Hi Leo,

> On 11.01.2022 at 19:10, Leo Unglaub <[email protected]> wrote:
>
> Hey friends,
> I am running OpenBSD 7.0 with all patches applied. Some weeks ago I noticed a
> very strange issue with my OpenSMTPd instance. People are unable to use TLS
> when connecting via IPv6. This is not just my observation, some people on
> misc@ told me so as well.
>
> I talked to gilles@ in private and he could confirm the issue, but he thinks
> it's not related to OpenSMTPd itself and might even be an OpenBSD (LibreSSL)
> issue itself. gilles@ told me to post this to the ML because it might be a
> little bit more complicated.
>
> Here are some basics from the system. I am using the real hostname and IP
> addresses so everyone can look at the problem directly.
>
> The server is configured to use both IPv4 and IPv6:
>
>> $ cat /etc/hostname.vio0
>> inet 116.202.103.165 255.255.255.255
>> inet6 2a01:4f8:c010:3301::dead:beef 64 -soii
>> !route add -inet 172.31.1.1 -llinfo -link -static -iface vio0
>> !route add -inet default 172.31.1.1
>
> I confirmed it via ifconfig:
>
>> $ ifconfig vio0
>> vio0: flags=408843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,INET6_NOSOII> mtu 1500
>>         lladdr 96:00:00:31:1f:b5
>>         index 1 priority 0 llprio 3
>>         groups: egress
>>         media: Ethernet autoselect
>>         status: active
>>         inet 116.202.103.165 netmask 0xffffffff
>>         inet6 fe80::9400:ff:fe31:1fb5%vio0 prefixlen 64 scopeid 0x1
>>         inet6 2a01:4f8:c010:3301::dead:beef prefixlen 64
>
> I also can use ping and ping6 to reach other servers and the server can be
> reached over IPv4 and IPv6. So this seems to work.

You can test the SSL connection (from a host that supports OpenSSL and IPv6) as follows:

$ openssl s_client -connect [2a01:4f8:c010:3301::dead:beef]:25 -starttls smtp </dev/null
###$ openssl s_client -connect [2a01:4f8:c010:3301::dead:beef]:465 </dev/null
$ openssl s_client -connect [2a01:4f8:c010:3301::dead:beef]:587 -starttls smtp </dev/null

Port 465 (submissions) seems to be closed on your server, which is fine.

And for client mail access:

$ openssl s_client -connect [2a01:4f8:c010:3301::dead:beef]:110 -starttls pop3 </dev/null
$ openssl s_client -connect [2a01:4f8:c010:3301::dead:beef]:143 -starttls imap </dev/null
$ openssl s_client -connect [2a01:4f8:c010:3301::dead:beef]:993 </dev/null
$ openssl s_client -connect [2a01:4f8:c010:3301::dead:beef]:995 </dev/null

Compare the results to the same queries targeting 116.202.103.165.

At first glance I would say it's working fine. hardenize.com seems to agree:

https://www.hardenize.com/report/storm-peaks.northrend.azeroth.wow-data.net/1641931125

HTH
Mike

