communication #154459

open

pagure / code.o.o can't send mails - DNS issue + "relay access denied"

Added by cboltz 3 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Email
Target version: -
Start date: 2024-01-29
Due date:
% Done: 0%
Estimated time:
Description

pagure should send out mails to people who, for example, subscribed to a ticket on code.o.o - but in practice it (again) failed with (picking a random example)

230458CD9      2154 Mon Jan 29 12:22:27  pagure@opensuse.org
(delivery temporarily suspended: Host or domain name not found. Name service error for name=relay.infra.opensuse.org type=AAAA: Host not found, try again)
                                         douglas.demaio@suse.com

Looks like my workaround from #137843 was dropped, maybe via a salt run.

After re-adding the workaround, we end up with "relay access denied", for example

2024-01-29T12:39:34.424997+00:00 pagure01 postfix/smtp[16892]: 4A6DF8AB5: to=suse-beta@cboltz.de, relay=2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10]:25, conn_use=10, delay=212984, delays=212960/22/1/2, dsn=5.7.1, status=bounced (host 2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10] said: 554 5.7.1 suse-beta@cboltz.de: Relay access denied (in reply to RCPT TO command))

Actions #1

Updated by pjessen 3 months ago

  • Category set to Email
  • Private changed from Yes to No

cboltz wrote:

After re-adding the workaround, we end up with "relay access denied", for example

2024-01-29T12:39:34.424997+00:00 pagure01 postfix/smtp[16892]: 4A6DF8AB5: to=suse-beta@cboltz.de, relay=2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10]:25, conn_use=10, delay=212984, delays=212960/22/1/2, dsn=5.7.1, status=bounced (host 2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10] said: 554 5.7.1 suse-beta@cboltz.de: Relay access denied (in reply to RCPT TO command))

I think this is due to mx12 only relaying for these domains:

relay_domains = code.opensuse.org,forums.opensuse.org,lists.opensuse.org,lists.uyuni-project.org

Actions #2

Updated by cboltz 3 months ago

Turns out that pagure01.i.o.o is in a separate subnet which was not part of mynetworks. Added now in https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/1393 (and already added manually since I needed it for testing anyway).

That leaves the question why postfix on pagure01.i.o.o can't do DNS resolution, while DNS resolution in general works.

Actions #3

Updated by cboltz 3 months ago

After looking at various things and diffing the postfix config on various hosts, it turns out that the DNS problem is related to the chroot.

master.cf:
smtp      unix  -       -       y       -       -       smtp    # broken
smtp      unix  -       -       n       -       -       smtp    # works

Manually fixed on pagure01 for now (but only for smtp). We should probably get master.cf on all hosts in sync.

This affects a few more hosts, see salt \* cmd.run 'grep "^smtp .*y" /etc/postfix/master.cf'

Actions #4

Updated by pjessen 3 months ago

cboltz wrote in #note-3:

After looking at various things and diffing the postfix config on various hosts, it turns out that the DNS problem is related to the chroot.

master.cf:
smtp      unix  -       -       y       -       -       smtp    # broken
smtp      unix  -       -       n       -       -       smtp    # works

Nice find! It might be worth figuring out why on earth that was changed - the default is not to chroot. chroot'ing needs a bit of preparation to get to work.

From the postfix manual:
Note that a chrooted daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). For successful use of a chroot jail, most UNIX systems require you to bring in some files or device nodes. The examples/chroot-setup directory in the source code distribution has a collection of scripts that help you set up Postfix chroot environments on different operating systems.

The reason name resolution isn't working is probably lack of /etc/resolv.conf in /var/spool/postfix.
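
An added example (not part of the ticket or of the openSUSE infra repository): a POSIX shell audit that extends the grep from note 3 to every master.cf service and checks the chroot jail for the resolver files discussed in note 4. Only etc/resolv.conf is named in the ticket; the other three file names and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket: audit Postfix for chrooted services
# whose jail lacks the files the resolver needs.

# Print "service/type" for each master.cf entry whose chroot field (column 5)
# is "y". Comments, blank lines and continuation lines (leading whitespace)
# are skipped. "-" means the compiled-in default ("n" on Postfix >= 3.0) and
# is therefore not reported.
chrooted_services() {
    awk '/^[ \t]*#/ || /^[ \t]/ || NF < 8 { next }
         $5 == "y" { print $1 "/" $2 }' "$1"
}

# Print resolver-related files that are missing or empty inside the jail.
# etc/resolv.conf is the file named in the ticket; the other three are an
# assumption about what a glibc resolver typically reads.
missing_jail_files() {
    for f in etc/resolv.conf etc/hosts etc/services etc/nsswitch.conf; do
        [ -s "$1/$f" ] || echo "$f"
    done
}

# Return 1 when at least one service is chrooted and the jail is incomplete.
audit_postfix_chroot() {
    services=$(chrooted_services "$1")
    if [ -z "$services" ]; then
        echo "OK: no service in $1 is chrooted"
        return 0
    fi
    missing=$(missing_jail_files "$2")
    if [ -z "$missing" ]; then
        echo "OK: chrooted services found, resolver files present in $2"
        return 0
    fi
    echo "WARN: chrooted services:" $services
    echo "WARN: missing in $2:" $missing
    return 1
}

# Usage: sh audit.sh /etc/postfix/master.cf /var/spool/postfix
if [ "$#" -eq 2 ]; then
    audit_postfix_chroot "$1" "$2"
fi
```

The non-zero exit status makes it usable from a salt cmd.run or a monitoring check across hosts.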
