monitoring program times out

monitoring program times out

Szépe Viktor
Hello!

I am using 0.73.1-1.6

A monitoring program called "Monit" checks port 25 on localhost.  
Courier listens only on localhost on this server.

Monit sends:
EHLO localhost
QUIT

Source code:
https://bitbucket.org/tildeslash/monit/src/8584ce1f0a2af60ca615e126c37284238d611e29/src/notification/SMTP.c?at=master&fileviewer=file-view-default#SMTP.c-193:216

Rarely it times out after 5 seconds. This incident is several months old.

1) Could failed DNS lookups be the reason?

PTR? 1.0.0.127.in-addr.arpa.
A? localhost.
AAAA? localhost.

2) Is it possible for Courier to skip DNS lookups for "localhost"?

I wonder why Courier is not using gethostbyname().
/etc/hosts contains:
127.0.0.1       localhost.localdomain localhost

Thank you!



tcpdump:
17:52:17.510906 IP (tos 0x0, ttl 64, id 50144, offset 0, flags [DF], proto UDP (17), length 68)
    185.33.146.202.44816 > 81.2.192.131.53: 36007+ PTR? 1.0.0.127.in-addr.arpa. (40)
17:52:17.511163 IP (tos 0x0, ttl 63, id 15247, offset 0, flags [none], proto UDP (17), length 91)
    81.2.192.131.53 > 185.33.146.202.44816: 36007* 1/0/0 1.0.0.127.in-addr.arpa. PTR localhost. (63)
17:52:17.511296 IP (tos 0x0, ttl 64, id 50145, offset 0, flags [DF], proto UDP (17), length 55)
    185.33.146.202.57740 > 81.2.192.131.53: 25967+ A? localhost. (27)
17:52:17.511542 IP (tos 0x0, ttl 63, id 15248, offset 0, flags [none], proto UDP (17), length 130)
    81.2.192.131.53 > 185.33.146.202.57740: 25967 NXDomain 0/1/0 (102)
17:52:17.511657 IP (tos 0x0, ttl 64, id 50146, offset 0, flags [DF], proto UDP (17), length 55)
    185.33.146.202.50565 > 81.2.192.131.53: 30003+ AAAA? localhost. (27)
17:52:17.511880 IP (tos 0x0, ttl 63, id 15249, offset 0, flags [none], proto UDP (17), length 130)
    81.2.192.131.53 > 185.33.146.202.50565: 30003 NXDomain 0/1/0 (102)
17:52:17.512032 IP (tos 0x0, ttl 64, id 50147, offset 0, flags [DF], proto UDP (17), length 68)
    185.33.146.202.43555 > 81.2.192.131.53: 59819+ PTR? 1.0.0.127.in-addr.arpa. (40)
17:52:17.512265 IP (tos 0x0, ttl 63, id 15250, offset 0, flags [none], proto UDP (17), length 91)
    81.2.192.131.53 > 185.33.146.202.43555: 59819* 1/0/0 1.0.0.127.in-addr.arpa. PTR localhost. (63)
17:52:17.512372 IP (tos 0x0, ttl 64, id 50148, offset 0, flags [DF], proto UDP (17), length 55)
    185.33.146.202.57447 > 81.2.192.131.53: 64566+ A? localhost. (27)
17:52:17.512590 IP (tos 0x0, ttl 63, id 15251, offset 0, flags [none], proto UDP (17), length 130)
    81.2.192.131.53 > 185.33.146.202.57447: 64566 NXDomain 0/1/0 (102)
17:52:17.512697 IP (tos 0x0, ttl 64, id 50149, offset 0, flags [DF], proto UDP (17), length 55)
    185.33.146.202.36041 > 81.2.192.131.53: 28274+ AAAA? localhost. (27)
17:52:17.512954 IP (tos 0x0, ttl 63, id 15252, offset 0, flags [none], proto UDP (17), length 130)
    81.2.192.131.53 > 185.33.146.202.36041: 28274 NXDomain 0/1/0 (102)



SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  [hidden email]  skype: szepe.viktor
Budapest, III. kerület





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
courier-users mailing list
[hidden email]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
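The check Monit performs in the first message (wait for the 220 greeting, send EHLO localhost, send QUIT) rebuilt as an added example in Python; this is not Monit's or Courier's code. It times the greeting separately, because the PTR/A/AAAA lookups couriertcpd performs on a new connection happen before the 220 line is sent, so a slow upstream resolver shows up as banner latency rather than as a failed EHLO. FakeSmtpServer, its banner_delay parameter and probe_smtp are constructions of this example that stand in for the MTA so the script runs offline.

```python
"""Monit-style SMTP probe with greeting latency, plus an offline stand-in server.

Added example, not Monit's or Courier's code.  FakeSmtpServer models the MTA;
its banner_delay models the time spent on pre-greeting DNS lookups.
"""
import socket
import threading
import time


class FakeSmtpServer:
    """One-shot SMTP responder on 127.0.0.1 that waits before sending its 220."""

    def __init__(self, banner_delay=0.0):
        self.banner_delay = banner_delay
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))          # ephemeral port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        try:
            time.sleep(self.banner_delay)              # the "DNS lookups" happen here
            conn.sendall(b"220 localhost ESMTP fake\r\n")
            conn.settimeout(5.0)
            while True:
                data = conn.recv(1024)
                if not data:
                    break
                if data.upper().startswith(b"EHLO"):
                    conn.sendall(b"250-localhost\r\n250 PIPELINING\r\n")
                elif data.upper().startswith(b"QUIT"):
                    conn.sendall(b"221 Bye\r\n")
                    break
        except OSError:
            pass                                       # client gave up; nothing left to do
        finally:
            conn.close()


def probe_smtp(host, port, timeout=5.0):
    """Run the check; returns {"ok", "banner_seconds", "error"}.

    banner_seconds stays None when the greeting never arrived inside `timeout`,
    which is exactly the symptom a pre-EHLO DNS stall produces.
    """
    result = {"ok": False, "banner_seconds": None, "error": None}
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with sock.makefile("rb") as reader:
                banner = reader.readline()
                result["banner_seconds"] = round(time.monotonic() - start, 3)
                if not banner.startswith(b"220"):
                    result["error"] = "unexpected greeting: %r" % banner
                    return result
                sock.sendall(b"EHLO localhost\r\n")
                while True:                            # "250-" continues, "250 " ends
                    line = reader.readline()
                    if not line.startswith(b"250"):
                        result["error"] = "EHLO rejected: %r" % line
                        return result
                    if line[3:4] == b" ":
                        break
                sock.sendall(b"QUIT\r\n")
                reader.readline()
                result["ok"] = True
    except socket.timeout:
        result["error"] = "timeout after %.1fs" % timeout
    except OSError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for delay in (0.0, 6.0):                           # 6 s exceeds Monit's 5 s window
        server = FakeSmtpServer(banner_delay=delay)
        print("banner delay %.1fs ->" % delay, probe_smtp("127.0.0.1", server.port))
```

Recording banner_seconds on every run is the useful part: a check that fails with banner_seconds still None failed before the MTA said anything, which points at the resolver path rather than at Courier itself, while a greeting that arrives after 3-4 seconds warns that the 5-second window is about to be exceeded.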

Re: monitoring program times out

Sam Varshavchik
SZÉPE Viktor writes:


> 2) Is it possible for Courier to skip DNS lookups for "localhost"?
>
> I wonder why Courier is not using gethostbyname().
> /etc/hosts contains:
> 127.0.0.1       localhost.localdomain localhost

gethostbyname/gethostbyaddr can only look up A addresses. Courier needs MX  
records, and so needs to use its own resolver; and with its own DNS resolver  
code already in place, it makes no sense to use different resolvers.

There are several options in the esmtpd config file that control DNS lookups  
on incoming connections:

BOFHCHECKDNS; and TCPDOPTS passes through the options to couriertcpd, such  
as -nodnslookup.





Re: monitoring program times out

Szépe Viktor
Idézem/Quoting Sam Varshavchik <[hidden email]>:

> SZÉPE Viktor writes:
>
>
>> 2) Is it possible for Courier to skip DNS lookups for "localhost"?
>>
>> I wonder why Courier is not using gethostbyname().
>> /etc/hosts contains:
>> 127.0.0.1       localhost.localdomain localhost
>
> gethostbyname/gethostbyaddr can only look up A addresses. Courier  
> needs MX records, and so needs to use its own resolver; and with its  
> own DNS resolver code already in place, it makes no sense to use  
> different resolvers.
>
> There are several options in the esmtpd config file that control DNS  
> lookups on incoming connections:
>
> BOFHCHECKDNS; and TCPDOPTS passes through the options to  
> couriertcpd, such as -nodnslookup.

Thank you for your support!

-nodnslookup is the solution for a satellite-type server which delivers  
messages through one smarthost.

What should I do on a normal (tcp/25,587,465 are open to the internet)  
mail server where DNS lookup is necessary? Is there a way to exclude  
localhost from DNS lookup on the initial (pre-EHLO) connection?




Re: monitoring program times out

Sam Varshavchik
SZÉPE Viktor writes:

> Thank you for your support!
>
> -nodnslookup is the solution for a satellite-type server which delivers
> messages through one smarthost.
>
> What should I do on a normal (tcp/25,587,465 are open to the internet)
> mail server where DNS lookup is necessary? Is there a way to exclude
> localhost from DNS lookup on the initial (pre-EHLO) connection?

Looking at the code there does not appear to be a way to select -nodnslookup  
based on the connecting IP address.

There is a facility for selectively setting environment variables based on  
the connecting IP address, the smtpaccess list (see makesmtpaccess). But,  
currently nodnslookup just looks only at the parameter.

In tcpd.c, you can try changing

    if (nodnslookup) return;

to something like

    if (nodnslookup || getenv("NODNSLOOKUP")) return;

and then put

127.0.0.1<tab>allow,NODNSLOOKUP=1

into the smtpaccess file.

But why don't you just run bind locally, and have it handle DNS resolution  
for local zones. You can have it listen only on local IP addresses, and  
thusly inaccessible from the Internet, and then get some benefits of a local  
DNS lookup cache.
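The per-client switch sketched above, modelled as an added example in Python; this is not Courier's tcpd.c and Courier's real smtpaccess handling is richer than this. The model parses smtpaccess-style lines (address or dotted prefix, a tab, then allow/deny and optional VAR=value settings), matches the connecting address, and applies the proposed `if (nodnslookup || getenv("NODNSLOOKUP")) return;` condition. The longest-dotted-prefix matching rule, the default of allowing unlisted addresses with normal DNS behaviour, the sample table and the function names parse_smtpaccess, match_client, skip_dns_lookup and decide are all assumptions of this example.

```python
"""Model of the per-client DNS-lookup switch proposed in the thread.

Added example, not Courier's code.  An smtpaccess-style table maps a
connecting address (or a dotted prefix such as "192.168.") to an action plus
environment settings; the reverse lookup is skipped when the global
-nodnslookup flag is set OR the matching entry sets NODNSLOOKUP.
Assumed matching rule: full address first, then shorter dotted prefixes;
an address with no entry is allowed with normal DNS behaviour.
"""

# Constructed sample in the layout of the real file: address<TAB>action[,VAR=value...]
SMTPACCESS_SAMPLE = (
    "# comment lines and blank lines are ignored\n"
    "127.0.0.1\tallow,NODNSLOOKUP=1\n"
    "192.168.\tallow\n"
    "203.0.113.7\tdeny\n"
)


def parse_smtpaccess(text):
    """Return {address_or_prefix: (action, {VAR: value})}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition("\t")
        fields = rest.split(",")
        action, settings = fields[0].strip(), fields[1:]
        env = {}
        for item in settings:
            name, _, value = item.partition("=")
            env[name.strip()] = value.strip()
        table[key.strip()] = (action, env)
    return table


def match_client(table, ip):
    """Longest-prefix match: "127.0.0.1", then "127.0.0.", "127.0.", "127."."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in range(len(octets) - 1, 0, -1)]
    for candidate in candidates:
        if candidate in table:
            return table[candidate]
    return None


def skip_dns_lookup(nodnslookup_flag, env):
    """The proposed tcpd.c condition: global flag OR per-client NODNSLOOKUP set."""
    return bool(nodnslookup_flag) or "NODNSLOOKUP" in env


def decide(table, ip, nodnslookup_flag=False):
    """What the access check would do for this client under the proposal."""
    entry = match_client(table, ip)
    if entry is None:                                  # assumption: unlisted -> allow, normal DNS
        return {"action": "allow", "env": {}, "skip_dns": bool(nodnslookup_flag)}
    action, env = entry
    return {"action": action, "env": env,
            "skip_dns": skip_dns_lookup(nodnslookup_flag, env)}


if __name__ == "__main__":
    table = parse_smtpaccess(SMTPACCESS_SAMPLE)
    for client in ("127.0.0.1", "192.168.5.9", "203.0.113.7", "198.51.100.2"):
        print(client, decide(table, client))
```

The point of keeping the decision in the access table is scope: only the loopback entry carries NODNSLOOKUP=1, so connections from the monitoring host skip the reverse lookup while every internet-facing client still gets the normal PTR check that BOFHCHECKDNS and later anti-spam logic rely on.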



Re: monitoring program times out

Szépe Viktor
Idézem/Quoting Sam Varshavchik <[hidden email]>:

> SZÉPE Viktor writes:
>
>> Thank you for your support!
>>
>> -nodnslookup is the solution for a satellite-type server which delivers
>> messages through one smarthost.
>>
>> What should I do on a normal (tcp/25,587,465 are open to the internet)
>> mail server where DNS lookup is necessary? Is there a way to exclude
>> localhost from DNS lookup on the initial (pre-EHLO) connection?
>
> Looking at the code there does not appear to be a way to select  
> -nodnslookup based on the connecting IP address.
>
> There is a facility for selectively setting environment variables  
> based on the connecting IP address, the smtpaccess list (see  
> makesmtpaccess). But, currently nodnslookup just looks only at the  
> parameter.
>
> In tcpd.c, you can try changing
>
>    if (nodnslookup) return;
>
> to something like
>
>    if (nodnslookup || getenv("NODNSLOOKUP")) return;
>
> and then put
>
> 127.0.0.1<tab>allow,NODNSLOOKUP=1
>
> into the smtpaccess file.
>
> But why don't you just run bind locally, and have it handle DNS  
> resolution for local zones. You can have it listen only on local IP  
> addresses, and thusly inaccessible from the Internet, and then get  
> some benefits of a local DNS lookup cache.


Thank you again!

Running bind is too expensive for me. I usually use the caching DNS  
resolver in the given datacenter plus µnscd  
https://busybox.net/~vda/unscd/ which does local caching for Name  
Service - which Courier apparently is not using.

>    if (nodnslookup || getenv("NODNSLOOKUP")) return;

Is there a non-zero chance to get this into the next release?




Re: monitoring program times out

Sam Varshavchik
SZÉPE Viktor writes:

> Thank you again!
>
> Running bind is too expensive for me. I usually use the caching DNS
> resolver in the given datacenter plus µnscd
> https://busybox.net/~vda/unscd/ which does local caching for Name
> Service - which Courier apparently is not using.
>
> >    if (nodnslookup || getenv("NODNSLOOKUP")) return;
>
> Is there a non-zero chance to get this into the next release?

Yes; I just have to test this myself.



Re: monitoring program times out

Matus UHLAR - fantomas
In reply to this post by Sam Varshavchik
>SZÉPE Viktor writes:
>>2) Is it possible for Courier to skip DNS lookups for "localhost"?
>>
>>I wonder why Courier is not using gethostbyname().
>>/etc/hosts contains:
>>127.0.0.1       localhost.localdomain localhost

all recursive DNS servers should have localhost defined.
Also, mailservers should use own recursive DNS servers, topologically close,
so resolving localhost should not be a problem.

On 26.03.17 10:32, Sam Varshavchik wrote:
>gethostbyname/gethostbyaddr can only look up A addresses. Courier
>needs MX records, and so needs to use its own resolver; and with its
>own DNS resolver code already in place, it makes no sense to use
>different resolvers.

Note that different MTAs do the same. AFAIK neither sendmail nor postfix
support gethostbyname() or anything else to look up /etc/hosts.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: monitoring program times out

Matus UHLAR - fantomas
In reply to this post by Szépe Viktor
On 26.03.17 18:44, SZÉPE Viktor wrote:
>Running bind is too expensive for me.

are you trying to say that it's more expensive than running courier mail
server?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
How does cat play with mouse? cat /dev/mouse


Re: monitoring program times out

Szépe Viktor

Idézem/Quoting Matus UHLAR - fantomas <[hidden email]>:

> On 26.03.17 18:44, SZÉPE Viktor wrote:
>> Running bind is too expensive for me.
>
> are you trying to say that it's more expensive than running courier mail
> server?

Hello Matus!

I'd like to use the DNS resolver from the given datacenter.
Optimizing and maintaining (thus learning) another Linux daemon is  
what really is expensive.



Re: monitoring program times out

Matus UHLAR - fantomas
>> On 26.03.17 18:44, SZÉPE Viktor wrote:
>>> Running bind is too expensive for me.

>Idézem/Quoting Matus UHLAR - fantomas <[hidden email]>:
>> are you trying to say that it's more expensive than running courier mail
>> server?

On 29.03.17 13:30, SZÉPE Viktor wrote:
>I'd like to use the DNS resolver from the given datacenter.
>Optimizing and maintaining (thus learning) another linux daemon is
>what really is expensive.

1. as I stated, the server should be able to resolve localhost

2. if you do any kind of spam detection (blacklist), using others' name
server could result in worse spam detection.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


Re: monitoring program times out

Szépe Viktor

Idézem/Quoting Matus UHLAR - fantomas <[hidden email]>:

>>> On 26.03.17 18:44, SZÉPE Viktor wrote:
>>>> Running bind is too expensive for me.
>
>> Idézem/Quoting Matus UHLAR - fantomas <[hidden email]>:
>>> are you trying to say that it's more expensive than running courier mail
>>> server?
>
> On 29.03.17 13:30, SZÉPE Viktor wrote:
>> I'd like to use the DNS resolver from the given datacenter.
>> Optimizing and maintaining (thus learning) another linux daemon is
>> what really is expensive.
>
> 1. as I stated, the server should be able to resolve localhost
>
> 2. if you do any kind of spam detection (blacklist), using others' name
> server could result in worse spam detection.

Thank you.
Most of my Courier installs are satellite servers sending messages  
through one transactional provider like Amazon SES, Mailjet, Mandrill  
or Sendgrid, as I am not able to maintain more than one full-featured  
mail server.

My mail server with mailboxes has a dedicated resolver server with "unbound".



Re: monitoring program times out

Gordon Messmer-2
In reply to this post by Szépe Viktor
On 03/26/2017 09:44 AM, SZÉPE Viktor wrote:
> Running bind is too expensive for me.

I'll note that Red Hat's bind package installs with an ideal configuration for a localhost-only caching DNS server.  There's virtually no administrative cost, there.

> I usually use the caching DNS  
> resolver in the given datacenter plus µnscd  
> https://busybox.net/~vda/unscd/ which does local caching for Name  
> Service - which Courier apparently is not using.


Nope.  nscd (and unscd) are not DNS servers, they're caches for the libc nss functions (gethostbyaddr, etc) that aren't used in Courier.

