How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?

Aki Tuomi aki.tuomi at open-xchange.com
Thu Apr 8 14:56:06 EEST 2021


One has to ask why it has AAAA record in DNS if you don't intend to use it?

Aki
 
> On 08/04/2021 14:45 PGNet Dev <pgnet.dev at gmail.com> wrote:
> 
>  
> How do you turn OFF, or reduce priority of, IPv6 connect attempts by submission relay?
> 
> On 4/3/21 8:03 PM, PGNet Dev wrote:
> > my server is a linux, dual-stack IPv4/IPv6 host
> > 
> > it runs multiple services, including, but not limited to, postfix & dovecot
> > 
> > the hostname is
> > 
> >      internal.mx.example.com
> > 
> > its DNS config,
> > 
> >      host internal.mx.example.com
> >          internal.mx.example.com has address 10.1.1.15
> >          internal.mx.example.com has IPv6 address fd80:10:1::15
> >          internal.mx.example.com mail is handled by 5 internal.mx.example.com.
> > 
> > here, for dovecot
> > 
> >      dovecot --version
> >          2.3.13 (89f716dc2)
> > 
> > submission is configured to relay to the same-host postfix instance, listening @ port 465
> > 
> >      ./conf.d/10-master.conf
> >          ...
> >          protocols = imap submission lmtp sieve
> >          ...
> >          submission_relay_host       = internal.mx.example.com
> >          submission_relay_port       = 465
> >          submission_relay_ssl        = smtps
> >          submission_relay_ssl_verify = yes
> >          submission_relay_trusted    = yes
> > 
> > whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,
> > 
> >      postconf inet_protocols
> >          inet_protocols = ipv4
> > 
> > and, as intended, simply refuses ipv6 connections
> > 
> >      telnet 10.1.1.15 465
> >          Trying 10.1.1.15...
> >          Connected to 10.1.1.15.
> >          Escape character is '^]'.
> >          ^]
> >          telnet> quit
> >          Connection closed.
> > 
> >      telnet -6 fd80:10:1::15 465
> >          Trying fd80:10:1::15...
> >          telnet: connect to address fd80:10:1::15: Connection refused
> > 
> > on each/every mail submit -- via dovecot -- dovecot makes the connection
> > 
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Server accepted connection (fd=7)
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Connection created
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connection created
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Disconnected
> > 
> > looks up IP address
> > 
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Looking up IP address
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Performing asynchronous DNS lookup
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Sent: 235 2.7.0 Logged in.
> > 
> > finds BOTH IPs -- IPv4 & IPv6
> > 
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
> > 
> > then first tries to connect via the host's IPv6 address,
> > 
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Waiting for connect (fd=8) to finish for max 0 msecs
> > 
> > ############
> >   FAILS
> > ############
> > 
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
> > 
> > then proceeds to connect to the host's IPv4 address
> > 
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connecting
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Waiting for connect (fd=11) to finish for max 0 msecs
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Starting SSL handshake
> >      2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: SSL handshake successful
> >      ...
> > 
> > and submission continues/completes
> > 
> > 
> > I need to get Dovecot to stop trying/failing @ those IPv6 address submission connections.
> > 
> > Either by
> > 
> >      (1) trying IPv4 *first*, before IPv6, to avoid the FAIL on submission
> > 
> > or
> > 
> >      (2) turning off submission relay by IPv6 altogether, as I'll never use it
> > 
> > What's the config required to do either/both?
> >
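
To measure how often the pattern in the quoted log occurs (an address that refuses the connection is tried before one that accepts it), the following added example parses `smtp-client` debug lines and reports each fallback. It is not part of the original thread or of Dovecot; the function names are hypothetical and the regular expression assumes the debug line format shown in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Lines excerpted from the debug log quoted in the post above.
SAMPLE = """\
2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
""".splitlines()

# Outcome lines carry the peer in parentheses: "(10.1.1.15:465)" or "([v6]:465)".
EVENT = re.compile(
    r"<(?P<session>[^>]+)>: Debug: smtp-client: conn (?P<relay>\S+) "
    r"\((?P<peer>[^)]+)\) \[\d+\]: (?P<event>Client connection failed|Client connected)"
)

def peer_ip(peer):
    """Turn '[v6]:port' or 'v4:port' into an ipaddress object."""
    return ipaddress.ip_address(peer.rsplit(":", 1)[0].strip("[]"))

def connect_outcomes(lines):
    """Map (session, relay) to [(family, ip, connected?), ...] in log order."""
    out = defaultdict(list)
    for line in lines:
        m = EVENT.search(line)
        if m:
            ip = peer_ip(m["peer"])
            ok = m["event"] == "Client connected"
            out[(m["session"], m["relay"])].append((f"IPv{ip.version}", str(ip), ok))
    return dict(out)

def fallback_findings(lines):
    """Report every connect that succeeded only after earlier addresses failed."""
    findings = []
    for (session, relay), attempts in connect_outcomes(lines).items():
        failed = []
        for family, ip, ok in attempts:
            if not ok:
                failed.append((family, ip))
                continue
            if failed:
                findings.append({"session": session, "relay": relay,
                                 "failed": failed, "connected": (family, ip)})
            failed = []
    return findings

if __name__ == "__main__":
    for finding in fallback_findings(SAMPLE):
        print(finding)
```
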

