Re: "limit mta inet4" is ignored, smtpd fails to start

2018-03-18 Thread Harald Dunkel
On 03/18/18 13:54, Richard wrote:
> 
> It appears that "limit mta inet4" statement limits outgoing ipv6
> connections but not incoming ipv6 connections...
> 
> Instead of the limit statement one might use a notation like this
> which limits incoming and outgoing connections to ipv4 by interface:
> 
> listen on lo inet4 tls pki $xname
> listen on eth0 inet4 tls pki $xname
> listen on eth1 inet4 tls pki $xname
> 

This works for me in this case (thanks very much), but apparently it
doesn't really solve the problem. If I use a global IPv6 address and
a dual-stack configuration

xname="mailhost.example.com"

pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mailhost.example.com.pem"

listen on lo tls pki $xname
listen on eth0 tls pki $xname
listen on eth1 tls pki $xname
:

then smtpd stumbles over the tentative IPv6 address again. The only
difference is that it's not a link-local address anymore:

:
:
670   bind(11, {sa_family=AF_INET, sin_port=htons(25), 
sin_addr=inet_addr("10.0.0.2")}, 16 
670   <... bind resumed> )  = 0
670   socket(PF_INET6, SOCK_STREAM, IPPROTO_IP 
670   <... socket resumed> )= 12
670   setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4 
670   <... setsockopt resumed> )= 0
670   setsockopt(12, SOL_IPV6, IPV6_V6ONLY, [1], 4 
670   <... setsockopt resumed> )= 0
670   bind(12, {sa_family=AF_INET6, sin6_port=htons(25), inet_pton(AF_INET6, 
"2001:DB8:30:ffe0::e6", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28 
670   <... bind resumed> )  = -1 EADDRNOTAVAIL (Cannot assign 
requested address)
670   write(2, "pony express: smtpd: bind: Canno"..., 59 
670   <... write resumed> ) = 59
670   exit_group(1) = ?
670   +++ exited with 1 +++


Regards
Harri

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: "limit mta inet4" is ignored, smtpd fails to start

2018-03-18 Thread Reio Remma

Hello!

I had a similar problem starting OpenSMTPD at boot in CentOS 7.
Solved it by using *listen on 0.0.0.0* instead of *listen on eth0*.

Good luck,
Reio

On 18.03.2018 14:54, Richard wrote:

On Sun, 18 Mar 2018, Harald Dunkel wrote:


problem using opensmtpd 6.0.3 on Debian: I have set

xname=mailhost.example.com
:
limit mta inet4
listen on lo tls pki $xname
listen on eth0 tls pki $xname
listen on eth1 tls pki $xname
:

in smtpd.conf, but apparently this "limit" line is ignored. At boot
time it tries to bind to a link-local IPv6 address. And this fails,
as strace shows:

:
695   setsockopt(11, SOL_SOCKET, SO_REUSEADDR, [1], 4 
695   <... setsockopt resumed> )= 0
695   bind(11, {sa_family=AF_INET, sin_port=htons(25), 
sin_addr=inet_addr("10.0.0.2")}, 16 
695   <... bind resumed> )  = 0
695   socket(PF_INET6, SOCK_STREAM, IPPROTO_IP 
695   <... socket resumed> )= 12
695   setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4 
695   <... setsockopt resumed> )= 0
695   setsockopt(12, SOL_IPV6, IPV6_V6ONLY, [1], 4 
695   <... setsockopt resumed> )= 0
695   bind(12, {sa_family=AF_INET6, sin6_port=htons(25), inet_pton(AF_INET6, 
"fe80::216:3aff:feca:38bb", &sin6_addr), sin6_flowinfo=0, 
sin6_scope_id=if_nametoindex("eth0")}, 28 
695   <... bind resumed> )  = -1 EADDRNOTAVAIL (Cannot assign 
requested address)
695   write(2, "pony express: smtpd: bind: Canno"..., 59 
695   <... write resumed> ) = 59
695   exit_group(1) = ?
695   +++ exited with 1 +++


"ip address show" (run immediately before smtpd) shows that
the link-local address is still "tentative":

:
194: eth0@if195:  mtu 1500 qdisc noqueue state 
UP group default qlen 1000
 link/ether 00:16:3a:ca:38:bb brd ff:ff:ff:ff:ff:ff
 inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
 inet6 fe80::216:3aff:feca:38bb/64 scope link tentative
valid_lft forever preferred_lft forever
:

If I try to run smtpd later, then it works.

It appears that "limit mta inet4" statement limits outgoing ipv6
connections but not incoming ipv6 connections...

Instead of the limit statement one might use a notation like this
which limits incoming and outgoing connections to ipv4 by interface:

listen on lo inet4 tls pki $xname
listen on eth0 inet4 tls pki $xname
listen on eth1 inet4 tls pki $xname

Richard Narron
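The syscall sequence in both straces above (socket, SO_REUSEADDR, IPV6_V6ONLY, bind) can be reproduced in a few lines to see why a tentative or not-yet-configured IPv6 address makes the listener die with EADDRNOTAVAIL, and what the Linux IP_FREEBIND socket option changes. This is an added example, not OpenSMTPD code; bind_v6_listener and the port 2525 are assumptions, and the address is the documentation-range one from Harald's trace, which is not configured on the machine running this.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Set up an IPv6-only TCP listener socket the way the strace shows smtpd
 * doing it, then bind. Returns 0 on success or the errno of the failing call.
 * With freebind != 0, IP_FREEBIND (Linux) tells the kernel to accept a bind
 * to an address that is still tentative (DAD running) or not configured yet,
 * so a daemon started early at boot does not exit on EADDRNOTAVAIL. */
int bind_v6_listener(const char *addr, unsigned short port, int freebind)
{
    struct sockaddr_in6 sin6;
    int one = 1, fd, err;

    memset(&sin6, 0, sizeof sin6);
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(port);
    if (inet_pton(AF_INET6, addr, &sin6.sin6_addr) != 1)
        return EINVAL;               /* not a textual IPv6 address */

    fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;                /* EAFNOSUPPORT if the host has no IPv6 */
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one) < 0)
        goto fail;
#ifdef IP_FREEBIND
    if (freebind && setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0)
        goto fail;
#else
    if (freebind) { errno = ENOPROTOOPT; goto fail; }   /* not on this OS */
#endif
    if (bind(fd, (struct sockaddr *)&sin6, sizeof sin6) < 0)
        goto fail;                   /* EADDRNOTAVAIL for a tentative address */
    close(fd);
    return 0;
fail:
    err = errno;
    close(fd);
    return err;
}

int main(void)
{
    const char *addr = "2001:db8:30:ffe0::e6";   /* from the trace, unconfigured here */
    int plain = bind_v6_listener(addr, 2525, 0), fb = bind_v6_listener(addr, 2525, 1);
    printf("plain bind: %s\n", plain ? strerror(plain) : "ok");
    printf("IP_FREEBIND bind: %s\n", fb ? strerror(fb) : "ok");
    return 0;
}
```

Binding with IP_FREEBIND only makes the socket survive; packets are delivered once DAD finishes, and the equivalent system-wide knob is the net.ipv6.ip_nonlocal_bind sysctl.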