Your message dated Sat, 23 May 2009 13:42:38 +0200
with message-id <[email protected]>
and subject line Re: Bug#499034: permit_mx_backup_networks and IPv6
has caused the Debian Bug report #499034,
regarding permit_mx_backup_networks does not accept IPv6 addresses
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
499034: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499034
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postfix
Version: 2.5.4-1
Severity: important
Tags: ipv6

The primary MX for madduck.net has supported IPv6 for a while now and
I've added the appropriate AAAA record. Unfortunately, this now
causes b.mx.madduck.net, the backup MX, to reject mails, since I use
permit_mx_backup_networks set to 213.203.238.82/32.

b.mx.madduck.net is also IPv6-connected, and I verified the
IPv6-connectivity of and between both.

The problem seems to be that b.mx.madduck.net checks
a.mx.madduck.net and then only extracts the IPv6 address (even for
IPv4 connections) and tries to match that - which I haven't yet
added to permit_mx_backup_networks.

So I tried to add the IPv6 address to permit_mx_backup_networks in
all of the following forms, yielding the same error in all cases:

  2001:6f8:128a::1/128        # dict_open: unsupported dictionary type: 2001:
  [2001:6f8:128a::1]/128      # dict_open: unsupported dictionary type: [2001:
  [IPv6:2001:6f8:128a::1]/128 # dict_open: unsupported dictionary type: [IPv6:

The error appears as soon as a client connects to smtpd and prevents
it from starting; there is never a banner.

I am using postfix 2.5.4-1 on both machines. Mark Watts was unable
to reproduce this with Mandriva 2008.1 stock RPMs (2.5.1); he tried
to add an IPv6 address to permit_mx_backup_networks and add
permit_mx_backup to the smtpd_recipient_restrictions. This could
thus be a Debian-only bug, but I currently do not have the capacity
to verify that.

Wietse seems to think it's Debian-only too:
  http://www.nabble.com/Re%3A-permit_mx_backup_networks-and-IPv6-p19288016.html

Unfortunately, Debian's postfix doesn't seem to modify this code at
all, according to http://patch-tracking.debian.net/package/postfix/2.5.4-1

So I am clueless and thus filing this bug. I have not had the time
to try to run postfix from source to see if I can reproduce this
with my configuration.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1+scoflowctrl.1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages postfix depends on:
ii  adduser                  3.110           add and remove users and groups
ii  debconf [debconf-2.0]    1.5.23          Debian configuration management sy
ii  dpkg                     1.14.22         Debian package management system
ii  libc6                    2.7-13          GNU C Library: Shared libraries
ii  libdb4.6                 4.6.21-10       Berkeley v4.6 Database Libraries [
ii  libsasl2-2               2.1.22.dfsg1-23 Cyrus SASL - authentication abstra
ii  libssl0.9.8              0.9.8g-13       SSL shared libraries
ii  lsb-base                 3.2-20          Linux Standard Base 3.2 init scrip
ii  netbase                  4.33            Basic TCP/IP networking system
ii  ssl-cert                 1.0.22          simple debconf wrapper for OpenSSL

postfix recommends no packages.

Versions of packages postfix suggests:
ii  bsd-mailx [mail-re 8.1.2-0.20071201cvs-3 A simple mail user agent
ii  icedove [mail-read 2.0.0.16-1            free/unbranded thunderbird mail/ne
ii  libsasl2-modules   2.1.22.dfsg1-23       Cyrus SASL - pluggable authenticat
ii  mutt [mail-reader] 1.5.18-4              text-based mailreader supporting M
pn  postfix-cdb        <none>                (no description available)
pn  postfix-ldap       <none>                (no description available)
pn  postfix-mysql      <none>                (no description available)
pn  postfix-pcre       <none>                (no description available)
pn  postfix-pgsql      <none>                (no description available)
ii  procmail           3.22-16               Versatile e-mail processor
ii  resolvconf         1.42                  name server information handler
pn  sasl2-bin          <none>                (no description available)
pn  ufw                <none>                (no description available)

-- debconf information excluded


-- 
 .''`.   martin f. krafft <[email protected]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)


--- End Message ---
--- Begin Message ---
notfound 499034 2.5.5-1.1
notfound 499034 2.5.4-1
tags 499034 unreproducible
thanks

also sprach martin f krafft <[email protected]> [2009.05.23.0017 +0200]:
> I will try to compile upstream code and use it. However, given that
> we do not patch any source in a way that seems relevant to me and
> the only thing that we surely do differently are compiler options,
> I shied away thus far.

I found the error. Somehow, the following ended up in the config.
I have never used ETRN and I do not know how it ended up in there,
but suddenly it all makes sense.

  smtpd_etrn_restrictions =
    permit_mynetworks
    check_client_access $permit_mx_backup_networks
    reject

While this makes sense in spirit, it does not work.

Using a cidr_table for $permit_mx_backup_networks works.

So this was a local fault all along. Sorry for taking your time. Bug
report closed.

-- 
 .''`.   martin f. krafft <[email protected]>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
"one should never trust a woman who tells her real age.
 if she tells that, she will tell anything."
                                                        -- oscar wilde

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)


--- End Message ---
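
The misconfiguration found in the closing message, as an added example that is not part of the original thread: a small Python linter that expands $parameter references in restriction lists and flags any token that would be read as a lookup table but is not in type:table form with a known type. The sample main.cf is constructed, the cidr: file path and all function names are assumptions, and the token rule is a simplified model of how Postfix reads restriction lists.

```python
import re

# Constructed main.cf modelled on the report; the cidr: file path is a placeholder.
SAMPLE_MAIN_CF = """\
permit_mx_backup_networks = 213.203.238.82/32 2001:6f8:128a::1/128
smtpd_etrn_restrictions =
    permit_mynetworks
    check_client_access $permit_mx_backup_networks
    reject
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/mx_backup.cidr
"""

# Subset of Postfix lookup table types; `postconf -m` lists what a build supports.
KNOWN_TYPES = {"hash", "btree", "cidr", "pcre", "regexp", "texthash", "static",
               "cdb", "ldap", "mysql", "pgsql", "proxy", "tcp", "unix"}

def parse_main_cf(text):
    """Return {name: value}, joining continuation lines (leading whitespace)."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] = (params[name] + " " + line.strip()).strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def expand(value, params, depth=0):
    """Substitute $name, ${name} and $(name) references, as main.cf does."""
    if depth > 10:  # guard against self-referencing parameters
        return value
    return re.sub(r"\$[({]?(\w+)[)}]?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1),
                  value)

def lint_access_maps(text):
    """Flag tokens in *_restrictions that must be type:table but are not."""
    params, findings = parse_main_cf(text), []
    for name, value in params.items():
        if not name.endswith("_restrictions"):
            continue
        prev = ""
        for tok in expand(value, params).replace(",", " ").split():
            needs_map = ":" in tok or re.fullmatch(r"check_\w+_access", prev)
            kind, sep, _ = tok.partition(":")
            if needs_map and (not sep or kind not in KNOWN_TYPES):
                findings.append((name, tok))
            prev = tok
    return findings
```

On the constructed sample, the IPv6 entry is flagged because its text before the first colon ("2001") is read as a table type, which matches the "unsupported dictionary type: 2001:" error in the report; the cidr: form passes.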
