How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?
PGNet Dev
pgnet.dev at gmail.com
Thu Apr 8 15:08:44 EEST 2021
On 4/8/21 7:56 AM, Aki Tuomi wrote:
> One has to ask why it has AAAA record in DNS if you don't intend to use it?
Because that's my infrastructure.
As already stated in the OP:
whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,
I don't intend to use it for POSTFIX. And therefore, neither for Dovecot.
In _exactly_ the same manner/sense as dovecot's already-existing option to limit its OWN listeners (inet_listener) to IPv4 only.
>
>> On 08/04/2021 14:45 PGNet Dev <pgnet.dev at gmail.com> wrote:
>>
>>
>> How do you turn OFF, or reduce priority of, IPv6 connect attempts by submission relay?
>>
>> On 4/3/21 8:03 PM, PGNet Dev wrote:
>>> my server is a linux, dual-stack IPv4/IPv6 host
>>>
>>> it runs multiple services, including, but not limited to, postfix & dovecot
>>>
>>> the hostname is
>>>
>>> internal.mx.example.com
>>>
>>> its DNS config,
>>>
>>> host internal.mx.example.com
>>> internal.mx.example.com has address 10.1.1.15
>>> internal.mx.example.com has IPv6 address fd80:10:1::15
>>> internal.mx.example.com mail is handled by 5 internal.mx.example.com.
>>>
>>> here, for dovecot
>>>
>>> dovecot --version
>>> 2.3.13 (89f716dc2)
>>>
>>> submission is configured to relay to the same-host postfix instance, listening @ port 465
>>>
>>> ./conf.d/10-master.conf
>>> ...
>>> protocols = imap submission lmtp sieve
>>> ...
>>> submission_relay_host = internal.mx.example.com
>>> submission_relay_port = 465
>>> submission_relay_ssl = smtps
>>> submission_relay_ssl_verify = yes
>>> submission_relay_trusted = yes
>>>
>>> whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,
>>>
>>> postconf inet_protocols
>>> inet_protocols = ipv4
>>>
>>> and, as intended, simply refuses ipv6 connections
>>>
>>> telnet 10.1.1.15 465
>>> Trying 10.1.1.15...
>>> Connected to 10.1.1.15.
>>> Escape character is '^]'.
>>> ^]
>>> telnet> quit
>>> Connection closed.
>>>
>>> telnet -6 fd80:10:1::15 465
>>> Trying fd80:10:1::15...
>>> telnet: connect to address fd80:10:1::15: Connection refused
>>>
>>> on each/every mail submit -- via dovecot -- dovecot makes the connection
>>>
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Server accepted connection (fd=7)
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Connection created
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connection created
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Disconnected
>>>
>>> looks up IP address
>>>
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Looking up IP address
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Performing asynchronous DNS lookup
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Sent: 235 2.7.0 Logged in.
>>>
>>> finds BOTH IPs -- IPv4 & IPv6
>>>
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
>>>
>>> then first tries to connect via the host's IPv6 address,
>>>
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Waiting for connect (fd=8) to finish for max 0 msecs
>>>
>>> ############
>>> FAILS
>>> ############
>>>
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
>>>
>>> then proceeds to connect to the host's IPv4 address
>>>
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connecting
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Waiting for connect (fd=11) to finish for max 0 msecs
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Starting SSL handshake
>>> 2021-04-03 19:35:35 submission(mailer at mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: SSL handshake successful
>>> ...
>>>
>>> and submission continues/completes
>>>
>>>
>>> I need to get Dovecot to stop trying/failing @ those IPv6 address submission connections.
>>>
>>> Either by
>>>
>>> (1) trying IPv4 *first*, before IPv6, to avoid the FAIL on submission
>>>
>>> or
>>>
>>> (2) turning off submission relay by IPv6 altogether, as I'll never use it
>>>
>>> What's the config required to do either/both?
>>>
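
Added example, not part of the original message or of Dovecot: a Python log check that pairs each smtp-client "Connecting to" debug line with its "Client connection failed" or "Client connected" outcome, then reports the IP versions that only ever fail for a relay host. The sample log is constructed from the debug lines quoted above, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the debug lines quoted in the message above.
SAMPLE_LOG = """\
2021-04-03 19:35:35 submission(user)<sessA>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs
2021-04-03 19:35:35 submission(user)<sessA>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
2021-04-03 19:35:35 submission(user)<sessA>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)
2021-04-03 19:35:35 submission(user)<sessA>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
2021-04-03 19:35:35 submission(user)<sessA>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
2021-04-03 19:35:35 submission(user)<sessA>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
"""

# session id, relay host:port, optional "(current address)" part, message text
LINE = re.compile(
    r"<(?P<session>[^>]+)>: Debug: smtp-client: conn (?P<relay>\S+)"
    r"(?: \([^)]*\))? \[\d+\]: (?P<msg>.*)$"
)

def relay_attempts(log_text):
    """Return {relay: [(address, ip_version, outcome), ...]} in log order."""
    pending = {}  # (session, relay) -> address currently being tried
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, msg = (m["session"], m["relay"]), m["msg"]
        if msg.startswith("Connecting to "):
            # "ADDR:PORT"; the port follows the last colon, also for IPv6
            pending[key] = msg[len("Connecting to "):].rsplit(":", 1)[0]
        elif msg.startswith(("Client connection failed", "Client connected")) and key in pending:
            addr = pending.pop(key)
            outcome = "failed" if "failed" in msg else "connected"
            attempts[m["relay"]].append((addr, ipaddress.ip_address(addr).version, outcome))
    return dict(attempts)

def dead_families(attempts):
    """IP versions that only ever failed while another version connected."""
    result = {}
    for relay, rows in attempts.items():
        ok = {v for _, v, o in rows if o == "connected"}
        bad = {v for _, v, o in rows if o == "failed"}
        if ok and bad - ok:
            result[relay] = sorted(bad - ok)
    return result

if __name__ == "__main__":
    print(dead_families(relay_attempts(SAMPLE_LOG)))
```

A relay host that shows up in the result has an address published in DNS for a family on which the relay does not accept connections, which is the mismatch described in the message.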