[SOLVED] Cluster slave throwing "relay access denied" while master delivering ok

J

jors

Member
Apr 10, 2012
21
2
23
Hi there,

We have 2 Proxmox Mail Gateway nodes on a cluster. The cluster is OK and working great as an MX filter with several domains:

NAME(CID)--------------IPADDRESS----ROLE-STATE---------UPTIME---LOAD----MEM---DISK
mail-filter01(1) X.X.X.X master S 4 days 17:17 0.11 59% 34%
mail-filter02(2) Y.Y.Y.Y node S 00:09 0.36 52% 34%

But one of the domains is giving "relay access denied" when receiving mails only on the Slave node (on the Master, the mails are being delivered correctly). The relay domain & proper transport is created and showing correctly on both nodes.

We tried (in this order):

1. Rebooting the Slave node to make sure all services were getting the same configuration. No luck.
2. Removing the domain from the Relay domains and also its Transport on the Master node and adding it again. Both values were successfully removed from both Master and Slave nodes, and also correctly added. But still keeps giving "relay access denied".

As we said, we have other domains working great and this is the only domain that is giving us this headache. What is happening and what can we do?

Any help is appreciated.

Kind regards.
 
Last edited:
Hi again,

Found this: https://forum.proxmox.com/threads/relay-access-denied-on-cluster-slave.40844/

And /etc/pmg/domains and /etc/pmg/transport files had an old modification time:

root@mail-filter02:~# ls -lh /etc/pmg/
-rw-r--r-- 1 root root 120 Mar 18 13:53 domains
-rw-r--r-- 1 root root 12K Mar 18 13:53 domains.db
-rw-r--r-- 1 root root 195 Mar 17 14:35 transport
-rw-r--r-- 1 root root 12K Mar 17 14:35 transport.db

So ran postmap on both with no luck:

root@mail-filter02:~# ls -lht /etc/pmg/
-rw-r--r-- 1 root root 12K Mar 30 11:30 transport.db
-rw-r--r-- 1 root root 12K Mar 30 11:30 domains.db
-rw-r--r-- 1 root root 120 Mar 18 13:53 domains
-rw-r--r-- 1 root root 195 Mar 17 14:35 transport

But then searched for the issue domain and it is missing on the domains file (!), so this may be the problem. We would like to help you solve the bug if you want. Do you want us to review anything for you? Else we will add the domain manually and re-run postmap.

Kind regards.
 
Could be a problem with your cluster sync:
* check the journal for potential problems
* especially check messages from `pmgmirror` and `pmgtunnel`

I hope this helps!
 
Hi Stoiko,

Yes, it helped alot, thank you.

As you suggested, we had sync issues with those services:

mail-filter02:~# systemctl status pmgmirror.service
● pmgmirror.service - Proxmox Mail Gateway Database Mirror Daemon
Loaded: loaded (/lib/systemd/system/pmgmirror.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-03-30 10:00:46 CEST; 3h 3min ago
Process: 971 ExecStart=/usr/bin/pmgmirror start (code=exited, status=0/SUCCESS)
Main PID: 991 (pmgmirror)
Tasks: 1 (limit: 4666)
Memory: 75.2M
CGroup: /system.slice/pmgmirror.service
└─991 pmgmirror

Mar 30 12:54:45 mail-filter02 pmgmirror[991]: starting cluster syncronization
Mar 30 12:54:45 mail-filter02 pmgmirror[991]: sync error: syncing master configuration from 'X.X.X.X' failed: rsync error: error in rsync protocol data stream (code 12) at io.c(235) [Receiver=3.1.3]

mail-filter02:~# systemctl status pmgtunnel.service
● pmgtunnel.service - Proxmox Mail Gateway Cluster Tunnel Daemon
Loaded: loaded (/lib/systemd/system/pmgtunnel.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-03-30 10:00:31 CEST; 3h 4min ago
Process: 611 ExecStart=/usr/bin/pmgtunnel start (code=exited, status=0/SUCCESS)
Main PID: 816 (pmgtunnel)
Tasks: 1 (limit: 4666)
Memory: 77.1M
CGroup: /system.slice/pmgtunnel.service
└─816 pmgtunnel

Mar 30 12:59:22 mail-filter02 pmgtunnel[816]: restarting crashed tunnel 28312 X.X.X.X
Mar 30 12:59:22 mail-filter02 pmgtunnel[816]: tunnel finished 28312 X.X.X.X

The problem was the ssh keys/authorization of every host. Once fixed that, we could do a manual sync (apparently went ok):

mail-filter02:~# pmgcm sync
syncing master configuration from 'X.X.X.X'
updated /etc/pmg/domains
updated /etc/pmg/mynetworks
updated /etc/pmg/transport
updated /etc/mail/spamassassin/pmg-scores.cf
updated /etc/pmg/pmg.conf
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
could not change directory to "/root": Permission denied
please restart the following daemons:
pmg-smtp-filter

Is it normal this "Permission denied"?

After restarting pmgmirror and pmgtunnel services, all seems to be working fine.

Thank you very much.

Kind regards.
 
  • Like
Reactions: Stoiko Ivanov
nice! glad the issue got resolved :)

jors said:
Is it normal this "Permission denied"?
Click to expand...
yes this is due to you running the `pmgcm sync` command in '/root' and parts of the sync happen as non-root users, who cannot change into '/root'
the warnings are harmless in context of `pmgcm sync`. you can change to e.g. /tmp and run the command again, then the messages should not appear.

Please mark the thread as 'SOLVED' - this helps other users with similar problems.

Thanks!
 
Stoiko Ivanov said:
yes this is due to you running the `pmgcm sync` command in '/root' and parts of the sync happen as non-root users, who cannot change into '/root'
the warnings are harmless in context of `pmgcm sync`. you can change to e.g. /tmp and run the command again, then the messages should not appear.
Click to expand...

Perfect, thank you.

Stoiko Ivanov said:
Please mark the thread as 'SOLVED' - this helps other users with similar problems.
Click to expand...

Sure, how do I do that?

Kind regards.
 
jors said:
Sure, how do I do that?
Click to expand...
click on the 3 dots ('...') above the first post -> Edit Thread -> select 'SOLVED' as prefix
(for the next time - I updated that thread already :)
 
  • Like
Reactions: jors
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom