Postfix cannot bind to port 25 after Plesk update Oct 28

[ScuL81]

Hi

In the night of October 28 the following update has been automatically installed:

Oct 28 04:09:44 Updated: psa-updates-11.0.9-rhel6.build110141001.11.noarch

Since that update my postfix service refuses to start
It continously comes back with

Oct 31 16:06:01 adm postfix/postfix-script[28854]: starting the Postfix mail system
Oct 31 16:06:01 adm postfix/master[28855]: fatal: bind 0.0.0.0 port 25: Address already in use

It cannot bind to port 25 although there is no service running on this port.
I have done extensive bug tracking with the help of some linux gurus and nobody seems to understand what the cause of this could be.

Some attempts
killall -9 postfix
postfix: no process killed

netstat -tupan |grep 25
doesn't show anything running on port 25

nc -vlp 25
doesn't show anything running on port 25

lsof -i tcp:25
doesn't show anything running on port 25

fuser 25/tcp
doesn't show anything running on port 25

SELinux status: disabled

getenforce
Disabled

/etc/services contains
smtp 25/tcp mail
smtp 25/udp mail
as normal

psa-pc-remote and opendkim
running normally
lsof -i tcp:12768
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
psa-pc-re 5233 postfix 3u IPv4 12889 0t0 TCP adm.scul.net:12768 (LISTEN)

lsof -i tcp:8891
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
opendkim 5030 opendkim 3u IPv4 12175 0t0 TCP adm.scul.net:ddi-tcp-4 (LISTEN)

sudo strace -ebind postfix start
bind(4, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
--- SIGCHLD (Child exited) @ 0 (0) ---
--- SIGCHLD (Child exited) @ 0 (0) ---
--- SIGCHLD (Child exited) @ 0 (0) ---
--- SIGCHLD (Child exited) @ 0 (0) ---
postfix/postfix-script: starting the Postfix mail system
--- SIGCHLD (Child exited) @ 0 (0) ---


strace -f output of postfix
http://www.speedyshare.com/9RTsf/putty-Copy.log

reinstall attempt of postfix
sudo yum reinstall postfix
Loaded plugins: downloadonly, fastestmirror, security
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
* base: mirror.nl.webzilla.com
* epel: mirror.nl.leaseweb.net
* extras: mirror.amsiohosting.net
* updates: mirror.denit.net
Installed package 2ostfix-2.8.4-12052415.x86_64 (from PSA_11_0_9-dist) not available.
Error: Nothing to do

 

[UFHH01]

Please try to switch to QMAIL and afterwards back to postfix again ... or/and try the command: /usr/local/psa/admin/sbin/mchk --with-spam

 

[ScuL81]

sudo /usr/local/psa/admin/sbin/mchk --with-spam
[sudo] password for xxx;
==> Checking for: mailsrv_conf_init... ok
==> Checking for: mail_handlers_init... ok
==> Checking for: mailsrv_entities_dump... ok
==> Checking for: mail_admin_aliases... ok
==> Checking for: mail_auth_dump... ok
==> Checking for: mailman_lists_dump... ok
==> Checking for: mail_kav8_restore... ok
==> Checking for: mail_responder_restore... ok
==> Checking for: mail_postfix_transport_restore... ok
==> Checking for: mail_spam_restore... not exists
==> Checking for: mail_grey_restore... ok
==> Checking for: mail_mailbox_restore... ok
==> Checking for: mail_spf_restore... ok
==> Checking for: mail_dk_restore... ok
==> Checking for: mail_drweb_restore... not exists

I am reluctant to touch postfix config as it took me ages to set it up properly with opendkim/milters making the mail valid for the Microsoft (Hotmail/MSN/Live) servers not to pick up our e-mails marked as "spam"

How safe is it to swap to Qmail temporarily and how is it done?

 

[UFHH01]

Just copy the current folder /etc/postfix to /etc/postfix.backup, to be sure, that you may restore your current configurations afterwards - it's a really quick work - around, which fixes almost every strange issue regarding postfix.

To switch to QMAIL, you either may change the eMail - server to QMAIL over your site: https://YOUR_SERVER_DOMAIN_OR_IP:8443/admin/update/add-components/
... or use the autoinstaller for it:

/usr/local/psa/admin/bin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component qmail​

/usr/local/psa/admin/bin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component postfix​

 

[ScuL81]

Ok I switched to qmail and reinstalled postfix
http://pastebin.com/6Xw0CGWF

maillog after install:
Nov 3 13:33:57 adm postfix/postfix-script[20101]: starting the Postfix mail system
Nov 3 13:33:57 adm postfix/master[20102]: fatal: bind 0.0.0.0 port 25: Address already in use

 

[UFHH01]

Did you as well try "/usr/local/psa/admin/sbin/mchk --with-spam" ?

You could as well try "killall -9 sendmail", just to be sure that this is not the cause of the issues.

 

[ScuL81]

yes the response of mchk is in the 3rd post of this topic

sendmail is not running as it is not installed.
there is no service active on port 25

 

[UFHH01]

... well.... "address already in use" does point to a usage...

