Postfix works slow maybe DNS problem

Discussion in 'Server Operation' started by Racing-Ralph, Feb 7, 2022.

  1. Racing-Ralph

    Racing-Ralph Member

    I have a Debian 9 server with ISPConfig 3 and Postfix working fine.

    I got a new server with Debian 11, ISPConfig 3 and Postfix installed with the automated script.

    I have two domains, my.de and mail.my.de.
    I created Let's Encrypt certificates for both and changed the configuration in order to secure my mails with the certificate for mail.my.de, like on the old server.
    I applied my changes from the old server to the new one and all seems to work.

    I changed the IP address on the hoster's side to the new server, as with the old one.

    The first problem is that Postfix needs a long time to send mail; Thunderbird as the client shows the progress bar for about 10 seconds until the mail is sent.
    In other forums they had similar problems and think it is a DNS problem.

    The next problem is that the mail is received as SPAM:
    spf=temperror (csxxx.dogadoserver.de: error in processing during lookup of [email protected]: DNS error) [email protected]

    I'm not so experienced, so how do I check?

    Regards, Ralph
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you get name service errors, check those first. Verify the name service data is entered correctly and the name servers do work. Or wait 4 hours for the name service data to propagate; maybe some senders are still using the old data.
    My signature has a link to a DNS tutorial; it has info on how to check that DNS is working. The tests apply even if you are not running your own name servers but use your provider's name service.
     
  3. Racing-Ralph

    Racing-Ralph Member

    OK, I will try.
    The problem is that the configuration is like the old server.
    Senders that worked fine on Friday get errors today?
    I had and have no DNS entries in ISPConfig 3 (DNS zone).

    I use the DNS server from my provider, as on the old one.

    I made a lookup test on the server on which I got the resolve error:


    root@cs42469:~# dig deurag.de

    ; <<>> DiG 9.16.22-Debian <<>> deurag.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32850
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;deurag.de. IN A

    ;; ANSWER SECTION:
    deurag.de. 100 IN A 213.216.11.7

    ;; Query time: 26 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: Mon Feb 07 10:42:42 CET 2022
    ;; MSG SIZE rcvd: 54
     
    Last edited: Feb 7, 2022
  4. Racing-Ralph

    Racing-Ralph Member

    I found this, might this be a problem?

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "resolvectl status" to see details about the actual nameservers.
    nameserver 127.0.0.1
    nameserver 127.0.0.53

    Result of resolvectl status:

    root@cs42469:~# resolvectl status
    Global
    Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
    Current DNS Server: 109.237.142.6
    DNS Servers: 109.237.142.6 109.237.143.6

    Link 2 (venet0)
    Current Scopes: none
    Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported


    The provider says that our DNS entries are OK.
     
  5. Racing-Ralph

    Racing-Ralph Member

    OK, I tested from your tutorial:

    Testing name service: works
    Then check the name service entry for the mail server FQDN: works
    Finally check that the reverse name service resolves the IP number back to the FQDN of the mail server: works

    TLS checker for mail.mydomain.de: works
    DNS lookup for mydomain.de: works

    What now?
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Are you running a DNS resolver on 127.0.0.1, i.e. on your server? You don't want to use shared DNS servers (like those from your ISP) in a mail server, as many RBL lookups will fail due to the shared server being over query limits. If you don't intend to run your own DNS service, you can uninstall bind and install unbound, but do make sure one of them is running and resolution through 127.0.0.1 works (or remove that from resolv.conf).
     
    Last edited: Feb 7, 2022
  7. Racing-Ralph

    Racing-Ralph Member

    I don't know.

    You see, my resolv.conf is:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "resolvectl status" to see details about the actual nameservers.
    nameserver 127.0.0.1
    nameserver 127.0.0.53

    But it uses:

    Current DNS Server: 109.237.142.6
    DNS Servers: 109.237.142.6 109.237.143.6

    On my old server there are two IP addresses in resolv.conf.
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So your new server uses 127.0.0.1, which may or may not work, and uses those other 2 servers, either of which may or may not work. You should test each from your server, e.g. using dig: do you see something like this, which returns an answer:
    Code:
    $ dig test.com @127.0.0.1
    
    ; <<>> DiG 9.16.22-Debian <<>> test.com @127.0.0.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34908
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;test.com.                      IN      A
    
    ;; ANSWER SECTION:
    test.com.               3398    IN      A       67.225.146.248
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Feb 07 09:23:34 MST 2022
    ;; MSG SIZE  rcvd: 53
    
    
    or more like this, which indicates a problem:
    Code:
    $ dig test.com @127.0.0.1
    
    ; <<>> DiG 9.16.22-Debian <<>> test.com @127.0.0.1
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    Then test @109.237.142.6 and @109.237.143.6.
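    As an added example (not from this thread or from ISPConfig), a small POSIX shell script that automates the check described above: it reads every nameserver from a resolv.conf file, runs dig against each one, and classifies the result, so the "connection timed out" case for 127.0.0.1 shows up at a glance. It assumes dig (Debian package dnsutils / bind9-dnsutils) is installed for the live run; the resolv.conf path and the test name are assumptions.

    ```shell
    #!/bin/sh
    # Test each resolver listed in resolv.conf with dig and report which ones answer.
    # Added example; assumes dig is installed. Usage: sh check_resolvers.sh --run [name]

    # Print the nameserver addresses from resolv.conf-style text on stdin,
    # ignoring the comment lines that resolvconf(8) writes.
    list_nameservers() {
        sed 's/#.*//' | awk '$1 == "nameserver" { print $2 }'
    }

    # Classify captured dig output: "ok" for a NOERROR answer, "timeout" when no
    # server could be reached (the failure seen for 127.0.0.1 above), else "error"
    # (e.g. SERVFAIL from an overloaded shared resolver).
    classify_output() {
        case "$1" in
            *"connection timed out"*) echo timeout ;;
            *"status: NOERROR"*)      echo ok ;;
            *)                        echo error ;;
        esac
    }

    # Run dig for name $1 against server $2 with a short timeout and classify it.
    check_resolver() {
        classify_output "$(dig +time=3 +tries=1 "$1" "@$2" 2>&1)"
    }

    # Check every resolver in file $1 for name $2; return 1 if any of them fails.
    check_resolv_conf() {
        rc=0
        for ns in $(list_nameservers < "$1"); do
            result=$(check_resolver "$2" "$ns")
            echo "$ns: $result"
            [ "$result" = ok ] || rc=1
        done
        return $rc
    }

    # Live check only on request and when dig is available (constructed default name).
    if [ "${1:-}" = --run ] && command -v dig >/dev/null 2>&1; then
        check_resolv_conf /etc/resolv.conf "${2:-debian.org}"
    fi
    ```

    Because it exits non-zero when any listed resolver fails, it can also run from a boot-time job to confirm that resolv.conf still points at working servers after a reboot.
    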
     
  9. Racing-Ralph

    Racing-Ralph Member

    Yes, error:

    ; <<>> DiG 9.16.22-Debian <<>> deurag.de @127.0.0.1
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    With 127.0.0.53 it does work.

    Then test @109.237.142.6 and @109.237.143.6.
    These also work.

    Can I change or delete 127.0.0.1?

    I have seen that in ISPConfig 3 under System the DNS server option is checked; shall I uncheck this?
     
    Last edited: Feb 7, 2022
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If it were me, I would install bind or unbound and stop using the ISP DNS servers, for the reason mentioned above. But if you prefer, you can just remove 127.0.0.1 from resolv.conf (see "man 8 resolvconf" for info on configuring the nameservers if needed).

    I would uncheck that if you aren't going to run a nameserver on your ISPConfig system, or install bind if you intend to (followed by reconfiguring services via the ISPConfig installer, so bind is set up).
     
    Racing-Ralph likes this.
  11. Racing-Ralph

    Racing-Ralph Member

    OK, thanks, I'll try and report!
     
  12. Racing-Ralph

    Racing-Ralph Member

    I think I will reinstall the server. In the automated installation bind9 is included, so something might have gone wrong.
     
  13. Racing-Ralph

    Racing-Ralph Member

    I found out that after every reboot the hostname is changed by the provider. They only allow changing it in their config tool, like server1.domain.de or domain.de;
    like in the tutorial it should be only server1,
    so hostname and hostname -f show server1.domain.de!
    Same thing with hostname -I:
    it shows
    127.0.0.1 123.123.123.123 (my server IP).
    Even the hosts file is overwritten on restart.
    Is it normal that the provider changes system-side configuration?
     
  14. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I remember there was a similar post, some time ago. So some hosting providers offer hosts that do not work fully like a Linux host should.
    Change the hostname in the config tool?
    Find a better hosting provider that offers full Linux hosts?
     
  15. Racing-Ralph

    Racing-Ralph Member

    The only problem is that the DNS lookup in Postfix does not work; is there a way to tell Postfix to use a specific one?
     
  16. Steini86

    Steini86 Active Member

    The solution was posted several times. If you specify your localhost (127.0.0.1) as nameserver, you need a resolver running on port 53. If you do not use bind, then uninstall it and install unbound instead.
    This will solve your problem and speed up Postfix.
    If you do not want to do that, at least specify another fast external nameserver like Google (8.8.8.8 / 8.8.4.4) or Cloudflare (1.1.1.1).
     
  17. Racing-Ralph

    Racing-Ralph Member

    I'm not able to configure unbound.

    I cannot specify another nameserver because the provider overwrites my configuration after reboot.
     
  18. Steini86

    Steini86 Active Member

    There is good literature around that should help you.
    Nameservers in Linux are a mess. Lots of programs use/change them. One solution is to find out how/why it is changed and edit this (if it is coming from DHCP, network config, systemd, whatever). Another (hacky) option is to prevent changes to the resolv.conf file (you should remember and document this! If this causes trouble in the future it is very difficult to debug):
    Code:
    chattr +i /etc/resolv.conf #(make it "immutable" -> prevent writes)
    chattr -i /etc/resolv.conf #(back to default)
    However, if you read the comments in your resolv.conf file carefully, there is an explanation of why this file gets overwritten and where you get more information: "resolvectl status"
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    And in case your provider changes it only after reboot and setting the immutable bit as @Steini86 suggested gets somehow overridden, then you might use a script that runs after a reboot to fix it automatically.
     
  20. Racing-Ralph

    Racing-Ralph Member

    OK, I made a lot of changes. Right now I can receive mails, even with TLS 1.3.

    If I try to check my mail with the TLS checker I get an error:
    FAILED //email/test From:
    Your email was sent, however it was NOT SENT SECURELY using TLS.
    My log when sending this mail:
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: initializing the server-side TLS engine
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: connect from i6DFA4289.versanet.de[109.250.66.137]
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: setting up TLS connection from i6DFA4289.versanet.de[109.250.66.137]
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: i6DFA4289.versanet.de[109.250.66.137]: TLS cipher list "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!RC4:!aNULL"
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:before SSL initialization
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:before SSL initialization
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: i6dfa4289.versanet.de[109.250.66.137]: Decrypting session ticket, key expiration: 1644853396
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:SSLv3/TLS read client hello
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:SSLv3/TLS write server hello
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:SSLv3/TLS write change cipher spec
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:TLSv1.3 write encrypted extensions
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:SSLv3/TLS write finished
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:TLSv1.3 early data
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:TLSv1.3 early data
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: SSL_accept:SSLv3/TLS read finished
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: i6dfa4289.versanet.de[109.250.66.137]: Reusing old session (RFC 5077 session ticket)
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: Anonymous TLS connection established from i6dfa4289.versanet.de[109.250.66.137]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)
    Feb 14 16:19:41 cs42469 postfix/smtps/smtpd[1146678]: 61D8A60A84: client=i6DFA4289.versanet.de[109.250.66.137], sasl_method=PLAIN, [email protected]
    Feb 14 16:19:41 cs42469 postfix/cleanup[1146684]: 61D8A60A84: message-id=<[email protected]>
    Feb 14 16:19:46 cs42469 postfix/qmgr[1146460]: 61D8A60A84: from=<[email protected]>, size=1059, nrcpt=1 (queue active)
    Feb 14 16:19:46 cs42469 postfix/smtps/smtpd[1146678]: disconnect from i6DFA4289.versanet.de[109.250.66.137] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
    Feb 14 16:19:47 cs42469 dovecot: imap([email protected])<1146511><56O/3/vXIOpt+kKJ>: Connection closed (IDLE running for 0.001 + waiting input for 0.002 secs, 2 B in + 10 B out, state=wait-input) in=1418 out=3228 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=295 body_count=0 body_bytes=0
    Feb 14 16:19:47 cs42469 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=109.250.66.137, lip=123.123.123.123, mpid=1146687, TLS, session=<2+9n8vvXbutt+kKJ>
    Feb 14 16:19:47 cs42469 postfix/smtp[1146685]: 61D8A60A84: to=<[email protected]>, relay=ts11-do.CheckTLS.com[165.227.190.238]:25, delay=6.2, delays=5.3/0.01/0.48/0.37, dsn=2.0.0, status=sent (250 Ok)
    Feb 14 16:19:47 cs42469 postfix/cleanup[1146684]: 6CC6161E04: message-id=<[email protected]>
    Feb 14 16:19:47 cs42469 postfix/bounce[1146688]: 61D8A60A84: sender delivery status notification: 6CC6161E04
    Feb 14 16:19:47 cs42469 postfix/qmgr[1146460]: 6CC6161E04: from=<>, size=3294, nrcpt=1 (queue active)
    Feb 14 16:19:47 cs42469 postfix/qmgr[1146460]: 61D8A60A84: removed
    Feb 14 16:19:47 cs42469 dovecot: lmtp(1146690): Connect from local
    Feb 14 16:19:47 cs42469 dovecot: lmtp([email protected])<1146690><+bbuGxNzCmJCfxEA8Uqisw>: sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'
    Feb 14 16:19:47 cs42469 dovecot: lmtp(1146690): Disconnect from local: Client has quit the connection (state=READY)
    Feb 14 16:19:47 cs42469 postfix/lmtp[1146689]: 6CC6161E04: to=<[email protected]>, relay=mail.meine-domaene.de[private/dovecot-lmtp], delay=0.03, delays=0/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> +bbuGxNzCmJCfxEA8Uqisw Saved)
    Feb 14 16:19:47 cs42469 postfix/qmgr[1146460]: 6CC6161E04: removed
     