Bug#961538: /usr/lib/sm.bin/sendmail: IPv6 reverse-then-forward lookup broken, possibly by glibc-2.30.patch
Package: sendmail-bin
Version: 8.15.2-18
Severity: important
File: /usr/lib/sm.bin/sendmail
[ same as https://bugs.launchpad.net/ubuntu/+source/sendmail/+bug/1879738 ]
Dear Maintainer,
since USE_INET6 has been removed in glibc-2.30, sendmail fails to verify
IPv6 client addresses (reverse-then-forward-lookup) and refuses to
accept incoming mail:
May 20 16:42:50 mx sm-mta[161617]: ruleset=check_relay, arg1=[IPv6:2a04:6c0:0:0:0:0:bad:0], arg2=IPv6:2a04:6c0:0:0:0:0:bad:0, relay=hektik.14v.de [IPv6:2a04:6c0:0:0:0:0:bad:0] (may be forged), reject=451 4.1.8 Possibly forged hostname for IPv6:2a04:6c0:0:0:0:0:bad:0
It seems the patch "glibc-2.30.patch" only fixed the FTBFS problem, but
does not provide any alternative method for IPv6 reverse lookups.
I checked with tcpdump and the forward-part of a
reverse-then-forward-lookup always asks for an "A" record instead of
"AAAA".
There is already some #ifdef in conf.c, function sm_getipnodebyname()
for gethostbyname2().
If I add
#define HAS_GETHOSTBYNAME2 1
before that, reverse-then-forward lookups for IPv6 do work again as
expected.
Please find the attached patch sendmail-ipv6-gethostbyname2.patch. It
modifies configure.ac, so that it checks availability of
gethostbyname2() and adds -DHAS_GETHOSTBYNAME2=1 to sm_envdef when
found.
Regards
Matthias Ferdinand
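An added illustration, not sendmail code and not part of the report, of why the forward half of a reverse-then-forward check fails when it queries the wrong record family. The host name, the addresses, the in-memory zone table standing in for DNS and the helper names parse_addr and forward_confirms are all constructed for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* Constructed stand-in for DNS: forward records published for one PTR name. */
struct rr { const char *name; int family; const char *addr; };
static const struct rr zone[] = {
    { "mail.example.net", AF_INET,  "192.0.2.25"   },   /* A    */
    { "mail.example.net", AF_INET6, "2001:db8::25" },   /* AAAA */
};

/* Parse text into binary form; returns the address length (16 or 4) or -1. */
static int parse_addr(const char *text, unsigned char out[16], int *family)
{
    if (inet_pton(AF_INET6, text, out) == 1) { *family = AF_INET6; return 16; }
    if (inet_pton(AF_INET,  text, out) == 1) { *family = AF_INET;  return 4;  }
    return -1;
}

/* Forward half of the check: look up ptr_name for query_family only and see
 * whether any returned record equals the connecting client address.
 * Returns 1 = confirmed, 0 = not confirmed, -1 = client is not an address.
 * Comparing binary forms makes "2001:db8:0:0:0:0:0:25" equal "2001:db8::25". */
static int forward_confirms(const char *ptr_name, int query_family, const char *client)
{
    unsigned char want[16], got[16];
    int cfam, rfam;
    int clen = parse_addr(client, want, &cfam);

    if (clen < 0)
        return -1;
    for (size_t i = 0; i < sizeof zone / sizeof zone[0]; i++) {
        if (zone[i].family != query_family || strcasecmp(zone[i].name, ptr_name) != 0)
            continue;               /* record type was not asked for, or other name */
        if (parse_addr(zone[i].addr, got, &rfam) == clen && rfam == cfam &&
            memcmp(want, got, (size_t)clen) == 0)
            return 1;
    }
    return 0;                       /* an A-only answer can never match an IPv6 client */
}

int main(void)
{
    const char *client = "2001:db8:0:0:0:0:0:25";   /* constructed IPv6 client */
    printf("AAAA query: %d\n", forward_confirms("mail.example.net", AF_INET6, client));
    printf("A query:    %d\n", forward_confirms("mail.example.net", AF_INET,  client));
    return 0;
}
```

The second call models the behaviour seen in tcpdump: the name does have a matching AAAA record, but because only "A" is requested the client is never confirmed.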
-- Package-specific info:
Output of /usr/share/bug/sendmail-bin/script:
ls -alR /etc/mail:
/etc/mail:
total 336
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 .
drwxr-xr-x 81 root root 4096 May 25 20:02 ..
-rwxr-xr-- 1 root smmsp 10014 May 25 20:06 Makefile
-rw------- 1 root root 4265 May 25 20:06 access
-rw-r----- 1 smmta smmsp 12288 May 25 20:06 access.db
-rw-r--r-- 1 root root 281 Mar 8 00:39 address.resolve
lrwxrwxrwx 1 root smmsp 10 May 25 19:09 aliases -> ../aliases
-rw-r----- 1 smmta smmsp 12288 May 25 20:06 aliases.db
-rw-r--r-- 1 root root 3215 May 25 20:06 databases
-rw-r--r-- 1 root root 5659 Mar 8 00:39 helpfile
-rw-r--r-- 1 root smmsp 31 May 25 19:09 local-host-names
drwxr-sr-x 2 smmta smmsp 4096 May 25 19:09 m4
drwxr-xr-x 2 root root 4096 May 25 19:09 peers
drwxr-xr-x 2 root smmsp 4096 Mar 8 00:39 sasl
-rw-r--r-- 1 root smmsp 64135 May 25 20:06 sendmail.cf
-rw-r--r-- 1 root root 64135 May 25 20:06 sendmail.cf.old
-rw-r--r-- 1 root root 12235 May 25 20:06 sendmail.conf
-rw-r--r-- 1 root smmsp 4048 May 25 20:06 sendmail.mc
-rw-r--r-- 1 root root 148 Mar 8 00:39 service.switch
-rw-r--r-- 1 root root 179 Mar 8 00:39 service.switch-nodns
drwxr-sr-x 2 smmta smmsp 4096 May 25 19:09 smrsh
-rw-r--r-- 1 root smmsp 44601 May 25 20:06 submit.cf
-rw-r--r-- 1 root root 44601 May 25 20:06 submit.cf.old
-rw-r--r-- 1 root smmsp 2375 May 25 20:06 submit.mc
drwxr-xr-x 2 smmta smmsp 4096 May 25 19:09 tls
-rw-r--r-- 1 root smmsp 0 May 25 19:09 trusted-users
/etc/mail/m4:
total 8
drwxr-sr-x 2 smmta smmsp 4096 May 25 19:09 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..
-rw-r----- 1 root smmsp 0 May 25 19:09 dialup.m4
-rw-r----- 1 root smmsp 0 May 25 19:09 provider.m4
/etc/mail/peers:
total 12
drwxr-xr-x 2 root root 4096 May 25 19:09 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..
-rw-r--r-- 1 root root 328 Mar 8 00:39 provider
/etc/mail/sasl:
total 8
drwxr-xr-x 2 root smmsp 4096 Mar 8 00:39 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..
/etc/mail/smrsh:
total 8
drwxr-sr-x 2 smmta smmsp 4096 May 25 19:09 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..
lrwxrwxrwx 1 root smmsp 26 May 25 19:09 mail.local -> /usr/lib/sm.bin/mail.local
lrwxrwxrwx 1 root smmsp 17 May 25 19:09 procmail -> /usr/bin/procmail
/etc/mail/tls:
total 48
drwxr-xr-x 2 smmta smmsp 4096 May 25 19:09 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..
-rw-r--r-- 1 root root 7 May 25 19:09 no_prompt
-rw------- 1 root root 1188 May 25 19:09 sendmail-client.cfg
-rw-r--r-- 1 root smmsp 1265 May 25 19:09 sendmail-client.crt
-rw------- 1 root root 1025 May 25 19:09 sendmail-client.csr
-rw-r----- 1 root smmsp 1675 May 25 19:09 sendmail-common.key
-rw-r----- 1 root smmsp 1650 May 25 19:09 sendmail-common.prm
-rw------- 1 root root 1188 May 25 19:09 sendmail-server.cfg
-rw-r--r-- 1 root smmsp 1265 May 25 19:09 sendmail-server.crt
-rw------- 1 root root 1025 May 25 19:09 sendmail-server.csr
-rwxr--r-- 1 root root 3243 May 25 20:06 starttls.m4
sendmail.conf:
DAEMON_NETMODE="Static";
DAEMON_NETIF="eth0";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10m";
QUEUE_PARMS="";
MSP_MODE="Cron";
MSP_INTERVAL="20m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";
sendmail.mc:
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.15.2-18 2020-03-08 00:39:49 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`access_db', , `skip')dnl
FEATURE(`greet_pause', `1000')dnl 1 seconds
FEATURE(`delay_checks', `friend', `n')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl
submit.mc...
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.15.2-18 2020-03-08 00:39:49 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
FEATURE(`msp', `[127.0.0.1]', `25')dnl
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sendmail-bin depends on:
ii debconf 1.5.74
ii init-system-helpers 1.57
ii libc6 2.30-8
ii libdb5.3 5.3.28+dfsg1-0.6
ii libldap-2.4-2 2.4.50+dfsg-1
ii liblockfile1 1.16-1.1
ii libsasl2-2 2.1.27+dfsg-2
ii libssl1.1 1.1.1g-1
ii libwrap0 7.6.q-30
ii lsb-base 11.1.0
ii procps 2:3.3.16-5
ii sendmail-base 8.15.2-18
ii sendmail-cf 8.15.2-18
sendmail-bin recommends no packages.
Versions of packages sendmail-bin suggests:
ii libsasl2-modules 2.1.27+dfsg-2
ii openssl 1.1.1g-1
pn sasl2-bin <none>
pn sendmail-doc <none>
Versions of packages sensible-mda depends on:
ii libc6 2.30-8
ii procmail 3.22-26
Versions of packages sendmail depends on:
ii sendmail-base 8.15.2-18
ii sendmail-cf 8.15.2-18
ii sensible-mda 8.15.2-18
Versions of packages sendmail suggests:
pn rmail <none>
pn sendmail-doc <none>
-- no debconf information
--- a/debian/configure.ac.orig 2020-03-08 00:39:49.000000000 +0100
+++ b/debian/configure.ac 2020-05-25 17:44:34.527721758 +0200
@@ -1398,14 +1398,27 @@
fi;
fi;
+# sendmail does not use getaddrinfo()
+# if test $sm_have_ipv6 = yes; then
+# AC_CHECK_FUNCS(getaddrinfo,
+# [sm_have_ipv6=yes]
+# ,[sm_have_ipv6=no])
+# if test $sm_have_ipv6 = no; then
+# AC_MSG_ERROR([IPv6 support requires getaddrinfo])
+# fi;
+# fi;
+
+# sendmail supports gethostbyname2()
if test $sm_have_ipv6 = yes; then
- AC_CHECK_FUNCS(getaddrinfo,
+ AC_CHECK_FUNCS(gethostbyname2,
[sm_have_ipv6=yes]
,[sm_have_ipv6=no])
if test $sm_have_ipv6 = no; then
- AC_MSG_ERROR([IPv6 support requires getaddrinfo])
- fi;
+ AC_MSG_ERROR([IPv6 support requires gethostbyname2])
+ else
+ sm_envdef="$sm_envdef -DHAS_GETHOSTBYNAME2=1"
fi;
+ fi;
if test $sm_have_ipv6 = yes; then
v2i 8.10.0;
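Review bot: the block added at the top of the hunk, under "# sendmail does not use getaddrinfo()", keeps the old getaddrinfo check as nine commented-out lines of dead configure code; delete them and keep only the one-line comment, since the removed check is already recorded by the "-" lines here. In the new else branch, a short comment saying that -DHAS_GETHOSTBYNAME2=1 is what selects the gethostbyname2() path in sm_getipnodebyname() in conf.c would explain why the define is appended to sm_envdef. It is also worth deciding whether a missing gethostbyname2 should abort configure through AC_MSG_ERROR, or only leave IPv6 disabled, which the sm_have_ipv6=no result of AC_CHECK_FUNCS already expresses.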