IPv6 support for tcpserver and rblsmtpd

August 7th, 2009

This post is part of a series of posts dedicated to IPv6 support for qmail:

ucspi-tcp

The ucspi-tcp package provides the tcpserver and rblsmtpd programs. tcpserver accepts incoming TCP connections and passes them to another program such as qmail-smtpd. rblsmtpd blocks connections from RBL-listed IPs.

Thanks to Fefe, a patch has been around for a while that adds IPv6 support to tcpserver. Fefe’s patch does not touch rblsmtpd, however.

I’ve modified Fefe’s patch to patch rblsmtpd as well. You can easily apply my ucspi-tcp-0.88-ipv6.patch:

$ wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
$ wget http://www.bltweb.net/qmail/ucspi-tcp-0.88-ipv6.patch
$ tar -xzf ucspi-tcp-0.88.tar.gz
$ cd ucspi-tcp-0.88
$ patch -p1 < ../ucspi-tcp-0.88-ipv6.patch
$ make
$ sudo make install

tcpserver

To understand what the tcpserver portion of the IPv6 patch does, you should read Fefe’s ucspi-tcp page. Essentially, if a client connects via IPv4, tcpserver exhibits its normal behavior. If a client connects with IPv6, the PROTO environment variable will be set to "TCP6".

The patch also supports using IPv6 addresses in your tcprules files. A new rule may look like this:

# Ignore RBL lookups for home server
2001:470:1f0f:350::1:allow:RBLSMTPD=""

After applying this patch, you may notice that your logs are filled with addresses similar to ::ffff:192.168.1.1. This is because tcpserver internally treats every IP as an IPv6 address, so IPv4 addresses are represented by their IPv4-mapped address.

rblsmtpd

When patching rblsmtpd for IPv6 support, I had to decide how to look up IPv6 addresses. As far as I know, there aren’t any IPv6 blacklists yet. There isn’t a spec on how these addresses should be queried. My patch will use a new namespace, ipv6, when querying RBLs as described here. This means if you connect via 2001:470:1f0f:350::1, a TXT DNS lookup will be made to:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.3.0.f.0.f.1.0.7.4.0.1.0.0.2.ipv6.rbl.example.org

If anyone knows of a working RBL that differs, please let me know.
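The query-name construction described above, as an added example (this is not code from the patch or from ucspi-tcp). The function name rbl_query_name is hypothetical, and looking up IPv4-mapped addresses such as ::ffff:192.168.1.1 in the classic reversed-octet IPv4 form is an assumption, not something the post states about the patch:

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Build the DNS name to query for `ip` under `zone` (hypothetical helper).
 * IPv6: 32 reversed nibbles, then ".ipv6." and the zone, as in the post.
 * IPv4 or IPv4-mapped (::ffff:a.b.c.d): d.c.b.a.zone. This is an assumption:
 * the post does not say how the patch queries mapped addresses.
 * Returns 0 on success, -1 on an unparsable address or a short buffer. */
int rbl_query_name(const char *ip, const char *zone, char *out, size_t outlen)
{
    static const unsigned char mapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    static const char hex[] = "0123456789abcdef";
    unsigned char a[16];
    struct in_addr v4;
    char *p = out;
    int n;

    if (inet_pton(AF_INET, ip, &v4) == 1) {          /* plain dotted quad */
        memcpy(a, mapped, 12);
        memcpy(a + 12, &v4, 4);
    } else if (inet_pton(AF_INET6, ip, a) != 1) {
        return -1;
    }
    if (memcmp(a, mapped, 12) == 0) {                /* IPv4 or IPv4-mapped */
        n = snprintf(out, outlen, "%d.%d.%d.%d.%s", a[15], a[14], a[13], a[12], zone);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    /* 32 nibbles of two chars each ("x."), "ipv6.", the zone, and the NUL */
    if (outlen < 64 + 5 + strlen(zone) + 1) return -1;
    for (int i = 15; i >= 0; i--) {                  /* last byte first */
        *p++ = hex[a[i] & 0x0f]; *p++ = '.';         /* low nibble, then high */
        *p++ = hex[a[i] >> 4];   *p++ = '.';
    }
    memcpy(p, "ipv6.", 5);
    strcpy(p + 5, zone);
    return 0;
}

int main(void)
{
    char name[256];
    const char *samples[] = {"2001:470:1f0f:350::1", "::ffff:192.168.1.1", "192.168.1.1"}; /* constructed */
    for (int i = 0; i < 3; i++)
        if (rbl_query_name(samples[i], "rbl.example.org", name, sizeof name) == 0)
            printf("%-22s -> %s\n", samples[i], name);
    return 0;
}
```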

Summary

If you have any comments, corrections, or questions, please feel free to leave a comment below. Remember, Gentoo users can apply all of my qmail patches automatically by using the ebuilds in my gentoo-overlay.

Once you’ve patched tcpserver, you should move on to patching ucspi-ssl (sslserver) for IPv6.

Brandon Server Admin ,