LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue77/tag/6.html

375 lines
14 KiB
HTML
Raw Permalink Blame History

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.4F.o">
<TITLE>The Answer Gang 77: Postfix name resolution fails, dig doesn't</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!--endcut ========================================================= -->
<P> <hr>
<!--startcut ======================================================= -->
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</p>
<!--endcut ========================================================= -->
<!--startcut ======================================================= -->
<P> <hr>
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
<p align="center">
<table width="100%" border="0"><tr>
<td align="right" valign="center"
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0"
><A HREF="../index.html"
><IMG SRC="../../gx/navbar/toc.jpg" align="middle"
ALT="[ Table Of Contents ]" border="0"></A
><A HREF="../lg_answer.html"
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
<td align="center" valign="center"><A HREF="../lg_answer.html#greeting"><img align="middle"
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A> &nbsp;
<A HREF="../tag/bios.html">Meet&nbsp;the&nbsp;Gang</A> &nbsp;
<A HREF="1.html">1</A> &nbsp;
<A HREF="2.html">2</A> &nbsp;
<A HREF="3.html">3</A> &nbsp;
<A HREF="4.html">4</A> &nbsp;
<A HREF="5.html">5</A> &nbsp;
<A HREF="6.html">6</A> &nbsp;
<A HREF="7.html">7</A> &nbsp;
<A HREF="8.html">8</A> &nbsp;
<A HREF="9.html">9</A>
</td>
<td align="left" valign="center"><A HREF="../../tag/kb.html"
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
ALT="[ Index of Past Answers ]" border="0"></A
><IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
</p>
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
<!--endcut ========================================================= -->
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
border="0" align="middle">
<font color="#B03060">The Answer Gang</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
border="0" align="middle">
</A></H1>
<BR>
<H4>By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and...
(<a href="tag/bios.html">meet the Gang</a>) ...
the Editors of Linux Gazette...
and You!
<br>Send questions (or interesting answers) to
The Answer Gang
for possible publication
(but read the <a href="../tag/ask-the-gang.html">guidelines</a> first)
</H4>
</center>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<p><hr><p>
<!-- begin 7 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
height="50" width="60" alt="(?) " border="0"
>Postfix name resolution fails, dig doesn't</H3>
<p><strong>From Faber Fedor
</strong></p>
<p align="right"><strong>Answered By Ben Okopnik, Dan Wilder, Yann Vernier, Jay R. Ashworth, Heather Stern
</strong></p>
<P><STRONG>
Hey Gang!
You probably haven't noticed, but I've been a bit quiet the past few days. It's
certainly not by choice, however. I was recently switched over from @Home to
the lovely Comcast network. After a few birthing pains, everthing seemed to be
going well. However, I've sent out a few emails, including to the Gang, and
I've not seen them show up.
</STRONG></P>
<P><STRONG>
Looking into <TT>/var/log/maillog</TT>, I see, as an example, the following:
</STRONG></P>
<pre><strong>Mar 7 22:52:25 uranus postfix/smtp[12586]: 0A9F2FE16:
to=&lt;linux-questions-only@ssc.com&gt;, relay=none, delay=28121, status=deferred
(Name service error for ssc.com (Host not found, try again) while looking up
the MX record.)
</strong></pre>
<P><STRONG>
and I see this for every email I've tried to send for the last few days.
</STRONG></P>
<P><STRONG>
So I check my ability to do name resolution. I do a `dig ssc.com mx` and I get
the correct response. dig, ping, nslookup works for every email address I've
sent to in the pat few days, but no emails are sent because of "Host not found
while looking up MX record".
</STRONG></P>
<P><STRONG>
Any ideas where to look next?
</STRONG></P>
<P><STRONG>
===== Sincerely, Faber Fedor
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Den]
Maybe postfix has managed to latch in your old nameserver information.
