Aki Tuomi
2021-Apr-08 11:56 UTC
How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?
One has to ask why it has AAAA record in DNS if you don't intend to use it?

Aki

> On 08/04/2021 14:45 PGNet Dev <pgnet.dev at gmail.com> wrote:
>
>
> How do you turn OFF, or reduce priority of, IPv6 connect attempts by submission relay?
>
> On 4/3/21 8:03 PM, PGNet Dev wrote:
> > my server is a linux, dual-stack IPv4/IPv6 host
> >
> > it runs multiple services, including, but not limited to, postfix & dovecot
> >
> > the hostname is
> >
> >     internal.mx.example.com
> >
> > its DNS config,
> >
> >     host internal.mx.example.com
> >         internal.mx.example.com has address 10.1.1.15
> >         internal.mx.example.com has IPv6 address fd80:10:1::15
> >         internal.mx.example.com mail is handled by 5 internal.mx.example.com.
> >
> > here, for dovecot
> >
> >     dovecot --version
> >         2.3.13 (89f716dc2)
> >
> > submission is configured to relay to the same-host postfix instance, listening @ port 465
> >
> >     ./conf.d/10-master.conf
> >         ...
> >         protocols = imap submission lmtp sieve
> >         ...
> >         submission_relay_host       = internal.mx.example.com
> >         submission_relay_port       = 465
> >         submission_relay_ssl        = smtps
> >         submission_relay_ssl_verify = yes
> >         submission_relay_trusted    = yes
> >
> > whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,
> >
> >     postconf inet_protocols
> >         inet_protocols = ipv4
> >
> > and, as intended, simply refuses ipv6 connections
> >
> >     telnet 10.1.1.15 465
> >         Trying 10.1.1.15...
> >         Connected to 10.1.1.15.
> >         Escape character is '^]'.
> >         ^]
> >         telnet> quit
> >         Connection closed.
> >
> >     telnet -6 fd80:10:1::15 465
> >         Trying fd80:10:1::15...
> >         telnet: connect to address fd80:10:1::15: Connection refused
> >
> > on each/every mail submit -- via dovecot -- dovecot makes the connection
> >
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Server accepted connection (fd=7)
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Connection created
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connection created
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Disconnected
> >
> > looks up IP address
> >
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Looking up IP address
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Performing asynchronous DNS lookup
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Sent: 235 2.7.0 Logged in.
> >
> > finds BOTH IPs -- IPv4 & IPv6
> >
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
> >
> > then first tries to connect via the host's IPv6 address,
> >
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Waiting for connect (fd=8) to finish for max 0 msecs
> >
> > ############
> >  FAILS
> > ############
> >
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
> >
> > then proceeds to connect to the host's IPv4 address
> >
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connecting
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Waiting for connect (fd=11) to finish for max 0 msecs
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Starting SSL handshake
> >     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: SSL handshake successful
> >     ...
> >
> > and submission continues/completes
> >
> >
> > I need to get Dovecot to stop trying/failing @ those IPv6 address submission connections.
> >
> > Either by
> >
> >     (1) trying IPv4 *first*, before IPv6, to avoid the FAIL on submission
> >
> > or
> >
> >     (2) turning off submission relay by IPv6 altogether, as I'll never use it
> >
> > What's the config required to do either/both?
> >

PGNet Dev
2021-Apr-08 12:08 UTC
How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?
On 4/8/21 7:56 AM, Aki Tuomi wrote:
> One has to ask why it has AAAA record in DNS if you don't intend to use it?

Because that's my infrastructure. As already stated in the OP:

    whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,

I don't intend to use it for POSTFIX. And therefore, neither for Dovecot. In _exactly_ the same manner/sense as dovecot's already-existing option to limit its OWN listeners (inet_listener) to IPv4 only.

>
>> On 08/04/2021 14:45 PGNet Dev <pgnet.dev at gmail.com> wrote:
>>
>>
>> How do you turn OFF, or reduce priority of, IPv6 connect attempts by submission relay?
>>
>> On 4/3/21 8:03 PM, PGNet Dev wrote:
>>> my server is a linux, dual-stack IPv4/IPv6 host
>>>
>>> it runs multiple services, including, but not limited to, postfix & dovecot
>>>
>>> the hostname is
>>>
>>>     internal.mx.example.com
>>>
>>> its DNS config,
>>>
>>>     host internal.mx.example.com
>>>         internal.mx.example.com has address 10.1.1.15
>>>         internal.mx.example.com has IPv6 address fd80:10:1::15
>>>         internal.mx.example.com mail is handled by 5 internal.mx.example.com.
>>>
>>> here, for dovecot
>>>
>>>     dovecot --version
>>>         2.3.13 (89f716dc2)
>>>
>>> submission is configured to relay to the same-host postfix instance, listening @ port 465
>>>
>>>     ./conf.d/10-master.conf
>>>         ...
>>>         protocols = imap submission lmtp sieve
>>>         ...
>>>         submission_relay_host       = internal.mx.example.com
>>>         submission_relay_port       = 465
>>>         submission_relay_ssl        = smtps
>>>         submission_relay_ssl_verify = yes
>>>         submission_relay_trusted    = yes
>>>
>>> whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,
>>>
>>>     postconf inet_protocols
>>>         inet_protocols = ipv4
>>>
>>> and, as intended, simply refuses ipv6 connections
>>>
>>>     telnet 10.1.1.15 465
>>>         Trying 10.1.1.15...
>>>         Connected to 10.1.1.15.
>>>         Escape character is '^]'.
>>>         ^]
>>>         telnet> quit
>>>         Connection closed.
>>>
>>>     telnet -6 fd80:10:1::15 465
>>>         Trying fd80:10:1::15...
>>>         telnet: connect to address fd80:10:1::15: Connection refused
>>>
>>> on each/every mail submit -- via dovecot -- dovecot makes the connection
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Server accepted connection (fd=7)
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Connection created
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connection created
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Disconnected
>>>
>>> looks up IP address
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Looking up IP address
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Performing asynchronous DNS lookup
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Sent: 235 2.7.0 Logged in.
>>>
>>> finds BOTH IPs -- IPv4 & IPv6
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
>>>
>>> then first tries to connect via the host's IPv6 address,
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Waiting for connect (fd=8) to finish for max 0 msecs
>>>
>>> ############
>>>  FAILS
>>> ############
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
>>>
>>> then proceeds to connect to the host's IPv4 address
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connecting
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Waiting for connect (fd=11) to finish for max 0 msecs
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Starting SSL handshake
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: SSL handshake successful
>>>     ...
>>>
>>> and submission continues/completes
>>>
>>>
>>> I need to get Dovecot to stop trying/failing @ those IPv6 address submission connections.
>>>
>>> Either by
>>>
>>>     (1) trying IPv4 *first*, before IPv6, to avoid the FAIL on submission
>>>
>>> or
>>>
>>>     (2) turning off submission relay by IPv6 altogether, as I'll never use it
>>>
>>> What's the config required to do either/both?
>>>
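
Added example, not part of either post and not Dovecot code: a Python parser over smtp-client debug lines like those quoted in the thread, reporting each submission session where one resolved relay address refused the connection before another accepted it. The sample log is constructed from the thread's lines plus one made-up session ID (`constructedSID02`); the function and variable names are hypothetical.

```python
import ipaddress
import re

# Matches the two smtp-client debug events that carry a resolved peer address.
LINE = re.compile(
    r"<(?P<session>[^>]+)>: Debug: smtp-client: conn (?P<relay>\S+) "
    r"\((?P<peer>[^)]+)\) \[\d+\]: "
    r"(?P<event>Client connection failed|Client connected)"
)

def peer_ip(peer):
    """'[fd80:10:1::15]:465' or '10.1.1.15:465' -> ipaddress object."""
    return ipaddress.ip_address(peer.rsplit(":", 1)[0].strip("[]"))

def relay_fallbacks(log_text):
    """Sessions where a relay address failed before another one connected."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = sessions.setdefault((m["session"], m["relay"]),
                                  {"failed": [], "connected": None})
        if m["event"] == "Client connected":
            rec["connected"] = peer_ip(m["peer"])
        else:
            rec["failed"].append(peer_ip(m["peer"]))
    return [{"session": s, "relay": r, **rec}
            for (s, r), rec in sessions.items()
            if rec["failed"] and rec["connected"]]

# Constructed sample: first session mirrors the thread, second is made up.
_P = ("2021-04-03 19:35:35 submission(mailer at mx.example.com)<{}>: "
      "Debug: smtp-client: conn internal.mx.example.com:465 ")
SAMPLE_LOG = "\n".join([
    _P.format("/tnO6xm/PIqsHgsH") + "[1]: DNS lookup successful; got 2 IPs",
    _P.format("/tnO6xm/PIqsHgsH")
    + "([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)",
    _P.format("/tnO6xm/PIqsHgsH")
    + "(10.1.1.15:465) [1]: Client connected (fd=11)",
    _P.format("constructedSID02")
    + "(10.1.1.15:465) [1]: Client connected (fd=9)",
])

if __name__ == "__main__":
    for fb in relay_fallbacks(SAMPLE_LOG):
        failed = ", ".join(f"IPv{a.version} {a}" for a in fb["failed"])
        print(f"{fb['session']} -> {fb['relay']}: refused by {failed}; "
              f"connected via {fb['connected']}")
```

Sessions that connect on the first address are left out of the result, so the output lists only the submissions that paid for a refused attempt.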