# CARP with Sendmail



## APettersson (Jun 7, 2018)

I'm setting up a new mail gateway pair with Sendmail using CARP. It's on an internal network protected from the Internet (it relays all SMTP traffic!). I have an old single mail gateway that has been running for ages, and it's running just fine.

I have configured CARP. And if I connect to the real/physical address on the server all is fine. But I got a TCP-Reset if I try to connect to the virtual IP-address.


```
#uname -a
FreeBSD ***.com 11.1-RELEASE-p10 FreeBSD 11.1-RELEASE-p10 #0: Tue May  8 05:21:56 UTC 2018     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

# netstat -an | grep LISTEN
tcp4       0      0 *.587                  *.*                    LISTEN
tcp6       0      0 *.25                   *.*                    LISTEN
tcp4       0      0 *.25                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
```


```
# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:85:52:2f
        hwaddr 00:50:56:85:52:2f
        inet 10.130.87.202 netmask 0xffffff00 broadcast 10.130.87.255
        inet 10.130.87.201 netmask 0xffffff00 broadcast 10.130.87.255 vhid 1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: MASTER vhid 1 advbase 1 advskew 100
```
Other host:

```
# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:85:0c:92
        hwaddr 00:50:56:85:0c:92
        inet 10.130.87.203 netmask 0xffffff00 broadcast 10.130.87.255
        inet 10.130.87.201 netmask 0xffffff00 broadcast 10.130.87.255 vhid 1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: BACKUP vhid 1 advbase 1 advskew 200
```


```
# telnet 10.130.87.201 25
Trying 10.130.87.201...
telnet: connect to address 10.130.87.201: Connection refused
telnet: Unable to connect to remote host
```

Why does the server send a TCP-Reset when I try to connect to the virtual CARP address?

/Alexander
PS: Sorry for the bad English, it is not my native language.


----------



## SirDice (Jun 7, 2018)

Did you restart sendmail after adding the CARP address? If it was started before the IP address was assigned to the interface it will be ignored. 

Also verify if sendmail is actually listening, you typically get a RST packet when you try to connect to a closed port.


----------



## APettersson (Jun 7, 2018)

Thanks for the reply!

Yes, I have restarted sendmail.
When I run `# telnet 10.130.87.202 25` I can send mail with telnet.
BTW: SSH to 10.130.87.201, .202 and .201 works fine.

How do I verify that sendmail is listening?


----------



## APettersson (Jun 8, 2018)

I only know two ways to verify if sendmail is listening.


```
# netstat -an | grep LISTEN
tcp4       0      0 *.587                  *.*                    LISTEN
tcp6       0      0 *.25                   *.*                    LISTEN
tcp4       0      0 *.25                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
```


```
# sockstat | grep sendmail
smmsp    sendmail   42196 3  dgram  -> /var/run/log
root     sendmail   42192 3  tcp4   *:25                  *:*
root     sendmail   42192 4  dgram  -> /var/run/logpriv
root     sendmail   42192 5  tcp6   *:25                  *:*
root     sendmail   42192 6  tcp4   *:587                 *:*
```

Does this verify that sendmail is listening on all IP addresses?


----------



## APettersson (Jun 8, 2018)

When I connect from the local machine it works.


```
# telnet 10.130.87.201 25
Trying 10.130.87.201...
Connected to 10.130.87.201.
Escape character is '^]'.
220 SESSCSVMG11.*****.com ESMTP Sendmail 8.15.2/8.15.2; Fri, 8 Jun 2018 09:38:15 +0200 (CEST)
quit
221 2.0.0 SESSCSVMG11.*****.com closing connection
Connection closed by foreign host.
```



```
# telnet 10.130.87.202 25
Trying 10.130.87.202...
Connected to 10.130.87.202.
Escape character is '^]'.
220 SESSCSVMG11.*****.com ESMTP Sendmail 8.15.2/8.15.2; Fri, 8 Jun 2018 09:38:08 +0200 (CEST)
quit
221 2.0.0 SESSCSVMG11.*****.com closing connection
Connection closed by foreign host.
```

From another host:


```
# telnet 10.130.87.201 25
Trying 10.130.87.201...
telnet: connect to address 10.130.87.201: Connection refused
telnet: Unable to connect to remote host
```


```
# telnet 10.130.87.202 25
Trying 10.130.87.202...
Connected to 10.130.87.202.
Escape character is '^]'.
220 SESSCSVMG11.*****.com ESMTP Sendmail 8.15.2/8.15.2; Fri, 8 Jun 2018 09:48:36 +0200 (CEST)
quit
221 2.0.0 SESSCSVMG11.*****.com closing connection
Connection closed by foreign host.
```

I think that sendmail is listening on both addresses.
Any suggestions?


----------



## SirDice (Jun 8, 2018)

From the machine itself you can connect to the CARP address but from any other host on your network it fails? Did I understand that correctly?

Is there a firewall active? That may be preventing the connections to the CARP address?


----------



## APettersson (Jun 8, 2018)

Yes that's correct.

I have tested from a host on a different subnet that traverses a Cisco ASA. I can see that the traffic is permitted in the firewall log.
And I have tested from the other CARP machine, which is in the backup state and lives on the same subnet.
Same result...

I can see with tcpdump that traffic hits the active server's CARP address and that the server sent a TCP-RESET.

```
# tcpdump src port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:28:35.431992 IP 10.130.87.201.smtp > 10.130.87.203.48262: Flags [R.], seq 0, ack 2744796078, win 0, length 0
```


----------



## SirDice (Jun 8, 2018)

Is there a firewall running locally? I'm honestly rapidly running out of ideas why it's not working for you.


----------



## APettersson (Jun 8, 2018)

Strange! Now it works!

In frustration I ran "ifconfig em0 vhid 1 state backup" on the Master and then back again. After that all is working! (I'm 100% sure that nothing else was done)

All the time SSH was working even on the CARP IP. Strange...

Thank you all for your effort!


----------



## APettersson (Jun 8, 2018)

Now I have found the root cause... This was not strange at all.

I got the FreeBSD machines installed by a "VMware" guy. After that I configured CARP and sendmail.
I assumed that he installed two machines but he installed three. One of the machines had the CARP address.
(I did not log in with SSH on the "CARP machine". I just got the login prompt...)

It was an IP collision.


----------



## SirDice (Jun 8, 2018)

Oh, bugger. Yeah, that's going to trip you up too.


----------
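
The root cause found in this thread, an unrelated machine holding the CARP address, can be checked directly from the ARP table. The following is an added example, not code from any poster: it assumes CARP answers ARP for the virtual IP with the virtual MAC `00:00:5e:00:01:<vhid in hex>`, that the input is `arp -an` output from a host on the subnet that is not a CARP member, and the function names and sample ARP lines (including the colliding MAC) are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the CARP virtual IP resolve to the CARP virtual MAC?

# Expected virtual MAC for a vhid (assumption: 00:00:5e:00:01:<vhid hex>).
carp_mac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# Read `arp -an` style lines on stdin, print the MAC recorded for IP $1.
# Unresolved "(incomplete)" entries are skipped.
mac_for_ip() {
    awk -v ip="($1)" \
        '$2 == ip && $3 == "at" && $4 !~ /incomplete/ { print tolower($4); exit }'
}

# check_vip VIP VHID  < arp-output
# returns 0: VIP answered by the CARP MAC
#         1: VIP answered by some other MAC (possible IP collision)
#         2: no usable ARP entry for the VIP
check_vip() {
    seen=$(mac_for_ip "$1")
    [ -n "$seen" ] || { echo "$1: no ARP entry"; return 2; }
    want=$(carp_mac "$2")
    if [ "$seen" = "$want" ]; then
        echo "$1: ok, answered by CARP MAC $seen"
        return 0
    fi
    echo "$1: answered by $seen, expected CARP MAC $want"
    return 1
}

# Constructed sample: a plain VMware NIC answers for the VIP (collision).
SAMPLE_BAD='? (10.130.87.201) at 00:50:56:85:aa:bb on em0 expires in 1180 seconds [ethernet]
? (10.130.87.202) at 00:50:56:85:52:2f on em0 expires in 1190 seconds [ethernet]'

# Constructed sample: the VIP is answered by the vhid 1 virtual MAC.
SAMPLE_OK='? (10.130.87.201) at 00:00:5E:00:01:01 on em0 expires in 1180 seconds [ethernet]'

printf '%s\n' "$SAMPLE_BAD" | check_vip 10.130.87.201 1 || true
printf '%s\n' "$SAMPLE_OK"  | check_vip 10.130.87.201 1
```

On a live network the same check is `arp -an | check_vip 10.130.87.201 1`; a non-CARP MAC for the virtual IP means another machine is answering for it, which matches the symptom here of a reset for SMTP while SSH still showed a login prompt.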

