[SOLVED] two small problems with 4 beta

stefandewal
Posts: 33
Joined: 16 Jan 2019 09:34

Post by stefandewal »

Hi,

I'm testing eFa 4 and I'm seeing DCC errors. The servers can't be reached. In the eFa shell I can only choose from 1 pool instead of two pools (eFa 3).

I also tried to create a new partition for /var/spool/MailScanner.

But I keep getting permission errors and see this error in the logs:


Feb 1 09:56:03 mailscanner MSMilter[22233]: Could not open file >>/temp-43rWD25MzNzWF6V: Permission denied
Feb 1 09:56:03 mailscanner MSMilter[22233]: Unable to to open queue temp file for writing!
Feb 1 09:46:46 mailscanner MailScanner[18875]: Cannot open directory . when finding depth

This is the output of /var/spool/MailScanner

[root@mailscanner.computel.nl MailScanner]# ls -al
total 0
drwxr-xr-x. 9 root root 129 Feb 1 09:44 .
drwxr-xr-x. 11 root root 132 Feb 1 09:14 ..
drwxr-xr-x. 2 root root 6 Feb 1 09:44 archive
drwxrwx---. 27 root mtagroup 580 Feb 1 09:56 incoming
drwxr-xr-x. 2 postfix mtagroup 6 Feb 1 09:44 milterin
drwxr-xr-x. 2 postfix mtagroup 6 Feb 1 09:44 milterout
drwxrwx---. 2 postfix mtagroup 6 Feb 1 09:42 quarantine
drwxrwx---. 4 root mtagroup 73 Feb 1 09:42 ramdisk_store
drwxr-xr-x. 2 postfix mtagroup 6 Feb 1 09:44 spamassassin
Last edited by stefandewal on 08 Feb 2019 12:01, edited 1 time in total.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: two small problems with 4 beta

Post by shawniverson »

On the dcc errors, are you using forwarding DNS or recursive DNS?

It looks like your path is missing for the milter? Any changes made to /etc/MailScanner/MailScanner.conf?

Post by stefandewal »

Hi,

I didn't change anything in the configs. I just added a new partition for the mailscanner and via rsync I synced the two directories.
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Post by henk »

Did you sync with the -a option? https://ss64.com/bash/rsync.html
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams

Post by stefandewal »

henk: yes I did. The permissions seem to be correct and I'm stumped.

Post by shawniverson »

What about the SELinux labels?

Post by stefandewal »

I think that is the problem. I will check it. Normally I don't work with SELinux...

Will keep you posted.

Post by stefandewal »

It was the SELinux permissions. Never thought of that as I don't use SELinux.

Thanks for the tip.

I still have this error:

Feb 5 15:41:30 mailscanner dccifd[8256]: no working DCC servers @ dcc.nova53.net dcc1.dcc-servers.net ... at ::1 127.0.0.1 127.0.0.1 ...
Feb 5 15:41:31 mailscanner dccifd[8256]: continue not asking DCC 127 seconds after 3 failures

Any ideas on that one?

Post by henk »

"On the dcc errors, are you using forwarding DNS or recursive DNS?"
Is DNS working? You didn't answer Shawn's question.

To show DCC servers:

cdcc info

Post by stefandewal »

My apologies, I didn't read the comments very well.

Here is the output.

[root@mailscanner.computel.nl log]# cdcc info
# 02/06/19 10:05:07 CET /var/dcc/map
# Re-resolve names after 11:14:49
# 12 total, 0 working servers
# continue not asking DCC server 32 seconds after 1 failures
IPv6 on version=3

@,- RTT-1000 ms 32768
# 127.0.0.1,-
# not answering
# ::1,-
# not answering

dcc.nova53.net,- RTT+0 ms anon
# 2001:470:8cf8:25::1:41,-
# not answering
# 2001:470:8cf8:25::1:42,-
# not answering

dcc1.dcc-servers.net,- RTT+0 ms anon
# 2001:67c:28fc:195:20:8:232:0,-
# not answering
# 2a02:708:0:22::2,-
# not answering

dcc2.dcc-servers.net,- RTT+0 ms anon
# 2001:470:4b:581::3,-
# not answering
# 2604:9100:7:9::1:33,-
# not answering

dcc3.dcc-servers.net,- RTT+0 ms anon
# 2001:470:1f05:10ed::30,-
# not answering

dcc4.dcc-servers.net,- RTT+0 ms anon
# 2001:470:1f05:10ed::26,-
# not answering

dcc5.dcc-servers.net,- RTT+0 ms anon
# 2001:628:404:8::63,-
# not answering
# *2a02:708:0:23::2,-
# not answering

################
# 02/06/19 10:05:07 CET greylist /var/dcc/map
# Re-resolve names after 11:14:53
# 2 total, 0 working servers
# continue not asking greylist server 32 seconds after 1 failures

@,- Greylist 32768
# *127.0.0.1,6276
# not answering
# ::1,6276
# not answering

Post by henk »

DNS is having issues resolving the DCC servers, as the error message "no working DCC servers" already reported.
So the question is: Is DNS working?

As we have no clue about your config of eFa.

1. Did you solve the SELinux issues, or just disable SELinux?
2. Did you update with yum?
3. You did enable IPv6?
4. Do you use recursion?
If so, did you configure unbound?

Test IPv6:

ping6 localhost
?

ping dcc.nova53.net
PING dcc.nova53.net (173.71.176.217) 56(84) bytes of data.
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=1 ttl=51 time=124 ms
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=2 ttl=51 time=124 ms
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=3 ttl=51 time=123 ms

dig  2.0.0.127.zen.spamhaus.org +short
127.0.0.4
127.0.0.2
127.0.0.10

ping6  2001:470:8cf8:25::1:41
?

cat /etc/hosts
?

cat /etc/resolv.conf
?

P.S.
I can confirm a new working eFa4 server, with SELinux enabled, with recursion, no IPv6, and a successful migration of eFa3.
Last edited by henk on 06 Feb 2019 10:08, edited 1 time in total.

Post by stefandewal »

Henk,

I didn't disable SELinux.
We have IPv4 and IPv6 running.
I updated the machine using the shell.
I just configured a recursive bind.


output of ping6 localhost
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.095 ms
64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.082 ms


output of ping dcc.nova53.net
PING dcc.nova53.net (173.71.176.217) 56(84) bytes of data.
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=1 ttl=51 time=108 ms
64 bytes from static-173-71-176-217.pitbpa.fios.verizon.net (173.71.176.217): icmp_seq=2 ttl=51 time=108 ms


output of ping6 2001:470:8cf8:25::1:41
PING 2001:470:8cf8:25::1:41(2001:470:8cf8:25::1:41) 56 data bytes
64 bytes from 2001:470:8cf8:25::1:41: icmp_seq=1 ttl=55 time=96.8 ms
64 bytes from 2001:470:8cf8:25::1:41: icmp_seq=2 ttl=55 time=97.1 ms

output of cat
[root@mailscanner.computel.nl ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
83.137.20.52 mailscanner.computel.nl mailscanner
2001:4038:0:20::54 mailscanner.computel.nl mailscanner

[root@mailscanner.computel.nl ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search computel.nl
nameserver 83.137.17.11
nameserver 83.137.20.12
nameserver 2001:4038:0:17::11
nameserver 2001:4038:0:20::12


[root@mailscanner.computel.nl ~]# dig 2.0.0.127.zen.spamhaus.org +short
127.0.0.10
127.0.0.4
127.0.0.2

Post by henk »

You are fast :D
As DNS seems functional, just one more question.
"i just configured a recursive bind"
cat /etc/resolv.conf
# Generated by NetworkManager
search computel.nl
nameserver 83.137.17.11
nameserver 83.137.20.12
nameserver 2001:4038:0:17::11
nameserver 2001:4038:0:20::12

Recursive bind? You mean unbound?
As unbound should listen only on localhost
my cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search example.lan. example.man.
nameserver 127.0.0.1


Simply test the resolve time and watch the query time.

dig multiple times :!:

dig dcc.nova53.net
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> dcc.nova53.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55226
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dcc.nova53.net. IN A

;; ANSWER SECTION:
dcc.nova53.net. 3561 IN A 173.71.176.217
dcc.nova53.net. 3561 IN A 173.71.176.214
dcc.nova53.net. 3561 IN A 173.71.176.213
dcc.nova53.net. 3561 IN A 173.71.176.215

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 6 11:23:47 2019
;; MSG SIZE rcvd: 96
Last edited by henk on 06 Feb 2019 10:27, edited 1 time in total.

Post by stefandewal »

[root@mailscanner.computel.nl ~]# netstat -nlp | fgrep 53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 6575/unbound
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 28265/named
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 6575/unbound
tcp 0 0 127.0.0.1:11553 0.0.0.0:* LISTEN 12964/MailWatch SQL
tcp6 0 0 ::1:53 :::* LISTEN 6575/unbound
tcp6 0 0 ::1:953 :::* LISTEN 28265/named
tcp6 0 0 ::1:8953 :::* LISTEN 6575/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 28265/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 6575/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 6575/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 6575/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 6575/unbound
udp6 0 0 ::1:53 :::* 28265/named
udp6 0 0 ::1:53 :::* 6575/unbound
udp6 0 0 ::1:53 :::* 6575/unbound
udp6 0 0 ::1:53 :::* 6575/unbound
udp6 0 0 ::1:53 :::* 6575/unbound

resolv.conf now:

nameserver 127.0.0.1

Post by henk »

Can you explain the "i just configured a recursive bind"? (As I try to understand your setup.)

Post by stefandewal »

I meant a local caching nameserver with recursion on.

Post by henk »

Why did you install bind :?:

Post by henk »

I just remembered the famous pdwalker words: :idea:
We know, you have a problem and you need an answer RIGHT NOW! and either no one answers you, or they ask you a bunch of stupid questions just to piss you off.
When you are describing your problem, you may think you understand your problem correctly and you may think you are giving the right information necessary to solve your problem. If that were true, then you wouldn't be having a problem.
The people who will help you may not have all the necessary information they need as you may not have provided it, or you may think that certain information is not necessary, but you'd be wrong.
After all, they are not familiar with your system, your configuration, your settings. They may not know what changes you've made, or remember what changes they've made to their own systems that makes it behave differently from yours.

The people helping you will ask questions. Some of those questions may not seem relevant.
But here is the thing: if you knew what information was really relevant, then you could probably solve your own problem and you wouldn't be here asking.

Right now, I start getting the Dutch "Gekke Henkie" feeling. If you consider the fact my name is Henk, that's a bad omen.

Post by stefandewal »

Henk, I get what you're saying but I don't understand why :P

Is it a joke, a remark about me or yourself?

Post by henk »

As we all have the same goal, the eFa4 server, all issues are important. To understand the nature of the issue you need to ask a bunch of questions to get the picture.

As I just want to help, I need to know why you installed bind, as you also enabled recursion, so unbound will take care of DNS.
Having bind and Unbound running at the same time handling DNS?
So why install bind? It doesn't make sense to me. So please explain!

About the pdwalker remark I mentioned. Don't take it too seriously, but to understand why, just read back this post (and many others on this forum).

Post by stefandewal »

henk, now I understand. Sometimes it's hard to see whether someone is joking, mocking or helping you..

I now discovered the package called unbound. I only knew how to get a local caching nameserver with bind.

I will test unbound.

Post by stefandewal »

Hi, I have discovered the problem. Recently we discovered that our Juniper Cluster is blocking some legit UDP requests.

It seems we are hitting a rather nasty bug and they have changed some options to work around it.

So, thanks very much for your time!
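
Added example, not part of the thread and not code from the eFa or DCC projects: the `cdcc info` report posted earlier lists resolved addresses for every DCC server name with none answering, while `dig` and `ping` succeed, which points at the DCC traffic itself rather than name resolution and matches the blocked-UDP finding in the last post. The sketch below classifies such a report; the sample is constructed with documentation addresses, and it assumes that an address line not followed by "not answering" is a working server.

```sh
# Added example: triage `cdcc info` output read on stdin (first section only).
# Assumption: an address line not followed by "not answering" is answering.
dcc_triage() {
  awk '
    /^#####+$/ { exit }                        # greylist section follows; stop
    $1 !~ /^#/ && $1 ~ /,/ {                   # entry line, e.g. "name,- RTT+0 ms anon"
      host = $1; sub(/,.*/, "", host)
      remote = (host != "@")                   # "@" is the local server entry
      if (remote) names++
      pending = 0; next
    }
    $1 == "#" && $2 ~ /^\*?[0-9A-Fa-f:.]+,/ {  # resolved address under an entry
      if (remote) { addrs++; up++; pending = 1 }
      next
    }
    /not answering/ {
      if (remote && pending) { up--; pending = 0 }
      next
    }
    END {
      if (names == 0)      v = "no-remote-servers"
      else if (addrs == 0) v = "dns"           # names listed, nothing resolved
      else if (up == 0)    v = "transport"     # resolved, but no DCC replies
      else                 v = "ok"
      printf "names=%d addrs=%d answering=%d verdict=%s\n", names, addrs, up, v
    }'
}
# Constructed sample in the format posted above (documentation addresses).
SAMPLE='IPv6 on version=3

@,- RTT-1000 ms 32768
# 127.0.0.1,-
# not answering

dcc-a.example.net,- RTT+0 ms anon
# 2001:db8::41,-
# not answering
# 2001:db8::42,-
# not answering

dcc-b.example.net,- RTT+0 ms anon
# *2001:db8:1::30,-
# not answering
################
@,- Greylist 32768
# *127.0.0.1,6276
# not answering'
printf '%s\n' "$SAMPLE" | dcc_triage
```

On a live host the input would come from `cdcc info | dcc_triage`; a `transport` verdict means the next place to look is packet filtering between the host and the DCC servers, not the resolver.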