
flori at bin
May 27, 2012, 9:28 AM
Post #7 of 8
Hello Erwin,

thanks as always for the precise analysis ;-)... I understand that there is still some or significant effort needed, but I want also to learn more about these issues since they might affect future decisions sooner or later.

Practically I fail already in step b) as tcpserver does exactly not listen to any ip6 enabled interface. And I only have the 4 you mentioned, not more :) So I doubt that the value of "0" does function correctly to enable bindings on both stacks. whatever it prevents of doing so... the executable shows the correct cmdline arguments, so it must be the patched one, no "lost update" issue:

usage: tcpserver [ -461UXpPhHrRoOdDqQv ]

But, what Nicolai suggested, adding those -4 or -6 parameters will do completely different things than to enable the stack binding, at least that's what the manpage told me.

So for playing around, maybe you can help me to get this going, and then we talk about step g) and h) later.... :)

thanks
Florian

Quoting Erwin Hoffmann <feh [at] fehcom>:

> Hi Florian (and all who are interested),
>
> currently I'm working on IPv6, and in particular its integration into
> ucspi-ssl and qmail.
> Felix already did most of the coding ;-)
>
> Let me try to explain parts of the problem:
>
> Your IPvX settings:
>
> a) In your setting, you use IPv6 enabled tcpserver to catch any TCP
>    packet for port 25.
>    You bind tcpserver to ANY available IP address by means of the '0'
>
> b) tcpserver will happily accept any IPv4 AND IPv6 packet on any (at
>    start) available IP address.
>
> c) The IPv4 address your host has is '0.0.0.0' (unspecified),
>    '127.0.0.1' (loopback) and the
>    dedicated address, let's say 1.2.3.4.
>
> d) IPv6 address your host has is '::' (unspecified), '::1'
>    (loopback), the link-local LLU
>    address (fe80:....), and the Global IPv4 address, typically 2001:......
>
> e) In case you have turned on IPv6 privacy extension, additional LLU
>    AND Global addresses
>    will come and go.
>    I doubt, this is going to work with tcpserver anyway.
>
> Your smtp.cdb:
>
> f) Let's consider tcpserver receives an IPvX packet. It needs to
>    look inside the cdb.
>    Here you may have defined some IP based rules, typically
>    '127.0.0.1:allow'.
>
> g) The kernel of your OS will translate any IPv4 DA in the packet to
>    an IPv4-mapped IPv6 address.
>    The lookup will fail.
>
> h) tcpserver's rule don't work neither with IPv4 CIDR addresses nor
>    IPv6 addresses.
>    For the first problem I have provided a patch, on the second
>    issue I'm working on (better:
>    one of my students).
>
> Some solution:
>
> i) Always bind tcpserver (and perhaps sslserver) to a dedicated
>    IPv4/IPv6 address.
> j) Use distinguished smtpd.cdbs for each case.
>
> Of course:
>
> k) rblsmtpd does currently not support IPv6 addresses.
>
>
> Good luck and best regards.
>
> --eh.
>
> PS: You can check for some system commands to tune IPv6 in my talk
> about the Router Advertisement Protocol:
>
> http://www.fehcom.de/ipnet/ipv6_en.html
>
>
>
> On 22.05.2012 at 09:33, flori [at] bin wrote:
>
>> Hello,
>>
>> as I read it I expected that I do not need those switches. And
>> here's the run file:
>>
>> start-stop-daemon --start --user qmaild \
>>   --pidfile /var/run/tcpserver_smtpd.pid --make-pidfile \
>>   --exec \
>>   /usr/bin/tcpserver -- -R -H -l $HOSTNAME \
>>   -u vpopmail -g vpopmail -x /etc/tcp.smtp.cdb 0 smtp \
>>   $rblsmtpd /usr/sbin/qmail-smtpd \
>>   /var/vpopmail/bin/vchkpw /bin/true 2>&1 \
>>   | /usr/bin/multilog t n14 s1000000 /var/log/smtp &
>>
>> Quoting Nicolai <nicolai-qmail [at] chocolatine>:
>>
>>> On Mon, May 21, 2012 at 10:46:07PM +0200, Florian Leeber wrote:
>>>> Hello all,
>>>>
>>>> I am playing around with IPv6 a bit and found those instructions on the
>>>> net: http://www.brandonturner.net/blog/2009/08/qmail-ipv6-tcpserver/ -
>>>> however, after applying the patch exactly nothing changed.
>
>
>
> --
> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
>
>
>

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
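
Added example, not part of the thread and not tcpserver's own code: the lookup failure from points g) and h) of the quoted message, sketched in Python. The rule table, action names and addresses are constructed, and the exact-string match is an assumed stand-in for a cdb lookup keyed on the address a dual-stack socket reports.

```python
import ipaddress

# Constructed rule table in the spirit of a tcp.smtp source file.
# "" is the default rule; the action names are hypothetical labels.
RULES = {
    "127.0.0.1": "allow-relay",
    "192.0.2.0/24": "deny",
    "2001:db8::/32": "allow-relay",
    "": "allow",
}

def naive_lookup(reported: str) -> str:
    """Exact string match on the address as reported by the socket."""
    return RULES.get(reported, RULES[""])

def normalize(reported: str):
    """Unwrap ::ffff:a.b.c.d into the plain IPv4 address it carries."""
    addr = ipaddress.ip_address(reported)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def normalized_lookup(reported: str) -> str:
    """Longest-prefix match over IPv4 and IPv6 rules after unwrapping."""
    addr = normalize(reported)
    best = None
    for key, action in RULES.items():
        if not key:
            continue
        net = ipaddress.ip_network(key, strict=False)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, action)
    return best[1] if best else RULES[""]

if __name__ == "__main__":
    # Constructed addresses, written the way a dual-stack listener sees them.
    for peer in ("::ffff:127.0.0.1", "::ffff:192.0.2.55", "2001:db8::25", "::1"):
        print(f"{peer:20} naive={naive_lookup(peer):12} "
              f"normalized={normalized_lookup(peer)}")
```

With the exact match, both the loopback relay rule and the deny rule for 192.0.2.0/24 fall through to the default, so a rule set that looks restrictive on paper is not enforced for IPv4 clients arriving in mapped form.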