Hi Wietse,

On 08.11.2010 21:13, Wietse Venema wrote:
>> Nov 8 17:15:46 lxmhs17 postfix/smtpd[15061]: NOQUEUE: reject: RCPT from
>> unknown[fe80::250:56ff:fea9:2c72%vlan6]: 550 5.7.1 Client host rejected:
>> cannot find your reverse hostname, [fe80::250:56ff:fea9:2c72%vlan6];
>> from=<> to=<root+...@yyy.zzz.de> proto=ESMTP
>> helo=<xxx.yyy.zzz.de>
>
> How do these systems find your server in the first place? In the worst
> case you could just delete the address, or set up a firewall rule.

DNS. System A (the MX) has a global address and is listed as MX record
in the destination domain, System B (the sender) has only a link-local
address but is directly connected on the same link and learned the
prefix to be on-link from the router. Basically like this:
MX:
9: vlan6: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500
inet6 2001:xxxx:0:103:0:25:1:2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::207:e9ff:fe24:9b2a/64 scope link
valid_lft forever preferred_lft forever
Sender:
3: eth0: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500
inet6 fe80::250:56ff:fea9:2c72/64 scope link
valid_lft forever preferred_lft forever
2001:xxxx:0:103::/64 dev eth0 metric 256 expires 17677876sec mtu 1500 advmss 1440
Deleting the link-local address on the sender is not a good idea, since
the link-local address is the most basic thing an IPv6 stack creates
when it initializes an interface. Firewalling on the server might be an
option.
>> See the %vlan6 scope identifier at the address. Unfortunately, this
>> seems to prevent the CIDR table from matching when we whitelist the
>> link-local address range.
>>
>> fe80::/64 OK
>>
>> % postmap -q fe80::250:56ff:fea9:2c72%vlan6 cidr:./access.client.connect-stage.cidr
>> % postmap -q fe80::250:56ff:fea9:2c72 cidr:./access.client.connect-stage.cidr
>> OK
>> %
>>
>> We can work around this using regexp tables (for example), but it's pretty
>> inconvenient. Can this be fixed easily? Or is it a known limitation?
>
> Postfix CIDR support uses standard system library routines such as
> inet_pton(). I am reluctant to re-invent Postfix-specific versions.
> Maybe there is some other library that does not barf on this?
>
> As far as I know, fe80::250:56ff:fea9:2c72%vlan6 is not a valid
> IPv6 address. Postfix's sanity checks will reject it in several
> places.

Phew, tough question. I did not find an RFC specifying this, but it's a
syntax often accepted by Linux network code (note that link-local is
only valid with a link-scope):
% ping6 fe80::2d0:3ff:fe3b:f400
connect: Invalid argument
% ping6 fe80::2d0:3ff:fe3b:f400%br0
PING fe80::2d0:3ff:fe3b:f400%br0(fe80::2d0:3ff:fe3b:f400) 56 data bytes
64 bytes from fe80::2d0:3ff:fe3b:f400: icmp_seq=1 ttl=64 time=0.572 ms
% ping6 -I br0 fe80::2d0:3ff:fe3b:f400
PING fe80::2d0:3ff:fe3b:f400(fe80::2d0:3ff:fe3b:f400) from fe80::221:9bff:fe80:d1cd br0: 56 data bytes
64 bytes from fe80::2d0:3ff:fe3b:f400: icmp_seq=1 ttl=64 time=0.521 ms
% ssh fe80::2d0:3ff:fe3b:f400
ssh: connect to host fe80::2d0:3ff:fe3b:f400 port 22: Invalid argument
% ssh fe80::2d0:3ff:fe3b:f400%br0
ssh: connect to host fe80::2d0:3ff:fe3b:f400%br0 port 22: Connection refused   <-- yeah, no sshd running there
Bernhard
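Why the cidr: lookup in the thread misses, and what the regexp-table workaround trades away, as an added Python example (not code from the thread and not Postfix code): socket.inet_pton() rejects the zone-suffixed address just as the postmap run above shows, a lookup that first strips the %zone suffix then matches the bare address against the table's network finds it, and a text-only regexp-style match accepts the zone suffix but also accepts link-local addresses that are outside fe80::/64. The helper names, the regexp pattern, the table contents and the extra sample addresses are constructed for the example; the log line is a copy of the one quoted above.

```python
"""Zone-ID-suffixed IPv6 client addresses versus a cidr:-style whitelist.

Added example for this thread; not Postfix code. Helper names and sample
data are constructed for illustration.
"""
import ipaddress
import re
import socket

# Constructed copy of the smtpd reject line quoted in the thread.
LOG_LINE = ("Nov  8 17:15:46 lxmhs17 postfix/smtpd[15061]: NOQUEUE: reject: RCPT from "
            "unknown[fe80::250:56ff:fea9:2c72%vlan6]: 550 5.7.1 Client host rejected: "
            "cannot find your reverse hostname, [fe80::250:56ff:fea9:2c72%vlan6]; "
            "from=<> to=<root+...@yyy.zzz.de> proto=ESMTP helo=<xxx.yyy.zzz.de>")

# The one-entry whitelist from the thread, in cidr: table shape: network -> result.
CIDR_TABLE = [(ipaddress.ip_network("fe80::/64"), "OK")]

# Textual stand-in for the regexp: table workaround mentioned in the thread:
# "starts with fe80:" plus an optional %zone suffix (hypothetical pattern).
REGEXP_WORKAROUND = re.compile(r"^fe80:[0-9a-f:]*(%[A-Za-z0-9._-]+)?$", re.IGNORECASE)

_CLIENT_RE = re.compile(r"RCPT from \S+\[([^\]]+)\]")


def client_address(log_line):
    """Return the bracketed client address from a smtpd reject line, or None."""
    m = _CLIENT_RE.search(log_line)
    return m.group(1) if m else None


def inet_pton_accepts(addr):
    """What a lookup built directly on inet_pton() sees: True only when the
    string is a plain IPv6 literal; a %zone suffix makes inet_pton() fail."""
    try:
        socket.inet_pton(socket.AF_INET6, addr)
        return True
    except OSError:
        return False


def split_zone(addr):
    """Split 'addr%zone' into (addr, zone); zone is None when there is none."""
    bare, sep, zone = addr.partition("%")
    return bare, (zone if sep else None)


def cidr_lookup(addr, table=CIDR_TABLE):
    """Zone-tolerant lookup: strip %zone, then match the bare address against
    each network in the table. Returns the table's result, or None when
    nothing matches (the equivalent of postmap -q printing nothing)."""
    bare, _zone = split_zone(addr)
    try:
        ip = ipaddress.ip_address(bare)
    except ValueError:
        return None  # not an address at all; no entry can match
    for net, result in table:
        if ip.version == net.version and ip in net:
            return result
    return None


def regexp_lookup(addr):
    """The text-only workaround: matches with or without a zone, but cannot
    tell fe80::/64 from any other address that merely begins with 'fe80:'."""
    return "OK" if REGEXP_WORKAROUND.match(addr) else None


if __name__ == "__main__":
    addr = client_address(LOG_LINE)
    print("client from log:", addr)
    for a in (addr, split_zone(addr)[0], "fe80:0:0:1::1%vlan6", "2001:db8:0:103:0:25:1:2"):
        print(f"{a:35} inet_pton={inet_pton_accepts(a)!s:5} "
              f"cidr={cidr_lookup(a)} regexp={regexp_lookup(a)}")
```

The stripped-zone lookup is the behaviour a zone-tolerant table wants: the zone only says which interface the link-local address is reachable on, it does not change which /64 the address belongs to. The regexp variant shows the cost of the workaround: fe80:0:0:1::1 is a link-local address that is not in fe80::/64, yet a prefix-of-the-text match returns OK for it.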