You could try to stop xinet.d for a moment, make sure that your iptables are flushed ( if you have fail2ban installed, run "service fail2ban restart", other wise please use the command: iptables -F )... and try to start postfix again.


Last... I would restart the whole server... normally a bit unusual on linux systems... but I for myself would give it a try. ^^

 

[ScuL81]

I have done all of the above and still no change!! (xinet d stop/start, fail2ban is not installed, iptables flushed, server reboot)
Still "can not bind"

Someone suggested a rootkit may be on the system occupying port 25 that I cannot see
but it would be very strange that this occurred exactly around the time of the update

 

[ScuL81]

After running "psa stop" to stop all plesk services, and restarting by using "psa start" I get

Starting xinetd service... done
Starting mysqld service... done
Starting named service... done
Starting postgresql service... not installed
Starting psa-spamassassin service... not installed
Plesk: Starting Mail Server... failed
Starting psa... done

 

[UFHH01]

I don't think either, that it is a rootkit - cause... but if you would like to check that:

Update for rkhunter might be done with: /opt/psa/admin/sbin/modules/watchdog/rkhunter --configfile /opt/psa/etc/modules/watchdog/rkhunter.conf --update
( or /usr/local/psa/admin/sbin/modules/watchdog/rkhunter --configfile /usr/local/psa/etc/modules/watchdog/rkhunter.conf --update )

... and you could start a check with the command: /opt/psa/admin/sbin/modules/watchdog/rkhunter --check ( or: /usr/local/psa/admin/sbin/modules/watchdog/rkhunter --check )

 

[ScuL81]

/rkhunter.conf --update
[ Rootkit Hunter version 1.3.4 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n versions [ Update failed ]

Please check the log file (/var/log/rkhunter.log)

[15:48:28] Checking file i18n versions [ Update failed ]
[15:48:28] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
[15:48:28]


rkhunter --check

[15:50:44] Checking for enabled inetd services [ Skipped ]
[15:50:44] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[15:50:44]
[15:50:44] Performing check for enabled xinetd services
[15:50:44] Info: Using xinetd configuration file '/etc/xinetd.conf'
[15:50:44] Checking '/etc/xinetd.conf' for enabled services [ None found ]
[15:50:44] Found 'includedir /etc/xinetd.d' directive
[15:50:44] Checking '/etc/xinetd.d/chargen-dgram' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/chargen-stream' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/daytime-dgram' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/daytime-stream' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/discard-dgram' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/discard-stream' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/echo-dgram' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/echo-stream' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[15:50:44] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[15:50:44] Checking '/etc/xinetd.d/rsync' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/tcpmux-server' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/time-dgram' for enabled services [ None found ]
[15:50:44] Checking '/etc/xinetd.d/time-stream' for enabled services [ None found ]
[15:50:45] Checking for enabled xinetd services [ Warning ]
[15:50:45] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[15:50:45] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[15:50:45] Checking for Apache backdoor [ Not found ]


[15:51:08] Checking for SSH configuration file [ Found ]
[15:51:08] Info: Found SSH configuration file: /etc/ssh/sshd_config
[15:51:08] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'unset'.
[15:51:08] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '2'.
[15:51:08] Checking if SSH root access is allowed [ Warning ]
[15:51:09] Warning: The SSH and rkhunter configuration options should be the same:
[15:51:09] SSH configuration option 'PermitRootLogin': no
[15:51:09] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
[15:51:09] Checking if SSH protocol v1 is allowed [ Not allowed ]



[15:51:09] Checking for hidden files and directories [ Warning ]
[15:51:09] Warning: Hidden directory found: /dev/.mdadm
[15:51:09] Warning: Hidden directory found: /dev/.udev
[15:51:09] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compressi$
[15:51:09] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compre$
[15:51:09] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[15:51:09] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[15:51:09] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[15:51:09] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[15:51:09] Warning: Hidden file found: /sbin/.cryptsetup.hmac: ASCII text



[15:51:32] Checking version of Apache [ Warning ]
[15:51:32] Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.
[15:51:32] Checking version of ProFTPd [ Skipped ]
[15:51:32] Info: Unable to obtain version number for 'proftpd': version option gives: ProFTPD Version 1.3.4a

File properties checks...
Files checked: 128
Suspect files: 0

Rootkit checks...
Rootkits checked : 112
Possible rootkits: 0

Applications checks...
Applications checked: 7
Suspect applications: 1

 

[UFHH01]

When I scan your ports, I see as well, that 25 is open and used by postfix. Did you change something between your last post and now or found a solution for your issue?

 

[ScuL81]

Yes, I hadn't managed to update this post yet.

Thanks to a hint from another user I checked the configuration of /etc/postfix/master.cf

From the beginning this file was set to:
127.0.0.1:smtp inet n - n - - smtpd

I have changed it to
25 inet n - n - - smtpd

All of a sudden it started working.
Postfix version has not changed with either file so I suggest maybe another update or setting has enforced something to do with ipv4/ipv6 which caused the 127.0.0.1 to no longer be a valid setting