Re: opensmtpd: limit mta for mx

2018-03-05 Thread Stuart Henderson
On 2018-03-05, Nick  wrote:
> Hi misc@, long time no see (and please CC me),
>
> In smtpd.conf, the "limit mta" line can be qualified like this:
>
> limit mta for domain gmail.com inet4
>
> which I did because I recently started getting bounces from google saying
>
> 550-5.7.1 [2001:19f0:5001:2f5:5400:ff:fe77:861d] Our system has detected that 
> this message does not meet IPv6 sending guidelines regarding PTR records and 
> authentication. Please review  
> https://support.google.com/mail/?p=IPv6AuthError for more information . 
> d63si3145626edc.222 - gsmtp
>
> I think they started prioritizing their AAAA (IPv6) records over their A 
> (IPv4) DNS records, so now opensmtpd is preferring to use IPv6. I tried a bit 
> but I don't really know what they're mad about, and whatever, I don't want to 
> fight them, I just want my mail to get through.
>
> That limit line fixed it for gmail.com, but now I have a new problem: the 
> huge number of domains that are actually hosted on smtp.gmail.com. I am 
> wondering if there is some way to express "use IPv4 if the mail *server* is 
> gmail" instead of "if the mail *domain* is gmail". Something like:
>
> limit mta for mx smtp.gmail.com inet4
>
> Right now I'm stuck enumerating all Google Apps for Business accounts I know 
> of and adding a line for each.
>
>= Nick
>
>

For your situation, can't you just add an AAAA record for
comms.kousu.ca pointing at 2001:19f0:5001:2f5:5400:ff:fe77:861d?
That will fix the things that google are complaining about on your
system.

Otherwise... It doesn't help you directly with smtpd, but Postfix
has a way to filter out DNS records, added exactly for this situation:

smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter

$ cat /etc/postfix/smtp_dns_reply_filter
# /domain ttl IN AAAA address/ action, all case-insensitive.
# Note: the domain name ends in ".".
/^\S+\.google.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE

Perhaps it would make sense for smtpd to support something like
"limit mta for mx XXX inet4" (i.e. match on hostnames rather than
domain names, and limit address family in a similar way).
It would seem more useful to match on hostnames than email domains
for that.



Re: opensmtpd: limit mta for mx

2018-03-05 Thread Constantine A. Murenin
On 4 March 2018 at 23:11, Nick  wrote:
> In smtpd.conf, the "limit mta" line can be qualified like this:
>
> limit mta for domain gmail.com inet4
>
> which I did because I recently started getting bounces from google saying
>
> 550-5.7.1 [2001:19f0:5001:2f5:5400:ff:fe77:861d] Our system has detected that 
> this message does not meet IPv6 sending guidelines regarding PTR records and 
> authentication. Please review  
> https://support.google.com/mail/?p=IPv6AuthError for more information . 
> d63si3145626edc.222 - gsmtp

Whilst this is a valid question for OpenSMTPD, from the sysadmin side,
the solution is much simpler.

Your reverse name is fake, as it does not resolve forward:

% host 2001:19f0:5001:2f5:5400:ff:fe77:861d
d.1.6.8.7.7.e.f.f.f.0.0.0.0.4.5.5.f.2.0.1.0.0.5.0.f.9.1.1.0.0.2.ip6.arpa
domain name pointer comms.kousu.ca.
% host comms.kousu.ca.
comms.kousu.ca has address 108.61.165.176
%

I'm surprised you don't get other hosts rejecting your mail, too; I
suspect it may have to do simply with gmail being the monoculture of
mail nowadays.

My suggestion would be to fix the forward name, else, fix the reverse
name to point to something like IPv6.example.org, which you should
ensure exists and points back.  Sometime ago, making the reverse point
back to itself (e.g., a PTR with the value of the IPv6 address itself)
also made gmail happy to accept the mail as well, but I'm not too sure
if that's still the case.

Cheers,
Constantine.
http://cm.su/
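
The forward-confirmed reverse DNS check that both replies above turn on (PTR to name, then name back to the same address), as an added example that is not part of any post in the thread. The function names and the pluggable lookup parameters are assumptions of this sketch; the sample records are constructed from the `host` output quoted above.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for ip via the system resolver (empty list on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_forward(name):
    """All A/AAAA addresses for name via the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except OSError:
        return []
    return [info[4][0] for info in infos]


def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (ok, detail): ok is True only if some PTR name resolves back to ip."""
    want = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        for addr in forward_lookup(name):
            # Compare parsed addresses so IPv6 text forms need not match exactly.
            if ipaddress.ip_address(addr.split("%")[0]) == want:
                return True, f"{name} resolves back to {want}"
    return False, f"PTR {', '.join(names)} has no forward record for {want}"


# Constructed stand-in for DNS, holding the records shown in the thread.
PTR = {"2001:19f0:5001:2f5:5400:ff:fe77:861d": ["comms.kousu.ca."]}
FWD = {"comms.kousu.ca.": ["108.61.165.176"]}

if __name__ == "__main__":
    ip = "2001:19f0:5001:2f5:5400:ff:fe77:861d"
    print(fcrdns(ip, lambda a: PTR.get(a, []), lambda n: FWD.get(n, [])))
```

Called with the defaults, `fcrdns(ip)` uses the system resolver, which makes it usable as a pre-flight check on every address a mail host sends from.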



opensmtpd: limit mta for mx

2018-03-05 Thread Nick
Hi misc@, long time no see (and please CC me),

In smtpd.conf, the "limit mta" line can be qualified like this:

limit mta for domain gmail.com inet4

which I did because I recently started getting bounces from google saying

550-5.7.1 [2001:19f0:5001:2f5:5400:ff:fe77:861d] Our system has detected that 
this message does not meet IPv6 sending guidelines regarding PTR records and 
authentication. Please review  https://support.google.com/mail/?p=IPv6AuthError 
for more information . d63si3145626edc.222 - gsmtp

I think they started prioritizing their AAAA (IPv6) records over their A (IPv4) 
DNS records, so now opensmtpd is preferring to use IPv6. I tried a bit but I 
don't really know what they're mad about, and whatever, I don't want to fight 
them, I just want my mail to get through.

That limit line fixed it for gmail.com, but now I have a new problem: the huge 
number of domains that are actually hosted on smtp.gmail.com. I am wondering if 
there is some way to express "use IPv4 if the mail *server* is gmail" instead 
of "if the mail *domain* is gmail". Something like:

limit mta for mx smtp.gmail.com inet4

Right now I'm stuck enumerating all Google Apps for Business accounts I know of 
and adding a line for each.

= Nick