Re: Problems with smtpd + chroot + smtpd_client_restrictions

2012-05-09 Thread Ralf Hildebrandt
* JDL j...@imaginenet.net:
> p@rick,
>
> If you are referring to resolv.conf and associated files, then yes.  All the
> files in /var/spool/postfix/etc match those in /etc and the data in those
> files is correct.

And the libs?


-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Problems with smtpd + chroot + smtpd_client_restrictions

2012-05-08 Thread Wietse Venema
JDL:
> I have been working through a problem for the last couple of hours.
>
> If I have the following set in main.cf
>
>   smtpd_client_restrictions = reject_unknown_client_hostname
>
> and the smtpd is chroot'ed in master.cf
>
>   smtpd   pass   -   -   y   -   -   smtpd
>
> then every message gets rejected due to unknown hostname, despite
> the forward and reverse DNS records being correct.

Some distributions turn on the Postfix chroot feature. I think this
is a mistake, because most people don't know how to make chroot work.
Just turn it off. chroot is for sites with unusual requirements.

Wietse


Re: Problems with smtpd + chroot + smtpd_client_restrictions

2012-05-08 Thread JDL
Wietse,

I have been running Postfix for over 10 years now.  I am pretty familiar with 
the general Postfix configurations and with chroot.  I also keep all of the 
files in /var/spool/postfix up to date.  I am fine with leaving it off.  I just 
normally have it on for some additional security.

I have 3 other servers that seem to work just fine with smtpd chroot'ed.  
However, none of those 3 have any smtpd_client_restrictions.  This server is 
the only one that has that configuration and the only one experiencing any 
problems.  If it was a bug, I just wanted to make sure it was reported.

Jim


On May 8, 2012, at 4:19 PM, Wietse Venema wrote:

> JDL:
> > I have been working through a problem for the last couple of hours.
> >
> > If I have the following set in main.cf
> >
> >   smtpd_client_restrictions = reject_unknown_client_hostname
> >
> > and the smtpd is chroot'ed in master.cf
> >
> >   smtpd   pass   -   -   y   -   -   smtpd
> >
> > then every message gets rejected due to unknown hostname, despite
> > the forward and reverse DNS records being correct.
>
> Some distributions turn on the Postfix chroot feature. I think this
> is a mistake, because most people don't know how to make chroot work.
> Just turn it off. chroot is for sites with unusual requirements.
>
>    Wietse



Re: Problems with smtpd + chroot + smtpd_client_restrictions

2012-05-08 Thread Patrick Ben Koetter
* JDL j...@imaginenet.net:
> On May 8, 2012, at 4:19 PM, Wietse Venema wrote:
>
> > JDL:
> > > I have been working through a problem for the last couple of hours.
> > >
> > > If I have the following set in main.cf
> > >
> > >   smtpd_client_restrictions = reject_unknown_client_hostname
> > >
> > > and the smtpd is chroot'ed in master.cf
> > >
> > >   smtpd   pass   -   -   y   -   -   smtpd
> > >
> > > then every message gets rejected due to unknown hostname, despite
> > > the forward and reverse DNS records being correct.

Is your chroot DNS correct?

p@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/


Re: Problems with smtpd + chroot + smtpd_client_restrictions

2012-05-08 Thread JDL
p@rick,

If you are referring to resolv.conf and associated files, then yes.  All the 
files in /var/spool/postfix/etc match those in /etc and the data in those 
files is correct.

Jim


On May 8, 2012, at 4:55 PM, Patrick Ben Koetter wrote:

> * JDL j...@imaginenet.net:
> > On May 8, 2012, at 4:19 PM, Wietse Venema wrote:
> >
> > > JDL:
> > > > I have been working through a problem for the last couple of hours.
> > > >
> > > > If I have the following set in main.cf
> > > >
> > > >   smtpd_client_restrictions = reject_unknown_client_hostname
> > > >
> > > > and the smtpd is chroot'ed in master.cf
> > > >
> > > >   smtpd   pass   -   -   y   -   -   smtpd
> > > >
> > > > then every message gets rejected due to unknown hostname, despite
> > > > the forward and reverse DNS records being correct.
>
> Is your chroot DNS correct?
>
> p@rick
>
> --
> All technical questions asked privately will be automatically answered on the
> list and archived for public access unless privacy is explicitly required and
> justified.
>
> saslfinger (debugging SMTP AUTH):
> http://postfix.state-of-mind.de/patrick.koetter/saslfinger/



Re: Problems with smtpd + chroot + smtpd_client_restrictions

2012-05-08 Thread Wietse Venema
JDL:
> Wietse,
>
> I have been running Postfix for over 10 years now.  I am pretty
> familiar with the general Postfix configurations and with chroot.
> I also keep all of the files in /var/spool/postfix up to date.  I
> am fine with leaving it off.  I just normally have it on for some
> additional security.
>
> I have 3 other servers that seem to work just fine with smtpd
> chroot'ed.  However, none of those 3 have any smtpd_client_restrictions.
> This server is the only one that has that configuration and the
> only one experiencing any problems.  If it was a bug, I just wanted
> to make sure it was reported.

DEBUG_README.html has suggestions to watch a daemon with strace.
Do this once with chroot, and once without.

Next, look for differences between the traces. Normally, lots of
syscalls fail. You use the without chroot record to eliminate the
uninteresting failures from the without strace record, and find
the first anomaly.

Have fun.

Wietse
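
The trace comparison described above, as an added example that is not part of the original message: it lists the file lookups that fail in the chrooted trace but not in the unchrooted one. The function names, log contents and library path are constructed; real traces come from running strace as DEBUG_README describes.

```shell
#!/bin/sh
# Added example (not from the thread): failed file lookups that appear only
# in the chrooted strace record. Sample logs below are constructed.

# failed_paths LOG: print "path errno" for each failed open/openat/stat/access.
failed_paths() {
    LC_ALL=C sed -n -E \
      's/^([0-9]+ +)?(open|openat|stat|access)\((AT_FDCWD, )?"([^"]+)".* = -1 (E[A-Z]+).*/\4 \5/p' \
      "$1" | LC_ALL=C sort -u
}

# chroot_only_failures CHROOT_LOG PLAIN_LOG: drop the failures that also occur
# without chroot (the uninteresting ones) and print what is left.
chroot_only_failures() {
    _c=$(mktemp) && _p=$(mktemp) || return 1
    failed_paths "$1" > "$_c"
    failed_paths "$2" > "$_p"
    LC_ALL=C comm -23 "$_c" "$_p"
    rm -f "$_c" "$_p"
}

# Constructed sample: one lookup fails in both runs, one only under chroot.
demo() {
    _d=$(mktemp -d) || return 1
    cat > "$_d/chroot.log" <<'EOF'
open("/etc/ld.so.nohwcap", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 12
open("/lib64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
EOF
    cat > "$_d/plain.log" <<'EOF'
open("/etc/ld.so.nohwcap", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 12
open("/lib64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 12
EOF
    chroot_only_failures "$_d/chroot.log" "$_d/plain.log"
    rm -rf "$_d"
}

demo
```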


Re: Problems with smtpd + chroot + smtpd_client_restrictions

2012-05-08 Thread Wietse Venema
Wietse Venema:
> JDL:
> > Wietse,
> >
> > I have been running Postfix for over 10 years now.  I am pretty
> > familiar with the general Postfix configurations and with chroot.
> > I also keep all of the files in /var/spool/postfix up to date.  I
> > am fine with leaving it off.  I just normally have it on for some
> > additional security.
> >
> > I have 3 other servers that seem to work just fine with smtpd
> > chroot'ed.  However, none of those 3 have any smtpd_client_restrictions.
> > This server is the only one that has that configuration and the
> > only one experiencing any problems.  If it was a bug, I just wanted
> > to make sure it was reported.
>
> DEBUG_README.html has suggestions to watch a daemon with strace.
> Do this once with chroot, and once without.
>
> Next, look for differences between the traces. Normally, lots of
> syscalls fail. You use the without chroot record to eliminate the
> uninteresting failures from the without strace record, and find

- with chroot

> the first anomaly.
>
> Have fun.
>
>    Wietse
 


Re: Problems with smtpd + chroot + smtpd_client_restrictions

2012-05-08 Thread JDL
I have not yet run strace (as per Wietse's recommendation), but I think I may 
have discovered the problem.  My problem sounds very similar to the one 
documented at the link below.

https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/764096

I ran a quick test and, sure enough, the postfix-chroot.sh script that comes 
with the Postfix package that I am using, seems to assume that all of the 
required libraries are the 32-bit versions.  A quick check with ldd shows that 
this is, in fact, not the case.  As this is the only 64-bit Postfix 
installation that I administer, it makes sense that this would be the only one 
with problems.  I will test this theory soon by manually copying over the 
64-bit libraries into /var/spool/postfix and then test again.  If it does, I 
will make contact with the author of the script.

Thanks,

Jim
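
One way to check a chroot for the library problem described above (an added example, not part of the original post and not the postfix-chroot.sh script): given library paths on stdin, it reports copies that are missing from the chroot, built for a different word size, or out of date. The ROOT prefix argument, the function names and the demo tree are assumptions made so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): compare host libraries with the copies
# inside a chroot. ROOT is a hypothetical prefix for the host tree (use "" on
# a live system); the demo tree below is constructed.

# elf_class FILE: print 32 or 64 from the ELF EI_CLASS byte at offset 4.
elf_class() {
    case $(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' ') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo unknown ;;
    esac
}

# check_chroot_libs ROOT JAIL: read absolute library paths on stdin and report
# copies that are missing from JAIL, built for another word size, or stale.
check_chroot_libs() {
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -e "$2$lib" ]; then
            echo "MISSING $lib"
        elif [ "$(elf_class "$1$lib")" != "$(elf_class "$2$lib")" ]; then
            echo "WRONG-CLASS $lib"
        elif ! cmp -s "$1$lib" "$2$lib"; then
            echo "STALE $lib"
        fi
    done
}

# Constructed demo: a 64-bit host whose chroot lacks one 64-bit library and
# holds a 32-bit copy of another.
demo_libs() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/host/lib64" "$t/host/lib" "$t/jail/lib64" "$t/jail/lib"
    printf '\177ELF\002host' > "$t/host/lib64/libnss_dns.so.2"
    printf '\177ELF\002host' > "$t/host/lib64/libresolv.so.2"
    printf '\177ELF\001old'  > "$t/jail/lib64/libresolv.so.2"
    printf '\177ELF\002host' > "$t/host/lib/libc.so.6"
    printf '\177ELF\002host' > "$t/jail/lib/libc.so.6"
    printf '%s\n' /lib64/libnss_dns.so.2 /lib64/libresolv.so.2 /lib/libc.so.6 |
        check_chroot_libs "$t/host" "$t/jail"
    rm -rf "$t"
}

demo_libs
```

On a live system the path list would come from ldd on the smtpd binary; glibc loads NSS modules such as libnss_dns at run time, so they do not appear in ldd output and have to be added to the list by hand.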