Force IPv4 by Destination MX

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Force IPv4 by Destination MX

Scott Talbert
Hello,

New to Postfix here.

Unfortunately Google has stopped accepting mail from my server via IPv6
and I haven't been able to figure out why or resolve the problem.
However, it accepts mail via IPv4 just fine.  Thus, I would like to
configure Postfix to use IPv4 when sending mail to Google.  I can see that
this is posible by destination domain using transport_maps.  So, I could
use transport_maps to specify that all mail to @gmail.com would be sent
via IPv4.  However, there are many other domains that use Google's email
services.  Rather than try to list all of them, I was wondering if instead
it was possible to force IPv4 by destination MX instead.  In that case, I
could just specify all of Google's MX's and work around this problem.

Thanks,
Scott
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Benny Pedersen-2
Scott Talbert skrev den 2017-07-09 05:27:

> New to Postfix here.

http://postfix.1071664.n5.nabble.com/smtp-IPv4-IPv6-map-td61342.html
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Wietse Venema
In reply to this post by Scott Talbert
Scott Talbert:

> Hello,
>
> New to Postfix here.
>
> Unfortunately Google has stopped accepting mail from my server via IPv6
> and I haven't been able to figure out why or resolve the problem.
> However, it accepts mail via IPv4 just fine.  Thus, I would like to
> configure Postfix to use IPv4 when sending mail to Google.  I can see that
> this is posible by destination domain using transport_maps.  So, I could
> use transport_maps to specify that all mail to @gmail.com would be sent
> via IPv4.  However, there are many other domains that use Google's email
> services.  Rather than try to list all of them, I was wondering if instead
> it was possible to force IPv4 by destination MX instead.  In that case, I
> could just specify all of Google's MX's and work around this problem.

Sorry, transport mapping happens before DNS lookup. Maybe you can
fix your IPv6 setup by making sure that the PTR record for your
IPv6 address resolves properly: the address->name lookup should
produce a name that resolves to the IPv6 address. Otherwise you
can expect delivery problems.

        Wietse
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Mark Raynsford
In reply to this post by Scott Talbert
On 2017-07-08T23:27:31 -0400
Scott Talbert <[hidden email]> wrote:
>
> Unfortunately Google has stopped accepting mail from my server via IPv6
> and I haven't been able to figure out why or resolve the problem.

Hello.

Are you by any chance seeing this message?

Jul  9 08:43:06 mail postfix/smtp[18059]: C95E4849A: to=*, relay=gmail-smtp-in.l.google.com[2607:f8b0:400d:c0b::1b]:25, delay=1.3, delays=0.29/0.04/0.53/0.46, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:400d:c0b::1b] said: 550-5.7.1 [2001:19f0:5:752:f000::       1] Our system has detected an unusual 550-5.7.1 rate of unsolicited mail originating from your IP address. To protect 550-5.7.1 our users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedIPError to review our 550 5.7.1 Bulk Email Senders Guidelines. j64si7748761qte.160 - gsmtp (in reply to end of DATA command))

If so... You might want to try going through the sender guidelines page.
I'm running a clean MTA on a fresh IPv6 address, with correct reverse DNS,
correct SPF, etc, etc. I've never sent or relayed unsolicited mail in my life.

There's a form you can fill out at the end to dispute the mail blocking
once you've ensured you follow all of the guidelines. I filled in the
form this morning, and am waiting for a response.

I think you're just falling foul of a ridiculously and unreasonably
heavy-handed anti-spam process.

M

attachment0 (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Scott Talbert
In reply to this post by Wietse Venema
On Sun, 9 Jul 2017, Wietse Venema wrote:

>> Unfortunately Google has stopped accepting mail from my server via IPv6
>> and I haven't been able to figure out why or resolve the problem.
>> However, it accepts mail via IPv4 just fine.  Thus, I would like to
>> configure Postfix to use IPv4 when sending mail to Google.  I can see that
>> this is posible by destination domain using transport_maps.  So, I could
>> use transport_maps to specify that all mail to @gmail.com would be sent
>> via IPv4.  However, there are many other domains that use Google's email
>> services.  Rather than try to list all of them, I was wondering if instead
>> it was possible to force IPv4 by destination MX instead.  In that case, I
>> could just specify all of Google's MX's and work around this problem.
>
> Sorry, transport mapping happens before DNS lookup. Maybe you can
> fix your IPv6 setup by making sure that the PTR record for your
> IPv6 address resolves properly: the address->name lookup should
> produce a name that resolves to the IPv6 address. Otherwise you
> can expect delivery problems.

