Quoting postfix <post...@ayni.com>:

Hi listers

[r...@mailhost ~]# rpm -q postfix
postfix-2.5.6-3.fc11.i586
[r...@mailhost ~]#

[r...@mailhost ~]# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
anvil_rate_time_unit = 60s
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/libexec/postfix
data_directory = /data/postfix/cache
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = proxy:ldap:/etc/postfix/ldap-alias.cf
mail_owner = postfix
mailbox_command =
mailbox_transport =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
mydestination = localhost.$mydomain
mydomain = $myhostname
myhostname = mailhost.mydomain.com
mynetworks = 192.168.97.0/24, aaa.bbb.206.128/27, [2002:uuuu:vvvv::]/64
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /data/postfix/queues
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relay_domains = permit_sasl_authenticated, permit_mynetworks
relayhost =
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 22
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_recipient_rate_limit = 100
smtpd_client_restrictions = permit_sasl_authenticated, hash:/etc/postfix/whitelist, hash:/etc/postfix/access
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_checks, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access hash:/etc/postfix/check_recipients, check_recipient_access hash:/etc/postfix/access, reject_rbl_client mail-abuse.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client cbl.abuseat.org, reject_rhsbl_client mail-abuse.org, reject_rhsbl_client sbl-xbl.spamhaus.org, reject_rhsbl_client blackholes.easynet.nl, reject_rhsbl_client cbl.abuseat.org check_recipient_access ldap:/etc/postfix/ldap-spamfilter.cf, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = postfix
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, hash:/etc/postfix/whitelist, check_sender_access hash:/etc/postfix/access, reject_rhsbl_sender dsn.rfc-ignorant.org
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-alias.cf
virtual_gid_maps = static:89
virtual_mailbox_base = /data/postfix/maildrop/
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-domain.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-mailbox.cf
virtual_minimum_uid = 51
virtual_transport = virtual
virtual_uid_maps = static:89
[r...@mailhost ~]#





1. Problem: format of IPv6 address in mynetworks

After many trials, I have found out that the IPv6 address in the mynetworks attribute must have a double semicolon at the end, otherwise the smtpd server throttles:

Oct 25 12:40:10 mailhost postfix/smtpd[5019]: connect from myclient.mydomain.com[2002:uuuu:vvvv:1::21]
Oct 25 12:40:10 mailhost postfix/smtpd[5019]: fatal: bad net/mask pattern: "2002:uuuu:vvvv:/64"

As far as I remember you must specify the whole network address + prefix, so the net/mask is indeed wrong.

2. Problem: permit_mynetworks with IPv6 addresses does not work

But after having found out and changed that, postfix all the same did not accept an unauthorized connection via IPv6, even if I had specified for relay_domains permit_mynetworks.

Oct 25 12:53:07 mailhost postfix/smtpd[5298]: connect from myclient.mydomain.com[2002:uuuu:vvvv:1::21]
Oct 25 12:53:08 mailhost postfix/smtpd[5298]: NOQUEUE: reject: RCPT from myclient.mydomain.com[2002:uuuu:vvvv:1::21]: 554 5.7.1

The address 2002:uuuu:vvvv:1::21 is not within 2002:uuuu:vvvv::/64 as far as I can tell. You should use 2002:uuuu:vvvv:1::/64 instead in mynetworks. The :: means all zero if memory serves me right.

Regards

Andreas
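
The subnet check discussed in this message, as an added example that is not part of the original thread and is not Postfix code: it parses literal mynetworks patterns (including the bracketed `[addr]/len` IPv6 form) and reports which one, if any, covers a client address. The addresses are constructed stand-ins for the redacted `2002:uuuu:vvvv` prefix, and file or `type:table` entries in mynetworks are assumed absent.

```python
import ipaddress
import re


def parse_mynetworks(value):
    """Split a mynetworks value into (parsed networks, rejected patterns)."""
    networks, rejected = [], []
    for pattern in re.split(r"[,\s]+", value.strip()):
        if not pattern:
            continue
        # IPv6 patterns are written [addr]/len; drop the brackets for parsing.
        m = re.fullmatch(r"\[([^\]]+)\](/\d+)?", pattern)
        text = m.group(1) + (m.group(2) or "") if m else pattern
        try:
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            # e.g. a prefix ending in a single ':' is not a valid address
            rejected.append(pattern)
    return networks, rejected


def matching_network(client, networks):
    """Return the first network that contains client, or None."""
    addr = ipaddress.ip_address(client)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


if __name__ == "__main__":
    # Constructed sample values standing in for the redacted prefix.
    client = "2002:c000:204:1::21"
    candidates = [
        "192.168.97.0/24, [2002:c000:204:]/64",    # single trailing colon
        "192.168.97.0/24, [2002:c000:204::]/64",   # valid, but subnet 0 only
        "192.168.97.0/24, [2002:c000:204:1::]/64", # the client's own subnet
        "192.168.97.0/24, [2002:c000:204::]/48",   # the whole site prefix
    ]
    for value in candidates:
        nets, bad = parse_mynetworks(value)
        hit = matching_network(client, nets)
        print(f"{value!r}: rejected={bad} match={hit}")
```
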

