PGNet Dev
2021-Apr-08 12:08 UTC
How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?
On 4/8/21 7:56 AM, Aki Tuomi wrote:
> One has to ask why it has AAAA record in DNS if you don't intend to use it?

Because that's my infrastructure.

As already stated in the OP:

    whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,

I don't intend to use it for POSTFIX. And therefore, neither for Dovecot.

In _exactly_ the same manner/sense as dovecot's already-existing option to limit its OWN listeners (inet_listener ) to IPv4 only.

>
>> On 08/04/2021 14:45 PGNet Dev <pgnet.dev at gmail.com> wrote:
>>
>>
>> How do you turn OFF, or reduce priority of, IPv6 connect attempts by submission relay?
>>
>> On 4/3/21 8:03 PM, PGNet Dev wrote:
>>> my server is a linux, dual-stack IPv4/IPv6 host
>>>
>>> it runs multiple services, including, but not limited to, postfix & dovecot
>>>
>>> the hostname is
>>>
>>>     internal.mx.example.com
>>>
>>> its DNS config,
>>>
>>>     host internal.mx.example.com
>>>         internal.mx.example.com has address 10.1.1.15
>>>         internal.mx.example.com has IPv6 address fd80:10:1::15
>>>         internal.mx.example.com mail is handled by 5 internal.mx.example.com.
>>>
>>> here, for dovecot
>>>
>>>     dovecot --version
>>>         2.3.13 (89f716dc2)
>>>
>>> submission is configured to relay to the same-host postfix instance, listening @ port 465
>>>
>>>     ./conf.d/10-master.conf
>>>         ...
>>>         protocols = imap submission lmtp sieve
>>>         ...
>>>         submission_relay_host       = internal.mx.example.com
>>>         submission_relay_port       = 465
>>>         submission_relay_ssl        = smtps
>>>         submission_relay_ssl_verify = yes
>>>         submission_relay_trusted    = yes
>>>
>>> whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,
>>>
>>>     postconf inet_protocols
>>>         inet_protocols = ipv4
>>>
>>> and, as intended, simply refuses ipv6 connections
>>>
>>>     telnet 10.1.1.15 465
>>>         Trying 10.1.1.15...
>>>         Connected to 10.1.1.15.
>>>         Escape character is '^]'.
>>>         ^]
>>>         telnet> quit
>>>         Connection closed.
>>>
>>>     telnet -6 fd80:10:1::15 465
>>>         Trying fd80:10:1::15...
>>>         telnet: connect to address fd80:10:1::15: Connection refused
>>>
>>> on each/every mail submit -- via dovecot -- dovecot makes the connection
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Server accepted connection (fd=7)
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Connection created
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connection created
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Disconnected
>>>
>>> looks up IP address
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Looking up IP address
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Performing asynchronous DNS lookup
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Sent: 235 2.7.0 Logged in.
>>>
>>> finds BOTH IPs -- IPv4 & IPv6
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
>>>
>>> then first tries to connect via the host's IPv6 address,
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Waiting for connect (fd=8) to finish for max 0 msecs
>>>
>>> ############
>>>  FAILS
>>> ############
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
>>>
>>> then proceeds to connect to the host's IPv4 address
>>>
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connecting
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Waiting for connect (fd=11) to finish for max 0 msecs
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Starting SSL handshake
>>>     2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: SSL handshake successful
>>>     ...
>>>
>>> and submission continues/completes
>>>
>>>
>>> I need to get Dovecot to stop trying/failing @ those IPv6 address submission connections.
>>>
>>> Either by
>>>
>>>     (1) trying IPv4 *first*, before IPv6, to avoid the FAIL on submission
>>>
>>> or
>>>
>>>     (2) turning off submission relay by IPv6 altogether, as I'll never use it
>>>
>>> What's the config required to do either/both?
>>>
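Added example, not part of the original post and not Dovecot code: a small log-triage helper that reads smtp-client debug lines of the form quoted above and reports which relay addresses were tried, in which order, and which ones failed before a fallback address connected. The function names and the abridged sample lines are assumptions made for this illustration.

```python
import ipaddress
import re

# Sample input: abridged from the smtp-client debug lines quoted in the post above.
PREFIX = ("2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: "
          "Debug: smtp-client: conn internal.mx.example.com:465 ")
SAMPLE_LOG = [
    PREFIX + "[1]: DNS lookup successful; got 2 IPs",
    PREFIX + "[1]: Connecting to fd80:10:1::15:465",
    PREFIX + "([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)",
    PREFIX + "([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465",
    PREFIX + "(10.1.1.15:465) [1]: Client connected (fd=11)",
]

# Line shape: "conn <host:port> [(<peer>)] [<id>]: <message>"
EVENT = re.compile(r"smtp-client: conn \S+ (?:\(\S+\) )?\[(\d+)\]: (.*)$")
# The port follows the last colon, also for unbracketed IPv6 literals.
CONNECT = re.compile(r"Connecting to (\S+):(\d+)$")

def relay_attempts(lines):
    """Return one dict per relay connect attempt, in log order."""
    attempts, current = [], {}
    for line in lines:
        event = EVENT.search(line.rstrip())
        if not event:
            continue
        conn, msg = event.groups()
        target = CONNECT.match(msg)
        if target:
            try:
                ip = ipaddress.ip_address(target.group(1))
            except ValueError:
                continue  # target is not an IP literal; skip it
            current[conn] = {"conn": conn, "addr": str(ip),
                             "version": ip.version, "outcome": "pending"}
            attempts.append(current[conn])
        elif conn in current and msg.startswith("Client connection failed"):
            current[conn]["outcome"] = "failed"
        elif conn in current and msg.startswith("Client connected"):
            current[conn]["outcome"] = "connected"
    return attempts

def failed_before_fallback(attempts):
    """Addresses that failed on a connection which later connected elsewhere."""
    return [a["addr"] for i, a in enumerate(attempts)
            if a["outcome"] == "failed" and any(
                b["conn"] == a["conn"] and b["outcome"] == "connected"
                for b in attempts[i + 1:])]

if __name__ == "__main__":
    found = relay_attempts(SAMPLE_LOG)
    for a in found:
        print(f"conn {a['conn']}: IPv{a['version']} {a['addr']} -> {a['outcome']}")
    print("failed before fallback:", failed_before_fallback(found))
```
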
@lbutlr
2021-Apr-09 12:08 UTC
How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?
On 08 Apr 2021, at 06:08, PGNet Dev <pgnet.dev at gmail.com> wrote:
> whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,

Do you mean that YOUR postfix only listens to ipv4? If so, wouldn't the solution be to set up postfix to listen to ipv6? Postfix added support for IPv6 back in version 2 days.

    inet_protocols = ipv4, ipv6

or

    inet_protocols = all

(My ISP does not provide IPv6, so I have little experience with it, so entirely possible I am missing something here).

-- 
Eliot: Jesus. Alice has gone full Harry Potter part seven/eight over there.
Margo: God, I hope we're winning.