[SOLVED] two small problems with 4 beta

Posted: 01 Feb 2019 08:57
by stefandewal
Hi,

I'm testing EFA 4 and I'm seeing DCC errors. The servers can't be reached. In the EFA shell I can only choose from 1 pool instead of two pools (EFA 3).

I also tried to create a new partition for /var/spool/MailScanner

But I keep getting permission errors and see this error in the logs:


Feb 1 09:56:03 mailscanner MSMilter[22233]: Could not open file >>/temp-43rWD25MzNzWF6V: Permission denied
Feb 1 09:56:03 mailscanner MSMilter[22233]: Unable to to open queue temp file for writing!
Feb 1 09:46:46 mailscanner MailScanner[18875]: Cannot open directory . when finding depth

This is the output of /var/spool/MailScanner

[root@mailscanner.computel.nl MailScanner]# ls -al
total 0
drwxr-xr-x. 9 root root 129 Feb 1 09:44 .
drwxr-xr-x. 11 root root 132 Feb 1 09:14 ..
drwxr-xr-x. 2 root root 6 Feb 1 09:44 archive
drwxrwx---. 27 root mtagroup 580 Feb 1 09:56 incoming
drwxr-xr-x. 2 postfix mtagroup 6 Feb 1 09:44 milterin
drwxr-xr-x. 2 postfix mtagroup 6 Feb 1 09:44 milterout
drwxrwx---. 2 postfix mtagroup 6 Feb 1 09:42 quarantine
drwxrwx---. 4 root mtagroup 73 Feb 1 09:42 ramdisk_store
drwxr-xr-x. 2 postfix mtagroup 6 Feb 1 09:44 spamassassin

Re: two small problems with 4 beta

Posted: 01 Feb 2019 22:29
by shawniverson
On the dcc errors, are you using forwarding DNS or recursive DNS?

It looks like your path is missing for the milter? Any changes made to /etc/MailScanner/MailScanner.conf?

Re: two small problems with 4 beta

Posted: 04 Feb 2019 08:02
by stefandewal
Hi,

I didn't change anything in the configs. I just added a new partition for the mailscanner and via rsync I synced the two directories.

Re: two small problems with 4 beta

Posted: 04 Feb 2019 16:27
by henk
Did you sync with the -a option? https://ss64.com/bash/rsync.html

Re: two small problems with 4 beta

Posted: 05 Feb 2019 07:44
by stefandewal
henk: yes I did. The permissions seem to be correct and I'm stumped.

Re: two small problems with 4 beta

Posted: 05 Feb 2019 11:18
by shawniverson
What about the SELinux labels?

Re: two small problems with 4 beta

Posted: 05 Feb 2019 12:20
by stefandewal
I think that is the problem. I will check it. Normally I don't work with SELinux...

will keep you posted

Re: two small problems with 4 beta

Posted: 05 Feb 2019 14:42
by stefandewal
It was the SELinux permissions. Never thought of that as I don't use SELinux.

thanks for the tip.

I still have this error:

Feb 5 15:41:30 mailscanner dccifd[8256]: no working DCC servers @ dcc.nova53.net dcc1.dcc-servers.net ... at ::1 127.0.0.1 127.0.0.1 ...
Feb 5 15:41:31 mailscanner dccifd[8256]: continue not asking DCC 127 seconds after 3 failures

any ideas on that one?

Re: two small problems with 4 beta

Posted: 05 Feb 2019 18:38
by henk
"On the dcc errors, are you using forwarding DNS or recursive DNS?"
Is DNS working? You didn't answer Shawn's question.

To show dcc servers

Code:

cdcc info

Re: two small problems with 4 beta

Posted: 06 Feb 2019 09:06
by stefandewal
My apologies, I didn't read the comments very well.

Here is the output.

