Internal sendmail problems

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Jan 2 17:41:38 GMT 2008


Mark Blackman wrote:
> 
> On 2 Jan 2008, at 16:40, Mark Blackman wrote:
> 
>>
>> On 2 Jan 2008, at 16:26, Mark Blackman wrote:
>>
>>>
>>> On 2 Jan 2008, at 16:15, O'Connor, Kevin wrote:
>>>
>>>> Mark,
>>>>
>>>> I ran tcpdump as you suggested and I'm seeing lots of the following
>>>>
>>>> 15:53:08.372068 IP (tos 0x0, ttl  64, id 25688, offset 0, flags [none],
>>>> proto: UDP (17), length: 57, bad cksum 0 (->ac3a)!) 10.10.0.4.58007 >
>>>> 10.10.86.10.53: [bad udp cksum 5042!]  46723+ AAAA?exchcluster. (29)
>>>> 15:53:08.372708 IP (tos 0x0, ttl 126, id 7951, offset 0, flags [none],
>>>> proto: UDP (17), length: 57) 10.10.86.10.53 > 10.10.0.4.58007: [udp sum
>>>> ok]  46723 ServFail q: AAAA? exchcluster. 0/0/0 (29)
>>>>
>>>> I have assumed that sendmail on FreeBSD has sendmail's
>>>> WorkAroundBrokenAAAA option but this appears to either not be the case
>>>> or the option fails to resolve the IP6 issue with W2K3 DNS servers.
>>>>
>>>> At this point any and all suggestions (That do not involve removing MS
>>>> DNS and/or Exchange) would be welcome.
>>>
>>> http://zaib.as/node/8
>>>
>>> appears to spell out the issue. I'd suggest rebuilding sendmail
>>> as per..
>>>
>>> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2006-07/msg01020.html
>>>
>>>
>>> *OR*
>>>
>>> use the ports system to replace sendmail with a different MTA,
>>> my personal preference is postfix.
>>>
>>> Possibly, you could rebuild the resolver library with different options
>>> as well. To be honest, I'm surprised this issue still exists over a year
>>> later.
>>>
>>> - Mark
>>
>> There's a line in /etc/mail/sendmail.cf, whose removal may work to fix
>> this case.
>>
>> Try deleting the line with
>>
>> O DaemonPortOptions=Name=IPv6, Family=inet6, Modifiers=O
>>
> 
> In fact, re-reading the config. more carefully, that's the listening
> daemon and that's not the problem. Try *uncommenting* the following line.
> 
> #O ClientPortOptions=Family=inet, Address=0.0.0.0
> 
> That might force sendmail to use just inet instead of attempting inet6
> when sending and avoid the AAAA lookup.
> 
> I hate sendmail anyway, so I've not tested anything. :)

This won't achieve anything I'm afraid.  The problem you have quite
neatly identified is in the DNS resolver: whether sendmail can
communicate traffic over IPv6 or not, you'll still see the same effect
because of the calls to getipnodebyname(3).

The correct solution is to fix the broken DNS server that is
returning ServFail instead of NXDOMAIN on AAAA lookups.  IPv6 RFCs
have been published for about 15 years so it's a sign of very
shoddy resolver software if it can't DTRT as of this late date.

In extreme cases, you could run a local caching nameserver on your
FreeBSD box, and create local zone files to override the incorrect
data.

Finally, instead of solving the problem, you can sweep it under the
carpet by completely stripping out the ability to deal with IPv6 at all.
Do that by defining WITHOUT_INET6 in /etc/src.conf or /etc/make.conf
-- you'll have to rebuild world and kernel, and quite possibly you'll
also need to add the ports knob 'WITHOUT_IPV6' and recompile affected
ports too.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
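An added example, not part of the original message: it decodes the response code of an AAAA reply, so the difference between a ServFail and a negative answer discussed above can be checked against a particular DNS server. The function names, the default query id in `probe` and the sample replies are assumptions constructed here; the sample reuses the id and name shown in the tcpdump output.

```python
import socket
import struct

QTYPE_AAAA = 28
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(qid, name, qtype=QTYPE_AAAA):
    """Encode a single-question query with RD set (the '+' in tcpdump's output)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def classify(reply, qid):
    """Return (rcode_name, answer_count, verdict) for a reply to query `qid`."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", reply[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    if rcode == "NXDOMAIN" or (rcode == "NOERROR" and an == 0):
        verdict = "definitive negative answer"
    elif rcode == "NOERROR":
        verdict = "AAAA records returned"
    else:
        verdict = "server-side failure, not a negative answer"
    return rcode, an, verdict

def probe(server, name, qid=0x1234, timeout=3.0):
    """Send one AAAA query over UDP to `server` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qid, name), (server, 53))
        return classify(s.recv(512), qid)

def constructed_reply(qid, name, rcode):
    """Sample reply built here: QR+RD+RA set, question echoed, counts 0/0/0."""
    return struct.pack("!6H", qid, 0x8180 | rcode, 1, 0, 0, 0) + build_query(qid, name)[12:]

if __name__ == "__main__":
    # Constructed sample with the id, name and rcode of the ServFail packet in the capture.
    servfail = constructed_reply(46723, "exchcluster.", 2)
    print(len(servfail), classify(servfail, 46723))
    print(classify(constructed_reply(46723, "exchcluster.", 3), 46723))
```

For a live check, call `probe()` with the address of the DNS server in question and the name sendmail is looking up.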
