Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Wietse Venema (wietseporcupine.org)
Date: Wed Dec 03 2008 - 19:25:26 CST
[ Charset ISO-8859-1 unsupported, converting... ]
> So I've done a bit of reading on postfix's internal chrooting
> capabilities and I thought it would fit exactly what I'm trying to do
> perfectly. Here is the simple desired functionality:
> . I want outbound email name lookups to use a different set of name
> servers than what the system normally uses in literal /etc/resolv.conf
> To accomplish this, I set the smtp service to chroot in master.cf and
> I moved the resolv libraries into /var/spool/postfix/lib and created a
> /var/spool/postfix/etc/resolv.conf with the nameservers i wanted to
> use. I'm running Postfix 2.3.3 on CentOS 5.2 (2.6.24) with SELinux.
> I added the chroot capability for the smtp binary to my SELinux
> policy. Postfix starts uneventfully, save for the warning about
> mismatched resolv.conf files, which is what I expect (in fact, is what
> I want). This is what I'm now seeing when I send mail:
> . smtpd runs, accepts the mail (opens literal /etc/resolv.conf vs.
> chroot /etc/resolv.conf and reads that)
> . proxymap runs next, opens literal /etc/resolv.conf
> . trivial-rewrite comes next, same resolv.conf
> . cleanup runs, same resolv.conf
> . smtp runs, establishes environment, opens literal /etc/resolv.conf
> - not chroot /etc/resolv.conf, reads contents, *then chroots*, then
> performs DNS lookups using the wrong DNS servers
> Why does the chroot happen after the name resolution environment is
> established? Wouldn't that mean that having the /etc/resolv.conf in
> the chroot is unnecessary? And more importantly, how can I get smtp
> outbound to read a different resolv.conf for me?
Some third-party library is calling stuff before Postfix chroots.
Postfix does not support chroot environments that are out of sync
with the host environment; I am not going to jump hoops to make
If you want Postfix to use a different resolver, use main.cf's
export_environment parameter to override resolver settings if
possible, run the whole lot in a FreeBSD jail, in a Solaris zone,
or in a Linux virtual server partition.