exim relay and ipv6

Nick Schmalenberger · External Since: Apr 08, 2007 Posts: 6

list,
I have a mail server running etch and another etch machine and they both
have exim. The second machine is configured to use the first as a
smarthost with smtp authentication and this worked well until they were
able to connect to each other by IPv6. After that, any attempted relay
is denied. I tried putting the IPv6 address and/or the subnet in places
like
dc_relay_nets in update-exim4.conf.conf and MAIN_RELAY_NETS in
exim4.conf.localmacros but it didn't help. I then tried using Icedove
and the smtp authentication worked, from the same machine and again over
IPv6, so it looks like the smtp authentication client in exim has a
problem.

below is an example mail -v from the client machine.
Thanks for any help.
Nick

R: smarthost for nick@destinationdomain
T: remote_smtp_smarthost for nick@destinationdomain
Connecting to nick.relaydomain [2001:470:1f01:3324::1]:25 ... connected
SMTP<< 220 nick.relaydomain ESMTP Exim 4.63 Sat, 07 Apr 2007 10:38:22 -0700
SMTP>> EHLO athena.relaydomain
SMTP<< 250-nick.relaydomain Hello athena.relaydomain [2001:4830:1547:1:205:2ff:feb7:63d8]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
SMTP>> EHLO athena.relaydomain
SMTP<< 250-nick.relaydomain Hello athena.relaydomain [2001:4830:1547:1:205:2ff:feb7:63d8]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
SMTP>> MAIL FROM:<nick@relaydomain> SIZE=1406
SMTP>> RCPT TO:<nick@destinationdomain>
SMTP>> DATA
SMTP<< 250 OK
SMTP<< 550 relay not permitted
SMTP<< 503 valid RCPT command must precede DATA
SMTP>> QUIT
LOG: MAIN
** nick@destinationdomain R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after RCPT TO:<nick@destinationdomain>: host nick.relaydomain [2001:470:1f01:3324::1]: 550 relay not permitted
LOG: MAIN
<= <> R=1HaErt-0007cx-GO U=Debian-exim P=local S=1345
LOG: MAIN
Completed

--
To UNSUBSCRIBE, email to debian-ipv6-REQUEST RemoveThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster RemoveThis @lists.debian.org

Bernhard Schmidt · External Since: Mar 25, 2005 Posts: 25

Nick Schmalenberger <nick.RemoveThis@schmalenberger.us> wrote:

Hi Nick,

> dc_relay_nets in update-exim4.conf.conf and MAIN_RELAY_NETS in
> exim4.conf.localmacros but it didn't help. I then tried using Icedove
> and the smtp authentication worked, from the same machine and again over
> IPv6, so it looks like the smtp authentication client in exim has a
> problem.
>
> SMTP>> EHLO athena.relaydomain
> SMTP<< 250-nick.relaydomain Hello athena.relaydomain [2001:4830:1547:1:205:2ff:feb7:63d8]
> 250-SIZE 52428800
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250 HELP
> SMTP>> MAIL FROM:<nick@relaydomain> SIZE=1406

You exim client does not even try to authenticate, although advertised.
I have no clue of exim, but browsing through the documentation it looks
like you need to adjust the options host_require_auth and/or
host_try_auth

http://www.exim.org/exim-html-4.50/doc/html/spec_33.html#SECT33.5

that probably only lists the IPv4 address at the moment.

Regards,
Bernhard

--
To UNSUBSCRIBE, email to debian-ipv6-REQUEST.RemoveThis@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.RemoveThis@lists.debian.org

Nick Schmalenberger · External Since: Apr 08, 2007 Posts: 6

On Sun, Apr 08, 2007 at 02:26:01PM +0200, Bernhard Schmidt wrote:
> Nick Schmalenberger <nick.TakeThisOut@schmalenberger.us> wrote:
>
> Hi Nick,
>
> > dc_relay_nets in update-exim4.conf.conf and MAIN_RELAY_NETS in
> > exim4.conf.localmacros but it didn't help. I then tried using Icedove
> > and the smtp authentication worked, from the same machine and again over
> > IPv6, so it looks like the smtp authentication client in exim has a
> > problem.
> >
> > SMTP>> EHLO athena.relaydomain
> > SMTP<< 250-nick.relaydomain Hello athena.relaydomain [2001:4830:1547:1:205:2ff:feb7:63d8]
> > 250-SIZE 52428800
> > 250-PIPELINING
> > 250-AUTH PLAIN LOGIN
> > 250 HELP
> > SMTP>> MAIL FROM:<nick@relaydomain> SIZE=1406
>
> You exim client does not even try to authenticate, although advertised.
> I have no clue of exim, but browsing through the documentation it looks
> like you need to adjust the options host_require_auth and/or
> host_try_auth
>
> http://www.exim.org/exim-html-4.50/doc/html/spec_33.html#SECT33.5
>
> that probably only lists the IPv4 address at the moment.
>
Thanks for the link, I think it put me on the right track, but I still
don't have smtp relay over ipv6 working yet. I think the problem is that
the ipv6 subnet on my mail server has no reverse hostnames because of a
bad delegation I put in with hurricane electric that hasn't been updated
to the correct name servers. I put them in the web interface months ago,
took them out again, tried afraid.org and went back to my own servers
and the delegation is still to the bad servers. I have emailed hurricane
electric describing the problem and only got an automatic response with
a ticket number. Waiting on this is why I didn't respond to the email
earlier, but it was helpful, thank you!

Has anybody had issues like this with hurricane electric before? What
have they been able to do about it? My subnet is 2001:470:1f01:3324::/64
and the namservers should be ns1 and ns2.schmalenberger.us, so maybe
somebody can see something wrong with my configuration there too.
Thanks.
Nick

--
To UNSUBSCRIBE, email to debian-ipv6-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org

Bernhard Schmidt · External Since: Mar 25, 2005 Posts: 25

Hi Nick,

Nick Schmalenberger <nick.TakeThisOut@schmalenberger.us> wrote:

>> > dc_relay_nets in update-exim4.conf.conf and MAIN_RELAY_NETS in
>> > exim4.conf.localmacros but it didn't help. I then tried using Icedove
>> > and the smtp authentication worked, from the same machine and again over
>> > IPv6, so it looks like the smtp authentication client in exim has a
>> > problem.
>> >
>> > SMTP>> EHLO athena.relaydomain
>> > SMTP<< 250-nick.relaydomain Hello athena.relaydomain [2001:4830:1547:1:205:2ff:feb7:63d8]
>> > 250-SIZE 52428800
>> > 250-PIPELINING
>> > 250-AUTH PLAIN LOGIN
>> > 250 HELP
>> > SMTP>> MAIL FROM:<nick@relaydomain> SIZE=1406
>>
>> You exim client does not even try to authenticate, although advertised.
>> I have no clue of exim, but browsing through the documentation it looks
>> like you need to adjust the options host_require_auth and/or
>> host_try_auth
>>
>> http://www.exim.org/exim-html-4.50/doc/html/spec_33.html#SECT33.5
>>
>> that probably only lists the IPv4 address at the moment.
>>
> Thanks for the link, I think it put me on the right track, but I still
> don't have smtp relay over ipv6 working yet. I think the problem is that
> the ipv6 subnet on my mail server has no reverse hostnames because of a
> bad delegation I put in with hurricane electric that hasn't been updated
> to the correct name servers.

I don't think this is the case. What is the current content of your
$hosts_require_auth and $hosts_try_auth variables? A crosschecking
reverse -> forward is usually done by the server side, but in your case
the client does not invoke the authentication, although offered by the
server. Unfortunately I don't have much clue of debugging Exim, so I
can't give you more hints here.

