Discussion:
[gentoo-user] amavis/postfix and port 10025
J. Roeleveld
2023-07-03 05:00:01 UTC
Hi all,
I have been using a gentoo mail gateway for many years - it's currently
running under LXC and is upgraded using a generic LXC "golden master" image
with the various email related packages being installed and config files
copied across roughly a month or two apart. This is always a trial,
particularly with permissions and has become much worse with gentoo's
attempt at using the acct packages to manage user and group ID's.
I actually find this easier to solve issues. What do you find difficult here?
The latest problem driving me up the wall is amavis-new wouldn't start after
the upgrade. I have postfix sending email to port 1024 where amavis is
listening (this time required a new setting in amavisd.conf not previously
needed) but postfix now won't accept email back from amavis on port 10025 so
mail is mostly queued (some leaks at times - no idea why).
I assume you mean port 10024 ?
Jul 2 10:00:14 mail amavis[6074]: (06074-02-3) about to connect to
(06074-02-3) new socket using IO::Socket::IP to [127.0.0.1]:10025, timeout
35 Jul 2 10:00:14 mail amavis[6074]: (06074-02-3) (!)connect to
[127.0.0.1]:10025 failed, attempt #1: Unrecognised protocol tcp at
(06074-02-3) mail_via_smtp: session failed: All attempts (1) failed
connecting to smtp:[127.0.0.1]:10025
This is postfix rejecting the connection.
Do you have the following:

# grep 10025 *
master.cf:127.0.0.1:10025 inet n - n - - smtpd
and what has thrown me: I can stop amavisd, then log in as user "amavis" and
run "amavisd -c /etc/amavisd.conf debug" then everything works as intended!
WHY?
Does postfix start before or after amavis?
I am preparing a new mail gateway LXC image as a clean install to try and
straighten out the underlying permissions, but a fix for my current dilemma
would be appreciated!
If a clean install works, I'd recommend a comparison between the 2 (start with
a diff for both "/etc") to check the cause.

--
Joost
William Kenworthy
2023-07-03 05:40:02 UTC
Post by J. Roeleveld
Hi all,
I have been using a gentoo mail gateway for many years - it's currently
running under LXC and is upgraded using a generic LXC "golden master" image
with the various email related packages being installed and config files
copied across roughly a month or two apart. This is always a trial,
particularly with permissions and has become much worse with gentoo's
attempt at using the acct packages to manage user and group ID's.
I actually find this easier to solve issues. What do you find difficult here?
Trying to interpret an error message that says "it can't connect" with no
detail as to why when started via the openrc service script - but it
works fine when started as the amavis user in debug mode.

If I try and run it in debug mode from root it produces lots of perl
errors that do not occur with either the openrc service script or amavis
user:

fetch_modules: error loading optional module Razor2/Client/Agent.pm:
  Can't locate Getopt/Long.pm:   lib/Getopt/Long.pm: Permission denied
at
/usr/lib64/perl5/vendor_perl/5.36/aarch64-linux-thread-multi/Razor2/Client/Agent.pm
line 15.
  BEGIN failed--compilation aborted at
/usr/lib64/perl5/vendor_perl/5.36/aarch64-linux-thread-multi/Razor2/Client/Agent.pm
line 15.
  Compilation failed in require at /usr/sbin/amavisd line 212.
fetch_modules: error loading optional module Mail/DKIM.pm:
  Can't locate Mail/DKIM.pm:   lib/Mail/DKIM.pm: Permission denied at
/usr/sbin/amavisd line 212.
fetch_modules: error loading optional module Mail/DKIM/Verifier.pm:
  Can't locate Mail/DKIM/Verifier.pm:   lib/Mail/DKIM/Verifier.pm:
Permission denied at /usr/sbin/amavisd line 212.
fetch_modules: error loading optional module Image/Info.pm:
  Can't locate Image/Info.pm:   lib/Image/Info.pm: Permission denied at
/usr/sbin/amavisd line 212.
fetch_modules: error loading optional module Image/Info/GIF.pm:
and many more!
Post by J. Roeleveld
The latest problem driving me up the wall is amavis-new wouldn't start after
the upgrade. I have postfix sending email to port 1024 where amavis is
listening (this time required a new setting in amavisd.conf not previously
needed) but postfix now won't accept email back from amavis on port 10025 so
mail is mostly queued (some leaks at times - no idea why).
I assume you mean port 10024 ?
NO, 10025 - postfix is configured to send mail to amavis on 10024 for
scanning via clamav, and forward back to postfix on 10025 where it's
getting the error - note that this configuration has been working for
over 20 years with the same basic configuration until now.  I originally
set it up under a "mailuser" group ID and I am increasingly finding that
on startup I have to check files to make sure their permissions are
unchanged.  From the reading I have done on this I am suspecting that
this latest version of amavis is trying to enforce "something" but not
telling me what - at this stage I suspect amavis is the root cause and
not postfix.
Post by J. Roeleveld
Jul 2 10:00:14 mail amavis[6074]: (06074-02-3) about to connect to
(06074-02-3) new socket using IO::Socket::IP to [127.0.0.1]:10025, timeout
35 Jul 2 10:00:14 mail amavis[6074]: (06074-02-3) (!)connect to
[127.0.0.1]:10025 failed, attempt #1: Unrecognised protocol tcp at
(06074-02-3) mail_via_smtp: session failed: All attempts (1) failed
connecting to smtp:[127.0.0.1]:10025
This is postfix rejecting the connection.
# grep 10025 *
master.cf:127.0.0.1:10025 inet n - n - - smtpd
mail ~ # grep -r 10025 /etc/postfix/*
/etc/postfix/master.cf:127.0.0.1:10025 inet n        -       n -       -  smtpd -v
mail ~ #
Post by J. Roeleveld
and what has thrown me: I can stop amavisd, then log in as user "amavis" and
run "amavisd -c /etc/amavisd.conf debug" then everything works as intended!
WHY?
Does postfix start before or after amavis?
The startup scripts start amavisd first, but there is no difference if I
manually start amavis after postfix (unless I run it as the amavis user)
Post by J. Roeleveld
I am preparing a new mail gateway LXC image as a clean install to try and
straighten out the underlying permissions, but a fix for my current dilemma
would be appreciated!
If a clean install works, I'd recommend a comparison between the 2 (start with
a diff for both "/etc") to check the cause.
That's what I am working up to but I was hoping someone has seen this
before to save time - it's going to be a couple of days before I can get
back to it.

Thanks.

BillK
Post by J. Roeleveld
--
Joost
J. Roeleveld
2023-07-04 05:30:01 UTC
Post by William Kenworthy
Post by J. Roeleveld
Hi all,
I have been using a gentoo mail gateway for many years - it's currently
running under LXC and is upgraded using a generic LXC "golden master" image
with the various email related packages being installed and config files
copied across roughly a month or two apart. This is always a trial,
particularly with permissions and has become much worse with gentoo's
attempt at using the acct packages to manage user and group ID's.
I actually find this easier to solve issues. What do you find difficult here?
Trying to interpret an error message that says "it can't connect" with no
detail as to why when started via the openrc service script - but it
works fine when started as the amavis user in debug mode.
If I try and run it in debug mode from root it produces lots of perl
errors that do not occur with either the openrc service script or amavis
Can't locate Getopt/Long.pm: lib/Getopt/Long.pm: Permission denied
at
/usr/lib64/perl5/vendor_perl/5.36/aarch64-linux-thread-multi/Razor2/Client/Agent.pm line 15.
BEGIN failed--compilation aborted at
/usr/lib64/perl5/vendor_perl/5.36/aarch64-linux-thread-multi/Razor2/Client/Agent.pm line 15.
Compilation failed in require at /usr/sbin/amavisd line 212.
Can't locate Mail/DKIM.pm: lib/Mail/DKIM.pm: Permission denied at
/usr/sbin/amavisd line 212.
Permission denied at /usr/sbin/amavisd line 212.
Can't locate Image/Info.pm: lib/Image/Info.pm: Permission denied at
/usr/sbin/amavisd line 212.
and many more!
Which USE-flags do you have?
I only have "clamav spamassassin" (the other parts are implemented differently
for me)
As these are perl modules, did you try "perl-cleaner" to see if that fixes
anything?
Post by William Kenworthy
Post by J. Roeleveld
The latest problem driving me up the wall is amavis-new wouldn't start
after the upgrade. I have postfix sending email to port 1024 where
amavis is listening (this time required a new setting in amavisd.conf
not previously needed) but postfix now won't accept email back from
amavis on port 10025 so mail is mostly queued (some leaks at times - no
idea why).
I assume you mean port 10024 ?
NO, 10025 - postfix is configured to send mail to amavis on 10024 for
scanning via clamav, and forward back to postfix on 10025 where it's
getting the error
In your original email: " I have postfix sending email to port *1024* where "
Post by William Kenworthy
- note that this configuration has been working for
over 20 years with the same basic configuration until now. I originally
set it up under a "mailuser" group ID and I am increasingly finding that
on startup I have to check files to make sure their permissions are
unchanged. From the reading I have done on this I am suspecting that
this latest version of amavis is trying to enforce "something" but not
telling me what - at this stage I suspect amavis is the root cause and
not postfix.
Are you still using "mailuser" ?
In " /etc/amavisd.conf ", what is configured for:

$daemon_user = ...
$daemon_group = ...
Post by William Kenworthy
Post by J. Roeleveld
and what has thrown me: I can stop amavisd, then log in as user "amavis"
and run "amavisd -c /etc/amavisd.conf debug" then everything works as
intended! WHY?
Does postfix start before or after amavis?
The startup scripts start amavisd first, but there is no difference if I
manually start amavis after postfix (unless I run it as the amavis user)
Ok, so when started as init-script, from root, it fails. When run as amavis,
it works.
Am wondering if the 2 settings mentioned above have something other than
amavis.
Post by William Kenworthy
Post by J. Roeleveld
I am preparing a new mail gateway LXC image as a clean install to try and
straighten out the underlying permissions, but a fix for my current dilemma
would be appreciated!
If a clean install works, I'd recommend a comparison between the 2 (start
with a diff for both "/etc") to check the cause.
That's what I am working up to but I was hoping someone has seen this
before to save time - it's going to be a couple of days before I can get
back to it.
I haven't seen this myself, but I have used the default user and group since I
set this up.

--
Joost
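
The two things asked about in this thread, the $daemon_user / $daemon_group values in amavisd.conf and the 10025 smtpd entry in master.cf, can be checked by script when comparing an upgraded container with a clean install. This is an added example, not part of the original posts; the function names are hypothetical and the config fragments are constructed samples.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample files are constructed.

# Print the last value assigned to $NAME in an amavisd.conf-style file.
amavis_setting() {  # $1 = file, $2 = NAME without the leading "$"
    awk -v name="$2" -v q="'" '
        { sub(/#.*/, "") }                          # drop comments
        $0 ~ ("^[ \t]*\\$" name "[ \t]*=") {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)           # strip "$NAME ="
            sub(/[ \t]*;.*/, "", val)               # strip ";" and what follows
            gsub(/"/, "", val); gsub(q, "", val)    # strip quotes
            found = val
        }
        END { if (found != "") print found }' "$1"
}

# Print "address chroot=<flag>" for each inet smtpd service on the given port.
reinject_listener() {  # $1 = master.cf, $2 = port
    awk -v port="$2" '
        /^[ \t]*#/ || /^[ \t]/ || NF < 8 { next }   # comments, continuations
        $2 == "inet" && $8 == "smtpd" && $1 ~ ("(^|:)" port "$") {
            print $1, "chroot=" $5
        }' "$1"
}

# Return non-zero if amavisd would not run as the expected account or group,
# or if nothing in master.cf accepts the scanned mail on port 10025.
check_gateway() {  # $1 = amavisd.conf, $2 = master.cf, $3 = user, $4 = group
    rc=0
    [ "$(amavis_setting "$1" daemon_user)" = "$3" ] || { echo "daemon_user is not $3"; rc=1; }
    [ "$(amavis_setting "$1" daemon_group)" = "$4" ] || { echo "daemon_group is not $4"; rc=1; }
    [ -n "$(reinject_listener "$2" 10025)" ] || { echo "no smtpd on 10025"; rc=1; }
    return "$rc"
}

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/amavisd.conf" <<'EOF'
$daemon_user  = 'amavis';     # constructed sample
$daemon_group = 'mailuser';   # constructed: group left over from an older setup
EOF
cat > "$SAMPLE_DIR/master.cf" <<'EOF'
smtp            inet n - n - - smtpd
127.0.0.1:10025 inet n - n - - smtpd -v
  -o content_filter=
EOF
check_gateway "$SAMPLE_DIR/amavisd.conf" "$SAMPLE_DIR/master.cf" amavis amavis || true
```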