Thanks - I have FCrDNS configured already for my IPv6 address (and have
for some time), so that doesn't seem to be the problem.

Scott
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Scott Talbert
In reply to this post by Mark Raynsford
On Sun, 9 Jul 2017, Mark Raynsford wrote:

>> Unfortunately Google has stopped accepting mail from my server via IPv6
>> and I haven't been able to figure out why or resolve the problem.
>
> Hello.
>
> Are you by any chance seeing this message?
>
> Jul  9 08:43:06 mail postfix/smtp[18059]: C95E4849A: to=*, relay=gmail-smtp-in.l.google.com[2607:f8b0:400d:c0b::1b]:25, delay=1.3, delays=0.29/0.04/0.53/0.46, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:400d:c0b::1b] said: 550-5.7.1 [2001:19f0:5:752:f000::       1] Our system has detected an unusual 550-5.7.1 rate of unsolicited mail originating from your IP address. To protect 550-5.7.1 our users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedIPError to review our 550 5.7.1 Bulk Email Senders Guidelines. j64si7748761qte.160 - gsmtp (in reply to end of DATA command))
>
> If so... You might want to try going through the sender guidelines page.
> I'm running a clean MTA on a fresh IPv6 address, with correct reverse DNS,
> correct SPF, etc, etc. I've never sent or relayed unsolicited mail in my life.
>
> There's a form you can fill out at the end to dispute the mail blocking
> once you've ensured you follow all of the guidelines. I filled in the
> form this morning, and am waiting for a response.
>
> I think you're just falling foul of a ridiculously and unreasonably
> heavy-handed anti-spam process.

No, I'm seeing this message:

Jul  7 23:10:57 bear postfix/smtp[29598]: 92F8422A0C90: to=<[hidden email]>,
relay=aspmx.l.google.com[2607:f8b0:400d:c0b::1a]:25, delay=0.65,
delays=0.13/0/0.29/0.22, dsn=5.7.1, status=bounced (host
aspmx.l.google.com[2607:f8b0:400d:c0b::1a] said: 550-5.7.1
[2607:f308:1:1::2      12] Our system has detected that this message
550-5.7.1 is likely unsolicited mail. To reduce the amount of spam sent to
550-5.7.1 Gmail, this message has been blocked. Please visit 550-5.7.1
https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for
more information. o74si4960796qkl.67 - gsmtp (in reply to end of DATA
command))

I would agree with you that I'm running into an unreasonable and
untransparent anti-spam process.  I'm just looking for ways to work around
it.

I've got FCrDNS, SPF, DKIM, all configured correctly and verified by
multiple test sites.

Admittedly, one of my user's accounts was hacked and was being used for a
brief period of time to send spam.  However, this was stopped on 19 June,
and here we are several weeks later still running into this problem.

I'm sure there are dozens of gmail accounts being used to send spam at any
given time, but you don't see everyone else refusing to receive mail from
gmail!

Scott
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Wietse Venema
Scott Talbert:

> Jul  7 23:10:57 bear postfix/smtp[29598]: 92F8422A0C90: to=<[hidden email]>,
> relay=aspmx.l.google.com[2607:f8b0:400d:c0b::1a]:25, delay=0.65,
> delays=0.13/0/0.29/0.22, dsn=5.7.1, status=bounced (host
> aspmx.l.google.com[2607:f8b0:400d:c0b::1a] said: 550-5.7.1
> [2607:f308:1:1::2      12] Our system has detected that this message
> 550-5.7.1 is likely unsolicited mail. To reduce the amount of spam sent to
> 550-5.7.1 Gmail, this message has been blocked. Please visit 550-5.7.1
> https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for
> more information. o74si4960796qkl.67 - gsmtp (in reply to end of DATA
> command))

Was your mail really sent from 2607:f308:1:1::212? According to DNS,
your primary MX is bear.techie.net, with IP addresses 205.134.185.202
and 2607:f308:1:1::2.

If may be worthwhile to fix the SMTP client IP address with
"smtp_bind_address6 = 2607:f308:1:1::2", at least for off-site
email.