You might try the command:
</blockQuote>
<blockQuote><BLOCKQuote>
postfix reload
</BLOCKQuote></blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Yann]
Quite probable. Postfix also has a tendency to run as much as possible
in a chroot jail; to update the contents of that, you probably have to
run the <TT>/etc/postfix/chroot-setup-LINUX2</TT> script. This had me stumped for
a while after changing <TT>/etc/localtime</TT> but still getting american
timestamps in the mail.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Heather]
Err, the Postfix FAQ has a point here and there of saying "oh, you want to
copy <TT>/etc/resolv.conf</TT> and <TT>/etc/services.switch</TT> down into the jail"
</blockQuote>
<blockQuote>
Which would likely be true whether there is a script to help it do the
right thing or not.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Ben]
My familiarity with Postfix is no more than skin-deep, but if it follows
the Exim way of doing things (i.e., emulating Sendmail options), you might
be able to try some of the following:
</blockQuote>
<blockquote><pre>sendmail -d11 -bt # Address testing mode
sendmail -d11 -bv # Address testing mode, skips "no_verify" routers
</pre></blockquote>
<blockQuote>
A debug level of 11 or above turns on DNS debugging (at least in Exim.)
Here's hoping that all this stuff is at least close... you might want to
read the Postfix manpage; if it's not the same options, they should at
least implement similar functionality.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Dan]
Sorry Ben, no direct debugging. Use syslog. Postfix isn't a monolithic
program,
but a cluster of cooperating daemons, with no protocol for centralizing
debugging info and having one of them dump to standard out. Rather than
reinvent the wheel, Wietse Venema has Postfix consolidate its log streams
via syslog.
</blockQuote>
<blockQuote>
Put it into verbose mode then tail -f whatever syslog puts
the various mail.* syslog streams into.
</blockQuote>
<blockquote><pre> postfix -v reload
tail -f whatever_log_file
</pre></blockquote>
<blockQuote>
and in another window
</blockQuote>
<blockquote><pre> postfix flush
</pre></blockquote>
<blockQuote>
to make it retry all pending spool entries and log what it sees happen.
</blockQuote>
<blockQuote>
All nameservers in your <TT>/etc/resolv.conf</TT>, or the nameservers assigned by DHCP
(see logs) are reachable, I presume.
</blockQuote>
<P><STRONG>
<IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
In a manner of speaking, yes. postfix uses
<TT>/var/spool/postfix/etc/resolv.conf</TT> for name resolution. I assume that
has to do with the chroot jail that Yann was refering to (although I
don't have a script in <TT>/etc/postfix</TT> that corrects the problem).
</STRONG></P>
<P><STRONG>
I didn't see the message about <TT>/var/spool/postfix/etc/resolv.conf</TT> not
being the same as <TT>/etc/resolv.conf</TT> since that only shows up when you
start/stop the postfix (NOT when you reload, btw).
</STRONG></P>
<P><STRONG>
I think I'll go and find out why <TT>/var/spool/postfix/etc/resolv.conf</TT>
isn't (shouldn't?) be a symlink to <TT>/etc/resolv.conf.</TT>
</STRONG></P>
<P><STRONG>
Either way, all better now!
<IMG SRC="../../gx/dennis/smily.gif" ALT=":-)"
height="24" width="20" align="middle">
</STRONG></P>
<P><STRONG>
-- Regards, Faber
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Ben]
Erm, 'cause it's a chroot jail (best as I can tell from your description.)
Assuming that '<TT>/var/spool/postfix</TT>' is your jail's '<TT>/</TT>', "postfix" won't be
able to see anything above that level once it's chrooted.
</blockQuote>
<blockQuote>
My knowledge of chroot jails is limited - I keep promising myself to build
a few of the damn things and experiment, as soon as I have the time (yah,
shuuure...) - but it only makes sense. A link <em> _inside</em> the jail to
'<TT>/etc/resolv.conf</TT>' is going to point at the <em> _inside</em> version of
'<TT>/etc/resolv.conf</TT>' (a.k.a., "<TT>/var/spool/postfix/etc/resolv.conf</TT>" when seen
from the outside.)
