Project

General

Profile

Actions

communication #154459

open

pagure / code.o.o can't send mails - DNS issue + "relay access denied"

Added by cboltz 9 months ago. Updated 9 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Email
Target version:
-
Start date:
2024-01-29
Due date:
% Done:

0%

Estimated time:

Description

pagure should send out mails to people who for example subscribed to a ticket on code.o.o - but in practise it (again) failed with (picking a random example)

230458CD9      2154 Mon Jan 29 12:22:27  pagure@opensuse.org
(delivery temporarily suspended: Host or domain name not found. Name service error for name=relay.infra.opensuse.org type=AAAA: Host not found, try again)
                                         douglas.demaio@suse.com

Looks like my workaround from #137843 was dropped, maybe via a salt run.

After re-adding the workaround, we end up with "relay access denied", for example

2024-01-29T12:39:34.424997+00:00 pagure01 postfix/smtp[16892]: 4A6DF8AB5: to=suse-beta@cboltz.de, relay=2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10]:25, conn_use=10, delay=212984, delays=212960/22/1/2, dsn=5.7.1, status=bounced (host 2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10] said: 554 5.7.1 suse-beta@cboltz.de: Relay access denied (in reply to RCPT TO command))

Actions #1

Updated by pjessen 9 months ago

  • Category set to Email
  • Private changed from Yes to No

cboltz wrote:

After re-adding the workaround, we end up with "relay access denied", for example

2024-01-29T12:39:34.424997+00:00 pagure01 postfix/smtp[16892]: 4A6DF8AB5: to=suse-beta@cboltz.de, relay=2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10]:25, conn_use=10, delay=212984, delays=212960/22/1/2, dsn=5.7.1, status=bounced (host 2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10] said: 554 5.7.1 suse-beta@cboltz.de: Relay access denied (in reply to RCPT TO command))

I think this is due to mx12 only relaying for these domains:

relay_domains = code.opensuse.org,forums.opensuse.org,lists.opensuse.org,lists.uyuni-project.org
Actions #2

Updated by cboltz 9 months ago

Turns out that pagure01.i.o.o is in a separate subnet which was not part of mynetworks. Added now in https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/1393 (and already added manually since I needed it for testing anyway).

That leaves the question why postfix on pagure01.i.o.o can't do DNS resolution, while DNS resolution in general works.

Actions #3

Updated by cboltz 9 months ago

After looking at various things and diffing the postfix config on various hosts, it turns out that the DNS problem is related to the chroot.

master.cf:
smtp      unix  -       -       y       -       -       smtp    # broken
smtp      unix  -       -       n       -       -       smtp    # works

Manually fixed on pagure01 for now (but only for smtp). We should probably get master.cf on all hosts in sync.

This affects a few more hosts, see salt \* cmd.run 'grep "^smtp .*y" /etc/postfix/master.cf'

Actions #4

Updated by pjessen 9 months ago

cboltz wrote in #note-3:

After looking at various things and diffing the postfix config on various hosts, it turns out that the DNS problem is related to the chroot.

master.cf:
smtp      unix  -       -       y       -       -       smtp    # broken
smtp      unix  -       -       n       -       -       smtp    # works

Nice find! It might be worth figuring out why on earth that was changed - the default is not to chroot. chroot'ing needs a bit of preparation to get to work.

From the postfix manual:
Note that a chrooted daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). For successful use of a chroot jail, most UNIX systems require you to bring in some files or device nodes. The examples/chroot-setup directory in the source code distribution has a collection of scripts that help you set up Postfix chroot environments on different operating systems.

The reason name resolution isn't working is probably lack of /etc/resolv.conf in /var/spool/postfix.

Actions

Also available in: Atom PDF