        Wietse
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Scott Talbert
On Sun, 9 Jul 2017, Wietse Venema wrote:

>> Jul  7 23:10:57 bear postfix/smtp[29598]: 92F8422A0C90: to=<[hidden email]>,
>> relay=aspmx.l.google.com[2607:f8b0:400d:c0b::1a]:25, delay=0.65,
>> delays=0.13/0/0.29/0.22, dsn=5.7.1, status=bounced (host
>> aspmx.l.google.com[2607:f8b0:400d:c0b::1a] said: 550-5.7.1
>> [2607:f308:1:1::2      12] Our system has detected that this message
>> 550-5.7.1 is likely unsolicited mail. To reduce the amount of spam sent to
>> 550-5.7.1 Gmail, this message has been blocked. Please visit 550-5.7.1
>> https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for
>> more information. o74si4960796qkl.67 - gsmtp (in reply to end of DATA
>> command))
>
> Was your mail really sent from 2607:f308:1:1::212? According to DNS,
> your primary MX is bear.techie.net, with IP addresses 205.134.185.202
> and 2607:f308:1:1::2.
>
> If may be worthwhile to fix the SMTP client IP address with
> "smtp_bind_address6 = 2607:f308:1:1::2", at least for off-site
> email.

No, it's sent from 2607:f308:1:1::2.  I don't know what the extra spaces +
12 after the IP address mean in that error report from gmail.

Scott
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Wietse Venema
Scott Talbert:

> On Sun, 9 Jul 2017, Wietse Venema wrote:
>
> >> Jul  7 23:10:57 bear postfix/smtp[29598]: 92F8422A0C90: to=<[hidden email]>,
> >> relay=aspmx.l.google.com[2607:f8b0:400d:c0b::1a]:25, delay=0.65,
> >> delays=0.13/0/0.29/0.22, dsn=5.7.1, status=bounced (host
> >> aspmx.l.google.com[2607:f8b0:400d:c0b::1a] said: 550-5.7.1
> >> [2607:f308:1:1::2      12] Our system has detected that this message
> >> 550-5.7.1 is likely unsolicited mail. To reduce the amount of spam sent to
> >> 550-5.7.1 Gmail, this message has been blocked. Please visit 550-5.7.1
> >> https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for
> >> more information. o74si4960796qkl.67 - gsmtp (in reply to end of DATA
> >> command))
> >
> > Was your mail really sent from 2607:f308:1:1::212? According to DNS,
> > your primary MX is bear.techie.net, with IP addresses 205.134.185.202
> > and 2607:f308:1:1::2.
> >
> > If may be worthwhile to fix the SMTP client IP address with
> > "smtp_bind_address6 = 2607:f308:1:1::2", at least for off-site
> > email.
>
> No, it's sent from 2607:f308:1:1::2.  I don't know what the extra spaces +
> 12 after the IP address mean in that error report from gmail.

How do you know?  Did you record the packets?

I know that your primary MX service is not reachable on 2607:f308:1:1::2,
but it is reachable on 205.134.185.202.

    % telnet 2607:f308:1:1::2 smtp
    Trying 2607:f308:1:1::2...
    ^C
    % telnet 205.134.185.202 smtp
    Trying 205.134.185.202...
    Connected to bear.techie.net.
    Escape character is '^]'.
    220 bear.techie.net ESMTP Postfix (Ubuntu)
    quit
    221 2.0.0 Bye

This would not be the first time that some IPv6 stack grabs an
unexpected IPv6 address.

        Wietse
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Scott Talbert


On July 9, 2017 11:52:44 AM EDT, [hidden email] wrote:

>Scott Talbert:
>> On Sun, 9 Jul 2017, Wietse Venema wrote:
>>
>> >> Jul  7 23:10:57 bear postfix/smtp[29598]: 92F8422A0C90:
>to=<[hidden email]>,
>> >> relay=aspmx.l.google.com[2607:f8b0:400d:c0b::1a]:25, delay=0.65,
>> >> delays=0.13/0/0.29/0.22, dsn=5.7.1, status=bounced (host
>> >> aspmx.l.google.com[2607:f8b0:400d:c0b::1a] said: 550-5.7.1
>> >> [2607:f308:1:1::2      12] Our system has detected that this
>message
>> >> 550-5.7.1 is likely unsolicited mail. To reduce the amount of spam
>sent to
>> >> 550-5.7.1 Gmail, this message has been blocked. Please visit
>550-5.7.1
>> >> https://support.google.com/mail/?p=UnsolicitedMessageError 550
>5.7.1  for
>> >> more information. o74si4960796qkl.67 - gsmtp (in reply to end of
>DATA
>> >> command))
>> >
>> > Was your mail really sent from 2607:f308:1:1::212? According to
>DNS,
>> > your primary MX is bear.techie.net, with IP addresses
>205.134.185.202
>> > and 2607:f308:1:1::2.
>> >
>> > If may be worthwhile to fix the SMTP client IP address with
>> > "smtp_bind_address6 = 2607:f308:1:1::2", at least for off-site
>> > email.
>>
>> No, it's sent from 2607:f308:1:1::2.  I don't know what the extra
>spaces +
>> 12 after the IP address mean in that error report from gmail.
>
>How do you know?  Did you record the packets?

