The current (.60) version of spamilter included in the FreeBSD ports doesn't support IPv6 AAAA lookups if the user has enabled MtaHostChk in the config. If an MTA host connects via IPv6, spamilter's DNS lookup will always fail. This patch fixes that.
# diff dns.c dns-ipv6.c
< rc = (res_nquery(statp, hn,ns_c_in,ns_t_a,packet,sizeof(packet)) == -1 ? 0 : 1);
> rc = ((res_nquery(statp, hn,ns_c_in,ns_t_a,packet,sizeof(packet)) == -1 ? 0 : 1) ||
> (res_nquery(statp, hn,ns_c_in,ns_t_aaaa,packet,sizeof(packet)) == -1 ? 0 : 1));
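Review bot: on the added ns_t_aaaa line, the AAAA result is OR-ed into the same rc as the A query, so any other code that relies on this assignment to mean "the name has an A record" will now also succeed for AAAA-only names. Consider a separate AAAA helper and combining the two results at the MtaHostChk call site instead. Both res_nquery calls also write into the same packet buffer, so if anything parses packet after this line it sees the A reply when that query succeeds and the AAAA reply only when it fails; a comment should say that only rc is meant to be used. The repeated "== -1 ? 0 : 1" can be written as "!= -1", and a unified diff (diff -u) would give the function name and context this two-line change lacks.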
Fix Summary and assign.
Further testing is needed, as the submitter's mail server
does not accept valid e-mails from dual-homed servers.
----- The following addresses had permanent fatal errors -----
(reason: 550 5.7.1 <firstname.lastname@example.org>... Rejecting due to security policy - Helo hostname/ip mismatch, Please see: http://www.lateapex.net/mail_policy.html#hostnameipmismatch)
----- Transcript of session follows -----
... while talking to mailhost.lateapex.net.:
<<< 550 5.7.1 <email@example.com>... Rejecting due to security policy - Helo hostname/ip mismatch, Please see: http://www.lateapex.net/mail_policy.html#hostnameipmismatch
550 5.1.1 <firstname.lastname@example.org>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
Mail server accepts mail just fine from anywhere, as long as PTRs resolve to proper hostnames, as per spamilter. Note it was spamilter that caused your sendmail disconnection. Fix your DNS and try again.
I don't see any problems in the setup.
DNS is valid in both directions,
DNS matches HELO-name.
Further testing is needed.
I suspect you meant dual-stacked, not dual-homed servers. Thus the confusion on my part (I'm a network guy, and "dual-homed" means something entirely different).
The cause of the problem was MtaHostIpChk set to 1 in my rc file. That needs some work to do proper IPv6 PTR resolutions and comparisons. I've since set it to 0 and your connections should work fine now.
Author of Spamilter here....
Jvp's patch looks like it will work, but will do the wrong thing for another case where dns_query_rr_a is used.
I'm developing a patch that will do the lookup that Jvp is asking for, but at the correct place.
Please don't apply the patch that Jvp provided.
Created attachment 151989
dns aaaa patch #1
You'll want to check that patch, specifically the call in hndlrs.c:
+ else if(gMtaHostChk
+ && !priv->islocalnethost
+ && !( dns_query_rr_a(priv->statp,priv->helo) || dns_query_rr_a(priv->statp,priv->helo))
You're never calling the dns_query_rr_aaaa() function that you created. Instead, you're just or'ing two calls to the same dns_query_rr_a() function.
Created attachment 151990
dns aaaa patch #2
Haste, copy, paste, are not your friends... :(
Let's try this again. Thanks, Jvp.
Patch is now adapted to work with the port.
Testing in progress.
A commit references this bug:
Date: Sun Apr 12 17:28:08 UTC 2015
New revision: 383877
- disable option ASM by default
- bump PORTREVISION
Forgotten to close?
A commit references this bug:
Date: Mon Jan 15 10:55:02 UTC 2018
New revision: 459031
- Add IPv6 AAAA Lookups for MtaHostChk
Submitted by: email@example.com
Sync missing matches to SVN.