Univention Bugzilla – Bug 50900
UCS DNS server on DC slave not resolving spamassassin mirrors
Last modified: 2020-03-06 10:03:03 CET
I get a nightly email:

---------------------------------------------------------------
/etc/cron.daily/spamassassin:
channel: no 'mirrors.updates.spamassassin.org' record found, channel failed
sa-update failed for unknown reasons
---------------------------------------------------------------

So I google around and it turns out to be a DNS problem. There is even an entry in help.univention.de: https://help.univention.com/t/channel-no-mirrors-updates-spamassassin-org-record-found-channel-failed/8458

Turns out that the bind9 on the DC slave (that is the mail server) does not resolve mirrors.updates.spamassassin.org or 2.4.3.updates.spamassassin.org (version specific updates). A restart of the bind9 service didn't change that. The bind9 on the DC master can resolve it though!

DC SLAVE:

---------------------------------------------------------------
$ nslookup -type=TXT mirrors.updates.spamassassin.org <slave.fqdn>
Server: <slave.fqdn>
Address: <slave.ip>#53

** server can't find mirrors.updates.spamassassin.org: SERVFAIL
---------------------------------------------------------------
root@mail:~# nslookup -type=TXT mirrors.updates.spamassassin.org 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find mirrors.updates.spamassassin.org: SERVFAIL
---------------------------------------------------------------
root@mail:~# nslookup -type=TXT 2.4.3.updates.spamassassin.org 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find 2.4.3.updates.spamassassin.org: SERVFAIL
---------------------------------------------------------------

DC MASTER:

---------------------------------------------------------------
$ nslookup -type=TXT mirrors.updates.spamassassin.org <master.fqdn>
Server: <master.fqdn>
Address: <master.ip>#53

Non-authoritative answer:
mirrors.updates.spamassassin.org text = "http://spamassassin.apache.org/updates/MIRRORED.BY"

Authoritative answers can be found from:
org nameserver = a0.org.afilias-nst.info.
org nameserver = d0.org.afilias-nst.org.
org nameserver = b0.org.afilias-nst.org.
org nameserver = a2.org.afilias-nst.info.
org nameserver = c0.org.afilias-nst.info.
org nameserver = b2.org.afilias-nst.org.
a0.org.afilias-nst.info internet address = 199.19.56.1
a0.org.afilias-nst.info has AAAA address 2001:500:e::1
a2.org.afilias-nst.info internet address = 199.249.112.1
a2.org.afilias-nst.info has AAAA address 2001:500:40::1
b0.org.afilias-nst.org internet address = 199.19.54.1
b0.org.afilias-nst.org has AAAA address 2001:500:c::1
b2.org.afilias-nst.org internet address = 199.249.120.1
b2.org.afilias-nst.org has AAAA address 2001:500:48::1
c0.org.afilias-nst.info internet address = 199.19.53.1
c0.org.afilias-nst.info has AAAA address 2001:500:b::1
d0.org.afilias-nst.org internet address = 199.19.57.1
---------------------------------------------------------------
root@mail:~# nslookup -type=TXT 2.4.3.updates.spamassassin.org <master.fqdn>
Server: <master.fqdn>
Address: <master.ip>#53

Non-authoritative answer:
2.4.3.updates.spamassassin.org canonical name = 3.3.3.updates.spamassassin.org.
3.3.3.updates.spamassassin.org text = "1874824"

Authoritative answers can be found from:
org nameserver = c0.org.afilias-nst.info.
org nameserver = b0.org.afilias-nst.org.
org nameserver = a0.org.afilias-nst.info.
org nameserver = a2.org.afilias-nst.info.
org nameserver = b2.org.afilias-nst.org.
org nameserver = d0.org.afilias-nst.org.
a0.org.afilias-nst.info internet address = 199.19.56.1
a0.org.afilias-nst.info has AAAA address 2001:500:e::1
a2.org.afilias-nst.info internet address = 199.249.112.1
a2.org.afilias-nst.info has AAAA address 2001:500:40::1
b0.org.afilias-nst.org internet address = 199.19.54.1
b0.org.afilias-nst.org has AAAA address 2001:500:c::1
b2.org.afilias-nst.org internet address = 199.249.120.1
b2.org.afilias-nst.org has AAAA address 2001:500:48::1
c0.org.afilias-nst.info internet address = 199.19.53.1
c0.org.afilias-nst.info has AAAA address 2001:500:b::1
d0.org.afilias-nst.org internet address = 199.19.57.1
d0.org.afilias-nst.org has AAAA address 2001:500:f::1
---------------------------------------------------------------

This prevents updating the Spamassassin rules on DC slave systems (and probably memberserver too) which is problematic as spam often carries attack code.
For tests run:

---------------------------------------------------------------
root@mail:~# /etc/cron.daily/spamassassin
channel: no 'mirrors.updates.spamassassin.org' record found, channel failed
sa-update failed for unknown reasons
---------------------------------------------------------------

Or more verbose:

---------------------------------------------------------------
sa-update --refreshmirrors -D
[..]
Mar 6 08:54:38.419 [739] dbg: channel: attempting channel updates.spamassassin.org
Mar 6 08:54:38.419 [739] dbg: channel: using existing directory /var/lib/spamassassin/3.004002/updates_spamassassin_org
Mar 6 08:54:38.419 [739] dbg: channel: channel cf file /var/lib/spamassassin/3.004002/updates_spamassassin_org.cf
Mar 6 08:54:38.419 [739] dbg: channel: channel pre file /var/lib/spamassassin/3.004002/updates_spamassassin_org.pre
Mar 6 08:54:38.419 [739] dbg: channel: metadata version = 1874824, from file /var/lib/spamassassin/3.004002/updates_spamassassin_org.cf
Mar 6 08:54:38.421 [739] dbg: dns: query failed: 2.4.3.updates.spamassassin.org => SERVFAIL
Mar 6 08:54:38.422 [739] dbg: dns: query failed: mirrors.updates.spamassassin.org => SERVFAIL
channel: no 'mirrors.updates.spamassassin.org' record found, channel failed
---------------------------------------------------------------

Turns out the DC slave had no external DNS servers configured and could thus not resolve any domain (except its own).

Fix:

$ ucr set dns/forwarder1=<DNS.server.IP.1> dns/forwarder2=<DNS.server.IP.2> dns/forwarder3=<DNS.server.IP.3>
$ service bind9 restart
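
A check that ties the two observations in this report together, the SERVFAIL lines in the sa-update debug output and the unset dns/forwarder variables, so that stale spam rules show up in monitoring instead of only in a cron mail. This is an added example, not part of the bug report or of UCS; the function names and verdict strings are hypothetical, and the sample log is made of lines quoted in the report.

```shell
#!/bin/sh
# Added example: explain a failed sa-update run from its debug output and
# the DNS forwarders configured in UCR. Function names are hypothetical.

# Sample input: debug lines as quoted in the report above.
SAMPLE_LOG='Mar 6 08:54:38.419 [739] dbg: channel: attempting channel updates.spamassassin.org
Mar 6 08:54:38.421 [739] dbg: dns: query failed: 2.4.3.updates.spamassassin.org => SERVFAIL
Mar 6 08:54:38.422 [739] dbg: dns: query failed: mirrors.updates.spamassassin.org => SERVFAIL
channel: no '\''mirrors.updates.spamassassin.org'\'' record found, channel failed'

# Read sa-update -D output on stdin; print "<name> <rcode>" per failed lookup.
failed_dns_names() {
    sed -n 's/.*dbg: dns: query failed: \([^ ]*\) => \([A-Z]*\).*/\1 \2/p'
}

# Print the non-empty dns/forwarder1..3 values, one per line.
# Prints nothing on hosts without the ucr command.
configured_forwarders() {
    command -v ucr >/dev/null 2>&1 || return 0
    for n in 1 2 3; do ucr get "dns/forwarder$n"; done | grep . || true
}

# diagnose LOG FORWARDERS -> prints one verdict:
#   ok             no failed DNS lookups in the log
#   no-forwarders  SERVFAIL answers and no forwarder set (the case in this report)
#   dns-failure    lookups failed although forwarders are set, or a non-SERVFAIL rcode
diagnose() {
    failures=$(printf '%s\n' "$1" | failed_dns_names)
    if [ -z "$failures" ]; then
        echo ok
    elif [ -z "$2" ] && printf '%s\n' "$failures" | grep -q ' SERVFAIL$'; then
        echo no-forwarders
    else
        echo dns-failure
    fi
}

# Offline demonstration on the sample; on a UCS host use instead:
#   diagnose "$(sa-update --refreshmirrors -D 2>&1)" "$(configured_forwarders)"
diagnose "$SAMPLE_LOG" ""
```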