1

Topic: chroot ptr resolve problem

Hello. I use iRedMail-0.5.1 on CentOS 5.4. iRedMail was installed on a fresh CentOS installation without any other services. A few days ago I decided to use the "reject_unknown_client" restriction in "smtpd_sender_restrictions" to prevent spam messages from hosts without valid PTR records. After this, postfix started to reject any mail, even from hosts with valid PTR records.
This is a record from maillog:

Nov 25 11:55:00 email postfix/smtpd[31618]: NOQUEUE: reject: RCPT from unknown[209.85.218.211]: 450 4.7.1 Client host rejected: cannot find your hostname, [209.85.218.211]; from=<xxx@gmail.com> to=<xxx@mydomain.com> proto=ESMTP helo=<mail-bw0-f211.google.com>

This problem appears only when postfix runs in chroot. When I change the setting for smtpd in /etc/postfix/master.cf to remove it from chroot, everything works fine. The files resolv.conf, localtime, hosts in /var/spool/postfix/etc/ are the same as the ones in /etc/.

I don't want to run postfix without chroot, and I need your help. Thank you!

2

Re: chroot ptr resolve problem

Any update on this? We have the same issue!

3

Re: chroot ptr resolve problem

avb077 wrote:

This problem appears only when postfix runs in chroot. When I change the setting for smtpd in /etc/postfix/master.cf to remove it from chroot, everything works fine. The files resolv.conf, localtime, hosts in /var/spool/postfix/etc/ are the same as the ones in /etc/.

If files are the same ones, it should work as expected. This is really strange, I don't know why it happened now.

4 (edited by host2904 2014-08-10 16:20:23)

Re: chroot ptr resolve problem

I've just run into this same issue just now.
It was difficult to find the cause via Google, so I’m summarizing the situation, my findings and a fix here, in the hope that it makes things easier:

Some symptoms:
A. When receiving mail, you will find headers with 'unknown' PTR lookups, e.g.:

Received: from mail-pd0-f177.google.com (unknown [209.85.192.177])
    by mx1.xxx.xxx.xxx (Postfix) with ESMTPS id BB3E3201395
    for <xxx@xxx.xxx.xxx>; Sun, 10 Aug 2014 17:12:38 +0000 (UTC)

B. When messages are above the tag limit set for amavisd, you will see RDNS_NONE raising scores on all incoming email, e.g.:

X-Spam-Status: No, score=xxx tagged_above=2 required=xxx
    tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RDNS_NONE=0.793, 
        SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no

The problem goes away when you disable chroot by backing up and editing ‘/etc/postfix/master.cf’:
Change this:

smtp      inet  n       -       -       -       -       smtpd

To this:

smtp      inet  n       -       n       -       -       smtpd

And then run ‘postfix reload’.
Symptoms A & B will no longer occur. But now chroot is disabled.


Changes/tests that can be made that will still produce the same results:
1. PTR lookups work, e.g. ‘host 209.85.192.177’ returns ‘mail-pd0-f177.google.com’ and vice-versa.
2. Using a compiled example that calls getaddrinfo() / getnameinfo() also returns valid PTRs.
3. Use a non-forwarding local nameserver such as dnscache from ndjbdns (and change /etc/resolv.conf & /var/spool/postfix/etc/resolv.conf to suit)
4. postconf will show the following are set correctly:

disable_dns_lookups = no
smtpd_peername_lookup = yes

A FIX (not necessarily the best one - YMMV):
Include the necessary libraries in the chroot jail (we use /lib64 here because this is a 64-bit system. You may need to use /lib)

mkdir /var/spool/postfix/lib64
chmod 555 /var/spool/postfix/lib64
cp -p /lib64/libnss* /var/spool/postfix/lib64/
cp -p /lib64/libresolv* /var/spool/postfix/lib64/
cp -p /etc/nsswitch.conf /var/spool/postfix/etc/

You will need to/should repeat this after you install any upgrade packages to ‘glibc’. If there is a cleaner way I should be doing this, please let me know :-)

Do a ‘postfix reload’ and you should have headers with lines more like this:

Received: from mail-pa0-f45.google.com (mail-pa0-f45.google.com [209.85.220.45])
    by mx1.xxx.xxx.xxx (Postfix) with ESMTPS id 46852201732
    for <xxx@xxx.xxx.xxx>; Sun, 10 Aug 2014 18:06:52 +0000 (UTC)

And RDNS_NONE should go away from amavisd tags unless there is an actual RDNS mismatch.

>Insert Joy.<



Related posts:
http://www.iredmail.org/forum/topic675- … -time.html
http://www.iredmail.org/forum/topic6085 … ution.html
http://www.iredmail.org/forum/topic5236 … verse.html

External references:
https://groups.google.com/forum/#!topic … SZcIw6GcJ0
http://www.postfix.org/DEBUG_README.html#no_chroot
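
The fix in the post above has to be repeated after every glibc upgrade, so it helps to have a check that compares the jail copies with the system files. The script below is an added example, not part of the original post or of iRedMail; the function names `audit_jail` and `demo` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the resolver files inside a Postfix chroot with the
# system copies. Function names and the demo tree are constructed for illustration.

# audit_jail ROOT JAIL LIBDIR
# Prints "MISSING <path>" or "STALE <path>" for each file that exists under
# ROOT but is absent from, or differs in, JAIL. Returns 0 if in sync, else 1.
audit_jail() {
    root=${1%/}; jail=${2%/}; libdir=$3; bad=0
    for src in "$root/etc/resolv.conf" "$root/etc/hosts" \
               "$root/etc/nsswitch.conf" \
               "$root/$libdir"/libnss* "$root/$libdir"/libresolv*; do
        [ -e "$src" ] || continue      # unmatched glob, or not on this system
        rel=${src#"$root"}
        if [ ! -e "$jail$rel" ]; then
            echo "MISSING $rel"; bad=1
        elif ! cmp -s "$src" "$jail$rel"; then
            echo "STALE $rel"; bad=1   # e.g. glibc upgraded after the copy
        fi
    done
    return $bad
}

# Constructed sample tree (placeholder contents, not real libraries): the jail
# lacks nsswitch.conf and holds a libnss_dns copy older than the system one.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/sys/etc" "$t/sys/lib64" "$t/jail/etc" "$t/jail/lib64"
    echo "nameserver 192.0.2.53" > "$t/sys/etc/resolv.conf"
    echo "hosts: files dns"      > "$t/sys/etc/nsswitch.conf"
    echo "glibc-new" > "$t/sys/lib64/libnss_dns.so.2"
    echo "glibc-new" > "$t/sys/lib64/libresolv.so.2"
    cp -p "$t/sys/etc/resolv.conf"      "$t/jail/etc/"
    cp -p "$t/sys/lib64/libresolv.so.2" "$t/jail/lib64/"
    echo "glibc-old" > "$t/jail/lib64/libnss_dns.so.2"
    if audit_jail "$t/sys" "$t/jail" lib64; then st=0; else st=1; fi
    rm -rf "$t"
    return $st
}

# With arguments, audit the live system: sh audit.sh /var/spool/postfix lib64
# Without arguments, run the constructed demo.
if [ $# -ge 1 ]; then
    audit_jail / "$1" "${2:-lib64}"
else
    demo || true
fi
```

A non-zero exit status means at least one jail copy needs to be re-copied before the next ‘postfix reload’.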

5

Re: chroot ptr resolve problem

This issue happened on CentOS/RHEL, and it has been fixed since iRedMail-0.8.6.