|Main Archive Page > Month Archives > postfix-users archives|
postfix 2.7.1 on SLES 10.3 i586 (probably not important, but who knows).
We run a production mailserver with reject_unknown_client_hostname
enabled (for a few years now). To deal with the unavoidable
misconfigurations we have a very large whitelist which was created
automatically from years of message tracking and is also regularly
updated. So far so good.
This system is also IPv6-enabled. Since broken reverse DNS is a bit more
common in the IPv6 world AND those problems remain unnoticed for much
longer (as there are not nearly enough IPv6-enabled destinations
outside), we override this check for the whole global IPv6 address block
in above listed access.client.connect-stage.cidr:
So far so good, take two. Now we are bitten by a special feature of
IPv6. Systems (running postfix) in the same subnet as the mail servers
that do NOT have a global IPv6 address configured (but the IPv6 stack
loaded) still try IPv6. They use the link-local address (fe80::/64) to
connect to the server ... and get rejected due to missing reverse DNS:
Nov 8 17:15:46 lxmhs17 postfix/smtpd: NOQUEUE: reject: RCPT from
unknown[fe80::250:56ff:fea9:2c72%vlan6]: 550 5.7.1 Client host rejected:
cannot find your reverse hostname, [fe80::250:56ff:fea9:2c72%vlan6];
from=<> to=<firstname.lastname@example.org> proto=ESMTP
See the %vlan6 scope identifier at the address. Unfortunately, this
seems to prevent the CIDR table from matching when we whitelist the
link-local address range.
% postmap -q fe80::250:56ff:fea9:2c72%vlan6
% postmap -q fe80::250:56ff:fea9:2c72
We can workaround using regexp tables (for example), but it's pretty
inconvenient. Can this be fixed easily? Or is it a known limitation?