Marcin Mirosław | 1 Jul 2010 15:15

option "interface" in smtp transport and ipv6

Hello!
I've set up smtp transport in this way:
external_smtp_batv:
                driver          = smtp
                return_path     = ${prvs {$return_path}{BATVKEY}}
                dkim_domain     = +local_domains
                dkim_selector   = 100623
                dkim_private_key= /etc/ssl/poczta.cibet.pl.key
                dkim_canon      = relaxed
                interface       = ${lookup{$domain}lsearch{/etc/exim/domeny_interfejs.txt}{$value}{}}

If the recipient domain is found in the appropriate file and the destination mx
doesn't have AAAA records, everything works correctly. The problem appears
when the dest. mx has AAAA: then the option "interface" is ignored and mail is
sent using the ipv6 proto.
It looks like there is a bug in the smtp transport, or the option "interface" should
be named "interface_ipv4".
Regards,
Marcin

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Dan_Mitton | 1 Jul 2010 17:17

Re: SRS forward

Isn't it just easier to always do the SRS rewrite, rather than having to 
do a DNS query, wait for the response, check the result...?

Please respond to exim-users <at> exim.org
Sent by:        exim-users-bounces <at> exim.org
To:     John Horne <john.horne <at> plymouth.ac.uk>, exim-users <at> exim.org
cc:      (bcc: Dan Mitton/YD/RWDOE)
Subject:        Re: [exim] SRS forward
LSN: Not Relevant - Not Privileged
User Filed as: Excl/AdminMgmt-14-4/QA:N/A

On 2010-06-30 at 15:31 -0700, Phil Pennock wrote:
> On 2010-06-30 at 23:03 +0100, John Horne wrote:
> > On Wed, 2010-06-30 at 14:18 -0700, Phil Pennock wrote:
> > > On 2010-06-30 at 20:15 +0000, Christian Gregoire wrote:
> > > > I've written an SRS forward router, which works fine but it always
> > > > rewrites the sender address when I'd expect the rewrite to occur only if
> > > > the incoming domain has an SPF record. Is that possible ?
> > > 
> > > condition = ${if match{${lookup dnsdb{defer_never,txt=$sender_address_domain}}}{\N^v=spf1\s\N}}
> > > 
> > We have found that occasionally multiple TXT records are present (for
> > other things than SPF), and so tend to use a multiline regex. In the
> > above example it would become:
> > 
> >     ...{\N^(?m)v=spf1\s\N}}
> 
> Good catch, thanks.  In addition ...


Ian Eiloart | 1 Jul 2010 17:59

Re: SRS forward


--On 30 June 2010 20:15:40 +0000 Christian Gregoire <cgregoir99 <at> yahoo.com> 
wrote:

> Hello,
>
> I've written an SRS forward router, which works fine but it always
> rewrites the sender address when I'd expect the rewrite to occur only if
> the incoming domain has an SPF record. Is that possible ?

Caution - make sure you've already checked the SPF status. If the inbound 
message gets an SPF fail, then you should not forward it. If it gets an SPF 
softfail, or neutral, then you probably don't want to take responsibility 
for it by rewriting the sender address, either.

> Thanks.
>
> Christian
>
>
>

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/


Ian Eiloart | 1 Jul 2010 17:58

Re: SRS forward


--On 1 July 2010 08:17:54 -0700 Dan_Mitton <at> YMP.GOV wrote:

> Isn't it just easier to always do the SRS rewrite, rather than having to
> do a DNS query, wait for the response, check the result...?

It might be easier, but it's not necessarily advisable. SRS exists in order 
to avoid downgrading the SPF status of a message. If the message has an SPF 
PASS, SRS lets you pass it on without downgrading the status to SOFTFAIL, 
NEUTRAL or FAIL. Using SRS without publishing an SPF record of your own 
risks downgrading messages from pass to no unknown.

However, if you use SRS for mail that fails SPF tests, or on mail from 
domains without SPF records, then you risk upgrading the message to a PASS. 
That might be OK, for example if the message had a good DKIM signature in 
the same domain, and if you actually trust the original domain. It might 
improve the deliverability of a message that you have reason to trust.

But, if the message has a good DKIM signature, then the signature should 
survive your forwarding. The recipient host should check both the SPF 
status and the DKIM signature. Most mail paths won't break both a DKIM 
signature AND SPF. Arguably DKIM is better than SRS in preserving 
authentication across hops, so you may consider that SRS isn't necessary if 
a message carries a good DKIM signature that you aren't going to break.

>
> Please respond to exim-users <at> exim.org
> Sent by:        exim-users-bounces <at> exim.org
> To:     John Horne <john.horne <at> plymouth.ac.uk>, exim-users <at> exim.org
> cc:      (bcc: Dan Mitton/YD/RWDOE)

John Horne | 1 Jul 2010 18:39

Re: SRS forward

On Thu, 2010-07-01 at 16:58 +0100, Ian Eiloart wrote:
> 
> Using SRS without publishing an SPF record of your own 
> risks downgrading messages from pass to no unknown.
> 
I don't quite follow this. My understanding was that when SRS was used
it was a way of saying to the recipient MTA (that is the MTA you are
forwarding the message to) "This message has come from us, but when
checking SPF you must 'decode' the sender address and then check against
that decoded original sender address." That is, don't check our SPF
records but check those of whoever (whomever?) we got the message from
originally.

As such it should not matter whether the forwarding MTA domain has SPF
records or not.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001


Phil Pennock | 1 Jul 2010 19:33

Re: option "interface" in smtp transport and ipv6

On 2010-07-01 at 15:15 +0200, Marcin Mirosław wrote:
> Hello!
> I've set up smtp transport in this way:
> external_smtp_batv:
>                 driver          = smtp
>                 return_path     = ${prvs {$return_path}{BATVKEY}}
>                 dkim_domain     = +local_domains
>                 dkim_selector   = 100623
>                 dkim_private_key= /etc/ssl/poczta.cibet.pl.key
>                 dkim_canon      = relaxed
>                 interface       = ${lookup{$domain}lsearch{/etc/exim/domeny_interfejs.txt}{$value}{}}
> 
> If the recipient domain is found in the appropriate file and the destination mx
> doesn't have AAAA records, everything works correctly. The problem appears
> when the dest. mx has AAAA: then the option "interface" is ignored and mail is
> sent using the ipv6 proto.
> It looks like there is a bug in the smtp transport, or the option "interface" should
> be named "interface_ipv4".

IPv6 addresses contain a colon.  Exim's default list separator character
is a colon.  interface takes an expanded string list.

Try <; at the start of the value of interface, to change the list
separator character, if you know that you're going to include : as data
from the lookup.

-Phil


Marcin Mirosław | 1 Jul 2010 20:24

Re: option "interface" in smtp transport and ipv6

On 2010-07-01 19:33, Phil Pennock wrote:
> IPv6 addresses contain a colon.  Exim's default list separator character
> is a colon.  interface takes an expanded string list.
> 
> Try <; at the start of the value of interface, to change the list
> separator character, if you know that you're going to include : as data
> from the lookup.

Hi,
Thank you for the reply.
Sadly it doesn't change the behavior of exim. (In the file domeny_interfejs.txt
I only have ipv4 addresses.) I tried this:
interface = 1.2.3.4
and:
interface = <; 1.2.3.4
and even:
interface = <; 1.2.3.4;
And it still doesn't work when the recipient mx has an AAAA record. Then exim
sends mail over ipv6.
Regards,
Marcin


Phil Pennock | 1 Jul 2010 21:23

Re: option "interface" in smtp transport and ipv6

On 2010-07-01 at 20:24 +0200, Marcin Mirosław wrote:
> On 2010-07-01 19:33, Phil Pennock wrote:
> > IPv6 addresses contain a colon.  Exim's default list separator character
> > is a colon.  interface takes an expanded string list.
> > 
> > Try <; at the start of the value of interface, to change the list
> > separator character, if you know that you're going to include : as data
> > from the lookup.
> 
> 
> Hi,
> Thank you for the reply.
> Sadly it doesn't change the behavior of exim. (In the file domeny_interfejs.txt
> I only have ipv4 addresses.) I tried this:
> interface = 1.2.3.4
> and:
> interface = <; 1.2.3.4
> and even:
> interface = <; 1.2.3.4;
> And it still doesn't work when the recipient mx has an AAAA record. Then exim
> sends mail over ipv6.

Oh, it appeared from the report that an IPv6 address in the interface
was not working.

Right, per the documentation for interface:
----------------------------8< cut here >8------------------------------
The first interface of the correct type (IPv4 or IPv6) is used for the outgoing
connection. If none of them are the correct type, the option is ignored.
----------------------------8< cut here >8------------------------------

J.R.Haynes | 1 Jul 2010 21:27

Re: option "interface" in smtp transport and ipv6

On Thu, 1 Jul 2010 at 14:15 +0100, Marcin Mirosław wrote

> Hello!
> I've set up smtp transport in this way:
> external_smtp_batv:
>                driver          = smtp
>                return_path     = ${prvs {$return_path}{BATVKEY}}
>                dkim_domain     = +local_domains
>                dkim_selector   = 100623
>                dkim_private_key= /etc/ssl/poczta.cibet.pl.key
>                dkim_canon      = relaxed
>                interface       = ${lookup{$domain}lsearch{/etc/exim/domeny_interfejs.txt}{$value}{}}
>
> If the recipient domain is found in the appropriate file and the destination mx
> doesn't have AAAA records, everything works correctly. The problem appears
> when the dest. mx has AAAA: then the option "interface" is ignored and mail is
> sent using the ipv6 proto.
> It looks like there is a bug in the smtp transport, or the option "interface" should
> be named "interface_ipv4".

The spec says (smtp transport -> interface option)

The first interface of the correct type (IPv4 or IPv6) is used for the 
outgoing connection. If none of them are the correct type, the option is 
ignored. If interface is not set, or is ignored, the system's IP functions 
choose which interface to use if the host has more than one.

(http://www.exim.org/exim-html-current/doc/html/spec_html/ch30.html#SECID146)


Marcin Mirosław | 1 Jul 2010 21:47

Re: option "interface" in smtp transport and ipv6

On 2010-07-01 21:23, Phil Pennock wrote:
> Oh, it appeared from the report that an IPv6 address in the interface
> was not working.
> 
> Right, per the documentation for interface:
> ----------------------------8< cut here >8------------------------------
> The first interface of the correct type (IPv4 or IPv6) is used for the outgoing
> connection. If none of them are the correct type, the option is ignored.
> ----------------------------8< cut here >8------------------------------

Yes, I read it. But I don't speak English well and maybe I can't catch
the nuance.

> Use something like (untested):
>    ignore_target_hosts = <; ::
> on the Router to refuse to use IPv6 addresses.  Or there's
> dns_ipv4_lookup as a global option, per "13.6 Disabling IPv6".

But I don't want to disable ipv6! :)
I.e. my domain: host hermes.mejor.pl
hermes.mejor.pl has address 193.238.12.139
hermes.mejor.pl has IPv6 address 2001:470:1f0b:84c::2

From another host (on which I set up a transport using interface=1.2.3.4) I'm
trying to send mail to the domain "mejor.pl". I'd like to send mail via ipv4
(not via ipv6), because there are two links, and the link with ipv4 only is
faster than the link with ipv6. So I put the domain "mejor.pl" in the file
"domeny_interfejs.txt" and I'm expecting that exim will use the address
(ipv4) taken from the file, and send via ipv4, although ipv6 can be used
for this domain.
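
A small model of the rule quoted from the spec in this thread (the first interface of the matching address family is used, otherwise the option is ignored), combined with the list-separator point raised earlier. This is an added example, not code from Exim or from any poster: `exim_list` and `pick_interface` are hypothetical names, the list parsing is a simplification of Exim's, and 2001:db8::25 is a constructed address.

```python
import ipaddress
import string


def exim_list(value):
    """Split an Exim-style string list (simplified model of Exim's parsing)."""
    value = value.strip()
    sep = ":"  # Exim's default list separator
    # A leading "<" plus a punctuation character selects another separator.
    if len(value) >= 2 and value[0] == "<" and value[1] in string.punctuation:
        sep, value = value[1], value[2:]
    items, cur, i = [], "", 0
    while i < len(value):
        if value[i] == sep and value[i + 1:i + 2] == sep:
            cur += sep          # doubled separator is one literal character
            i += 2
        elif value[i] == sep:
            items.append(cur.strip())
            cur = ""
            i += 1
        else:
            cur += value[i]
            i += 1
    items.append(cur.strip())
    return [item for item in items if item]


def pick_interface(interface_value, remote_ip):
    """Return the source address to bind, or None if the option is ignored."""
    wanted = ipaddress.ip_address(remote_ip).version
    for item in exim_list(interface_value):
        try:
            if ipaddress.ip_address(item).version == wanted:
                return item
        except ValueError:
            continue  # not an IP address, e.g. a fragment of a split IPv6 one
    return None  # caller falls back to the system's choice of source address


# Remote addresses are the two for hermes.mejor.pl quoted in the thread;
# 2001:db8::25 is a constructed documentation address.
MX_V4, MX_V6 = "193.238.12.139", "2001:470:1f0b:84c::2"
if __name__ == "__main__":
    for value in ("1.2.3.4", "<; 1.2.3.4 ; 2001:db8::25", "1.2.3.4 : 2001:db8::25"):
        print(repr(value), exim_list(value),
              pick_interface(value, MX_V4), pick_interface(value, MX_V6))
```

In this model an IPv4-only `interface` value yields no match once the remote address is IPv6, which is the "option is ignored" case from the spec text; the last sample value shows an undoubled IPv6 address being split apart by the default colon separator.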