[Indimail-support] Double double colon in IPv6 address in Received header


Adrian Offerman

Aug 21, 2015, 3:48:14 PM
to indimail...@lists.sourceforge.net

We ran into a DKIM validation problem today that appears to be caused by
an IPv6 problem in the Received header:

A message coming in from the system 2a00:1de0:0:203::22 caused these
headers to be added:

Received: (indimail 19110 invoked from 2a00:1de0::203::22 by
host services.offerman.com by uid 555);
Fri, 21 Aug 2015 21:23:16 +0200
...
Received: from mx2.parkstad-it.nl (2a00:1de0::203::22)
by 0 with ESMTPS; Fri, 21 Aug 2015 21:23:16 +0200
Received-SPF: fail (0: SPF record at parkstad-it.nl does not
designate 2a00:1de0:0000:0000:0000:0000:0000:0203 as permitted
sender)

The address in the Received headers gets a double double colon, which
makes it an invalid address. And then the ::22 ending is interpreted as
a port number? and stripped from the address in the SPF header.

Something fishy going on here... :-)

------------------------------------------------------------------------------
_______________________________________________
Indimail-support mailing list
Indimail...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/indimail-support

Manvendra Bhangui

Aug 23, 2015, 11:26:21 PM
to adr...@offerman.net, indimail...@lists.sourceforge.net
On 22 August 2015 at 01:17, Adrian Offerman <adr...@offerman.net> wrote:

We ran into a DKIM validation problem today that appears to be caused by
an IPv6 problem in the Received header:

A message coming in from the system 2a00:1de0:0:203::22 caused these
headers to be added:

  Received: (indimail 19110 invoked from 2a00:1de0::203::22 by
  host services.offerman.com by uid 555);
  Fri, 21 Aug 2015 21:23:16 +0200
  ...
  Received: from mx2.parkstad-it.nl (2a00:1de0::203::22)
    by 0 with ESMTPS; Fri, 21 Aug 2015 21:23:16 +0200
  Received-SPF: fail (0: SPF record at parkstad-it.nl does not
  designate 2a00:1de0:0000:0000:0000:0000:0000:0203 as permitted
  sender)

The address in the Received headers gets a double double colon, which
makes it an invalid address. And then the ::22 ending is interpreted as
a port number? and stripped from the address in the SPF header.

Something fishy going on here... :-)

This is something to do with the SPF code. Will look into it.

Manvendra Bhangui

Aug 24, 2015, 1:12:23 AM
to adr...@offerman.net, indimail...@lists.sourceforge.net
On 22 August 2015 at 01:17, Adrian Offerman <adr...@offerman.net> wrote:

We ran into a DKIM validation problem today that appears to be caused by
an IPv6 problem in the Received header:

A message coming in from the system 2a00:1de0:0:203::22 caused these
headers to be added:

  Received: (indimail 19110 invoked from 2a00:1de0::203::22 by
  host services.offerman.com by uid 555);
  Fri, 21 Aug 2015 21:23:16 +0200
  ...
  Received: from mx2.parkstad-it.nl (2a00:1de0::203::22)
    by 0 with ESMTPS; Fri, 21 Aug 2015 21:23:16 +0200
  Received-SPF: fail (0: SPF record at parkstad-it.nl does not
  designate 2a00:1de0:0000:0000:0000:0000:0000:0203 as permitted
  sender)

The address in the Received headers gets a double double colon, which
makes it an invalid address. And then the ::22 ending is interpreted as
a port number? and stripped from the address in the SPF header.

Something fishy going on here... :-)


The problem is parkstad-it.nl is using IPv6 and does not have an SPF record for IPv6. It just has the IPv4 address 178.21.216.14

mx a:mx1.parkstad-it.nl a:mx2.parkstad-it.nl ip4:178.21.216.14 -all 1161 

So the only solution is to run your server on IPv4 or to inform parkstad-it.nl to add the IPv6 address 2a00:1de0::203:22

Look at

You can also run spfquery in /var/indimail/bin to test such records

$ spfquery 2a00:1de0::203::22 partkstad-it.nl te...@parkstad-it.nl
Received-SPF: fail (localhost: SPF record at parkstad-it.nl does not designate 2a00:1de0:0000:0000:0000:0000:0000:0203 as permitted sender)

Manvendra Bhangui

Aug 24, 2015, 2:49:11 AM
to adr...@offerman.net, indimail...@lists.sourceforge.net
On 22 August 2015 at 01:17, Adrian Offerman <adr...@offerman.net> wrote:

We ran into a DKIM validation problem today that appears to be caused by
an IPv6 problem in the Received header:

A message coming in from the system 2a00:1de0:0:203::22 caused these
headers to be added:

  Received: (indimail 19110 invoked from 2a00:1de0::203::22 by
  host services.offerman.com by uid 555);
  Fri, 21 Aug 2015 21:23:16 +0200
  ...
  Received: from mx2.parkstad-it.nl (2a00:1de0::203::22)
    by 0 with ESMTPS; Fri, 21 Aug 2015 21:23:16 +0200
  Received-SPF: fail (0: SPF record at parkstad-it.nl does not
  designate 2a00:1de0:0000:0000:0000:0000:0000:0203 as permitted
  sender)

The address in the Received headers gets a double double colon, which
makes it an invalid address. And then the ::22 ending is interpreted as
a port number? and stripped from the address in the SPF header.


I see what you mean by ::22. Something wrong is happening with address conversion. Investigating it 

Manvendra Bhangui

Aug 25, 2015, 11:46:48 PM
to adr...@offerman.net, indimail...@lists.sourceforge.net
On 22 August 2015 at 01:17, Adrian Offerman <adr...@offerman.net> wrote:

  Received: (indimail 19110 invoked from 2a00:1de0::203::22 by
  host services.offerman.com by uid 555);
  Fri, 21 Aug 2015 21:23:16 +0200
  ...
  Received: from mx2.parkstad-it.nl (2a00:1de0::203::22)
    by 0 with ESMTPS; Fri, 21 Aug 2015 21:23:16 +0200
  Received-SPF: fail (0: SPF record at parkstad-it.nl does not
  designate 2a00:1de0:0000:0000:0000:0000:0000:0203 as permitted
  sender)

The address in the Received headers gets a double double colon, which
makes it an invalid address. And then the ::22 ending is interpreted as
a port number? and stripped from the address in the SPF header.

Something fishy going on here... :-)

I have done some investigation. 

1. The address 2a00:1de0::203::22 is correctly being interpreted as 2a00:1de0::203. The extra ::22 is being discarded by ip6_scan() and ip6_fmt() functions in the ip6 library.

2. The spfquery is correctly looking for the SPF record for parkstad-it.nl and does not find 2a00:1de0::203 as a valid permitted sender IP. This can be corrected by parkstad-it.nl by adding it. You could send an email to postm...@parkstad-it.nl

The issue that I cannot debug is how ::22 got appended. qmail-smtpd gets this address from the TCPREMOTEIP environment variable set by tcpserver. So a few questions:

1. In /var/log/indimail/log/smtpd.25/current, what is the IPv6 address you see for the mail from parkstad-it.nl?

2. Is 2a00:1de0::203 the right IPv6 address for parkstad-it.nl?

NOTE: I tried simulating the above situation by setting my laptop address to 2a00:1de0::203 and the received address correctly shows it as 2a00:1de0::203. Also I have updated the ipv6 library to show ipv6 addresses in compressed notation. i.e. 2a00:1de0::203 instead of 2a00:1de0:0000:0000:0000:0000:0000:0203

Adrian Offerman

Aug 26, 2015, 9:24:01 AM
to Manvendra Bhangui, indimail...@lists.sourceforge.net

No need to worry about SPF configuration; we understand that and we can
fix that.
In answer to your questions:

2) Note: the actual IPv6 address is 2a00:1de0:0:203::22,
so it looks like the ':0:' part is replaced with a double colon
'::' somewhere in the stack/chain, even though the address
already contains a double colon, thereby creating an invalid
IPv6 address;
and later on the '::23' part of the address is stripped from the
end because it is seen as a port number?

1) I just checked for the IPv6 address as seen by smtpd.25: it says
'2a00:1de0::203::22', so the malformed address is propagated from
there;
but I also see the same malformed address in the tcpserver log
lines, so it looks like that's where it originates;
in the tcpserver log lines you can also see that the ::23 is part
of the IP address;
here below some relevant log lines; let me know if you need
more/other info:

@4000000055db3d942cb52ecc tcpserver: pid 6511 from 2a00:1de0::203::22
@4000000055db3d9432fa1644 tcpserver: ok 6511 0[2a02:27f8:1098::1:6]25
mx2.parkstad-it.nl[2a00:1de0::203::22]:41116:maxperip=25
@4000000055db3db421e99654 qmail-smtpd: pid 6511 from 2a00:1de0::203::22
HELO <mx2.parkstad-it.nl> MAIL from
<prvs=0678f1bfcd=XXXXXX...@parkstad-it.nl> RCPT
<XXXXXX...@offerman.com> AUTH <local-rcpt> Size: 27915
@4000000055db3db421f37d7c tcpserver: end 6511 status 0


On 08/26/2015 05:46 AM, Manvendra Bhangui wrote:
> On 22 August 2015 at 01:17, Adrian Offerman <adr...@offerman.net> wrote:
>
>
> Received: (indimail 19110 invoked from 2a00:1de0::203::22 by
> host services.offerman.com by uid 555);
> Fri, 21 Aug 2015 21:23:16 +0200
> ...
> Received: from mx2.parkstad-it.nl (2a00:1de0::203::22)
> by 0 with ESMTPS; Fri, 21 Aug 2015 21:23:16 +0200
> Received-SPF: fail (0: SPF record at parkstad-it.nl does not
> designate 2a00:1de0:0000:0000:0000:0000:0000:0203 as permitted
> sender)
>
> The address in the Received headers gets a double double colon, which
> makes it an invalid address. And then the ::22 ending is interpreted as
> a port number? and stripped from the address in the SPF header.
>
> Something fishy going on here... :-)
>
> I have done some investigation.
>
> 1. The address 2a00:1de0::203::22 is correctly being interpreted as
> 2a00:1de0::203. The extra ::22 is being discarded by ip6_scan() and
> ip6_fmt() functions in the ip6 library.
>
> 2. The spfquery is correctly looking for spf record for parkstad-it.nl
> and does not find 2a00:1de0::203 as a valid permitted sender IP. This
> can be corrected by the parkstad-it.nl by adding it. You could send an
> email to postm...@parkstad-it.nl
>
> The issue that I cannot debug is how ::22 got appended. qmail-smtpd gets
> this address from TCPREMOTEIP environment variable set by tcpserver. So
> few questions
>
> 1. In /var/log/indimail/log/smtpd.25/current, what is the IPv6 address
> you see for the mail from parkstad-it.nl
>
> 2. Is 2a00:1de0::203 the right ipv6 address for parkstad-it.nl
>
> NOTE: I tried simulating the above situation by setting my laptop
> address to 2a00:1de0::203 and the received address correctly shows it as
> 2a00:1de0::203. Also I have updated the ipv6 library to show ipv6
> addresses in compressed notation. i.e. 2a00:1de0::203 instead of
> 2a00:1de0:0000:0000:0000:0000:0000:0203

Manvendra Bhangui

Aug 26, 2015, 9:39:40 AM
to adr...@offerman.net, indimail...@lists.sourceforge.net
On 26 August 2015 at 18:53, Adrian Offerman <adr...@offerman.net> wrote:


2) Note: the actual IPv6 address is 2a00:1de0:0:203::22,
   so it looks like the ':0:' part is replaced with a double colon
   '::' somewhere in the stack/chain, even though the address
   already contains a double colon, thereby creating an invalid
   IPv6 address;

This is a big clue. So the bug is in tcpserver. All other programs depend on the setting of TCPREMOTEIP which is being wrongly set/scanned by my ip6_fmt() or ip6_scan() functions. Fixing this will solve this issue. Will post a fix and a new build after I have identified the problem in these two functions.
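The symptom in this thread (2a00:1de0:0:203::22 logged as 2a00:1de0::203::22) is what a formatter produces when it writes "::" for every zero run instead of for one run only. The following is an added illustration, not indimail's ip6_fmt() or ip6_scan() code; fmt6, zero_run, show and valid6 are hypothetical names, and the flawed mode is constructed only to reproduce the logged string beside the correct single-compression output and a strict validity check.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Length of the run of all-zero groups starting at index i. */
static int zero_run(const unsigned g[8], int i) {
    int n = 0;
    while (i + n < 8 && g[i + n] == 0) n++;
    return n;
}

/* every_run = 0: compress only the longest zero run of two or more groups.
 * every_run = 1: constructed flaw that writes "::" for every zero run. */
static void fmt6(const unsigned char ip[16], int every_run, char *out) {
    unsigned g[8];
    int i, len, best = -1, bestlen = 0, sep = 0;
    char *p = out;
    for (i = 0; i < 8; i++) g[i] = ((unsigned)ip[2 * i] << 8) | ip[2 * i + 1];
    for (i = 0; i < 8; i++)
        if ((len = zero_run(g, i)) >= 2 && len > bestlen) { best = i; bestlen = len; }
    for (i = 0; i < 8; ) {
        len = zero_run(g, i);
        if (len && (every_run || i == best)) {
            p += sprintf(p, "::"); i += len; sep = 0;
        } else {
            p += sprintf(p, "%s%x", sep ? ":" : "", g[i]); i++; sep = 1;
        }
    }
}

/* Strict check: inet_pton() accepts at most one "::" in an address. */
static int valid6(const char *s) {
    unsigned char b[16];
    return inet_pton(AF_INET6, s, b) == 1;
}

/* Parse addr and format it in the chosen mode (returns a static buffer). */
static const char *show(const char *addr, int every_run) {
    static char buf[64];
    unsigned char ip[16];
    if (inet_pton(AF_INET6, addr, ip) != 1) return "invalid";
    fmt6(ip, every_run, buf);
    return buf;
}

int main(void) {
    const char *a = "2a00:1de0:0:203::22"; /* address quoted in the thread */
    printf("strict: %s\n", show(a, 0));
    printf("flawed: %s (valid=%d)\n", show(a, 1), valid6(show(a, 1)));
}
```

Running a strict check such as valid6() on the value placed in TCPREMOTEIP, before it reaches Received headers or an SPF lookup, would reject the double "::" form instead of silently truncating it.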