tickets #156502
open
mx1 attempts connections to {discourse01,obsreview}.i.o.o on port 25 over IPv4
Added by crameleon 3 months ago.
Updated 3 months ago.
Description
The following is repeatedly observed:
Mar 03 17:20:20 asgard1 kernel: [asgard] Forward Dropped: IN=os-mail OUT=nat64 MACSRC=52:54:00:02:76:42 MACDST=d2:e1:4b:98:46:1f MACPROTO=0800 SRC=172.16.131.11 DST=172.16.164.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10313 DF PROTO=TCP SPT=39428 DPT=25 SEQ=3606642437 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT
Mar 03 17:22:19 asgard1 kernel: [asgard] Forward Dropped: IN=os-mail OUT=nat64 MACSRC=52:54:00:02:76:42 MACDST=d2:e1:4b:98:46:1f MACPROTO=0800 SRC=172.16.131.11 DST=172.16.164.163 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=33073 DF PROTO=TCP SPT=51932 DPT=25 SEQ=2072061109 ACK=0 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0 OPT
172.16.131.11 -> mx1.i.o.o (native)
172.16.164.160 -> discourse01.i.o.o (NAT64)
172.16.164.163 -> obsreview.i.o.o (NAT64)
TCP/25 -> SMTP (probably)
SMTP connectivity from mx* to discourse01 is expected, we permitted it in the past - however, it may not happen over IPv4. It needs to use IPv6 connectivity.
SMTP connectivity from mx* to obsreview is not expected, it should preferably be stopped on the source instead of having it run into firewall denials.
Related issues
1 (1 open — 0 closed)
- Private changed from Yes to No
- Description updated (diff)
I don't see any issue in $SUBJ, and I believe it is to be expected. mx1 will attempt to connect using ipv6, but will fall back to ipv4 when it does not work:
2024-03-03T00:25:04.172309+00:00 mx1 postfix/smtp[25170]: 2F7BB55FC: host discourse01.infra.opensuse.org[2a07:de40:b27e:1203::b47] said: 451 4.3.5 <noreply@forums.opensuse.org>: Recipient address rejected: Server configuration problem (in reply to RCPT TO command)
2024-03-03T00:25:04.176808+00:00 mx1 postfix/smtp[25169]: 24068575A: host discourse01.infra.opensuse.org[2a07:de40:b27e:1203::b47] said: 451 4.3.5 <a@forums.opensuse.org>: Recipient address rejected: Server configuration problem (in reply to RCPT TO command)
2024-03-03T00:25:04.184583+00:00 mx1 postfix/smtp[25175]: D1BC4579F: host discourse01.infra.opensuse.org[2a07:de40:b27e:1203::b47] said: 451 4.3.5 <noreply@forums.opensuse.org>: Recipient address rejected: Server configuration problem (in reply to RCPT TO command)
Hi,
from the network side, it should work:
mx1 (mx1.o.o):~ # nc -6vz discourse01 25
Connection to discourse01 25 port [tcp/smtp] succeeded!
Then the issue with discourse01 is https://progress.opensuse.org/issues/137999?
crameleon wrote in #note-4:
Hi,
from the network side, it should work:
mx1 (mx1.o.o):~ # nc -6vz discourse01 25
Connection to discourse01 25 port [tcp/smtp] succeeded!
Then the issue with discourse01 is https://progress.opensuse.org/issues/137999?
Yup. Basically a poor mailserver config in need of some TLC. For instance, unknown addresses should be receive a permanent eject.
- Is duplicate of tickets #137999: discourse01 - said 451 4.3.5 <zyka@forums.opensuse.org>: Recipient address rejected: Server configuration problem added
OK, got it, so just a side effect.
What about obsreview, why is there a connection in the first place? This one we are not allowing (neither via IPv6, it has never been a requirement).
Also available in: Atom
PDF