[root@mailscanner.computel.nl log]# cdcc info
# 02/06/19 10:05:07 CET /var/dcc/map
# Re-resolve names after 11:14:49
# 12 total, 0 working servers
# continue not asking DCC server 32 seconds after 1 failures
IPv6 on version=3

@,- RTT-1000 ms 32768
# 127.0.0.1,-
# not answering
# ::1,-
# not answering

dcc.nova53.net,- RTT+0 ms anon
# 2001:470:8cf8:25::1:41,-
# not answering
# 2001:470:8cf8:25::1:42,-
# not answering

dcc1.dcc-servers.net,- RTT+0 ms anon
# 2001:67c:28fc:195:20:8:232:0,-
# not answering
# 2a02:708:0:22::2,-
# not answering

dcc2.dcc-servers.net,- RTT+0 ms anon
# 2001:470:4b:581::3,-
# not answering
# 2604:9100:7:9::1:33,-
# not answering

dcc3.dcc-servers.net,- RTT+0 ms anon
# 2001:470:1f05:10ed::30,-
# not answering

dcc4.dcc-servers.net,- RTT+0 ms anon
# 2001:470:1f05:10ed::26,-
# not answering

dcc5.dcc-servers.net,- RTT+0 ms anon
# 2001:628:404:8::63,-
# not answering
# *2a02:708:0:23::2,-
# not answering

################
# 02/06/19 10:05:07 CET greylist /var/dcc/map
# Re-resolve names after 11:14:53
# 2 total, 0 working servers
# continue not asking greylist server 32 seconds after 1 failures

@,- Greylist 32768
# *127.0.0.1,6276
# not answering
# ::1,6276
# not answering

Re: two small problems with 4 beta

Posted: 06 Feb 2019 09:56
by henk
DNS is having issues resolving the DCC servers, as the error message "no working DCC servers" already reported.
So the question is: Is DNS working?

As we have no clue about your config of efa.

1. Did you solve the SELinux issues, or just disable SELinux?
2. Did you update with yum?
3. Did you enable IPv6?
4. Do you use recursion?
   If so, did you configure unbound?

test ipv6

Code:

ping6 localhost
?

Code:

ping dcc.nova53.net
PING dcc.nova53.net (173.71.176.217) 56(84) bytes of data.
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=1 ttl=51 time=124 ms
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=2 ttl=51 time=124 ms
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=3 ttl=51 time=123 ms

Code:

dig  2.0.0.127.zen.spamhaus.org +short
127.0.0.4
127.0.0.2
127.0.0.10

Code:

ping6  2001:470:8cf8:25::1:41
?

Code:

cat /etc/hosts
?

Code:

cat /etc/resolv.conf
?

P.S.
I can confirm a new working EFA4 server, with SELinux enabled, with recursion, no IPv6, and a successful migration of EFA3.

Re: two small problems with 4 beta

Posted: 06 Feb 2019 10:05
by stefandewal
Henk,

I didn't disable SELinux.
We have IPv4 and IPv6 running.
I updated the machine using the shell.
I just configured a recursive bind.


output of ping6 localhost
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.095 ms
64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.082 ms


output of ping dcc.nova53.net
PING dcc.nova53.net (173.71.176.217) 56(84) bytes of data.
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=1 ttl=51 time=108 ms
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=2 ttl=51 time=108 ms


output of ping6 2001:470:8cf8:25::1:41
PING 2001:470:8cf8:25::1:41(2001:470:8cf8:25::1:41) 56 data bytes
64 bytes from 2001:470:8cf8:25::1:41: icmp_seq=1 ttl=55 time=96.8 ms
64 bytes from 2001:470:8cf8:25::1:41: icmp_seq=2 ttl=55 time=97.1 ms

output of cat
[root@mailscanner.computel.nl ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
83.137.20.52 mailscanner.computel.nl mailscanner
2001:4038:0:20::54 mailscanner.computel.nl mailscanner

[root@mailscanner.computel.nl ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search computel.nl
nameserver 83.137.17.11
nameserver 83.137.20.12
nameserver 2001:4038:0:17::11
nameserver 2001:4038:0:20::12


[root@mailscanner.computel.nl ~]# dig 2.0.0.127.zen.spamhaus.org +short
127.0.0.10
127.0.0.4
127.0.0.2

Re: two small problems with 4 beta

Posted: 06 Feb 2019 10:18
by henk
You are fast :D
As dns seems functional, just one more question.
"I just configured a recursive bind"
cat /etc/resolv.conf
# Generated by NetworkManager
search computel.nl
nameserver 83.137.17.11
nameserver 83.137.20.12
nameserver 2001:4038:0:17::11
nameserver 2001:4038:0:20::12

Recursive bind? You mean unbound?
As unbound should listen only on localhost
my cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search example.lan. example.man.
nameserver 127.0.0.1


Simply test the resolve time and watch the query time.

