PGNet Dev
2021-Apr-04 00:03 UTC
How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?
my server is a linux, dual-stack IPv4/IPv6 host

it runs multiple services, including, but not limited to, postfix & dovecot

the hostname is

    internal.mx.example.com

its DNS config,

    host internal.mx.example.com
        internal.mx.example.com has address 10.1.1.15
        internal.mx.example.com has IPv6 address fd80:10:1::15
        internal.mx.example.com mail is handled by 5 internal.mx.example.com.

here, for dovecot

    dovecot --version
        2.3.13 (89f716dc2)

submission is configured to relay to the same-host postfix instance, listening @ port 465

    ./conf.d/10-master.conf
        ...
        protocols = imap submission lmtp sieve
        ...
        submission_relay_host       = internal.mx.example.com
        submission_relay_port       = 465
        submission_relay_ssl        = smtps
        submission_relay_ssl_verify = yes
        submission_relay_trusted    = yes

whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,

    postconf inet_protocols
        inet_protocols = ipv4

and, as intended, simply refuses ipv6 connections

    telnet 10.1.1.15 465
        Trying 10.1.1.15...
        Connected to 10.1.1.15.
        Escape character is '^]'.
        ^]
        telnet> quit
        Connection closed.

    telnet -6 fd80:10:1::15 465
        Trying fd80:10:1::15...
        telnet: connect to address fd80:10:1::15: Connection refused

on each/every mail submit -- via dovecot -- dovecot makes the connection

    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Server accepted connection (fd=7)
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Connection created
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connection created
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Disconnected

looks up IP address

    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Looking up IP address
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Performing asynchronous DNS lookup
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Sent: 235 2.7.0 Logged in.

finds BOTH IPs -- IPv4 & IPv6

    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs

then first tries to connect via the host's IPv6 address,

    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Waiting for connect (fd=8) to finish for max 0 msecs

############
 FAILS
############

    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)

then proceeds to connect to the host's IPv4 address

    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connecting
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Waiting for connect (fd=11) to finish for max 0 msecs
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Starting SSL handshake
    2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: SSL handshake successful
    ...

and submission continues/completes

I need to get Dovecot to stop trying/failing @ those IPv6 address submission connections.

Either by

    (1) trying IPv4 *first*, before IPv6, to avoid the FAIL on submission

or

    (2) turning off submission relay by IPv6 altogether, as I'll never use it

What's the config required to do either/both?
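
Added example, not part of the original post: a Python script that scans Dovecot submission debug output in the format quoted above and reports each session whose relay connect failed on IPv6 before succeeding on IPv4. The first two sample lines are taken from the post; the second session and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Two lines from the post, plus one constructed session that connects over IPv4 directly.
SAMPLE_LOG = """\
2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
2021-04-03 19:36:02 submission(mailer at mx.example.com)<constructed-session-2>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=9)
"""

# Only the connect-outcome lines matter; the parenthesised peer is the address just tried.
LINE = re.compile(
    r"<(?P<session>[^>]+)>: Debug: smtp-client: conn \S+ "
    r"\((?P<peer>[^)]+)\) \[\d+\]: (?P<msg>Client connect(?:ed|ion failed))"
)

def peer_ip(peer):
    """Turn '[fd80::1]:465' or '10.0.0.1:465' into an ipaddress object."""
    host = peer[1:peer.index("]")] if peer.startswith("[") else peer.rsplit(":", 1)[0]
    return ipaddress.ip_address(host)

def relay_attempts(log_text):
    """Map session id -> ordered list of (ip, ip_version, 'ok' | 'failed')."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ip = peer_ip(m["peer"])
        outcome = "ok" if m["msg"] == "Client connected" else "failed"
        attempts[m["session"]].append((str(ip), ip.version, outcome))
    return dict(attempts)

def ipv6_fallbacks(log_text):
    """Return (session, failed_v6_ip, ok_v4_ip) where IPv6 failed before IPv4 succeeded."""
    hits = []
    for session, tries in relay_attempts(log_text).items():
        failed_v6 = None
        for ip, version, outcome in tries:
            if version == 6 and outcome == "failed" and failed_v6 is None:
                failed_v6 = ip
            elif version == 4 and outcome == "ok" and failed_v6:
                hits.append((session, failed_v6, ip))
                break
    return hits

if __name__ == "__main__":
    for session, v6, v4 in ipv6_fallbacks(SAMPLE_LOG):
        print(f"session {session}: IPv6 {v6} refused, fell back to IPv4 {v4}")
```
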
PGNet Dev
2021-Apr-08 11:45 UTC
How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?
How do you turn OFF, or reduce priority of, IPv6 connect attempts by submission relay?

On 4/3/21 8:03 PM, PGNet Dev wrote:
> my server is a linux, dual-stack IPv4/IPv6 host
>
> it runs multiple services, including, but not limited to, postfix & dovecot
>
> the hostname is
>
>     internal.mx.example.com
>
> its DNS config,
>
>     host internal.mx.example.com
>         internal.mx.example.com has address 10.1.1.15
>         internal.mx.example.com has IPv6 address fd80:10:1::15
>         internal.mx.example.com mail is handled by 5 internal.mx.example.com.
>
> here, for dovecot
>
>     dovecot --version
>         2.3.13 (89f716dc2)
>
> submission is configured to relay to the same-host postfix instance, listening @ port 465
>
>     ./conf.d/10-master.conf
>         ...
>         protocols = imap submission lmtp sieve
>         ...
>         submission_relay_host       = internal.mx.example.com
>         submission_relay_port       = 465
>         submission_relay_ssl        = smtps
>         submission_relay_ssl_verify = yes
>         submission_relay_trusted    = yes
>
> whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,
>
>     postconf inet_protocols
>         inet_protocols = ipv4
>
> and, as intended, simply refuses ipv6 connections
>
>     telnet 10.1.1.15 465
>         Trying 10.1.1.15...
>         Connected to 10.1.1.15.
>         Escape character is '^]'.
>         ^]
>         telnet> quit
>         Connection closed.
>
>     telnet -6 fd80:10:1::15 465
>         Trying fd80:10:1::15...
>         telnet: connect to address fd80:10:1::15: Connection refused
>
> on each/every mail submit -- via dovecot -- dovecot makes the connection
>
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Server accepted connection (fd=7)
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Connection created
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connection created
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Disconnected
>
> looks up IP address
>
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Looking up IP address
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Performing asynchronous DNS lookup
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Sent: 235 2.7.0 Logged in.
>
> finds BOTH IPs -- IPv4 & IPv6
>
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
>
> then first tries to connect via the host's IPv6 address,
>
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Waiting for connect (fd=8) to finish for max 0 msecs
>
> ############
>  FAILS
> ############
>
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
>
> then proceeds to connect to the host's IPv4 address
>
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connecting
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Waiting for connect (fd=11) to finish for max 0 msecs
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Starting SSL handshake
>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: SSL handshake successful
>     ...
>
> and submission continues/completes
>
>
> I need to get Dovecot to stop trying/failing @ those IPv6 address submission connections.
>
> Either by
>
>     (1) trying IPv4 *first*, before IPv6, to avoid the FAIL on submission
>
> or
>
>     (2) turning off submission relay by IPv6 altogether, as I'll never use it
>
> What's the config required to do either/both?
>