
Re: mynetworks support for ipv6 link local (fe80) hosts

  • Derek Atkins
    Message 1 of 15 , Jun 1, 2012
      Viktor Dukhovni <postfix-users@...> writes:

      > On Fri, Jun 01, 2012 at 12:35:54PM -0400, Derek Atkins wrote:
      >
      >> >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
      >> >> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
      >>
      >> Yes, I have. In fact that was the first thing I tried, but it didn't
      >> work. I added the interface descriptor on the theory that it was
      >> outputting it so therefore it might want it. Obviously that didn't
      >> help, either.
      >
      > See http://archives.neohapsis.com/archives/postfix/2010-11/thread.html#295
      > Postfix does not AFAIK support link-local address scopes.

      For the record, this appears to have been fixed somewhere between 2.7
      and 2.9; I just backported 2.9.2 to my mail server and using
      mynetworks = [fe80::]/10 works as I would expect it to.

      Sorry for the noise, and thanks for the pointer to the history. That
      helped point me into looking at current sources to see if it's any
      different (which it is, obviously).

      Also, thank you, Wietse! I'm sorry I ever doubted you. :)
      I'll buy you a beer next time I see you.

      -derek
      --
      Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
      Member, MIT Student Information Processing Board (SIPB)
      URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
      warlord@... PGP key available
    • Wietse Venema
      Message 2 of 15 , Jun 2, 2012
        Derek Atkins:
        > Viktor Dukhovni <postfix-users@...> writes:
        >
        > > On Fri, Jun 01, 2012 at 12:35:54PM -0400, Derek Atkins wrote:
        > >
        > >> >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
        > >> >> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
        > >>
        > >> Yes, I have. In fact that was the first thing I tried, but it didn't
        > >> work. I added the interface descriptor on the theory that it was
        > >> outputting it so therefore it might want it. Obviously that didn't
        > >> help, either.

        Postfix has never output interface descriptor information unless some
        helpful port maintainer added support to 'improve' this.

        > > See http://archives.neohapsis.com/archives/postfix/2010-11/thread.html#295
        > > Postfix does not AFAIK support link-local address scopes.
        >
        > For the record, this appears to have been fixed somewhere between 2.7
        > and 2.9; I just backported 2.9.2 to my mail server and using
        > mynetworks = [fe80::]/10 works as I would expect it to.

        Postfix has always worked this way unless some helpful port maintainer
        added support to break this.

        Wietse
      • Derek Atkins
        Message 3 of 15 , Jun 2, 2012
          Wietse Venema <wietse@...> writes:

          > Derek Atkins:
          >> Viktor Dukhovni <postfix-users@...> writes:
          >>
          >> > On Fri, Jun 01, 2012 at 12:35:54PM -0400, Derek Atkins wrote:
          >> >
          >> >> >> mynetworks = 127.0.0.0/8 1.2.3.4/24 192.168.1.0/24 [2001:1234:1234::]/48
          >> >> >> [fe80::]/10 [fe80::%eth0]/10 [::1]/128
          >> >>
          >> >> Yes, I have. In fact that was the first thing I tried, but it didn't
          >> >> work. I added the interface descriptor on the theory that it was
          >> >> outputting it so therefore it might want it. Obviously that didn't
          >> >> help, either.
          >
          > Postfix has never output interface descriptor information unless some
          > helpful port maintainer added support to 'improve' this.

          Yes, it did, and it had nothing to do with a "helpful port maintainer".
          E.g. this output:

          May 31 15:55:31 mail2 postfix/smtpd[29712]: connect from unknown[fe80::20c:29ff:fecf:7df0%eth0]

          Notice the "%eth0" at the end of the link-local address? This has
          nothing to do with the "port" and everything to do with postfix and how
          it interpreted the IP->string conversion. Indeed, Fedora pretty much
          takes postfix as-is and applies very few patches. Note that this log
          message was with postfix-2.7.7.

          >> > See http://archives.neohapsis.com/archives/postfix/2010-11/thread.html#295
          >> > Postfix does not AFAIK support link-local address scopes.
          >>
          >> For the record, this appears to have been fixed somewhere between 2.7
          >> and 2.9; I just backported 2.9.2 to my mail server and using
          >> mynetworks = [fe80::]/10 works as I would expect it to.
          >
          > Postfix has always worked this way unless some helpful port maintainer
          > added support to break this.

          Again, I beg to differ. It has NOT always worked this way (see
          above). In fact, this diff between 2.7.7 and 2.9.2 shows exactly how it
          has NOT always worked that way and how you fixed it:

          --- postfix-2.7.7/src/smtpd/smtpd_peer.c 2008-04-28 20:06:08.0000
          00000 -0400
          +++ postfix-2.9.2/src/smtpd/smtpd_peer.c 2012-01-02 19:57:59.0000
          00000 -0500
          @@ -225,6 +226,14 @@
          state->port = mystrdup(client_port.buf);

          /*
          + * XXX Strip off the IPv6 datalink suffix to avoid false alarms with
          + * strict address syntax checks.
          + */
          +#ifdef HAS_IPV6
          + (void) split_at(client_addr.buf, '%');
          +#endif
          +
          + /*
          * We convert IPv4-in-IPv6 address to 'true' IPv4 address early on,
          * but only if IPv4 support is enabled (why would anyone want to turn
          * it off)? With IPv4 support enabled we have no need for the IPv6
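
          Review bot: the added `(void) split_at(client_addr.buf, '%');` line discards whatever split_at returns, so once the buffer is cut nothing records which interface a link-local peer arrived on. Consider keeping the stripped suffix in its own field, or logging it once, and extend the XXX comment to say that everything reading client_addr.buf after this point sees the address without its datalink suffix. The cut is also guarded only by `#ifdef HAS_IPV6`, with no visible check that the peer address is IPv6 before splitting at '%'; if that is intentional, the comment should say so.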


          And I'm pretty sure that this is the patch (to postfix!) that fixed the
          problem for me. Once I upgraded from 2.7.7 to 2.9.2 not only did my
          configuration suddenly start working, but lo and behold the log messages
          changed, too! E.g.:

          Jun 2 04:10:02 mail2 postfix/smtpd[2315]: connect from unknown[fe80::20c:29ff:fe4e:1302]

          Notice the lack of the "%eth0" in this log message? The only change
          between this log message and the previous log message (above) is
          upgrading postfix from 2.7.7 to 2.9.2, so I would say it is EXACTLY
          postfix that changed, and nothing more.

          So again, thank you for fixing it somewhere between 2.7.7 and 2.9.2,
          because contrary to what you imply ipv6 link local addresses have not
          "always worked this way" (in postfix).

          Enjoy! (and thank you, even if you maintain you didn't fix it)

          > Wietse

          -derek

          --
          Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
          Member, MIT Student Information Processing Board (SIPB)
          URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
          warlord@... PGP key available
        • Viktor Dukhovni
          Message 4 of 15 , Jun 2, 2012
            On Sat, Jun 02, 2012 at 12:31:10PM -0400, Derek Atkins wrote:

            > And I'm pretty sure that this is the patch (to postfix!) that fixed the
            > problem for me. Once I upgraded from 2.7.7 to 2.9.2 not only did my
            > configuration suddenly start working, but lo and behold the log messages
            > changed, too!

            You're right. From the Postfix HISTORY file:

            20101108

            Workaround: strip off IPv6 datalink suffix from peer address
            to avoid problems with strict address checking code. Files:
            smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.

            This change appeared in Postfix 2.8-20101126, thus official releases
            starting with 2.8.0 partly support link-local IPv6 addresses.

            --
            Viktor.
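
The effect of the workaround discussed above, as an added example that is not Postfix source and not code posted in this thread: a strict parser rejects the peer string while it still carries "%eth0", so it can never match [fe80::]/10, and cutting at '%' first lets the match succeed. The names `peer_in_network` and `in6_prefix_match` are hypothetical, and `inet_pton()` stands in for a strict address syntax check as an assumption.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a Postfix function: 1 if addr lies in net/plen. */
static int in6_prefix_match(const struct in6_addr *addr,
                            const struct in6_addr *net, unsigned plen)
{
    unsigned full = plen / 8, rest = plen % 8;
    unsigned char mask;
    if (plen > 128 || memcmp(addr->s6_addr, net->s6_addr, full) != 0)
        return 0;
    if (rest == 0)
        return 1;
    mask = (unsigned char) (0xff << (8 - rest));
    return (addr->s6_addr[full] & mask) == (net->s6_addr[full] & mask);
}

/*
 * Hypothetical check: 1 = peer is in net/plen, 0 = it is not, -1 = the
 * peer text is not a valid address for the strict parser.
 * With strip_zone set, the text is cut at '%' before parsing.
 */
int peer_in_network(const char *peer_text, const char *net_text,
                    unsigned plen, int strip_zone)
{
    char buf[INET6_ADDRSTRLEN + 32];
    struct in6_addr peer, net;
    char *zone;
    if (strlen(peer_text) >= sizeof(buf))
        return -1;
    strcpy(buf, peer_text);
    if (strip_zone && (zone = strchr(buf, '%')) != NULL)
        *zone = '\0';
    /* inet_pton() accepts no zone suffix, so "...%eth0" fails here. */
    if (inet_pton(AF_INET6, buf, &peer) != 1
        || inet_pton(AF_INET6, net_text, &net) != 1)
        return -1;
    return in6_prefix_match(&peer, &net, plen);
}

int main(void)
{
    /* Peer string from the 2.7.7 log line quoted in the thread. */
    const char *peer = "fe80::20c:29ff:fecf:7df0%eth0";
    printf("as logged: %d, stripped: %d\n",
           peer_in_network(peer, "fe80::", 10, 0),
           peer_in_network(peer, "fe80::", 10, 1));
    return 0;
}
```

Because the zone is dropped before matching, an entry such as [fe80::]/10 covers link-local peers on every interface; the check cannot tell eth0 from any other link.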
          • Wietse Venema
            Message 5 of 15 , Jun 3, 2012
              For the record: mynetworks has always supported net/mask notation.
              I did not notice that your problem was in client hostname lookup.

              Wietse
            • Derek Atkins
              Message 6 of 15 , Jun 4, 2012
                Wietse Venema <wietse@...> writes:

                > For the record: mynetworks has always supported net/mask notation.

                Of course, but that wasn't what I was talking about, and it never was.
                I was talking about "permit_mynetworks" working properly with an ipv6
                link local address specified in mynetworks, and *that* wasn't working
                due to the extraneous "%eth0" in the address from the Linux "AddrToString"
                functions.

                > I did not notice that your problem was in client hostname lookup.

                I'm not sure I'd classify it as "hostname lookup" but more as "link
                local address matching". But whatever. It's working in 2.9, which is
                all I really care about.

                Thanks,

                > Wietse

                -derek

                --
                Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
                Member, MIT Student Information Processing Board (SIPB)
                URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
                warlord@... PGP key available
              • Wietse Venema
                Message 7 of 15 , Jun 6, 2012
                  Derek Atkins:
                  > Wietse Venema <wietse@...> writes:
                  >
                  > > For the record: mynetworks has always supported net/mask notation.
                  >
                  > Of course, but that wasn't what I was talking about, and it never was.
                  > I was talking about "permit_mynetworks" working properly with an ipv6
                  > link local address specified in mynetworks, and *that* wasn't working
                  > due to the extraneous "%eth0" in the address from the Linux "AddrToString"
                  > functions.

                  You stated that (permit)mynetworks should support link-local suffixes
                  (they never did, and to this date they don't). Instead, when I
                  learned that such suffixes crept into Postfix via non-Postfix library
                  routines, I added code to strip them.

                  Wietse
                • Derek Atkins
                  Message 8 of 15 , Jun 7, 2012
                    Wietse Venema <wietse@...> writes:

                    > Derek Atkins:
                    >> Wietse Venema <wietse@...> writes:
                    >>
                    >> > For the record: mynetworks has always supported net/mask notation.
                    >>
                    >> Of course, but that wasn't what I was talking about, and it never was.
                    >> I was talking about "permit_mynetworks" working properly with an ipv6
                    >> link local address specified in mynetworks, and *that* wasn't working
                    >> due to the extraneous "%eth0" in the address from the Linux "AddrToString"
                    >> functions.
                    >
                    > You stated that (permit)mynetworks should support link-local suffixes
                    > (they never did, and to this date they don't). Instead, when I
                    > learned that such suffixes crept into Postfix via non-Postfix library
                    > routines, I added code to strip them.

                    Actually it was someone else that said postfix should support link-local
                    suffixes. That conversation happened in 2010, well before I joined this
                    list. I just wanted link-local matching to work with
                    (permit)mynetworks, which it didn't in 2.7.7 (due to the suffixes), but
                    does in 2.9.2 because you added the code to strip the suffixes. I never
                    had a preference as to *how* the address matching would work. :)

                    But again, thank you for adding that code. I'm a happy postfix user
                    (again).

                    > Wietse

                    -derek

                    --
                    Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
                    Member, MIT Student Information Processing Board (SIPB)
                    URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
                    warlord@... PGP key available