From 846f23cb8d066bea41d290f7774be261b3c79fbb Mon Sep 17 00:00:00 2001 From: jg-dev Date: Jan 20 2022 23:05:13 +0000 Subject: Notes and README updated --- diff --git a/README.md b/README.md index dd2a724..b25596e 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,11 @@ -# 10291-testing +# 10291 Recon and testing -Testing notes and files for ticket 10291 +Recon and testing notes take whilst looking into fix for [Issue 10291](https://pagure.io/fedora-infrastructure/issue/10291). -**TO DO** -- update notes -- double check everything -- reply on issue +**recon-notes.md**: Contains notes on the OS, and postfix configuration of the machine (prox34) listed in the issue. It also contains some notes on the default posfix configs applied on a fresh install. + +**testing-notes.md**: Contains notes on the steps taken to reproduce the issue, and the proposed fix. + +**error-repro**: Contains all the files used for reporducing the issue, along with a sample of the logs generated as part of the testing. + +**error-fix**: Contains all the files used for testing the proposed fix. diff --git a/recon-notes.md b/recon-notes.md new file mode 100644 index 0000000..4fdd622 --- /dev/null +++ b/recon-notes.md 
@@ -0,0 +1,80 @@ +# Recon notes for pagure issue 10291 + +Some notes on the recon for issue 10291 [Issue 10291](https://pagure.io/fedora-infrastructure/issue/10291). + +General notes: +- Machine with issue idenfied as proxy34 +- Proxy34 OS: `Fedora 34 (Cloud Edition)` +- Postfix version: `mail_version = 3.5.10` +- main.cf file appeared to match [main.cf.vpn](https://www.pagure.io/fedora-infra/ansible/blob/main/f/roles/base/files/postfix/main.cf/main.cf.vpn). within the Fedora project ansible repo. +- Proxy34 config details: + + ``` + [jg-dev@proxy34 ~][PROD]$ postconf -n + alias_database = hash:/etc/aliases + alias_maps = hash:/etc/aliases + command_directory = /usr/sbin + daemon_directory = /usr/libexec/postfix + debug_peer_level = 2 + debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 + header_checks = regexp:/etc/postfix/header_checks + html_directory = no + inet_interfaces = all + mail_owner = postfix + mailq_path = /usr/bin/mailq.postfix + manpage_directory = /usr/share/man + masquerade_domains = redhat.com + masquerade_exceptions = root apache + message_size_limit = 20971520 + mydestination = $myhostname, localhost.$mydomain, fedora.redhat.com, localhost + mydomain = fedoraproject.org + myorigin = fedoraproject.org + newaliases_path = /usr/bin/newaliases.postfix + queue_directory = /var/spool/postfix + readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES + recipient_delimiter = + + relayhost = bastion.vpn.fedoraproject.org + sample_directory = /usr/share/doc/postfix-2.4.5/samples + sendmail_path = /usr/sbin/sendmail.postfix + setgid_group = postdrop + unknown_local_recipient_reject_code = 550 + ``` +- Default config settings for fresh postfix install on Fedora 34 Cloud Edition : + ``` + [vagrant@fedora ~]$ postconf -n + alias_database = hash:/etc/aliases + alias_maps = hash:/etc/aliases + command_directory = /usr/sbin + compatibility_level = 2 + daemon_directory = 
/usr/libexec/postfix + data_directory = /var/lib/postfix + debug_peer_level = 2 + debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 + html_directory = no + inet_interfaces = localhost + inet_protocols = all + mail_owner = postfix + mailq_path = /usr/bin/mailq.postfix + manpage_directory = /usr/share/man + meta_directory = /etc/postfix + mydestination = $myhostname, localhost.$mydomain, localhost + newaliases_path = /usr/bin/newaliases.postfix + queue_directory = /var/spool/postfix + readme_directory = /usr/share/doc/postfix/README_FILES + sample_directory = /usr/share/doc/postfix/samples + sendmail_path = /usr/sbin/sendmail.postfix + setgid_group = postdrop + shlib_directory = /usr/lib64/postfix + smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt + smtp_tls_CApath = /etc/pki/tls/certs + smtp_tls_security_level = may + smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem + smtpd_tls_key_file = /etc/pki/tls/private/postfix.key + smtpd_tls_security_level = may + unknown_local_recipient_reject_code = 550 + ``` + +- postfix default smtpd relay restrictions settings + ``` + smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}} + ``` diff --git a/recon.md b/recon.md deleted file mode 100644 index 5a43f9d..0000000 --- a/recon.md +++ /dev/null 
@@ -1,114 +0,0 @@ -# Recon notes for ticket 10291 -Some notes on the recon and testing for issue 10291 [Issue 10291](https://pagure.io/fedora-infrastructure/issue/10291). - - -## Error checking and recon -Machine with issue idenfied as proxy34 - - -### proxy34 details / config checking -**OS details** -``` -NAME=Fedora -VERSION="34 (Cloud Edition)" -ID=fedora -VERSION_ID=34 -VERSION_CODENAME="" -PLATFORM_ID="platform:f34" -PRETTY_NAME="Fedora 34 (Cloud Edition)" -ANSI_COLOR="0;38;2;60;110;180" -LOGO=fedora-logo-icon -CPE_NAME="cpe:/o:fedoraproject:fedora:34" -HOME_URL="https://fedoraproject.org/" -DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f34/system-administrators-guide/" -SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help" -BUG_REPORT_URL="https://bugzilla.redhat.com/" -REDHAT_BUGZILLA_PRODUCT="Fedora" -REDHAT_BUGZILLA_PRODUCT_VERSION=34 -REDHAT_SUPPORT_PRODUCT="Fedora" -REDHAT_SUPPORT_PRODUCT_VERSION=34 -PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy" -VARIANT="Cloud Edition" -VARIANT_ID=cloud -``` - -**postfix version** -`mail_version = 3.5.10` - -**postfix config file** -The main.cf file appeared to be the main.cf.vpn config file from the ansible repo: -[main.cf.vpn](https://www.pagure.io/fedora-infra/ansible/blob/main/f/roles/base/files/postfix/main.cf/main.cf.vpn). 
- -``` -[jg-dev@proxy34 ~][PROD]$ postconf -n -alias_database = hash:/etc/aliases -alias_maps = hash:/etc/aliases -command_directory = /usr/sbin -daemon_directory = /usr/libexec/postfix -debug_peer_level = 2 -debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 -header_checks = regexp:/etc/postfix/header_checks -html_directory = no -inet_interfaces = all -mail_owner = postfix -mailq_path = /usr/bin/mailq.postfix -manpage_directory = /usr/share/man -masquerade_domains = redhat.com -masquerade_exceptions = root apache -message_size_limit = 20971520 -mydestination = $myhostname, localhost.$mydomain, fedora.redhat.com, localhost -mydomain = fedoraproject.org -myorigin = fedoraproject.org -newaliases_path = /usr/bin/newaliases.postfix -queue_directory = /var/spool/postfix -readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES -recipient_delimiter = + -relayhost = bastion.vpn.fedoraproject.org -sample_directory = /usr/share/doc/postfix-2.4.5/samples -sendmail_path = /usr/sbin/sendmail.postfix -setgid_group = postdrop -unknown_local_recipient_reject_code = 550 -``` - - -### Default settings -**Fedora 34 cloud image default postfix config: -``` -[vagrant@fedora ~]$ postconf -n -alias_database = hash:/etc/aliases -alias_maps = hash:/etc/aliases -command_directory = /usr/sbin -compatibility_level = 2 -daemon_directory = /usr/libexec/postfix -data_directory = /var/lib/postfix -debug_peer_level = 2 -debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 -html_directory = no -inet_interfaces = localhost -inet_protocols = all -mail_owner = postfix -mailq_path = /usr/bin/mailq.postfix -manpage_directory = /usr/share/man -meta_directory = /etc/postfix -mydestination = $myhostname, localhost.$mydomain, localhost -newaliases_path = /usr/bin/newaliases.postfix -queue_directory = /var/spool/postfix -readme_directory = 
/usr/share/doc/postfix/README_FILES -sample_directory = /usr/share/doc/postfix/samples -sendmail_path = /usr/sbin/sendmail.postfix -setgid_group = postdrop -shlib_directory = /usr/lib64/postfix -smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt -smtp_tls_CApath = /etc/pki/tls/certs -smtp_tls_security_level = may -smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem -smtpd_tls_key_file = /etc/pki/tls/private/postfix.key -smtpd_tls_security_level = may -unknown_local_recipient_reject_code = 550 -``` - -** postfix default smtpd relay restrictions settings** -``` -[vagrant@fedora ~]$ postconf -d | grep "smtpd_relay_restrictions =" -smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}} -``` diff --git a/testing-notes.md b/testing-notes.md new file mode 100644 index 0000000..8c3b47a --- /dev/null +++ b/testing-notes.md 
@@ -0,0 +1,132 @@ +# Testing notes for pagure issue 10291 + +Some notes on the testing for issue 10291 [Issue 10291](https://pagure.io/fedora-infrastructure/issue/10291). + + +## Tools / Packages used + +Tools used to replicate and test issue on local machine: +- Virtualbox - [virtualbox install docs](https://www.virtualbox.org/manual/ch02.html) +- Vagrant - [vagrant install docs](https://www.vagrantup.com/downloads) +- Ansible + +Packages installed on vm to test issue (all installed onto vm with ansible playbook): +- Postfix +- rsyslog (to enable logging to /var/log/maillog) +- telnet (to carry out local test of postfix) + + +## Issue reproduction + +To reproduce the issue, the following steps were taken within the `error-repro/` directory of this repo: + +1. Run the command: + + ``` + vagrant up + ``` + To provision, start, and automatically install the relevant packages and config file onto the virtual machine. + + Files used: + + **Vagrantfile**: Used for provisioning the vm, and running the ansible playbook. + + **postfix-err-rep.yml**: Ansible playbook used to install, and start, the required packages and config file onto the vm. + + **main.cf.vpn**: Postfix config file taken from prox34 for reproducing issue. + + +2. Login to the vm using ssh: + + ``` + vagrant ssh + ``` + +3. Check relevant services are running and check logs for error: + + ``` + systemctl status postfix + systemctl status rsyslog + sudo cat /var/log/maillog + sudo tail -f /var/log/maillog + ``` + +4. 
Sample output from logs: + + ``` + Jan 19 23:59:42 fedora postfix/smtpd[10709]: fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify at least one working instance of: reject_unauth_destination, defer_unauth_destination, reject, defer, defer_if_permit or check_relay_domains + Jan 19 23:59:43 fedora postfix/master[10447]: warning: process /usr/ libexec/postfix/smtpd pid 10709 exit status 1 + Jan 19 23:59:43 fedora postfix/master[10447]: warning: /usr/libexec/ postfix/smtpd: bad command startup -- throttling + ``` + + +## Issue fix testing + +The following configuration was added to the `main.cf` on the vm to fix the issue described: +``` +smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination +``` + + +This config was copied from other `main.cf` files used accross the fedora infrastructure, and based on reading the following: +- https://serverfault.com/questions/698279/postfix-not-relying-mail-from-remote-hosts/698289 +- https://serverfault.com/questions/811493/fatal-parameter-smtpd-recipient-restrictions-in-maillog +- http://www.postfix.org/postconf.5.html + + +To test the fix, the following steps were taken within the `error-fix/` directory of this repo: + +1. Run the command: + + ``` + vagrant up + ``` + To provision, start, and automatically install the relevant packages and config file onto the virtual machine. + + Files used: + + **Vagrantfile**: Used for provisioning the vm, and running the ansible playbook. + + **postfix-err-fix.yml**: Ansible playbook used to install, and start, the required packages and config file onto the vm. + + **main.cf.10291-fix**: Edited postfix config file with `smtpd_relay_restrictions` added test reduction of logging. + +2. Login to the vm using ssh: + + ``` + vagrant ssh + ``` + +3. Check relevant services are running and check logs for error: + + ``` + systemctl status postfix + systemctl status rsyslog + sudo cat /var/log/maillog + sudo tail -f /var/log/maillog + ``` + +4. 
Sample output from logs: + + ``` + Jan 19 23:49:30 fedora postfix/postfix-script[10369]: stopping the Postfix mail system + Jan 19 23:49:30 fedora postfix/master[7759]: terminating on signal 15 + Jan 19 23:49:30 fedora postfix[10378]: Postfix is running with backwards-compatible default settings + Jan 19 23:49:30 fedora postfix[10378]: See http://www.postfix.org/COMPATIBILITY_README.html for details + Jan 19 23:49:30 fedora postfix[10378]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload" + Jan 19 23:49:30 fedora postfix/postfix-script[10444]: starting the Postfix mail system + Jan 19 23:49:30 fedora postfix/master[10446]: daemon started -- version 3.5.10, configuration /etc/postfix + Jan 19 23:49:31 fedora postfix/smtpd[10643]: connect from localhost[::1] + Jan 19 23:49:32 fedora postfix/smtpd[10643]: lost connection after CONNECT from localhost[::1] + Jan 19 23:49:32 fedora postfix/smtpd[10643]: disconnect from localhost[::1] commands=0/0 + ``` + + +## General notes + +The default relay restriction configuration was also tested, but it still appeared to be generating the logs noted in the issue. For reference the defaul configuration listed in the postfix docs is: + +``` +[vagrant@fedora ~]$ postconf -d | grep "smtpd_relay_restrictions =" +smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}} +``` \ No newline at end of file
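Review bot: In the README.md hunk, the new description of recon-notes.md names the machine as "prox34", while recon-notes.md in this same patch calls it proxy34; use one hostname throughout so the notes can be searched against the issue. The added lines also carry typos worth fixing before merge: "notes take whilst" (taken), "default posfix configs" (postfix) and "reporducing" (reproducing).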
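Review bot: In recon-notes.md, the last block ("postfix default smtpd relay restrictions settings") drops the `postconf -d | grep "smtpd_relay_restrictions ="` command line that the deleted recon.md carried, so a reader cannot tell that this value is a built-in default rather than part of either `postconf -n` listing above it. Restore the command line, and add a sentence that connects the findings: the proxy34 listing contains neither compatibility_level nor smtpd_relay_restrictions, the fresh install has compatibility_level = 2, and the quoted default expression is empty when compatibility_level is below 1. Minor: "idenfied" should be "identified", and the stray "." after the main.cf.vpn link breaks the sentence.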
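Review bot: In testing-notes.md, the log sample under "Issue fix testing" only shows smtpd starting and a localhost connection that is lost after CONNECT (commands=0/0), so it confirms the fatal error is gone but not that `permit_mynetworks, reject_unauth_destination` actually refuses relaying. The proxy34 listing in recon-notes.md shows inet_interfaces = all and no explicit mynetworks, so record the effective mynetworks value and add a step showing that a recipient in a domain not listed in mydestination is rejected when the client is outside mynetworks. In "General notes", state which compatibility_level was in effect when the default was tested, since the quoted default is empty below level 1 and the fix log reports "running with backwards-compatible default settings". Smaller items: "prox34", "accross", "defaul", "added test reduction of logging" (missing "to"), the split paths "/usr/ libexec/postfix/smtpd" and "/usr/libexec/ postfix/smtpd" in the sample log, and the missing newline at end of file.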