Timeout, on access to MTA/25, from offsite over SSH tunnel

To: debian-user@lists.debian.org
Subject: Timeout, on access to MTA/25, from offsite over SSH tunnel
From: Ron Leach <ronleach@tesco.net>
Date: Mon, 03 Aug 2015 10:46:13 +0100
Message-id: <[🔎] 55BF3865.8010501@tesco.net>

List good morning,

I am trying to access our MTA from offsite over an SSH tunnel, but theMUA (Thunderbird) is reporting a timeout on accessing the MTA.

The server is Wheezy; sshd is running; the tunnel is set up toterminate on the same server that runs the MTA (exim), as well asrunning other services; exim is running; the same SSH tunnel worksfine for access over the tunnel to other services (sftp, imap) on thesame server. Additionally, when not using a tunnel, offsite devicescan access the MTA without difficulty; exim is allowing connections.The server host is behind a NAT (forwarding of port 22 is working fineto this server) and the server LAN address is 192.168.0.199

The device running the MUA is usually a laptop (and the same symptomsoccur whether a laptop is running Windows/Putty, Fedora/gSTM, orWheezy/gSTM), and the laptops are set to tunnel to the server (using aDNS lookup) and create a Dynamic tunnel on (say) port 9999.

The MUA is set to proxy over localhost port 9999 (this picks up theSSH tunnel). The MUA's IMAP server configuration is 192.168.0.199(note that this is also the host that the SSH tunnel terminates on)and access to the IMAP mail store over the SSH tunnel works withoutproblems. This indicates that the MUA proxy is working, that thetunnel is working, that the MUA's IMAP server configuration is ok andits access to the IMAP service is working.

The MUA's outbound email server is also configured as 192.168.0.199.(The MTA and the IMAP server are both running on this server,192.168.0.199.) Access to the MTA, over the SSH tunnel, for outboundemail results in the MUA reporting an access timeout, and this isbefore any STARTTLS or any login attempt.

I wondered whether there might be some 'routing' problem on theserver, at the point of the SSH tunnel output (as it were) that meantthat a packet for 192.168.0.199 - which is itself - takes a long timeto get to itself, or even gets lost. So I did another test, loggingin to the server (not over a tunnel, just from the LAN) and issued:


$ telnet 192.168.0.199 25

which was followed by a delay of around a couple of seconds or so before

220 mail.domain.tld ESMTP Exim 4.80 Mon, 03 Aug 2015, 08:37 +0200

which looks good - except, possibly, for the delay. I checked again,this time using localhost instead of 192.168.0.199:


$ telnet localhost 25

which was followed by a delay of around a second before

220 mail.domain.tld ESMTP Exim 4.80 Mon, 03 Aug 2015, 08:39 +0200

So, on this server, using 'localhost' to access some running serviceon the machine is a second or so faster than using its LAN IP address.Incidentally, this server employs a geo-stationary satellite and itsDNS resolution is over the satellite link. I wondered whether theserver might be doing a DNS lookup for 192.168.0.199, but it wouldn't,would it?

May I ask the list for some advice how to avoid the timeout? I'm opento suggestions as to how to alter the arrangements while keepingoutbound email from the laptops over an SSH tunnel. If possible, I'dlike to keep the MUA configurations as 192.168.0.199 because thatmeans the MUA would continue to work even if a different tunnel isused that terminates on some other LAN machine - but I am open toreconsidering that.


I'd be grateful for any suggestions or insights,

regards, Ron

Reply to:

Prev by Date: Re: Kerberos-secured NFSv4: nss_getpwnam: name '8' does not map into domain
Next by Date: Re: cannot register @forum
Previous by thread: Re: Kerberos-secured NFSv4: nss_getpwnam: name '8' does not map into domain
Next by thread: adobe flash player in iceweasel does not work anymore in jessie
Index(es):
- Date
- Thread