[courier-users] monitoring program times out
SZÉPE Viktor
2017-03-25 18:24:44 UTC
Hello!

I am using 0.73.1-1.6

A monitoring program called "Monit" checks port 25 on localhost.
Courier listens only on localhost on this server.

Monit sends:
EHLO localhost
QUIT

Source code:
https://bitbucket.org/tildeslash/monit/src/8584ce1f0a2af60ca615e126c37284238d611e29/src/notification/SMTP.c?at=master&fileviewer=file-view-default#SMTP.c-193:216

Rarely it times out after 5 seconds. This incident is several months old.

1) Could failed DNS lookups be the reason?

PTR? 1.0.0.127.in-addr.arpa.
A? localhost.
AAAA? localhost.

2) Is it possible for Courier to skip DNS lookups for "localhost"?

I wonder why Courier is not using gethostbyname().
/etc/hosts contains:
127.0.0.1 localhost.localdomain localhost

Thank you!



tcpdump:
17:52:17.510906 IP (tos 0x0, ttl 64, id 50144, offset 0, flags [DF],
proto UDP (17), length 68)
185.33.146.202.44816 > 81.2.192.131.53: 36007+ PTR?
1.0.0.127.in-addr.arpa. (40)
17:52:17.511163 IP (tos 0x0, ttl 63, id 15247, offset 0, flags [none],
proto UDP (17), length 91)
81.2.192.131.53 > 185.33.146.202.44816: 36007* 1/0/0
1.0.0.127.in-addr.arpa. PTR localhost. (63)
17:52:17.511296 IP (tos 0x0, ttl 64, id 50145, offset 0, flags [DF],
proto UDP (17), length 55)
185.33.146.202.57740 > 81.2.192.131.53: 25967+ A? localhost. (27)
17:52:17.511542 IP (tos 0x0, ttl 63, id 15248, offset 0, flags [none],
proto UDP (17), length 130)
81.2.192.131.53 > 185.33.146.202.57740: 25967 NXDomain 0/1/0 (102)
17:52:17.511657 IP (tos 0x0, ttl 64, id 50146, offset 0, flags [DF],
proto UDP (17), length 55)
185.33.146.202.50565 > 81.2.192.131.53: 30003+ AAAA? localhost. (27)
17:52:17.511880 IP (tos 0x0, ttl 63, id 15249, offset 0, flags [none],
proto UDP (17), length 130)
81.2.192.131.53 > 185.33.146.202.50565: 30003 NXDomain 0/1/0 (102)
17:52:17.512032 IP (tos 0x0, ttl 64, id 50147, offset 0, flags [DF],
proto UDP (17), length 68)
185.33.146.202.43555 > 81.2.192.131.53: 59819+ PTR?
1.0.0.127.in-addr.arpa. (40)
17:52:17.512265 IP (tos 0x0, ttl 63, id 15250, offset 0, flags [none],
proto UDP (17), length 91)
81.2.192.131.53 > 185.33.146.202.43555: 59819* 1/0/0
1.0.0.127.in-addr.arpa. PTR localhost. (63)
17:52:17.512372 IP (tos 0x0, ttl 64, id 50148, offset 0, flags [DF],
proto UDP (17), length 55)
185.33.146.202.57447 > 81.2.192.131.53: 64566+ A? localhost. (27)
17:52:17.512590 IP (tos 0x0, ttl 63, id 15251, offset 0, flags [none],
proto UDP (17), length 130)
81.2.192.131.53 > 185.33.146.202.57447: 64566 NXDomain 0/1/0 (102)
17:52:17.512697 IP (tos 0x0, ttl 64, id 50149, offset 0, flags [DF],
proto UDP (17), length 55)
185.33.146.202.36041 > 81.2.192.131.53: 28274+ AAAA? localhost. (27)
17:52:17.512954 IP (tos 0x0, ttl 63, id 15252, offset 0, flags [none],
proto UDP (17), length 130)
81.2.192.131.53 > 185.33.146.202.36041: 28274 NXDomain 0/1/0 (102)



SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498 ***@szepe.net skype: szepe.viktor
Budapest, III. kerület
Sam Varshavchik
2017-03-26 14:32:49 UTC
Post by SZÉPE Viktor
2) Is it possible for Courier to skip DNS lookups for "localhost"?
I wonder why Courier is not using gethostbyname().
127.0.0.1 localhost.localdomain localhost
gethostbyname/gethostbyaddr can only look up A addresses. Courier needs MX
records, and so needs to use its own resolver; and with its own DNS resolver
code already in place, it makes no sense to use different resolvers.

There are several options in the esmtpd config file that control DNS lookups
on incoming connections:

BOFHCHECKDNS; and TCPDOPTS passes through the options to couriertcpd, such
as -nodnslookup.
SZÉPE Viktor
2017-03-26 15:19:19 UTC
Post by Sam Varshavchik
Post by SZÉPE Viktor
2) Is it possible for Courier to skip DNS lookups for "localhost"?
I wonder why Courier is not using gethostbyname().
127.0.0.1 localhost.localdomain localhost
gethostbyname/gethostbyaddr can only look up A addresses. Courier
needs MX records, and so needs to use its own resolver; and with its
own DNS resolver code already in place, it makes no sense to use
different resolvers.
There are several options in the esmtpd config file that control DNS
BOFHCHECKDNS; and TCPDOPTS passes through the options to
couriertcpd, such as -nodnslookup.
Thank you for your support!

-nodnslookup is the solution for a satellite-type server which delivers
messages through one smarthost.

What should I do on normal (tcp/25,587,465 are open to the internet)
mail server where DNS lookup is necessary? Is there a way to exclude
localhost from DNS lookup on the initial (pre-EHLO) connection?



Sam Varshavchik
2017-03-26 15:42:16 UTC
Post by SZÉPE Viktor
Thank you for your support!
-nodnslookup is the solution for a satellite-type server which delivers
messages through one smarthost.
What should I do on normal (tcp/25,587,465 are open to the internet)
mail server where DNS lookup is necessary? Is there a way to exclude
localhost from DNS lookup on the initial (pre-EHLO) connection?
Looking at the code there does not appear to be a way to select -nodnslookup
based on the connecting IP address.

There is a facility for selectively setting environment variables based on
the connecting IP address, the smtpaccess list (see makesmtpaccess). But,
currently nodnslookup looks only at the parameter.

In tcpd.c, you can try changing

if (nodnslookup) return;

to something like

if (nodnslookup || getenv("NODNSLOOKUP")) return;

and then put

127.0.0.1<tab>allow,NODNSLOOKUP=1

into the smtpaccess file.

But why don't you just run bind locally, and have it handle DNS resolution
for local zones. You can have it listen only on local IP addresses, and
thusly inaccessible from the Internet, and then get some benefits of a local
DNS lookup cache.
SZÉPE Viktor
2017-03-26 16:44:09 UTC
Post by Sam Varshavchik
Post by SZÉPE Viktor
Thank you for your support!
-nodnslookup is the solution for a satellite-type server which delivers
messages through one smarthost.
What should I do on normal (tcp/25,587,465 are open to the internet)
mail server where DNS lookup is necessary? Is there a way to exclude
localhost from DNS lookup on the initial (pre-EHLO) connection?
Looking at the code there does not appear to be a way to select
-nodnslookup based on the connecting IP address.
There is a facility for selectively setting environment variables
based on the connecting IP address, the smtpaccess list (see
makesmtpaccess). But, currently nodnslookup looks only at the
parameter.
In tcpd.c, you can try changing
if (nodnslookup) return;
to something like
if (nodnslookup || getenv("NODNSLOOKUP")) return;
and then put
127.0.0.1<tab>allow,NODNSLOOKUP=1
into the smtpaccess file.
But why don't you just run bind locally, and have it handle DNS
resolution for local zones. You can have it listen only on local IP
addresses, and thusly inaccessible from the Internet, and then get
some benefits of a local DNS lookup cache.
Thank you again!

Running bind is too expensive for me. I usually use the caching DNS
resolver in the given datacenter plus µnscd
https://busybox.net/~vda/unscd/ which does local caching for Name
Service - which Courier apparently is not using.
Post by Sam Varshavchik
if (nodnslookup || getenv("NODNSLOOKUP")) return;
Is there a non-zero chance to get this into the next release?



Sam Varshavchik
2017-03-26 17:09:12 UTC
Post by SZÉPE Viktor
Thank you again!
Running bind is too expensive for me. I usually use the caching DNS
resolver in the given datacenter plus µnscd
https://busybox.net/~vda/unscd/ which does local caching for Name
Service - which Courier apparently is not using.
Post by Sam Varshavchik
if (nodnslookup || getenv("NODNSLOOKUP")) return;
Is there a non-zero chance to get this into the next release?
Yes; I just have to test this myself.
Matus UHLAR - fantomas
2017-03-29 07:01:55 UTC
Post by SZÉPE Viktor
Running bind is too expensive for me.
are you trying to say that it's more expensive than running courier mail
server?
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse
SZÉPE Viktor
2017-03-29 11:30:39 UTC
Post by Matus UHLAR - fantomas
Post by SZÉPE Viktor
Running bind is too expensive for me.
are you trying to say that it's more expensive than running courier mail
server?
Hello Matus!

I'd like to use the DNS resolver from the given datacenter.
Optimizing and maintaining (thus learning) another linux daemon is
what really is expensive.


Matus UHLAR - fantomas
2017-03-29 12:06:49 UTC
Post by SZÉPE Viktor
Post by Matus UHLAR - fantomas
Post by SZÉPE Viktor
Running bind is too expensive for me.
are you trying to say that it's more expensive than running courier mail
server?
I'd like to use the DNS resolver from the given datacenter.
Optimizing and maintaining (thus learning) another linux daemon is
what really is expensive.
1. as I stated, the server should be able to resolve localhost

2. if you do any kind of spam detection (blacklist), using others' name
server could result in worse spam detection.
SZÉPE Viktor
2017-03-29 13:24:35 UTC
Post by Matus UHLAR - fantomas
Post by SZÉPE Viktor
Post by Matus UHLAR - fantomas
Post by SZÉPE Viktor
Running bind is too expensive for me.
are you trying to say that it's more expensive than running courier mail
server?
I'd like to use the DNS resolver from the given datacenter.
Optimizing and maintaining (thus learning) another linux daemon is
what really is expensive.
1. as I stated, the server should be able to resolve localhost
2. if you do any kind of spam detection (blacklist), using others' name
server could result in worse spam detection.
Thank you.
Most of my Courier installs are satellite servers sending message
through one transactional provider like Amazon SES, Mailjet, Mandrill
or Sendgrid as I am not able to maintain more than 1 full featured
mail server.

My mail server with mailboxes has a dedicated resolver server with "unbound".


Gordon Messmer
2017-03-30 03:39:04 UTC
Post by SZÉPE Viktor
Running bind is too expensive for me.
I'll note that Red Hat's bind package installs with an ideal
configuration for a localhost-only caching DNS server. There's
virtually no administrative cost, there.
Post by SZÉPE Viktor
I usually use the caching DNS
resolver in the given datacenter plus µnscd
https://busybox.net/~vda/unscd/ which does local caching for Name
Service - which Courier apparently is not using.
Nope. nscd (and unscd) are not DNS servers, they're caches for the libc
nss functions (gethostbyaddr, etc) that aren't used in Courier.

Matus UHLAR - fantomas
2017-03-29 06:59:27 UTC
Post by Sam Varshavchik
Post by SZÉPE Viktor
2) Is it possible for Courier to skip DNS lookups for "localhost"?
I wonder why Courier is not using gethostbyname().
127.0.0.1 localhost.localdomain localhost
all recursive DNS servers should have localhost defined.
Also, mailservers should use own recursive DNS servers, topologically close,
so resolving localhost should not be a problem.
Post by Sam Varshavchik
gethostbyname/gethostbyaddr can only look up A addresses. Courier
needs MX records, and so needs to use its own resolver; and with its
own DNS resolver code already in place, it makes no sense to use
different resolvers.
Note that different MTAs do the same. AFAIK neither sendmail nor postfix
support gethostbyname() or anything other to look up /etc/hosts.
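The tcpdump at the top of the thread shows the concrete failure Matus is pointing at: the datacenter resolver answers the PTR for 1.0.0.127.in-addr.arpa but returns NXDomain for A and AAAA localhost. The following added example (not code from the thread or from Courier) builds raw DNS queries for exactly those lookups, reports the response code a resolver gives back, and derives a yes/no verdict on whether the resolver can serve a loopback peer. A loopback stub resolver reproducing the tcpdump's answers is included so it runs offline; the server address, stub answers and TTL are assumptions.

```python
"""Added example, not code from the thread or Courier: a raw DNS query helper
that reports the response code a resolver returns for the lookups seen in
the tcpdump (PTR 1.0.0.127.in-addr.arpa, A/AAAA localhost), plus a stub
resolver reproducing that datacenter resolver's behaviour so the check runs
offline.  Server address, stub answers and TTL are assumptions."""
import random
import socket
import struct
import threading

QTYPE = {"A": 1, "PTR": 12, "AAAA": 28}
RCODE_NAME = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (RFC 1035 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Inverse of encode_name for uncompressed names (enough for questions)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(txid, name, qtype):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def dns_check(server, port, name, qtype, timeout=2.0):
    """Send one UDP query; return (rcode_name, answer_count), or ('TIMEOUT', 0)."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid, name, qtype), (server, port))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", 0
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return "ID-MISMATCH", 0  # not our answer; treat as unusable
    rcode = flags & 0xF
    return RCODE_NAME.get(rcode, str(rcode)), ancount


def resolver_handles_localhost(server, port=53):
    """True only if the resolver answers both lookups an MTA does for a loopback peer."""
    ptr = dns_check(server, port, "1.0.0.127.in-addr.arpa", "PTR")
    a = dns_check(server, port, "localhost", "A")
    return ptr[0] == "NOERROR" and ptr[1] > 0 and a[0] == "NOERROR" and a[1] > 0


def start_stub_resolver():
    """Loopback UDP stub mimicking the tcpdump: PTR answered, localhost NXDOMAIN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = s.recvfrom(512)
            except OSError:
                return  # socket closed
            txid = struct.unpack("!H", data[:2])[0]
            name, off = decode_name(data, 12)
            qtype = struct.unpack("!H", data[off:off + 2])[0]
            question = data[12:off + 4]  # name + qtype + qclass, echoed back
            if name.lower() == "1.0.0.127.in-addr.arpa" and qtype == QTYPE["PTR"]:
                rdata = encode_name("localhost")
                # 0xc00c = pointer to the question name; PTR, IN, TTL 60 (assumed)
                answer = b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 60, len(rdata)) + rdata
                hdr = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)  # QR AA RD RA, NOERROR
                s.sendto(hdr + question + answer, peer)
            else:
                hdr = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)  # QR RD RA, NXDOMAIN
                s.sendto(hdr + question, peer)

    threading.Thread(target=serve, daemon=True).start()
    return s, s.getsockname()[1]


if __name__ == "__main__":
    stub, port = start_stub_resolver()  # replace with a real resolver to test it
    for name, qtype in (("1.0.0.127.in-addr.arpa", "PTR"), ("localhost", "A"), ("localhost", "AAAA")):
        print(qtype, name, dns_check("127.0.0.1", port, name, qtype))
    print("handles localhost:", resolver_handles_localhost("127.0.0.1", port))
    stub.close()
```

Pointing dns_check at the resolver from /etc/resolv.conf (port 53) instead of the stub gives the same verdict for a real server; an MTA with its own resolver, as Courier has, will see precisely these answers and nothing from /etc/hosts.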