Re: dual stack and secondary relays -- how to do?

2024-05-07 Thread James J. Lippard
I've found a workaround and narrowed down the source of the problem by using
tables for src and helo-src (the latter of which proved unnecessary and
irrelevant).  It turns out that in this line:

  action "relayext" relay host  src smtp-ext.domain.com helo smtp.domain.com pki "smtp.domain.com" ca "my-ca"

it fails using a DNS name for src, but works just fine with a table
in its place that contains two entries, one for the IPv4 address from that
DNS name's A record and one for the IPv6 address from that DNS name's
AAAA record.

I'm not sure why it fails with the DNS name--I would have thought my
table setup was equivalent--unless it's looking instead for a
(nonexistent) MX record.

BTW, the documentation for helo-src says:

"Use the mapping table to look up a hostname matching the
source address, to advertise during the HELO phase."

It is unclear from this whether "source address" means the local mail
server address or the remote one, but from playing with it it seems that
it means the remote mail server's IP address (i.e., the relay being
connected to in my case).

On Sun, May 05, 2024 at 05:42:58PM -0700, James J. Lippard wrote:
> On Thu, Apr 18, 2024 at 12:18:04PM +0200, Philipp wrote:
> > Hi
> 
> Hi, sorry about the delay.
> 
> > [2024-04-16 16:44] "James J. Lippard" 
> > > I run dual-stack IPv6/IPv4 networks, including mail servers. On occasion
> > > I may not have IPv6 connectivity, but have IPv4 connectivity. When that
> > > happens, I find that my mail queue accumulates mail that arrives over
> > > IPv6, but cannot be sent out on an IPv6 interface.
> > 
> > Which IP version was used to enqueue a mail is independent from the
> > IP version used to relay a mail. Also for most cases dual stack just
> > works(tm) when using hostnames with A and AAAA records and use "listen on"
> > with interface name.
> 
> It is likely I've created some dependency with overcomplication -- I'm
> doing split horizon DNS as well as dual-stack IPv4/v6 , and am also
> listening on IPv6 unique local addresses rather than the public
> addresses that correspond to the public DNS names.  I'll have to see
> if I can simplify it and still run into issues.
> 
> I attempted to change the "src" on my outbound relay actions to use a
> single DNS name with the correct outbound IPv4 and IPv6 addresses:
> 
> action "relayext" relay host  src smtp-ext.domain.com helo smtp.domain.com pki "smtp.domain.com" ca "my-ca"
> 
> which led to the error:
> 
> smtpd[60955]: warn: Failed to get source address for [relay:[mx.domain.com],port=587,smtp+tls,pki_name=smtp.domain.com,mx,sourcetable=,heloname=smtp.domain.com]
> 
> This then leads to stat="No valid route to destination" and
> result="TempFail" on the mta delivery.
> 
> All works fine if I continue to have separate v4/v6 actions to relay
> using IP address instead of DNS name.  This is still with separate
> listens for v4 and v6.
> 
> It looks like the issue here may be caused by smtp.domain.com--the
> name used for helo and pki but not for the IP address to send
> from--not being in internal DNS?  But if that's the case, why does it work fine
> if I use an IP address instead of an FQDN for "src"?  Is the logic that
> it is picking address family for the outbound connection on the src address,
> if evident, but then using helo or pki if src is a FQDN with both AAAA and A
> records?
> 
> > > (1) How to relay both IPv4/IPv6 outbound mail, regardless of whether it
> > > came to the mail server via IPv4 or IPv6?
> > >
> > > Is it possible to set up a relay action that works with either IPv6 or
> > > IPv4, perhaps with a preference for one or the other?  I've tried
> > > using "src |" on my relay action, but this
> > > results in "No valid route to destination" errors (apparently due to
> > > the name resolution on the smtp+tls:// URL returning the address from
> > > the family opposite the selected src interface?).
> > >
> > > I'd like inbound mail to come in via IPv4 or IPv6 and go out with a
> > > preference for IPv6 but still work with IPv4 if IPv6 is unavailable.
> > 
> > I don't understand what exactly is the problem. Can you share your
> > config and a short explanation what you want to achieve? Some logs
> > showing the problem could also help.
> > 
> > > (2) How to set up a secondary relay to use if a destination relay is
> > > unavailable?
> > >
> > > Is it possible to define multiple relay hosts in one action, or to
> > > specify that a second relay action is to occur in the event of failure
> > > of the first using match rules?
> > 
> > The host option of action relay takes a table. So you can simply specify
> > multiple relay-urls with something like:
> > 
> > > { smtp+tls://hosta.example.com , smtp+tls://hostb.example.com }
> 
> This works great, thank you.
> 
> -- 
> Jim Lippard   lippard-opensm...@discord.org   http://www.discord.org/
> GPG Key ID: 0x99FD5CD6

-- 
Jim Lippard   lippard-opensm...@discord.org   http://www.discord.org/
GPG Key

Re: dual stack and secondary relays -- how to do?

2024-05-05 Thread James J. Lippard
On Thu, Apr 18, 2024 at 12:18:04PM +0200, Philipp wrote:
> Hi

Hi, sorry about the delay.

> [2024-04-16 16:44] "James J. Lippard" 
> > I run dual-stack IPv6/IPv4 networks, including mail servers. On occasion
> > I may not have IPv6 connectivity, but have IPv4 connectivity. When that
> > happens, I find that my mail queue accumulates mail that arrives over
> > IPv6, but cannot be sent out on an IPv6 interface.
> 
> Which IP version was used to enqueue a mail is independent from the
> IP version used to relay a mail. Also for most cases dual stack just
> works(tm) when using hostnames with A and AAAA records and use "listen on"
> with interface name.

It is likely I've created some dependency with overcomplication -- I'm
doing split horizon DNS as well as dual-stack IPv4/v6 , and am also
listening on IPv6 unique local addresses rather than the public
addresses that correspond to the public DNS names.  I'll have to see
if I can simplify it and still run into issues.

I attempted to change the "src" on my outbound relay actions to use a
single DNS name with the correct outbound IPv4 and IPv6 addresses:

action "relayext" relay host  src smtp-ext.domain.com helo smtp.domain.com pki "smtp.domain.com" ca "my-ca"

which led to the error:

smtpd[60955]: warn: Failed to get source address for [relay:[mx.domain.com],port=587,smtp+tls,pki_name=smtp.domain.com,mx,sourcetable=,heloname=smtp.domain.com]

This then leads to stat="No valid route to destination" and
result="TempFail" on the mta delivery.

All works fine if I continue to have separate v4/v6 actions to relay
using IP address instead of DNS name.  This is still with separate
listens for v4 and v6.

It looks like the issue here may be caused by smtp.domain.com--the
name used for helo and pki but not for the IP address to send
from--not being in internal DNS?  But if that's the case, why does it work fine
if I use an IP address instead of an FQDN for "src"?  Is the logic that
it is picking address family for the outbound connection on the src address,
if evident, but then using helo or pki if src is a FQDN with both AAAA and A
records?

> > (1) How to relay both IPv4/IPv6 outbound mail, regardless of whether it
> > came to the mail server via IPv4 or IPv6?
> >
> > Is it possible to set up a relay action that works with either IPv6 or
> > IPv4, perhaps with a preference for one or the other?  I've tried
> > using "src |" on my relay action, but this
> > results in "No valid route to destination" errors (apparently due to
> > the name resolution on the smtp+tls:// URL returning the address from
> > the family opposite the selected src interface?).
> >
> > I'd like inbound mail to come in via IPv4 or IPv6 and go out with a
> > preference for IPv6 but still work with IPv4 if IPv6 is unavailable.
> 
> I don't understand what exactly is the problem. Can you share your
> config and a short explanation what you want to achieve? Some logs
> showing the problem could also help.
> 
> > (2) How to set up a secondary relay to use if a destination relay is
> > unavailable?
> >
> > Is it possible to define multiple relay hosts in one action, or to
> > specify that a second relay action is to occur in the event of failure
> > of the first using match rules?
> 
> The host option of action relay takes a table. So you can simply specify
> multiple relay-urls with something like:
> 
> > { smtp+tls://hosta.example.com , smtp+tls://hostb.example.com }

This works great, thank you.

-- 
Jim Lippard   lipp...@discord.org   http://www.discord.org/
GPG Key ID: 0x99FD5CD6

Re: dual stack and secondary relays -- how to do?

2024-04-18 Thread Philipp
Hi

[2024-04-16 16:44] "James J. Lippard" 
> I run dual-stack IPv6/IPv4 networks, including mail servers. On occasion
> I may not have IPv6 connectivity, but have IPv4 connectivity. When that
> happens, I find that my mail queue accumulates mail that arrives over
> IPv6, but cannot be sent out on an IPv6 interface.

Which IP version was used to enqueue a mail is independent from the
IP version used to relay a mail. Also for most cases dual stack just
works(tm) when using hostnames with A and AAAA records and use "listen on"
with interface name.

> (1) How to relay both IPv4/IPv6 outbound mail, regardless of whether it
> came to the mail server via IPv4 or IPv6?
>
> Is it possible to set up a relay action that works with either IPv6 or
> IPv4, perhaps with a preference for one or the other?  I've tried
> using "src |" on my relay action, but this
> results in "No valid route to destination" errors (apparently due to
> the name resolution on the smtp+tls:// URL returning the address from
> the family opposite the selected src interface?).
>
> I'd like inbound mail to come in via IPv4 or IPv6 and go out with a
> preference for IPv6 but still work with IPv4 if IPv6 is unavailable.

I don't understand what exactly is the problem. Can you share your
config and a short explanation what you want to achieve? Some logs
showing the problem could also help.

> (2) How to set up a secondary relay to use if a destination relay is
> unavailable?
>
> Is it possible to define multiple relay hosts in one action, or to
> specify that a second relay action is to occur in the event of failure
> of the first using match rules?

The host option of action relay takes a table. So you can simply specify
multiple relay-urls with something like:

> { smtp+tls://hosta.example.com , smtp+tls://hostb.example.com }

Philipp
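
The thread settles on two pieces of configuration: an explicit table of IPv4 and IPv6 source addresses in place of a DNS name for src (Jim's workaround in the 2024-05-07 message), and a table of several relay URLs for host so that a second relay is tried when the first is unreachable (Philipp's suggestion above). The smtpd.conf fragment below puts both together in one relay action. It is an added illustration written for this page, not configuration posted by either participant; the hostnames, addresses, interface name and certificate paths are placeholders and the table names are made up.

```conf
# Added example, not from the thread. All names, addresses and paths are
# placeholders; adapt them to the local setup.

# Outbound source addresses, one per address family. Listing the addresses
# explicitly is what worked where "src smtp-ext.domain.com" failed with
# "Failed to get source address".
table relaysrc { "192.0.2.25", "2001:db8::25" }

# Relay URLs tried in order; a second entry provides the secondary relay
# asked about in question (2).
table relayhosts { "smtp+tls://mx1.example.net:587", "smtp+tls://mx2.example.net:587" }

# Client certificate presented to the relay and the CA used to verify it.
pki "smtp.example.net" cert "/etc/ssl/smtp.example.net.crt"
pki "smtp.example.net" key  "/etc/ssl/private/smtp.example.net.key"
ca  "my-ca" cert "/etc/ssl/my-ca.pem"

# A single action covers both families: the source address is taken from
# the table, and the HELO name and pki name are set independently of it.
action "relayext" relay host <relayhosts> src <relaysrc> \
        helo smtp.example.net pki "smtp.example.net" ca "my-ca"

# Listening on the interface name rather than an address picks up both the
# IPv4 and the IPv6 addresses configured on it.
listen on em0 tls pki "smtp.example.net"

# Relay only locally submitted mail; do not widen this to "from any".
match from local for any action "relayext"
```

With this layout, dropping IPv6 connectivity no longer strands queued mail on a v6-only action: the relay URLs resolve to whichever family is reachable and the matching source address is picked from the table, while the second host entry covers an outage of the primary relay. Check the result with `smtpd -n -f /etc/mail/smtpd.conf` before reloading.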