4

I'm stuck with a Postfix MX related problem.

I've just migrated a very old CentOS 5 server to v7, so I'm using postfix-2.10.1-7.el7.x86_64. I've upgraded the legacy Postfix configuration (maybe the cause of this hell) and other supplementary stuff which seems to work:

  • postfix-perl-scripts-2.10.1-7.el7.x86_64
  • postgrey-1.34-12.el7.noarch
  • amavisd-new-2.11.1-1.el7.noarch
  • spamassassin-3.4.0-4.el7_5.x86_64
  • perl-Mail-SPF-2.8.0-4.el7.noarch
  • perl-Mail-DKIM-0.39-8.el7.noarch
  • dovecot-2.2.36-3.el7.x86_64

After many tribulations I think I got most of the system running except the annoying MX related problems, as (from /var/log/maillog):

```
Mar 28 14:26:48 tormento postfix/smtpd[1021]: warning: Unable to look up MX host for spmailtechn.com: Host not found, try again
Mar 28 14:26:51 tormento postfix/smtpd[1052]: warning: Unable to look up MX host for inlumine.ual.es: Host not found, try again
Mar 28 14:31:38 tormento postfix/smtpd[1442]: warning: Unable to look up MX host for aol.com: Host not found, try again
Mar 28 13:07:53 tormento postfix/smtpd[26556]: warning: Unable to look up MX host for hotmail.com: Host not found, try again
Mar 28 13:12:06 tormento postfix/smtpd[26650]: warning: Unable to look up MX host for facebookmail.com: Host not found, try again
Mar 28 13:12:31 tormento postfix/smtpd[26650]: warning: Unable to look up MX host for joker.com: Host not found, try again
Mar 28 13:13:02 tormento postfix/smtpd[26650]: warning: Unable to look up MX host for bounce.linkedin.com: Host not found, try again
```

and:

```
Mar 28 14:50:36 tormento postfix/smtp[1700]: 7B6C69C6A2: to=<ismael.olea@gmail.com>, orig_to=<ismael@olea.org>, relay=none, delay=1142, delays=1142/0.07/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=gmail.com type=MX: Host not found, try again)
Mar 28 14:32:05 tormento postfix/smtp[1383]: 721A19C688: to=<XXXXX@yahoo.com>, orig_to=<XXXX@olea.org>, relay=none, delay=4742, delays=4742/0/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
```

as examples.

The first suspect is DNS resolution, but this is working using either the Hetzner DNS servers (where the machine is hosted) or 8.8.8.8 or 9.9.9.9.

```
$ cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
nameserver 213.133.100.100
nameserver 213.133.98.98
nameserver 213.133.99.99
```

and /etc/hosts:

```
195.201.24.84 tormento tormento.olea.org
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4

# The following lines are desirable for IPv6 capable hosts
::1 tormento tormento.olea.org
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
```

I fear I'm missing something really obvious, but I've been googling for two days, doing any number of tests, and now I don't know what more to do.

Since Server Fault rejected my original question as spam, I've put the log and configuration details on my personal blog: http://olea.org/diario/2019/03/28/Postfix_MX_not_found.html

Thanks in advance.

Ismael Olea
  • I've added the contents of the default Hetzner configuration, which works with dig as you can check at http://olea.org/diario/2019/03/28/Postfix_MX_not_found.html – Ismael Olea Mar 28 '19 at 15:01
  • Have you tried to run SELinux in permissive mode temporarily? I don't see anything wrong with your setup, so I suspect that the problem is caused by a SELinux misconfiguration. Please, run `setenforce 0` as root user and verify if it solves the issue. – Anderson Medeiros Gomes Mar 28 '19 at 15:20
  • @AndersonM.Gomes thanks for the suggestion: I've set setenforce to 0, restarted postfix, launched postqueue -f and checked with a new test mail, but it keeps the problematic behaviour. – Ismael Olea Mar 28 '19 at 15:28
  • Many postfix subprocesses use chroots for security, so check if the resolv.conf in the chroot matches the system one. I'm not familiar with CentOS, but on Debian the chroot is in /var/spool/postfix. – Marius Gedminas Mar 28 '19 at 16:53
  • 1
    @MariusGedminas Thanks for the tip, but checking [master.cf](http://olea.org/diario/2019/03/28/Postfix_MX_not_found.html) there is no chrooted Postfix process. I've just double-checked using [this other tip](https://www.cyberciti.biz/tips/linux-chroot-service.html) too :-/ – Ismael Olea Mar 28 '19 at 18:23

3 Answers

7

Well, this is embarrassing. As I predicted my problem was caused by the most obvious and trivial reason: lack of read access to /etc/resolv.conf for the postfix user o_0

As you probably know, the postfix subprocesses (smtp, smtpd, qmgr, etc.) run as the postfix user. All the comments and suggestions I've received have been related to problems accessing DNS resolution data, and the usual suspects have been SELinux or a chrooted Postfix. You all were right in the final reason. Following a piece of advice, I tried:

```
# sudo -u postfix -H cat /etc/resolv.conf
cat: /etc/resolv.conf: Permission denied
```

So... What??

```
# ls -l /etc/resolv.conf
-rw-r-----. 1 root named 118 mar 28 20:34 /etc/resolv.conf
```

OMG!... Then, after a `chmod o+r` and restarting Postfix, all the email on hold can be processed and sent, and new mail is processed as expected.

I doubt I've changed the resolv.conf read permissions, but I can't be 100% sure. So finally the problem is fixed, and I'm very sorry for having stolen the attention of all of you for this ridiculous reason. Thank you all.

Ismael Olea
  • 1
    Thank you for sharing the root cause. I spent all of this afternoon thinking about what could be wrong in your setup and was about to suggest that you set unusual Postfix configuration parameters, such as [smtp_host_lookup](http://www.postfix.org/postconf.5.html#smtp_host_lookup). I did not suspect a lack of read permissions because the question description showed a successful read of `/etc/resolv.conf`. – Anderson Medeiros Gomes Mar 28 '19 at 23:32
  • @AndersonM.Gomes thank you very much for your time and attention :) – Ismael Olea Mar 29 '19 at 08:45
2

Step 1. I checked gmail.com for access to the MX record on my server. First I installed the bind server using `yum install bind-utils` and checked gmail.com with the following command:

```
root@host# host -t mx gmail.com
;; connection timed out; no servers could be reached
```

So, I changed my DNS server to 8.8.8.8 using the nmtui command and rebooted my server...

After the reboot I executed `host -t mx gmail.com` and my timeout was fixed, with this output:

```
root@host# host -t mx gmail.com
gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
```

But the main problem was not solved yet for me... so I did step 2...

Step 2. On my server there was no etc folder in /var/spool/postfix/. So I created the etc folder manually... Then I copied three files into it: /etc/host.conf, /etc/resolv.conf and /etc/services

```
root@host# mkdir /var/spool/postfix/etc
root@host# cp /etc/host.conf /var/spool/postfix/etc/
root@host# cp /etc/resolv.conf /var/spool/postfix/etc/
root@host# cp /etc/services /var/spool/postfix/etc/
```

The main problem of MX was not solved yet...

Step 3. I changed the mode of /etc/resolv.conf and /var/spool/postfix/etc/* to 1777 and that fixed my problem

```
root@host# chmod 1777 /etc/resolv.conf
root@host# chmod 1777 -R /var/spool/postfix/etc
```

Finally I restarted the postfix service using `systemctl restart postfix.service` and my SMTP worked fine!

ultra.deep
1

FYI, this problem may be caused by SELinux. Postfix didn't have permission to read /etc/resolv.conf. To fix this, you can disable SELinux completely with the command `setenforce 0` or reset the SELinux context for /etc/resolv.conf with the command `sudo restorecon /etc/resolv.conf`

Danny Li
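A read-only check for the two conditions the answers above ran into, as an added example that is not part of any of the original posts: it reports whether `/etc/resolv.conf` lacks the read bit for "other" (the `root:named` mode `-rw-r-----` from the accepted answer) or is writable by group or other (which the mode 1777 from step 3 of the second answer would be), and whether a chroot copy has drifted from the system file. The function names `audit_mode` and `chroot_copy_status` are hypothetical, and only classic mode bits are inspected, not ACLs or SELinux contexts.

```shell
#!/bin/sh
# Added example: read-only audit of resolver-file permissions for Postfix.
# Function names are hypothetical. Only classic mode bits are inspected.

# Print the problems found in FILE's mode bits, or "ok".
audit_mode() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    # -L follows a symlinked resolv.conf; keep only the 10 mode characters,
    # e.g. "-rw-r-----" for the root:named file shown in the accepted answer.
    perms=$(ls -ldL -- "$f" | cut -c1-10)
    out=""
    # Char 8 is the read bit for "other": a daemon user that is neither the
    # owner nor in the owning group (postfix in this thread) depends on it.
    case $(printf '%s' "$perms" | cut -c8) in
        r) ;;
        *) out="not-world-readable" ;;
    esac
    # Chars 6 and 9 are the group/other write bits: whoever can write this
    # file decides which DNS servers every local lookup is sent to.
    [ "$(printf '%s' "$perms" | cut -c6)" != "w" ] || out="${out:+$out }group-writable"
    [ "$(printf '%s' "$perms" | cut -c9)" != "w" ] || out="${out:+$out }world-writable"
    echo "${out:-ok}"
}

# Compare the system file with the copy inside a Postfix chroot, if any.
chroot_copy_status() {
    src=$1; copy=$2
    [ -e "$copy" ] || { echo "no-copy"; return 0; }
    if cmp -s "$src" "$copy"; then echo "in-sync"; else echo "stale"; fi
}

# Report on the paths named in the thread (nothing is modified).
echo "/etc/resolv.conf: $(audit_mode /etc/resolv.conf)"
echo "chroot copy: $(chroot_copy_status /etc/resolv.conf /var/spool/postfix/etc/resolv.conf)"
```

A root-owned file with mode 0644 reports `ok`. On a live host, the accepted answer's `sudo -u postfix -H cat /etc/resolv.conf` is the more direct test, since it also takes group membership and ACLs into account.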