Hi,

I've got a weird configuration issue that I'm trying to track down.
I've got a partial ipv6 network where some machines have public
addresses and some of them only have link local (fe80::/10) addresses.
I just upgraded my mail server to a public v6 address and now a bunch of
my other machines (which only have v6ll addresses) can no longer send
their nightly logwatch mail.  They worked just fine when everything was
v4 only.

The failure is in the smtpd_sender_restrictions rule:

smtpd_sender_restrictions = permit_mynetworks,
        permit_tls_clientcerts,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/goodsender,
        check_sender_access hash:/etc/postfix/badsender,
        reject_unknown_sender_domain,
        reject_non_fqdn_sender,
        check_sender_access hash:/etc/postfix/sender_access,
        reject_unverified_sender,
        permit

The failure appears to be that postfix does not honor the fe80 link
local addresses in mynetworks.  If I get the machine onto a public v6 IP
address then it works fine, so really the only issue is the acceptance
of the v6 link local address.

Here is the mynetworks configuration:

mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
 [fe80::]/10 [fe80::%eth0]/10 [::1]/128

Machines are connecting as from their LL address just fine:

May 31 15:55:31 mail2 postfix/smtpd[29712]: connect from unknown[fe80::20c:29ff:fecf:7df0%eth0]

But they are not being treated as being on "mynetworks" even though they
should (as per the above configuration).  I have a "permit_mynetworks"
that seems to work fine for v4 and for "public" v6 addresses but not for
v6-ll addresses.  In the v6-ll case it falls through to later checks
(and then fails in the reject_unverified_sender).

What am I doing wrong?  Do I have the correct encoding of a link local
address?  Or is there a problem with postfix matching a v6 link local
address?

This is postfix-2.7.4-1.fc14.i686
If this is a bug, has this been fixed in a more recent release?

Thanks,

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warl...@mit.edu                        PGP key available
