'Re: Google rejecting IPv6 mails'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       postfix-users
Subject:    Re: Google rejecting IPv6 mails
From:       Erinn Looney-Triggs <erinn.looneytriggs () gmail ! com>
Date:       2013-10-08 15:00:50
Message-ID: 52541E22.604 () gmail ! com
[Download RAW message or body]


On 10/8/2013 6:26 AM, Wietse Venema wrote:
> Wietse Venema:
>> postfix:
>>> Mail from our system wasn't accepted oftentimes by Google either.
>>> I discovered the following solution: Our mail server has got two IPv6 
>>> addresses in the open Internet, one is specific, the other one 
>>> automatically created. The first one was in the DNS, the second one not. 
>>> I noticed that many times messages where sent using the automatically 
>>> generated IPv6 address, which were the mails Google rejected. Since I 
>>> introduced the automatically generated IPv6 address into the DNS, Google 
>>> accepts all mail from our server.
>>
>> Solutions other than turning off IPv6 autoconfiguration on servers:
> 
> That remains my preferred solution, but it may not be possible if
> you don't control the infrastructure.
> 
>> - Specify all Postfix IP addresses in main.cf:inet_interfaces.
>>
>>    /etc/postfix/main.cf:
>>        inet_interfaces = 1.2.3.4 127.0.0.1 1:2:3:4:5:6:7:8 ::1
> 
> That example is wrong. inet_interfaces does not restrict the SMTP
> client IP address when there more than one.
> 
>> - Specify the Postfix IPv6 address in master.cf:
>>
>>    /etc/postfix/master.cf:
>>        relay ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
>>        smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
> 
> That example is good. It uses master.cf instead of main.cf, to avoid
> conflicts with content filters.
> 
> 	Wietse
> 

This sounds an awful lot like privacy extensions are enabled for the
interface. If you disable privacy extensions, even with stateless
autoconfiguration enabled, the address should be the same unless the MAC
changes on the nic. Since this is a server privacy extensions should be
disabled.

cat /proc/sys/net/ipv6/conf/eth0/use_tempaddr

use_tempaddr - INTEGER
        Preference for Privacy Extensions (RFC3041).
          <= 0 : disable Privacy Extensions
          == 1 : enable Privacy Extensions, but prefer public
                 addresses over temporary addresses.
          >  1 : enable Privacy Extensions and prefer temporary
                 addresses over public addresses.
        Default:  0 (for most devices)
                 -1 (for point-to-point devices and loopback devices)

-Erinn



["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic