From: Hiroki Sato
Date: Thu, 10 Jan 2013 01:55:16 +0900 (JST)
To: ben@morrow.me.uk
Cc: freebsd-stable@FreeBSD.org
Subject: Re: sendmail vs ipv6 broken after upgrade to 9.1
Message-Id: <20130110.015516.1722722242677856001.hrs@allbsd.org>
In-Reply-To: <20130109154435.GA81164@anubis.morrow.me.uk>
References: <20130108180920.GJ36633@rugsucker.smi.sendmail.com> <20130109.072935.595111158363526981.hrs@allbsd.org> <20130109154435.GA81164@anubis.morrow.me.uk>

Ben Morrow wrote
  in <20130109154435.GA81164@anubis.morrow.me.uk>:

be> So getipnodebyname is behaving correctly here: the host has both IPv4
be> and IPv6 addresses, and Sendmail is requesting both native and v4-mapped
be> addresses be returned in all cases. The v4-mapped addresses are then
be> sorted to the top of the list.
be>
be> On FreeBSD, where net.inet6.ip6.v6only is on by default, I believe this
be> is incorrect, and Sendmail should be passing 0 for the flags argument,
be> unless it's going to check or clear the IPV6_V6ONLY socket option. There
be> is no point binding a socket to a v4-mapped address if the kernel isn't
be> going to deliver IPv4 connections to it. Sendmail should also be binding
be> to all the addresses returned, if it isn't already, rather than just the
be> first: this would make the problem go away, since both v4-mapped and
be> native IPv6 sockets would be bound, and the v4-mapped ones would simply
be> never get any connections.

 I reread the RFC 2553 and realize your explanation is correct.
 gshapiro's explanation was a behavior in the case of (AF_INET6,
 AI_DEFAULT), not (AF_INET6, AI_DEFAULT|AI_ALL).

 I think sendmail should work regardless of net.inet6.ip6.v6only. Is
 just dropping AI_ALL enough for that? When AAAA RR is found, no
 v4-mapped address will return in that case. Is this correct?

be> Fixing this by setting ipv6_prefer is not necessarily a good idea; this
be> will cause IPv6 addresses to be preferred across the whole system, and
be> unless your IPv6 connectivity is at least as good as your IPv4, that
be> probably isn't what you want.

 Yes, I agree that ipv6_prefer is not a correct way to solve this
 specific issue.

be> > Just curious, but is there any specific reason not to return an error
be> > when Family=inet6 and no AAAA RR?
be>
be> In this case, Sendmail explicitly requested that v4-mapped addresses be
be> returned in all cases...

-- Hiroki