On 4/8/21 7:56 AM, Aki Tuomi wrote:


One has to ask why it has AAAA record in DNS if you don't intend to use it?





Because that's my infrastructure.



As already stated in the OP:



        whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 preferred over IPv4, postfix listens ONLY on IPv4,



I don't intend to use it for POSTFIX. And therefore, neither for Dovecot.



In _exactly_ the same manner/sense as dovecot's already-existing option to limit its OWN listeners (inet_listener) to IPv4 only.



On 08/04/2021 14:45 PGNet Dev <pgnet....@gmail.com> wrote:

How do you turn OFF, or reduce priority of, IPv6 connect attempts by submission relay?

On 4/3/21 8:03 PM, PGNet Dev wrote:
my server is a linux, dual-stack IPv4/IPv6 host

it runs multiple services, including, but not limited to, postfix & dovecot

the hostname is

      internal.mx.example.com

its DNS config,

      host internal.mx.example.com
          internal.mx.example.com has address 10.1.1.15
          internal.mx.example.com has IPv6 address fd80:10:1::15
          internal.mx.example.com mail is handled by 5 internal.mx.example.com.

here, for dovecot

      dovecot --version
          2.3.13 (89f716dc2)

submission is configured to relay to the same-host postfix instance, listening 
@ port 465

      ./conf.d/10-master.conf
          ...
          protocols = imap submission lmtp sieve
          ...
          submission_relay_host       = internal.mx.example.com
          submission_relay_port       = 465
          submission_relay_ssl        = smtps
          submission_relay_ssl_verify = yes
          submission_relay_trusted    = yes

whereas other services listen at both IPv4 & IPv6 addresses, with IPv6 
preferred over IPv4, postfix listens ONLY on IPv4,

      postconf inet_protocols
          inet_protocols = ipv4

and, as intended, simply refuses ipv6 connections

      telnet 10.1.1.15 465
          Trying 10.1.1.15...
          Connected to 10.1.1.15.
          Escape character is '^]'.
          ^]
          telnet> quit
          Connection closed.

      telnet -6 fd80:10:1::15 465
          Trying fd80:10:1::15...
          telnet: connect to address fd80:10:1::15: Connection refused

on each/every mail submit -- via dovecot -- dovecot makes the connection

      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Server accepted connection (fd=7)
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Connection created
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connection created
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Disconnected

looks up IP address

      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Looking up IP address
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Performing asynchronous DNS lookup
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-server: conn 10.1.2.163:35388 [1]: Sent: 235 2.7.0 Logged in.

finds BOTH IPs -- IPv4 & IPv6

      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: DNS lookup successful; got 2 IPs

then first tries to connect via the host's IPv6 address,

      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 [1]: Connecting to fd80:10:1::15:465
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Waiting for connect (fd=8) to finish for max 0 msecs

############
   FAILS
############

      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)

then proceeds to connect to the host's IPv4 address

      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connecting
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Waiting for connect (fd=11) to finish for max 0 msecs
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Client connected (fd=11)
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Connected to server (from 10.1.1.15:52880)
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: Starting SSL handshake
      2021-04-03 19:35:35 submission(mai...@mx.example.com)</tnO6xm/PIqsHgsH>: Debug: smtp-client: conn internal.mx.example.com:465 (10.1.1.15:465) [1]: SSL handshake successful
      ...

and submission continues/completes


I need to get Dovecot to stop trying/failing @ those IPv6 address submission 
connections.

Either by

      (1) trying IPv4 *first*, before IPv6, to avoid the FAIL on submission

or

      (2) turning off submission relay by IPv6 altogether, as I'll never use it

What's the config required to do either/both?
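
Added example, not part of the original thread and not Dovecot code: a small Python parser that reads submission debug output in the format quoted above and reports sessions where the relay client failed on an IPv6 address before connecting over IPv4. It assumes one log entry per line (unwrapped); the user, session ids `S1`/`S2`, and the function names are constructed for illustration.

```python
import ipaddress
import re
LINE_RE = re.compile(
    r"^\S+ \S+ submission\([^)]*\)<(?P<session>[^>]*)>: Debug: smtp-client: "
    r"conn (?P<relay>\S+)(?: \([^)]*\))? \[\d+\]: (?P<msg>.*)$")

# Constructed sample in the thread's log format; user and session ids are placeholders.
P = "2021-04-03 19:35:35 submission(user@mx.example.com)<%s>: Debug: smtp-client: conn internal.mx.example.com:465"
SAMPLE_LOG = "\n".join([
    P % "S1" + " [1]: Connecting to fd80:10:1::15:465",
    P % "S1" + " ([fd80:10:1::15]:465) [1]: Client connection failed (fd=8)",
    P % "S1" + " ([fd80:10:1::15]:465) [1]: Connecting to 10.1.1.15:465",
    P % "S1" + " (10.1.1.15:465) [1]: Client connected (fd=11)",
    P % "S2" + " [1]: Connecting to 10.1.1.15:465",
    P % "S2" + " (10.1.1.15:465) [1]: Client connected (fd=9)",
])

def family(target):
    """'fd80:10:1::15:465' -> 'IPv6'; the port is the last colon-separated field."""
    host = target.rsplit(":", 1)[0].strip("[]")
    return "IPv%d" % ipaddress.ip_address(host).version

def relay_attempts(log_text):
    """Map (session, relay) -> [[target, family, outcome], ...] in log order."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tries = attempts.setdefault((m["session"], m["relay"]), [])
        msg = m["msg"]
        if msg.startswith("Connecting to "):
            target = msg[len("Connecting to "):]
            tries.append([target, family(target), "pending"])
        elif tries and msg.startswith("Client connection failed"):
            tries[-1][2] = "failed"
        elif tries and msg.startswith("Client connected"):
            tries[-1][2] = "connected"
    return attempts

def ipv6_fallbacks(log_text):
    """Sessions where an IPv6 attempt failed before an IPv4 attempt connected."""
    hits = []
    for (session, _), tries in relay_attempts(log_text).items():
        seen = [(fam, res) for _, fam, res in tries]
        if ("IPv6", "failed") in seen:
            if ("IPv4", "connected") in seen[seen.index(("IPv6", "failed")):]:
                hits.append(session)
    return hits
```

Running `ipv6_fallbacks` over a day of debug logs gives a count of how many submissions pay for the refused IPv6 attempt, and a way to confirm that any later configuration change actually removed it.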

