#10291 Postfix complain on some host about its config
Closed: Fixed with Explanation 7 months ago by kevin. Opened a year ago by misc.

Describe what you would like us to do:


postfix complains on:

Oct 23 08:16:02 proxy34.fedoraproject.org postfix/smtpd[1937411]: fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify at least one working instance of: reject_unauth_destination, defer_unauth_destination, reject, defer, defer_if_permit or check_relay_domains
Oct 23 08:16:03 proxy34.fedoraproject.org postfix/master[813]: warning: process /usr/libexec/postfix/smtpd pid 1937411 exit status 1
Oct 23 08:16:03 proxy34.fedoraproject.org postfix/master[813]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

While this doesn't impact much, I guess it would be nice to get it fixed since that means the config is not F34 ready, and this generates useless churn in the log.

When do you need this to be done by? (YYYY/MM/DD)


No deadline. I log the ticket as it seems like an easy fix for a new apprentice.


Metadata Update from @mohanboddu:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

a year ago

Hi @misc, I recently joined the fi-apprentice group and thought I would have a go at this, if you don't mind?

I haven't worked with postfix before, and have limited experience with ansible so far, so I am not sure of the best way to start, and would be grateful for a steer from someone if possible?

In the meantime, I have started having a search around for the error online, and I noticed a lot of the responses refer to the following settings within the main.cf file:
smtpd_recipient_restrictions =
smtpd_relay_restrictions =

So I made a script to pull the above settings from the relevant config files, so that they could be checked, and I noticed that the smtpd_relay_restrictions settings within the main.cf.gateway config file were a little different to the other files, would this have anything to do with it?

Output of script below for reference:

#######################################################
########## smtpd_recipient configurations #############
####################################################### 

file: main.cf
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

file: main.cf.copr
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

file: main.cf.iad2
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

file: main.cf.kojibuilder
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

file: main.cf.kojibuilder_iad2
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

file: main.cf.phx2
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

file: main.cf.staging
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

#######################################################
############ smtpd_relay configurations ###############
####################################################### 

file: main.cf.gateway
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

file: main.cf.vpn.pagure
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} :{permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}

file: main.cf.vpn.pagure-stg
file path: ./ansible/roles/base/files/postfix/main.cf/
conf: smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} :{permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}

Thanks,

Jason

@misc @mobrien can one of you help Jason out here? :)

thank you @kevin :)

So that's a kinda old ticket I opened, but I think the error is on the lack of smtpd_relay_restrictions in some config file.

To correct that, I would start by getting a F34 host (a non-connected VM would work), install postfix and deploy the same config, e.g. copying the main.cf and reloading, and see if the error can be reproduced.

Given postfix starts smtp by default, it should appear in the log.

Then try to change the config to get it fixed.

The error was on one proxy (proxy34.fpo) if that helps to find the exact config being used, assuming it didn't change since.

And yes, that's in one of those files. Not sure which one, and as the error message shows, it doesn't say which config.

From your investigation, this seems correct for smtpd_recipient_restrictions. However, I would verify the default value of smtpd_relay_restrictions on F34 (there is a command to display defaults, I think that's postconf, the exact command and arguments are left as an exercise to the reader :p )

Thanks @misc I will have a look around and let you know how I get on :)

Hey @misc

I have looked into this some more now, and done some testing on a VM as suggested. I have collated my notes and vm configurations etc. into a repo, and saved them here for reference, and hopefully reproduction (if required):

https://pagure.io/10291-testing

In a nutshell, I looked into and tested the default value for smtpd_relay_restrictions on the vm, but it still appeared to generate the logs. For reference, it is:

postconf -d | grep "smtpd_relay_restrictions ="
smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}

So I then tried the configuration that was suggested in some posts I read, and with the main.cf.gateway file and this seemed to fix the issue:

smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

I am not sure how the main ansible repo playbooks are run on the infrastructure, but I think that the file used for the proxy34 postfix config is main.cf.vpn. So I think the fix would be to add that config to this file?

I hope that helps for now :)

Yes, I think the fix would be on one of those files.

You have to kinda try to follow by hand which file is applied on which host (that's part of the fun), and then fix it. However, it should be left working for older versions.

Based on the ansible role here: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/base/tasks/postfix.yml , the file will be deployed on some servers and not others (the logic is a bit specific).

Sorry for the delayed response, life and work got a bit busy, I will take a look and see what I can find / figure out :D

Metadata Update from @aheath1992:
- Issue assigned to aheath1992

7 months ago

Based on https://access.redhat.com/solutions/5420401 it looks like we need both smtpd_recipient_restrictions & smtpd_relay_restrictions, but in https://pagure.io/fedora-infra/ansible/blob/main/f/roles/base/files/postfix/main.cf/main.cf#_717 it only has one. Willing to add the other line and test if it clears up the error.

Sure! Can you send in a PR?

Oh nice, I recall seeing that link when I was looking into the error initially, but I couldn't access the content to read it all 😅 I will see if I can sign up and access somehow to have a read :)

ok. I confirm that the PR from @aheath1992 fixed most of the machines... I just pushed a small followup that added the same fix to the vpn (for proxies) and releng machines and from the logs that should take care of all of it. ;)

Many thanks!

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

7 months ago
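
The per-file survey and the fix discussed in this thread can be combined into one static check. This is an added example, not code from the ticket or the fedora-infra repository. It assumes main.cf syntax as documented by Postfix (comment lines, whitespace-led continuation lines, last setting wins), runs on constructed sample configs, and does not evaluate Postfix defaults or `${...}` conditionals, which it only flags.

```python
import re

# Restrictions named in the smtpd fatal error quoted in the ticket.
REQUIRED = {"reject_unauth_destination", "defer_unauth_destination", "reject",
            "defer", "defer_if_permit", "check_relay_domains"}
PARAMS = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")


def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are skipped
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading whitespace continues
        else:
            logical.append(line.strip())
    params = {}
    for entry in logical:
        name, sep, value = entry.partition("=")
        if sep:
            params[name.strip()] = value.strip()  # last setting wins
    return params


def audit(text):
    """Report explicit settings and whether a required restriction is named."""
    params = parse_main_cf(text)
    explicit = [p for p in PARAMS if p in params]
    found = set()
    for p in explicit:
        found |= REQUIRED & set(re.split(r"[\s,{}]+", params[p]))
    return {
        "explicit": explicit,
        "missing": [p for p in PARAMS if p not in params],
        "required_found": sorted(found),
        # Conditional values depend on compatibility_level; check with postconf.
        "conditional": any("${" in params[p] for p in explicit),
    }


# Constructed samples modelled on the values quoted in the thread.
SAMPLES = {
    "recipient-only": "# constructed\nsmtpd_recipient_restrictions = permit_mynetworks,\n    reject_unauth_destination\n",
    "both": "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination\nsmtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination\n",
    "neither": "myhostname = mail.example.org\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text))
```

A file reported with `smtpd_relay_restrictions` in `missing` falls back to the Postfix default, so the result still has to be confirmed on the target host with postconf.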
