mchk command

[DJSnoopy]

Dear Plesk / Odin Team.

I´ve got a quick question about the mchk command line tool.

I´ve made manually changes form inet_protocols = all TO inet_protocols = ipv4, but everytime the mchk command is executed it resets it to "all".

Can you please tell me where the original "all" parameter is stored? Where can i change it so that mchk writes ipv4 instead of all during regeneration?

kind regards
Michael

 

[IgorG]

I'm afraid that it is hardcoded.

 

[DJSnoopy]

Does this also count for Plesk 12.5?

 

[IgorG]

Does this also count for Plesk 12.5?

Yes, the same behaviour for 12.5

 

[DJSnoopy]

Mhh thanks Igor.

But this seems not to be good.
Postfix so does sometimes ipv6 lookups even if whole ipv6 is disabeld on the server.
So postfix try to send mails to an ipv6 endpoint and this results in hanging mails in mail queue with network unreachable

postfix/smtp[29307]: ABE3C4D0B86: to=<[email protected]>, relay=none, delay=390960, delays=390960/0.01/0.21/0, dsn=4.4.1, status=deferred (connect to mailin46-1.mobile.de[2a04:cb41:f016:2::11]:25: Network is unreachable)
postfix/smtp[11864]: connect to alt1.gmail-smtp-in.l.google.com[2404:6800:4003:c02::1b]:25: Network is unreachable

kind regards
Michael

 

[UFHH01]

Hi DJSnoopy,

even if whole ipv6 is disabeld on the server.

Could you please describe, HOW you disabled ipv6 - usage on your server? And could you please post the file "/etc/sysctl.conf" and "/etc/resolv.conf"?

 

[DJSnoopy]

I´ve disabled IPv6 like documented here:
https://wiki.centos.org/FAQ/CentOS5#head-47912ebdae3b5ac10ff76053ef057c366b421dc4
by editing the /etc/sysconfig/network and /etc/sysctl.conf (documented last part from upstream dev)

Here comes the sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

net.ipv6.conf.all.disable_ipv6 = 1

Here comes the resolv.conf

search xxxxxxx.de
nameserver <localip>
nameserver 8.8.8.8
nameserver 8.8.4.4

 

[UFHH01]

Hi DJSnoopy,

the recommended entries when disabling ipv6 - support at "sysctl.conf" are:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

... and consider to use the command:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6​

Please be aware, that if you use a firewall, or other networking applications with included ipv6 - support, the ipv6 - functionality may be re-enabled on reboots, or starts of the mentioned services and applications.


For "resolv.conf", I recommend:

nameserver 8.8.8.8
nameserver 8.8.4.4

nameserver <localip>

options rotate
options timeout:3

Please monitor again your maillog after your changes and a reboot of your server and report possible issues/problems/failures/errors again with the new informations of your log - entries.

 

[DJSnoopy]

Hi all together.

I made the configs UFHH01 suggested and rebooted the system.
Sadly in logs i found again network unreachables for IPv6 addresses:

Nov  3 10:47:06 XXX postfix/smtp[5985]: connect to gmail-smtp-in.l.google.com[2a00:1450:4013:c00::1a]:25: Network is unreachable
Nov  3 11:07:06 XXX postfix/smtp[6497]: connect to gmail-smtp-in.l.google.com[2a00:1450:4013:c00::1a]:25: Network is unreachable
Nov  3 11:07:06 XXX postfix/smtp[6497]: connect to alt1.gmail-smtp-in.l.google.com[2404:6800:4003:c02::1a]:25: Network is unreachable
Nov  3 11:17:13 XXX postfix/smtp[6730]: connect to gmr-smtp-in.l.google.com[2a00:1450:4013:c00::e]:25: Network is unreachable

kind regards
Michael

 

[IgorG]

Try to add line

NETWORKING_IPV6 = no

to /etc/sysconfig/network file and restart network with

# service network restart

It should completely disable IPv6 support.

 

[DJSnoopy]

Hi IgorG.

This is already set to NETWORKING_IPV6=NO

This was the first entry in the documentation link you asked me for

 

[UFHH01]

Hi DJSnoopy,

could you please post your "/etc/postfix/main.cf" for further investigations?

