How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?
PGNet Dev
pgnet.dev at gmail.com
Thu Apr 8 14:45:02 EEST 2021
How do you turn OFF, or reduce priority of, IPv6 connect attempts by submission relay?
On 4/3/21 8:03 PM, PGNet Dev wrote:
> my server is a linux, dual-stack IPv4/IPv6 host
>
> it runs multiple services, including, but not limited to, postfix & dovecot
>
> the hostname is
>
> internal.mx.example.com
>
> its DNS config,
>
> host internal.mx.example.com
> internal.mx.example.com has address 10.1.1.15
> internal.mx.example.com has IPv6 address fd80:10:1::15
> internal.mx.example.com mail is handled by 5 internal.mx.example.com.
>
> here, for dovecot
>
> dovecot --version
> 2.3.13 (89f716dc2)
>
> submission is configured to relay to the same-host postfix instance, listening @ port 465
>
> ./conf.d/10-master.conf
> ...
> protocols = imap submission lmtp sieve
> ...
> submission_relay_host = internal.mx.example.com
> submission_relay_port = 465
> submission_relay_ssl = smtps
> submission_relay_ssl_verify = yes
> submission_relay_trusted = yes
>
> whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,
>
> postconf inet_protocols
> inet_protocols = ipv4
>
> and, as intended, simply refuses ipv6 connections
>
> telnet 10.1.1.15 465
> Trying 10.1.1.15...
> Connected to 10.1.1.15.
> Escape character is '^]'.
> ^]
> telnet> quit
> Connection closed.
>
> telnet -6 fd80:10:1::15 465
> Trying fd80:10:1::15...
> telnet: connect to address fd80:10:1::15: Connection refused
>
> on each/every mail submit -- via dovecot -- dovecot makes the connection
>
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Server accepted connection (fd=7)
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Connection created
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connection created
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Disconnected
>
> looks up IP address
>
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Looking up IP address
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Performing asynchronous DNS lookup
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Sent: 235 2.7.0 Logged in.
>
> finds BOTH IPs -- IPv4 & IPv6
>
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
>
> then first tries to connect via the host's IPv6 address,
>
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Waiting for connect (fd=8) to finish for max 0 msecs
>
> ############
> FAILS
> ############
>
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
>
> then proceeds to connect to the host's IPv4 address
>
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connecting
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Waiting for connect (fd=11) to finish for max 0 msecs
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Starting SSL handshake
> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: SSL handshake successful
> ...
>
> and submission continues/completes
>
>
> I need to get Dovecot to stop trying/failing @ those IPv6 address submission connections.
>
> Either by
>
> (1) trying IPv4 *first*, before IPv6, to avoid the FAIL on submission
>
> or
>
> (2) turning off submission relay by IPv6 altogether, as I'll never use it
>
> What's the config required to do either/both?
>
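The connect sequence walked through in the message above (lookup returns two addresses, the IPv6 attempt fails, the IPv4 attempt succeeds) can be pulled out of a Dovecot debug log mechanically. The following is an added example, not part of the original post and not Dovecot code: it parses `smtp-client` debug lines and reports, per relay, which address family failed before a later attempt connected. The sample lines are constructed by shortening the log lines quoted in the post; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: smtp-client debug lines shortened from the log in the post
# (timestamp and session prefix trimmed to the part the parser needs).
SAMPLE_LOG = """\
Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
""".splitlines()

LINE_RE = re.compile(
    r"smtp-client: conn (?P<relay>\S+) (?:\(\S+\) )?\[(?P<id>\d+)\]: (?P<msg>.*)$"
)

def relay_attempts(lines):
    """Return [(relay, ip, family, outcome)] for each connect attempt seen."""
    pending = {}   # (relay, conn id) -> address currently being tried
    attempts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key, msg = (m["relay"], m["id"]), m["msg"]
        if msg.startswith("Connecting to "):
            # "addr:port"; the port follows the last colon, even for IPv6
            addr = msg[len("Connecting to "):].rpartition(":")[0]
            pending[key] = ipaddress.ip_address(addr)
        elif key in pending and msg.startswith(("Client connection failed", "Client connected")):
            ip = pending.pop(key)
            outcome = "connected" if msg.startswith("Client connected") else "failed"
            attempts.append((m["relay"], str(ip), f"IPv{ip.version}", outcome))
    return attempts

def wasted_families(attempts):
    """Address families that failed for a relay that later connected."""
    reachable = {relay for relay, _, _, outcome in attempts if outcome == "connected"}
    return sorted({(relay, fam) for relay, _, fam, outcome in attempts
                   if outcome == "failed" and relay in reachable})

if __name__ == "__main__":
    for attempt in relay_attempts(SAMPLE_LOG):
        print(*attempt)
    print("failed-then-fell-back:", wasted_families(relay_attempts(SAMPLE_LOG)))
```

Because the regular expression is applied with `search`, full log lines with their timestamp and session prefix parse the same way as the shortened ones.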