Postfix with IPv6 and TLS

Dean Strik <dean@ipnet6.org>

Current version: patch 1.26 for Postfix releases 2.0.20 and 2.1.5.

NEWS: TLS and IPv6 support are incorporated in Postfix snapshot 2.2-20050117. No new 2.2-snapshot patches will be released.

• Introduction and history
• Disclaimer
• Supported platforms
• Latest version
• Installation and configuration
• ChangeLog
• Downloads
• RPMs and other packages
• Mailing lists
• Open issues and todo items
• Reporting bugs

Introduction and history

Even though the Postfix mail system is great, there is a number of features not implemented by the official source code. This includes, for example the possibility of encrypting sessions and authentication using TLS (Transport Layer Security, a version of SSL). Another feature not included in the official source, is IPv6: the next generation of the internet addressing protocol.

Patches to support these (and other features) have been written by others. The author of the great TLS patch is Lutz Jänicke.

In January 2005, the first Postfix 2.2 snapshot with IPv6 support was released. This snapshot incorporateds Dean Strik's IPv6 patch and Lutz Jänicke's TLS patch, both revised by Wietse Venema, author of Postfix.

Back to the IPv6 patch history. The original IPv6 patch was written by Mark Huizer, and then substantially improved by Jun-ichiro 'itojun' Hagino. Since then, we speak of the KAME patch. Unfortunately, the KAME patch was written for KAME/KAME-merged systems. So later on, it was ported to other stacks (notably USAGI) by people of the PLD Linux Distribution PLD. We speak of the PLD patch. A very important feature of the PLD patch was that it can work with Lutz' TLS patch.

Unfortunately, the KAME patch was not kept uptodate with newer Postfix versions. Several people have modified the patch so it would still compile with the later versions, but in many cases the patches were bug-ridden and did not add IPv6 support for newer features of Postfix.

Major changes to network address storage in Postfix were not integrated well. Until version 1.9 of my own derivation (see below), there was no support for IPv6 netmasks/prefixlengths, sometimes causing Postfix to be an open IPv6 relay.

When also the PLD patch wasn't kept uptodate enough for my liking, and several bugs were not addressed because they did not occur with the official PLD distribution, I decided to split off my own version of the patch. This patch would have several goals, not all of which are currently realized:

• For both branches - Since Postfix 2.0, the patch works for both official releases and snapshots. Before 2.0, only snapshots were supported.
• Bugs fixed - Active maintainership and fixing of bugs, both old and new. Quite a few bugs have been fixed, including severe relaying holes.
• New features - Later additions to Postfix are ported to IPv6 as well. The LMTP client, the QMQP server and several other subsystems now support IPv6.
• Uptodate - Patches are provided for new Postfix releases and snapshots within a few days.
• Portability - The patch is not restricted to KAME or USAGI systems. The patch currently works on a variety of IPv6-enabled operating systems, including *BSD, Linux, Solaris and Tru64Unix.
• Choice of TLS inclusion - TLS is often not needed; packagers and users alike may have the choice. Two separate versions are therefore availabe: with and without TLS support.

Now that IPv6 and TLS support have been included into an official Postfix 2.2 snapshot, this patch is close to the end of it's life, with the code part of the Postfix releases. Patches will however still be available for Postfix 2.1.x and, for a while, 2.0.x.

Disclaimer

This software is provided "as-is". You are using it at your own risk. I will take no liability in any case.

Supported platforms

Currently, the following platforms are supported by the patch. Of course, it is required that IPv6 is supported by your kernel and system libraries.

• FreeBSD 4.x and 5.x
• OpenBSD 2.x and 3.x
• NetBSD 1.5 and up
• Solaris 8 and up
• Linux 2.x and up
• Darwin 7.3 and up (new!)
• HP/Compaq Tru64Unix V5.1 and up

Postfix may not work correctly on older versions of these operating systems. If you managed to get things working on another operating system, please let me know. Also, if you find any problems related to the IPv6 patch on one of the above platforms, please mail me a bug report. (Note: Postfix 2.2 snapshots with IPv6 also support IBM's AIX version 5.1 and up).

Latest version

The latest version of the patch is 1.26. The patch is distributed for both Postfix releases and Postfix snapshots. TLS+IPv6 combo patches are available as well as IPv6-only versions. TLS-only patches can be downloaded from Lutz J&aum;nicke's Postfix/TLS page.

Installation and configuration

The patch is distributed as a gzipped context diff (versions older than 1.16a used universal diff, but this was changed due to unidiff limitations).

We assume Postfix is already extracted, to the directory postfix-2.1.5.

1. Decompress the patch:
   $ gunzip tls+ipv6-1.26-pf-2.1.5.patch.gz
2. Change directory to the postfix source directory:
   $ cd postfix-2.1.5
3. Apply the patch:
   $ patch -s -p 1 < ../tls+ipv6-1.26-pf-2.1.5.patch
4. Build Postfix. The IPv6 patch does not require additional environment variables or arguments to 'make'. To enable TLS, add the flag -DHAS_SSL to the CCARGS make variable. See the TLS documentation for more information.

In theory, no special post-installation configuration of Postfix is required, although you may want to extend the value of the 'mynetworks' parameter to include the IPv6 networks the system is in. Also you can restrict Postfix to use IPv6-only or IPv4-only by changing the 'inet_interfaces' parameter. The main.cf parameters regarding IPv6 are documented in the file sample.ipv6 in the samples/ directory.

