On 12/11/2013 10:56 AM, Christian Felsing wrote:
> Hello,
>
> I have been running Cluebringer for a couple of years; now I have experienced an
> IPv6 problem on version cluebringer-v2.1.x-201310261831
>
> Google mail uses IPv6-only mail servers for sending mail to IPv6-capable
> servers. In that case the following happens if Helo checks are enabled:
>
> Dec 11 11:37:42 ip6li cbpolicyd[18017]: module=CheckHelo, action=reject,
> host=2607:f8b0:4001:c03::242, helo=mail-ie0-x242.google.com,
> from=***@googlemail.com, [email protected], reason=resolve_noerror
> Dec 11 11:37:43 velianet cbpolicyd[18017]: module=CheckHelo,
> action=reject, host=2607:f8b0:4001:c03::235,
> helo=mail-ie0-x235.google.com, from=***+caf_=***@googlemail.com,
> [email protected], reason=resolve_noerror
>
> Expected behavior: IPv6 address should resolve and should be checked
> against AAAA record.
>
> A simple check shows that Google's mail servers are resolving:
>
> $ host 2607:f8b0:4001:c03::235
> 5.3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.c.0.1.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa
> domain name pointer mail-ie0-x235.google.com.
> $ host mail-ie0-x235.google.com.
> mail-ie0-x235.google.com has IPv6 address 2607:f8b0:4001:c03::235
>
> I think there is a bug in the Cluebringer check helo subsystem for IPv6.
> The following cases need to be considered:
>
> IPv4: Check for PTR and check A record
> IPv6: Check for PTR and check AAAA record
>
> Workaround: Disable helo checks on Cluebringer so that native IPv6
> installations are not bothered by Cluebringer helo checks.

Policyd uses Net::DNS::Resolver for DNS resolution; the above appears to be a problem with that.

Can you please try the latest version and try to reproduce using just Net::DNS::Resolver?

Depending on your results we may need to slightly modify the return result of "NOERROR".

-N
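
The two cases listed in the report (IPv4: PTR plus A, IPv6: PTR plus AAAA), written out as an added Python example; it is not Cluebringer code and not part of either message. The `table_lookup` hook, the function names and the record table are assumptions, with the table constructed from the `host` output quoted above so the check runs offline.

```python
import ipaddress

# Constructed records mirroring the `host` output quoted in the report.
# They stand in for live DNS; nothing here queries the network.
RECORDS = {
    ("5.3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.c.0.1.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa",
     "PTR"): ["mail-ie0-x235.google.com."],
    ("mail-ie0-x235.google.com", "AAAA"): ["2607:f8b0:4001:c03::235"],
}


def table_lookup(name, rtype):
    """Hypothetical resolver hook: record data for (name, rtype), or []."""
    return RECORDS.get((name.rstrip(".").lower(), rtype), [])


def forward_type(client_ip):
    """Pick the forward record type from the client's address family."""
    return "AAAA" if ipaddress.ip_address(client_ip).version == 6 else "A"


def helo_matches_client(client_ip, helo, lookup=table_lookup, rtype=None):
    """True if HELO is a PTR name of the client and resolves back to it.

    rtype overrides the forward record type; passing "A" for an IPv6
    client shows what an address-family-blind check would conclude.
    """
    addr = ipaddress.ip_address(client_ip)
    rtype = rtype or forward_type(client_ip)
    # reverse_pointer yields the in-addr.arpa / ip6.arpa name for either family.
    ptr_names = {n.rstrip(".").lower()
                 for n in lookup(addr.reverse_pointer, "PTR")}
    if helo.rstrip(".").lower() not in ptr_names:
        return False
    for data in lookup(helo, rtype):
        try:
            # Compare parsed addresses so compressed and expanded IPv6
            # spellings of the same address are treated as equal.
            if ipaddress.ip_address(data) == addr:
                return True
        except ValueError:
            continue  # skip record data that is not an IP address
    return False
```

With the constructed table, forcing `rtype="A"` for the IPv6 client finds no forward record and the check fails, while the family-aware default passes; this illustrates the reported expectation and is not a diagnosis of the Cluebringer code.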
