Hello Noel,

Wednesday, July 6, 2011, 8:30:13 AM, you wrote:

> On 7/6/2011 8:15 AM, Simon Deziel wrote:
>> On 07/06/2011 03:32 AM, Henrik K wrote:
>>> On Wed, Jul 06, 2011 at 12:38:05AM -0500, Noel Jones wrote:
>>>> On 7/6/2011 12:07 AM, Simon Deziel wrote:
>>>>> Hi all,
>>>>>
>>>>> Since I started using Stan's fqrdns.pcre file to reduce spam I have some
>>>>> problems receiving emails from IPv6 clients.
>>>>>
>>>>> Jul 4 05:19:10 mx postfix/smtpd[10191]: NOQUEUE: reject: RCPT from
>>>>> mail.python.org[2001:888:2000:d::a6]: 554
>>>>> <mail.python.org[2001:888:2000:d::a6]>: Client host rejected: Generic -
>>>>> Please relay via ISP; from=<john....@python.org>
>>>>> to=<jane....@example.com> proto=ESMTP
>>>>> helo=<mail.python.org>
>>>>>
>>>>> Manual testing with dig showed that mail.python.org had a PTR matching
>>>>> its AAAA. A few postmap lookups using IPv6 gave results I don't
>>>>> understand:
>>>>>
>>>>> # postmap -q "2001:888:2000:d::a6" pcre:/etc/postfix/fqrdns.pcre
>>>>> REJECT Generic - Please relay via ISP
>>>>> # postmap -q "2001:888:2000:d::aa" pcre:/etc/postfix/fqrdns.pcre
>>>>>
>>>>> What's odd is that only 12 rules reject without mentioning the specific
>>>>> ISP name/relay name and none of them should match an IPv6.
>>>>>
>>>>> I am probably missing something here and would greatly appreciate any
>>>>> help on this.
>>>>
>>>> This line is the culprit.
>>>> /[a-z-][0-9]+$/ REJECT Generic - Please relay via ISP
>>>>
>>>> the ...a6" of your test string matches "a letter followed by a
>>>> number at the end".
>>>>
>>>> easy fix is to remove the offending line. I'm too
>>>> sleep-deprived to come up with anything more clever right now.
>>>
>>> Simply insert as first rule:
>>>
>>> /:/ DUNNO
>>>
>>
>> Thank you both, that makes a lot of sense and works well. Stan do you
>> think that it would be a good idea to short-circuit all IP addresses
>> look-ups by using those 2 rules at the top:
>>
>> # Do not check IPv4 or IPv6
>> /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/ DUNNO
>> /:/ DUNNO
>>
>> I am wondering why I saw no other report of this problematic behaviour.
>> Except for this little problem, I really appreciate this ruleset file,
>> thanks Stan for making it available to us.
>>
>> Simon Deziel

> Yes, this should be added to the top of the file, except the
> v6 bypass expression needs to be improved.

> I would assume that no one else is using this with ipv6 since
> the offending rule will match any address ending with
> letter+number.

With a quick search on the web I found this for IPv6 (all on one line):

/^(((?=(?>.*?::)(?!.*::)))(::)?(([0-9A-F]{1,4})::?){0,5}|((?5):){6})(\2((?5)(::?|$)){0,2}|((25[0-5]|(2[0-4]|1[0-9]|[1-9])?[0-9])(\.|$)){4}|(?5):(?5))(?<![^:]:|\.)\z/i

-- 
Best regards,
 Duane                          mailto:du...@duanemail.org
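
The first-match behaviour discussed in this thread, as an added example that is not part of any poster's message and is not Postfix or fqrdns.pcre code. It assumes Python's re module as a stand-in for PCRE, models only the one fqrdns.pcre rule quoted above plus the two proposed bypass rules, and uses constructed sample keys apart from the two IPv6 literals from the postmap tests.

```python
import re

# The one rule quoted in the thread, and the two bypass rules proposed for
# the top of the file. Postfix pcre tables match case-insensitively by
# default and return the action of the first pattern that matches.
GENERIC_RULE = (r"[a-z-][0-9]+$", "REJECT Generic - Please relay via ISP")
BYPASS_RULES = [
    (r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$", "DUNNO"),
    (r":", "DUNNO"),
]

def compile_table(rules):
    return [(re.compile(p, re.IGNORECASE), action) for p, action in rules]

def lookup(table, key):
    """First-match lookup. None means no rule matched (postmap -q prints nothing)."""
    for rx, action in table:
        if rx.search(key):
            return action
    return None

ORIGINAL = compile_table([GENERIC_RULE])
PATCHED = compile_table(BYPASS_RULES + [GENERIC_RULE])

# Lookup keys: the first two are the literals from the thread,
# the rest are constructed for this example.
SAMPLES = [
    "2001:888:2000:d::a6",   # ends in letter+digit: hits the generic rule
    "2001:888:2000:d::aa",   # ends in a letter: never matched
    "192.0.2.25",            # IPv4 literal: '.' is not in [a-z-]
    "ppp-25",                # hostname-style key the rule is meant to catch
    "mail.python.org",       # ordinary hostname
]

def audit(samples=SAMPLES):
    """Map each key to (result before the bypass rules, result after)."""
    return {k: (lookup(ORIGINAL, k), lookup(PATCHED, k)) for k in samples}

if __name__ == "__main__":
    for key, (before, after) in audit().items():
        print(f"{key:22} before={before!s:40} after={after}")
```

The hostname-style key is still rejected after the change, so the bypass only affects keys that are address literals.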