I'm pretty sure, but I will verify 100% with tcpdump.

>I know that your primary MX service is not reachable on
>2607:f308:1:1::2,
>but it is reachable on 205.134.185.202.
>
>    % telnet 2607:f308:1:1::2 smtp
>    Trying 2607:f308:1:1::2...
>    ^C
>    % telnet 205.134.185.202 smtp
>    Trying 205.134.185.202...
>    Connected to bear.techie.net.
>    Escape character is '^]'.
>    220 bear.techie.net ESMTP Postfix (Ubuntu)
>    quit
>    221 2.0.0 Bye

Yes, that's because I have inet_protocols = ipv4 at the moment.

Scott
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Viktor Dukhovni
In reply to this post by Scott Talbert

> On Jul 9, 2017, at 11:39 AM, Scott Talbert <[hidden email]> wrote:
>
>>> Jul  7 23:10:57 bear postfix/smtp[29598]: 92F8422A0C90: to=<[hidden email]>,
>>> relay=aspmx.l.google.com[2607:f8b0:400d:c0b::1a]:25, delay=0.65,
>>> delays=0.13/0/0.29/0.22, dsn=5.7.1, status=bounced (host
>>> aspmx.l.google.com[2607:f8b0:400d:c0b::1a] said: 550-5.7.1
>>> [2607:f308:1:1::2      12] Our system has detected that this message
>>> 550-5.7.1 is likely unsolicited mail. To reduce the amount of spam sent to
>>> 550-5.7.1 Gmail, this message has been blocked. Please visit 550-5.7.1
>>> https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for
>>> more information. o74si4960796qkl.67 - gsmtp (in reply to end of DATA
>>> command))
>>
>> Was your mail really sent from 2607:f308:1:1::212? According to DNS,
>> your primary MX is bear.techie.net, with IP addresses 205.134.185.202
>> and 2607:f308:1:1::2.
>>
>> If may be worthwhile to fix the SMTP client IP address with
>> "smtp_bind_address6 = 2607:f308:1:1::2", at least for off-site
>> email.
>
> No, it's sent from 2607:f308:1:1::2.  I don't know what the extra spaces + 12 after the IP address mean in that error report from gmail.

Likely Google sees your address as 2607:f308:1:1::212, but long SMTP replies
get folded across multiple lines, and unfolded with the whitespace you observe.

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Wietse Venema
Viktor Dukhovni:
>
> > On Jul 9, 2017, at 11:39 AM, Scott Talbert <[hidden email]> wrote:
> >
> >>> Jul  7 23:10:57 bear postfix/smtp[29598]: 92F8422A0C90: to=<[hidden email]>,
> >>> relay=aspmx.l.google.com[2607:f8b0:400d:c0b::1a]:25, delay=0.65,
> >>> delays=0.13/0/0.29/0.22, dsn=5.7.1, status=bounced (host
> >>> aspmx.l.google.com[2607:f8b0:400d:c0b::1a] said: 550-5.7.1
> >>> [2607:f308:1:1::2      12] Our system has detected that this message
...

> >> Was your mail really sent from 2607:f308:1:1::212? According to DNS,
> >> your primary MX is bear.techie.net, with IP addresses 205.134.185.202
> >> and 2607:f308:1:1::2.
> >>
> >> If may be worthwhile to fix the SMTP client IP address with
> >> "smtp_bind_address6 = 2607:f308:1:1::2", at least for off-site
> >> email.
> >
> > No, it's sent from 2607:f308:1:1::2.  I don't know what the extra spaces + 12 after the IP address mean in that error report from gmail.
>
> Likely Google sees your address as 2607:f308:1:1::212, but long SMTP replies
> get folded across multiple lines, and unfolded with the whitespace you observe.

Here is an example from a few posts ago in this thread, with long
lines broken with backslash-newline for readability.

