> On 07 Apr 2016, at 10:17, Michiel van Es <m...@pragmasec.nl> wrote:
>
>>
>> On 07 Apr 2016, at 10:02, Joerg Jung <m...@umaxx.net> wrote:
>>
>>
>>> On 07 Apr 2016, at 08:47, Michiel van Es <m...@pragmasec.nl> wrote:
>>>> On 07 Apr 2016, at 08:41, Joerg Jung <m...@umaxx.net> wrote:
>>>>
>>>>>> What asr version have you installed? Recent one?
>>>>>>
>>>>>> You can also do a tcpdump please, to see what
>>>>>> exactly goes over the wire (and comes back)?
>>>>>>
>>>>>> Also please temporarily disable all other filters, to
>>>>>> rule-out chain problems.
>>>>>
>>>>> I installed libasr, opensmtpd and OpenSMTPD-Extras from github to ensure
>>>>> the latest version.
>>>>>
>>>>> I use the following config to only use dnsbl:
>>>>>
>>>>> filter dnsbl dnsbl "-h" "psbl.surriel.com"
>>>>> filter filter-clamav clamav
>>>>> filter all chain dnsbl
>>>>> filter sub chain filter-clamav
>>>>> pki server.pragmasec.nl key
>>>>> "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>>>>> pki server.pragmasec.nl certificate
>>>>> "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>>>>> listen on lo
>>>>> listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki
>>>>> server.pragmasec.nl
>>>>> listen on ens3 port 587 filter sub hostname server.pragmasec.nl
>>>>> tls-require pki server.pragmasec.nl auth mask-source
>>>>> expire 7d
>>>>> table vdomains "/usr/local/etc/vdomains"
>>>>> table vusers "/usr/local/etc/vusers"
>>>>> accept from any for domain <vdomains> virtual <vusers> deliver to mda
>>>>> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>>>>> accept from local for any relay
>>>>>
>>>>> tcpdump of any traffic to psbl.surriel.org: (this seems useless as the
>>>>> traffic is only dns and goes to the forwarders via my dnsmasq local cache)
>>>>> tcpdump -i any | grep ’74.92.59.67'
>>>>>
>>>>> *nothing*
>>>>>
>>>>> the error with strace and running with smtpd -d -v -T filter:
>>>>>
>>>>> epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
>>>>> smtp-in: New session 71768b23cba98cf7 from host pro-mail-smtp-001.bol.com
>>>>> [185.14.168.222]
>>>>> filter: post-event event=EVENT_CONNECT filter=dnsbl
>>>>> filter: new query QUERY_CONNECT
>>>>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197
>>>>> <->
>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>> filter: running filter filter:dnsbl[hooks=0xffffffff,flags=0x0000] for
>>>>> query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <->
>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>> filter: waiting for running query
>>>>> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <->
>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>> dnsbl[22353]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
>>>>> dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT
>>>>> address
>>>>> filter: imsg IMSG_FILTER_RESPONSE from procfilter
>>>>> dnsbl[hooks=0xffffffff,flags=0x0000]
>>>>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197
>>>>> <->
>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>> filter: filter_end_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197
>>>>> <->
>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>> filter: query 71768b247df9084f done: status=FILTER_CLOSE code=554
>>>>> response="5.7.1 Address in DNSBL"
>>>>> smtp-in: Failed command on session 71768b23cba98cf7: "" => 554 5.7.1
>>>>> Address in DNSBL
>>>>> smtp-in: Closing session 71768b23cba98cf7
>>>>> debug: smtp: 0x859c80: deleting session: done
>>>>> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
>>>>>
>>>>> dnsmasq logging:
>>>>>
>>>>> Apr 7 07:48:41 server dnsmasq[6018]: query[A]
>>>>> 222.168.14.185.psbl.surriel.com from 127.0.0.1
>>>>> Apr 7 07:48:41 server dnsmasq[6018]: forwarded
>>>>> 222.168.14.185.psbl.surriel.com to 95.85.9.86
>>>>> Apr 7 07:48:41 server dnsmasq[6018]: reply
>>>>> 222.168.14.185.psbl.surriel.com is NXDOMAIN
>>>>>
>>>>> any more pointers what could go wrong?
>>>>
>>>> To me, this really looks like a bug/problem in libasr now (Ubuntu
>>>> specific).
