Postfix MX resolving issue on a chrooted setup

Jean-Philippe Méthot
Hi,

I’ve been trying to set up postfix 3.4.6 (ghettoforge.org package) with dovecot, mailscanner and the mailwatch frontend on a centos 7 (cloudlinux 7.6) server.
Everything appears to work properly except that, when I set up smtp and lmtp as chrooted and try to send mail, a curious name resolution error happens. The exact error is as follows:

 unable to look up host mx.planethoster.net: Device or resource busy

This is particularly strange considering that to identify the MX of my domain, it was able to read its zone. Furthermore, if I su to the postfix user by giving it a login shell, I am able to dig the MX in question.
So, I can resolve the MX when logged in as the user, but postfix can’t for unknown reasons. Also, the chroot script was run and resolv.conf was properly copied in /var/spool/postfix/etc and has the proper permissions.
I suspect that some kind of limitation is put on postfix processes in the chroot jail, but I don’t know where to look and what to look at. Anyone ever experienced something similar?

Best regards,

Jean-Philippe Méthot
Openstack system administrator
Administrateur système Openstack
PlanetHoster inc.





Re: Postfix MX resolving issue on a chrooted setup

Wesley Peng
Maybe UDP is filtered in chroot environment.  Can you try to capture the network flow?


Re: Postfix MX resolving issue on a chrooted setup

Viktor Dukhovni


> On Aug 31, 2019, at 5:01 AM, Wesley Peng <[hidden email]> wrote:
>
> Maybe UDP is filtered in chroot environment.

No.  Chroot only affects filesystem (and unix-domain socket) access.

--
        Viktor.


Re: Postfix MX resolving issue on a chrooted setup

Jean-Philippe Méthot
Indeed. I suspect cloudlinux does something at the filesystem access level that regular centos 7 doesn’t do which gives me this issue. 
I would contact the Cloudlinux support but first, I just want to make sure, the current stable version of Postfix does work chrooted in current centos 7, right?


Jean-Philippe Méthot
Openstack system administrator
Administrateur système Openstack
PlanetHoster inc.





Re: Postfix MX resolving issue on a chrooted setup

Viktor Dukhovni


> On Sep 2, 2019, at 10:16 AM, Jean-Philippe Méthot <[hidden email]> wrote:
>
> Indeed. I suspect cloudlinux does something at the filesystem access level that regular centos 7 doesn’t do which gives me this issue.
> I would contact the Cloudlinux support but first, I just want to make sure, the current stable version of Postfix does work chrooted in current centos 7, right?

Postfix supports entering a chroot jail.  Ensuring that the various
system libraries that Postfix depends on still work in that jail is
not the responsibility of Postfix.  So the question is perhaps ill-posed.

Postfix smtp(8) and other services work in a sufficiently well
constructed chroot jail.  Perhaps your question is whether
Centos 7 comes pre-configured with such a jail?  That's a Centos 7
question more than a Postfix question, and would be largely independent
of the Postfix release.

--
        Viktor.


Re: Postfix MX resolving issue on a chrooted setup

Peter Ajamian
On 3/09/19 4:18 AM, Viktor Dukhovni wrote:

>> I just want to make sure, the current stable version of Postfix does work chrooted in current centos 7, right?
>
> Postfix supports entering a chroot jail.  Ensuring that the various
> system libraries that Postfix depends on still work in that jail is
> not the responsibility of Postfix.  So the question is perhaps ill-posed.
>
> Postfix smtp(8) and other services work in a sufficiently well
> constructed chroot jail.  Perhaps your question is whether
> Centos 7 comes pre-configured with such a jail?  That's a Centos 7
> question more than a Postfix question, and would be largely independent
> of the Postfix release.

Neither the postfix that comes with CentOS nor the Ghettoforge packages
support chroot.  That does not mean that it won't work, but the onus is
on you to set it up and configure the jail.  For this particular issue I
would probably venture to say that you didn't copy resolv.conf to the chroot
jail properly.  It might also be selinux getting in the way.

Personally I don't recommend running postfix as chroot since it (imo)
creates more problems than it solves, but if you want to you can.  I
would recommend writing a script that sets up (and another that tears
down) the jail and calling it from ExecStartPre and ExecStartPost
systemd service files.  How to do that is a bit beyond the scope of this
mailing list, but you should be able to get help from systemd channels
elsewhere.  A bit more specifically you can add in a directory and file
and import it into systemd so it takes precedence over but does not
overwrite the postfix service file that comes packaged with postfix.

Let me know if you need any more help.


Regards,


Peter Ajamian

Re: Postfix MX resolving issue on a chrooted setup

Jean-Philippe Méthot
Ah, I must apologize, I didn’t phrase my question very well. I already ran the default example script that moves things like resolv.conf to be accessible from the chroot jail.
What I meant to ask was more along the lines of “In a properly configured root jail, are there any known issues when using postfix with CentOS 7?”. From your answers though, I am guessing this is not the case.

All the components needed for postfix to send from the chroot jail are there, at least according to online documentation as well as the script’s code. Hence why I believe the issue lies elsewhere.
The error message itself hints at something more like a limit set on the user than a missing component. Let me paste it here again:

unable to look up host mx.planethoster.net: Device or resource busy

The implication of this error is that the domain planethoster.info is resolved, but postfix is prevented from resolving the MX due to a limitation of some kind (a “device” being “busy”). As a result, it’s not a complete failure in name resolution (in fact, my own tests suggest that A record resolution does work from the jail) but the process gets interrupted midway. There is also no other way that it could resolve the domain locally, as the server is utterly unaware of the planethoster.info domain.

I realize though that I am out of the scope of this mailing list and I will look into this at the OS level. I just felt I needed to clarify the issue.

Jean-Philippe Méthot
Openstack system administrator
Administrateur système Openstack
PlanetHoster inc.





Re: Postfix MX resolving issue on a chrooted setup

Viktor Dukhovni
On Tue, Sep 03, 2019 at 09:40:36AM -0400, Jean-Philippe Méthot wrote:

> The error message itself hints at something more like a limit set on the
> user than a missing component. Let me paste it here again:
>
>   unable to look up host mx.planethoster.net: Device or resource busy
>
> The implication of this error is that the domain planethoster.info is
> resolved, but postfix is prevented from resolving the MX due to a limitation
> of some kind.

You're reading too much into rather approximate "errno" strings.
On my FreeBSD system:

    $ perl -le 'use Errno qw(:POSIX); $! = EBUSY; printf "%d: $!\n", $!;'
    16: Device busy

The only place Postfix reports "unable to look up host" is in:

    if (smtp_host_lookup_mask & SMTP_HOST_FLAG_NATIVE) {
        if ((aierr = hostname_to_sockaddr(host, (char *) 0, 0, &res0)) != 0) {
            dsb_simple(why, (SMTP_HAS_SOFT_DSN(why) || RETRY_AI_ERROR(aierr)) ?
                       (DSN_NOHOST(aierr) ? "4.4.4" : "4.3.0") :
                       (DSN_NOHOST(aierr) ? "5.4.4" : "5.3.0"),
                       "unable to look up host %s: %s",
                       host, MAI_STRERROR(aierr));
        } else {
            ...
        }
        ...
    }

This is a "native" lookup, via getaddrinfo(3), not (explicit) DNS.
The Postfix smtp(8) delivery agent normally does DNS lookups.  Do
you have "smtp_host_lookup = dns, native"?  Why???

With "native" lookups you need not only /etc/resolv.conf, but also
an "nsswitch.conf" and perhaps various "nss modules" in the chroot
jail, that are dynamically loaded.

You can find out why native resolution fails in the chroot jail,
by compiling and installing the "getaddrinfo" program, included in
"auxiliary/name-addr-test/getaddrinfo.c" with the Postfix source
code, into the chroot jail.  Then run

    # chroot /var/spool/postfix /some/where/getaddrinfo mx.planethoster.net

and report your findings.  For extra insight (assuming it fails):

    # strace chroot /var/spool/postfix /some/where/getaddrinfo mx.planethoster.net

--
        Viktor.
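
The requirement described in the last message (resolv.conf plus an nsswitch.conf and the NSS modules it names, all inside the jail) can be checked before reaching for strace. The following is an added example, not part of the thread or of Postfix: a POSIX shell audit whose function names are hypothetical, and which assumes glibc module naming (`libnss_<service>.so.2`) and the library directories listed in the script.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): audit a chroot jail
# for what glibc getaddrinfo(3) needs when smtp(8) uses "native" lookups.
# Assumptions: glibc module naming and the library directories listed below.

# Print the NSS services on the "hosts:" line, one per line, dropping
# comments and action items such as [NOTFOUND=return].
nss_hosts_services() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1 |
        sed -e 's/#.*//' -e 's/\[[^]]*]//g' |
        tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print one "missing:" line per absent item; return 0 only if none.
audit_jail() {
    jail=$1
    missing=0
    for f in etc/resolv.conf etc/nsswitch.conf; do
        if [ ! -r "$jail/$f" ]; then
            echo "missing: /$f"
            missing=1
        fi
    done
    if [ ! -r "$jail/etc/nsswitch.conf" ]; then
        return 1
    fi
    for svc in $(nss_hosts_services "$jail/etc/nsswitch.conf"); do
        found=0
        for dir in lib lib64 usr/lib usr/lib64; do
            if [ -e "$jail/$dir/libnss_$svc.so.2" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: libnss_$svc.so.2 (hosts: $svc)"
            missing=1
        fi
    done
    return "$missing"
}

# Stand-alone use: sh jail-audit.sh /var/spool/postfix
if [ -n "${1:-}" ]; then
    audit_jail "$1"
fi
```

A clean result only shows that the named files exist in the jail; the modules' own shared-library dependencies still need the getaddrinfo test run under chroot as described above.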