    Jul  9 08:43:06 mail postfix/smtp[18059]: C95E4849A: to=*, \
    relay=gmail-smtp-in.l.google.com[2607:f8b0:400d:c0b::1b]:25\
    , delay=1.3, delays=0.29/0.04/0.53/0.46, dsn=5.7.1, status=\
    bounced (host gmail-smtp-in.l.google.com[2607:f8b0:400d:c0b\
    ::1b] said: 550-5.7.1 [2001:19f0:5:752:f000::       1] Our \
    system has detected an un...

Note the spaces inside the IPv6 address.

You can convince yourself with tcpdump, or set "smtp_bind_address6
= 2607:f308:1:1::2" and see if that makes a difference.

Again, it would not be the first time that some IPv6 stack grabs
an unexpected IPv6 address.

        Wietse
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

James Cloos-9
In reply to this post by Wietse Venema
>>>>> "WV" == Wietse Venema <[hidden email]> writes:

WV> Sorry, transport mapping happens before DNS lookup. Maybe you can
WV> fix your IPv6 setup by making sure that the PTR record for your
WV> IPv6 address resolves properly

That is not sufficient.  Goog's v6 MXs stopped accepting from me, too,
recently.  And I have ptr, dkim and spf all configured.

-JimC
--
James Cloos <[hidden email]>         OpenPGP: 0x997A9F17ED7DAEA6


Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Scott Talbert
In reply to this post by Wietse Venema
On Sun, 9 Jul 2017, Wietse Venema wrote:

>>>>> Jul  7 23:10:57 bear postfix/smtp[29598]: 92F8422A0C90: to=<[hidden email]>,
>>>>> relay=aspmx.l.google.com[2607:f8b0:400d:c0b::1a]:25, delay=0.65,
>>>>> delays=0.13/0/0.29/0.22, dsn=5.7.1, status=bounced (host
>>>>> aspmx.l.google.com[2607:f8b0:400d:c0b::1a] said: 550-5.7.1
>>>>> [2607:f308:1:1::2      12] Our system has detected that this message
> ...
>>>> Was your mail really sent from 2607:f308:1:1::212? According to DNS,
>>>> your primary MX is bear.techie.net, with IP addresses 205.134.185.202
>>>> and 2607:f308:1:1::2.
>>>>
>>>> If may be worthwhile to fix the SMTP client IP address with
>>>> "smtp_bind_address6 = 2607:f308:1:1::2", at least for off-site
>>>> email.
>>>
>>> No, it's sent from 2607:f308:1:1::2.  I don't know what the extra spaces + 12 after the IP address mean in that error report from gmail.
>>
>> Likely Google sees your address as 2607:f308:1:1::212, but long SMTP replies
>> get folded across multiple lines, and unfolded with the whitespace you observe.
>
> Here is an example from a few posts ago in this thread, with long
> lines broken with backslash-newline for readability.
>
>    Jul  9 08:43:06 mail postfix/smtp[18059]: C95E4849A: to=*, \
>    relay=gmail-smtp-in.l.google.com[2607:f8b0:400d:c0b::1b]:25\
>    , delay=1.3, delays=0.29/0.04/0.53/0.46, dsn=5.7.1, status=\
>    bounced (host gmail-smtp-in.l.google.com[2607:f8b0:400d:c0b\
>    ::1b] said: 550-5.7.1 [2001:19f0:5:752:f000::       1] Our \
>    system has detected an un...
>
> Note the spaces inside the IPv6 address.
>
> You can convince yourself with tcpdump, or set "smtp_bind_address6
> = 2607:f308:1:1::2" and see if that makes a difference.
>
> Again, it would not be the first time that some IPv6 stack grabs
> an unexpected IPv6 address.

Okay, so I confirmed with Wireshark that my server is definitely using
2607:f308:1:1::2 and not 2607:f308:1:1::212.  In fact, I see this in part
of the exchange:

250-mx.google.com at your service, [2607:f308:1:1::2]

So, it remains a mystery as to what that 12 means.  Perhaps some sort of
code indicating why the message was rejected?

Scott
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Force IPv4 by Destination MX

Wietse Venema
Scott Talbert:
> Okay, so I confirmed with Wireshark that my server is definitely using
> 2607:f308:1:1::2 and not 2607:f308:1:1::212.  In fact, I see this in part
> of the exchange:
>
> 250-mx.google.com at your service, [2607:f308:1:1::2]
>
> So, it remains a mystery as to what that 12 means.  Perhaps some sort of
> code indicating why the message was rejected?

Thanks, so this appears to be thrash. Meanwhile I have dug up a
three-year old solution to disable IPv6 for all domains hosted at
Google, posted to a separate thread.

        Wietse
Loading...