SOLVED Exim IPv6 bug with reverse_host_lookup

Operating System & Version
Linux host.redacted.ofc 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
cPanel & WHM Version
96.0 (build 11)

bellwood

Exim: version 4.94.2 #2 built 07-May-2021 10:34:38
cPanel: 96.0 (build 11)
OS: Linux host.redacted.ofc 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Inside the Exim advanced editor, add the following to "custom_begin_connect_post":

Code:
defer !verify = reverse_host_lookup/defer_ok
       log_message = PTR invalid for $sender_host_address
We are seeing IPv6 senders with valid PTRs and matching AAAAs for that host hit the rule:

Code:
2021-06-24 14:29:03 H=[2602:ff1c:1:80::50]:60631 temporarily rejected
connection in "connect" ACL: PTR invalid for 2602:ff1c:1:80::50: host
lookup failed (2602:ff1c:1:80::50 does not match any IP address for
mta4.pr.judicialwatch.org)
On the server, however, we get complete A and AAAA:

Code:
host mta4.pr.judicialwatch.org
mta4.pr.judicialwatch.org has address 192.107.243.81
mta4.pr.judicialwatch.org has IPv6 address 2602:ff1c:1:80::50
If you debug it:

Code:
exim -d-all+dns+acl -bh '[2602:ff1c:1:80::50]:60631'

Exim version 4.94.2 uid=0 gid=0 pid=27354 D=24
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning DANE
DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR SPF Experimental_SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch passwd sqlite
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [4.8.2 20140120 (Red Hat 4.8.2-16)]
Library version: Glibc: Compile: 2.17
                         Runtime: 2.17
Library version: BDB: Compile: Berkeley DB 5.3.21: (May 11, 2012)
                       Runtime: Berkeley DB 5.3.21: (May 11, 2012)
Library version: OpenSSL: Compile: OpenSSL 1.0.2k-fips  26 Jan 2017
                           Runtime: OpenSSL 1.0.2k-fips  26 Jan 2017
                                  : built on: reproducible build, date unspecified
Library version: IDN: Compile: 1.28
                       Runtime: 1.28
Library version: spf2: Compile: 1.2.10
                        Runtime: 1.2.10
Library version: PCRE: Compile: 8.32
                        Runtime: 8.32 2012-11-30
Library version: SQLite: Compile: 3.7.17
                          Runtime: 3.32.3
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST: "/etc/exim_trusted_configs"
XDG_SESSION_ID in keep_environment? no (end of list)
HOSTNAME in keep_environment? no (end of list)
TERM in keep_environment? no (end of list)
SHELL in keep_environment? no (end of list)
HISTSIZE in keep_environment? no (end of list)
SSH_CLIENT in keep_environment? no (end of list)
SSH_TTY in keep_environment? no (end of list)
USER in keep_environment? no (end of list)
LS_COLORS in keep_environment? no (end of list)
MAIL in keep_environment? no (end of list)
PATH in keep_environment? no (end of list)
PWD in keep_environment? no (end of list)
EDITOR in keep_environment? no (end of list)
LANG in keep_environment? no (end of list)
PS1 in keep_environment? no (end of list)
HISTCONTROL in keep_environment? no (end of list)
SHLVL in keep_environment? no (end of list)
HOME in keep_environment? no (end of list)
LOGNAME in keep_environment? no (end of list)
VISUAL in keep_environment? no (end of list)
SSH_CONNECTION in keep_environment? no (end of list)
LESSOPEN in keep_environment? no (end of list)
XDG_RUNTIME_DIR in keep_environment? no (end of list)
HISTTIMEFORMAT in keep_environment? no (end of list)
_ in keep_environment? no (end of list)
configuration file is /etc/exim.conf
log selectors = 00001ffe 99805426 00000003
trusted user
admin user


**** SMTP testing session as if from host
2602:ff1c:0001:0080:0000:0000:0000:0050
**** but without any ident (RFC 1413) callback.
**** This is not for real!

host in hosts_connection_nolog? no (option unset)
LOG: smtp_connection MAIN
   SMTP connection from [2602:ff1c:0001:0080:0000:0000:0000:0050]:60631
host in host_lookup? no (option unset)
host in host_reject_connection? no (option unset)
host in sender_unqualified_hosts? no (option unset)
host in recipient_unqualified_hosts? no (option unset)
host in helo_verify_hosts? no (option unset)
host in helo_try_verify_hosts? no (option unset)
host in helo_accept_junk_hosts? yes (matched "*")
using ACL "acl_smtp_connect"

...snip...

looking up host name for 2602:ff1c:0001:0080:0000:0000:0000:0050
DNS lookup of
0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa. (PTR)
succeeded
Reverse DNS security status: unverified
IP address lookup yielded "mta4.pr.judicialwatch.org"
DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
checking addresses for mta4.pr.judicialwatch.org
Forward DNS security status: unverified
   192.107.243.81
no IP address for mta4.pr.judicialwatch.org matched
2602:ff1c:0001:0080:0000:0000:0000:0050
2602:ff1c:0001:0080:0000:0000:0000:0050 does not match any IP address
for mta4.pr.judicialwatch.org

...snip...

defer: condition test succeeded in ACL "acl_smtp_connect"
end of ACL "acl_smtp_connect": DEFER
451 Temporary local problem - please try later
LOG: connection_reject MAIN REJECT
   H=[2602:ff1c:0001:0080:0000:0000:0000:0050]:60631 temporarily
rejected connection in "connect" ACL: PTR invalid for
2602:ff1c:0001:0080:0000:0000:0000:0050: host lookup failed
(2602:ff1c:0001:0080:0000:0000:0000:0050 does not match any IP address
for mta4.pr.judicialwatch.org)
Note that we only see "DNS lookup of mta4.pr.judicialwatch.org (A) succeeded"; there is no DNS lookup for the AAAA.

Non-cPanel Exim installations on the same Exim version do not exhibit this issue:

Code:
looking up host name for 2602:ff1c:0001:0080:0000:0000:0000:0050
DNS lookup of 0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa. (PTR) succeeded
Reverse DNS security status: unverified
IP address lookup yielded "mta4.pr.judicialwatch.org"
DNS lookup of mta4.pr.judicialwatch.org (AAAA) succeeded
DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
checking addresses for mta4.pr.judicialwatch.org
Forward DNS security status: unverified
2602:ff1c:1:80::50 OK
Edit: clarified title, spelling
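
A forward-confirmed reverse DNS check of the kind the debug output above traces, as an added example that is not part of the original post and not Exim's code. `ZONE` and `zone_resolve` are constructed stand-ins for a resolver, loaded with the records quoted in the post; restricting `forward_types` to `("A",)` reproduces the false mismatch.

```python
import ipaddress

SENDER = "2602:ff1c:1:80::50"          # address from the post's log line
HOST = "mta4.pr.judicialwatch.org"     # PTR target from the post

# Constructed zone data holding the records quoted in the post.
ZONE = {
    (ipaddress.ip_address(SENDER).reverse_pointer, "PTR"): [HOST + "."],
    (HOST, "A"): ["192.107.243.81"],
    (HOST, "AAAA"): ["2602:ff1c:1:80::50"],
}


def zone_resolve(name, rrtype):
    """Hypothetical offline resolver: look up (name, type) in ZONE."""
    return ZONE.get((name.rstrip(".").lower(), rrtype), [])


def fcrdns(client_ip, resolve, forward_types=("AAAA", "A")):
    """Return (ok, detail) for a forward-confirmed reverse DNS check.

    ok is True when a PTR name for client_ip resolves back to client_ip
    through one of the record types in forward_types.
    """
    ip = ipaddress.ip_address(client_ip)  # compressed or expanded form
    names = resolve(ip.reverse_pointer, "PTR")
    if not names:
        return False, "no PTR record"
    for name in names:
        for rrtype in forward_types:
            for text in resolve(name, rrtype):
                # Compare parsed addresses, not strings: "::50" and
                # "0000:...:0050" denote the same host.
                if ipaddress.ip_address(text) == ip:
                    return True, f"{name.rstrip('.')} {rrtype} matches"
    first = names[0].rstrip(".")
    return False, f"{client_ip} does not match any IP address for {first}"


if __name__ == "__main__":
    expanded = "2602:ff1c:0001:0080:0000:0000:0000:0050"
    print(fcrdns(expanded, zone_resolve))                        # A and AAAA
    print(fcrdns(expanded, zone_resolve, forward_types=("A",)))  # A only
```
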
 

cPRex

I've been having issues getting a proper testing environment set up to replicate this behavior. Could you submit a ticket to our team so we can do some additional work on this for you? Please let me know the ticket number once you've had a chance to do that so I can follow along on my end.
 

assid2

Hi,
Just wondering if there have been any further updates on this?


cPRex

Update - this has been resolved with the following note in the rpm changelog:

Code:
Add flag file for restoring old sort bias for ipv6
case HB-6385: Considering that by default we'll likely want to keep
our patched behavior (given the last patch for this was in the other
direction – you could enable patched behavior with flag file – was
reverted), we'll use a flag file (/var/cpanel/exim_ipv6_sort_bias) for
restoring the "original" behavior.
 