YES! That fixed it. The "postfix check" returns with nothing (no errors).
Thank you very much for the tip.
Regards,
Michael Chinn
At 6/20/02 Thursday 01:34 PM, Michael Breton wrote:
>You should do this:
>
>cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
>
>It is likely that something is different, and since you are running
>chrooted, the resolv.conf in the jail needs to match the active one.
>
>Michael Breton
>Commtel
>
>-----Original Message-----
>From: Michael Chinn [mailto:mch...@tuxeterna.com]
>Sent: Thursday, June 20, 2002 1:30 PM
>To: postfi...@cloud9.net
>Subject: warning: /etc/resolv.conf?
>
>
>Greetings:
>
>I have a RH 7.1 server running postfix (and apache and webmin). I have a
>few user e-mail accounts on the server and Postfix runs properly however...
>
>When I run postfix check, I get this error message:
>
># postfix check
>
>postfix-script: warning: /var/spool/postfix/etc/resolv.conf and
>/etc/resolv.conf differ
>postfix-script: WARNING: The file /var/spool/postfix/etc/resolv.conf was
>originally created as a copy of
>postfix-script: /etc/resolv.conf. They are now different. If you have
>updated /etc/resolv.conf
>postfix-script: successfully you probably want to copy that update to
>/var/spool/postfix/etc/resolv.conf.
>
>The Postfix program also e-mails this error to the root e-mail account once
>a day (and Postfix continues to operate properly).
>
>I checked the resolv.conf file in both locations and they are identical in
>content. I also checked the FAQs for this problem but could not find the
>answer. I also reloaded Postfix and rechecked it (# postfix check) but I
>still get this message. So... (help!)
>
>I'm a beginner in using and administering Postfix so your input would be
>greatly appreciated.
>
>Thank you,
>Michael Chinn
>
>-
>To unsubscribe, send mail to majo...@postfix.org with content
>(not subject): unsubscribe postfix-users
--Eric
> Dear Michael Breton:
>
> YES! That fixed it. The "postfix check" returns with nothing (no errors).
>
> Thank you very much for the tip.
>
> Regards,
> Michael Chinn
>
>
[system resolv.conf vs. postfix chroot jail resolv.conf]
On Thu, 2002-06-20 at 21:50, Cybertime Hostmaster wrote:
> It was probably a whitespace of some sort if you saw no difference. Nothing
> that would stop it from working, but it is always nice to copy it and make
> it all work perfectly.
Any reason not to hardlink the files if they're on the same fs?
cheers
-- vbi
-- secure email with gpg http://fortytwo.ch/gpg
If they're on the same FS, that should work.
--
Ralf Hildebrandt (Im Auftrag des Referat V A) Ralf.Hil...@charite.de
Charite Campus Virchow-Klinikum Tel. +49 (0)30-450 570-155
Referat V A - Kommunikationsnetze - Fax. +49 (0)30-450 570-916
How many viruses must arrive before people realize,
that M$ is just not ready for the enterprise?
> On Fri, Jun 21, 2002 at 08:12:47AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> > [system resolv.conf vs. postfix chroot jail resolv.conf]
> >
> > On Thu, 2002-06-20 at 21:50, Cybertime Hostmaster wrote:
> > > It was probably a whitespace of some sort if you saw no difference. Nothing
> > > that would stop it from working, but it is always nice to copy it and make
> > > it all work perfectly.
> >
> > Any reason not to hardlink the files if they're on the same fs?
>
> If they're on the same FS, that should work.
>
>
But why chroot(), if one is going to expose the attacker critical system
files (/etc/password, /etc/resolv.conf, ...). If "smtpd" cannot be
compromised over the network one should not chroot, if it can, it should
not have access to any files that are also used outside the chroot jail.
While hard links will work, they partly defeat the purpose of the
chroot().
A read only loopback mount of a hard-linked directory hierarchy may be
OK. That way no errors in the file permissions can allow chrooted
attackers to modify them. Don't know if the OS in question (presumably
Debian) supports loopback mounts...
--
Viktor.
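
Added example, not part of any message in this thread: a shell check that classifies a jail copy as identical, different only in whitespace, different, missing, or hard-linked to the system file, which covers both the whitespace diagnosis and the hard-link concern discussed above. The function names are hypothetical; /var/spool/postfix is the jail path from the original report.

```shell
#!/bin/sh
# Added example: compare system files with their copies in a chroot jail.

# jail_file_state SYSTEM_FILE JAIL_FILE
# Prints one of: missing, hardlinked, identical, whitespace-only, differs
jail_file_state() {
    sys=$1
    jail=$2
    if [ ! -e "$sys" ] || [ ! -e "$jail" ]; then
        echo missing
    elif [ "$sys" -ef "$jail" ]; then
        # Same inode: a write through either name changes both files,
        # so a permission mistake inside the jail reaches the system copy.
        echo hardlinked
    elif cmp -s "$sys" "$jail"; then
        echo identical
    elif diff -q -w -B "$sys" "$jail" >/dev/null 2>&1; then
        # Looks the same in an editor, but a byte comparison still flags it.
        echo whitespace-only
    else
        echo differs
    fi
}

# audit_jail JAIL_ROOT FILE...   (each FILE is an absolute system path)
# Prints "state<TAB>file" per file; returns 1 unless every copy is identical.
audit_jail() {
    root=$1
    shift
    rc=0
    for f in "$@"; do
        state=$(jail_file_state "$f" "$root$f")
        printf '%s\t%s\n' "$state" "$f"
        [ "$state" = identical ] || rc=1
    done
    return $rc
}

# Example call: sh thisfile /var/spool/postfix /etc/resolv.conf
if [ "$#" -ge 2 ]; then
    audit_jail "$@"
fi
```

A result of `whitespace-only` is cleared by re-copying the file; `hardlinked` means the jail and the system share one inode rather than holding separate copies.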
> But why chroot(), if one is going to expose the attacker critical system
> files (/etc/password, /etc/resolv.conf, ...). If "smtpd" cannot be
> compromised over the network one should not chroot, if it can, it should
> not have access to any files that are also used outside the chroot jail.
Maybe a copy that has certain accounts removed from it. IMHO not even
the shells or the GECOS must be correct.
--
Ralf Hildebrandt (Im Auftrag des Referat V A) Ralf.Hil...@charite.de
Charite Campus Virchow-Klinikum Tel. +49 (0)30-450 570-155
Referat V A - Kommunikationsnetze - Fax. +49 (0)30-450 570-916
Anyone who cannot cope with Mathematics is not fully human -- at best
he is a tolerable subhuman who learned how to tie his shoes and not
make messes in the house. -- Mr. Easley, calculus teacher
> Maybe a copy that has certain accounts removed from it. IMHO not even
> the shells or the GECOS must be correct.
>
If the files differ, postfix start will complain. One can ignore the
complaint, but it is probably best to keep them the same. If one delivers
to local users, local_recipient_maps requires the same set of local users
inside and outside the chroot jail.
--
Viktor.
> If the files differ, postfix start will complain. One can ignore the
> complaint, but it is probably best to keep them the same. If one delivers
> to local users, local_recipient_maps requires the same set of local users
> inside and outside the chroot jail.
UNLESS certain users are aliases (e.g. like root). Also: Do the shells
have to be correct? I mean, "local" is not chrooted anyway...
--
Ralf Hildebrandt (Im Auftrag des Referat V A) Ralf.Hil...@charite.de
Charite Campus Virchow-Klinikum Tel. +49 (0)30-450 570-155
Referat V A - Kommunikationsnetze - Fax. +49 (0)30-450 570-916
"Looking at the proliferation of personal web pages on the net, it
looks like very soon everyone on earth will have 15 Megabytes of fame."
-MG Siriam