postfix not resolving mDNS lookups (make it work in a LAN-without-internet)


postfix-user-2019-8-26
Hi!


Introduction
=======


A few days ago I thought it would be a great idea to send emails to others
in the same LAN (each participant having their own postfix server) and
without reaching the Internet. Applications of this are: a dynamic during a
conference, a workshop, emergency situation (where Internet or
centralized server in the LAN is not working), etc.

In my first attempt I thought mDNS [1] is very fine for this, to make it
work in debian you have to install avahi-daemon [2]. After that, your
hostname is appended with .local domain.

Mail clients thunderbird [3] and claws mail [4] allow using the
/var/mail/user localhost mailbox. The emails are managed very fine but
there is a problem trying to send email using postfix as a localhost
SMTP server to an mDNS host.


Showing the config files and testing
======================


When you install avahi-daemon, hosts line in /etc/nsswitch.conf looks like

    hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname

so it first tries to do "nsswitch resolution" with mDNS before
contacting dns thing

you can check it with command getent (getent - get entries from Name
Service Switch libraries), and I think this is equivalent to calling
getaddrinfo:

    $ getent hosts host1.local
    192.168.1.124  host1.local

from a default debian 10 stable postfix server version 3.4.5, in file
/etc/postfix/main.cf I added: (1) ability to run IPs (that works fine,
but is not as interesting as mDNS!) and (2) ability to query nsswitch.conf:

    # allow raw IPs -> src https://serverfault.com/questions/373350/postfix-allow-sending-to-raw-ip-address
    resolve_numeric_domain = yes

    # http://www.postfix.org/postconf.5.html#smtp_host_lookup
    smtp_host_lookup = dns, native

The official postfix documentation for "smtp_host_lookup" says "native -
Use the native naming service only (nsswitch.conf, or equivalent
mechanism)". I thought that it included mDNS but I am pretty sure it is not
working (and I think it is very easy to replicate)

    <[hidden email]>: unable to look up host host1.local: Name or service not known

for testing purposes, if I added an entry in /etc/hosts like:

    192.168.1.24    host1.local

and I restart the postfix server, then it works (interesting: if I remove the
/etc/hosts entry it still works until I restart the postfix server again; it looks
like the postfix server only checks /etc/hosts at init time, not dynamically).

But /etc/hosts is not so interesting in this scenario because it is so
static, and for the use case I said in the beginning, very boring.

I think the error I'm getting is coming from the file src/smtp/smtp_addr.c
(source code of postfix 3.4.5) [5]. Postfix is using getaddrinfo, and it
should be resolving mDNS lookups, but it is not doing it and I don't
understand why.

I hope we can have this feature and that it does not harm other things


Thanks for your time!
Pedro


[1] https://en.wikipedia.org/wiki/Multicast_DNS
[2] https://wiki.debian.org/ZeroConf
[3] https://www.thunderbird.net/
[4] https://www.claws-mail.org/
[5]

    /*
     * Use the native name service which also looks in /etc/hosts.
     *
     * XXX A soft error dominates past and future hard errors. Therefore we
     * should not clobber a soft error text and status code.
     */
#define RETRY_AI_ERROR(e) \
        ((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM)
#ifdef EAI_NODATA
#define DSN_NOHOST(e) \
    ((e) == EAI_AGAIN || (e) == EAI_NODATA || (e) == EAI_NONAME)
#else
#define DSN_NOHOST(e) \
    ((e) == EAI_AGAIN || (e) == EAI_NONAME)
#endif

    if (smtp_host_lookup_mask & SMTP_HOST_FLAG_NATIVE) {
        if ((aierr = hostname_to_sockaddr(host, (char *) 0, 0, &res0)) != 0) {
            dsb_simple(why, (SMTP_HAS_SOFT_DSN(why) || RETRY_AI_ERROR(aierr)) ?
                       (DSN_NOHOST(aierr) ? "4.4.4" : "4.3.0") :
                       (DSN_NOHOST(aierr) ? "5.4.4" : "5.3.0"),
                       "unable to look up host %s: %s",
                       host, MAI_STRERROR(aierr));





Re: postfix not resolving mDNS lookups (make it work in a LAN-without-internet)

Viktor Dukhovni
> On Aug 26, 2019, at 7:33 AM, [hidden email] wrote:
>
> When you install avahi-daemon, hosts line in /etc/nsswitch.conf looks like
>
>     hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
>
> so it first tries to do "nsswitch resolution" with mDNS before
> contacting dns thing
>
> you can check it with command getent (getent - get entries from Name
> Service Switch libraries), and I think this is equivalent to calling
> getaddrinfo:
>
>     $ getent hosts host1.local
>     192.168.1.124  host1.local
>
> from a default debian 10 stable postfix server version 3.4.5, in file
> /etc/postfix/main.cf I added: (1) ability to run IPs (that works fine,
> but is not as interesting as mDNS!) and (2) ability to query nsswitch.conf:
>
>     # allow raw IPs -> src https://serverfault.com/questions/373350/postfix-allow-sending-to-raw-ip-address
>     resolve_numeric_domain = yes
>
>     # http://www.postfix.org/postconf.5.html#smtp_host_lookup
>     smtp_host_lookup = dns, native

Is smtp(8) using "chroot" in your master.cf file?  If so, the relevant
nsswitch.conf is likely the one in the chroot jail, and the jail would
also need to contain the relevant nss plugin modules.  Simpler may be
to disable chroot.

--
        Viktor.

Re: postfix not resolving mDNS lookups (make it work in a LAN-without-internet)

postfix-user-2019-8-26


On 8/26/19 3:57 PM, Viktor Dukhovni wrote:
> Is smtp(8) using "chroot" in your master.cf file?  If so, the relevant
> nsswitch.conf is likely the one in the chroot jail, and the jail would
> also need to contain the relevant nss plugin modules.  Simpler may be
> to disable chroot.

That's it!!

I applied this patch (that disables chroot) and then it works [1]. Thank
you, Viktor!

Out of curiosity, I do not understand why the chroot of postfix is not
resolving through the nsswitch.conf that it includes and that is identical to
the one in /etc:

    cmp /var/spool/postfix/etc/nsswitch.conf  /etc/nsswitch.conf

(returns no output because it is equal and I see the same content)

The "relevant nss plugin modules" look like they are there too:

    $ find /var/spool/postfix/lib | grep mdns
    /var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns6_minimal.so.2
    /var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns4.so.2
    /var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns_minimal.so.2
    /var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns6.so.2
    /var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
    /var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns.so.2

Cheers,
Pedro

[1] (I think it is an untouched master for debian10, yes! it is in two places!)

# diff -u /etc/postfix/master.cf.orig /etc/postfix/master.cf
--- master.cf.orig    2019-08-26 16:49:09.231356916 +0200
+++ master.cf    2019-08-26 16:49:37.100024149 +0200
@@ -9,7 +9,7 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 #
==========================================================================
-smtp      inet  n       -       y       -       -       smtpd
+smtp      inet  n       -       n       -       -       smtpd
 #smtp      inet  n       -       y       -       1       postscreen
 #smtpd     pass  -       -       y       -       -       smtpd
 #dnsblog   unix  -       -       y       -       0       dnsblog
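Review bot: the changed line `smtp inet n - y - - smtpd` runs the smtpd listener, not the smtp client that looks up the destination host, so setting its chroot field to `n` is not needed for the mDNS lookup and takes the jail away from the network-facing service. Suggest dropping this hunk and leaving `y` on the inet entry.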
@@ -51,7 +51,7 @@
 flush     unix  n       -       y       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
-smtp      unix  -       -       y       -       -       smtp
+smtp      unix  -       -       n       -       -       smtp
 relay     unix  -       -       y       -       -       smtp
         -o syslog_name=postfix/$service_name
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
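Review bot: the `relay unix - - y - - smtp` entry directly below the changed line still has `y` in the chroot column and runs the same `smtp` command, so mail handed to the relay transport would keep doing its native lookups inside the jail. Either change that entry as well or add a comment stating that only the `smtp` transport is expected to deliver to .local hosts.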


Re: postfix not resolving mDNS lookups (make it work in a LAN-without-internet)

postfix-user-2019-8-26
On 8/26/19 5:18 PM, postfix-user-2019-8-26 wrote:

> That's it!!
>
> I applied this patch (that disables chroot) and then it works [1]. Thank
> you, Viktor!
>
> (...)
>
> [1] (I think it is an untouched master for debian10, yes! it is in two places!)
>
> # diff -u /etc/postfix/master.cf.orig /etc/postfix/master.cf
> --- master.cf.orig    2019-08-26 16:49:09.231356916 +0200
> +++ master.cf    2019-08-26 16:49:37.100024149 +0200
> @@ -9,7 +9,7 @@
>  # service type  private unpriv  chroot  wakeup  maxproc command + args
>  #               (yes)   (yes)   (no)    (never) (100)
>  #
> ==========================================================================
> -smtp      inet  n       -       y       -       -       smtpd
> +smtp      inet  n       -       n       -       -       smtpd
>  #smtp      inet  n       -       y       -       1       postscreen
>  #smtpd     pass  -       -       y       -       -       smtpd
>  #dnsblog   unix  -       -       y       -       0       dnsblog
> @@ -51,7 +51,7 @@
>  flush     unix  n       -       y       1000?   0       flush
>  proxymap  unix  -       -       n       -       -       proxymap
>  proxywrite unix -       -       n       -       1       proxymap
> -smtp      unix  -       -       y       -       -       smtp
> +smtp      unix  -       -       n       -       -       smtp
>  relay     unix  -       -       y       -       -       smtp
>          -o syslog_name=postfix/$service_name
>  #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
>
Reviewing my config patch: to make it work, it is only necessary to disable
chroot for the smtp client part:

# diff -u /etc/postfix/master.cf.orig /etc/postfix/master.cf
--- master.cf.orig    2019-08-26 16:49:09.231356916 +0200
+++ master.cf    2019-08-26 17:45:10.926390350 +0200
@@ -51,7 +51,7 @@
 flush     unix  n       -       y       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
-smtp      unix  -       -       y       -       -       smtp
+smtp      unix  -       -       n       -       -       smtp
 relay     unix  -       -       y       -       -       smtp
         -o syslog_name=postfix/$service_name
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
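Review bot: missing documentation on the changed `smtp unix` line: nothing in master.cf records why this entry now has `n` while the `flush` and `relay` entries around it keep `y`, so a later cleanup or package upgrade could silently restore the old value. Suggest a comment line above it, for example `# chroot off: native (nsswitch/mDNS) lookups fail inside the jail`.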


Re: postfix not resolving mDNS lookups (make it work in a LAN-without-internet)

Viktor Dukhovni
In reply to this post by postfix-user-2019-8-26
> On Aug 26, 2019, at 11:18 AM, postfix-user-2019-8-26 <[hidden email]> wrote:
>
> I applied this patch (that disables chroot) and then it works [1]. Thank
> you, Viktor!
>
> With curiosity, I do not understand why the chroot of postfix is not
> resolving through the nsswitch

I'm afraid I can't help you debug what's required to get mDNS working
in a Debian chroot jail.  The simplest solution is to not chroot the
smtp(8) delivery agent.  You might find some help on an appropriate
Debian forum.

Perhaps /var/run/avahi-daemon or similar needs to be bind mounted in
the chroot jail, but that's just wild speculation:

        https://stackoverflow.com/questions/27905063/use-avahi-in-schroot-chroot-environment

--
        Viktor.
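
An added example, not part of the thread and not Postfix code: a small Python check that lists master.cf entries running the smtp(8) client with chroot set to `y`, the condition the replies above identify. The sample master.cf text is constructed from the lines in the thread's diffs, and the function names are hypothetical.

```python
# Added example: audit master.cf for chrooted smtp(8) client entries.
# SAMPLE_MASTER_CF is constructed from the lines shown in the thread's diffs.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
smtp      inet  n       -       y       -       -       smtpd
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
"""

CLIENT_COMMANDS = {"smtp"}  # assumption: only the smtp(8) client is audited


def parse_master_cf(text):
    """Return one dict per service entry, joining continuation lines."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + stripped  # leading whitespace continues an entry
        else:
            logical.append(stripped)
    entries = []
    for line in logical:
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # not a complete service entry
        parts = fields[7].split(None, 1)
        entries.append({"service": fields[0], "type": fields[1],
                        "chroot": fields[4], "command": parts[0],
                        "args": parts[1] if len(parts) > 1 else ""})
    return entries


def chrooted_clients(text):
    """List (service, type) entries that run the smtp client with chroot 'y'.

    A '-' in the chroot column means the default, which the header comment
    on the page gives as (no), so only an explicit 'y' is reported.
    """
    return [(e["service"], e["type"]) for e in parse_master_cf(text)
            if e["command"] in CLIENT_COMMANDS and e["chroot"] == "y"]


if __name__ == "__main__":
    for service, kind in chrooted_clients(SAMPLE_MASTER_CF):
        print(f"{service}/{kind}: smtp client is chrooted; native lookups "
              "use the jail's nsswitch.conf and NSS modules")
```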