Revision comparison: faq:tcpip [2010/02/23 16:01] by digitalman, and faq:tcpip [2020/04/14 19:22] by digital man ("Re-wording the FTP-HTML stuff and added link (re: FireFox)").
====== TCP/IP ======
Answers to Frequently Asked Questions regarding Synchronet and TCP/IP (the Internet protocol suite).
  * [[#
  * [[#
  * [[#relay_mail|Why can't I relay Internet e-mail through my BBS]]?
  * [[#send_mail|Why can't I send Internet e-mail from my BBS]]?
  * [[#receive_mail|Why can't my BBS receive Internet e-mail or inter-BBS instant messages]]?
  * [[#
  * [[#
  * [[#ftp_html|Why won't a web browser render HTML content from my FTP Server]]?
  * [[#bind|Why do some or all of my servers get bind errors when starting or recycling]]?
  * [[#bandwidth|How many nodes/
  * [[#
  * [[#
  * [[#
===== Ports =====
:?: **Question:**
What inbound ports do I need to open in my firewall?

:!: **Answer:**
Depends on which Synchronet servers and services you wish to make available to Internet clients and which ports you have configured those servers and services to listen on.
|Telnet | | | |
|SSH |22 |- |For SecureShell logins (recommended)|
|RLogin | | | |
|SMTP | | | |
|Submission | | | |
|Submission/ | | | |
|POP3 | | | |
|POP3/ | | | |
|FTP |21 |- |Allows access to the BBS file/ |
|HTTP | | | |
|HTTPS | | | |
|NNTP | | | |
|Gopher | | | |
|IRC |6667 |- |Allows Internet Relay Chat (IRC) clients to connect to your BBS|
|Finger | | | |
|SYSTAT | | | |
|MSP |18 | |Allows incoming inter-BBS instant messages |
|WS | | | |
|WSS |11235 | | |
Enabling connectivity to Synchronet through your firewall is no different than enabling connectivity to any other TCP/IP server. Follow your firewall documentation for forwarding or opening ports for TCP/IP servers located "

[[http://

===== Private IP =====
:?: **Question:**
How come my friends can't connect to my BBS at my 192.168.x.x,

:!: **Answer:**
The IP address ranges listed above are reserved for use in private networks and are not publicly addressable from the Internet. See [[rfc>

You do not want to advertise this IP address to the public since it is useless to anyone outside of your own private/local area network (LAN). IP addresses in these ranges are typically assigned to your computer by your router/firewall device (using DHCP) to allow multiple computers on your private network to share the same public IP address using a mechanism known as Network Address Translation (NAT). Clients on the Internet must use the IP address of your router/

===== Public IP =====
:?: **Question:**
What is my public IP address?

:!: **Answer:**
If you need to know your public IP address, you can usually query your router/

If you use a [[module:

Another way that will accurately scan and diagnose your IP connectivity is [[http://


===== Relay Mail =====
:?: **Question:**
Why can't I relay Internet e-mail through my BBS?

:!: **Answer:**
Indications of this problem include error messages in your e-mail client similar to the following:
  553 Relaying through this server requires authentication. Please authenticate before sending.
  550 Relay not allowed.

Or error messages similar to the following in your Synchronet Mail Server window/log output:

  0504 !SMTP ILLEGAL RELAY ATTEMPT from <

Where the from address is that of your mail sending host and the to address is that of an external mail recipient that you are attempting to send e-mail to.

It is common and normal to see "

By default, the Synchronet Mail Server disallows the relaying of SMTP e-mail messages received for an external recipient (not destined for a local BBS user account).

You can allow specific hosts or users to relay e-mail through your mail server by either:
Entering the sending host's IP address or hostname in your ''
This file may be edited with the SBBSCTRL:

or:

Use SMTP authentication:
Enable the mail server configuration option to allow authenticated users to relay mail.
This can be done by adding ''
Or, if using SBBSCTRL, checking the "Allow Authenticated Users to Relay Mail" checkbox on the SMTP tab of the Mail Server Configuration dialog.

Configure your e-mail client to use SMTP authentication to login to your mail server using your BBS user name (i.e. alias) and password.

The Synchronet Mail Server supports the following SMTP authentication schemes:
  * PLAIN
  * LOGIN
  * CRAM-MD5
(Note: password case sensitivity can be an issue when using CRAM-MD5 authentication)
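The case-sensitivity note above follows from how CRAM-MD5 works: the password never crosses the wire, so the server can only recompute the HMAC with the exact spelling it has on file. The following added example (not from the Synchronet wiki or code base) implements both sides of the exchange and contrasts it with a server that is assumed, for illustration only, to compare PLAIN/LOGIN passwords case-insensitively; the user name and passwords are constructed.

```python
import base64
import hashlib
import hmac
import secrets


def make_challenge() -> str:
    """Server side: a fresh, unpredictable challenge, sent base64-encoded after
    '334 '. RFC 2195 suggests a message-id style string; any nonce that is never
    reused works."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side: base64("<username> <hex HMAC-MD5(key=password, msg=challenge)>")."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_cram_md5(response_b64: str, challenge_b64: str, stored_password: str) -> tuple[str, bool]:
    """Server side: recompute the HMAC with the password on file and compare in
    constant time. 'Secret' and 'secret' yield unrelated digests, so the server
    cannot fold case here even if it wanted to."""
    username, _, client_digest = base64.b64decode(response_b64).decode().partition(" ")
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return username, hmac.compare_digest(client_digest, expected)


def verify_plain_case_insensitive(supplied: str, stored_password: str) -> bool:
    """Assumed behaviour of a server that accepts PLAIN/LOGIN passwords regardless
    of case: it receives the cleartext password, so it can fold case before
    comparing. (Assumption for contrast, not a statement about Synchronet.)"""
    return supplied.upper() == stored_password.upper()


def case_sensitivity_demo() -> dict[str, bool]:
    """Same constructed user: stored password 'secret', client typed 'Secret'."""
    stored, typed = "secret", "Secret"
    challenge = make_challenge()
    _, cram_exact = verify_cram_md5(cram_md5_response("sysop", stored, challenge), challenge, stored)
    _, cram_wrong = verify_cram_md5(cram_md5_response("sysop", typed, challenge), challenge, stored)
    return {
        "plain_case_insensitive": verify_plain_case_insensitive(typed, stored),
        "cram_md5_exact_case": cram_exact,
        "cram_md5_wrong_case": cram_wrong,
    }


if __name__ == "__main__":
    print(case_sensitivity_demo())
```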

===== Send Mail =====
:?: **Question:**
Why can't I send Internet e-mail from my BBS?

:!: **Answer:**
You must have the Synchronet SendMail thread enabled in your Synchronet Mail Server configuration.
If you do not see the following message in your Synchronet Mail Server window/log output when the server is started or recycled:
  0000 SendMail thread started

then you do not have the SendMail thread enabled and your system cannot deliver any Internet e-mail messages until it is enabled and recycled (delivery of any previously queued outbound messages will be attempted at that time).

If your Synchronet SendMail thread cannot deliver e-mail messages, it could be for any of the following reasons:

You have your mail server configured for "
Example errors indicating this condition include:
  0000 !SEND INVALID DNS server address
  0000 !SEND ERROR -1 obtaining MX records for someserver.com from 192.168.1.1

The configured DNS server IP address should usually be set to that of your ISP's primary DNS server.

Note: Synchronet v3.13b can automatically detect and use your DNS server'
You'll know this feature is active when you see log lines similar to the following:
  0000 SEND using auto-detected DNS server address: 206.13.29.12

Your firewall, Internet Service Provider, or Anti-Virus software is blocking, intercepting,
Example errors indicating this condition include:
  0700 !SEND ERROR 60 connecting to SMTP server: smtp.somedomain.com
  0023 !SEND ERROR 110 connecting to SMTP server: mx.somesite.org

You can verify if this is the case by attempting to Telnet to a known public SMTP server (e.g. vert.synchro.net) on TCP port 25.
You should see a mail server version banner similar to the following:
  220 bbs.synchro.net Synchronet SMTP Server 1.362-Win32 Ready

If you cannot connect or do not see a mail server version banner, then something is filtering or blocking your outbound connections to TCP port 25.

If your ISP is blocking port 25, they will normally make an exception for their own mail servers (e.g. ''

If your ISP's mail server only allows e-mail to be sent from ''

One possible solution if **outbound** TCP port 25 is blocked by your ISP is to use an SMTP relay server which accepts connections on another TCP port (say, 587) and will then relay your mail to the destination mail server on port 25. If you wish, you can [[howto:

You have your mail server configured to use an external "Relay Server",
Example errors indicating this condition include:
  0000 !ERROR resolving hostname: badhostname.com
  0680 !SEND ERROR 60 connecting to SMTP server: 192.168.1.1

You have your mail server configured to use an external "Relay Server",
Example errors indicating this condition include:
  0000 !Delivery attempt #1 FAILED (somehost.org replied with: "550 Relay not allowed."
  0000 !Delivery attempt #1 FAILED (somehost.org replied with: "553 Authentication required."

Synchronet v3.12+ supports the Plain, Login, and CRAM-MD5 methods of SMTP authentication when relaying mail through an external relay server. To enable SMTP authentication when relaying, add one of the ''

You have a message in your outbound e-mail queue that is flagged as 'in transit'
Example log message indicating this condition:
  0000 SEND Message #999 from Some User to someone@somesite.com - in transit

This condition can occur if the Synchronet SendMail thread is terminated unexpectedly while in the process of attempting the delivery of an outbound e-mail message. The 'in transit'

If you only have one instance of the Synchronet SendMail thread active (the usual scenario), you can eliminate this problem by adding ''
In general, you need to check your Synchronet Mail Server window/log output for details about why Internet e-mail delivery attempts may be failing.

===== Receive Mail =====

:?: **Question:**
Why can't my BBS receive Internet e-mail?

:!: **Answer:**
You must have the Synchronet SMTP (mail) server running and listening for incoming connections on TCP port 25 (the standard SMTP port). You (or a friend) can test this basic connectivity by attempting to Telnet to port 25 (instead of port 23) at your BBS's hostname or [[#public IP]] address from a remote location on the Internet. The remote Telnet client should see a successful connection and a text message similar to the following:
  220 bbs.synchro.net Synchronet SMTP Server 1.362-Win32 Ready

You should also see evidence of the successful SMTP connection to the server in your Synchronet Mail Server window/log output. If you do not, then it's likely that your firewall or Internet Service Provider is blocking incoming connections to TCP port 25. Before concluding this is the case, verify that the remote Telnet client can connect to other SMTP servers first (e.g. ''

If your firewall or Internet Service Provider is blocking incoming connections to TCP port 25 (many consumer-class ISPs do), then you won't be able to receive Internet e-mail on your BBS. Fixing your firewall configuration is rather simple, but changing ISPs is often not. One possible work-around is having a mail proxy (3rd party server) receive the e-mail for you and forward it to a non-standard,

===== FTP Connect =====

:?: **Question:**
Why can't users connect to my FTP server?

:!: **Answer:**
You must have the Synchronet FTP server running and listening for incoming connections on TCP port 21 (the standard FTP port). See the previous answer about methods of testing this basic connectivity using a remote Telnet client.

If your FTP server window/log indicates an accepted FTP connection, then it's not a connectivity problem and probably a login failure.

FTP sessions require a login. If you have not created a [[:

===== FTP NAT =====
:?: **Question:**
Why do FTP clients lock-up or time-out when listing directories or downloading files from my FTP server?

:!: **Answer:**
Your BBS computer is probably behind a Network Address Translator ([[rfc>

[[http://

**Note**: Most web browsers use //passive// FTP transfer mode by default, though this may be configurable.

**Note**: Some FTP clients (e.g. the Windows command-line FTP client, ''

Enabling the logging of FTP data channel activity can help diagnose these kinds of problems. This can be done by adding the ''

If you're having problems with passive (PASV) transfers through your NAT/
If the remote client is attempting to connect to your [[#private IP]] address (your NAT device isn't translating the PASV response from the FTP server) and you have a static [[#public IP]] address, you can work-around this limitation of your NAT device by using the ''

This problem can be identified (on the client) by finding a comma-separated [[#private IP]] address in the PASV response received from the FTP server (in response to a directory or file transfer request from the client).

Example:

  # ftp yourbbs.synchro.net
  Connected to yourbbs.synchro.net (70.19.142.182).
  220 Please enter your user name.
  Name (yourbbs.synchro.net:
  331 User name okay, give your full e-mail address as password.
  Password:
  230 Guest logged in.
  ftp> passive
  Passive mode on.
  ftp> dir
  227 Entering Passive Mode (192,

Use an FTP client that supports passive mode and can display all the responses received from the FTP server to help identify this particular problem. The FTP client must be running on a system outside your private network, so you may need a friend to assist you with this.
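As an added example (not part of the original page or of Synchronet), the following script applies the check just described to the raw replies an FTP client displays: it parses a 227 PASV reply, flags an RFC 1918 address that the NAT device failed to translate, and also flags a public address that differs from the host the client is already connected to, which is what a stale static public IP setting looks like from the client side. The LAN address in the sample transcript is constructed; the public address is the one from the session above.

```python
import ipaddress
import re

# RFC 1918 private ranges: the addresses that must never reach an Internet client.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (data_host, data_port) advertised in a 227 reply.
    The data port is p1*256 + p2; all six fields must fit in one byte."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def diagnose_pasv(reply: str, control_peer: str) -> str:
    """Classify the address the server told the client to open its data connection to.

    private-address  : an RFC 1918 address leaked through the NAT device
                       (the symptom this FAQ entry describes)
    address-mismatch : a public address other than the host the client is already
                       talking to, e.g. a static public IP setting that went stale
                       after a DHCP change
    ok               : the advertised address matches the control connection
    """
    host, _port = parse_pasv(reply)
    ip = ipaddress.ip_address(host)
    if any(ip in net for net in RFC1918):
        return "private-address"
    if ip != ipaddress.ip_address(control_peer):
        return "address-mismatch"
    return "ok"


# Constructed server transcript modelled on the session above (LAN address made up).
SAMPLE_TRANSCRIPT = [
    "220 Please enter your user name.",
    "331 User name okay, give your full e-mail address as password.",
    "230 Guest logged in.",
    "227 Entering Passive Mode (192,168,1,5,19,137)",
]


def diagnose_transcript(server_lines: list[str], control_peer: str) -> list[str]:
    """Run diagnose_pasv over every 227 reply in a captured server transcript."""
    return [diagnose_pasv(line, control_peer) for line in server_lines if line.startswith("227")]


if __name__ == "__main__":
    for verdict in diagnose_transcript(SAMPLE_TRANSCRIPT, "70.19.142.182"):
        print(verdict)  # private-address
```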

If you have a dynamically-assigned IP address (via DHCP), then your IP address may change at some point, so setting the ''

If your firewall cannot dynamically open/

===== FTP HTML =====
:?: **Question:**
Why will a web browser not (no longer) render the HTML content sent by the Synchronet FTP Server (i.e. ''

:!: **Answer:**
For security reasons, modern web browsers (e.g. Google Chrome) have stopped rendering HTML content served by protocols other than HTTP or HTTPS.
  * [[https://

Some web browsers (e.g. Microsoft Edge) are removing FTP support altogether.
  * [[https://

===== Bind =====
:?: **Question:**
Why do some or all of my servers get bind errors when starting or recycling?

:!: **Answer:**
If you're getting bind errors when first starting up one or more Synchronet servers, similar to the following:
  0420 !ERROR 48 binding FTP Server socket to port 21

**Note:**
On Unix-like systems, the error number may be different, e.g. ''

This usually means you have another TCP/IP server on your system that is already bound to (and is presumably already listening for incoming connections on) this port. This could be a pre-existing instance of Synchronet or any other Telnet/

If you're running a Unix-like operating system (not Windows) and get bind errors only when recycling servers, this is most likely because a TCP session is stuck in a ''
  REUSEADDR=1

:!: **Answer:**
If you're getting bind errors when first starting up one or more Synchronet servers, similar to the following:
  0003 !ERROR 13 binding Web Server socket to port 80

Error ''
This error upon binding usually means that you're running Synchronet as a non-privileged user account (e.g. not '

===== Bandwidth =====
:?: **Question:**
How many nodes/

:!: **Answer:**
Depends on what those clients will be doing while connected. Here are some facts to consider:

1. A BBS node doesn'

2. An active TCP session doesn'

3. Most Internet connections are asymmetrical in nature (as in ADSL).

This means your upstream channel usually has less bandwidth than your downstream channel.
When TCP/IP clients (users of your BBS's servers) download content from your servers (this includes viewing menus, reading messages, and playing door games on your BBS), they are primarily using your upstream channel.

So if you have a 1.5Mbps/

If you are lucky enough to have an SDSL or other type of symmetrical Internet connection, then both your upstream and downstream channels are of the same bandwidth.

4. Most BBS traffic is bursty.

With the exception of large file transfers, most BBS traffic is sent and received in small bursts. For example, the BBS user's TCP session is idle while the user is viewing menus, reading messages, pausing between keystrokes, etc. Many clients sending and receiving data in small intermittent bursts can be active simultaneously without any perceptible impact on one another.

5. Not all clients will be capable of saturating your upstream channel.

If you have a 256Kbps upstream channel, for example, you could support four or five simultaneous "

===== Block Hackers =====
:?: **Question:**
Can Synchronet automatically block the IP address of hackers/

:!: **Answer:**
Yes, see [[howto:

===== SSH Algo =====
:?: **Question:**
Why do some SSH clients (e.g. [[http://

:!: **Answer:**
SSH supports a variety of cryptographic algorithms for encryption (privacy), integrity (MAC) and authentication (key-exchange). As stronger algorithms are introduced, older (less-strong) algorithms are deprecated. As a result, when using a newer version of any SSH client (especially OpenSSH), it may fail to connect to SSH servers which only support less-than-the-strongest (newest) algorithms. There is no permanent solution to this issue as cryptographic algorithms are constantly improving (becoming stronger) and older (weaker) algorithms are going out of favor.


==== SSH Cipher Algo ====

Should be fixed as of Fri Feb 14 07:37:04 2020 UTC. aes128-ctr and aes256-ctr support was added.

Example:
  $ ssh vert.synchro.net
  Unable to negotiate with vert.synchro.net port 22: no matching cipher found. Their offer: aes128-cbc,

Workarounds for OpenSSH:

  $ ssh -c aes128-cbc user@yourbbs.com

or in the ''

  Host yourbbs.com
      Ciphers aes128-cbc

==== SSH Kex Algo ====

Should be fixed as of Mon Jun 3 22:21:15 2019 UTC. diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha256 support was added.

Example:
  $ ssh vert.synchro.net
  Received disconnect from 71.95.196.34:

or:
  Unable to negotiate with legacyhost: no matching key exchange method found.
  Their offer: diffie-hellman-group1-sha1

From the OpenSSH [[http://
> OpenSSH implements all of the cryptographic algorithms needed for compatibility with standards-compliant SSH implementations,

Workarounds for OpenSSH:

  $ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@yourbbs.com

or in the ''

  Host yourbbs.com
      KexAlgorithms diffie-hellman-group1-sha1

**Note:**
If you created this file to work-around the cryptlib v3.4.2 compatibility issue, you will need to remove this file or modify it after updating to cryptlib v3.4.4.

or in the ''

  Host yourbbs.com
      KexAlgorithms +diffie-hellman-group1-sha1

Note: Run ''

==== SSH MAC Algo ====

Should be fixed as of Mon Jun 3 22:21:15 2019 UTC. hmac-sha2-256 support was added.

Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm.

Workaround for OpenSSH (reported by nelgin):

  $ ssh -m hmac-md5 user@yourbbs.com

===== SSH Session Key =====
:?: **Question:**
How do I resolve the following terminal server SSH error?

'
:!: **Answer:**
Rename/move or delete
If you're using TLS for your other [[server:
These files (''
===== See Also =====
  * [[:server:|Servers]]
  * [[:
  * [[:faq:
{{tag>