<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.4F.o">
<TITLE>The Answer Gang 77: Postfix name resolution fails, dig doesn't</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!--endcut ========================================================= -->
<P> <hr>
<!--startcut ======================================================= -->
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</p>
<!--endcut ========================================================= -->
<!--startcut ======================================================= -->
<P> <hr>
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
<p align="center">
<table width="100%" border="0"><tr>
<td align="right" valign="center"
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0"
><A HREF="../index.html"
><IMG SRC="../../gx/navbar/toc.jpg" align="middle"
ALT="[ Table Of Contents ]" border="0"></A
><A HREF="../lg_answer.html"
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
<td align="center" valign="center"><A HREF="../lg_answer.html#greeting"><img align="middle"
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A>
<A HREF="../tag/bios.html">Meet the Gang</A>
<A HREF="1.html">1</A>
<A HREF="2.html">2</A>
<A HREF="3.html">3</A>
<A HREF="4.html">4</A>
<A HREF="5.html">5</A>
<A HREF="6.html">6</A>
<A HREF="7.html">7</A>
<A HREF="8.html">8</A>
<A HREF="9.html">9</A>
</td>
<td align="left" valign="center"><A HREF="../../tag/kb.html"
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
ALT="[ Index of Past Answers ]" border="0"></A
><IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
</p>
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
<!--endcut ========================================================= -->
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
border="0" align="middle">
<font color="#B03060">The Answer Gang</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
border="0" align="middle">
</A></H1>
<BR>
<H4>By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and...
(<a href="tag/bios.html">meet the Gang</a>) ...
the Editors of Linux Gazette...

and You!
<br>Send questions (or interesting answers) to
The Answer Gang
for possible publication
(but read the <a href="../tag/ask-the-gang.html">guidelines</a> first)
</H4>
</center>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<p><hr><p>
<!-- begin 7 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
height="50" width="60" alt="(?) " border="0"
>Postfix name resolution fails, dig doesn't</H3>

<p><strong>From Faber Fedor
</strong></p>

<p align="right"><strong>Answered By Ben Okopnik, Dan Wilder, Yann Vernier, Jay R. Ashworth, Heather Stern
</strong></p>
<P><STRONG>
Hey Gang!
You probably haven't noticed, but I've been a bit quiet the past few days. It's
certainly not by choice, however. I was recently switched over from @Home to
the lovely Comcast network. After a few birthing pains, everything seemed to be
going well. However, I've sent out a few emails, including to the Gang, and
I've not seen them show up.
</STRONG></P>
<P><STRONG>
Looking into <TT>/var/log/maillog</TT>, I see, as an example, the following:
</STRONG></P>

<pre><strong>Mar 7 22:52:25 uranus postfix/smtp[12586]: 0A9F2FE16:
to=&lt;linux-questions-only@ssc.com&gt;, relay=none, delay=28121, status=deferred
(Name service error for ssc.com (Host not found, try again) while looking up
the MX record.)
</strong></pre>
<P><STRONG>
and I see this for every email I've tried to send for the last few days.
</STRONG></P>
<P><STRONG>
So I check my ability to do name resolution. I do a `dig ssc.com mx` and I get
the correct response. dig, ping, and nslookup work for every email address I've
sent to in the past few days, but no emails are sent because of "Host not found
while looking up MX record".
</STRONG></P>
<P><STRONG>
Any ideas where to look next?
</STRONG></P>
<P><STRONG>
===== Sincerely, Faber Fedor
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Den]
Maybe postfix has managed to latch in your old nameserver information.
You might try the command:
</blockQuote>
<blockQuote><BLOCKQuote>
postfix reload
</BLOCKQuote></blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Yann]
Quite probable. Postfix also has a tendency to run as much as possible
in a chroot jail; to update the contents of that, you probably have to
run the <TT>/etc/postfix/chroot-setup-LINUX2</TT> script. This had me stumped for
a while after changing <TT>/etc/localtime</TT> but still getting American
timestamps in the mail.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Heather]
Err, the Postfix FAQ has a point here and there of saying "oh, you want to
copy <TT>/etc/resolv.conf</TT> and <TT>/etc/services.switch</TT> down into the jail".
</blockQuote>
<blockQuote>
Which would likely be true whether there is a script to help it do the
right thing or not.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Ben]
My familiarity with Postfix is no more than skin-deep, but if it follows
the Exim way of doing things (i.e., emulating Sendmail options), you might
be able to try some of the following:
</blockQuote>

<blockquote><pre>sendmail -d11 -bt # Address testing mode
sendmail -d11 -bv # Address testing mode, skips "no_verify" routers
</pre></blockquote>
<blockQuote>
A debug level of 11 or above turns on DNS debugging (at least in Exim).
Here's hoping that all this stuff is at least close... you might want to
read the Postfix manpage; if it's not the same options, they should at
least implement similar functionality.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Dan]
Sorry Ben, no direct debugging. Use syslog. Postfix isn't a monolithic
program, but a cluster of cooperating daemons, with no protocol for centralizing
debugging info and having one of them dump to standard out. Rather than
reinvent the wheel, Wietse Venema has Postfix consolidate its log streams
via syslog.
</blockQuote>
<blockQuote>
Put it into verbose mode, then tail -f whatever syslog puts
the various mail.* syslog streams into.
</blockQuote>

<blockquote><pre> postfix -v reload
tail -f whatever_log_file
</pre></blockquote>
<blockQuote>
and in another window
</blockQuote>

<blockquote><pre> postfix flush
</pre></blockquote>
<blockQuote>
to make it retry all pending spool entries and log what it sees happen.
</blockQuote>
<blockQuote>
All nameservers in your <TT>/etc/resolv.conf</TT>, or the nameservers assigned by DHCP
(see logs), are reachable, I presume.
</blockQuote>
<P><STRONG>
<IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
In a manner of speaking, yes. postfix uses
<TT>/var/spool/postfix/etc/resolv.conf</TT> for name resolution. I assume that
has to do with the chroot jail that Yann was referring to (although I
don't have a script in <TT>/etc/postfix</TT> that corrects the problem).
</STRONG></P>
<P><STRONG>
I didn't see the message about <TT>/var/spool/postfix/etc/resolv.conf</TT> not
being the same as <TT>/etc/resolv.conf</TT> since that only shows up when you
start/stop postfix (NOT when you reload, btw).
</STRONG></P>
<P><STRONG>
I think I'll go and find out why <TT>/var/spool/postfix/etc/resolv.conf</TT>
isn't (shouldn't be?) a symlink to <TT>/etc/resolv.conf</TT>.
</STRONG></P>
<P><STRONG>
Either way, all better now!
<IMG SRC="../../gx/dennis/smily.gif" ALT=":-)"
height="24" width="20" align="middle">
</STRONG></P>
<P><STRONG>
-- Regards, Faber
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Ben]
Erm, 'cause it's a chroot jail (best as I can tell from your description).
Assuming that '<TT>/var/spool/postfix</TT>' is your jail's '<TT>/</TT>', "postfix" won't be
able to see anything above that level once it's chrooted.
</blockQuote>
<blockQuote>
My knowledge of chroot jails is limited - I keep promising myself to build
a few of the damn things and experiment, as soon as I have the time (yah,
shuuure...) - but it only makes sense. A link <em>inside</em> the jail to
'<TT>/etc/resolv.conf</TT>' is going to point at the <em>inside</em> version of
'<TT>/etc/resolv.conf</TT>' (a.k.a. "<TT>/var/spool/postfix/etc/resolv.conf</TT>" when seen
from the outside).
</blockQuote>
<P><STRONG>
<IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
By my understanding of setting up ftp chroot jails, you can have
symlinks from inside the jail to the outside. This is A Bad Thing, of
course, because the entire purpose of a chroot jail is to keep the user
in a specific directory.
</STRONG></P>
<P><STRONG>
Now, I understand that symlinking libraries is a security breach, but I
don't see how symlinking a text file is a security breach. Can anyone
explain how an exploit like that would work?
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Jay]
Nope. Unless there's a bug.
</blockQuote>
<blockQuote>
You can have <EM>hard</EM> links, though, but only between files, obviously.
</blockQuote>
<blockQuote>
You can symlink <EM>into</EM> a chroot, but not out of it.
</blockQuote>
<blockQuote>
Or, more properly: you can make a symlink that <EM>looks</EM> like it points
to an external file, but when it's interpreted by a program inside the
chroot environment, it probably won't point anywhere useful.
</blockQuote>
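<P>
The point Ben and Jay make above, as an added example that is not part of this thread: a small POSIX sh check that reports whether the copy a chrooted Postfix daemon actually reads has drifted from the host's file, and what a symlink placed inside the jail really resolves to. It assumes the jail root is <TT>/var/spool/postfix</TT> (Postfix's queue directory, as Ben assumes); the demo at the bottom runs against a constructed host/jail tree, not the real system.
</P>

```shell
#!/bin/sh
# Added example (not from the thread): does the file a chrooted Postfix daemon
# reads still match the host's copy?  Daemons that master.cf marks as chrooted
# run under the queue directory, assumed here to be /var/spool/postfix, so they
# read /var/spool/postfix/etc/resolv.conf and never see /etc/resolv.conf.
#
# check_jail_copy HOST_ROOT JAIL_ROOT REL_PATH
#   prints one status line and returns 0 (in sync), 1 (missing or stale),
#   2 (symlink: resolved relative to the jail root, so it cannot reach the host copy).
# On a real system: check_jail_copy / /var/spool/postfix etc/resolv.conf
check_jail_copy() {
    hroot="${1%/}"            # strip a trailing slash so HOST_ROOT=/ gives /etc/...
    jroot="${2%/}"
    host="$hroot/$3"
    jail="$jroot/$3"
    if [ -L "$jail" ]; then
        target=$(readlink "$jail")
        case "$target" in
            /*) note="inside the jail this resolves to $jroot$target" ;;  # absolute: re-rooted at the jail
            *)  note="relative link, resolved within the jail's own tree" ;;
        esac
        echo "SYMLINK $jail -> $target ($note)"
        return 2
    fi
    if [ ! -f "$jail" ]; then
        echo "MISSING $jail (the daemon has no $3 to read)"
        return 1
    fi
    if cmp -s "$host" "$jail"; then
        echo "OK      $jail matches $host"
        return 0
    fi
    echo "STALE   $jail differs from $host (copy it in, then 'postfix reload')"
    return 1
}

# Constructed demo tree: a fake host and jail, so nothing on the real system is touched.
demo=$(mktemp -d)
mkdir -p "$demo/host/etc" "$demo/jail/etc"
printf 'nameserver 192.0.2.53\n' > "$demo/host/etc/resolv.conf"  # new ISP's resolver
printf 'nameserver 192.0.2.1\n'  > "$demo/jail/etc/resolv.conf"  # stale copy from the old ISP
ln -s /etc/resolv.conf "$demo/jail/etc/resolv.link"              # the symlink the thread asks about
for rel in etc/resolv.conf etc/resolv.link etc/services; do
    check_jail_copy "$demo/host" "$demo/jail" "$rel" || :        # a non-zero status is the finding
done
rm -rf "$demo"
```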
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Heather]
If you're wondering why it wasn't just automagically set up as a
hard link, it's not the way of distros' package folk
to assume they have any idea how your hardware is laid out, and hardlinks
only work on the same filesystem (for ext2/3 ... for other filesystems you may
not have the ability at all).
</blockQuote>
<P><STRONG>
<IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Besides, I don't think my postfix is chrooted; there's only one library
in <TT>/etc/var/postfix/lib</TT> and postfix has got to need access to more than
one library to function.
</STRONG></P>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Dan]
Depends on how it was set up. The postfix source has a file called
INSTALL which discusses the pros and cons of chroot in some detail,
and gives procedures to establish it. Default (as of some time back)
was not to chroot.
</blockQuote>
<blockQuote>
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
> [Heather]
Postfix comes in parts, some are jailed and some not; you have to look
at <TT>/etc/postfix/master.cf</TT> (a table describing features Postfix should apply
to its children) to be certain. And even then it's only for sure
if you recently reloaded postfix
<IMG SRC="../../gx/dennis/smily.gif" ALT=":)"
height="24" width="20" align="middle"> It doesn't lurk on the file watching
for it to change.
</blockQuote>

<!-- end 7 -->
<P> <hr> </p>
<!-- *** BEGIN copyright *** -->
<H5 align="center">This page edited and maintained by the Editors
of <I>Linux Gazette</I>
<a href=""
>Copyright ©</a> 2002
<BR>Published in issue 77 of <I>Linux Gazette</I> April 2002</H5>
<H6 ALIGN="center">HTML script maintained by
<A HREF="mailto:star@starshine.org">Heather Stern</a> of
Starshine Technical Services,
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H6>
<!-- *** END copyright *** -->
<!--startcut ======================================================= -->
</BODY></HTML>
<!--endcut ========================================================= -->