 

[DJSnoopy]

Sure and big thanks for your time helping me!

I´ve posted it to pastebin to not explode the forum

http://pastebin.com/7CLgzCBE

kind regards
Michael

 

[UFHH01]

Hi DJSnoopy,

From your main.cf:

inet_protocols = all

Now we go to the postfix documentation and see:

The first new parameter is called inet_protocols. This specifies what protocols Postfix will use when it makes or accepts network connections, and also controls what DNS lookups Postfix will use when it makes network connections.

/etc/postfix/main.cf:
# You must stop/start Postfix after changing this parameter.
inet_protocols = ipv4 (DEFAULT: enable IPv4 only)
inet_protocols = all (enable IPv4, and IPv6 if supported)
inet_protocols = ipv4, ipv6 (enable both IPv4 and IPv6)
inet_protocols = ipv6 (enable IPv6 only)

By default, Postfix uses IPv4 only, because most systems aren't attached to an IPv6 network.

You should consider to set:

inet_protocols = ipv4

..., if you disabled ipv6 - support on your server and if you only want ipv4 - connections to be accepted by postfix. Please don't forget to restart postfix after your chages.

 

[DJSnoopy]

Hiho.

And there we are at my root question (see first post)
I already changed it, but if you run mchk-command it got reset to "all"

I´ve made manually changes form inet_protocols = all TO inet_protocols = ipv4, but everytime the mchk command is executed it resets it to "all".

kind regards
Michael

 

[UFHH01]

Hi DJSnoopy,

... and IgorG already answered, that the "all" modification, when you use Plesk, is hardcoded ( which is actually a good idea, because with this setting you ensure, that the setting will support both protocols on each server ). You now desire a specific, non-standart, ipv6-only modification and made the changes as suggested and still return to let Plesk "repair" your modifications, which result again to the fact, that your modifications are overwritten again to the standart - settings, to fit the support of ipv4 AND ipv6 protocol - usage. Well, sorry to say that, but you are turning in circles. Please decide which way you would like to go, but always keep in mind, that updates/upgrades/patches and using Plesk utilities can result in re-changes of your own, specific modifications, due to "support-all-transport-protocols-policies" .

 

[DJSnoopy]

Hi UFHH01.

That´s correct. I think hardcoded is never good (speaking as long term software developer), but this is my personal own opinion
Problem is that not everyone got already IPv6 addresses.

I now made a simple bash script which now calls the mchk-command and afterwards simple patch the main.cf with an reload on the end.

Hope this works.

As little idea in my head:
Plesk is able to manage IP-Addresses already. So here it could check which IPs (type of) are managed and from there decide what to write in the main.cf
If only managing IPv4 addresses == ipv4, etc...
Just an idea.

But anyways. Big thanks for your time (both of you) to go through this problem with me.

kind regards
Michael

 

[DJSnoopy]

Ok, than i try to document my solution:

First we run mchk to create a clean main.cf and than we set up a patch. As last we build a shell script.

/usr/local/psa/admin/sbin/mchk
cd /etc/postfix/
cp main.cf main.cf.original
vim main.cf
    -> change inet_protocols = all to inet_protocols = ipv4
    -> save n exit
diff -u diff main.cf.orig main.cf > /etc/postfix/main.cf.patch
    -> should contain something like
        @@ -665,7 +665,7 @@
        # readme_directory: The location of the Postfix README files.
        #
        readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
        -inet_protocols = all
        +inet_protocols = ipv4

now we create a bash script to run it automatically

vim /etc/postfix/repairPostfix.sh

This should contain:

#!/bin/sh
cd /etc/postfix
chattr -i main.cf
/usr/local/psa/admin/sbin/mchk
patch -i main.cf.patch main.cf
chattr +i main.cf
/etc/init.d/postfix restart
exit

As last we make it runnable

chmod 700 /etc/postfix/repairPostfix.sh

So now, if plesk again forgets his alias.db or some other fancy problems i just run the script and all are happy again. I installed it as cronjob, everyone like he needs it

If you need more changes to be save, just extend the patch file.

kind regards
Michael