local stanza only generated for IPv6
I have a mail server with multiple IP addresses and associated DNS names
In the dovecot configuration I have a listen directive:
listen = mail.example.com,mail.otherexample.com,localhost
Multiple local stanzas are of the form:
local mail.example.com {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
    service imaps_login {
      inet_listener imaps {
        address = mail.example.com
      }
      inet_listener imap {
        address = mail.example.com
      }
    }
  }
}
mail.example.com has IPv4 and IPv6 addresses in DNS
When I run doveconf -n the local configuration is only generated for the IPv6 address. I can test the operation on IPv6 using OpenSSL and see different server certificates on different IP addresses as expected.
How do I force local generation for both IPv4 and IPv6?
On 1 Jul 2020, at 06:50, Jeremy Ardley <jeremy@ardley.org> wrote:
> I have a mail server with multiple IP addresses and associated DNS names
> In the dovecot configuration I have a listen directive:
> listen = mail.example.com,mail.otherexample.com,localhost
> Multiple local stanzas are of the form:
> local mail.example.com {
>   protocol imap {
>     ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
>     ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
>     service imaps_login {
>       inet_listener imaps {
>         address = mail.example.com
>       }
>       inet_listener imap {
>         address = mail.example.com
>       }
>     }
>   }
> }
> mail.example.com has IPv4 and IPv6 addresses in DNS
> When I run doveconf -n the local configuration is only generated for the IPv6 address. I can test the operation on IPv6 using OpenSSL and see different server certificates on different IP addresses as expected.
> How do I force local generation for both IPv4 and IPv6?
You probably can't use a hostname for the address directive; use instead a space-separated list of the IP addresses you want to listen on.
And unless you need to disable dovecot on some interfaces, you don’t have to specify the listen directive, as it defaults to all IPv4 and IPv6 addresses.
Further to my report on stanzas only being generated for the IPv6 addresses, I have found a work-around until someone in the development team comes up with something like inet_listener_6 and inet_listener_4.
The workaround is simply to get dovecot to listen on IPv4 and IPv6. It has no effect on clients, who will use ordinary MX records to access the normal mail server name.
The workaround requires modifying DNS with duplicate A and AAAA records (not CNAME or ALIAS) for the addresses of interest. So in the instance of one domain:
mail    A      192.168.0.1
mail    AAAA   2001:0db8:85a3:0000:0000:8a2e:0370:7334
mail4   A      192.168.0.1
mail6   AAAA   2001:0db8:85a3:0000:0000:8a2e:0370:7334
Then the dovecot.conf file requires multiple local stanzas. In this case two domains require four stanzas:
listen = mail4.example.com,mail6.example.com,mail4.example2.com,mail6.example2.com,localhost
protocols = imap lmtp sieve
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes

local mail4.example.com {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
    service imaps_login_4 {
      inet_listener imaps {
        address = mail4.example.com
      }
      inet_listener imap {
        address = mail4.example.com
      }
    }
  }
}

local mail6.example.com {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
    service imaps_login_6 {
      inet_listener imaps {
        address = mail6.example.com
      }
      inet_listener imap {
        address = mail6.example.com
      }
    }
  }
}

local mail4.example2.com {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/example2.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/example2.com/privkey.pem
    service imaps_login_44 {
      inet_listener imaps {
        address = mail4.example2.com
      }
      inet_listener imap {
        address = mail4.example2.com
      }
    }
  }
}

local mail6.example2.com {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/example2.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/example2.com/privkey.pem
    service imaps_login_66 {
      inet_listener imaps {
        address = mail6.example2.com
      }
      inet_listener imap {
        address = mail6.example2.com
      }
    }
  }
}
Jeremy Ardley wrote on 2020-07-01 06:50:
> local mail.example.com {
>   protocol imap {
>     ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
>     ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
>     service imaps_login {
>       inet_listener imaps {
>         address = mail.example.com
>       }
Don't use a hostname here; it should be either an IPv4 or an IPv6 address, not a hostname.
>       inet_listener imap {
>         address = mail.example.com
Does this make sense for SSL? :=)
> How do I force local generation for both IPv4 and IPv6?
Hope I am right; not tested here.
On 2/7/20 10:07 am, Benny Pedersen wrote:
> Jeremy Ardley wrote on 2020-07-01 06:50:
>> local mail.example.com {
>>   protocol imap {
>>     ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
>>     ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
>>     service imaps_login {
>>       inet_listener imaps {
>>         address = mail.example.com
>>       }
> Don't use a hostname here; it should be either an IPv4 or an IPv6 address, not a hostname.
That makes maintenance difficult. postconf is helpful because it looks up the IP from the hostname each time the service is started. The issue is that it looks up IPv6 in preference to, or to the exclusion of, IPv4.
>>       inet_listener imap {
>>         address = mail.example.com
> Does this make sense for SSL? :=)
Yes, clients can connect on port 143 (imap) but negotiate TLS. Thunderbird checks port 143 first when scanning a server for TLS connections.
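The two positions in the thread, literal addresses in the local blocks (Jean-Daniel's and Benny's advice) and not wanting to hand-maintain those literals (Jeremy's objection just above), can be reconciled by generating the blocks from DNS at deploy time. The script below is an added example, not code from the thread or from the Dovecot project. It assumes the /etc/letsencrypt/live/<host>/ certificate layout used in the thread, that Dovecot already listens on every address so only the local blocks need per-IP entries, and that doveconf -n prints the resolved address after `local`, as the original post reports. SAMPLE_DNS and SAMPLE_DOVECONF are constructed inputs so it runs offline; served_cert_names is the per-address certificate check the first post did with OpenSSL, redone with Python's ssl module for port 993 and for STARTTLS on 143, and is the one part that needs network access.

```python
"""Added example, not code from the thread: expand a hostname to every A and
AAAA address, emit one Dovecot `local <ip>` block per address, audit a
`doveconf -n` dump for addresses that got no block, and fetch the certificate
a given IP actually serves.  Assumptions (not stated on the page): the
/etc/letsencrypt/live/<host>/ layout used in the thread, Dovecot listening on
all addresses, and `doveconf -n` printing the resolved address after `local`."""
import ipaddress
import re
import socket
import ssl
from collections.abc import Callable

Resolver = Callable[[str], list[str]]


def _ip_key(addr: str):
    """Sort key that never compares IPv4 with IPv6 (ipaddress raises on that)."""
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


def dns_resolver(host: str) -> list[str]:
    """All A and AAAA addresses of host, canonicalised, IPv4 before IPv6."""
    infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return sorted({str(ipaddress.ip_address(i[4][0])) for i in infos}, key=_ip_key)


# Constructed sample resolution map so the generator and the audit run offline.
SAMPLE_DNS = {"mail.example.com": ["2001:db8:85a3::8a2e:370:7334", "192.168.0.1"]}


def sample_resolver(host: str) -> list[str]:
    return sorted(SAMPLE_DNS[host], key=_ip_key)


def render_local_blocks(host: str, resolver: Resolver = dns_resolver,
                        live_dir: str = "/etc/letsencrypt/live") -> str:
    """One `local <ip>` block per address, all pointing at host's certificate.

    Dovecot matches `local` against the connection's local IP, so literal
    addresses sidestep the hostname-to-single-address expansion that produced
    only the IPv6 block in the thread."""
    block = ("local {ip} {{\n"
             "  protocol imap {{\n"
             "    ssl_cert = <{live}/{host}/fullchain.pem\n"
             "    ssl_key = <{live}/{host}/privkey.pem\n"
             "  }}\n"
             "}}\n")
    return "".join(block.format(ip=ip, live=live_dir, host=host) for ip in resolver(host))


_LOCAL_RE = re.compile(r"^local\s+(\S+)\s*\{", re.MULTILINE)


def audit_doveconf(dump: str, host: str, resolver: Resolver = dns_resolver) -> list[str]:
    """Addresses of host that have no `local` block in a `doveconf -n` dump."""
    present = set()
    for token in _LOCAL_RE.findall(dump):
        try:
            present.add(str(ipaddress.ip_address(token)))
        except ValueError:      # a hostname or a network, not a single address
            continue
    return [ip for ip in resolver(host) if ip not in present]


def served_cert_names(ip: str, host: str, port: int = 993, starttls: bool = False) -> list[str]:
    """CN and DNS SANs of the certificate served on one literal address.

    Port 993 is implicit TLS; port 143 with starttls=True sends IMAP STARTTLS
    first, the client behaviour mentioned in the last reply.  The default
    context verifies chain and hostname, so a wrong certificate on that
    address surfaces as ssl.SSLCertVerificationError.  Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=10) as raw:
        if starttls:
            raw.recv(4096)                       # "* OK ..." greeting
            raw.sendall(b"a1 STARTTLS\r\n")
            reply = raw.recv(4096)
            if not reply.startswith(b"a1 OK"):
                raise RuntimeError(f"STARTTLS refused on {ip}:{port}: {reply!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(rdn[0] for rdn in cert["subject"])
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [subject.get("commonName", "")] + sans


# Constructed `doveconf -n` excerpt reproducing the symptom: only the IPv6 block.
SAMPLE_DOVECONF = """\
listen = mail.example.com, localhost
local 2001:0db8:85a3:0000:0000:8a2e:0370:7334 {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key =  # hidden, use -P to show it
  }
}
"""

if __name__ == "__main__":
    print(render_local_blocks("mail.example.com", sample_resolver))
    print("missing:", audit_doveconf(SAMPLE_DOVECONF, "mail.example.com", sample_resolver))
```

Dropping the sample_resolver argument makes both functions use real DNS; running render_local_blocks from the same hook that renews the certificate keeps the literals current without the mail4/mail6 duplicate records. Since `local` also accepts CIDR networks, a host whose addresses sit in a dedicated prefix can be covered with one IPv4 and one IPv6 block instead.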