mynetworks support for ipv6 link local (fe80) hosts

  • Derek Atkins
    Message 1 of 15 , May 31, 2012
      Hi,

      I've got a weird configuration issue that I'm trying to track down.
      I've got a partial ipv6 network where some machines have public
      addresses and some of them only have link local (fe80::/10) addresses.
      I just upgraded my mail server to a public v6 address and now a bunch of
      my other machines (which only have v6ll addresses) can no longer send
      their nightly logwatch mail. They worked just fine when everything was
      v4 only.

      The failure is in the smtpd_sender_restrictions rule:

      smtpd_sender_restrictions = permit_mynetworks,
      permit_tls_clientcerts,
      permit_sasl_authenticated,
      check_sender_access hash:/etc/postfix/goodsender,
      check_sender_access hash:/etc/postfix/badsender,
      reject_unknown_sender_domain,
      reject_non_fqdn_sender,
      check_sender_access hash:/etc/postfix/sender_access,
      reject_unverified_sender,
      permit

      The failure appears to be that postfix does not honor the fe80 link
      local addresses in mynetworks. If I get the machine onto a public v6 IP
      address then it works fine, so really the only issue is the acceptance
      of the v6 link local address.

      Here is the mynetworks configuration:

      mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
      [fe80::]/10 [fe80::%eth0]/10 [::1]/128

      Machines are connecting from their LL address just fine:

      May 31 15:55:31 mail2 postfix/smtpd[29712]: connect from unknown[fe80::20c:29ff:fecf:7df0%eth0]

      But they are not being treated as being on "mynetworks" even though they
      should (as per the above configuration). I have a "permit_mynetworks"
      that seems to work fine for v4 and for "public" v6 addresses but not for
      v6-ll addresses. In the v6-ll case it falls through to later checks
      (and then fails in the reject_unverified_sender).

      What am I doing wrong? Do I have the correct encoding of a link local
      address? Or is there a problem with postfix matching a v6 link local
      address?

      This is postfix-2.7.4-1.fc14.i686
      If this is a bug, has this been fixed in a more recent release?

      Thanks,

      -derek

      --
      Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
      Member, MIT Student Information Processing Board (SIPB)
      URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
      warlord@... PGP key available
    • Louis Kowolowski
      Message 2 of 15 , Jun 1, 2012
        On May 31, 2012, at 3:44 PM, Derek Atkins wrote:

        > ...
        > Here is the mynetworks configuration:
        >
        > mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
        > [fe80::]/10 [fe80::%eth0]/10 [::1]/128
        >

        Have you tried reducing it to simply:
        mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48 [::1]/128 [fe80::]/10

        I have it running on a couple hosts configured in similar fashion (just no interface descriptor as part of the ll ip).
        --
        Louis Kowolowski louisk@...
        Cryptomonkeys: http://www.cryptomonkeys.org/~louisk

        Making life more interesting for people since 1977
      • Derek Atkins
        Message 3 of 15 , Jun 1, 2012
          Hey Louis!

          Louis Kowolowski <louisk@...> writes:

          > On May 31, 2012, at 3:44 PM, Derek Atkins wrote:
          >
          >> ...
          >> Here is the mynetworks configuration:
          >>
          >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
          >> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
          >>
          >
          > Have you tried reducing it to simply:
          > mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48 [::1]/128 [fe80::]/10

          Yes, I have. In fact that was the first thing I tried, but it didn't
          work. I added the interface descriptor on the theory that it was
          outputting it so therefore it might want it. Obviously that didn't
          help, either.

          > I have it running on a couple hosts configured in similar fashion
          > (just no interface descriptor as part of the ll ip).

          What version of postfix are you using? Is it possible that this was a
          bug that was fixed somewhere between 2.7 and e.g. 2.9?

          Thanks,

          > Louis Kowolowski louisk@...
          > Cryptomonkeys: http://www.cryptomonkeys.org/~louisk
          >
          > Making life more interesting for people since 1977

          -derek

          --
          Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
          Member, MIT Student Information Processing Board (SIPB)
          URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
          warlord@... PGP key available
        • DTNX Postmaster
          Message 4 of 15 , Jun 1, 2012
            On Jun 1, 2012, at 18:35, Derek Atkins wrote:

            > Hey Louis!
            >
            > Louis Kowolowski <louisk@...> writes:
            >
            >> On May 31, 2012, at 3:44 PM, Derek Atkins wrote:
            >>
            >>> ...
            >>> Here is the mynetworks configuration:
            >>>
            >>> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
            >>> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
            >>>
            >>
            >> Have you tried reducing it to simply:
            >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48 [::1]/128 [fe80::]/10
            >
            > Yes, I have. In fact that was the first thing I tried, but it didn't
            > work. I added the interface descriptor on the theory that it was
            > outputting it so therefore it might want it. Obviously that didn't
            > help, either.

            Have you tried it with '[fe80::]/64'? See;

            http://en.wikipedia.org/wiki/Link-local_address#IPv6

            Cya,
            Jona
          • Viktor Dukhovni
            Message 5 of 15 , Jun 1, 2012
              On Fri, Jun 01, 2012 at 12:35:54PM -0400, Derek Atkins wrote:

              > >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
              > >> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
              >
              > Yes, I have. In fact that was the first thing I tried, but it didn't
              > work. I added the interface descriptor on the theory that it was
              > outputting it so therefore it might want it. Obviously that didn't
              > help, either.

              See http://archives.neohapsis.com/archives/postfix/2010-11/thread.html#295
              Postfix does not AFAIK support link-local address scopes.

              --
              Viktor.
            • Derek Atkins
              Message 6 of 15 , Jun 1, 2012
                DTNX Postmaster <postmaster@...> writes:

                > On Jun 1, 2012, at 18:35, Derek Atkins wrote:
                >
                >> Hey Louis!
                >>
                >> Louis Kowolowski <louisk@...> writes:
                >>
                >>> On May 31, 2012, at 3:44 PM, Derek Atkins wrote:
                >>>
                >>>> ...
                >>>> Here is the mynetworks configuration:
                >>>>
                >>>> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
                >>>> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
                >>>>
                >>>
                >>> Have you tried reducing it to simply:
                >>> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48 [::1]/128 [fe80::]/10
                >>
                >> Yes, I have. In fact that was the first thing I tried, but it didn't
                >> work. I added the interface descriptor on the theory that it was
                >> outputting it so therefore it might want it. Obviously that didn't
                >> help, either.
                >
                > Have you tried it with '[fe80::]/64'? See;
                >
                > http://en.wikipedia.org/wiki/Link-local_address#IPv6

                Yes, I have. With and without the %eth0. I have found no configuration
                that is accepted and matches with the actual address.

                > Cya,
                > Jona

                -derek

                --
                Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
                Member, MIT Student Information Processing Board (SIPB)
                URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
                warlord@... PGP key available
              • Derek Atkins
                Message 7 of 15 , Jun 1, 2012
                  Viktor Dukhovni <postfix-users@...> writes:

                  > On Fri, Jun 01, 2012 at 12:35:54PM -0400, Derek Atkins wrote:
                  >
                  >> >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
                  >> >> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
                  >>
                  >> Yes, I have. In fact that was the first thing I tried, but it didn't
                  >> work. I added the interface descriptor on the theory that it was
                  >> outputting it so therefore it might want it. Obviously that didn't
                  >> help, either.
                  >
                  > See http://archives.neohapsis.com/archives/postfix/2010-11/thread.html#295
                  > Postfix does not AFAIK support link-local address scopes.

                  Thanks for the link, Viktor. That was back in 2010; has Wietse not
                  fixed this since then? I'd rather lose the ability to differentiate
                  between different links (and lose the ability to send to link local
                  addresses) than not be able to say link-local hosts are part of
                  mynetworks. I'll note that it's unlikely that we could send to a
                  link-local address anyways because there's really no way to put that
                  into DNS, so we're not actually losing anything by that. As for the
                  ability to differentiate between different links, that would only be an
                  issue for hosts with multiple interfaces. Again, I don't consider that
                  a big issue.

                  I would suggest that Wietse go ahead with his initial suggestion and
                  remove the link scope so he can continue to use the existing v6 address
                  matching logic. While it's not 100% "correct" to do this, I think the
                  benefits far outweigh the drawbacks (the main drawback in my case being
                  rejected mail!)

                  Wietse?

                  -derek

                  --
                  Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
                  Member, MIT Student Information Processing Board (SIPB)
                  URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
                  warlord@... PGP key available
                • Derek Atkins
                  Message 8 of 15 , Jun 1, 2012
                    Viktor Dukhovni <postfix-users@...> writes:

                    > On Fri, Jun 01, 2012 at 12:35:54PM -0400, Derek Atkins wrote:
                    >
                    >> >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
                    >> >> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
                    >>
                    >> Yes, I have. In fact that was the first thing I tried, but it didn't
                    >> work. I added the interface descriptor on the theory that it was
                    >> outputting it so therefore it might want it. Obviously that didn't
                    >> help, either.
                    >
                    > See http://archives.neohapsis.com/archives/postfix/2010-11/thread.html#295
                    > Postfix does not AFAIK support link-local address scopes.

                    For the record, this appears to have been fixed somewhere between 2.7
                    and 2.9; I just backported 2.9.2 to my mail server and using
                    mynetworks = [fe80::]/10 works as I would expect it to.

                    Sorry for the noise, and thanks for the pointer to the history. That
                    helped point me into looking at current sources to see if it's any
                    different (which it is, obviously).

                    Also, thank you, Wietse! I'm sorry I ever doubted you. :)
                    I'll buy you a beer next time I see you.

                    -derek
                    --
                    Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
                    Member, MIT Student Information Processing Board (SIPB)
                    URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
                    warlord@... PGP key available
                  • Wietse Venema
                    Message 9 of 15 , Jun 2, 2012
                      Derek Atkins:
                      > Viktor Dukhovni <postfix-users@...> writes:
                      >
                      > > On Fri, Jun 01, 2012 at 12:35:54PM -0400, Derek Atkins wrote:
                      > >
                      > >> >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
                      > >> >> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
                      > >>
                      > >> Yes, I have. In fact that was the first thing I tried, but it didn't
                      > >> work. I added the interface descriptor on the theory that it was
                      > >> outputting it so therefore it might want it. Obviously that didn't
                      > >> help, either.

                      Postfix has never output interface descriptor information unless some
                      helpful port maintainer added support to 'improve' this.

                      > > See http://archives.neohapsis.com/archives/postfix/2010-11/thread.html#295
                      > > Postfix does not AFAIK support link-local address scopes.
                      >
                      > For the record, this appears to have been fixed somewhere between 2.7
                      > and 2.9; I just backported 2.9.2 to my mail server and using
                      > mynetworks = [fe80::]/10 works as I would expect it to.

                      Postfix has always worked this way unless some helpful port maintainer
                      added support to break this.

                      Wietse
                    • Derek Atkins
                      Message 10 of 15 , Jun 2, 2012
                        Wietse Venema <wietse@...> writes:

                        > Derek Atkins:
                        >> Viktor Dukhovni <postfix-users@...> writes:
                        >>
                        >> > On Fri, Jun 01, 2012 at 12:35:54PM -0400, Derek Atkins wrote:
                        >> >
                        >> >> >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
                        >> >> >> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
                        >> >>
                        >> >> Yes, I have. In fact that was the first thing I tried, but it didn't
                        >> >> work. I added the interface descriptor on the theory that it was
                        >> >> outputting it so therefore it might want it. Obviously that didn't
                        >> >> help, either.
                        >
                        > Postfix has never output interface descriptor information unless some
                        > helpful port maintainer added support to 'improve' this.

                        Yes, it did, and it had nothing to do with a "helpful port maintainer".
                        E.g. this output:

                        May 31 15:55:31 mail2 postfix/smtpd[29712]: connect from unknown[fe80::20c:29ff:fecf:7df0%eth0]

                        Notice the "%eth0" at the end of the link-local address? This has
                        nothing to do with the "port" and everything to do with postfix and how
                        it interpreted the IP->string conversion. Indeed, Fedora pretty much
                        takes postfix as-is and applies very few patches. Note that this log
                        message was with postfix-2.7.7.

                        >> > See http://archives.neohapsis.com/archives/postfix/2010-11/thread.html#295
                        >> > Postfix does not AFAIK support link-local address scopes.
                        >>
                        >> For the record, this appears to have been fixed somewhere between 2.7
                        >> and 2.9; I just backported 2.9.2 to my mail server and using
                        >> mynetworks = [fe80::]/10 works as I would expect it to.
                        >
                        > Postfix has always worked this way unless some helpful port maintainer
                        > added support to break this.

                        Again, I beg to differ. It has NOT always worked this way (see
                        above). In fact, this diff between 2.7.7 and 2.9.2 shows exactly how it
                        has NOT always worked that way and how you fixed it:

                        --- postfix-2.7.7/src/smtpd/smtpd_peer.c 2008-04-28 20:06:08.0000
                        00000 -0400
                        +++ postfix-2.9.2/src/smtpd/smtpd_peer.c 2012-01-02 19:57:59.0000
                        00000 -0500
                        @@ -225,6 +226,14 @@
                        state->port = mystrdup(client_port.buf);

                        /*
                        + * XXX Strip off the IPv6 datalink suffix to avoid false alarms with
                        + * strict address syntax checks.
                        + */
                        +#ifdef HAS_IPV6
                        + (void) split_at(client_addr.buf, '%');
                        +#endif
                        +
                        + /*
                        * We convert IPv4-in-IPv6 address to 'true' IPv4 address early on,
                        * but only if IPv4 support is enabled (why would anyone want to turn
                        * it off)? With IPv4 support enabled we have no need for the IPv6
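Review bot: the `(void) split_at(client_addr.buf, '%')` call strips the zone suffix unconditionally, yet the comment added with it explains the strip only as avoiding "false alarms with strict address syntax checks"; the second effect, visible in this thread, is that mynetworks matching now sees a bare `fe80::...` literal, so a `[fe80::]/10` entry matches link-local clients arriving on any interface of a multi-homed host, because the interface identity is discarded before the match. Suggest saying so in the comment (e.g. "also makes link-local clients matchable by mynetworks; the interface scope is not preserved"), and consider recording the original scoped literal at verbose logging level before the strip so it can still be recovered when reading the logs.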


                        And I'm pretty sure that this is the patch (to postfix!) that fixed the
                        problem for me. Once I upgraded from 2.7.7 to 2.9.2 not only did my
                        configuration suddenly start working, but lo and behold the log messages
                        changed, too! E.g.:

                        Jun 2 04:10:02 mail2 postfix/smtpd[2315]: connect from unknown[fe80::20c:29ff:fe4e:1302]

                        Notice the lack of the "%eth0" in this log message? The only change
                        between this log message and the previous log message (above) is
                        upgrading postfix from 2.7.7 to 2.9.2, so I would say it is EXACTLY
                        postfix that changed, and nothing more.

                        So again, thank you for fixing it somewhere between 2.7.7 and 2.9.2,
                        because contrary to what you imply ipv6 link local addresses have not
                        "always worked this way" (in postfix).

                        Enjoy! (and thank you, even if you maintain you didn't fix it)

                        > Wietse

                        -derek

                        --
                        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
                        Member, MIT Student Information Processing Board (SIPB)
                        URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
                        warlord@... PGP key available
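The behaviour described in message 1 (a `[fe80::]/10` entry that never matches a client logged as `fe80::...%eth0`) and the before/after log lines in message 10 can be modelled as a small check. This is an added example, not Postfix code: the mynetworks value is the one posted in the thread (minus the `%eth0` entry, which neither version parses), the two log lines are the ones quoted above, and the strict literal check is my own approximation of the "strict address syntax checks" the hunk comment mentions, modelled as "hex digits and colons only". The `strip_zone_suffix` function does what the `split_at(..., '%')` workaround does.

```python
"""Model of permit_mynetworks for an IPv6 link-local client, with and without the
zone-suffix strip. Added example, not Postfix code; the strict check is an assumption."""
import ipaddress
import re

# mynetworks value as posted in message 1, minus the [fe80::%eth0]/10 entry.
MYNETWORKS = ("127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48 "
              "[fe80::]/10 [::1]/128")

# The two smtpd "connect from" lines quoted in the thread: 2.7.7 (with %eth0), 2.9.2 (without).
LOG_LINES = [
    "May 31 15:55:31 mail2 postfix/smtpd[29712]: connect from unknown[fe80::20c:29ff:fecf:7df0%eth0]",
    "Jun 2 04:10:02 mail2 postfix/smtpd[2315]: connect from unknown[fe80::20c:29ff:fe4e:1302]",
]

CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<name>[^\[\s]+)\[(?P<addr>[^\]]+)\]")
# Assumed strict IPv6 literal syntax: hex digits and colons only, so '%eth0' never passes.
STRICT_IPV6_RE = re.compile(r"^[0-9A-Fa-f:]+$")


def parse_mynetworks(value):
    """Turn a Postfix-style mynetworks list into ip_network objects.
    IPv6 entries use the bracketed form [net]/prefixlen; host bits are masked off."""
    nets = []
    for item in value.split():
        if item.startswith("["):
            end = item.index("]")
            item = item[1:end] + item[end + 1:]      # "[fe80::]/10" -> "fe80::/10"
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def client_address(line):
    """Extract the client IP literal from a smtpd 'connect from' line, or None."""
    m = CONNECT_RE.search(line)
    return m.group("addr") if m else None


def strip_zone_suffix(addr):
    """What the 2.8-20101126 workaround does: drop everything from the first '%'."""
    return addr.split("%", 1)[0]


def strict_parse(addr):
    """Parse a client literal under the assumed strict syntax; None when it is rejected.
    Checked before ipaddress sees it, because newer Python versions accept '%zone'."""
    if ":" in addr and not STRICT_IPV6_RE.match(addr):
        return None
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def permit_mynetworks(addr, nets, strip_zone):
    """True when the client literal lands inside one of the mynetworks entries."""
    if strip_zone:
        addr = strip_zone_suffix(addr)
    ip = strict_parse(addr)
    if ip is None:
        return False                     # unparsable literal: falls through to later checks
    return any(ip in net for net in nets)


def evaluate(lines, mynetworks=MYNETWORKS):
    """Map each logged client literal to (result without strip, result with strip)."""
    nets = parse_mynetworks(mynetworks)
    outcome = {}
    for line in lines:
        addr = client_address(line)
        if addr is None:
            continue
        outcome[addr] = (permit_mynetworks(addr, nets, strip_zone=False),
                         permit_mynetworks(addr, nets, strip_zone=True))
    return outcome


if __name__ == "__main__":
    for addr, (old, new) in evaluate(LOG_LINES).items():
        print(f"{addr:40} without strip: {old!s:5}  with strip: {new}")
```

The scoped literal from the 2.7.7 log fails the strict check and so never reaches the network match; once the suffix is stripped it matches `[fe80::]/10`, which is what the 2.9.2 upgrade produced. The flip side, also raised in the thread, is that after the strip a `[fe80::]/10` entry matches any link-local client on any interface of the relay, so on a multi-homed host that entry is broader than the interface-qualified form would have been.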
                      • Viktor Dukhovni
                        Message 11 of 15 , Jun 2, 2012
                          On Sat, Jun 02, 2012 at 12:31:10PM -0400, Derek Atkins wrote:

                          > And I'm pretty sure that this is the patch (to postfix!) that fixed the
                          > problem for me. Once I upgraded from 2.7.7 to 2.9.2 not only did my
                          > configuration suddenly start working, but lo and behold the log messages
                          > changed, too!

                          You're right. From the Postfix HISTORY file:

                          20101108

                          Workaround: strip off IPv6 datalink suffix from peer address
                          to avoid problems with strict address checking code. Files:
                          smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

                          This change appeared in Postfix 2.8-20101126, thus official releases
                          starting with 2.8.0 partly support link-local IPv6 addresses.

                          --
                          Viktor.
                        • Wietse Venema
                          Message 12 of 15 , Jun 3, 2012
                            For the record: mynetworks has always supported net/mask notation.
                            I did not notice that your problem was in client hostname lookup.

                            Wietse
                          • Derek Atkins
                            Message 13 of 15 , Jun 4, 2012
                              Wietse Venema <wietse@...> writes:

                              > For the record: mynetworks has always supported net/mask notation.

                              Of course, but that wasn't what I was talking about, and it never was.
                              I was talking about "permit_mynetworks" working properly with an ipv6
                              link local address specified in mynetworks, and *that* wasn't working
                              due to the extraneous "%eth0" in the address from the Linux "AddrToString"
                              functions.

                              > I did not notice that your problem was in client hostname lookup.

                              I'm not sure I'd classify it as "hostname lookup" but more as "link
                              local address matching". But whatever. It's working in 2.9, which is
                              all I really care about.

                              Thanks,

                              > Wietse

                              -derek

                              --
                              Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
                              Member, MIT Student Information Processing Board (SIPB)
                              URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
                              warlord@... PGP key available
                            • Wietse Venema
                              Message 14 of 15 , Jun 6, 2012
                                Derek Atkins:
                                > Wietse Venema <wietse@...> writes:
                                >
                                > > For the record: mynetworks has always supported net/mask notation.
                                >
                                > Of course, but that wasn't what I was talking about, and it never was.
                                > I was talking about "permit_mynetworks" working properly with an ipv6
                                > link local address specified in mynetworks, and *that* wasn't working
                                > due to the extraneous "%eth0" in the address from the Linux "AddrToString"
                                > functions.

                                You stated that (permit)mynetworks should support link-local suffixes
                                (they never did, and to this date they don't). Instead, when I
                                learned that such suffixes crept into Postfix via non-Postfix library
                                routines, I added code to strip them.

                                Wietse
                              • Derek Atkins
                                Message 15 of 15 , Jun 7, 2012
                                  Wietse Venema <wietse@...> writes:

                                  > Derek Atkins:
                                  >> Wietse Venema <wietse@...> writes:
                                  >>
                                  >> > For the record: mynetworks has always supported net/mask notation.
                                  >>
                                  >> Of course, but that wasn't what I was talking about, and it never was.
                                  >> I was talking about "permit_mynetworks" working properly with an ipv6
                                  >> link local address specified in mynetworks, and *that* wasn't working
                                  >> due to the extraneous "%eth0" in the address from the Linux "AddrToString"
                                  >> functions.
                                  >
                                  > You stated that (permit)mynetworks should support link-local suffixes
                                  > (they never did, and to this date they don't). Instead, when I
                                  > learned that such suffixes crept into Postfix via non-Postfix library
                                  > routines, I added code to strip them.

                                  Actually it was someone else that said postfix should support link-local
                                  suffixes. That conversation happened in 2010, well before I joined this
                                  list. I just wanted link-local matching to work with
                                  (permit)mynetworks, which it didn't in 2.7.7 (due to the suffixes), but
                                  does in 2.9.2 because you added the code to strip the suffixes. I never
                                  had a preference as to *how* the address matching would work. :)

                                  But again, thank you for adding that code. I'm a happy postfix user
                                  (again).

                                  > Wietse

                                  -derek

                                  --
                                  Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
                                  Member, MIT Student Information Processing Board (SIPB)
                                  URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
                                  warlord@... PGP key available