
Bug#961538: /usr/lib/sm.bin/sendmail: IPv6 reverse-then-forward lookup broken, possibly by glibc-2.30.patch



Package: sendmail-bin
Version: 8.15.2-18
Severity: important
File: /usr/lib/sm.bin/sendmail


[ same as https://bugs.launchpad.net/ubuntu/+source/sendmail/+bug/1879738 ]

Dear Maintainer,

since USE_INET6 has been removed in glibc-2.30, sendmail fails to verify
IPv6 client addresses (reverse-then-forward-lookup) and refuses to
accept incoming mail:

    May 20 16:42:50 mx sm-mta[161617]: ruleset=check_relay, arg1=[IPv6:2a04:6c0:0:0:0:0:bad:0], arg2=IPv6:2a04:6c0:0:0:0:0:bad:0, relay=hektik.14v.de [IPv6:2a04:6c0:0:0:0:0:bad:0] (may be forged), reject=451 4.1.8 Possibly forged hostname for IPv6:2a04:6c0:0:0:0:0:bad:0

It seems the patch "glibc-2.30.patch" only fixed the FTBFS problem, but
does not provide any alternative method for IPv6 reverse lookups.

I checked with tcpdump and the forward-part of a
reverse-then-forward-lookup always asks for an "A" record instead of
"AAAA".

There is already some #ifdef in conf.c, function sm_getipnodebyname()
for gethostbyname2().

If I add
  #define HAS_GETHOSTBYNAME2 1
before that, reverse-then-forward lookups for IPv6 do work again as
expected.

Please find the attached patch sendmail-ipv6-gethostbyname2.patch. It
modifies configure.ac, so that it checks availability of
gethostbyname2() and adds -DHAS_GETHOSTBYNAME2=1 to sm_envdef when
found.

Regards
Matthias Ferdinand

-- Package-specific info:
Output of /usr/share/bug/sendmail-bin/script:

ls -alR /etc/mail:
/etc/mail:
total 336
drwxr-sr-x  7 smmta smmsp  4096 May 25 20:06 .
drwxr-xr-x 81 root  root   4096 May 25 20:02 ..
-rwxr-xr--  1 root  smmsp 10014 May 25 20:06 Makefile
-rw-------  1 root  root   4265 May 25 20:06 access
-rw-r-----  1 smmta smmsp 12288 May 25 20:06 access.db
-rw-r--r--  1 root  root    281 Mar  8 00:39 address.resolve
lrwxrwxrwx  1 root  smmsp    10 May 25 19:09 aliases -> ../aliases
-rw-r-----  1 smmta smmsp 12288 May 25 20:06 aliases.db
-rw-r--r--  1 root  root   3215 May 25 20:06 databases
-rw-r--r--  1 root  root   5659 Mar  8 00:39 helpfile
-rw-r--r--  1 root  smmsp    31 May 25 19:09 local-host-names
drwxr-sr-x  2 smmta smmsp  4096 May 25 19:09 m4
drwxr-xr-x  2 root  root   4096 May 25 19:09 peers
drwxr-xr-x  2 root  smmsp  4096 Mar  8 00:39 sasl
-rw-r--r--  1 root  smmsp 64135 May 25 20:06 sendmail.cf
-rw-r--r--  1 root  root  64135 May 25 20:06 sendmail.cf.old
-rw-r--r--  1 root  root  12235 May 25 20:06 sendmail.conf
-rw-r--r--  1 root  smmsp  4048 May 25 20:06 sendmail.mc
-rw-r--r--  1 root  root    148 Mar  8 00:39 service.switch
-rw-r--r--  1 root  root    179 Mar  8 00:39 service.switch-nodns
drwxr-sr-x  2 smmta smmsp  4096 May 25 19:09 smrsh
-rw-r--r--  1 root  smmsp 44601 May 25 20:06 submit.cf
-rw-r--r--  1 root  root  44601 May 25 20:06 submit.cf.old
-rw-r--r--  1 root  smmsp  2375 May 25 20:06 submit.mc
drwxr-xr-x  2 smmta smmsp  4096 May 25 19:09 tls
-rw-r--r--  1 root  smmsp     0 May 25 19:09 trusted-users

/etc/mail/m4:
total 8
drwxr-sr-x 2 smmta smmsp 4096 May 25 19:09 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..
-rw-r----- 1 root  smmsp    0 May 25 19:09 dialup.m4
-rw-r----- 1 root  smmsp    0 May 25 19:09 provider.m4

/etc/mail/peers:
total 12
drwxr-xr-x 2 root  root  4096 May 25 19:09 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..
-rw-r--r-- 1 root  root   328 Mar  8 00:39 provider

/etc/mail/sasl:
total 8
drwxr-xr-x 2 root  smmsp 4096 Mar  8 00:39 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..

/etc/mail/smrsh:
total 8
drwxr-sr-x 2 smmta smmsp 4096 May 25 19:09 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..
lrwxrwxrwx 1 root  smmsp   26 May 25 19:09 mail.local -> /usr/lib/sm.bin/mail.local
lrwxrwxrwx 1 root  smmsp   17 May 25 19:09 procmail -> /usr/bin/procmail

/etc/mail/tls:
total 48
drwxr-xr-x 2 smmta smmsp 4096 May 25 19:09 .
drwxr-sr-x 7 smmta smmsp 4096 May 25 20:06 ..
-rw-r--r-- 1 root  root     7 May 25 19:09 no_prompt
-rw------- 1 root  root  1188 May 25 19:09 sendmail-client.cfg
-rw-r--r-- 1 root  smmsp 1265 May 25 19:09 sendmail-client.crt
-rw------- 1 root  root  1025 May 25 19:09 sendmail-client.csr
-rw-r----- 1 root  smmsp 1675 May 25 19:09 sendmail-common.key
-rw-r----- 1 root  smmsp 1650 May 25 19:09 sendmail-common.prm
-rw------- 1 root  root  1188 May 25 19:09 sendmail-server.cfg
-rw-r--r-- 1 root  smmsp 1265 May 25 19:09 sendmail-server.crt
-rw------- 1 root  root  1025 May 25 19:09 sendmail-server.csr
-rwxr--r-- 1 root  root  3243 May 25 20:06 starttls.m4

sendmail.conf:
DAEMON_NETMODE="Static";
DAEMON_NETIF="eth0";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10m";
QUEUE_PARMS="";
MSP_MODE="Cron";
MSP_INTERVAL="20m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";


sendmail.mc:
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.15.2-18 2020-03-08 00:39:49 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`access_db', , `skip')dnl
FEATURE(`greet_pause', `1000')dnl 1 seconds
FEATURE(`delay_checks', `friend', `n')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl

submit.mc...
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.15.2-18 2020-03-08 00:39:49 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
FEATURE(`msp', `[127.0.0.1]', `25')dnl


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sendmail-bin depends on:
ii  debconf              1.5.74
ii  init-system-helpers  1.57
ii  libc6                2.30-8
ii  libdb5.3             5.3.28+dfsg1-0.6
ii  libldap-2.4-2        2.4.50+dfsg-1
ii  liblockfile1         1.16-1.1
ii  libsasl2-2           2.1.27+dfsg-2
ii  libssl1.1            1.1.1g-1
ii  libwrap0             7.6.q-30
ii  lsb-base             11.1.0
ii  procps               2:3.3.16-5
ii  sendmail-base        8.15.2-18
ii  sendmail-cf          8.15.2-18

sendmail-bin recommends no packages.

Versions of packages sendmail-bin suggests:
ii  libsasl2-modules  2.1.27+dfsg-2
ii  openssl           1.1.1g-1
pn  sasl2-bin         <none>
pn  sendmail-doc      <none>

Versions of packages sensible-mda depends on:
ii  libc6     2.30-8
ii  procmail  3.22-26

Versions of packages sendmail depends on:
ii  sendmail-base  8.15.2-18
ii  sendmail-cf    8.15.2-18
ii  sensible-mda   8.15.2-18

Versions of packages sendmail suggests:
pn  rmail         <none>
pn  sendmail-doc  <none>

-- no debconf information

--- a/debian/configure.ac.orig	2020-03-08 00:39:49.000000000 +0100
+++ b/debian/configure.ac	2020-05-25 17:44:34.527721758 +0200
@@ -1398,14 +1398,27 @@
 			fi;
 		fi;
 
+# sendmail does not use getaddrinfo()
+#	if test $sm_have_ipv6 = yes; then
+#		AC_CHECK_FUNCS(getaddrinfo,
+#			[sm_have_ipv6=yes]
+#			,[sm_have_ipv6=no])
+#		if test $sm_have_ipv6 = no; then
+#			AC_MSG_ERROR([IPv6 support requires getaddrinfo])
+#			fi;
+#		fi;
+
+# sendmail supports gethostbyname2()
 	if test $sm_have_ipv6 = yes; then
-		AC_CHECK_FUNCS(getaddrinfo,
+		AC_CHECK_FUNCS(gethostbyname2,
 			[sm_have_ipv6=yes]
 			,[sm_have_ipv6=no])
 		if test $sm_have_ipv6 = no; then
-			AC_MSG_ERROR([IPv6 support requires getaddrinfo])
-			fi;
+			AC_MSG_ERROR([IPv6 support requires gethostbyname2])
+		else
+			sm_envdef="$sm_envdef -DHAS_GETHOSTBYNAME2=1"
 		fi;
+	fi;
 
 	if test $sm_have_ipv6 = yes; then
 		v2i 8.10.0;
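
Review bot: The superseded getaddrinfo check is kept as nine commented-out lines at the top of the hunk; delete it and keep only a one-line comment saying that sendmail calls gethostbyname2() rather than getaddrinfo(), since the diff itself records what was replaced. In the new block, `[sm_have_ipv6=yes]` in the found branch is a no-op because the test is already guarded by `sm_have_ipv6 = yes`, so the `sm_envdef="$sm_envdef -DHAS_GETHOSTBYNAME2=1"` assignment could go there instead of in a separate `else`. The re-indented `fi;` lines are a whitespace cleanup mixed into a functional change and deserve a mention in the patch header.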

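
The forward half of the reverse-then-forward check described in the report, as an added example (not code from the report or from sendmail): it shows why an A-only forward query can never confirm an IPv6 client. The record table, host names, addresses and the functions `forward_lookup` and `forward_confirms` are hypothetical; the lookup is modelled on gethostbyname2() returning only records of the requested family.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed records standing in for DNS (documentation names and addresses). */
struct rr { const char *name; int family; const char *addr; };
static const struct rr zone[] = {
    { "mail.example.net",   AF_INET,  "192.0.2.25" },
    { "mail.example.net",   AF_INET6, "2001:db8::25" },
    { "v6only.example.net", AF_INET6, "2001:db8::bad:0" },
};

/* Hypothetical resolver: like gethostbyname2(name, family) it returns only
 * records of the requested family (A for AF_INET, AAAA for AF_INET6). */
static int forward_lookup(const char *name, int family,
                          unsigned char out[][16], int max)
{
    int n = 0;
    for (size_t i = 0; i < sizeof zone / sizeof zone[0] && n < max; i++)
        if (zone[i].family == family && strcmp(zone[i].name, name) == 0 &&
            inet_pton(family, zone[i].addr, out[n]) == 1)
            n++;
    return n;
}

/* ptr_name is the name the PTR lookup returned for the client. Returns 1 only
 * if a forward lookup in query_family yields the client's own address. */
int forward_confirms(const char *client, int client_family,
                     const char *ptr_name, int query_family)
{
    unsigned char want[16], got[8][16];
    size_t len = client_family == AF_INET6 ? 16 : 4;
    if (inet_pton(client_family, client, want) != 1)
        return 0;
    int n = forward_lookup(ptr_name, query_family, got, 8);
    for (int i = 0; i < n; i++)   /* binary compare: text form is irrelevant */
        if (query_family == client_family && memcmp(got[i], want, len) == 0)
            return 1;
    return 0;                     /* the "may be forged" outcome */
}

int main(void)
{
    const char *peer = "2001:db8:0:0:0:0:bad:0";   /* constructed IPv6 client */
    printf("AAAA query: %d\n", forward_confirms(peer, AF_INET6, "v6only.example.net", AF_INET6));
    printf("A query:    %d\n", forward_confirms(peer, AF_INET6, "v6only.example.net", AF_INET));
    return 0;
}
```

A dual-stack name fails the same way when only A records are requested, because an IPv4 answer is never compared equal to an IPv6 peer.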