Regards,
Bernhard

--
To UNSUBSCRIBE, email to debian-ipv6-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org

Andrew Pounce · External Since: Apr 17, 2007 Posts: 1

Have you made sure that you have a relay_hosts line something like....

relay_hosts 127.0.0.1 : <ip.v4.add.ress> : ::::1/128

Note that as :'s are used as field markers you need to double them up
like :-

nnnn::nnnn::nnnn::nnnn::nnnn::nnnn/64

Cheers,

--Andrew

Bernhard Schmidt wrote:
> Hi Nick,
>
> Nick Schmalenberger <nick.TakeThisOut@schmalenberger.us> wrote:
>
>>>> dc_relay_nets in update-exim4.conf.conf and MAIN_RELAY_NETS in
>>>> exim4.conf.localmacros but it didn't help. I then tried using Icedove
>>>> and the smtp authentication worked, from the same machine and again over
>>>> IPv6, so it looks like the smtp authentication client in exim has a
>>>> problem.
>>>>
>>>> SMTP>> EHLO athena.relaydomain
>>>> SMTP<< 250-nick.relaydomain Hello athena.relaydomain [2001:4830:1547:1:205:2ff:feb7:63d8]
>>>> 250-SIZE 52428800
>>>> 250-PIPELINING
>>>> 250-AUTH PLAIN LOGIN
>>>> 250 HELP
>>>> SMTP>> MAIL FROM:<nick@relaydomain> SIZE=1406
>>> You exim client does not even try to authenticate, although advertised.
>>> I have no clue of exim, but browsing through the documentation it looks
>>> like you need to adjust the options host_require_auth and/or
>>> host_try_auth
>>>
>>> http://www.exim.org/exim-html-4.50/doc/html/spec_33.html#SECT33.5
>>>
>>> that probably only lists the IPv4 address at the moment.
>>>
>> Thanks for the link, I think it put me on the right track, but I still
>> don't have smtp relay over ipv6 working yet. I think the problem is that
>> the ipv6 subnet on my mail server has no reverse hostnames because of a
>> bad delegation I put in with hurricane electric that hasn't been updated
>> to the correct name servers.
>
> I don't think this is the case. What is the current content of your
> $hosts_require_auth and $hosts_try_auth variables? A crosschecking
> reverse -> forward is usually done by the server side, but in your case
> the client does not invoke the authentication, although offered by the
> server. Unfortunately I don't have much clue of debugging Exim, so I
> can't give you more hints here.
>
> Regards,
> Bernhard
>
>

--
To UNSUBSCRIBE, email to debian-ipv6-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org

Nick Schmalenberger · External Since: Apr 08, 2007 Posts: 6

On Mon, Apr 16, 2007 at 04:30:13PM +0200, Bernhard Schmidt wrote:
>
> I don't think this is the case. What is the current content of your
> $hosts_require_auth and $hosts_try_auth variables? A crosschecking
> reverse -> forward is usually done by the server side, but in your case
> the client does not invoke the authentication, although offered by the
> server. Unfortunately I don't have much clue of debugging Exim, so I
> can't give you more hints here.
>
> Regards,
> Bernhard
>
Thanks, my $hosts_try_tls is as follows:

hosts_try_auth = ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
}\
{} \
}

and I don't have a $hosts_require_tls. Is there something for exim like
postconf for postfix to see what values certain things have while the
MTA is running?

About the reverse DNS, I would like to get that fixed anyway and the
exim4_files(5) manpage says for /etc/exim4/passwd.client:
Please note that target.mail.server.example is currently the
value that exim can read from reverse DNS: It first follows the
host name of the target system until it finds and IP address, and
then looks up the reverse DNS for that IP address to use the
outcome of this query (or the IP address itself should the
query fail) as index into /etc/exim4/passwd.client.

Thanks for all help!

--
To UNSUBSCRIBE, email to debian-ipv6-REQUEST.DeleteThis@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.DeleteThis@lists.debian.org