Re: [exim] ipv6 dnsbl errors

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Randy Bush
CC: exim users
Subject: Re: [exim] ipv6 dnsbl errors
On 2008-01-17 at 10:15 +0900, Randy Bush wrote:
> thanks!


Poor Peter, he replied twice but you probably didn't see it since you
would have been rejecting exim-users coming in over IPv6.

> if this gets out, it worked!


It got out.

Is the configuration exactly as described? Which version of Exim are
you using? I don't see the behaviour which you see. I can't see any
changes in the ChangeLog regarding changes in this behaviour, so
something else is wrong in your system to cause this. If memory serves,
you're using FreeBSD; in fact, your Received: headers confirm this. I'm
using FreeBSD, so it's the same OS (modulo platform/release
differences).

I just added this to the zonefile for globnix.net:

2.0.0.127.testbl  IN      A       127.0.1.0
                          TXT     "Test entry for pseudo-RBL"
1.0.0.2.testbl    IN      A       127.0.2.1
                          TXT     "Entry matching 2001::/8 IPv6 address space"
2.0.0.2.testbl    IN      A       127.0.2.2
                          TXT     "Entry matching 2002::/8 IPv6 address space"


and I set up "fred.conf" as an Exim config which denied connections
which are on that list, via:

  deny    !authenticated = *
          domains       = +local_domains
          verify        = recipient
          message       = You are on RBL $dnslist_domain: $dnslist_text
          dnslists      = testbl.globnix.net
          logwrite      = Blocked Sender host [$sender_host_address] \
                      because on RBL $dnslist_domain: $dnslist_text


% exim -C fred.conf -bh 2001:980:fff:31::1
[..., try to send an email ...]
>>> check dnslists = testbl.globnix.net
>>> DNS list check: testbl.globnix.net
>>> new DNS lookup for 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.3.0.0.f.f.f.0.0.8.9.0.1.0.0.2.testbl.globnix.net
>>> DNS lookup for 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.3.0.0.f.f.f.0.0.8.9.0.1.0.0.2.testbl.globnix.net failed
>>> => that means 2001:0980:0fff:0031:0000:0000:0000:0001 is not listed at testbl.globnix.net
>>> deny: condition test failed


Whereas when I use 2.0.0.1 directly (meh, it's currently bogon anyway):
% exim -C fred.conf -bh 2.0.0.1
[...]
>>> check dnslists = testbl.globnix.net
>>> DNS list check: testbl.globnix.net
>>> new DNS lookup for 1.0.0.2.testbl.globnix.net
>>> DNS lookup for 1.0.0.2.testbl.globnix.net succeeded (yielding 127.0.2.1)
>>> => that means 2.0.0.1 is listed at testbl.globnix.net
>>> check logwrite = Blocked Sender host [$sender_host_address] because on RBL $dnslist_domain: $dnslist_text
>>>                = Blocked Sender host [2.0.0.1] because on RBL testbl.globnix.net: Entry matching 2001::/8 IPv6 address space

LOG: [4822] Blocked Sender host [2.0.0.1] because on RBL testbl.globnix.net: Entry matching 2001::/8 IPv6 address space
>>> deny: condition test succeeded

550-You are on RBL testbl.globnix.net: Entry matching 2001::/8 IPv6 address
550 space
LOG: [4822] H=(redoubt) [2.0.0.1] F=<fred@???> rejected RCPT <fred@???>: You are on RBL testbl.globnix.net: Entry matching 2001::/8 IPv6 address space

I begin to have a horrid suspicion that the RBL which you're querying
has a server-side bug where it truncates the query to four components
below itself and doesn't notice the read of the query. I don't use the
RBL in question and don't know how to access it (commercial, isn't it?)
so can't check this myself.

-Phil