tickets #156502
open
mx1 attempts connections to {discourse01,obsreview,paste}.i.o.o on port 25 over IPv4
Added by crameleon about 1 year ago.
Updated 8 months ago.
Description
The following is repeatedly observed:
Mar 03 17:20:20 asgard1 kernel: [asgard] Forward Dropped: IN=os-mail OUT=nat64 MACSRC=52:54:00:02:76:42 MACDST=d2:e1:4b:98:46:1f MACPROTO=0800 SRC=172.16.131.11 DST=172.16.164.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10313 DF PROTO=TCP SPT=39428 DPT=25 SEQ=3606642437 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT
Mar 03 17:22:19 asgard1 kernel: [asgard] Forward Dropped: IN=os-mail OUT=nat64 MACSRC=52:54:00:02:76:42 MACDST=d2:e1:4b:98:46:1f MACPROTO=0800 SRC=172.16.131.11 DST=172.16.164.163 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=33073 DF PROTO=TCP SPT=51932 DPT=25 SEQ=2072061109 ACK=0 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0 OPT
172.16.131.11 -> mx1.i.o.o (native)
172.16.164.160 -> discourse01.i.o.o (NAT64)
172.16.164.163 -> obsreview.i.o.o (NAT64)
TCP/25 -> SMTP (probably)
SMTP connectivity from mx* to discourse01 is expected, we permitted it in the past - however, it may not happen over IPv4. It needs to use IPv6 connectivity.
SMTP connectivity from mx* to obsreview is not expected, it should preferably be stopped on the source instead of having it run into firewall denials.
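The drop entries quoted in the description can be grouped per flow and matched against the address table and expectations stated there. This is an added example, not part of the ticket or of the project's tooling; the function names, the `POLICY` wording and the shortened sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Address-to-host mapping as given in the ticket description.
HOSTS = {"172.16.131.11": "mx1.i.o.o",
         "172.16.164.160": "discourse01.i.o.o",
         "172.16.164.163": "obsreview.i.o.o"}
# Assessment per destination, paraphrased from the ticket description.
POLICY = {"discourse01.i.o.o": "SMTP expected, but must use IPv6",
          "obsreview.i.o.o": "SMTP not expected, stop at the source"}

# Constructed sample: the ticket's two log lines with some fields removed.
SAMPLE = """\
Mar 03 17:20:20 asgard1 kernel: [asgard] Forward Dropped: IN=os-mail OUT=nat64 SRC=172.16.131.11 DST=172.16.164.160 LEN=60 TTL=63 DF PROTO=TCP SPT=39428 DPT=25 ACK=0 RES=0x00 SYN URGP=0 OPT
Mar 03 17:22:19 asgard1 kernel: [asgard] Forward Dropped: IN=os-mail OUT=nat64 SRC=172.16.131.11 DST=172.16.164.163 LEN=60 TTL=63 DF PROTO=TCP SPT=51932 DPT=25 ACK=0 RES=0x00 CWR ECE SYN URGP=0 OPT
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_drop(line):
    """Return the KEY=value fields of a 'Forward Dropped' line, or None."""
    marker = "Forward Dropped:"
    if marker not in line:
        return None
    body = line.split(marker, 1)[1]
    fields = dict(KV.findall(body))
    # Bare tokens (DF, SYN, ECE, ...) have no '='; keep them as a flag set.
    fields["FLAGS"] = {t for t in body.split() if "=" not in t}
    return fields

def summarize(log_text):
    """Count dropped TCP connection attempts (SYN set, ACK clear) per flow."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_drop(line)
        if not f or f.get("PROTO") != "TCP":
            continue
        if "SYN" not in f["FLAGS"] or "ACK" in f["FLAGS"]:
            continue
        src, dst = (HOSTS.get(f[k], f[k]) for k in ("SRC", "DST"))
        flows[(src, dst, int(f["DPT"]), f.get("OUT", ""))] += 1
    return [(*k, n, POLICY.get(k[1], "unreviewed")) for k, n in sorted(flows.items())]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row, sep=" | ")
```

Destinations missing from `HOSTS` are reported by raw address and marked "unreviewed", which is how a newly appearing target would show up in the summary.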
Related issues
1 (1 open — 0 closed)
- Private changed from Yes to No
- Description updated (diff)
I don't see any issue in $SUBJ, and I believe it is to be expected. mx1 will attempt to connect using ipv6, but will fall back to ipv4 when it does not work:
2024-03-03T00:25:04.172309+00:00 mx1 postfix/smtp[25170]: 2F7BB55FC: host discourse01.infra.opensuse.org[2a07:de40:b27e:1203::b47] said: 451 4.3.5 <noreply@forums.opensuse.org>: Recipient address rejected: Server configuration problem (in reply to RCPT TO command)
2024-03-03T00:25:04.176808+00:00 mx1 postfix/smtp[25169]: 24068575A: host discourse01.infra.opensuse.org[2a07:de40:b27e:1203::b47] said: 451 4.3.5 <a@forums.opensuse.org>: Recipient address rejected: Server configuration problem (in reply to RCPT TO command)
2024-03-03T00:25:04.184583+00:00 mx1 postfix/smtp[25175]: D1BC4579F: host discourse01.infra.opensuse.org[2a07:de40:b27e:1203::b47] said: 451 4.3.5 <noreply@forums.opensuse.org>: Recipient address rejected: Server configuration problem (in reply to RCPT TO command)
Hi,
from the network side, it should work:
mx1 (mx1.o.o):~ # nc -6vz discourse01 25
Connection to discourse01 25 port [tcp/smtp] succeeded!
Then the issue with discourse01 is https://progress.opensuse.org/issues/137999?
crameleon wrote in #note-4:
Hi,
from the network side, it should work:
mx1 (mx1.o.o):~ # nc -6vz discourse01 25
Connection to discourse01 25 port [tcp/smtp] succeeded!
Then the issue with discourse01 is https://progress.opensuse.org/issues/137999?
Yup. Basically a poor mailserver config in need of some TLC. For instance, unknown addresses should receive a permanent reject.
- Is duplicate of tickets #137999: discourse01 - said 451 4.3.5 <zyka@forums.opensuse.org>: Recipient address rejected: Server configuration problem added
OK, got it, so just a side effect.
What about obsreview, why is there a connection in the first place? This one we are not allowing (neither via IPv6, it has never been a requirement).
Noticing to paste.i.o.o as well.
- Subject changed from mx1 attempts connections to {discourse01,obsreview}.i.o.o on port 25 over IPv4 to mx1 attempts connections to {discourse01,obsreview,paste}.i.o.o on port 25 over IPv4
It seems to partially be bounce emails
E69B9796C 3543 Thu Jul 25 02:56:10 MAILER-DAEMON
(delivery temporarily suspended: connect to paste.infra.opensuse.org[2a07:de40:b27e:1203::c2]:25: Permission denied)
paste@paste.infra.opensuse.org
I'm not sure what paste.i.o.o would be sending that would even receive bounces, but maybe those should be re-routed to admin-auto@ somehow?
postcat -q $queueid helps to find out what's going on ;-)
The paste mails/bounces are caused by nuke_bad_patterns.rb running as paste. I added MAILTO=root to the crontab, but maybe adding >/dev/null might make more sense.
One of the forum bounces I checked is more interesting:
<wsch****@ameritech.net>: host al-ip4-mx-vip1.prodigy.net[144.160.235.143]
said: 553 5.3.0 alph732 DNSBL:RBL 521< 195.135.223.51 >_is_blocked.For
assistance forward this error to abuse_rbl@abuse-att.net (in reply to MAIL
FROM command)
So it looks like we ended up on their blacklist, and should ask to get removed.
paste.i.o.o needed two additional changes to finally get mails from the paste user to admin-auto:
- main.cf: mydestination = paste.infra.opensuse.org so that the machine feels responsible for its own mails and applies /etc/aliases (we should probably salt this - makes sense on all VMs)
- master.cf: restored original file from the postfix package (see master.cf_paste for the old, non-working previous file)