Le 06/07/2011 15:13, Noel Jones a écrit : > On 7/6/2011 2:32 AM, Henrik K wrote: >> On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote: >>> On 7/6/2011 12:07 AM, Simon Deziel wrote: >>>> Hi all, >>>> >>>> Since I started using Stan's fqrdns.pcre file to reduce spam I have some >>>> problems receiving emails from with IPv6 clients. >>>> >>>> Jul 4 05:19:10 mx postfix/smtpd[10191]: NOQUEUE: reject: RCPT from >>>> mail.python.org[2001:888:2000:d::a6]: 554 >>>> <mail.python.org[2001:888:2000:d::a6]>: Client host rejected: Generic - >>>> Please relay via ISP; fr >>>> om=<john....@python.org> to=<jane....@example.com> proto=ESMTP >>>> helo=<mail.python.org> >>>> >>>> Manual testing with dig showed that mail.python.org had a PTR matching >>>> its AAAA. A few postmap lookups using IPv6 gave results I don't understand >>>> : >>>> >>>> # postmap -q "2001:888:2000:d::a6" pcre:/etc/postfix/fqrdns.pcre >>>> REJECT Generic - Please relay via ISP >>>> #postmap -q "2001:888:2000:d::aa" pcre:/etc/postfix/fqrdns.pcre >>>> >>>> What's odd is that only 12 rules reject without mentioning the specific >>>> ISP name/relay name and none of them should match an IPv6. >>>> >>>> I am probably missing something here and would greatly appreciate any >>>> help on this. >>> >>> This line is the culprit. >>> /[a-z-][0-9]+$/ REJECT Generic - >>> Please relay via ISP >>> >>> the ...a6" of your test string matches "a letter followed by a >>> number at the end". >>> >>> easy fix is to remove the offending line. I'm too >>> sleep-deprived to come up with anything more clever right now. >> >> Simply insert as first rule: >> >> /:/ DUNNO >> > > > While that will hide the problem, it would be much better to > check for a valid v6 construct, or a least check for invalid > characters in that context. >
OP's problem is that he uses check_client_access, which will check the IP as wel as the PTR. the fix is to use check_reverse_client_hostname_access. for those who can't, the fix is for the map to exclude IPs. since this is a "black list", it is ok to exclude anything that contains a ':'. the map isn't here to find real IP addresses. it is a black list intended to catch known generic PTRs. so it's better to fail on the safe side. Stan, can you add at the top: /:/ DUNNO this will fix OP's issue until a better fix is implemented!
