Passive mode for vsftpd without SSL inside a VM

1

This is my scenario: someone needs to push some files from a really old mainframe that only works with plain FTP (no SSH, no SSL). In my environment, I have a VM with an Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-139-generic x86_64) image, where I set up a vsftpd server. The VM has public address XXX.XXX.XXX.XXX. However, the internal addresses are different:

$ ifconfig   
ens3      Link encap:Ethernet  HWaddr aa:aa:aa:aa:aa:aa  
          inet addr:YYY.YYY.YYY.YYY  Bcast:YYY.YYY.YYY.255  Mask:255.255.255.0
          inet6 addr: aaaa::aaaa:aaaa:aaaa:aaaa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:676755 errors:0 dropped:0 overruns:0 frame:0
          TX packets:244476 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:712807318 (712.8 MB)  TX bytes:20949942 (20.9 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:355 errors:0 dropped:0 overruns:0 frame:0
          TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:23535 (23.5 KB)  TX bytes:23535 (23.5 KB)

I have no external control of this VM. I request it on a system, and it gives me an IP address, user, and password. God knows where this VM is.

So, I have the following configuration for vsftpd:

listen_address=XXX.XXX.XXX.XXX. # External IP here.
pasv_address=XXX.XXX.XXX.XXX.   # External IP here too.
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
allow_writeable_chroot=YES

Using this configuration, I can access the server remotely and push files without a problem. Note that the IPs in the configuration file (XXX.XXX.XXX.XXX) are the external IP, not the internal one (YYY.YYY.YYY.YYY).

However, as the title suggests, my partner cannot use SSL connections. Since vsftpd does not accept user/password plain authentication when SSL is enabled, I have to turn that off:

ssl_enable=NO

But now, I have a lot of problems. This is an example when I try to connect to the server:

$ ftp XXX.XXX.XXX.XXX
Connected to XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX).
220 (vsFTPd 3.0.3)
Name (XXX.XXX.XXX.XXX:alice): bob
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (0,0,0,0,39,107).
ftp: connect: Connection refused

Note that "alice" and "bob" are valid users on my server. So, the problem here is that when FTP goes passive to receive files, etc., it changes the IP to (0,0,0,0,39,107), which is localhost in the server, even though I explicitly ask to use address XXX.XXX.XXX.XXX.

There is some material on the internet that relates this issue to NAT translation (which looks to be the case), but I have tried their solutions. Most of them ask us to set pasv_address (and sometimes port ranges), but none works.

Now, another weirdo:

listen_ipv6=NO
ssl_enable=YES

Now, I cannot even connect to the server, neither from a remote machine:

$ hostname
my_laptop

$ ftp XXX.XXX.XXX.XXX
ftp: connect: Connection refused

nor localhost:

$ hostname
my_server

$ ftp localhost
ftp: connect: Connection refused

The latter makes sense since listen_address points to the external IP address. But even if I comment out that line, I still cannot connect.

It is clear to me that the problem is in the address configuration, since it looks to respond to IPv6 localhost. However, I am not an expert on such things, so I look for your help. Thanks!

an_drade

Posted 2019-05-09T14:24:52.527

Reputation: 11

No answers
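
An added diagnostic example (not part of the original question): it parses the 227 reply shown in the session above and lists why a client cannot reach the advertised data endpoint. The function names, the 203.0.113.10 peer address standing in for XXX.XXX.XXX.XXX, and the optional port range are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]  # data port = p1*256 + p2

def check_pasv(reply, control_peer, port_range=None):
    """Return (host, port, problems) for a 227 reply.

    control_peer: address the client used for the control connection.
    port_range:   optional (low, high) known to be forwarded to the server.
    """
    host, port = parse_pasv(reply)
    peer = ipaddress.ip_address(control_peer)
    problems = []
    if host.is_unspecified:
        problems.append("advertised address is 0.0.0.0 (unspecified)")
    elif host.is_loopback:
        problems.append("advertised address is loopback")
    elif host != peer:
        kind = "private " if host.is_private else ""
        problems.append("advertised %saddress %s differs from control peer %s"
                        % (kind, host, peer))
    if port_range and not (port_range[0] <= port <= port_range[1]):
        problems.append("data port %d outside forwarded range %d-%d"
                        % (port, *port_range))
    return host, port, problems

if __name__ == "__main__":
    # Reply copied from the session in the question; the peer address is a
    # constructed RFC 5737 documentation address, not the real server.
    print(check_pasv("227 Entering Passive Mode (0,0,0,0,39,107).",
                     "203.0.113.10"))
```
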