thr3ads.net - dovecot - local stanza only generated for IPv6 [Jul 2020]

If this information is useful, please help other people find it:
Share via:

Jeremy Ardley

2020-Jul-01 04:50 UTC

local stanza only generated for IPv6

I have a mail server with multiple IP addresses and associated DNS names

In the dovecot configuration I have a listen directive:

??? listen = mail.example.com.com,mail.otherexample.com,localhost

Multiple local stanzas are of the form:

local mail.example.com {
? protocol imap {
???? ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
???? ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

???? service imaps_login {
?????? inet_listener imaps {
???????? address=mail.example.com
?????? }
?????? inet_listener imap {
???????? address=mail.example.com
?????? }
???? }
? }
}

mail.example.com has IPv4 and IPv6 addresses in DNS

When I run doveconf -n the local configuration is only generated for the
IPv6 address. I can test the operation on IPv6 using openSSL and see
different server certificates on different IP addresses as expected.

How do I force local generation for both IPv4 and IPv6 ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200701/4ed9d702/attachment.html>

Jean-Daniel

2020-Jul-01 05:21 UTC

head link

local stanza only generated for IPv6

> Le 1 juil. 2020 ? 06:50, Jeremy Ardley <jeremy at ardley.org> a ?crit
:
> 
> I have a mail server with multiple IP addresses and associated DNS names
> 
> In the dovecot configuration I have a listen directive:
> 
>     listen = mail.example.com.com,mail.otherexample.com,localhost
> 
> Multiple local stanzas are of the form:
> 
> local mail.example.com {
>   protocol imap {
>      ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
>      ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
> 
>      service imaps_login {
>        inet_listener imaps {
>          address=mail.example.com
>        }
>        inet_listener imap {
>          address=mail.example.com
>        }
>      } 
>   }
> }
> 
> mail.example.com has IPv4 and IPv6 addresses in DNS
> 
> When I run doveconf -n the local configuration is only generated for the
IPv6 address. I can test the operation on IPv6 using openSSL and see different
server certificates on different IP addresses as expected.
> 
> How do I force local generation for both IPv4 and IPv6 ?
> You can probably don?t use hostname for address directive, but instead space
separated list of IP address you want to listen to.

And unless you need to disable dovecot on some interfaces, you don?t have to
specify the listen directive, as it defaults to all IPv4 and IPv6 addresses.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200701/691f01d7/attachment.html>

Jeremy Ardley

2020-Jul-01 10:15 UTC

head link

local stanza only generated for IPv6

Further to my report on stanzas being only generated the IPv6 addresses
I have found a work-around until someone in the development team comes
up with something like inet_listener_6 and inet_listener_4

The workaround is simply to get dovecot to listen in IPv4 and IPv6. It
has no effect on clients who will use ordinary MX records to access the
normal mailserver name

The workaround requires modifying DNS with duplicate A and AAAA records
(not CNAME or ALIAS) for the addresses of interest. So in the instance
of one domain:

mail??? A??? ?? 192.168.0.1
??? ??? AAAA??? 2001:0db8:85a3:0000:0000:8a2e:0370:7334

mail4?? A??? ?? 192.168.0.1

mail6?? AAAA??? 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Then the dovecot.conf file requires multiple local stanzas. In this case
two domains requires four stanzas

listen
mail4.example.com,mail6.example.com,mail4.example2.com,mail6.example2.com,localhost

protocols = imap lmtp sieve

ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes

local mail4.example.com {
? protocol imap {
???? ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
???? ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

???? service imaps_login_4 {
?????? inet_listener imaps {
???????? address=mail4.example.com
?????? }
?????? inet_listener imap {
???????? address=mail4.example.com
?????? }
???? }
? }
}

local mail6.example.com {
? protocol imap {
???? ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
???? ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

???? service imaps_login_6 {
?????? inet_listener imaps {
???????? address=mail6.example.com
?????? }
?????? inet_listener imap {
???????? address=mail6.example.com
?????? }
???? }
? }
}


local mail4.example2.com {
? protocol imap {
??? ssl_cert = </etc/letsencrypt/live/example2.com/fullchain.pem
??? ssl_key = </etc/letsencrypt/live/example2.com/privkey.pem

??? service imaps_login_44 {
????? inet_listener imaps {
???????? address = mail4.example2.com
????? }
????? inet_listener imap {
???????? address = mail4.example2.com
????? }
??? }
? }
}

local mail6.example2.com {
? protocol imap {
??? ssl_cert = </etc/letsencrypt/live/example2.com/fullchain.pem
??? ssl_key = </etc/letsencrypt/live/example2.com/privkey.pem

??? service imaps_login_66 {
????? inet_listener imaps {
???????? address = mail6.example2.com
????? }
????? inet_listener imap {
???????? address = mail6.example2.com
????? }
??? }
? }
}

Benny Pedersen

2020-Jul-02 02:07 UTC

head link

local stanza only generated for IPv6

Jeremy Ardley skrev den 2020-07-01 06:50:
> local mail.example.com {
>   protocol imap {
>      ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
>      ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
> 
>      service imaps_login {
>        inet_listener imaps {
>          address=mail.example.com
>        }
not using hostname here, it should be either ipv4 or ipv6 not hostname
>        inet_listener imap {
>          address=mail.example.com
does this make sense for ssl ? :=)
> How do I force local generation for both IPv4 and IPv6 ?
hope i am right, not tested here

Jeremy Ardley

2020-Jul-02 02:24 UTC

head link

local stanza only generated for IPv6

On 2/7/20 10:07 am, Benny Pedersen wrote:> Jeremy Ardley skrev den 2020-07-01 06:50:
>
>> local mail.example.com {
>> ? protocol imap {
>> ???? ssl_cert =
</etc/letsencrypt/live/mail.example.com/fullchain.pem
>> ???? ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
>>
>> ???? service imaps_login {
>> ?????? inet_listener imaps {
>> ???????? address=mail.example.com
>> ?????? }
>
> not using hostname here, it should be either ipv4 or ipv6 not hostname
That makes maintenance difficult. postconf is helpful because it looks
up the IP from the hostname each time the service is started. The issue
is it looks up IPv6 in preference/exclusion to IPv4
>
>> ?????? inet_listener imap {
>> ???????? address=mail.example.com
>
> does this make sense for ssl ? :=)
Yes, clients can connect on port 143 (imap) but negotiate TLS.
Thunderbird checks port 143 first when scanning a server for TLS
connections.

Reasonably Related Threads

Search for more reasonably related threads

dovecot - Jul 2020 - local stanza only generated for IPv6

local stanza only generated for IPv6

local stanza only generated for IPv6

local stanza only generated for IPv6

local stanza only generated for IPv6

local stanza only generated for IPv6

Reasonably Related Threads