[PLUG] crazy postfix problem - fixed

Keith Lofstrom keithl at kl-ic.com
Fri Jul 6 20:50:10 UTC 2007


I just spent a miserable 3 hours debugging an incoming mail problem.
If I actually fixed it, you will see this mail and so will I.

I have an offsite server which runs postfix.  It receives all my
incoming mail, and deals with some of it locally (mailing lists and
such) and routes the rest to my inside mail server for further
filtering and processing.

Sometime last night or this morning, mail stopped working, probably
due to rebooting all the machines while fixing an unrelated problem.
Most of the machines had been up for weeks or months.

The mail problem is our old friend, 
  "mail for mailserver.kl-ic.com loops back to myself"

(machine name changed to protect the innocent)

This is postfix's cryptic way of saying "go f**k yourself".  2.5 hours
were spent looking at postfix documents and configuration files (none
of which had changed in months) trying to figure out what went wrong.

Note that my outside DNS service is intentionally set up to route
requests to "mailserver.kl-ic.com" to the server.  That is so that
outbound email headers that leak out as "keithl at mailserver.kl-ic.com"
(instead of the rewritten "keithl at kl-ic.com") will get properly 
replied to.  

It turned out that the problem wasn't a postfix configuration problem
(unless you consider *postfix itself* a configuration problem).  It
turned out to be a DNS configuration problem on my firewall, which
uses named/BIND to do DNS for my inside machines and my outer server.  

My network of inside and outside machines is stitched together with
OpenVPN tunnels, all using 172.XXX.XXX.XXX addresses for the tunnel
segments.  On the outside machines, I could ping the inside network
machines, but "dig" would not provide ANSWER or AUTHORITY sections
for inside machines the way it does between inside machines.  After
checking iptables and firewalling, I eventually realized that the
nameserver on the firewall was not responding to the outside machine
DNS requests.  I fixed this by modifying /etc/named.conf, changing
the lines:

  view "internal" {
        match-clients { 192.168.XXX.0/24; 127.0.0.1; };

to: 
  view "internal" {
        match-clients { 192.168.XXX.0/24; 172.XXX.0.0/16; 127.0.0.1; };

( XXX = obscured in this posting for silly privacy reasons )
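The failure described above is a split-horizon (view) mismatch: BIND tests
views in the order they appear in named.conf, and a client address that
matches no view's match-clients is refused outright, while one that falls
through to a catch-all external view only sees the public zone data, so
dig comes back without the ANSWER/AUTHORITY sections for inside names.
The fragment below is an added illustration of that structure, not the
poster's actual named.conf: it names the client ranges as ACLs so the VPN
tunnel range cannot be forgotten in one view and not another. The
addresses (192.168.1.0/24 for the LAN, 172.16.0.0/16 for the OpenVPN
segments), the zone name example.com and the file paths are placeholders.

```conf
// Added example named.conf fragment (BIND 9).  Not the poster's file;
// all addresses, zone names and paths are placeholders.

// Name the client ranges once so every view refers to the same list.
acl "lan"  { 192.168.1.0/24; };
acl "vpn"  { 172.16.0.0/16; };   // the OpenVPN tunnel range that was missing
acl "self" { 127.0.0.1; ::1; };

// Views are matched in order: inside clients must be listed before "any".
view "internal" {
    match-clients   { lan; vpn; self; };
    recursion       yes;
    allow-recursion { lan; vpn; self; };   // recursive service only for our own hosts

    zone "example.com" {
        type master;
        file "/var/named/internal/example.com.zone";   // inside addresses
    };
};

view "external" {
    match-clients { any; };
    recursion     no;                      // never recurse for the Internet

    zone "example.com" {
        type master;
        file "/var/named/external/example.com.zone";   // public addresses only
    };
};
```

After editing, reload with `rndc reload` (or restart named) and verify
from a VPN-side host with `dig @<firewall> <inside-host>`: the reply
should now carry an ANSWER section and a status of NOERROR rather than
REFUSED or an empty answer.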

I restarted named on the server. Now dig works, and postfix no
longer complains about mail loop backs.

I was a little annoyed to learn that Postfix only uses DNS aka
named-BIND servers;  it ignores entries in /etc/hosts .  If there
is some way to make it pay attention to /etc/hosts, I would love
to hear about it, because frankly I would prefer to only provide
outside machines with IP addresses for the few machines listed in
/etc/hosts .  Tissue paper security, of course, but every little
bit helps.
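On the /etc/hosts question: the Postfix SMTP client's `smtp_host_lookup`
parameter (Postfix 2.1 and later) selects the methods used to turn a host
name into an address, and adding `native` makes it consult the system
resolver (getaddrinfo, which honours /etc/hosts according to
nsswitch.conf) alongside DNS. MX records only exist in DNS, so `dns` is
still what routes mail to arbitrary Internet domains; `native` helps for
explicitly named next hops such as an inside relay. The fragment below is
an added example, not text from the post; example.com, the host name
inside.example.com and the address 172.16.0.2 are placeholders.

```conf
# /etc/postfix/main.cf fragment (added example, not from the post).
# Try DNS first, then the system resolver (/etc/hosts via nsswitch.conf).
smtp_host_lookup = dns, native

# Route the domain to the inside server by an explicit next hop.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (added example).  Brackets suppress the MX lookup,
# so the next hop is resolved as a plain host name, which /etc/hosts can
# satisfy; a literal address removes the dependency on name service entirely.
# example.com   smtp:[inside.example.com]
# example.com   smtp:[172.16.0.2]
```

The transport file must be compiled with `postmap /etc/postfix/transport`
after each change, and Postfix reloaded; the bracketed form is the usual
way to pin a relay to a specific host without involving MX resolution.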

Sigh.  Postfix and Sendmail both suck.  Maybe Exim or Qmail
work better, but I'm afraid to find out.  I suspect Mail
Transport Agent programmers are required to sign pacts with
the devil before they are allowed to work on MTAs.

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs