Re: No/Invalid host lookup in smtpd_sasl_path parameter

[Lorenzo Bernardi]

Thank you Wietse,

I followed your advice and ran a strace on the smtpd process.
Postfix is running in a chroot environment (/var/spool/postfix) and I 
noticed the following:

Dec 27 16:55:05 85b8d58a343c root: open("/etc/resolv.conf", 
O_RDONLY|O_CLOEXEC) = 18
Dec 27 16:55:05 85b8d58a343c root: fstat(18, {st_mode=S_IFREG|0644, 
st_size=60, ...}) = 0
Dec 27 16:55:05 85b8d58a343c root: read(18, "search 
openstacklocal\nnameserver 127.0.0.11\noptions ndots:0\n", 4096) = 60
Dec 27 16:55:05 85b8d58a343c root: read(18, "", 4096)                   
   = 0
Dec 27 16:55:05 85b8d58a343c root: close(18)                            
   = 0
Dec 27 16:55:05 85b8d58a343c root: open("/etc/host.conf", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: futex(0x7f9690f79a64, 
FUTEX_WAKE_PRIVATE, 2147483647) = 0
Dec 27 16:55:05 85b8d58a343c root: open("/etc/hosts", 
O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: open("/etc/ld.so.cache", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/lib/x86_64-linux-gnu/tls/x86_64/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
stat("/lib/x86_64-linux-gnu/tls/x86_64", 0x7ffc42960c30) = -1 ENOENT 
(No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/lib/x86_64-linux-gnu/tls/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 
-1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/lib/x86_64-linux-gnu/tls", 
0x7ffc42960c30) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/lib/x86_64-linux-gnu/x86_64/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/lib/x86_64-linux-gnu/x86_64", 
0x7ffc42960c30) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 
ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/lib/x86_64-linux-gnu", 
0x7ffc42960c30) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/usr/lib/x86_64-linux-gnu/tls/x86_64/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
stat("/usr/lib/x86_64-linux-gnu/tls/x86_64", 0x7ffc42960c30) = -1 
ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/usr/lib/x86_64-linux-gnu/tls/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
stat("/usr/lib/x86_64-linux-gnu/tls", 0x7ffc42960c30) = -1 ENOENT (No 
such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/usr/lib/x86_64-linux-gnu/x86_64/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
stat("/usr/lib/x86_64-linux-gnu/x86_64", 0x7ffc42960c30) = -1 ENOENT 
(No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/usr/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 
-1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/usr/lib/x86_64-linux-gnu", 
0x7ffc42960c30) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/lib/tls/x86_64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT 
(No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/lib/tls/x86_64", 
0x7ffc42960c30) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: open("/lib/tls/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/lib/tls", 0x7ffc42960c30)     
   = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: open("/lib/x86_64/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/lib/x86_64", 0x7ffc42960c30)  
   = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: open("/lib/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/lib", {st_mode=S_IFDIR|0755, 
st_size=4096, ...}) = 0
Dec 27 16:55:05 85b8d58a343c root: 
open("/usr/lib/tls/x86_64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 
ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/usr/lib/tls/x86_64", 
0x7ffc42960c30) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: open("/usr/lib/tls/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/usr/lib/tls", 0x7ffc42960c30) 
   = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: 
open("/usr/lib/x86_64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT 
(No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/usr/lib/x86_64", 
0x7ffc42960c30) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: open("/usr/lib/libnss_dns.so.2", 
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Dec 27 16:55:05 85b8d58a343c root: stat("/usr/lib", 
{st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

It looks like "libnss_dns.so.2" cannot be found due to the chrooted 
environment and thus no DNS query can be made (at least for this 
specific call).
I fixed it by copying the libraries from /lib/x86_64-linux-gnu/ to 
/var/spool/postfix/lib/x86_64-linux-gnu/:

cp /lib/x86_64-linux-gnu/ /var/spool/postfix/lib/ -R

This apparently worked as postfix is now able to make DNS queries:

