google bouncing emails - ipv6 ptr problem?

classic Classic list List threaded Threaded
31 messages Options
12
Reply | Threaded
Open this post in threaded view
|

google bouncing emails - ipv6 ptr problem?

Robert Moskowitz
Perhaps this should go to the bind list, but all of my checking shows my ipv6 ptr record is working.

This started, I think, last week.  I was running an old mailserver and sent many an email to the cubieboard list.

Just today I finally upgraded my mailserver, but still get the bounce.  My current system is running Redsleeve 6 (Centos 6 for ARM), and postfix-2.6.6-6

The bounce from google says:

                   The mail system

[hidden email]: host
    gmr-smtp-in.l.google.com[2607:f8b0:4001:c08::e] said: 550-5.7.1
    [2607:f4b8:3:3:67:15ff:fe00:180] Our system has detected that this
    550-5.7.1 message does not meet IPv6 sending guidelines regarding PTR
    records 550-5.7.1 and authentication. Please review 550-5.7.1
    https://support.google.com/mail/?p=ipv6_authentication_error for more 550
    5.7.1 information. f9si145249igt.0 - gsmtp (in reply to end of DATA
    command)

Reporting-MTA: dns; z9m9z.htt-consult.com
X-Postfix-Queue-ID: 6FC565FA07
X-Postfix-Sender: rfc822; [hidden email]
Arrival-Date: Wed, 19 Nov 2014 08:48:16 -0500 (EST)

Final-Recipient: rfc822; [hidden email]
Original-Recipient: [hidden email]
Action: failed
Status: 5.7.1
Remote-MTA: dns; gmr-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.1 [2607:f4b8:3:3:67:15ff:fe00:180] Our system
    has detected that this 550-5.7.1 message does not meet IPv6 sending
    guidelines regarding PTR records 550-5.7.1 and authentication. Please
    review 550-5.7.1
    https://support.google.com/mail/?p=ipv6_authentication_error for more 550
    5.7.1 information. f9si145249igt.0 - gsmtp



I checked via my Verizon wireless MiFi connection and that IPv6 address ptr does point to z9m9z.htt-consult.com  I have gone to the listed web page, and believe my ipv6 dns is correct.  I have not implemented spf or dkim.  I am now getting TLS connections between my MTA and others.

Could it be some other problem with my postfix setup?  Or DNS?


Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Mark Martinec-5
Robert Moskowitz wrote:

> Perhaps this should go to the bind list, but all of my checking shows
> my ipv6 ptr record is working.
>
> This started, I think, last week.  I was running an old mailserver and
> sent many an email to the cubieboard list.
>
> Just today I finally upgraded my mailserver, but still get the bounce.
>  My current system is running Redsleeve 6 (Centos 6 for ARM), and
> postfix-2.6.6-6
>
> The bounce from google says:
>
>                    The mail system
>
> <[hidden email]>: host
>     gmr-smtp-in.l.google.com[2607:f8b0:4001:c08::e] said: 550-5.7.1
>     [2607:f4b8:3:3:67:15ff:fe00:180] Our system has detected that this
>     550-5.7.1 message does not meet IPv6 sending guidelines regarding
> PTR
>     records 550-5.7.1 and authentication. Please review 550-5.7.1
>     https://support.google.com/mail/?p=ipv6_authentication_error  for
> more 550
>     5.7.1 information. f9si145249igt.0 - gsmtp (in reply to end of DATA
>     command)

Note the '...and authentication' in that message!

Read that web document again, note the 'Additional guidelines for IPv6'
and the second bullet there:

   . The sending domain should pass either SPF check or DKIM check.
     Otherwise, mail might be marked as spam.


> I checked via my Verizon wireless MiFi connection and that IPv6
> address ptr does point to z9m9z.htt-consult.com  I have gone to the
> listed web page, and believe my ipv6 dns is correct.

Looks alright, although DNS checkers have some complaints
regarding your domain:

   http://www.webwiz.co.uk/domain-tools/
   http://www.intodns.com/
   http://www.dnsqueries.com/en/


> I have not implemented spf or dkim.

There you go!
Consider also publishing a DMARC record, not necessarily restrictive.

