Re: [exim] IPv6 address comparison, and callout vs VRFY

Author: Wouter Verhelst
Date:  
To: David Woodhouse
CC: exim-users
Subject: Re: [exim] IPv6 address comparison, and callout vs VRFY
On Wed, Nov 17, 2004 at 10:15:46PM +0000, David Woodhouse wrote:
> On Wed, 2004-11-17 at 20:15 +0100, Wouter Verhelst wrote:
> > Hi,
> >
> > I've got two questions:
> >
> > * First, on a number of occasions I've had bugs in my exim.conf that
> > occurred because IPv6 addresses in exim, by default, aren't
> > canonicalized. According to the IPv6 standards, "2001:ab8:37f:20::1"
> > and "2001:ab8:38f:20:0:0:0:1" are equal. However, to exim -who does
> > string comparison- they are not. This has bitten me on a number of
> > occasions where I ran 'exim -bhc 2001:ab8:37f:20::1' to check my ACL
> > rules, and was surprised that it didn't work afterwards, since exim
> > compares the address in the ACL rule to an address in the second form,
> > which it sees as different. Is there a way to canonicalize IPv6
> > addresses before comparing them?
>
> Hmm. That would be a bug. Does it manifest itself at any time other than
> when you're using -bhc?


Not that I know of (well, apart from -bh, but that one doesn't count)

> If I have IPv6 addresses in a hostlist, it seems I can specify the
> IPv6 address in any form on the command line and it'll match them
> correctly when I connect from that address. OTOH if I have a hostname
> in the hostlist, I have to use the canonical address on the command
> line to make it match. Never does expanding the :: to strings of
> ':0:0:0...' help for me with Exim 4.42 on Linux.


No, I didn't use a hostname, I used a literal IP address.

<checks>

okay, sorry, it wasn't in the ACL code, and it was indeed the other way
around. Whoops.

grep_remote:
  driver = manualroute
  domains = grep.be
  condition = ${if eq{$sender_host_address}{2001:838:37f::209:6bff:fe27:7db2}{false}{true}}
  route_list = grep.be samba.grep.be

I don't know of any other way to do this (in fact, I wrote the above
router after a suggestion from this list). Sorry about the confusion.

The problem, thus, is that when doing ${if string comparison on IP
addresses, this comparison is done on IP addresses in the representation
as exim receives them from whatever source they are supplied from, which
may make it succeed in tests, but fail in production (or the other way
around). For the record, this is exim 4.34 (Debian package
exim4-daemon-heavy 4.34-6, but I think previous versions had this too).

Perhaps it would be a good idea to canonicalize any IPv6 address before
further processing?

> > * Second, I love exim's callout address checking feature, but I just
> > wonder, why does exim use a regular SMTP conversation to test the
> > existence of remote addresses, rather than using VRFY? It seems to me
> > that the latter was especially made for this kind of thing, no?
>
> Too few people implement VRFY and even fewer implement it properly. And
> VRFY is for verifying the forward-path not the reverse-path; there are
> addresses which verify with VRFY to which you could not send a bounce.


Okay, that explains. Thanks.

-- 
         EARTH
     smog  |   bricks
 AIR  --  mud  -- FIRE
soda water |   tequila
         WATER
 -- with thanks to fortune
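
Added example (not part of the original message, and not Exim code): a Python sketch of the mismatch described above, comparing the router's address literal against several constructed spellings first as text and then by parsed value. The sample spellings, the function names, and the folding of IPv4-mapped addresses to IPv4 are assumptions of this example and go slightly beyond the case in the thread.

```python
import ipaddress

# Address literal from the router condition in the message above.
ROUTER_LITERAL = "2001:838:37f::209:6bff:fe27:7db2"

# Constructed spellings of that same address, plus one different address (last).
SAMPLES = [
    "2001:838:37f::209:6bff:fe27:7db2",
    "2001:838:37f:0:209:6bff:fe27:7db2",
    "2001:0838:037f:0000:0209:6bff:fe27:7db2",
    "2001:838:37F::209:6BFF:FE27:7DB2",
    "2001:838:38f::209:6bff:fe27:7db2",
]


def parse(text):
    """Return the address as an ipaddress object, or None if unparsable."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 so both compare equal.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def address_eq(a, b):
    """Compare by value; unparsable input never matches."""
    pa, pb = parse(a), parse(b)
    return pa is not None and pa == pb


def canonical(text):
    """Compressed lower-case text form, or None if unparsable."""
    addr = parse(text)
    return None if addr is None else addr.compressed


def compare_all(literal=ROUTER_LITERAL, samples=SAMPLES):
    """Return (sample, text-equality result, value-equality result) per sample."""
    return [(s, s == literal, address_eq(s, literal)) for s in samples]


if __name__ == "__main__":
    for sample, by_text, by_value in compare_all():
        print(f"{sample:42} text={by_text!s:5} value={by_value}")
```

Only the first spelling passes the text comparison, while the first four pass the value comparison, which is why a rule can behave differently depending on where the address string came from.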