Dec 27 17:05:14 85b8d58a343c root: stat("/etc/resolv.conf", 
{st_mode=S_IFREG|0644, st_size=60, ...}) = 0
Dec 27 17:05:14 85b8d58a343c root: socket(AF_INET, 
SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 19
Dec 27 17:05:14 85b8d58a343c root: connect(19, {sa_family=AF_INET, 
sin_port=htons(53), sin_addr=inet_addr("127.0.0.11")}, 16) = 0
Dec 27 17:05:14 85b8d58a343c root: poll([{fd=19, events=POLLOUT}], 1, 
0)   = 1 ([{fd=19, revents=POLLOUT}])
Dec 27 17:05:14 85b8d58a343c root: sendto(19, 
"2-\1\0\0\1\0\0\0\0\0\0\7dovecot\0\0\1\0\1", 25, MSG_NOSIGNAL, NULL, 0) 
= 25
Dec 27 17:05:14 85b8d58a343c root: poll([{fd=19, events=POLLIN}], 1, 
5000) = 1 ([{fd=19, revents=POLLIN}])
Dec 27 17:05:14 85b8d58a343c root: ioctl(19, FIONREAD, [48])            
   = 0
Dec 27 17:05:14 85b8d58a343c root: recvfrom(19, 
"2-\201\200\0\1\0\1\0\0\0\0\7dovecot\0\0\1\0\1\7dovecot\0\0\1\0\1\0\0\2X\0\4\254\24\0\5", 
1024, 0, {sa_family=AF_INET, sin_port=htons(53), 
sin_addr=inet_addr("127.0.0.11")}, [28->16]) = 48
Dec 27 17:05:14 85b8d58a343c root: close(19)                            
   = 0
Dec 27 17:05:14 85b8d58a343c root: socket(AF_INET, SOCK_STREAM, 
IPPROTO_TCP) = 19
Dec 27 17:05:14 85b8d58a343c root: fcntl(19, F_GETFL)                   
   = 0x2 (flags O_RDWR)
Dec 27 17:05:14 85b8d58a343c root: fcntl(19, F_SETFL, 
O_RDWR|O_NONBLOCK)   = 0
Dec 27 17:05:14 85b8d58a343c root: setsockopt(19, SOL_SOCKET, 
SO_KEEPALIVE, [1], 4) = 0
Dec 27 17:05:14 85b8d58a343c root: connect(19, {sa_family=AF_INET, 
sin_port=htons(12345), sin_addr=inet_addr("172.20.0.5")}, 16) = -1 
EINPROGRESS (Operation now in progress)
Dec 27 17:05:14 85b8d58a343c root: poll([{fd=19, events=POLLOUT}], 1, 
10000) = 1 ([{fd=19, revents=POLLOUT}])
Dec 27 17:05:14 85b8d58a343c root: getsockopt(19, SOL_SOCKET, SO_ERROR, 
[0], [4]) = 0

Shouldn't this be documented somewhere for other people that might 
encounter the issue?

Cheers,
---
LORENZO BERNARDI

On 2017-12-27 16:18, wie...@porcupine.org wrote:

Lorenzo Bernardi:

Hi Wietse,

Thank you for your answer.

The docker containers are running Debian 9.3 and the postfix package
from the official Debian repository (Version: 3.1.6-0+deb9u1).

As you can see below the source code still contains calls to
gethostbyname():

Grep does not prove that code is called. The only gethostbyname
calls that are left over in the code are in src/local/biff_notify.c
and in src/util/find_inet.c, and the latter is called only by the
dict_mysql.c module. None of these calls are relevant for the problem
at hand: hooking up Postfix with the Dovecot auth service.

Regarding the docker network, I followed the recommendations of the
official website and I'm using a user-defined network, which works 
with
no issue.

You made a mistake somewhere, because the SYSTEM LIBRARY FUNCTION
getaddrinfo() is unable to find your dovecot host unless you add
it to /etc/hosts.

To be totally clear about this: Postfix does not look in /etc/hosts,
it is the SYSTEM LIBRARY that reads the file, as configured in the
SYSTEM CONFIGURATION file /etc/nsswitch.conf.

See www.postfix.org/DEBUG_README.html for how to trace a program
with strace and ltrace, then you can see which call is failing and
why.

Wietse