dig multiple times :!:

Code:

dig dcc.nova53.net
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> dcc.nova53.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55226
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dcc.nova53.net. IN A

;; ANSWER SECTION:
dcc.nova53.net. 3561 IN A 173.71.176.217
dcc.nova53.net. 3561 IN A 173.71.176.214
dcc.nova53.net. 3561 IN A 173.71.176.213
dcc.nova53.net. 3561 IN A 173.71.176.215

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 6 11:23:47 2019
;; MSG SIZE rcvd: 96

Re: two small problems with 4 beta

Posted: 06 Feb 2019 10:27
by stefandewal
[root@mailscanner.computel.nl ~]# netstat -nlp | fgrep 53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 6575/unbound
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 28265/named
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 6575/unbound
tcp 0 0 127.0.0.1:11553 0.0.0.0:* LISTEN 12964/MailWatch SQL
tcp6 0 0 ::1:53 :::* LISTEN 6575/unbound
tcp6 0 0 ::1:953 :::* LISTEN 28265/named
tcp6 0 0 ::1:8953 :::* LISTEN 6575/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 28265/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 6575/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 6575/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 6575/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 6575/unbound
udp6 0 0 ::1:53 :::* 28265/named
udp6 0 0 ::1:53 :::* 6575/unbound
udp6 0 0 ::1:53 :::* 6575/unbound
udp6 0 0 ::1:53 :::* 6575/unbound
udp6 0 0 ::1:53 :::* 6575/unbound

resolv.conf now:

nameserver 127.0.0.1

Re: two small problems with 4 beta

Posted: 06 Feb 2019 10:39
by henk
Can you explain the "I just configured a recursive bind"? (As I try to understand your setup)

Re: two small problems with 4 beta

Posted: 06 Feb 2019 10:45
by stefandewal
i meant a local caching nameserver with recursion on

Re: two small problems with 4 beta

Posted: 06 Feb 2019 10:50
by henk
Why did you install bind :?:

Re: two small problems with 4 beta

Posted: 06 Feb 2019 11:32
by henk
I just remembered the famous pdwalker words: :idea:
We know, you have a problem and you need an answer RIGHT NOW! and either no one answers you, or they ask you a bunch of stupid questions just to piss you off.
When you are describing your problem, you may think you understand your problem correctly and you may think you are giving the right information necessary to solve your problem. If that were true, then you wouldn't be having a problem.
The people who will help you may not have all the necessary information they need as you may not have provided it, or you may think that certain information is not necessary, but you'd be wrong.
After all, they are not familiar with your system, your configuration, your settings. They may not know what changes you've made, or remember what changes they've made to their own systems that makes it behave differently from yours.

The people helping you will ask questions. Some of those questions may not seem relevant.
But here is the thing: if you knew what information was really relevant, then you could probably solve your own problem and you wouldn't be here asking.

Right now, I start getting the Dutch "Gekke Henkie" feeling. If you consider the fact my name is Henk, that's a bad omen.

Re: two small problems with 4 beta

Posted: 06 Feb 2019 12:22
by stefandewal
Henk, I get what you're saying but I don't understand why :P

Is it a joke, a remark about me or yourself?

Re: two small problems with 4 beta

Posted: 06 Feb 2019 12:59
by henk
As we all have the same goal, the eFa4 server, all issues are important. To understand the nature of the issue you need to ask a bunch of questions to get the picture.

As I just want to help, I need to know why you installed bind, as you also enabled recursion, so unbound will take care of DNS.
Having bind and Unbound running at the same time handling dns?
So why install bind? It doesn't make sense for me. So please explain!

About the pdwalker remark I mentioned. Don't take it too seriously, but to understand why, just read back this post (and many others on this forum).

Re: two small problems with 4 beta

Posted: 06 Feb 2019 13:11
by stefandewal
henk, now I understand. Sometimes it's hard to see whether someone is joking, mocking or helping you..

I now discovered the package called unbound. I only knew how to get a local caching nameserver with bind.

i will test unbound

Re: two small problems with 4 beta

Posted: 08 Feb 2019 10:39
by stefandewal
Hi, I have discovered the problem. Recently we discovered that our Juniper Cluster is blocking some legit UDP requests.

It seems we are hitting a rather nasty bug and they have changed some options to work around it.

So, thanks very much for your time !