communication #154459
openpagure / code.o.o can't send mails - DNS issue + "relay access denied"
Description
pagure should send out mails to people who for example subscribed to a ticket on code.o.o - but in practice it (again) failed with (picking a random example)
230458CD9 2154 Mon Jan 29 12:22:27 pagure@opensuse.org
(delivery temporarily suspended: Host or domain name not found. Name service error for name=relay.infra.opensuse.org type=AAAA: Host not found, try again)
douglas.demaio@suse.com
Looks like my workaround from #137843 was dropped, maybe via a salt run.
After re-adding the workaround, we end up with "relay access denied", for example
2024-01-29T12:39:34.424997+00:00 pagure01 postfix/smtp[16892]: 4A6DF8AB5: to=suse-beta@cboltz.de, relay=2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10]:25, conn_use=10, delay=212984, delays=212960/22/1/2, dsn=5.7.1, status=bounced (host 2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10] said: 554 5.7.1 suse-beta@cboltz.de: Relay access denied (in reply to RCPT TO command))
Updated by pjessen 10 months ago
- Category set to Email
- Private changed from Yes to No
cboltz wrote:
After re-adding the workaround, we end up with "relay access denied", for example
2024-01-29T12:39:34.424997+00:00 pagure01 postfix/smtp[16892]: 4A6DF8AB5: to=suse-beta@cboltz.de, relay=2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10]:25, conn_use=10, delay=212984, delays=212960/22/1/2, dsn=5.7.1, status=bounced (host 2a07:de40:b27e:1203::10[2a07:de40:b27e:1203::10] said: 554 5.7.1 suse-beta@cboltz.de: Relay access denied (in reply to RCPT TO command))
I think this is due to mx12 only relaying for these domains:
relay_domains = code.opensuse.org,forums.opensuse.org,lists.opensuse.org,lists.uyuni-project.org
Updated by cboltz 10 months ago
Turns out that pagure01.i.o.o is in a separate subnet which was not part of mynetworks. Added now in https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/1393 (and already added manually since I needed it for testing anyway).
That leaves the question why postfix on pagure01.i.o.o can't do DNS resolution, while DNS resolution in general works.
Updated by cboltz 10 months ago
After looking at various things and diffing the postfix config on various hosts, it turns out that the DNS problem is related to the chroot.
master.cf:
smtp unix - - y - - smtp # broken
smtp unix - - n - - smtp # works
Manually fixed on pagure01 for now (but only for smtp). We should probably get master.cf on all hosts in sync.
This affects a few more hosts, see salt \* cmd.run 'grep "^smtp .*y" /etc/postfix/master.cf'
Updated by pjessen 10 months ago
cboltz wrote in #note-3:
After looking at various things and diffing the postfix config on various hosts, it turns out that the DNS problem is related to the chroot.
master.cf:
smtp unix - - y - - smtp # broken
smtp unix - - n - - smtp # works
Nice find! It might be worth figuring out why on earth that was changed - the default is not to chroot. chroot'ing needs a bit of preparation to get to work.
From the postfix manual:
Note that a chrooted daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). For successful use of a chroot jail, most UNIX systems require you to bring in some files or device nodes. The examples/chroot-setup directory in the source code distribution has a collection of scripts that help you set up Postfix chroot environments on different operating systems.
The reason name resolution isn't working is probably lack of /etc/resolv.conf in /var/spool/postfix.
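An added example, not part of the ticket or of the openSUSE salt repository: a stricter version of the grep from note 3 that reads the chroot column of master.cf per service (so the `smtp inet` listener and the `smtp unix` client are told apart) and then lists which resolver files are absent from the jail. The sample master.cf text, the function names and the file list beyond etc/resolv.conf are assumptions made for illustration.

```python
import os

# Files a chrooted daemon usually needs for name resolution, relative to the
# queue directory. Only etc/resolv.conf is named in the ticket; the rest are
# an assumed, typical set and differ between distributions.
JAIL_FILES = ("etc/resolv.conf", "etc/hosts", "etc/services", "etc/nsswitch.conf")

# Constructed master.cf excerpt (not taken from pagure01).
SAMPLE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
pickup    unix  n       -       -       60      1       pickup
"""

def logical_lines(text):
    """Drop comments/blank lines and join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def chrooted_services(text, default_chroot="n"):
    """Return (service, type, command) for entries that run chrooted.

    A "-" in the chroot column means the built-in default: n on
    Postfix >= 3.0, y on older releases, hence the parameter.
    """
    hits = []
    for line in logical_lines(text):
        f = line.split()
        if len(f) >= 8 and (default_chroot if f[4] == "-" else f[4]) == "y":
            hits.append((f[0], f[1], f[7]))
    return hits

def missing_jail_files(queue_dir, wanted=JAIL_FILES):
    """List the wanted files that do not exist below the chroot (queue) directory."""
    return [p for p in wanted if not os.path.isfile(os.path.join(queue_dir, p))]

if __name__ == "__main__":
    for name, typ, cmd in chrooted_services(SAMPLE):
        print(f"{name}/{typ} ({cmd}) runs chrooted")
    print("missing in jail:", missing_jail_files("/var/spool/postfix"))
```

On a real host, pass the contents of /etc/postfix/master.cf instead of `SAMPLE`; a chrooted `smtp unix` entry together with `etc/resolv.conf` in the missing list matches the failure described in this ticket.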