diff --git a/changes/bug20165 b/changes/bug20165
new file mode 100644
index 00000000000..26da8b61cb7
--- /dev/null
+++ b/changes/bug20165
@@ -0,0 +1,5 @@
+ o Minor bugfixes (self-testing):
+ - Relays now only mark their OR ports as reachable when they get
+ a circuit on an incoming connection _to the right address_. Previously,
+ any incoming connection would make the port count as reachable.
+ Fixes bug 20165; bugfix on 0.1.0.1-rc.
diff --git a/src/core/or/channeltls.c b/src/core/or/channeltls.c
index f874e399464..1d167d9711f 100644
--- a/src/core/or/channeltls.c
+++ b/src/core/or/channeltls.c
@@ -1761,10 +1761,18 @@ channel_tls_process_netinfo_cell(cell_t *cell, channel_tls_t *chan)
 * This is actually never going to happen, since my_addr_len is at most 255,
 * and CELL_PAYLOAD_LEN - 6 is 503. So we know that cp is < end. */
+ /* We should find out if we're canonical to our peer, so we know if we
+ * were extended (or if we extended ourselves) using the right address.
+ *
+ * Clients have no IDs and are never canonical. Bridges can be canonical on
+ * incomin connections, but never on outgoing connections. */
+ const bool may_be_canonical_to_peer = me &&
+ (!get_options()->BridgeRelay || !started_here);
+
 if (my_addr_type == RESOLVED_TYPE_IPV4 && my_addr_len == 4) {
 tor_addr_from_ipv4n(&my_apparent_addr, get_uint32(my_addr_ptr));
- if (!get_options()->BridgeRelay && me &&
+ if (may_be_canonical_to_peer &&
 get_uint32(my_addr_ptr) == htonl(me->addr)) {
 TLS_CHAN_TO_BASE(chan)->is_canonical_to_peer = 1;
 }
@@ -1772,7 +1780,7 @@ channel_tls_process_netinfo_cell(cell_t *cell, channel_tls_t *chan)
 } else if (my_addr_type == RESOLVED_TYPE_IPV6 && my_addr_len == 16) {
 tor_addr_from_ipv6_bytes(&my_apparent_addr, (const char *) my_addr_ptr);
- if (!get_options()->BridgeRelay && me &&
+ if (may_be_canonical_to_peer &&
 !tor_addr_is_null(&me->ipv6_addr) &&
 tor_addr_eq(&my_apparent_addr, &me->ipv6_addr)) {
 TLS_CHAN_TO_BASE(chan)->is_canonical_to_peer = 1;
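Review bot: The IPv4 branch in the first channeltls.c hunk sets is_canonical_to_peer whenever the peer-reported address equals `me->addr` with no guard against `me->addr` being unset, whereas the IPv6 branch in the second hunk checks `!tor_addr_is_null(&me->ipv6_addr)` first; if this code can run with `me->addr == 0` (I cannot tell from the hunk whether the routerinfo always carries a non-zero IPv4 address), a NETINFO cell claiming 0.0.0.0 would mark the channel canonical. Since this flag now gates the reachability self-test in circuitbuild.c, adding the symmetric guard `me->addr != 0 &&` ahead of the IPv4 comparison keeps the two branches consistent. The new comment has a typo, `incomin connections` should read `incoming connections`, and it would help to state where the compared address comes from, e.g. `/* my_addr_ptr is the address our peer says it reached us on, taken from its NETINFO cell; it is peer-supplied, so this flag is a hint, not proof. */`. The enclosing channel_tls_process_netinfo_cell starts before the hunk, so `me` and `started_here` are declared outside it.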
diff --git a/src/core/or/circuitbuild.c b/src/core/or/circuitbuild.c
index f3a5791d6c4..c716efc51eb 100644
--- a/src/core/or/circuitbuild.c
+++ b/src/core/or/circuitbuild.c
@@ -1514,7 +1514,8 @@ onionskin_answer(or_circuit_t *circ,
 * TestingTorNetwork sets ExtendAllowPrivateAddresses. */
 if ((!channel_is_local(circ->p_chan) ||
 get_options()->ExtendAllowPrivateAddresses)
- && !channel_is_outgoing(circ->p_chan)) {
+ && !channel_is_outgoing(circ->p_chan)
+ && circ->p_chan->is_canonical_to_peer) {
 /* record that we could process create cells from a non-local conn
 * that we didn't initiate; presumably this means that create cells
 * can reach us too. */
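Review bot: The comment following the new condition is now stale: it still says only that the relay processed a create cell on a non-local connection it did not initiate, but the added `&& circ->p_chan->is_canonical_to_peer` also requires that the peer reported reaching us at our advertised address, which is the substance of the fix. I would extend it to `/* record that we could process create cells from a non-local conn that we didn't initiate, and that the peer reported connecting to our advertised address (is_canonical_to_peer, from its NETINFO cell); presumably this means that create cells can reach us too. */`. is_canonical_to_peer is set for an IPv6 match as well as an IPv4 match, so if the code after this comment (outside the hunk) marks only the IPv4 ORPort reachable, an incoming connection to the advertised IPv6 address would count as evidence for the IPv4 port; worth confirming that is intended. Because the flag is derived from the peer's own NETINFO claim, this remains a self-test hint rather than a proof of reachability, and the comment could say so. The body of onionskin_answer continues outside the hunk.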