Re: fqrdns.pcre and IPv6

Wed, 06 Jul 2011 06:30:53 -0700 

On 7/6/2011 8:15 AM, Simon Deziel wrote:
> On 07/06/2011 03:32 AM, Henrik K wrote:
>> On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote:
>>> On 7/6/2011 12:07 AM, Simon Deziel wrote:
>>>> Hi all,
>>>>
>>>> Since I started using Stan's fqrdns.pcre file to reduce spam I have some
>>>> problems receiving emails from with IPv6 clients.
>>>>
>>>> Jul  4 05:19:10 mx postfix/smtpd[10191]: NOQUEUE: reject: RCPT from
>>>> mail.python.org[2001:888:2000:d::a6]: 554
>>>> <mail.python.org[2001:888:2000:d::a6]>: Client host rejected: Generic -
>>>> Please relay via ISP; fr
>>>> om=<john....@python.org> to=<jane....@example.com> proto=ESMTP
>>>> helo=<mail.python.org>
>>>>
>>>> Manual testing with dig showed that mail.python.org had a PTR matching
>>>> its AAAA. A few postmap lookups using IPv6 gave results I don't understand 
>>>> :
>>>>
>>>> # postmap -q "2001:888:2000:d::a6" pcre:/etc/postfix/fqrdns.pcre
>>>> REJECT     Generic - Please relay via ISP
>>>> #postmap -q "2001:888:2000:d::aa" pcre:/etc/postfix/fqrdns.pcre
>>>>
>>>> What's odd is that only 12 rules reject without mentioning the specific
>>>> ISP name/relay name and none of them should match an IPv6.
>>>>
>>>> I am probably missing something here and would greatly appreciate any
>>>> help on this.
>>>
>>> This line is the culprit.
>>> /[a-z-][0-9]+$/                        REJECT  Generic -
>>> Please relay via ISP
>>>
>>> the ...a6" of your test string matches "a letter followed by a
>>> number at the end".
>>>
>>> easy fix is to remove the offending line.  I'm too
>>> sleep-deprived to come up with anything more clever right now.
>>
>> Simply insert as first rule:
>>
>> /:/ DUNNO
>>
> 
> Thank you both, that makes a lot of sense and works well. Stan do you
> think that it would be a good idea to short-circuit all IP addresses
> look-ups by using those 2 rules at the top :
> 
> # Do not check IPv4 or IPv6
> /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/  DUNNO
> /:/  DUNNO
> 
> I am wondering why I saw no other report of this problematic behaviour.
> Except from this little problem, I really appreciate this ruleset file,
> thanks Stan for making it available to us.
> 
> Simon Deziel

Yes, this should be added to the top of the file, except the
v6 bypass expression needs to be improved.

I would assume that no one else is using this with ipv6 since
the offending rule will match any address ending with
letter+number.

  -- Noel Jones

Reply via email to