>>>
>>> The libasr is from github (I tried 14.04 and 16.04) but can try a different
>>> distro to check if others also have this issue?
>>
>> Others, e.g. FreeBSD and OpenBSD and some Linux (Debian/Alpine?) are known
>> to work.
>> For example, I use filter-dnsbl in production on OpenBSD.
>
> Hmm Ubuntu should be a derivative from Debian but I can also try that oner
> later on.
> BSD’s are not an option yet because of docker I am using for some containers
> (I do see the FreeBSD docker option, might try that later ;) )
>
>>
>>>> Despite the NXDOMAIN reply, this condition seems to become true for you:
>>>> https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/master/extras/wip/filters/filter-dnsbl/filter_dnsbl.c#L44
>>>>
>>>> The question is why does it become true und what is the value of:
>>>> ar->ar_gai_errno (and why has it this value).
>>>> Can you add/print the value to the log line please? For example:
>>>> log_warnx("warn: session %016"PRIx64": event_dispatch: REJECT address
>>>> ar_gai_errno=%d", *q, ar->ar_gai_errno);
>>>
>>> where do I need to add it? in which file? to
>>> /extras/wip/filters/filter-dnsbl/filter_dnsbl.c and recompile the
>>> OpenSMTPD-Extras?
>>
>> Yes, the log_warnx() from line 45 in filter_dnsbl.c
>> https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/master/extras/wip/filters/filter-dnsbl/filter_dnsbl.c#L45
>>
>> Just add ar->ar_gai_errno as additional argument like this:
>> log_warnx("warn: session %016"PRIx64": event_dispatch: REJECT address
>> ar_gai_errno=%d", *q, ar->ar_gai_errno);
>>
>> ...recompile and see log for the errno value. I hope this gives some insight
>> (at least is a start).
>
> Did that, restart smtpd and got the following:
>
> debug: smtp: new client on listener: 0x9b40f0
> smtp-in: New session 668445e741ecfaa7 from host
> pro-mail-smtp-001.bol.com[185.14.168.222]
> filter: post-event event=EVENT_CONNECT filter=dnsbl
> filter: new query QUERY_CONNECT
> filter: filter_drain_query 668445e8da5533e5[QUERY_CONNECT=178.21.114.197 <->
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x9acbf0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: running filter filter:dnsbl[hooks=0xffffffff,flags=0x0000] for query
> 668445e8da5533e5[QUERY_CONNECT=178.21.114.197 <->
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x9acbf0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: waiting for running query
> 668445e8da5533e5[QUERY_CONNECT=178.21.114.197 <->
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x9acbf0[datalen=0,eom=(nil),ofile=(nil)]]
> dnsbl[24002]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
> dnsbl[24002]: warn: session 668445e741ecfaa7: event_dispatch: REJECT address
> ar_gai_errno=-5
> filter: imsg IMSG_FILTER_RESPONSE from procfilter
> dnsbl[hooks=0xffffffff,flags=0x0000]
> filter: filter_drain_query 668445e8da5533e5[QUERY_CONNECT=178.21.114.197 <->
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x9acbf0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: filter_end_query 668445e8da5533e5[QUERY_CONNECT=178.21.114.197 <->
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x9acbf0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: query 668445e8da5533e5 done: status=FILTER_CLOSE code=554
> response="5.7.1 Address in DNSBL"
> smtp-in: Failed command on session 668445e741ecfaa7: "" => 554 5.7.1 Address
> in DNSBL
> smtp-in: Closing session 668445e741ecfaa7
> debug: smtp: 0xa70cb0: deleting session: done
> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
>
> I am not sure what 'event_dispatch: REJECT address ar_gai_errno=-5’ means..
So, this is strange, I’m bit confused now :(
You have only modified Line 45 in dnsbl_event_dispatch(), right?
Can you show me your whole modified dnsbl_event_dispatch(), please?
gai_errno=-5 means: EAI_NODATA — because, it is defined in netdb.h:
#define EAI_NODATA -5 /* no address associated with name */
This is expected and fine because IP is not listed and not found.
BUT, in line 44 in dnsbl_event_dispatch() we have:
if (ar->ar_gai_errno != EAI_NODATA) {
…
How come that it enters the if statement, when it should NOT?
Can you also please print the value of EAI_NODATA? e.g. can you add the
following in line 43 right before the if statement:
log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d", ar->ar_gai_errno,
EAI_NODATA);
--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
