Can not specify different DNSBLs for IPv4/IPv6

Bug #953876 reported by Swen Kühnlein
This bug affects 1 person
Affects: exim4 (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Unassigned

Bug Description

There is only one hook for checking DNSBLs in acl/30_exim4-config_check_rcpt which is run unconditionally for both IPv4 and IPv6 addresses. This can lead to problems when IPv6 addresses are checked against IPv4-only lists.

From exim spec 40.35:

40.35 DNS lists and IPv6
If Exim is asked to do a dnslist lookup for an IPv6 address, it inverts it nibble by nibble. For example, if the calling host’s IP address is 3ffe:ffff:836f:0a00:000a:0800:200a:c031, Exim might look up

  1.3.0.c.a.0.0.2.0.0.8.0.a.0.0.0.0.0.a.0.f.6.3.8.f.f.f.f.e.f.f.3.blackholes.mail-abuse.org

Unfortunately, some of the DNS lists contain wildcard records, intended for IPv4, that interact badly with IPv6. For example, the DNS entry

  *.3.some.list.example. A 127.0.0.1

is probably intended to put the entire 3.0.0.0/8 IPv4 network on the list. Unfortunately, it also matches the entire 3::/4 IPv6 network.

You can exclude IPv6 addresses from DNS lookups by making use of a suitable condition condition, as in this example:

  deny condition = ${if isip4{$sender_host_address}}
          dnslists = some.list.example

Tags: ipv6
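
An added example (not part of the original report and not Exim's own code) that reproduces offline the collision described in the quoted spec section: it builds the DNSBL query name for IPv4 and IPv6 hosts and checks it against the wildcard record. The function names and the simplified wildcard matcher are assumptions made for illustration.

```python
import ipaddress

def dnsbl_query_name(addr: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        # exploded form keeps all 32 hex digits, e.g. 3ffe:ffff:836f:0a00:...
        labels = list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def wildcard_covers(wildcard: str, qname: str) -> bool:
    """Simplified wildcard match (assumption: no other records exist in the zone)."""
    w = wildcard.strip(".").lower().split(".")
    q = qname.strip(".").lower().split(".")
    if w[0] != "*":
        return w == q
    suffix = w[1:]
    # '*' must stand for at least one label in front of the fixed suffix.
    return len(q) > len(suffix) and q[len(q) - len(suffix):] == suffix

def guarded_query_name(addr: str, zone: str):
    """Mirror of the isip4 guard: skip the lookup unless the host is IPv4."""
    if ipaddress.ip_address(addr).version != 4:
        return None
    return dnsbl_query_name(addr, zone)

if __name__ == "__main__":
    zone, wildcard = "some.list.example", "*.3.some.list.example"
    # Constructed sample hosts; the first IPv6 one is the address from the spec text.
    hosts = ("3.10.20.30", "3ffe:ffff:836f:0a00:000a:0800:200a:c031", "2001:db8::1")
    for host in hosts:
        q = dnsbl_query_name(host, zone)
        print(f"{host:42} wildcard_hit={wildcard_covers(wildcard, q)} "
              f"guarded={guarded_query_name(host, zone)}")
```

Both the IPv4 host in 3.0.0.0/8 and the IPv6 host beginning with nibble 3 end in the label `3` and hit the wildcard; with the guard, the IPv6 host is never looked up.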
Changed in exim4 (Ubuntu):
importance: Undecided → Medium
Bryce Harrington (bryce)
description: updated
Bryce Harrington (bryce) wrote :

From a cursory examination of 30_exim4-config_check_rcpt I don't see evidence of support for running different hooks for ipv4 vs ipv6 addresses, so presumably this is still an issue?

If it is, it would be helpful to have a way to artificially reproduce the issue.

Paride Legovini (paride) wrote :

This seems an issue that should be filed upstream[1], I don't think a fix would really belong to the Ubuntu packaging.

[1] https://bugs.exim.org/

Bryce Harrington (bryce) wrote :

A test case to reproduce the issue would be useful, but I agree with paride this should really be addressed upstream.
Please file the bug at https://bugs.exim.org/ if it remains an issue for you. If you do, and send us the link to the bug report, we can track it and pull the fix if you'd like.

Changed in exim4 (Ubuntu):
status: New → Invalid