Error Sending Email: Network is unreachable
-
Every so often, my email server complains that email can't be sent:
… server postfix/smtp ... dsn=4.4.1, status=deferred (connect to ... Network is unreachable)When this happens, if I reboot my pfSense system and flush my email queue, the messages are delivered almost instantly.
I've searched this forum for similar problems, but I have not been able to find problems similar to mine. Can someone give some advice on how to diagnose this problem?
-
What version of pfSense, and is there anything in Status - System logs - System - Gateways?
-
I'm SO sorry for forgetting the details.
pfSense: 2.1.5-RELEASE (i386)
I have snort enabled, so my system log only goes back a few minutes. I don't believe this is snort-related because I don't block any outbound traffic. However, I'd be happy to disable that if you think it would be a good diagnostic step. Nothing listed in the gateways log:
Apr 10 08:25:37 – apinger: alarm canceled: WAN_CABLEGW(xxx.xxx.xxx.xxx) *** down ***
Apr 14 14:40:02 -- apinger: Starting Alarm Pinger, apinger(19472)The problem appeared today at 14:32:26 (just before I rebooted the router).
-
2.1.x had an issue with apinger making your WAN go up & down like a yo-yo under certain mysterious circumstances. Is your gateway "flapping" up & down, according to your log?
-
Not with this version. I have a bonded T1 Internet connection which never goes down and a Cable Internet that fails from time to time (until you reset the cable modem). In general, this has been working fairly well since 2.1.5 came out. The log entries I posted were the last two in the Gateways section. We had some Cable outages on April 10 but were good through most of March.
-
Are you on a static public IP or does your ISP like to change it up regularly?
-
We have static IPs from our ISPs.
-
Check Status - RRD Graphs - Quality around the times you get the errors to see if there is an issue with your link.
-
I don't see any breaks in the graphs.
What I'm hoping to get here are some theories of what might be happening and some ideas of how to prove or disprove those theories (even if it's something to look at the next time the problem occurs).
I looked for similar problems online, and this was the closest I could find:
http://www.reddit.com/r/networking/comments/15qowe/pfsense_routing_issues/
Unfortunately, it doesn't explain anything about why the problem happened or why the fix worked. -
I've seen cases like this where the ISP changes your IP address and pfSense doesn't pick up the change until reboot, but that isn't the case here.
-
I've disabled snort for now, so the system log goes back days instead of minutes. That will allow me to view the system log when this problem occurs again.
I was working with the impression that some email was still working while other email was not. Turns out that this is not the case (at least not on April 14). All SMTP connections from our mail server to servers outside our network failed with "Network is unreachable".
I am also working with the impression that other Internet traffic is still working when this happens. I have verified this by checking a web server log that shows we were receiving web traffic. I can also confirm that inbound SMTP was working to our mail filter at that time.
If you can think of anything else I should check or test, please let me know.
-
If everything was working except for one server having a problem outbound only, then I would likely focus on that one server. It doesn't sound like a global problem with pfSense. Do you have any outbound NAT rules to translate your mailserver IP to a public one that matches your mail certificate or something like that? Anything funny in the system log of the mail server when it has this problem? When it has the problem, can you manually do anything on the box or go anywhere?
-
No, there's nothing of interest in the mail server system log.
Yes I have NAT rules. I use 1:1 NAT for each public-facing machine.
The next time I have a problem, I'll try to access the Internet from the mail server (likely just use a browser to visit google.com).
-
It could be an issue with the mail server not being able to get DNS resolution (for whatever reason). The message "(connect to … Network is unreachable)" might come out when the name of the remote target system cannot be resolved (as well as when the name to IP is resolved but the remote system is actually not reachable). Perhaps it is just names of other mail servers that cannot be resolved, which would be a reason for it to effect the mail server but for other users/clients to be happily working away on the internet.
When the problem happens again, try various different sites - other mail servers and regular web sites.
-
The problem happened again, so here's what I was able to test/determine:
-
Once the problem happens, no email goes out to the Internet from that computer (several different servers were attempted)
-
DNS lookups work
-
From that computer I cannot ping google.com (which works typically)
-
From that computer, I can access the Internet using a web browser – I suspect because I have ports 80 and 443 load balanced with a different Internet connection.
-
I did not see anything unusual in the mail server's mail.log
-
I did not see anything unusual in the mail server's system.log
-
I hadn't mentioned before that networking internally to that server works as normal.
It feels like pfSense receives the packet for SMTP connection and doesn't know what to do with it. One thing I forgot to test was SMTP connection from another computer on the same network ( something like this: telnet aspmx.l.google.com 25 ). I'll try that next time.
Is there any way to determine how pfSense is routing a connection?
Any other suggestions?
-