   Mark
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Wietse Venema
In reply to this post by Robert Moskowitz
Robert Moskowitz:
> Perhaps this should go to the bind list, but all of my checking shows my
> ipv6 ptr record is working.
>
> This started, I think, last week.  I was running an old mailserver and
> sent many an email to the cubieboard list.

I had one email bounce last week. Looks like they handle DNS
timeouts badly.  I now send their mail via a transport with
soft_bonce=yes.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Robert Moskowitz
In reply to this post by Mark Martinec-5
This is kind of what I was thinking was the case...

On 11/19/2014 07:28 PM, Mark Martinec wrote:

> Robert Moskowitz wrote:
>> Perhaps this should go to the bind list, but all of my checking shows
>> my ipv6 ptr record is working.
>>
>> This started, I think, last week.  I was running an old mailserver and
>> sent many an email to the cubieboard list.
>>
>> Just today I finally upgraded my mailserver, but still get the bounce.
>>  My current system is running Redsleeve 6 (Centos 6 for ARM), and
>> postfix-2.6.6-6
>>
>> The bounce from google says:
>>
>>                    The mail system
>>
>> <[hidden email]>: host
>>     gmr-smtp-in.l.google.com[2607:f8b0:4001:c08::e] said: 550-5.7.1
>>     [2607:f4b8:3:3:67:15ff:fe00:180] Our system has detected that this
>>     550-5.7.1 message does not meet IPv6 sending guidelines regarding
>> PTR
>>     records 550-5.7.1 and authentication. Please review 550-5.7.1
>> https://support.google.com/mail/?p=ipv6_authentication_error for more
>> 550
>>     5.7.1 information. f9si145249igt.0 - gsmtp (in reply to end of DATA
>>     command)
>
> Note the '...and authentication' in that message!
>
> Read that web document again, note the 'Additional guidelines for IPv6'
> and the second bullet there:
>
>   . The sending domain should pass either SPF check or DKIM check.
>     Otherwise, mail might be marked as spam.

But until I confirmed from others that DNS looked ok.  Also until today,
I could not implement DKIM, if I wanted to.


>
>
>> I checked via my Verizon wireless MiFi connection and that IPv6
>> address ptr does point to z9m9z.htt-consult.com  I have gone to the
>> listed web page, and believe my ipv6 dns is correct.
>
> Looks alright, although DNS checkers have some complaints
> regarding your domain:
>
>   http://www.webwiz.co.uk/domain-tools/

There ARE some reverse look up issues, but I am doing it the way you
need to if your reverse lookup is delegated from a larger block.  I will
need to look further into this.

>   http://www.intodns.com/
>   http://www.dnsqueries.com/en/
>
>
>> I have not implemented spf or dkim.
>
> There you go!
> Consider also publishing a DMARC record, not necessarily restrictive.

Will have to read up on DMARC records.  Hopefully they are not as bad as
spf are.


Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Robert Moskowitz
In reply to this post by Wietse Venema

On 11/19/2014 07:46 PM, Wietse Venema wrote:
> Robert Moskowitz:
>> Perhaps this should go to the bind list, but all of my checking shows my
>> ipv6 ptr record is working.
>>
>> This started, I think, last week.  I was running an old mailserver and
>> sent many an email to the cubieboard list.
> I had one email bounce last week. Looks like they handle DNS
> timeouts badly.  I now send their mail via a transport with
> soft_bonce=yes.

Can you point me to more for me to learn about soft_bounce?  And how you
have a transport specific to google?

Thanks for the continued education.  Finally I am running my own config
that I had to build myself (with lots of help!), so now I need to
continue along this path.


Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Robert Schetterer-2
In reply to this post by Wietse Venema
Am 20.11.2014 um 01:46 schrieb Wietse Venema:

> Robert Moskowitz:
>> Perhaps this should go to the bind list, but all of my checking shows my
>> ipv6 ptr record is working.
>>
>> This started, I think, last week.  I was running an old mailserver and
>> sent many an email to the cubieboard list.
>
> I had one email bounce last week. Looks like they handle DNS
> timeouts badly.  I now send their mail via a transport with
> soft_bonce=yes.
>
> Wietse
>

workaround maybe ,use ipv4 "only" transport ,for google


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

lst_hoe02
In reply to this post by Wietse Venema

Zitat von [hidden email]:

> Robert Moskowitz:
>> Perhaps this should go to the bind list, but all of my checking shows my
>> ipv6 ptr record is working.
>>
>> This started, I think, last week.  I was running an old mailserver and
>> sent many an email to the cubieboard list.
>
> I had one email bounce last week. Looks like they handle DNS
> timeouts badly.  I now send their mail via a transport with
> soft_bonce=yes.
>
> Wietse
I also noticed some Google mailbounces because of (temporary) IPv6 PTR  
resolve errors on their side. I now use IPv4 only to deliver to them  
and it never happend again until now.

