Dropped email/ssh client connections

Hi - thanks everyone for reading this.

I am a newbie at yunohost.

My server is set up through the nohost.me domain.

///

Base system (basesystem)

[INFO] Server hardware architecture is bare-metal amd64

  • Server model is HP HP EliteDesk 800 G2 DM 35W

[INFO] Server is running Linux kernel 5.10.0-26-amd64

[INFO] Server is running Debian 11.8

[INFO] Server is running YunoHost 11.2.7 (stable)

  • yunohost version: 11.2.7 (stable)
  • yunohost-admin version: 11.2.3 (stable)
  • moulinette version: 11.2 (stable)
  • ssowat version: 11.2 (stable)

[WARNING] There’s been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in Security | Yunohost Documentation.

=================================
Internet connectivity (ip)

[SUCCESS] Domain name resolution is working!

[SUCCESS] The server is connected to the Internet through IPv4!

  • Global IP: xx.xx.xx.xx
  • Local IP: 192.168.1.194

[WARNING] The server does not have working IPv6.

  • IPv6 should usually be automatically configured by the system or your provider if it’s available. Otherwise, you might need to configure a few things manually as explained in the documentation here: YunoHost • index.

=================================
DNS records (dnsrecords)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category basic)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category mail)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category xmpp)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category extra)

=================================
Ports exposure (ports)

[SUCCESS] Port 22 is reachable from the outside.

  • Exposing this port is needed for admin features (service ssh)

[SUCCESS] Port 25 is reachable from the outside.

  • Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 80 is reachable from the outside.

  • Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 443 is reachable from the outside.

  • Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 587 is reachable from the outside.

  • Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 993 is reachable from the outside.

  • Exposing this port is needed for email features (service dovecot)

[SUCCESS] Port 5222 is reachable from the outside.

  • Exposing this port is needed for xmpp features (service metronome)

[SUCCESS] Port 5269 is reachable from the outside.

  • Exposing this port is needed for xmpp features (service metronome)

[SUCCESS] Port 5349 is reachable from the outside.

  • Exposing this port is needed for [?] features (service coturn)

[SUCCESS] Port 8096 is reachable from the outside.

  • Exposing this port is needed for [?] features (service squid)

[SUCCESS] Port 22000 is reachable from the outside.

  • Exposing this port is needed for [?] features (service syncthing)

=================================
Web (web)

[SUCCESS] Domain maindomain.tld is reachable through HTTP from outside the local network.

=================================
Email (mail)

[SUCCESS] The SMTP mail server is able to send emails (outgoing port 25 is not blocked).

[SUCCESS] The SMTP mail server is reachable from the outside and therefore is able to receive emails!

[ERROR] Reverse DNS is not correctly configured for IPv4. Some emails may fail to get delivered or be flagged as spam.

  • Current reverse DNS: XXXXXx
    Expected value: maindomain.tld
  • You should first try to configure reverse DNS with maindomain.tld in your internet router interface or your hosting provider interface. (Some hosting providers may require you to send them a support ticket for this).
  • Some providers won’t let you configure your reverse DNS (or their feature might be broken…). If you are experiencing issues because of this, consider the following solutions:
    • Some ISP provide the alternative of using a mail server relay though it implies that the relay will be able to spy on your email traffic.
    • A privacy-friendly alternative is to use a VPN with a dedicated public IP to bypass this kind of limits. See YunoHost • index
    • Or it’s possible to switch to a different provider

[SUCCESS] The IPs and domains used by this server do not appear to be blacklisted

[SUCCESS] 0 pending emails in the mail queues

=================================
Services status check (services)

[SUCCESS] Service coturn is running!

[SUCCESS] Service dnsmasq is running!

[SUCCESS] Service dovecot is running!

[SUCCESS] Service fail2ban is running!

[SUCCESS] Service metronome is running!

[SUCCESS] Service mysql is running!

[SUCCESS] Service nginx is running!

[SUCCESS] Service php7.4-fpm is running!

[SUCCESS] Service postfix is running!

[SUCCESS] Service redis-server is running!

[SUCCESS] Service rspamd is running!

[SUCCESS] Service slapd is running!

[SUCCESS] Service squid is running!

[SUCCESS] Service ssh is running!

[SUCCESS] Service syncthing is running!

[SUCCESS] Service uwsgi-app@searx is running!

[SUCCESS] Service wetty is running!

[ERROR] Service ynh-vpnclient is failed :frowning:

  • You can try to restart the service, and if it doesn’t work, have a look at the service logs in the webadmin (from the command line, you can do this with ‘yunohost service restart ynh-vpnclient’ and ‘yunohost service log ynh-vpnclient’).

[SUCCESS] Service yunohost-api is running!

[SUCCESS] Service yunohost-firewall is running!

[SUCCESS] Service yunomdns is running!

=================================
System resources (systemresources)

[SUCCESS] The system still has 14 GiB (90%) RAM available out of 15 GiB.

[SUCCESS] The system has 976 MiB of swap!

  • Please be careful and aware that if the server is hosting swap on an SD card or SSD storage, it may drastically reduce the life expectancy of the device.

[SUCCESS] Storage / (on device /dev/sda6) still has 204 GiB (92.3%) space left (out of 221 GiB)!

[SUCCESS] Storage /boot (on device /dev/sda1) still has 114 MiB (54%) space left (out of 213 MiB)!

=================================
System configurations (regenconf)

[WARNING] Configuration file /etc/metronome/metronome.cfg.lua appears to have been manually modified.

  • This is probably OK if you know what you’re doing! YunoHost will stop updating this file automatically… But beware that YunoHost upgrades could contain important recommended changes. If you want to, you can inspect the differences with ‘yunohost tools regen-conf metronome --dry-run --with-diff’ and force the reset to the recommended configuration with ‘yunohost tools regen-conf metronome --force’

=================================
Applications (apps)

[SUCCESS] All installed apps respect basic packaging practices

///

Description of my issue

Please note that both when using ssh (wetty) and also when using thunderbird or evolution, my connection is intermittent and gives a “timeout” message, rendering this unusable.

I was unable to configure reverse DNS due to isp problems.

Is there any way around this timeout issue? How may I provide more information?

Hi porferry,

Welcome to the forums!

It all looks quite ok :slight_smile:

There is no ‘way around’ not having a working connection, the problem needs to be troubleshot and solved.

As you might have guessed, the (missing) reverse DNS does not interfere with the connection.

How intermittent is your connection? If you run a ping to your Yunohost, does it drop many packages?

First things that come to mind are, in no particular order:

  • duplicate IPs on the network
  • ‘complex’ networks, with loops where packages get lost
  • cable/connector problems
  • fail2ban blocking your connection (it has happened before)

How handy are you with the computers and appliances (router/switch/…) in your network? How is your Yunohost connected to the LAN?

Thank you kindly, and sorry for the delayed response; I could not connect to the forum for several days for some reason.

My YunoHost is connected to my router by wired ethernet with an assigned IP address. The network settings are ok according to the above.

I have the XMPP server set up and it works beautifully (although I have to use a VPN on my phone to access it for some reason). I can make video and audio calls and never get disconnected (if that helps any).

Incidentally, why do I need a VPN on my phone to access the nohost.me site?

I have assigned port forwarding. My network is simple, as you may be able to see above. The only things that don’t work are IPv6 and reverse DNS.

The email is weird: it connects initially, but then times out.

No problems connecting to the server itself on the portal.

No duplicate IP.

How can I test fail2ban in this setting?

Hi porferry,

Your reply answers some, but raises other questions :wink:

From my list,

  • duplicate IP: no explicit confirmation or disproval
  • complex network: no, direct connection from router to Yunohost, single wire
  • cable problem: does not seem the problem, via VPN it works fluently
  • fail2ban: we’ll get to that later

Who assigned the IP address? Do you mean “(dynamically) assigned by the router” (DHCP), or “assigned by me” (static / fixed IP)?
You started with 192.168.1.194 as Yunohost IP. Depending on the router setup, the ‘194’-part could imply your network is quite busy (not a problem in and on itself, just an observation).

This should not be the case. What do you mean with “I have to use a VPN”? What happens if you don’t? (“It does not work” is not enough, there should be some kind of error)

How do you connect when you use VPN?

  1. do you need VPN from your phone to an external VPN when you are at home, connected to WiFi, or
  2. do you need a VPN from your phone to a VPN on Yunohost when you are at another location connected to WiFi, or at home via a mobile network connection

I noticed ‘ynh-vpnclient’ in your services list. Is your goal to make Yunohost available only over VPN, or is it an accidental installation?

You only mention this behaviour for your phone. Does it also happen with other devices, or do you only have your phone to test it with?

Reverse DNS is what it is if your ISP does not want to play nice. There are ways around, but it would cost at least a few euro per year (via VPS or VPN) or would use an external mailserver (relay).

IPv6 is also something your ISP should provide. There are also ways around this (also VPS/VPN, or a tunneling service such as tunnelbroker.net via HE). In the meantime, you could turn IPv6 off if you did not do that already:

For fail2ban, check cat /var/log/fail2ban.log via SSH. See if you recognize the IP of your computer/telephone/other device. It probably is a long list; you can cut it smaller with less, tail or more.
If SSH keeps dropping, but your connection to Yunohost via web and/or VPN is stable, you could connect via a web shell: search for terminal in the application catalog and install either of them.

Sorry for the long text :wink: I hope it is easy enough to follow. Good luck troubleshooting!

Thank you kindly for the excellent reply.

Here are some of my answers:

duplicate IP: no explicit confirmation or disproval - to my knowledge, there are no duplicate IPs

complex network: no, direct connection from router to Yunohost, single wire - correct

cable problem: does not seem the problem, via VPN it works fluently - correct

Who assigned the IP address? Do you mean “(dynamically) assigned by the router” - yes, I verified that this is DHCP - incidentally, it has never changed the assigned IP to this date.

What do you mean with “I have to use a VPN”? What happens if you don’t? (“It does not work” is not enough, there should be some kind of error) - unless I connect with a VPN on my phone, the client application I am using (connect, I’ve tried others) does not establish a reliable connection and cannot find the server. This behaviour has been the same ever since I started using XMPP software (I had a prior FreedomBox and it did the same thing).

I use the VPN from both home and away. I do not have additional devices to connect from.

I actually don’t know how to assign my box a local name for my network. It only has the external name listed.

I noticed ‘ynh-vpnclient’ in your services list. Is your goal to make Yunohost available only over VPN, or is it an accidental installation? – I was testing my VPN service to see if it would autoconnect, but no luck on installation (went through the .ovpn, setting client files, etc… and I can manually connect from the command line but not the ynh-vpnclient application). Therefore, the vpnclient is not active. Should I just remove it?

fail2ban: I tried all the log files (looks like it is using logrotate) - could not find them.

One of the warnings I also get is excessive login attempts through SSH - I wonder if I am doing something wrong.

Thank you kindly for your help - this software (YunoHost) really is impressive IMHO. I just wanted to get email to work…

Right now, this is what I get:

Best regards

Do I understand correctly that you use an external VPN provider? In that case, your connection from your phone seems to come from the public internet, as opposed to from your personal LAN.

It could be that your router is trying to prevent a rebinding attack. Your server has a 192.168.x.y address, which is ‘unexpected’. Some routers do not allow connections to a domain.tld to point to a private IP address.

I know that AVM Fritzboxes have this behaviour. There is a page on their site explaining how to add your server / domain to the exception list. I posted a screenshot in an earlier conversation, Trouble getting to sso login page - #4 by wbk

Talking about screenshots, I got one here about the forum:
image

If you select a bit of text, there is a popup (the bit saying "Quote > Share") that allows you to copy the text as a quote in the new post editor. That way it is easier for readers to distinguish between quotes and new bits of conversation.

I have not used a VPN to connect in that way. It should be possible though, and would provide a way to get a reverse DNS (depending on your VPN provider). Maybe it is something for another thread to look into once the other problems are solved.

Strange; your diagnosis tells that fail2ban is running, and warns that there are many failed logins. This combined would mean many log lines.

I forgot to specify using sudo. That could be the reason!

Could you try this:

  • open one SSH connection, and run sudo tail -f /var/log/fail2ban.log
    • this will give a live view of the log (-f for ‘follow’)
  • open a second SSH connection, and run sudo service fail2ban restart
    • this will restart fail2ban, and write some info to fail2ban.log
  • some lines should appear in the first SSH window
  • press ctrl-c in the first window to exit tail -f
  • next try sudo cat /var/log/fail2ban.log* |grep NOTICE
    • this will list all (un)block actions and the IPs (and some other info)
    • see if the IP of your computer/laptop/phone is in the list
    • don’t be alarmed at many unknown IPs in the list: that is what fail2ban is for.

Could you tell what I see in the screenshot, and what you expected to see?
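The two-step check above (tail the log, then grep the NOTICE lines for your own IP) can be done in one go with the script below. It is an added example, not something from this thread or from YunoHost; it assumes the default fail2ban.log line format and uses constructed sample lines so it can be run without a real server.

```shell
#!/bin/sh
# Added example, not from the thread: replay the Ban/Unban NOTICE lines of
# fail2ban.log to list the IPs that are banned at the end of the log and to
# check whether a given IP (your laptop or phone) was ever touched at all.
# Assumes the default fail2ban.log format shown in the constructed sample.

# Constructed sample lines (not real data), in the default fail2ban.log format.
SAMPLE_LOG='2023-11-20 10:01:02,123 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.45
2023-11-20 10:02:03,456 fail2ban.filter         [812]: INFO    [sshd] Found 192.168.1.50 - 2023-11-20 10:02:03
2023-11-20 10:02:04,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.168.1.50
2023-11-20 10:12:04,000 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.168.1.50
2023-11-20 10:15:00,000 fail2ban.actions        [812]: NOTICE  [postfix] Ban 198.51.100.7
2023-11-20 10:20:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 203.0.113.45'

# Write the sample to a temp file and print its path. Every function below takes
# a log file as $1 and falls back to the real /var/log/fail2ban.log (needs sudo).
sample_log_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# One "jail action ip" line per Ban/Unban NOTICE, in log order. "Restore Ban"
# (a ban re-applied after a fail2ban restart) counts as a Ban; INFO "Found"
# lines are only failed attempts, not blocks, so they are skipped.
ban_events() {
    awk '
        /NOTICE/ && ($(NF-1) == "Ban" || $(NF-1) == "Unban") {
            jail = ""
            for (i = 1; i < NF; i++) if ($i == "NOTICE") { jail = $(i + 1); break }
            sub(/^\[/, "", jail); sub(/\]$/, "", jail)
            print jail, $(NF-1), $NF
        }' "${1:-/var/log/fail2ban.log}"
}

# IPs whose most recent event is a Ban, i.e. still blocked at the end of the
# log. Prints "jail ip" lines sorted by IP.
currently_banned() {
    ban_events "$1" | awk '
        $2 == "Ban"   { state[$3] = $1 }
        $2 == "Unban" { delete state[$3] }
        END { for (ip in state) print state[ip], ip }' | sort -k2
}

# Exit status 0 if IP $2 is banned according to log $1, 1 otherwise.
is_banned() {
    currently_banned "$1" | awk -v ip="$2" '$2 == ip { found = 1 } END { exit !found }'
}

# Number of Ban/Unban events that mention IP $2; 0 means fail2ban never blocked it.
mentions() {
    ban_events "$1" | awk -v ip="$2" '$3 == ip { n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample; replace $LOG with the real log path.
LOG=$(sample_log_file)
echo "events:";     ban_events "$LOG"
echo "banned now:"; currently_banned "$LOG"
echo "events mentioning 192.168.1.50: $(mentions "$LOG" 192.168.1.50)"
rm -f "$LOG"
```

Run it with `sudo` against the real log (`is_banned /var/log/fail2ban.log <your IP>`) to get a yes/no answer instead of scrolling through the whole list.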

Amazing response - thank you for the kind, detailed debugging… greatly appreciated

"Do I understand correctly that you use an external VPN provider? In that case, your connection from your phone *seems* to come from the public internet, as opposed to from your personal LAN."

Yes - using an external VPN provider - with this VPN turned on, I never have a problem using the XMPP server, even for video calls and audio calls using a coturn server.

It could be that your router is trying to prevent a rebinding attack. Your server has a 192.168.x.y address, which is ‘unexpected’. Some routers do not allow connections to a domain.tld to point to a private IP address.

I have forwarded the ports appropriately and assigned DHCP-static with my router - again, no problem connecting through SSH or XMPP, but timeouts do happen both on SSH and also continued problems getting the email. The connection to XMPP does not reliably work at all, though, if I try to connect on my phone without VPN (NordVPN in my case) running.

Router info - don’t know the specifics here otherwise


![image|683x167](upload://gbOgWCtgwfNhYniRyigU63UG8WG.png)

Yes - would like to start another thread in the future if possible.

Completed tasks above - did not see that my computer or phone are being banned.

This image refers to the inbox on Thunderbird - you can see that there are 22 messages on the server, but these cannot be retrieved at all now (previously they could be retrieved/synced initially to the inbox, and then it would time out). Now the connection never works.


FYI - updated diagnosis

=================================
Base system (basesystem)
=================================

[INFO] Server hardware architecture is bare-metal amd64
  - Server model is HP HP EliteDesk 800 G2 DM 35W

[INFO] Server is running Linux kernel 5.10.0-26-amd64

[INFO] Server is running Debian 11.8

[INFO] Server is running YunoHost 11.2.8.2 (stable)
  - yunohost version: 11.2.8.2 (stable)
  - yunohost-admin version: 11.2.3 (stable)
  - moulinette version: 11.2 (stable)
  - ssowat version: 11.2 (stable)

[WARNING] There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.



=================================
Internet connectivity (ip)
=================================

[SUCCESS] Domain name resolution is working!

[SUCCESS] The server is connected to the Internet through IPv4!
  - Global IP: xx.xx.xx.xx
  - Local IP: 192.168.1.194

[WARNING] The server does not have working IPv6.
  - Having a working IPv6 is not mandatory for your server to work, but it is better for the health of the Internet as a whole. IPv6 should usually be automatically configured by the system or your provider if it's available. Otherwise, you might need to configure a few things manually as explained in the documentation here: https://yunohost.org/#/ipv6. If you cannot enable IPv6 or if it seems too technical for you, you can also safely ignore this warning.



=================================
DNS records (dnsrecords)
=================================

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category basic)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category mail)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category xmpp)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category extra)

[INFO] Domain domain2.tld is based on a special-use top-level domain (TLD) such as .local or .test and is therefore not expected to have actual DNS records.



=================================
Ports exposure (ports)
=================================

[SUCCESS] Port 22 is reachable from the outside.
  - Exposing this port is needed for admin features (service ssh)

[SUCCESS] Port 25 is reachable from the outside.
  - Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 80 is reachable from the outside.
  - Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 443 is reachable from the outside.
  - Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 587 is reachable from the outside.
  - Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 993 is reachable from the outside.
  - Exposing this port is needed for email features (service dovecot)

[SUCCESS] Port 5222 is reachable from the outside.
  - Exposing this port is needed for xmpp features (service metronome)

[SUCCESS] Port 5269 is reachable from the outside.
  - Exposing this port is needed for xmpp features (service metronome)

[SUCCESS] Port 5349 is reachable from the outside.
  - Exposing this port is needed for [?] features (service coturn)

[SUCCESS] Port 8096 is reachable from the outside.
  - Exposing this port is needed for [?] features (service squid)

[SUCCESS] Port 22000 is reachable from the outside.
  - Exposing this port is needed for [?] features (service syncthing)



=================================
Web (web)
=================================

[INFO] Domain domain2.tld is based on a special-use top-level domain (TLD) such as .local or .test and is therefore not expected to be exposed outside the local network.

[SUCCESS] Domain maindomain.tld is reachable through HTTP from outside the local network.



=================================
Email (mail)
=================================

[SUCCESS] The SMTP mail server is able to send emails (outgoing port 25 is not blocked).

[SUCCESS] The SMTP mail server is reachable from the outside and therefore is able to receive emails!

[ERROR] Reverse DNS is not correctly configured for IPv4. Some emails may fail to get delivered or be flagged as spam.
  - Current reverse DNS: 104-11-228-191.lightspeed.hstntx.sbcglobal.net
    Expected value: maindomain.tld
  - You should first try to configure reverse DNS with maindomain.tld in your internet router interface or your hosting provider interface. (Some hosting providers may require you to send them a support ticket for this).
  - Some providers won't let you configure your reverse DNS (or their feature might be broken...). If you are experiencing issues because of this, consider the following solutions:
     - Some ISP provide the alternative of using a mail server relay though it implies that the relay will be able to spy on your email traffic.
    - A privacy-friendly alternative is to use a VPN *with a dedicated public IP* to bypass this kind of limits. See https://yunohost.org/#/vpn_advantage
    - Or it's possible to switch to a different provider

[SUCCESS] The IPs and domains used by this server do not appear to be blacklisted

[SUCCESS] 0 pending emails in the mail queues



=================================
Services status check (services)
=================================

[SUCCESS] Service coturn is running!

[SUCCESS] Service dnsmasq is running!

[SUCCESS] Service dovecot is running!

[SUCCESS] Service fail2ban is running!

[SUCCESS] Service metronome is running!

[SUCCESS] Service mysql is running!

[SUCCESS] Service nginx is running!

[SUCCESS] Service php7.4-fpm is running!

[SUCCESS] Service postfix is running!

[SUCCESS] Service redis-server is running!

[SUCCESS] Service rspamd is running!

[SUCCESS] Service slapd is running!

[SUCCESS] Service squid is running!

[SUCCESS] Service ssh is running!

[SUCCESS] Service syncthing is running!

[SUCCESS] Service uwsgi-app@searx is running!

[SUCCESS] Service wetty is running!

[SUCCESS] Service yunohost-api is running!

[SUCCESS] Service yunohost-firewall is running!

[SUCCESS] Service yunomdns is running!



=================================
System resources (systemresources)
=================================

[SUCCESS] The system still has 14 GiB (91%) RAM available out of 15 GiB.

[SUCCESS] The system has 976 MiB of swap!
  - Please be careful and aware that if the server is hosting swap on an SD card or SSD storage, it may drastically reduce the life expectancy of the device.

[SUCCESS] Storage / (on device /dev/sda6) still has 203 GiB (91.9%) space left (out of 221 GiB)!

[SUCCESS] Storage /boot (on device /dev/sda1) still has 114 MiB (54%) space left (out of 213 MiB)!



=================================
System configurations (regenconf)
=================================

[WARNING] Configuration file /etc/metronome/metronome.cfg.lua appears to have been manually modified.
  - This is probably OK if you know what you're doing! YunoHost will stop updating this file automatically... But beware that YunoHost upgrades could contain important recommended changes. If you want to, you can inspect the differences with 'yunohost tools regen-conf metronome --dry-run --with-diff' and force the reset to the recommended configuration with 'yunohost tools regen-conf metronome --force'



=================================
Applications (apps)
=================================

[SUCCESS] All installed apps respect basic packaging practices

Thank you for your encouragement, it’s my pleasure :wink:

Summarizing:

  • When using WiFi at home from your phone:
    • unreliable connection for XMPP
    • connection, but with timeouts, for SSH
    • unreliable connection for mail
  • When using WiFi at home from your phone in combination with external VPN (NordVPN):
    • XMPP works flawless
    • what about SSH?
    • what about mail?
  • When using your phone on WiFi out-of-doors, or mobile internet, either with or without VPN
    • how about XMPP?
    • how about SSH
    • how about mail?
  • You mention only your phone as device you use for connecting to your server. How about other devices?
  • You only mention XMPP, SSH and mail. Do you have other services installed on your server? How about those?

I tried to look up information on Arris modems, without much success. On their ‘surfboard’ brand forum, there is one person asking about rebind protection. Lacking an answer, the person suggests to use an addition to the hosts file on the client. Someone else asks about ‘NAT loopback’; answers there are that depending on the model, the feature (of reaching servers on your own network) is not implemented. There is another thread pointing in that direction.

The threads I referred to speak of loopback. I did not see any specific info on your model. Another term that is used for this is ‘hairpinning’, in case you’d like to investigate further.

It all matches the symptoms you experience, because when you connect to a VPN outside of your LAN, such as NordVPN, your connection seems to come from the public internet and then your router does not block the traffic to your server (it does not block it in this case, because you opened the ports)

That is one thing fewer to worry about :wink:

Ah, yes, now I recognize it.

I think Thunderbird caches retrieved messages. I see a button ‘Quick Filter’ active, could it be that the filter hides (some of) those 22 messages?

To check functionality of the mailserver itself, you could install one of the webmail clients available for Yunohost. I think Rainloop is least complex.

“Never working” would be a symptom of the router not allowing access. Strange in that case, that it sometimes has worked.

Did you notice this? In case you indeed configured a domain ‘local’, it is best to remove it (after moving any applications to another domain); .local is reserved for inter-system messaging

Good luck and don’t give up :wink:
