local stanza only generated for IPv6

newer
Mail replication fails between...

older
dovecot: doveconf: Fatal:...

Jeremy Ardley

1 Jul 2020 1 Jul '20

7:50 a.m.

I have a mail server with multiple IP addresses and associated DNS names

In the dovecot configuration I have a listen directive:

listen = mail.example.com.com,mail.otherexample.com,localhost

Multiple local stanzas are of the form:

local mail.example.com { protocol imap { ssl_cert =

service imaps_login { inet_listener imaps { address=mail.example.com } inet_listener imap { address=mail.example.com } } } }

mail.example.com has IPv4 and IPv6 addresses in DNS

When I run doveconf -n the local configuration is only generated for the IPv6 address. I can test the operation on IPv6 using openSSL and see different server certificates on different IP addresses as expected.

How do I force local generation for both IPv4 and IPv6 ?

Attachments:

attachment.html (text/html — 1.7 KB)

Show replies by date

Jean-Daniel

1 Jul 1 Jul

8:21 a.m.

...

Le 1 juil. 2020 à 06:50, Jeremy Ardley jeremy@ardley.org a écrit :

I have a mail server with multiple IP addresses and associated DNS names

In the dovecot configuration I have a listen directive:
listen = mail.example.com.com,mail.otherexample.com,localhost
Multiple local stanzas are of the form:

local mail.example.com { protocol imap { ssl_cert =
 service imaps_login {
   inet_listener imaps {
     address=mail.example.com
   }
   inet_listener imap {
     address=mail.example.com
   }
 } 
} }

mail.example.com has IPv4 and IPv6 addresses in DNS

When I run doveconf -n the local configuration is only generated for the IPv6 address. I can test the operation on IPv6 using openSSL and see different server certificates on different IP addresses as expected.

How do I force local generation for both IPv4 and IPv6 ?

You can probably don’t use hostname for address directive, but instead space separated list of IP address you want to listen to.

And unless you need to disable dovecot on some interfaces, you don’t have to specify the listen directive, as it defaults to all IPv4 and IPv6 addresses.

Jeremy Ardley

1:15 p.m.

Further to my report on stanzas being only generated the IPv6 addresses I have found a work-around until someone in the development team comes up with something like inet_listener_6 and inet_listener_4

The workaround is simply to get dovecot to listen in IPv4 and IPv6. It has no effect on clients who will use ordinary MX records to access the normal mailserver name

The workaround requires modifying DNS with duplicate A and AAAA records (not CNAME or ALIAS) for the addresses of interest. So in the instance of one domain:

mail A 192.168.0.1 AAAA 2001:0db8:85a3:0000:0000:8a2e:0370:7334

mail4 A 192.168.0.1

mail6 AAAA 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Then the dovecot.conf file requires multiple local stanzas. In this case two domains requires four stanzas

listen = mail4.example.com,mail6.example.com,mail4.example2.com,mail6.example2.com,localhost

protocols = imap lmtp sieve

ssl_min_protocol = TLSv1.2 ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM ssl_prefer_server_ciphers = yes

local mail4.example.com { protocol imap { ssl_cert =

service imaps_login_4 { inet_listener imaps { address=mail4.example.com } inet_listener imap { address=mail4.example.com } } } }

local mail6.example.com { protocol imap { ssl_cert =

service imaps_login_6 { inet_listener imaps { address=mail6.example.com } inet_listener imap { address=mail6.example.com } } } }

local mail4.example2.com { protocol imap { ssl_cert =

service imaps_login_44 { inet_listener imaps { address = mail4.example2.com } inet_listener imap { address = mail4.example2.com } } } }

local mail6.example2.com { protocol imap { ssl_cert =

service imaps_login_66 { inet_listener imaps { address = mail6.example2.com } inet_listener imap { address = mail6.example2.com } } } }

Benny Pedersen

2 Jul 2 Jul

5:07 a.m.

Jeremy Ardley skrev den 2020-07-01 06:50:

...

local mail.example.com { protocol imap { ssl_cert =
 service imaps_login {
   inet_listener imaps {
     address=mail.example.com
   }

not using hostname here, it should be either ipv4 or ipv6 not hostname

...

   inet_listener imap {
     address=mail.example.com

does this make sense for ssl ? :=)

...

How do I force local generation for both IPv4 and IPv6 ?

hope i am right, not tested here

Jeremy Ardley

5:24 a.m.

On 2/7/20 10:07 am, Benny Pedersen wrote:

...

Jeremy Ardley skrev den 2020-07-01 06:50:

...
local mail.example.com { protocol imap { ssl_cert =
service imaps_login { inet_listener imaps { address=mail.example.com }

not using hostname here, it should be either ipv4 or ipv6 not hostname

That makes maintenance difficult. postconf is helpful because it looks up the IP from the hostname each time the service is started. The issue is it looks up IPv6 in preference/exclusion to IPv4

...

...
inet_listener imap { address=mail.example.com

does this make sense for ssl ? :=)

Yes, clients can connect on port 143 (imap) but negotiate TLS. Thunderbird checks port 143 first when scanning a server for TLS connections.

1548

Age (days ago)

1549

Last active (days ago)

List overview

4 comments

3 participants

participants (3)

Benny Pedersen
Jean-Daniel
Jeremy Ardley