Re: postscreen stopped working today for a few hours
Viktor Dukhovni:
> postconf -Mf
> smtp inet n - - - 1 postscreen
>
> Yep, it's chrooted. You need to configure syslog to add a log socket to the jail, or turn off chroot.

FreeBSD:

    # mkdir -p /var/spool/postfix/var/run
    # syslogd -l /var/spool/postfix/var/run/log

Linux, OpenBSD:

    # mkdir -p /var/spool/postfix/dev
    # syslogd -a /var/spool/postfix/dev/log

Wietse
Re: postscreen stopped working today for a few hours
Wietse Venema:
> Viktor Dukhovni:
> > postconf -Mf
> > smtp inet n - - - 1 postscreen
> >
> > Yep, it's chrooted. You need to configure syslog to add a log socket to the jail, or turn off chroot.
>
> FreeBSD:
>
>     # mkdir -p /var/spool/postfix/var/run
>     # syslogd -l /var/spool/postfix/var/run/log
>
> Linux, OpenBSD:
>
>     # mkdir -p /var/spool/postfix/dev
>     # syslogd -a /var/spool/postfix/dev/log

Except that on some systems systemd is taking over every service, like the Borg (Resistance is futile. You will be assimilated.).

Wietse
Re: postscreen stopped working today for a few hours
On 2015.01.15 22.21, Viktor Dukhovni wrote:
> On Thu, Jan 15, 2015 at 09:57:53PM -0500, b...@bitrate.net wrote:
>
> > i happened to notice that on one of our two mxes, no postscreen activity was logged between 06:25:09 and 11:54:42:
> >
> > Jan 15 06:25:09 mta2 postfix/postscreen[22371]: DISCONNECT [103.242.116.92]:37543
> > Jan 15 11:54:42 mta2 postfix/postscreen[25663]: CONNECT from [209.85.213.183]:41380 to [10.3.70.6]:25
>
> Note the change of pid! You probably ran postfix reload right around then.

no postfix reload, there, no. those two log entries are 5+ hours apart. it was just to illustrate the time period.

> > but other postfix activity was *logging* normally, and mail was flowing normally:
> >
> > all of this makes it seem like postscreen wasn't working during that period, and i'm wondering why that might be.
>
> Actually it was working, just wasn't logging!

i thought so too. it seemed the most obvious answer, but i began to change my mind when i saw mail getting accepted which should have been rejected by postscreen_access_list. it also doesn't explain why postfix was logging other process activity successfully during that time.

> I avoid sending SIGHUP to the log daemon, and use syslog-ng with date based output files which are expired by scripts other than logrotate, that way I don't lose any log messages.

thanks for this suggestion, we may do that.

> > postconf -Mf
> > smtp inet n - - - 1 postscreen
>
> Yep, it's chrooted. You need to configure syslog to add a log socket to the jail, or turn off chroot.

during this period, postfix activity from all other postfix processes is getting logged successfully, most of which are chrooted, and postscreen is logging fine outside of this one period. i think chroot is not the culprit here.

-ben
Re: postscreen stopped working today for a few hours
btb:
> > postconf -Mf
> > smtp inet n - - - 1 postscreen
> >
> > Yep, it's chrooted. You need to configure syslog to add a log socket to the jail, or turn off chroot.
>
> during this period, postfix activity from all other postfix processes is getting logged successfully, most of which are chrooted, and postscreen is logging fine outside of this one period. i think chroot is not the

You are missing an important detail.

On a busy server postscreen will run forever. It will never reconnect to the new syslog server.

On a busy or idle server, smtpd runs only for a few minutes. The next smtpd process will automatically connect to the new syslog server.

I am 99.99% certain that chroot is the problem here.

Wietse
Re: postscreen stopped working today for a few hours
On 16.01.2015 at 15:33, Wietse Venema wrote:
> Wietse Venema:
> > FreeBSD:
> >
> >     # mkdir -p /var/spool/postfix/var/run
> >     # syslogd -l /var/spool/postfix/var/run/log
> >
> > Linux, OpenBSD:
> >
> >     # mkdir -p /var/spool/postfix/dev
> >     # syslogd -a /var/spool/postfix/dev/log
>
> Except that on some systems systemd is taking over every service, like the Borg (Resistance is futile. You will be assimilated.)

on the other hand you get many more logs on recent systemd distributions; even stdout, which normally does not make it to the syslog, is now caught by journald

with chroot and bind-mounts you can even get important devices by just bind-mounting /dev in the new chroot without leaking the complete /dev tree, and no longer need to consider each and every separate

    PrivateDevices=
        Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda. This is useful to securely turn off physical device access by the executed process. Defaults to false. Enabling this option will also remove CAP_MKNOD from the capability bounding set for the unit (see above), and set DevicePolicy=closed (see systemd.resource-control(5) for details). Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for services which shall be able to install mount points in the main mount namespace.
Re: postscreen stopped working today for a few hours
On 2015.01.16 09.43, wie...@porcupine.org (Wietse Venema) wrote:
> btb:
> > > postconf -Mf
> > > smtp inet n - - - 1 postscreen
> > >
> > > Yep, it's chrooted. You need to configure syslog to add a log socket to the jail, or turn off chroot.
> >
> > during this period, postfix activity from all other postfix processes is getting logged successfully, most of which are chrooted, and postscreen is logging fine outside of this one period. i think chroot is not the
>
> You are missing an important detail.
>
> On a busy server postscreen will run forever. It will never reconnect to the new syslog server.
>
> On a busy or idle server, smtpd runs only for a few minutes. The next smtpd process will automatically connect to the new syslog server.
>
> I am 99.99% certain that chroot is the problem here.

thanks, i'll concede this analysis. i don't have enough forensic evidence to confirm but i now believe that the symptom of mail appearing to get through which shouldn't have was the red herring [sorry viktor!] - that the client in question was added to postscreen_access_list just after this, and it was just a coincidence of timing.

i guess i consider lost logs to be a bug - i'll submit a bug report to ubuntu for this. in your opinion, would this be something the postfix package maintainer should address, or the syslog-ng package maintainer [or is it just the admin's fault]?

-ben
Re: postscreen stopped working today for a few hours
On Fri, Jan 16, 2015 at 10:42:54AM -0500, btb wrote:

> I guess I consider lost logs to be a bug - I'll submit a bug report to ubuntu for this. In your opinion, would this be something the postfix package maintainer should address, or the syslog-ng package maintainer [or is it just the admin's fault]?

If a distribution ships Postfix packages with chroot enabled by default, it must also arrange for syslogd or equivalent to keep a log socket in each Postfix chroot jail (I say each, because with multiple instances each queue directory is a separate jail). They'd have to patch postmulti-script to make the appropriate syslog configuration changes.

At some point the Debian and Ubuntu distributions might finally reconsider their chroot-by-default decision, it hurts a lot more than it helps.

[ Scott K.? LaMont J.? Any plans? ]

-- 
	Viktor.

P.S. Things were much simpler when syslog(3) was UDP to localhost. No log sockets in the file-system. The UDP namespace is unified across chroot jails.
Re: postscreen stopped working today for a few hours
btb:
> i guess i consider lost logs to be a bug - i'll submit a bug report to ubuntu for this. in your opinion, would this be something the postfix package maintainer should address, or the syslog-ng package maintainer [or is it just the admin's fault]?

Postfix, with chroot turned on, requires a syslog socket under /var/spool/postfix (the location that queue_directory is set to).

This requires action by two parties.

1) The syslog server maintainer needs to provide a method that allows other programs to request an additional syslog socket.

2) The Postfix maintainer needs to use the method described in 1).

This is not new; but in 16 years since the public release it has yet to be resolved in a satisfactory manner.

This cannot be built into Postfix, because there is no API to determine the location of the syslog socket or to determine that the syslog server is restarted (the syslog() function does not return a result value).

Wietse
Re: postscreen stopped working today for a few hours
On Thu, Jan 15, 2015 at 09:57:53PM -0500, b...@bitrate.net wrote:

> i happened to notice that on one of our two mxes, no postscreen activity was logged between 06:25:09 and 11:54:42:
>
> Jan 15 06:25:09 mta2 postfix/postscreen[22371]: DISCONNECT [103.242.116.92]:37543
> Jan 15 11:54:42 mta2 postfix/postscreen[25663]: CONNECT from [209.85.213.183]:41380 to [10.3.70.6]:25

Note the change of pid! You probably ran postfix reload right around then.

> but other postfix activity was *logging* normally, and mail was flowing normally:
>
> all of this makes it seem like postscreen wasn't working during that period, and i'm wondering why that might be.

Actually it was working, just wasn't logging!

> daily cron started just before this, which seems suspect:
>
> Jan 15 06:25:01 mta2 CRON[22748]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
>
> l /etc/cron.daily/
> total 52K
> -rwxr-xr-x 1 root root 372 Oct 2 2012 logrotate*

This often SIGHUPs the log daemon which deletes and recreates the log socket. If postscreen is chrooted, and there is no log socket in the jail, it ceases to be able to log.

I avoid sending SIGHUP to the log daemon, and use syslog-ng with date based output files which are expired by scripts other than logrotate, that way I don't lose any log messages.

> postconf -Mf
> smtp inet n - - - 1 postscreen

Yep, it's chrooted. You need to configure syslog to add a log socket to the jail, or turn off chroot.

-- 
	Viktor.
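As an added example, not code from the thread: a small POSIX shell audit that reads a master.cf-style listing, reports which services are chrooted (a `-` in the chroot column takes the default, which is `y` before Postfix 3.0 and `n` from 3.0 on), and checks whether a syslog socket is present in the jail at the Linux/OpenBSD or FreeBSD paths Wietse gave. The master.cf text embedded below is a constructed sample modelled on the entry quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether chrooted Postfix services
# can still reach syslog, i.e. whether a log socket exists inside the jail.
# master.cf columns: service type private unpriv chroot wakeup maxproc command.
# A chroot field of "-" means the default: "y" before Postfix 3.0, "n" since.

# Print "service/type" for every chrooted master.cf entry.
# $1 = master.cf text, $2 = default for the chroot column ("y" or "n").
chrooted_services() {
    printf '%s\n' "$1" | awk -v def="$2" '
        /^[ \t]*#/ { next }          # comment line
        /^[ \t]/   { next }          # continuation line such as "-o name=value"
        NF < 8     { next }          # blank or malformed line
        {
            chroot = ($5 == "-") ? def : $5
            if (chroot == "y") print $1 "/" $2
        }'
}

# Succeed (and print the path) if a syslog socket exists under the queue
# directory $1, at either the Linux/OpenBSD or the FreeBSD location.
syslog_socket_in_jail() {
    for s in "$1/dev/log" "$1/var/run/log"; do
        [ -S "$s" ] && { echo "$s"; return 0; }
    done
    return 1
}

# Return 1 when at least one service is chrooted but no log socket is present:
# a long-running chrooted process such as postscreen would then lose its logging
# as soon as the log daemon recreates its socket (e.g. after a logrotate SIGHUP).
# $1 = master.cf text, $2 = queue_directory, $3 = chroot default ("y"/"n").
audit_chroot_logging() {
    services=$(chrooted_services "$1" "$3")
    [ -z "$services" ] && { echo "no chrooted services"; return 0; }
    echo "chrooted services:"; printf '  %s\n' $services
    if sock=$(syslog_socket_in_jail "$2"); then
        echo "log socket present: $sock"; return 0
    fi
    echo "WARNING: no syslog socket under $2 (add one or set chroot=n)"
    return 1
}

# Constructed sample modelled on the master.cf entries shown in the thread.
SAMPLE_MASTER='# service type private unpriv chroot wakeup maxproc command
smtp      inet  n       -       -       -       1       postscreen
  -o soft_bounce=yes
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       -       -       0       tlsproxy'

audit_chroot_logging "$SAMPLE_MASTER" /var/spool/postfix y || true
```

On a live system replace the sample with `postconf -Mf` output and the queue directory with `postconf -h queue_directory`.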
Postscreen not working
Hi Members,

I set up postscreen on one of my postfix-2.8.4 mail servers. Postscreen is not working and I am getting the following in the log file -

    fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable
    postfix/master[8783]: warning: process /usr/libexec/postfix/postscreen pid 14066 exit status 1
    nav1 postfix/master[8783]: warning: /usr/libexec/postfix/postscreen: bad command startup -- throttling

Please guide how I can resolve this issue; the number of processes configured for postscreen is only 1 in master.conf.

Thanks
Re: Postscreen not working
Hi Vishesh,

Can you share your postconf -n and master.cf file ??

Regards,
Uma Shankar

On Fri, May 11, 2012 at 2:46 PM, vishesh kumar <linuxtovish...@gmail.com> wrote:
> Hi Members,
>
> I set up postscreen on one of my postfix-2.8.4 mail servers. Postscreen is not working and I am getting the following in the log file -
>
>     fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable
>     postfix/master[8783]: warning: process /usr/libexec/postfix/postscreen pid 14066 exit status 1
>     nav1 postfix/master[8783]: warning: /usr/libexec/postfix/postscreen: bad command startup -- throttling
>
> Please guide how I can resolve this issue; the number of processes configured for postscreen is only 1 in master.conf.
>
> Thanks
Re: Postscreen not working
Hi Shankar,

My master.cf is as follows -

    smtp      inet  n       -       n       -       1       postscreen
        soft_bounce=yes
    smtpd     pass  -       -       n       -       -       smtpd
    dnsblog   unix  -       -       n       -       0       dnsblog
    tlsproxy  unix  -       -       n       -       0       tlsproxy

and the postfix conf file is -

    postscreen_cache_cleanup_interval = 12h
    postscreen_cache_map = btree:/var/lib/postfix/postscreen_cache
    postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*2 b.barracudacentral.org*1
    postscreen_dnsbl_threshold = 2
    postscreen_greet_action = enforce
    proxy_write_maps =
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.8.4/README_FILES
    sample_directory = /usr/share/doc/postfix-2.8.4/samples
    sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_send_xforward_command = yes
    smtp_tls_security_level = may
    smtp_use_tls = no
    smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
    smtpd_client_restrictions = permit_mynetworks, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client nomail.rhsbl.sorbs.net
    smtpd_milters = inet:localhost:12768
    smtpd_proxy_timeout = 3600s
    smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
    smtpd_timeout = 3600s
    smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_security_level = may
    smtpd_use_tls = yes
    transport_maps = hash:/var/spool/postfix/plesk/transport
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
    virtual_gid_maps = static:31
    virtual_mailbox_base = /var/qmail/mailnames
    virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
    virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
    virtual_transport = plesk_virtual
    virtual_uid_maps = static:110

---

Thanks

On Fri, May 11, 2012 at 3:00 PM, Uma Shankar <rajarya...@gmail.com> wrote:
> Hi Vishesh,
>
> Can you share your postconf -n and master.cf file ??
>
> Regards,
> Uma Shankar
>
> On Fri, May 11, 2012 at 2:46 PM, vishesh kumar <linuxtovish...@gmail.com> wrote:
> > Hi Members,
> >
> > I set up postscreen on one of my postfix-2.8.4 mail servers. Postscreen is not working and I am getting the following in the log file -
> >
> >     fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable
> >     postfix/master[8783]: warning: process /usr/libexec/postfix/postscreen pid 14066 exit status 1
> >     nav1 postfix/master[8783]: warning: /usr/libexec/postfix/postscreen: bad command startup -- throttling
> >
> > Please guide how I can resolve this issue; the number of processes configured for postscreen is only 1 in master.conf.
> >
> > Thanks

-- 
http://linuxmantra.com
Re: Postscreen not working
vishesh kumar:
> fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable

You can't share one /var/lib/postfix/postscreen_cache.db file with more than one postscreen process. How many main.cf/master.cf files are there on your system?

Instead of /var/lib/postfix, use $data_directory to avoid file sharing conflicts.

Wietse
Re: Postscreen not working
Hi Wietse,

I have only one main.cf and one master.cf. Also, if I can't share /var/lib/postfix/postscreen_cache then what options do I have?

Thanks
Vishesh Kumar

On Fri, May 11, 2012 at 4:31 PM, Wietse Venema <wie...@porcupine.org> wrote:
> vishesh kumar:
> > fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable
>
> You can't share one /var/lib/postfix/postscreen_cache.db file with more than one postscreen process. How many main.cf/master.cf files are there on your system?
>
> Instead of /var/lib/postfix, use $data_directory to avoid file sharing conflicts.
>
> Wietse

-- 
http://linuxmantra.com
Re: Postscreen not working
vishesh kumar:
> fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable

Wietse:
> You can't share one /var/lib/postfix/postscreen_cache.db file with more than one postscreen process. How many main.cf/master.cf files are there on your system?
>
> Instead of /var/lib/postfix, use $data_directory to avoid file sharing conflicts.

vishesh kumar:
> I have only one main.cf and one master.cf. Also, if I can't share /var/lib/postfix/postscreen_cache then what options do I have?

You can share it via the memcache protocol.

http://www.postfix.org/POSTSCREEN_README.html
http://www.postfix.org/DATABASE_README.html
http://www.postfix.org/memcache_table.html

Wietse