Arjen de Korte
2021-Apr-09 13:57 UTC
How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?
Quoting PGNet Dev <pgnet.dev at gmail.com>:

> On 4/9/21 8:08 AM, @lbutlr wrote:
>> On 08 Apr 2021, at 06:08, PGNet Dev <pgnet.dev at gmail.com> wrote:
>>> whereas other services listen at both IPv4 & IPv6 addresses, with
>>> IPv6 preferred over IPv4, postfix listens ONLY on IPv4,
>>
>> Do you mean that YOUR postfix only listens to ipv4?
>
> Yep.
>
>> If so, wouldn't the solution be to set up postfix to listen to ipv6?
>
> That would work, of course, but that's not the point. I'm not
> planning to open postfix listener on the public IPv6 in order to
> accommodate one service connection (Dovecot's relay submit), only to
> have to add add'l knobs to lock down access.

There is no need to use a global address; assuming the systems Postfix and Dovecot are on the same LAN, a link-local IPv6 address would be just fine. This is no less insecure than an RFC1918 IPv4 address.

> And it's a bad assumption that since the host is dual-stack that all
> services on it will be.

I fail to see why. If a hostname resolves to both an A and AAAA record, it should provide services on both.

> The 'solution' is to have Dovecot relay submit connect where & how
> you TELL it to connect, NOT where it assumes it's OK to connect.

You've already told it where to connect: internal.mx.example.com. Since that host has both an A and AAAA record, you're telling it both are equally fine. If that's not what you want, either hardcode the IPv4 address in the submission_relay_host or create an internal-ipv4.mx.example.com A record.

> It's already possible to set
>
> submission_relay_host
> submission_relay_port
> submission_relay_ssl
> submission_relay_ssl_verify
> submission_relay_trusted
>
> in order to specify exactly how/where to securely connect for relay.
>
> It's a head scratcher what the philosophical reticence is for
> completing the picture with a
>
> submission_relay_inet_protocols
>
> or somesuch.

It's a head scratcher why people still insist on running services on legacy IPv4 only.
PGNet Dev
2021-Apr-09 14:29 UTC
>> And it's a bad assumption that since the host is dual-stack that all services on it will be.
>
> If a hostname resolves to both an A and AAAA record, it should provide services on both.

Says who/what? There is no should/must/shall in any internet standard that suggests/implies/requires that.
@lbutlr
2021-Apr-09 16:51 UTC
On 09 Apr 2021, at 07:57, Arjen de Korte <build+dovecot at de-korte.org> wrote:

> Quoting PGNet Dev <pgnet.dev at gmail.com>:
>> And it's a bad assumption that since the host is dual-stack that all services on it will be.
> I fail to see why. If a hostname resolves to both an A and AAAA record, it should provide services on both.

Yes, that would be my stance on it.

>> The 'solution' is to have Dovecot relay submit connect where & how you TELL it to connect, NOT where it assumes it's OK to connect.
>
> You've already told it where to connect: internal.mx.example.com. Since that host has both an A and AAAA record, you're telling it both are equally fine. If that's not what you want, either hardcode the IPv4 address in the submission_relay_host or create an internal-ipv4.mx.example.com A record.

Right. The tools are already there; there is no need for dovecot to add another specific setting for this edge case when it is entirely unnecessary.

> It's a head scratcher why people still insist on running services on legacy IPv4 only.

Some of us have no choice, sadly. Two of the largest ISPs (Comcast and Century Link) in the US refuse to offer IPv6 to business customers, and have gone to some lengths to screw up IPv6 for their consumer customers.

--
Alice: If you would just shut up for about two seconds, this sex dream would pass the Bechdel test.
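
The mismatch this thread is about (a relay hostname that publishes both an A and an AAAA record while the MTA listens on only one address family) can be checked per address. The following is an added example, not code from any poster or from Dovecot or Postfix; the addresses are constructed from documentation ranges, port 25 is an assumption, and `audit_relay`, `unanswered`, `sample_resolver` and `sample_probe` are hypothetical names.

```python
import socket

def resolve(host, port):
    """Return (family, sockaddr) for every address the name resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [(family, sockaddr) for family, _t, _p, _c, sockaddr in infos]

def tcp_probe(family, sockaddr, timeout=3.0):
    """True if something accepts a TCP connection at sockaddr."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return True
        except OSError:
            return False

def audit_relay(host, port, resolver=resolve, probe=tcp_probe):
    """Map each (family label, address) published for host to reachability."""
    results = {}
    for family, sockaddr in resolver(host, port):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        results[(label, sockaddr[0])] = probe(family, sockaddr)
    return results

def unanswered(results):
    """Addresses the name advertises but where the relay does not answer."""
    return sorted(key for key, ok in results.items() if not ok)

# Constructed sample data (documentation address ranges, assumed port 25):
# the name has an AAAA and an A record, but the MTA is bound to IPv4 only.
def sample_resolver(host, port):
    return [(socket.AF_INET6, ("2001:db8::25", port, 0, 0)),
            (socket.AF_INET, ("192.0.2.25", port))]

def sample_probe(family, sockaddr, timeout=3.0):
    return family == socket.AF_INET

if __name__ == "__main__":
    results = audit_relay("internal.mx.example.com", 25,
                          sample_resolver, sample_probe)
    for (label, addr), ok in results.items():
        print(f"{label:4} {addr:15} {'answers' if ok else 'NO LISTENER'}")
    print("advertised but unanswered:", unanswered(results))
```

Calling `audit_relay(host, port)` without the sample arguments uses the system resolver and real TCP connections, so it reports what a client on that machine would actually encounter for each published address.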