Bug 196756 - mail/spamilter: Add IPv6 AAAA Lookups for MtaHostChk
Summary: mail/spamilter: Add IPv6 AAAA Lookups for MtaHostChk
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Dirk Meyer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-15 13:00 UTC by jvp
Modified: 2018-01-15 10:58 UTC (History)
2 users (show)

See Also:


Attachments
dns aaaa patch #1 (2.50 KB, patch)
2015-01-21 20:22 UTC, neal
no flags Details | Diff
dns aaaa patch #2 (2.51 KB, patch)
2015-01-21 20:56 UTC, neal
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description jvp 2015-01-15 13:00:26 UTC
The current (.60) version of spamilter included in the FreeBSD ports doesn't support IPv6 AAAA lookups, if the user has enabled MtaHostChk in the config.  If a MTA host connect via IPv6, spamilter's DNS lookup will always fail.  This patch fixes that.

# diff dns.c dns-ipv6.c
70,71c70,71
<
< 			rc = (res_nquery(statp, hn,ns_c_in,ns_t_a,packet,sizeof(packet)) == -1 ? 0 : 1);
---
> 			rc = ((res_nquery(statp, hn,ns_c_in,ns_t_a,packet,sizeof(packet)) == -1 ? 0 : 1) ||
> 			(res_nquery(statp, hn,ns_c_in,ns_t_aaaa,packet,sizeof(packet)) == -1 ? 0 : 1));
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2015-01-15 13:58:24 UTC
Fix Summary and assign.
Comment 2 Dirk Meyer freebsd_committer 2015-01-18 10:56:38 UTC
Patch created.


Further testing is needed, as the submitters Mail-Server
does not accept valid e-mails from dual-homed Servers.


   ----- The following addresses had permanent fatal errors -----
<jvp@lateapex.net>
    (reason: 550 5.7.1 <jvp@lateapex.net>... Rejecting due to security policy - Helo hostname/ip mis
match, Please see: http://www.lateapex.net/mail_policy.html#hostnameipmismatch)

   ----- Transcript of session follows -----
... while talking to mailhost.lateapex.net.:
>>> DATA
<<< 550 5.7.1 <jvp@lateapex.net>... Rejecting due to security policy - Helo hostname/ip mismatch, Pl
ease see: http://www.lateapex.net/mail_policy.html#hostnameipmismatch
550 5.1.1 <jvp@lateapex.net>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
Comment 3 jvp 2015-01-18 12:50:26 UTC
Mail server accepts mail just fine from anywhere, as long as PTRs resolve to proper hostnames, as per spamilter.  Note it was spamilter that caused your sendmail disconnection.  Fix your DNS and try again.
Comment 4 Dirk Meyer freebsd_committer 2015-01-19 06:45:08 UTC
I don't see any problems in the setup.

DNS is valid in both directions,
DNS matches HELO-name.

Further testing is needed.
Comment 5 jvp 2015-01-19 19:33:23 UTC
I suspect you meant dual-stacked, not dual-homed servers.  Thus the confusion on my part (I'm a network guy, and "dual-homed" means something entirely different).

The cause of the problem was MtaHostIpChk set to 1 in my rc file.  That needs some work to do proper IPv6 PTR resolutions and comparisons.  I've since set it to 0 and your connections should work fine now.
Comment 6 neal 2015-01-21 20:03:29 UTC
Author of Spamilter here....
Jvp's patch, looks like it will work, but will do the wrong thing for another case where dns_query_rr_a is used.
I'm developing a patch that will do the lookup that Jvp is asking for, but at the correct place.
Please don't apply the patch that Jvp provided.
Thanks.
Comment 7 neal 2015-01-21 20:22:55 UTC
Created attachment 151989 [details]
dns aaaa patch #1
Comment 8 jvp 2015-01-21 20:40:23 UTC
You'll want to check that patch, specifically the call in hndlrs.c:

+					else if(gMtaHostChk
+						&& !priv->islocalnethost
+						&& !( dns_query_rr_a(priv->statp,priv->helo) || dns_query_rr_a(priv->statp,priv->helo))
+						)

You're never calling the dns_query_rr_aaaa() function that you created.  Instead, you're just or'ing two calls to the same dns_query_rr_a() function.
Comment 9 neal 2015-01-21 20:56:43 UTC
Created attachment 151990 [details]
dns aaaa patch #2

haste, copy, paste, are not your friends... :(
Lets try this again, Thanks Jvp.
Comment 10 Dirk Meyer freebsd_committer 2015-01-26 20:34:14 UTC
Patch is now adopted to work with the port.

Testing in progress
Comment 11 commit-hook freebsd_committer 2015-04-12 17:28:42 UTC
A commit references this bug:

Author: dinoex
Date: Sun Apr 12 17:28:08 UTC 2015
New revision: 383877
URL: https://svnweb.freebsd.org/changeset/ports/383877

Log:
  - disable option ASM by default
  - bump PORTREVISION
  PR:		196756

Changes:
  head/security/openssl/Makefile
Comment 12 Walter Schwarzenfeld freebsd_triage 2018-01-13 22:40:59 UTC
Forgotten to close?
Comment 13 commit-hook freebsd_committer 2018-01-15 10:55:55 UTC
A commit references this bug:

Author: dinoex
Date: Mon Jan 15 10:55:02 UTC 2018
New revision: 459031
URL: https://svnweb.freebsd.org/changeset/ports/459031

Log:
  - Add IPv6 AAAA Lookups for MtaHostChk
  PR:		196756
  Submitted by:	jvp@lateapex.net

Changes:
  head/mail/spamilter/Makefile
  head/mail/spamilter/files/patch-dns.c
  head/mail/spamilter/files/patch-dns.h
  head/mail/spamilter/files/patch-hndlrs.c
Comment 14 Dirk Meyer freebsd_committer 2018-01-15 10:58:52 UTC
Sync missing matches to SVN.