Discussion:
Smtpd problem when external DB (mysql, ldap) not responding
Gregor Maier
2007-07-18 15:41:48 UTC
Hello,

I came across an issue with postfix using ldap and virtual domains and
mailboxes. When the LDAP server is down, smtpd cannot resolve
addresses etc. using trivial-rewrite. If the ldap server is up,
everything works fine.

Example:
After smtpd received the MAIL FROM command, it tries to look up the
associated address, but since ldap is down, trivial-rewrite cannot
resolve the address and exits. Smtpd (resp. the resolver resolve_clnt())
will try again and again and again. This also means that the smtpd
does not send any answer to its client. I.e. the client sends the
MAIL FROM and then nothing happens. Eventually the smtp connection
might time out.

IMHO the smtpd should return a temporary error (4xx) when lookups fail
and smtpd should not loop trying to resolve the address. Yes, one can
use backup ldap servers, etc. but nevertheless, if the database is not
responding smtpd should handle the situation gracefully!

Gathering from other mails this problem occurs whenever an external
database (ldap, mysql, psql, etc.) is used and the database is down.

From what I gathered from the source code, fixing this problem might not
be trivial. It looks like resolve_clnt() is used by various
parts of postfix (local, etc.). For smtpd, resolve_clnt() could just
break the loop after a limited number of iterations and send a
temporary 4xx error to its peer. But I'm not sure if this might
break local delivery or other parts that use resolve_clnt().

Ideas?
Comments?


Here's my mail.log for the event. smtpd is run with -vv
------- /var/log/mail.log, smtpd run with -vv ------
Jul 18 15:04:26 mailtest postfix/smtpd[14594]: extract_addr: input: <***@fs.tum.de>
Jul 18 15:04:26 mailtest postfix/smtpd[14594]: smtpd_check_addr: addr=***@fs.tum.de
Jul 18 15:04:26 mailtest postfix/smtpd[14594]: connect to subsystem private/rewrite
Jul 18 15:04:26 mailtest postfix/smtpd[14594]: send attr request = rewrite
Jul 18 15:04:26 mailtest postfix/smtpd[14594]: send attr rule = local
Jul 18 15:04:26 mailtest postfix/smtpd[14594]: send attr address = ***@fs.tum.de
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: private/rewrite socket: wanted attribute: flags
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: input attribute name: flags
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: input attribute value: 0
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: private/rewrite socket: wanted attribute: address
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: input attribute name: address
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: input attribute value: ***@fs.tum.de
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: private/rewrite socket: wanted attribute: (list terminator)
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: input attribute name: (end)
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: rewrite_clnt: local: ***@fs.tum.de -> ***@fs.tum.de
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: send attr request = resolve
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: send attr sender =
Jul 18 15:04:32 mailtest postfix/smtpd[14594]: send attr address = ***@fs.tum.de
Jul 18 15:04:35 mailtest postfix/trivial-rewrite[14596]: warning: dict_ldap_connect: Unable to bind to server ldap://[LDAP-SERVER-NAME]:389 as : 81 (Can't contact LDAP server)
Jul 18 15:04:35 mailtest postfix/trivial-rewrite[14596]: fatal: ldap:/etc/postfix/virtual_aliases.ldap(0,lock|fold_fix): table lookup problem
Jul 18 15:04:36 mailtest postfix/smtpd[14594]: warning: problem talking to service rewrite: Success
Jul 18 15:04:36 mailtest postfix/master[14587]: warning: process /usr/lib/postfix/trivial-rewrite pid 14596 exit status 1
Jul 18 15:04:37 mailtest postfix/smtpd[14594]: rewrite stream disconnect
Jul 18 15:04:37 mailtest postfix/smtpd[14594]: connect to subsystem private/rewrite
Jul 18 15:04:37 mailtest postfix/smtpd[14594]: send attr request = resolve
Jul 18 15:04:37 mailtest postfix/smtpd[14594]: send attr sender =
Jul 18 15:04:37 mailtest postfix/smtpd[14594]: send attr address = ***@fs.tum.de
Jul 18 15:04:46 mailtest postfix/trivial-rewrite[14597]: warning: dict_ldap_connect: Unable to bind to server ldap://[LDAP-SERVER-NAME]:389 as : 81 (Can't contact LDAP server)
Jul 18 15:04:46 mailtest postfix/trivial-rewrite[14597]: fatal: ldap:/etc/postfix/virtual_aliases.ldap(0,lock|fold_fix): table lookup problem
Jul 18 15:04:47 mailtest postfix/smtpd[14594]: warning: problem talking to service rewrite: Success
Jul 18 15:04:47 mailtest postfix/master[14587]: warning: process /usr/lib/postfix/trivial-rewrite pid 14597 exit status 1
Jul 18 15:04:47 mailtest postfix/master[14587]: warning: /usr/lib/postfix/trivial-rewrite: bad command startup -- throttling
-------------------------------


cu
Gregor
Victor Duchovni
2007-07-18 15:49:14 UTC
Post by Gregor Maier
Hello,
I came across an issue with postfix using ldap and virtual domains and
mailboxes. When the LDAP server is down, smtpd cannot resolve
addresses etc. using trivial-rewrite. If the ldap server is up,
everything works fine.
The trivial-rewrite service (used by the queue manager to resolve
addresses to mailer/nexthop/address triples) MUST be reliable. The
queue manager cannot tempfail. Don't use LDAP for transport lookups
(via trivial-rewrite) unless your LDAP service is reliable, run a local
replica or multiple remote replicas, ...

I only use LDAP for virtual(5) rewriting not transport resolution.
--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:***@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Gregor Maier
2007-07-18 20:09:57 UTC
Post by Victor Duchovni
Post by Gregor Maier
I came across an issue with postfix using ldap and virtual domains and
mailboxes. When the LDAP server is down, smtpd cannot resolve
addresses etc. using trivial-rewrite. If the ldap server is up,
everything works fine.
The trivial-rewrite service (used by the queue manager to resolve
addresses to mailer/nexthop/address triples) MUST be reliable. The
queue manager cannot tempfail. Don't use LDAP for transport lookups
(via trivial-rewrite) unless your LDAP service is reliable, run a local
replica or multiple remote replicas, ...
Well yes. But my problem is with *smtpd* and trivial-rewrite, not qmgr.
smtpd tries to look up the address (in my case after it received the
MAIL FROM command). The lookup fails and smtpd loops forever (or rather
resolve_clnt()), trying to resolve the address. Which has the effect
that nothing happens in the SMTP dialog after postfix received the MAIL
FROM. Here I would like smtpd to send a tempfail (4xx). The behaviour of
trivial-rewrite and qmgr is IMHO ok.
Post by Victor Duchovni
I only use LDAP for virtual(5) rewriting not transport resolution.
I'm not entirely sure what you mean by transport resolution but I'm
using LDAP only for virtual stuff.

mailtest:/etc/postfix# postconf | grep ldap
alias_maps = hash:/etc/postfix/aliases ldap:/etc/postfix/ldap-aliases
smtpd_sender_login_maps = ldap:/etc/postfix/sender_map.ldap
virtual_alias_maps = ldap:/etc/postfix/virtual_aliases.ldap
hash:/etc/postfix/virtual_aliases
virtual_gid_maps = ldap:/etc/postfix/virtual_gid.ldap
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_maps.ldap
virtual_uid_maps = ldap:/etc/postfix/virtual_uid.ldap


cu
Gregor
Victor Duchovni
2007-07-18 20:20:32 UTC
Post by Gregor Maier
Well yes. But my problem is with *smtpd* and trivial-rewrite, not qmgr.
smtpd tries to look up the address (in my case after it received the
MAIL FROM command). The lookup fails and smtpd loops forever (or rather
resolve_clnt()), trying to resolve the address. Which has the effect
that nothing happens in the SMTP dialog after postfix received the MAIL
FROM. Here I would like smtpd to send a tempfail (4xx). The behaviour of
trivial-rewrite and qmgr is IMHO ok.
The queue manager and smtpd use the same library interface to perform
transport lookups. If trivial-rewrite fails, the queue manager is stuck
and Postfix becomes unusable, there is not much benefit in analyzing
smtpd behaviour at that point...
Post by Gregor Maier
Post by Victor Duchovni
I only use LDAP for virtual(5) rewriting not transport resolution.
I'm not entirely sure what you mean by transport resolution but I'm
using LDAP only for virtual stuff.
mailtest:/etc/postfix# postconf | grep ldap
alias_maps = hash:/etc/postfix/aliases ldap:/etc/postfix/ldap-aliases
smtpd_sender_login_maps = ldap:/etc/postfix/sender_map.ldap
virtual_alias_maps = ldap:/etc/postfix/virtual_aliases.ldap
hash:/etc/postfix/virtual_aliases
virtual_gid_maps = ldap:/etc/postfix/virtual_gid.ldap
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_maps.ldap
virtual_uid_maps = ldap:/etc/postfix/virtual_uid.ldap
You are falling victim to the implicit backwards compatible setting:

virtual_mailbox_domains = $virtual_mailbox_maps
virtual_alias_domains = $virtual_alias_maps

Set these explicitly, and avoid LDAP for the domain lists. Using LDAP for
the per-user data is fine. Don't use LDAP in transport_maps (and related
tables mentioned in a post a year or two back) unless LDAP is reliable.
--
Viktor.
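
Added example (not part of the thread and not Postfix code): a shell function that scans `postconf`-style output for the condition described in the reply above, where `virtual_mailbox_domains`, `virtual_alias_domains` or `transport_maps` ends up pointing at an LDAP/MySQL/PostgreSQL table, either directly or through a `$parameter` default. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag domain-list/transport parameters whose effective value
# is a network-backed table, including values inherited via $other_parameter.

# Constructed sample, modelled on the postconf output quoted in the thread,
# with the two implicit defaults written out.
sample_config() {
cat <<'EOF'
alias_maps = hash:/etc/postfix/aliases ldap:/etc/postfix/ldap-aliases
virtual_alias_maps = ldap:/etc/postfix/virtual_aliases.ldap hash:/etc/postfix/virtual_aliases
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_maps.ldap
virtual_mailbox_domains = $virtual_mailbox_maps
virtual_alias_domains = $virtual_alias_maps
transport_maps =
EOF
}

# Hypothetical helper: reads "name = value" lines on stdin and prints
# "parameter: table" for every network table reachable from a checked parameter.
risky_domain_lists() {
awk '
function expand(s, depth,    out, n, i, w, ref) {
  if (depth > 5) return ""            # guard against reference loops
  n = split(s, w, /[ \t,]+/); out = ""
  for (i = 1; i <= n; i++) {
    ref = w[i]
    if (ref ~ /^\$/) {                # $name, ${name} or $(name)
      gsub(/^\$[{(]?|[})]$/, "", ref)
      ref = expand(val[ref], depth + 1)
    }
    if (ref != "") out = out (out == "" ? "" : " ") ref
  }
  return out
}
{
  eq = index($0, "="); if (eq == 0) next
  name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
  gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", value)
  val[name] = value
}
END {
  c = split("virtual_mailbox_domains virtual_alias_domains transport_maps", chk, " ")
  for (k = 1; k <= c; k++) {
    m = split(expand(val[chk[k]], 0), t, " ")
    for (j = 1; j <= m; j++)
      if (t[j] ~ /^(proxy:)?(ldap|mysql|pgsql):/) print chk[k] ": " t[j]
  }
}'
}

sample_config | risky_domain_lists
```

On a live system the same function can be fed real settings with `postconf | risky_domain_lists`; an empty result means none of the three checked parameters depends on a network table.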