</blockQuote>
<P><STRONG>
<IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
By my understanding of setting up ftp chroot jails, you can have
symlinks from inside the jail to the outside. This is A Bad Thing, of
course, because the entire purpose of a chroot jail is to keep the user
in a specific directory.
</STRONG></P>
<P><STRONG>
Now, I understand that symlinking libraries is a securoty breach, but I
don't see how symlinking a text file is a security breach. Can anyone
explain how an exploit like that would work?
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Jay]
Nope. Unless there's a bug.
</blockQuote>
<blockQuote>
You can have <EM>hard</EM> links, though, but only between files, obviously.
</blockQuote>
<blockQuote>
You can symlink <EM>into</EM> a chroot, but not out of it.
</blockQuote>
<blockQuote>
Or, more properly: you can make a symlink that <EM>looks</EM> like it points
to an external file, but when it's interpreted by a program inside the
chroot environment, it probably won't point anywhere useful.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Heather]
If you're wondering why it wasn't just automagically set up as a
hard link, it's not the way of distro's package folk
to assume they have any idea how your hardware is laid out, and hardlinks
only work on the same filesystem (for ext2/3 ... for other fs' you may
not have the ability at all).
</blockQuote>
<P><STRONG>
<IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Besides, I don't think my postfix is chrooted; there's only one library
in <TT>/etc/var/postfix/lib</TT> and postfix has got to need access to more than
one library to function.
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Dan]
Depends on how it was set up. The postfix source has a file called
INSTALL which discusses the pros and cons of chroot in some detail,
and gives procedures to establish it. Default (as of some time back)
was not to chroot.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Heather]
Postfix comes in parts, some are jailed and some not; you have to look
at <TT>/etc/postfix/master.cf</TT> (a table describing features Postfix should apply
to its children) to be certain. And even then it's only for sure
if you recently reloaded postfix
<IMG SRC="../../gx/dennis/smily.gif" ALT=":)"
height="24" width="20" align="middle"> It doesn't lurk on the file watching
for it to change.
</blockQuote>
<!-- end 7 -->
<P> <hr> </p>
<!-- *** BEGIN copyright *** -->
<H5 align="center">This page edited and maintained by the Editors
of <I>Linux Gazette</I>
<a href=""
>Copyright &copy;</a> 2002
<BR>Published in issue 77 of <I>Linux Gazette</I> April 2002</H5>
<H6 ALIGN="center">HTML script maintained by
<A HREF="mailto:star@starshine.org">Heather Stern</a> of
Starshine Technical Services,
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H6>
<!-- *** END copyright *** -->
<!--startcut ======================================================= -->
<P> <hr>
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
<p align="center">
<table width="100%" border="0"><tr>
<td align="right" valign="center"
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0"
><A HREF="../index.html"
><IMG SRC="../../gx/navbar/toc.jpg" align="middle"
ALT="[ Table Of Contents ]" border="0"></A
><A HREF="../lg_answer.html"
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
<td align="center" valign="center"><A HREF="../lg_answer.html#greeting"><img align="middle"
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A> &nbsp;
<A HREF="../tag/bios.html">Meet&nbsp;the&nbsp;Gang</A> &nbsp;
<A HREF="1.html">1</A> &nbsp;
<A HREF="2.html">2</A> &nbsp;
<A HREF="3.html">3</A> &nbsp;
<A HREF="4.html">4</A> &nbsp;
<A HREF="5.html">5</A> &nbsp;
<A HREF="6.html">6</A> &nbsp;
<A HREF="7.html">7</A> &nbsp;
<A HREF="8.html">8</A> &nbsp;
<A HREF="9.html">9</A>
</td>
<td align="left" valign="center"><A HREF="../../tag/kb.html"
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
ALT="[ Index of Past Answers ]" border="0"></A
><IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
</p>
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
<!--endcut ========================================================= -->
<P> <hr>
<!--startcut ======================================================= -->
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</p>
<!--endcut ========================================================= -->
<!--startcut ======================================================= -->
</BODY></HTML>
<!--endcut ========================================================= -->
Reference in New Issue View Git Blame Copy Permalink