Regards

Andreas



smime.p7s (7K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Robert Moskowitz
In reply to this post by Robert Schetterer-2

On 11/20/2014 12:50 AM, Robert Schetterer wrote:

> Am 20.11.2014 um 01:46 schrieb Wietse Venema:
>> Robert Moskowitz:
>>> Perhaps this should go to the bind list, but all of my checking shows my
>>> ipv6 ptr record is working.
>>>
>>> This started, I think, last week.  I was running an old mailserver and
>>> sent many an email to the cubieboard list.
>> I had one email bounce last week. Looks like they handle DNS
>> timeouts badly.  I now send their mail via a transport with
>> soft_bonce=yes.
>>
>> Wietse
>>
> workaround maybe ,use ipv4 "only" transport ,for google

How do you set this up?




Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Wietse Venema
Robert Moskowitz:

>
> On 11/20/2014 12:50 AM, Robert Schetterer wrote:
> > Am 20.11.2014 um 01:46 schrieb Wietse Venema:
> >> Robert Moskowitz:
> >>> Perhaps this should go to the bind list, but all of my checking shows my
> >>> ipv6 ptr record is working.
> >>>
> >>> This started, I think, last week.  I was running an old mailserver and
> >>> sent many an email to the cubieboard list.
> >> I had one email bounce last week. Looks like they handle DNS
> >> timeouts badly.  I now send their mail via a transport with
> >> soft_bonce=yes.
> >>
> >> Wietse
> >>
> > workaround maybe ,use ipv4 "only" transport ,for google
>
> How do you set this up?

/etc/postfix/master.cf:
    forced-ipv4 unix  -       -       n       -       -       smtp
        -o inet_protocols=ipv4

/etc/postfix/transport:
    google.com forced-ipv4:
    gmail.com forced-ipv4:

/etc/postfix/main.cf:
    transport_maps = hash:/etc/postfix/transport

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Robert Schetterer-2
In reply to this post by Robert Moskowitz
Am 20.11.2014 um 18:54 schrieb Robert Moskowitz:

>
> On 11/20/2014 12:50 AM, Robert Schetterer wrote:
>> Am 20.11.2014 um 01:46 schrieb Wietse Venema:
>>> Robert Moskowitz:
>>>> Perhaps this should go to the bind list, but all of my checking
>>>> shows my
>>>> ipv6 ptr record is working.
>>>>
>>>> This started, I think, last week.  I was running an old mailserver and
>>>> sent many an email to the cubieboard list.
>>> I had one email bounce last week. Looks like they handle DNS
>>> timeouts badly.  I now send their mail via a transport with
>>> soft_bonce=yes.
>>>
>>>     Wietse
>>>
>> workaround maybe ,use ipv4 "only" transport ,for google
>
> How do you set this up?
>
>
>
>

http://blog.schaal-24.de/ipv6/mails-mit-postfix-fuer-einzelne-domains-nur-ueber-ipv4-oderipv6-verschicken/







Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Peter Ajamian
In reply to this post by Wietse Venema
On 11/21/2014 07:02 AM, Wietse Venema wrote:

> /etc/postfix/master.cf:
>     forced-ipv4 unix  -       -       n       -       -       smtp
> -o inet_protocols=ipv4
>
> /etc/postfix/transport:
>     google.com forced-ipv4:
>     gmail.com forced-ipv4:
>
> /etc/postfix/main.cf:
>     transport_maps = hash:/etc/postfix/transport

Unfortunately the above solution assumes that all recipients that use
the google MX servers will have email addresses with google.com or
gmail.com domains.  Unfortunately there is literally an endless number
of domains that use the google MXes (google apps anyone?) so a solution
that looks up the MX of the recipient domain and picks a transport based
on that would be better.  I'm not aware of a postfix setting that
directly allows this and the best thing I can think of is a policy
daemon that will look up the recipient MX and direct mail accordingly.


