Hello Noel,
Wednesday, July 6, 2011, 8:30:13 AM, you wrote:
> On 7/6/2011 8:15 AM, Simon Deziel wrote:
>> On 07/06/2011 03:32 AM, Henrik K wrote:
>>> On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote:
>>>> On 7/6/2011 12:07 AM, Simon Deziel wrote:
>>>>> Hi all,
>>>>>
>>>>> Since I started using Stan's fqrdns.pcre file to reduce spam I have some
>>>>> problems receiving emails from with IPv6 clients.
>>>>>
>>>>> Jul 4 05:19:10 mx postfix/smtpd[10191]: NOQUEUE: reject: RCPT from
>>>>> mail.python.org[2001:888:2000:d::a6]: 554
>>>>> <mail.python.org[2001:888:2000:d::a6]>: Client host rejected: Generic -
>>>>> Please relay via ISP; fr
>>>>> om=<john....@python.org> to=<jane....@example.com> proto=ESMTP
>>>>> helo=<mail.python.org>
>>>>>
>>>>> Manual testing with dig showed that mail.python.org had a PTR matching
>>>>> its AAAA. A few postmap lookups using IPv6 gave results I don't
>>>>> understand :
>>>>>
>>>>> # postmap -q "2001:888:2000:d::a6" pcre:/etc/postfix/fqrdns.pcre
>>>>> REJECT Generic - Please relay via ISP
>>>>> #postmap -q "2001:888:2000:d::aa" pcre:/etc/postfix/fqrdns.pcre
>>>>>
>>>>> What's odd is that only 12 rules reject without mentioning the specific
>>>>> ISP name/relay name and none of them should match an IPv6.
>>>>>
>>>>> I am probably missing something here and would greatly appreciate any
>>>>> help on this.
>>>>
>>>> This line is the culprit.
>>>> /[a-z-][0-9]+$/ REJECT Generic -
>>>> Please relay via ISP
>>>>
>>>> the ...a6" of your test string matches "a letter followed by a
>>>> number at the end".
>>>>
>>>> easy fix is to remove the offending line. I'm too
>>>> sleep-deprived to come up with anything more clever right now.
>>>
>>> Simply insert as first rule:
>>>
>>> /:/ DUNNO
>>>
>>
>> Thank you both, that makes a lot of sense and works well. Stan do you
>> think that it would be a good idea to short-circuit all IP addresses
>> look-ups by using those 2 rules at the top :
>>
>> # Do not check IPv4 or IPv6
>> /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/ DUNNO
>> /:/ DUNNO
>>
>> I am wondering why I saw no other report of this problematic behaviour.
>> Except from this little problem, I really appreciate this ruleset file,
>> thanks Stan for making it available to us.
>>
>> Simon Deziel
> Yes, this should be added to the top of the file, except the
> v6 bypass expression needs to be improved.
> I would assume that no one else is using this with ipv6 since
> the offending rule will match any address ending with
> letter+number.
A quick search on the web I found this for IPv6 (all on one line):
/^(((?=(?>.*?::)(?!.*::)))(::)?(([0-9A-F]{1,4})::?){0,5}|((?5):){6})(\2((?5)(::?
|$)){0,2}|((25[0-5]|(2[0-4]|1[0-9]|[1-9])?[0-9])(\.|$)){4}|(?5):(?5))(?<![^:]:|\
.)\z/i
--
Best regards,
Duane mailto:du...@duanemail.org