ChangeLog

Here is a list of the most recent changes to the patch. The full ChangeLog can be found here.

Changes in 1.26

• Bugfix: Incomplete error checking in getaddrinfo() could cause lmtpd to crash with debug_peer_list defined. Carsten Hoeger, SuSE.
  File: util/match_ops.c
• Linux workaround: When mynetworks isn't set, a chrooted process could not read the IPv6 address information from /proc. We now invoke own_inet_addr() before chrooting, while processing main.cf. [backported from 2.2-nonprod snapshot]
  File: global/mail_params.c
• Safety: when IPv6 netmask can't be determined, mynetworks is not set and mynetworks_style = subnet, assume /128 (host only). Until now, Tru64Unix assumed /64 (good for real subnets, but not safe for tunnel ranges etc.).
  File: util/inet_addr_local.c

Changes in 1.25

• Bugfix: Misplaced myfree() caused a small memory leak. Reported by Christian von Roques.
  File: util/match_ops.c
• Removed the colon (:) from the characters XFORWARD replaces by a question mark (IPv6 addresses looked like 2001?610?1108?5010?1 in logging). Reported by Philipp Morger.
  File: smtpd/smtpd.c

Changes in 1.24

• Bugfix: Prefixlen non-null host portion validation (in CIDR maps for example) yielded incorrect results sometimes because signed arithmetic was used instad of unsigned.
  File: util/match_ops.c
• Patch correction: The TLS+IPv6 patch for Postfix 2.1.0 missed the master.cf update (used for new installattions). Added it back.

Changes in 1.23

• Patch fixes: Several code fixes to make the patch compile and work correctly when compiled without IPv6 support.
• Bugfix (Solaris only?): address family length was not updated which could cause client hostname validation errors.
  File: smtpd/smtpd_peer.c
• Portability: added support for Darwin 7.3+. This may need some further testing.
• Cleanup: Restructure and redocument interface address retrieval functions. (This reduced the number of preprocessor statements from 99 to 93 ;)
  File: util/inet_addr_local.c
• Cleanup: make several explicit casts to have compilers shut their pie holes about uninteresting things.

For older versions, see the full ChangeLog.

Downloads

Downloads of the patches are available by HTTP and FTP. Old versions can be found in the FTP tree only.

For ease of download, Postfix tarballs can be downloaded along with the patches.

Current version: 1.26

Previous versions

Version 1.25 download overview (FTP and HTTP links).

Version 1.24 download overview (FTP and HTTP links).

Version 1.23 download overview (FTP and HTTP links).

Version 1.22 download overview (FTP and HTTP links).

Version 1.21/1.21a download overview (FTP and HTTP links).

Version 1.20 download overview (FTP and HTTP links).

Version 1.19: this version was soon replaced with version 1.20 to fix a bug introduced in 1.19 (see ChangeLog).

Version 1.18/1.18a/1.18b download overview (FTP and HTTP links).

Version 1.17 download overview (FTP and HTTP links).

Version 1.16: this version was soon replaced with version 1.17 as 1.16 introduced a bug that could possibly result in memory corruption in arbitrary places. Please no not use 1.16 but use 1.17 or newer instead.

Version 1.15 download overview (FTP and HTTP links).

Version 1.14 download overview (FTP and HTTP links).

For older versions, please look at the FTP site.

RPMs and other packages

Tuomo Soini provides source RPMs of Postfix with IPv6 support. You can find his Postfix RPM page here.

IPv6 support is also available as an option in Simon J Mudd's Postfix Source RPMs, also available via FTP.

I would be interested in linking to other RPMs and packages.

Miscellaneous

Dr. Peter Bieringer provides a version of his patch for simple SMTP authentication linked against TLS+IPv6 for Postfix releases.

Mailing lists

The Postfix-IPv6 and Postfix-IPv6-announce lists have been terminated. For questions and discussions, you can use the postfix-users mailing list (see the Postfix website).

Open issues and todo items

The patch comes with an IPv6-ChangeLog file. Please always validate whether you have the latest version. You can always download the latest ChangeLog at

ftp://ftp.stack.nl/pub/postfix/tls+ipv6/current/IPv6-ChangeLog
http://www.ipnet6.org/postfix/IPv6-ChangeLog

The following 'issues' and todo items are known (none critical):

• The 'smtp_host_lookup' parameter is not effective with IPv6. This is because a different lookup mechanism is used that cannot easily disable the 'local' (i.e., non-DNS) lookups. Whether local files or the DNS are used first, is determined by your operating system, e.g. in /etc/nsswitch.conf or /etc/host.conf.
• The order of IPv6/IPv4 outgoing connection attempts is not yet configurable. This will be configurable in a later, soon to be released version. Currently, IPv6 is tried before IPv4.
• No IPv6 open relay checks. Since there is no IPv6 RBL service around at the moment (I'm considering setting one up but it's not a very hot issue), no lookups for IPv6 clients are ever done. Let's not have a lot of worthless DNS traffic. Of course, when this gets implemented, IPv6 client lookups will only be made to DNSBLs that support these.
• On Tru64Unix, when using 'mynetwork_style = subnet' (or: class), all prefixlengths are set to 128 (host-only) because we cannot determine the prefixlengths automatically.