On Tue, Mar 01, 2011 at 07:00:43PM -0600, /dev/rob0 wrote:
> [ top-posting fixed, please don't do that ]
>
> On Tue, Mar 01, 2011 at 05:34:50PM -0700, Jeff Orrok wrote:
> > On 3/1/2011 4:57 PM, Wietse Venema wrote:
> > >See:
> > >http://www.postfix.org/DEBUG_README.html#no_chroot
> > >
> > >and please complain to your supplier.
> > > Thanks Wietse! :-)
> >
> > I changed all -'s to n's in master.cf chroot column and did a
> > postfix reload and a postqueue -f and everything sailed away
> > smoothly.
> >
> > But I'm mystified as to why it would be working fine for an entire
> > month and then out of the blue (well, ok, the client thinks there
> > may have been a power failure) start to misbehave. The date on
> > master.cf was Jan 24, which I think is when I installed it. Why
> > would it suddenly break? I've done postfix reload several times
> > since installing, possibly even restarting postfix as well.
>
> This is not surprising if you're not using your own local
> nameserver.[1] One obvious possibility is that the provider changed
> IP addresses of nameservers given to DHCP and other network clients.
> Perhaps your answer lies in /var/spool/postfix/etc/resolv.conf if
> your restarts were not done using the Debian init script.
>
> I've had enough problems with bad ISPs and their bad nameservers; I
> always run my own BIND named(8) doing recursion[1] for the Postfix
> server. That way, when there are DNS problems, they also show up in
> the named logs as well as Postfix logs.
>
> Debian provides a README for their package. Please review it.
>
> I agree with Wietse about Debian's chroot. It was a poor decision on
> their part to chroot by default. A very high percentage of "Postfix"
> problems are attributable to this decision.
>
>
>
> [1] I believe the Debian BIND package has another unwise default,
> which is to use global forwarders rather than recursion. Use
> caution, and consult Debian and ISC documentation, if you decide
> to run your own nameserver for the Postfix machine.
> --
> Offlist mail to this address is discarded unless
> "/dev/rob0" or "not-spam" is in Subject: header
>
I agree that running a local recursive nameserver is the way to go. I
would recommend that you use pdns_recursor-3.3+ instead:

http://www.powerdns.com/news/pdns-recursor-3-3-released.aspx

There are .deb and .rpm versions available for x86. It is very simple,
very secure, and very lightweight compared to BIND's named.

Cheers,
Ken
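
The chroot and resolv.conf points raised in the quoted message above, as an added example that is not part of the thread: a shell check that lists the master.cf services still running chrooted and tells whether the chroot copy of resolv.conf lists the same nameservers as the system file. The function names and sample files are constructed for illustration; `-` in the chroot column is assumed to mean `y`, the built-in default before Postfix 3.0.

```shell
#!/bin/sh
# Added example (not from the thread): find chrooted Postfix services and a
# chroot resolv.conf copy that no longer matches the system file.

# Print "service/type" for master.cf entries whose chroot column (field 5)
# is "y" or "-". Assumption: "-" takes the built-in default, which was "y"
# before Postfix 3.0. Comment and continuation lines are skipped.
chrooted_services() {
    awk '!/^#/ && !/^[ \t]/ && NF >= 8 && ($5 == "y" || $5 == "-") {
        print $1 "/" $2 }' "$1"
}

# Sorted nameserver addresses from a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | sort
}

# 0 = chroot copy lists the same nameservers, 1 = stale, 2 = copy missing.
resolv_in_sync() {
    [ -r "$2" ] || return 2
    [ "$(nameservers "$1")" = "$(nameservers "$2")" ]
}

# Constructed sample files so the script runs offline. On a real host pass
# /etc/postfix/master.cf, /etc/resolv.conf and
# /var/spool/postfix/etc/resolv.conf instead.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
smtp      unix  -       -       y       -       -       smtp
  -o smtp_helo_timeout=5
EOF
printf 'nameserver 192.0.2.53\n' > "$demo/system.resolv.conf"    # current
printf 'nameserver 198.51.100.7\n' > "$demo/chroot.resolv.conf"  # old copy

echo "chrooted services:"; chrooted_services "$demo/master.cf"
if resolv_in_sync "$demo/system.resolv.conf" "$demo/chroot.resolv.conf"; then
    echo "chroot resolv.conf matches"
else
    echo "chroot resolv.conf is stale or missing"
fi
```

A stale result explains the symptom in the thread: chrooted daemons resolve through the copy under the queue directory, so a change to the system resolver configuration only reaches them once that copy is refreshed.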