jabber.org
> >>>
> >>>Wed Sep 25 19:31:45 2002  srv_resolv.c:99 srv: Standard resolution of jabber.org
> >>>Wed Sep 25 19:31:45 2002  dnsrv.c:123 Resolved jabber.org((null)): 208.245.212.108      resend to:s2s
> >>>Wed Sep 25 19:31:45 2002  dnsrv.c:338 incoming resolution: <host ip='208.245.212.108' to='s2s'>jabber.org</host>
> >>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 4:s2s <route to='s2s' ip='208.245.212.108'><message to='mmead at jabber.org' from='mmead at goof.com/Psi'>
> >>><body>test</body></message></route>
> >>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 's2s'
> >>>Wed Sep 25 19:31:45 2002  dialback_out.c:192 dbout packet[208.245.212.108]: <message to='mmead at jabber.org' from='mmead at goof.com/Psi'>
> >>><body>test</body></message>
> >>>Wed Sep 25 19:31:45 2002  dialback_out.c:212 outgoing packet with key jabber.org/goof.com and located existing 0
> >>>Wed Sep 25 19:31:45 2002  dialback_out.c:99 Attempting to connect to jabber.org/goof.com at 208.245.212.108
> >>>Wed Sep 25 19:31:45 2002  mio.c:527 calling the connect handler for mio object 81F5280
> >>>Wed Sep 25 19:31:45 2002  dialback_out.c:329 dbout read: fd 21 flag 4 key jabber.org/goof.com
> >>>Wed Sep 25 19:31:45 2002  log.c:116 <log type='notice' from='jabber.org'>failed to establish connection</log>
> >>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 3:jabber.org <log type='notice' from='jabber.org'>failed to establish connection</log>
> >>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 'elogger'
> >>>20020925T23:31:45: [notice] (jabber.org): failed to establish connection
> >>>Wed Sep 25 19:31:45 2002  deliver.c:606 delivery failed (Server Connect Failed)
> >>>Wed Sep 25 19:31:45 2002  log.c:116 <log type='notice' from='jabber.org'>bouncing a packet to mmead at jabber.org from mmead at goof.com/Psi: Server Connect Failed</log>
> >>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 3:jabber.org <log type='notice' from='jabber.org'>bouncing a packet to mmead at jabber.org from mmead at goof.com/Psi: Server Connect Failed</log>
> >>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 'elogger'
> >>>20020925T23:31:45: [notice] (jabber.org): bouncing a packet to mmead at jabber.org from mmead at goof.com/Psi: Server Connect Failed
> >>>Wed Sep 25 19:31:45 2002  deliver.c:474 DELIVER 1:goof.com <message to='mmead at goof.com/Psi' from='mmead at jabber.org' type='error'>
> >>><body>test</body><error code='502'>Server Connect Failed</error></message>
> >>>Wed Sep 25 19:31:45 2002  deliver.c:678 delivering to instance 'sessions'
> >>>Wed Sep 25 19:31:45 2002  deliver.c:94 (8128300)incoming packet <message to='mmead at goof.com/Psi' from='mmead at jabber.org' type='error'>
> >>><body>test</body><error code='502'>Server Connect Failed</error></message>
> >>>
> >>>
> >>>On Wed, Sep 25, 2002 at 05:59:27PM -0500, Justin Georgeson wrote:
> >>>
> >>>
> >>>>Dialback works by the sending server giving the receiving server a key. 
> >>>>The receiving server does a DNS lookup and contacts the returned IP 
> >>>>address. Then the key is verified. If the verification is successful, 
> >>>>the receiving server tells the sending server it's ok to proceed. While 
> >>>>trying to figure out the internals I noticed that the process seems to 
> >>>>start again in the middle when the receiving server contacts the looked 
> >>>>up IP to verify the key. This contact marks the beginning of a dialback 
> >>>>connection where the sending server becomes a receiving server. It all 
> >>>>got very confusing trying to look at all the packets in the log file and 
> >>>>trace it by hand.
> >>>>
> >>>>From the error message, I would say it is definitely a dialback issue, 
> >>>>and it is probably the server on the other end not being able to verify 
> >>>>the server behind the NAT. Run the server in debug mode and capture the 
> >>>>output ( jabberd .... -D > debug.log 2>&1). Then look for entries in 
> >>>>dialback*.c
> >>>>
> >>>>matthew c. mead wrote:
> >>>>
> >>>>
> >>>>>Anybody?
> >>>>>
> >>>>>Anyone familiar with how dial back works?  I have to assume
> >>>>>that's what's failing...
> >>>>>
> >>>>>
> >>>>>-matt
> >>>>>
> >>>>>On Wed, Sep 25, 2002 at 09:41:03AM -0400, matthew c. mead wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>>I've asked on JADMIN but haven't gotten any response.  I'm hoping
> >>>>>>someone here has more knowledge of the issues involved:
> >>>>>>
> >>>>>>I just recently installed a jabber server at goof.com.
> >>>>>>Unfortunately, I cannot get it to interoperate with other jabber
> >>>>>>servers using s2s.
> >>>>>>
> >>>>>>I do not have control over the PTR record for the external ip
> >>>>>>addresses my server answers.
> >>>>>>
> >>>>>>Is there some way to get s2s working despite this?  Sending from
> >>>>>>goof.com to external servers yields a connect failure.  Sending
> >>>>>>from external servers to goof.com yields that the remote server
> >>>>>>does not have permission to respond with the specified ip
> >>>>>>address.
> >>>>>>
> >>>>>>My NAT box allows all outbound connections.  It has forwarding
> >>>>>>rules to forward inbound packets it receives for TCP ports 5222,
> >>>>>>5223, 5269, and 7000 to the machine running the jabber server.
> >>>>>>
> >>>>>>Any ideas?
> >>>>>>
> >>>>>>Thanks!
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>-matt
> >>>>>>
> >>>>>>-- 
> >>>>>>matthew c. mead
> >>>>>>
> >>>>>>http://www.goof.com/~mmead/
> >>>>>>_______________________________________________
> >>>>>>jdev mailing list
> >>>>>>jdev at jabber.org
> >>>>>>http://mailman.jabber.org/listinfo/jdev
> >>>>>>
> >>>>>
> >>>>>
> >>>>-- 
> >>>>Justin Georgeson
> >>>>UnBound Technologies, Inc.
> >>>>http://www.unboundtech.com
> >>>>Main   713.329.9330
> >>>>Fax    713.460.4051
> >>>>Mobile 512.789.1962
> >>>>
> >>>>5295 Hollister Road
> >>>>Houston, TX 77040
> >>>>Real Applications using Real Wireless Intelligence(tm)
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> > 
> > 
> 
> 
> 

-- 
matthew c. mead

http://www.goof.com/~mmead/
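A small simulation of the dialback exchange Justin describes in the thread (sending server offers a key, receiving server resolves the originating domain, connects to that address and asks it to verify the key), added here as an example; it is not code from the thread or from jabberd. It assumes the key derivation recommended by XEP-0220, since jabberd's own derivation is not shown in the thread, and uses constructed IP addresses and secrets; the scenarios show what the receiving side gets when the originating domain's A record points at the NAT box that forwards port 5269, at an unused address, or at some unrelated server.

```python
import hashlib
import hmac
import secrets

def dialback_key(secret, receiving, originating, stream_id):
    # Key derivation as recommended by XEP-0220 (assumption; jabberd's own
    # derivation is not shown in the thread).
    k = hashlib.sha256(secret.encode()).digest()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(k, msg, hashlib.sha256).hexdigest()

class Server:
    def __init__(self, domain, secret):
        self.domain, self.secret = domain, secret

    def verify(self, receiving, originating, stream_id, key):
        # Answer a <db:verify/>: only the authoritative server for the
        # originating domain holds the secret the key was built from.
        if originating != self.domain:
            return "invalid"
        expected = dialback_key(self.secret, receiving, originating, stream_id)
        return "valid" if hmac.compare_digest(expected, key) else "invalid"

def dialback(orig, recv, dns_a, servers):
    # dns_a: domain -> IP in its A record; servers: IP -> Server answering there.
    # Flow: db:result -> A lookup of originating domain -> db:verify -> db:result
    stream_id = secrets.token_hex(8)  # issued by the receiving server
    key = dialback_key(orig.secret, recv.domain, orig.domain, stream_id)
    log = [f"<db:result from='{orig.domain}' to='{recv.domain}'>{key}</db:result>"]
    ip = dns_a.get(orig.domain)
    answerer = servers.get(ip)
    if answerer is None:  # nothing listening where the A record points
        return "invalid", log + [f"connect to {ip} failed"]
    log.append(f"-> {ip}: <db:verify from='{recv.domain}' to='{orig.domain}' "
               f"id='{stream_id}'>{key}</db:verify>")
    verdict = answerer.verify(recv.domain, orig.domain, stream_id, key)
    log += [f"<db:verify type='{verdict}'/>", f"<db:result type='{verdict}'/>"]
    return verdict, log

def scenario(goof_a_record):
    # Constructed topology: goof.com's real server is reachable only through
    # the NAT box at 203.0.113.10 (which forwards 5269); jabber.org is at
    # 198.51.100.7. Only an A record pointing at the NAT box lets the
    # receiving side reach a server that can vouch for the key.
    goof, jab = Server("goof.com", "goof-secret"), Server("jabber.org", "jab-secret")
    servers = {"203.0.113.10": goof, "198.51.100.7": jab}
    dns_a = {"jabber.org": "198.51.100.7", "goof.com": goof_a_record}
    return dialback(goof, jab, dns_a, servers)[0]
```

`dialback()` also returns the message transcript, so printing `dialback(...)[1]` shows both sides' stanzas for each scenario.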


