Exim IPv6 bug with reverse_host_lookup
Exim: version 4.94.2 #2 built 07-May-2021 10:34:38
cPanel: 96.0 (build 11)
OS: Linux host.redacted.ofc 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Inside the Exim advanced editor, add the following to "custom_begin_connect_post":
defer !verify = reverse_host_lookup/defer_ok
log_message = PTR invalid for $sender_host_address
We are seeing IPv6 senders with valid PTRs and matching AAAAs for that host hit the rule:
2021-06-24 14:29:03 H=[2602:ff1c:1:80::50]:60631 temporarily rejected
connection in "connect" ACL: PTR invalid for 2602:ff1c:1:80::50: host
lookup failed (2602:ff1c:1:80::50 does not match any IP address for
mta4.pr.judicialwatch.org)
On the server however, we get complete A and AAAA:
host mta4.pr.judicialwatch.org
mta4.pr.judicialwatch.org has address 192.107.243.81
mta4.pr.judicialwatch.org has IPv6 address 2602:ff1c:1:80::50
If you debug it:
exim -d-all+dns+acl -bh '[2602:ff1c:1:80::50]:60631'
Exim version 4.94.2 uid=0 gid=0 pid=27354 D=24
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning DANE
DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR SPF Experimental_SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch passwd sqlite
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [4.8.2 20140120 (Red Hat 4.8.2-16)]
Library version: Glibc: Compile: 2.17
Runtime: 2.17
Library version: BDB: Compile: Berkeley DB 5.3.21: (May 11, 2012)
Runtime: Berkeley DB 5.3.21: (May 11, 2012)
Library version: OpenSSL: Compile: OpenSSL 1.0.2k-fips 26 Jan 2017
Runtime: OpenSSL 1.0.2k-fips 26 Jan 2017
: built on: reproducible build, date unspecified
Library version: IDN: Compile: 1.28
Runtime: 1.28
Library version: spf2: Compile: 1.2.10
Runtime: 1.2.10
Library version: PCRE: Compile: 8.32
Runtime: 8.32 2012-11-30
Library version: SQLite: Compile: 3.7.17
Runtime: 3.32.3
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST: "/etc/exim_trusted_configs"
XDG_SESSION_ID in keep_environment? no (end of list)
HOSTNAME in keep_environment? no (end of list)
TERM in keep_environment? no (end of list)
SHELL in keep_environment? no (end of list)
HISTSIZE in keep_environment? no (end of list)
SSH_CLIENT in keep_environment? no (end of list)
SSH_TTY in keep_environment? no (end of list)
USER in keep_environment? no (end of list)
LS_COLORS in keep_environment? no (end of list)
MAIL in keep_environment? no (end of list)
PATH in keep_environment? no (end of list)
PWD in keep_environment? no (end of list)
EDITOR in keep_environment? no (end of list)
LANG in keep_environment? no (end of list)
PS1 in keep_environment? no (end of list)
HISTCONTROL in keep_environment? no (end of list)
SHLVL in keep_environment? no (end of list)
HOME in keep_environment? no (end of list)
LOGNAME in keep_environment? no (end of list)
VISUAL in keep_environment? no (end of list)
SSH_CONNECTION in keep_environment? no (end of list)
LESSOPEN in keep_environment? no (end of list)
XDG_RUNTIME_DIR in keep_environment? no (end of list)
HISTTIMEFORMAT in keep_environment? no (end of list)
_ in keep_environment? no (end of list)
configuration file is /etc/exim.conf
log selectors = 00001ffe 99805426 00000003
trusted user
admin user
**** SMTP testing session as if from host
2602:ff1c:0001:0080:0000:0000:0000:0050
**** but without any ident (RFC 1413) callback.
**** This is not for real!
host in hosts_connection_nolog? no (option unset)
LOG: smtp_connection MAIN
SMTP connection from [2602:ff1c:0001:0080:0000:0000:0000:0050]:60631
host in host_lookup? no (option unset)
host in host_reject_connection? no (option unset)
host in sender_unqualified_hosts? no (option unset)
host in recipient_unqualified_hosts? no (option unset)
host in helo_verify_hosts? no (option unset)
host in helo_try_verify_hosts? no (option unset)
host in helo_accept_junk_hosts? yes (matched "*")
using ACL "acl_smtp_connect"
...snip...
looking up host name for 2602:ff1c:0001:0080:0000:0000:0000:0050
DNS lookup of
0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa. (PTR)
succeeded
Reverse DNS security status: unverified
IP address lookup yielded "mta4.pr.judicialwatch.org"
DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
checking addresses for mta4.pr.judicialwatch.org
Forward DNS security status: unverified
192.107.243.81
no IP address for mta4.pr.judicialwatch.org matched
2602:ff1c:0001:0080:0000:0000:0000:0050
2602:ff1c:0001:0080:0000:0000:0000:0050 does not match any IP address
for mta4.pr.judicialwatch.org
...snip...
defer: condition test succeeded in ACL "acl_smtp_connect"
end of ACL "acl_smtp_connect": DEFER
451 Temporary local problem - please try later
LOG: connection_reject MAIN REJECT
H=[2602:ff1c:0001:0080:0000:0000:0000:0050]:60631 temporarily
rejected connection in "connect" ACL: PTR invalid for
2602:ff1c:0001:0080:0000:0000:0000:0050: host lookup failed
(2602:ff1c:0001:0080:0000:0000:0000:0050 does not match any IP address
for mta4.pr.judicialwatch.org)
Note that we only see "DNS lookup of mta4.pr.judicialwatch.org (A) succeeded"; there is no DNS lookup for the AAAA. Non-cPanel Exim installations on the same Exim version do not exhibit this issue:
looking up host name for 2602:ff1c:0001:0080:0000:0000:0000:0050
DNS lookup of 0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa. (PTR) succeeded
Reverse DNS security status: unverified
IP address lookup yielded "mta4.pr.judicialwatch.org"
DNS lookup of mta4.pr.judicialwatch.org (AAAA) succeeded
DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
checking addresses for mta4.pr.judicialwatch.org
Forward DNS security status: unverified
2602:ff1c:1:80::50 OK
Edit: clarified title, spelling
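The difference between the two debug traces above, as an added example that is not part of the original post and is not Exim's code: a forward-confirmed reverse DNS check run against a constructed lookup table built from the records quoted in the post. The names `RECORDS`, `lookup`, `fcrdns` and `queried_types` are hypothetical.

```python
import ipaddress

# Constructed resolver data mirroring the records quoted in the post.
HOST = "mta4.pr.judicialwatch.org"
CLIENT = "2602:ff1c:0001:0080:0000:0000:0000:0050"
RECORDS = {
    (ipaddress.ip_address(CLIENT).reverse_pointer, "PTR"): [HOST],
    (HOST, "A"): ["192.107.243.81"],
    (HOST, "AAAA"): ["2602:ff1c:1:80::50"],
}


def lookup(name, rtype):
    """Stand-in for a DNS query; answers only from the constructed table."""
    return RECORDS.get((name.rstrip("."), rtype), [])


def fcrdns(client_ip, forward_types):
    """Forward-confirmed reverse DNS: PTR, then forward lookups, then compare.

    forward_types is the list of record types the forward step queries.
    Returns (matched, trace), where trace records every query that was made.
    """
    ip = ipaddress.ip_address(client_ip)
    ptr_name = ip.reverse_pointer  # nibble-reversed name under ip6.arpa
    names = lookup(ptr_name, "PTR")
    trace = [("PTR", ptr_name, names)]
    candidates = []
    for name in names:
        for rtype in forward_types:
            answers = lookup(name, rtype)
            trace.append((rtype, name, answers))
            candidates.extend(answers)
    # Compare parsed addresses so expanded and compressed IPv6 forms are equal.
    matched = any(ipaddress.ip_address(a) == ip for a in candidates)
    return matched, trace


def queried_types(trace):
    """Record types queried, in order, for comparison with a debug trace."""
    return [rtype for rtype, _name, _answers in trace]


if __name__ == "__main__":
    for label, types in (("A only", ["A"]), ("AAAA and A", ["AAAA", "A"])):
        ok, trace = fcrdns(CLIENT, types)
        print(label, queried_types(trace), "match" if ok else "no match")
```

When triaging "does not match any IP address" deferrals for IPv6 senders, the equivalent check on a real trace is whether an (AAAA) lookup line appears between the PTR result and "checking addresses".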
Hey there! Thanks for letting me know about this. I know I'm not going to be able to get to this today, but I'll do some testing with it tomorrow and get you more details.
I've been having issues getting a proper testing environment setup to replicate this behavior. Could you submit a ticket to our team so we can do some additional work on this for you? Please let me know the ticket number once you've had a chance to do that so I can follow along on my end.
Has there been an update for this? This problem still exists and does not do forward AAAA queries.
@assid2 - at this point we haven't been able to reproduce the issue. If you have a server where you're experiencing the problem, please submit a ticket to our support team so we can check this out.
Thanks for that - I just read through the ticket, and I have some additional thoughts. I'm doing some research on my end and I'll post an update once I have more details.
I spoke with our email team about this issue and they are discussing what options are available. Hopefully I'll have an update to share later next week.
Thanks, sounds like you have a plan. I'm sure many people will appreciate it :D
This has now been assigned to a team so they are going to explore if it's something we want to adjust or just remove. I'll be sure to keep this thread updated with my findings.
Hi, just wondering if there have been any further updates on this?
There is - the team is still discussing options, but I don't have anything worth posting just yet.
Update - this has been resolved with the following note in the rpm changelog:
Add flag file for restoring old sort bias for ipv6 case
HB-6385: Considering that by default we'll likely want to keep our patched behavior (given the last patch for this was in the other direction "you could enable patched behavior with flag file" was reverted), we'll use a flag file (/var/cpanel/exim_ipv6_sort_bias) for restoring the "original" behavior.