-
-
Notifications
You must be signed in to change notification settings - Fork 800
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nginx/front does not resolve IPv6 -> rspamd problems #2260
Comments
Found the problem/fix: nginx/front does not resolve IPv6 adresses because of core/nginx/conf/nginx.conf#L257:
introduced by #1967 due to this (wrong? I will try to check if changing admin to listen on |
The Rspamd web interface will also not be available via
|
Curiosly I didn't run into any problems, when testing rspamd access in my ipv6 enabled containers in #2272 - I will try to double check the logs though, if something seems amiss/is just gracefully failing. |
Odds are the hostname is looked up at startup... and cached forever... this may be why it appears to work (using v4). I suggest you increase the verbosity of unbound and ensure that:
|
Try with |
@peterpramb have you run into the rspamd web-interface problem yourself, or is this an observation through reading the code? Whatever I tried I could not get access from nginx to rspamd to use IPv6, and had to resort to hard-coding the rspamd-container's IPv6 address into nginx's Same thing with more IPv4 testing, as suggested with |
@Niduroki it's the "bind()" operation that fails: when the container is created; Try |
Yes, I hit it when I manually enabled IPv6 resolver support in But I should have mentioned that I'm not using |
We've talked about IPv6 in our last developer meeting, the consensus was that it's hard to get right:
Most of the functionality (being able to receive emails from IPv6 enabled hosts) can be implemented by tweaking the docker-compose & front: no v6 support is required elsewhere, begging the questions: is it worth it? Getting emails reliably delivered in inboxes over v4 is hard enough (deliverability). |
Well, just my personal opinion (not sure if I was asked at all ;-): Given that new IPv4 addresses are now only available on the free market to horrible prices and providers start to provide servers with IPv6 only, where you have to pay for IPv4 extra, it is probably not a good idea to stick to IPv4 alone. |
I cannot reproduce that? Do you have any special configuration options, or are you using the standard setup.mailu.io docker-compose.yml (which is what I'm basically using, with minor changes, as seen in my related PR).
(fedora 35, docker/moby 20.10.12) To be completely honest, I'm not too fussed about how the original problem, of fixing ipv6 rDNS lookups and the associated If you think better IPv6 support is a Edit: If you are afraid of making people do stupid things, by misconfiguring their instances causing open-relays, or something, I don't really get the reason you have a IPv6 FAQ-section however. At least one that's more than: "Please don't!!" |
Rephrasing the above: there's very little work required to make Mailu v6-only compatible if you accept that the inner traffic will be v4 (using private address space). Add an AAAA record, configure docker to bind v6 sockets, let it do NAT to v4... and it should work. On the other hand, getting SUBNET6 to work (the inner part of Mailu) is a significant undertaking relying on broken and immature technology (experimental stuff in docker, ... complex on other stacks too), where simple failures may lead to open-relays & all kind of bad things. |
I use debian here, I suspect it's a kernel setting somewhere that's different.
Other related projects seem to have run into the same issue: mailcow/mailcow-dockerized#3168 ... apparently it's a timeout "somewhere/sometimes"
I'm not against better IPv6 support; The question is what kind of support and when. I hear @peterpramb's usecase (scarcity of publically routable v6 addresses); I am not sure how practical running a v6-only mailserver is going to be for the foreseeable future but agree that it's important to eventually get there. In the meantime, work should probably be done to allow the operation of a dual-stack mailserver (to v6 enable SMTP(inbound)/IMAP/POP), that's easy to do and definitely worth it. However, I am a lot more skeptical about the benefits of going further (enabling v6 outbound or like proposed here, dual-staking the internal network). Both because it's massively more complex but also because it's just not that useful (to me :p). I guess we should relocate this discussion into a new ticket and discuss there the type of v6 support we want.
One of the things that was agreed was to get rid of the v6 option in setup; We will do that. |
I really can't talk for Anyway, I understand the concerns. The only thing I really ask for is to make the |
And please don't drop any existing support for |
Now I'm even more confused. Shell Output on Debian
Ignore me typo-ing debian for this throwaway, test-machine 👀 This definitely seems like a configuration issue. (Using configuration from #2272)
While I'm not 100% sure I think removing Edit: (Maybe this should go in the other IPv6 ticket, though): |
It's complicated. ;-) Nginx tries to lookup the client's hostname to forward the complete client info to Postfix using the XCLIENT command. Postfix calls Rspamd via milter protocol and passes the client info on, so when Rspamd sees a mismatch in client IP and hostname you get additional SPAM points. With the current resolver configuration Nginx can't lookup IPv6 clients at all, so there is always a mismatch between client IP and hostname. |
I'll prepare a PR:
It should have minimum side effects (so that we can safely backport it); "better v6 support" should be a different ticket and I suggest that the rest of #2272 is discussed there. |
It creates issues with RSPAMD/HFILTER_HOSTNAME_UNKNOWN on v6 enabled setups see Mailu#2260 (comment)
It creates issues with RSPAMD/HFILTER_HOSTNAME_UNKNOWN on v6 enabled setups see #2260 (comment) (cherry picked from commit 9b952da)
Copy-pasting my comment from #2351 in here, too, for better visibility: #2351 caused a regression:
|
Cause of problem found
Before you open your issue
Mailu
is made by volunteers in their free time — be conscise, civil and accept that delays can occur.Environment & Versions
Environment
Versions
Description
I recently enabled IPv6 on my server (following the FAQ steps of defining an IPv6 subnet, and enabling docker's ip6tables NATing).
/etc/docker/daemon.json
It works, and IPv6 is used properly now. Instead of
192.168.190.1
in rspamd mails are received from - e.g. -2607:f8b0:4864:20::746
(Google-Mail).However in rspamd IPv6 PTR lookups seem to fail, meaning there's always going to be an added 2.5 spam points, via
HFILTER_HOSTNAME_UNKNOWN
to every mail that is delivered via IPv6.Curiosly, doing a
nslookup
in the rspamd container works, however:Replication Steps
Send mail to mailu server, from an ipv6 enabled server (e.g. gmail).
Expected behaviour
PTR lookups work - no
HFILTER_HOSTNAME_UNKNOWN
for IPv6 addresses with a valid PTR entry.Logs
logs
Notable observation (regarding line 2
mail-ed1-x535.google.com could not be resolved, host not found
):mail-ed1-x535.google.com
has noA
record, just anAAAA
record. Is this maybe related?Edit: Unrelated, I have found other IPv6 addresses also with an A record, where this problem occurs, too.
Configuration
docker-compose.yml
mailu.env
Can anybody even reproduce this, or is this some weird problem with my setup …Edit: It is not, see comment.I just can't figure out how to debug this, any pointers in the right direction, if no one can reproduce this, would be greatly appreciated.
Thanks for your time!
The text was updated successfully, but these errors were encountered: