Hey friends,
I am running OpenBSD 7.0 with all patches applied. Some weeks ago I noticed a very strange issue with my OpenSMTPD instance. People are unable to use TLS when connecting via IPv6. This is not just my observation; some people on misc@ told me so as well.

I talked to gilles@ in private and he could confirm the issue, but he thinks it's not related to OpenSMTPD itself and might even be an OpenBSD (LibreSSL) issue. gilles@ told me to post this to the ML because it might be a little bit more complicated.

Here are some basics from the system. I am using the real hostname and IP addresses so everyone can look at the problem directly.

The server is configured to use both IPv4 and IPv6:

$ cat /etc/hostname.vio0
inet 116.202.103.165 255.255.255.255
inet6 2a01:4f8:c010:3301::dead:beef 64 -soii
!route add -inet 172.31.1.1 -llinfo -link -static -iface vio0
!route add -inet default 172.31.1.1

I confirmed it via ifconfig:

$ ifconfig vio0
vio0: flags=408843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,INET6_NOSOII> mtu 1500
    lladdr 96:00:00:31:1f:b5
    index 1 priority 0 llprio 3
    groups: egress
    media: Ethernet autoselect
    status: active
    inet 116.202.103.165 netmask 0xffffffff
    inet6 fe80::9400:ff:fe31:1fb5%vio0 prefixlen 64 scopeid 0x1
    inet6 2a01:4f8:c010:3301::dead:beef prefixlen 64

I can also use ping and ping6 to reach other servers, and the server can be reached over IPv4 and IPv6. So this seems to work.

Here is my OpenSMTPD config. The only thing I replaced is the encryption key:

##
## Queue
##
queue compression
queue encryption xxxxxxxxx



##
## SMTP
##
smtp max-message-size 80M
smtp sub-addr-delim "+"



##
## Tables
##
table aliases file:/etc/mail/aliases
table vdomains file:/etc/mail/table-vdomains
table vaddr file:/etc/mail/table-vaddr
table credentials file:/etc/mail/table-credentials
table filter-dyndns file:/etc/mail/table-filter-dyndns
table vmailstub file:/etc/mail/table-vmailstub



##
## PKI
##
pki "*" cert "/etc/ssl/storm-peaks.northrend.azeroth.wow-data.net.fullchain.pem"
pki "*" key "/etc/ssl/private/storm-peaks.northrend.azeroth.wow-data.net.key"


##
## Filter
##
filter "check-dyndns" phase connect match rdns regex <filter-dyndns> disconnect "550 no residential/dyndns connections"
filter "check-rdns" phase connect match !rdns disconnect "550 rDNS missmatch"
filter "check-fcrdns" phase connect match !fcrdns disconnect "550 FCrDNS missmatch"
filter "dnsbl" proc-exec "filter-dnsbl -v ix.dnsbl.manitu.net dnsbl.dronebl.org all.spamrats.com dnsbl.sorbs.net bl.spamcop.net"



##
## Listen
##
listen on lo0
listen on egress tls pki "*" filter { "check-dyndns" "check-rdns" "check-fcrdns" "dnsbl" }
listen on egress port submission tls-require pki "*" auth <credentials>
listen on egress port 25255 tls-require pki "*" auth <credentials>



##
## Actions
##
action "outbound" relay
action "local-lmtp" lmtp "/var/dovecot/lmtp" rcpt-to virtual <vmailstub>


##
## Matches
##
match from any for domain <vdomains> rcpt-to <vaddr> action "local-lmtp"
match auth from any for any action "outbound"

To me it looks like I am not doing anything different for IPv4 or IPv6. I am just listening on egress, which according to ifconfig is assigned to vio0. But people cannot use SSL/TLS on IPv6, while it works fine when using IPv4. This results in some emails from IPv6 senders getting delayed until they downgrade or switch to IPv4.

Does any of you have an idea why this might happen? To me the config seems clean. Do you have this issue on other instances as well?

Thank you so much and greetings
Leo

OpenBSD 7.0 (GENERIC.MP) #3: Wed Dec 15 13:14:26 MST 2021
    r...@syspatch-70-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4177379328 (3983MB)
avail mem = 4034760704 (3847MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5ad0 (10 entries)
bios0: vendor Hetzner version "20171111" date 11/11/2017
bios0: Hetzner vServer
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Xeon Processor (Skylake, IBRS), 2100.37 MHz, 06-55-04
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,CLWB,AVX512CD,AVX512BW,AVX512VL,PKU,MD_CLEAR,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,XSAVEC,XGETBV1,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 999MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel Xeon Processor (Skylake, IBRS), 2100.01 MHz, 06-55-04
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,CLWB,AVX512CD,AVX512BW,AVX512VL,PKU,MD_CLEAR,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,XSAVEC,XGETBV1,MELTDOWN
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu1: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
cpu0: using VERW MDS workaround
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 96:00:00:31:1f:b5
virtio0: msix shared
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio SCSI" rev 0x00
vioscsi0 at virtio1: qsize 128
scsibus2 at vioscsi0: 255 targets
sd0 at scsibus2 targ 0 lun 0: <QEMU, QEMU HARDDISK, 2.5+>
sd0: 39064MB, 512 bytes/sector, 80003072 sectors, thin
sd1 at scsibus2 targ 0 lun 1: <HC, Volume, 2.5+> serial.HC_Volume_10410864
sd1: 512000MB, 512 bytes/sector, 1048576000 sectors, thin
virtio1: msix shared
virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
viomb0 at virtio2
virtio2: apic 0 int 10
virtio3 at pci0 dev 6 function 0 "Qumranet Virtio Console" rev 0x00
virtio3: no matching child driver; not configured
virtio4 at pci0 dev 7 function 0 "Qumranet Virtio SCSI" rev 0x00
vioscsi1 at virtio4: qsize 128
scsibus3 at vioscsi1: 255 targets
virtio4: msix shared
xhci0 at pci0 dev 8 function 0 vendor "Red Hat", unknown product 0x000d rev 0x01: apic 0 int 11, xHCI 0.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Red Hat xHCI root hub" rev 3.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
dt: 445 probes
uhidev0 at uhub0 port 5 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus4 at vscsi0: 256 targets
softraid0 at root
scsibus5 at softraid0: 256 targets
sd2 at scsibus5 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd2: 39056MB, 512 bytes/sector, 79987043 sectors
root on sd2a (3aa1953775dc1966.a) swap on sd2b dump on sd2b
fd0 at fdc0 drive 1: density unknown
sd3 at scsibus5 targ 2 lun 0: <OPENBSD, SR CRYPTO, 006>
sd3: 511993MB, 512 bytes/sector, 1048561958 sectors
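The problem Leo describes is best narrowed down by probing the listener over each address family separately, so that a DNS or routing difference between A and AAAA is not mistaken for a TLS difference. The script below is an added example, not part of Leo's post or of OpenSMTPD: it resolves the host once per family, speaks the SMTP greeting/EHLO/STARTTLS exchange by hand, and then completes a verified TLS handshake with SNI set to the hostname, reporting address, whether STARTTLS was advertised, the negotiated protocol and cipher, or the exact error. The default hostname and the ports 25, 587 and 25255 come from the config above; the EHLO name "tls-probe.invalid" and the function names are my own choices.

```python
"""Probe STARTTLS on an SMTP listener over IPv4 and IPv6 separately (added example)."""
import socket
import ssl
import sys

# Hostname taken from the pki cert path in the posted smtpd.conf; override on argv[1].
DEFAULT_HOST = "storm-peaks.northrend.azeroth.wow-data.net"
# Ports from the posted "listen on egress" lines.
PORTS = (25, 587, 25255)


def parse_reply(raw):
    """Parse one complete SMTP reply (one or more CRLF lines) into (code, [text lines])."""
    lines = [ln for ln in raw.decode("utf-8", "replace").split("\r\n") if ln]
    code = int(lines[-1][:3])           # the final line carries the authoritative code
    return code, [ln[4:] for ln in lines]  # strip "250-" / "250 " prefixes


def read_reply(f):
    """Read lines until the terminating 'NNN ' line (not 'NNN-') and parse them."""
    buf = b""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("connection closed while waiting for a reply")
        buf += line
        if len(line) < 5 or line[3:4] != b"-":   # "250-..." continues, "250 ..." ends
            return parse_reply(buf)


def ehlo_advertises_starttls(lines):
    """True if the EHLO extension list contains STARTTLS."""
    return any(ln.strip().upper() == "STARTTLS" for ln in lines)


def probe_starttls(hostname, port, family, timeout=10.0):
    """Connect over one address family, EHLO, STARTTLS, then do a verified TLS handshake.

    Returns a dict; on any failure the 'error' key names the exception and message,
    so a handshake that fails only over IPv6 shows up as such rather than as a timeout.
    """
    result = {"family": "IPv6" if family == socket.AF_INET6 else "IPv4", "port": port}
    try:
        infos = socket.getaddrinfo(hostname, port, family, socket.SOCK_STREAM)
        if not infos:
            raise OSError(f"no {result['family']} address for {hostname}")
        sockaddr = infos[0][4]
        result["address"] = sockaddr[0]
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            f = sock.makefile("rb")
            code, greeting = read_reply(f)
            if code != 220:
                raise RuntimeError(f"unexpected greeting {code}: {greeting}")
            sock.sendall(b"EHLO tls-probe.invalid\r\n")   # constructed EHLO name
            code, ext = read_reply(f)
            if code != 250:
                raise RuntimeError(f"EHLO rejected {code}: {ext}")
            result["starttls_offered"] = ehlo_advertises_starttls(ext)
            if not result["starttls_offered"]:
                return result
            sock.sendall(b"STARTTLS\r\n")
            code, text = read_reply(f)
            if code != 220:
                raise RuntimeError(f"STARTTLS refused {code}: {text}")
            f.close()
            # Verified handshake: chain + hostname check, SNI = hostname, not the IP literal.
            ctx = ssl.create_default_context()
            tls = ctx.wrap_socket(sock, server_hostname=hostname)
            result["tls_version"] = tls.version()
            result["cipher"] = tls.cipher()[0]
            tls.sendall(b"QUIT\r\n")
            tls.close()
    except (OSError, ssl.SSLError, RuntimeError, ValueError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def probe_all(hostname, ports=PORTS):
    """Probe every port over both families; returns the list of result dicts."""
    return [probe_starttls(hostname, p, fam)
            for p in ports for fam in (socket.AF_INET, socket.AF_INET6)]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    for r in probe_all(host):
        print(r)
```

Run it from a host that has both IPv4 and IPv6 connectivity; a result pair where the IPv4 entry reports a tls_version and the IPv6 entry reports an error from wrap_socket (rather than from connect) isolates the failure to the TLS layer, which is the distinction gilles@'s suggestion hinges on. Note that the port 25 listener in the config above disconnects clients without matching rDNS/FCrDNS at the connect phase, so a probe from a host without forward-confirmed reverse DNS will see a 550 in the greeting on port 25 regardless of TLS; the submission ports carry no such filter and are the cleaner test.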
