Exim IPv6 bug with reverse_host_lookup

Operating System & Version
Linux host.redacted.ofc 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
cPanel & WHM Version
96.0 (build 11)

bellwood

Well-Known Member
PartnerNOC
Sep 25, 2012
47
9
133
New York
cPanel Access Level
DataCenter Provider
Exim: version 4.94.2 #2 built 07-May-2021 10:34:38
cPanel: 96.0 (build 11)
OS: Linux host.redacted.ofc 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Inside the Exim advanced editor, add the following to "custom_begin_connect_post":

Code:
defer !verify = reverse_host_lookup/defer_ok
       log_message = PTR invalid for $sender_host_address
We are seeing IPv6 senders with valid PTR's and matching AAAA's for that host hit the rule:

Code:
2021-06-24 14:29:03 H=[2602:ff1c:1:80::50]:60631 temporarily rejected
connection in "connect" ACL: PTR invalid for 2602:ff1c:1:80::50: host
lookup failed (2602:ff1c:1:80::50 does not match any IP address for
mta4.pr.judicialwatch.org)
On the server however, we get complete A and AAAA:

Code:
host mta4.pr.judicialwatch.org
mta4.pr.judicialwatch.org has address 192.107.243.81
mta4.pr.judicialwatch.org has IPv6 address 2602:ff1c:1:80::50
If you debug it:

Code:
exim -d-all+dns+acl -bh '[2602:ff1c:1:80::50]:60631'

Exim version 4.94.2 uid=0 gid=0 pid=27354 D=24
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning DANE
DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR SPF Experimental_SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch passwd sqlite
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [4.8.2 20140120 (Red Hat 4.8.2-16)]
Library version: Glibc: Compile: 2.17
                         Runtime: 2.17
Library version: BDB: Compile: Berkeley DB 5.3.21: (May 11, 2012)
                       Runtime: Berkeley DB 5.3.21: (May 11, 2012)
Library version: OpenSSL: Compile: OpenSSL 1.0.2k-fips  26 Jan 2017
                           Runtime: OpenSSL 1.0.2k-fips  26 Jan 2017
                                  : built on: reproducible build, date unspecified
Library version: IDN: Compile: 1.28
                       Runtime: 1.28
Library version: spf2: Compile: 1.2.10
                        Runtime: 1.2.10
Library version: PCRE: Compile: 8.32
                        Runtime: 8.32 2012-11-30
Library version: SQLite: Compile: 3.7.17
                          Runtime: 3.32.3
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST: "/etc/exim_trusted_configs"
XDG_SESSION_ID in keep_environment? no (end of list)
HOSTNAME in keep_environment? no (end of list)
TERM in keep_environment? no (end of list)
SHELL in keep_environment? no (end of list)
HISTSIZE in keep_environment? no (end of list)
SSH_CLIENT in keep_environment? no (end of list)
SSH_TTY in keep_environment? no (end of list)
USER in keep_environment? no (end of list)
LS_COLORS in keep_environment? no (end of list)
MAIL in keep_environment? no (end of list)
PATH in keep_environment? no (end of list)
PWD in keep_environment? no (end of list)
EDITOR in keep_environment? no (end of list)
LANG in keep_environment? no (end of list)
PS1 in keep_environment? no (end of list)
HISTCONTROL in keep_environment? no (end of list)
SHLVL in keep_environment? no (end of list)
HOME in keep_environment? no (end of list)
LOGNAME in keep_environment? no (end of list)
VISUAL in keep_environment? no (end of list)
SSH_CONNECTION in keep_environment? no (end of list)
LESSOPEN in keep_environment? no (end of list)
XDG_RUNTIME_DIR in keep_environment? no (end of list)
HISTTIMEFORMAT in keep_environment? no (end of list)
_ in keep_environment? no (end of list)
configuration file is /etc/exim.conf
log selectors = 00001ffe 99805426 00000003
trusted user
admin user


**** SMTP testing session as if from host
2602:ff1c:0001:0080:0000:0000:0000:0050
**** but without any ident (RFC 1413) callback.
**** This is not for real!

host in hosts_connection_nolog? no (option unset)
LOG: smtp_connection MAIN
   SMTP connection from [2602:ff1c:0001:0080:0000:0000:0000:0050]:60631
host in host_lookup? no (option unset)
host in host_reject_connection? no (option unset)
host in sender_unqualified_hosts? no (option unset)
host in recipient_unqualified_hosts? no (option unset)
host in helo_verify_hosts? no (option unset)
host in helo_try_verify_hosts? no (option unset)
host in helo_accept_junk_hosts? yes (matched "*")
using ACL "acl_smtp_connect"

...snip...

looking up host name for 2602:ff1c:0001:0080:0000:0000:0000:0050
DNS lookup of
0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa. (PTR)
succeeded
Reverse DNS security status: unverified
IP address lookup yielded "mta4.pr.judicialwatch.org"
DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
checking addresses for mta4.pr.judicialwatch.org
Forward DNS security status: unverified
   192.107.243.81
no IP address for mta4.pr.judicialwatch.org matched
2602:ff1c:0001:0080:0000:0000:0000:0050
2602:ff1c:0001:0080:0000:0000:0000:0050 does not match any IP address
for mta4.pr.judicialwatch.org

...snip...

defer: condition test succeeded in ACL "acl_smtp_connect"
end of ACL "acl_smtp_connect": DEFER
451 Temporary local problem - please try later
LOG: connection_reject MAIN REJECT
   H=[2602:ff1c:0001:0080:0000:0000:0000:0050]:60631 temporarily
rejected connection in "connect" ACL: PTR invalid for
2602:ff1c:0001:0080:0000:0000:0000:0050: host lookup failed
(2602:ff1c:0001:0080:0000:0000:0000:0050 does not match any IP address
for mta4.pr.judicialwatch.org)
Note that we only see "DNS lookup of mta4.pr.judicialwatch.org (A) succeeded" there is no DNS lookup for the AAAA.

Non-cPanel Exim installations on the same Exim version do not exhibit this issue:

Code:
looking up host name for 2602:ff1c:0001:0080:0000:0000:0000:0050
DNS lookup of 0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa. (PTR) succeeded
Reverse DNS security status: unverified
IP address lookup yielded "mta4.pr.judicialwatch.org"
DNS lookup of mta4.pr.judicialwatch.org (AAAA) succeeded
DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
checking addresses for mta4.pr.judicialwatch.org
Forward DNS security status: unverified
2602:ff1c:1:80::50 OK
Edit: clarified title, spelling
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,923
912
313
cPanel Access Level
Root Administrator
I've been having issues getting a proper testing environment setup to replicate this behavior. Could you submit a ticket to our team so we can do some additional work on this for you? Please let me know the ticket number once you've had a chance to do that so I can follow along on my end.
 
Thread starter Similar threads Forum Replies Date
K Email 14
K Email 14
IndicHosts.net Email 1
kiti Email 1
R Email 2