When troubleshooting Postfix recently, I encountered a baffling error that halted my SMTP service:
postfix/smtp[130]: fatal: unknown service: smtp/tcp
This error typically indicates that Postfix cannot resolve the SMTP service definition. While the immediate fix (copying system files) works, understanding why it's necessary reveals important Postfix security architecture.
Postfix operates in a chroot jail by default for security reasons, meaning it can only access files within its designated directory structure (/var/spool/postfix). This isolation limits how far a compromise of a Postfix process can reach into the rest of the system.
The critical files that need manual copying are:
- /etc/services: defines network services and port mappings
- /etc/resolv.conf: contains DNS resolver information
Several scenarios can trigger this requirement:
# Common triggers:
1. Fresh Postfix installation
2. System updates that modify base files
3. Changes to DNS resolution
4. Security policy updates
5. Migration between servers
While manually copying files works, you should implement a more maintainable solution:
# Recommended approach for /etc/services:
sudo cp /etc/services /var/spool/postfix/etc/
sudo chmod 644 /var/spool/postfix/etc/services
sudo chown root:root /var/spool/postfix/etc/services
# For resolv.conf (consider alternatives for dynamic DNS):
sudo cp /etc/resolv.conf /var/spool/postfix/etc/
sudo chmod 644 /var/spool/postfix/etc/resolv.conf
For more sophisticated setups, consider these options:
- Disable chroot (not recommended for production):
# In master.cf:
smtp inet n - n - - smtpd
(The fifth field is the chroot column: replace the 'y' or '-' there with 'n'.)
- Use bind mounts (Linux systems):
sudo mount --bind /etc/services /var/spool/postfix/etc/services
sudo mount --bind /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
For servers that frequently update DNS configurations, create a maintenance script:
#!/bin/bash
# postfix-config-update.sh
cp /etc/services /var/spool/postfix/etc/
cp /etc/resolv.conf /var/spool/postfix/etc/
systemctl reload postfix
Set this to run after network changes or through cron for high-availability systems.
After implementing changes, verify with:
postfix check
telnet localhost 25
dig @8.8.8.8 example.com
These commands test service resolution, SMTP availability, and DNS functionality respectively.
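To complement the verification commands above, the following added example (not part of the original article) reports when the chroot copies of /etc/services and /etc/resolv.conf are missing, out of date, or writable by group or other. The function names and return codes are hypothetical, chosen for this illustration; the default paths are the ones used on this page.

```bash
#!/bin/bash
# Added example: detect drift between system files and their Postfix chroot copies.
# Function names and return codes are assumptions made for this illustration.

# check_chroot_copy SRC JAIL
# Returns: 0 = in sync, 1 = copy missing, 2 = copy stale, 3 = copy group/other writable
check_chroot_copy() {
    local src="$1" jail="$2" dst
    dst="$jail/etc/$(basename "$src")"
    [ -f "$dst" ] || return 1
    cmp -s "$src" "$dst" || return 2
    # A copy writable by group or other would let a non-root user
    # change the resolver or port mappings that Postfix sees in the jail.
    if [ -n "$(find "$dst" \( -perm -020 -o -perm -002 \))" ]; then
        return 3
    fi
    return 0
}

# audit_postfix_chroot [JAIL] [SYSTEM_ETC]
# Checks both files from this page; returns 1 if any copy needs attention.
audit_postfix_chroot() {
    local jail="${1:-/var/spool/postfix}" sysetc="${2:-/etc}"
    local rc=0 f status
    for f in services resolv.conf; do
        status=0
        check_chroot_copy "$sysetc/$f" "$jail" || status=$?
        case "$status" in
            0) echo "OK      $f" ;;
            1) echo "MISSING $f"; rc=1 ;;
            2) echo "STALE   $f"; rc=1 ;;
            3) echo "UNSAFE  $f (group/other writable)"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

Calling audit_postfix_chroot with no arguments from cron or a monitoring check gives a non-zero exit status whenever a copy needs refreshing or its permissions need tightening.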
When Postfix runs in a chroot environment (which is the default security configuration), it operates in an isolated filesystem subtree at /var/spool/postfix. This means it cannot directly access system files like /etc/services or /etc/resolv.conf unless they're explicitly copied into its chroot jail.
The error "fatal: unknown service: smtp/tcp" appears when:
- Your Postfix installation was recently upgraded
- You migrated servers or changed DNS configurations
- You modified Postfix's chroot settings in master.cf
Here's how to properly set up the required files:
# Create the target directory if it doesn't exist
sudo mkdir -p /var/spool/postfix/etc
# Copy essential files
sudo cp /etc/services /var/spool/postfix/etc/
sudo cp /etc/resolv.conf /var/spool/postfix/etc/
# Verify permissions
sudo chmod 644 /var/spool/postfix/etc/*
sudo chown root:root /var/spool/postfix/etc/*
# Restart Postfix
sudo systemctl restart postfix
To prevent future issues, create a systemd unit that syncs these files on boot:
[Unit]
Description=Sync Postfix chroot files
After=network.target
[Service]
Type=oneshot
ExecStart=/bin/bash -c 'cp /etc/{services,resolv.conf} /var/spool/postfix/etc/'
[Install]
WantedBy=multi-user.target
If you still experience DNS issues after copying resolv.conf, test name resolution from within the chroot:
# Note: this only works if bash and ping (and their libraries) exist inside the jail
sudo chroot /var/spool/postfix /bin/bash
ping example.com
exit
For systems using systemd-resolved, you may need additional configuration:
sudo mkdir -p /var/spool/postfix/run/systemd/resolve
sudo cp /run/systemd/resolve/stub-resolv.conf /var/spool/postfix/etc/resolv.conf
If maintaining the chroot environment isn't required for your security needs, you can disable it in /etc/postfix/master.cf by changing:
smtp inet n - y - - smtpd
to:
smtp inet n - n - - smtpd