Peter
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

L. D. James
Actually, all people who use google MX will have google.com or gmail.com
in their domains.

They can use other email servers on their devices.  However, those
servers will not be google.com or gmail.com email addresses.  They can
publish their google.com or gmail.com addresses as their return
address.  But if they are actually using a different email provider,
they the actually email provider will provide their own domain.com smtp
servers and configurations for those clients.

-- L. James

--
L. D.  James
[hidden email]
www.apollo3.com/~ljames

On 11/21/2014 10:25 PM, Peter wrote:

> On 11/21/2014 07:02 AM, Wietse Venema wrote:
>> /etc/postfix/master.cf:
>>      forced-ipv4 unix  -       -       n       -       -       smtp
>> -o inet_protocols=ipv4
>>
>> /etc/postfix/transport:
>>      google.com forced-ipv4:
>>      gmail.com forced-ipv4:
>>
>> /etc/postfix/main.cf:
>>      transport_maps = hash:/etc/postfix/transport
> Unfortunately the above solution assumes that all recipients that use
> the google MX servers will have email addresses with google.com or
> gmail.com domains.  Unfortunately there is literally an endless number
> of domains that use the google MXes (google apps anyone?) so a solution
> that looks up the MX of the recipient domain and picks a transport based
> on that would be better.  I'm not aware of a postfix setting that
> directly allows this and the best thing I can think of is a policy
> daemon that will look up the recipient MX and direct mail accordingly.
>
>
> Peter

Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Peter Ajamian
On 11/22/2014 04:32 PM, L. D. James wrote:
> Actually, all people who use google MX will have google.com or gmail.com
> in their domains.

Wrong, and this is easy to disprove:

$ dig pajamian.dhs.org MX +short
0 ASPMX.L.GOOGLE.COM.
10 ALT1.ASPMX.L.GOOGLE.COM.
10 ALT2.ASPMX.L.GOOGLE.COM.
20 ASPMX2.GOOGLEMAIL.COM.
...

Yes, this is my own domain, which does *not* have google.com or
gmail.com in the domain name and certainly *does* use google MX.


Peter
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

L. D. James
On 11/21/2014 11:14 PM, Peter wrote:

> On 11/22/2014 04:32 PM, L. D. James wrote:
>> Actually, all people who use google MX will have google.com or gmail.com
>> in their domains.
> Wrong, and this is easy to disprove:
>
> $ dig pajamian.dhs.org MX +short
> 0 ASPMX.L.GOOGLE.COM.
> 10 ALT1.ASPMX.L.GOOGLE.COM.
> 10 ALT2.ASPMX.L.GOOGLE.COM.
> 20 ASPMX2.GOOGLEMAIL.COM.
> ...
>
> Yes, this is my own domain, which does *not* have google.com or
> gmail.com in the domain name and certainly *does* use google MX.
>
>
> Peter

I'm sorry.  But I thought the question was about users who were using
the google domains, not yours or mine.  You're right.  The solution to
get pass the google domain configuration might not work for the other
domains.

-- L. James

--
L. D. James
[hidden email]
www.apollo3.com/~ljames
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

A. Schulze
In reply to this post by Peter Ajamian

Peter:

> Unfortunately the above solution assumes that all recipients that use
> the google MX servers will have email addresses with google.com or
> gmail.com domains.

(@Wietse: correct me, if I'm wrong)
that's a general consequence of postfix design.
postfix is destination domain centric. It does not know, if two  
destinations (domains) share the same mx host.

to workaround the mentioned problem I see two possibilities:
  - modify your local dns resolver to strip the AAAA part in it's  
answer for the hosts in question
  - modify your local firewall to *reject* outbound connections to the  
IPv6 address in question
sure, both are not perfect any may have unwanted side effects.

But finally I wonder about the problem. Google does simply *require* a  
clean setup.
not more, not less. But *much more* strength in IPv6 then in IPv4 world.
One may see this strength as a service. They implicit say "your setup  
is broken".

So instead implementing strange workarounds, one should search, find,  
understand and fix the real problem.
Once.

or like Wietse use to say:
Rule number one on fixing problems: fix the right problem.

Andreas

Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Wietse Venema
A. Schulze:
> So instead implementing strange workarounds, one should search, find,  
> understand and fix the real problem.

Google bounced my mail because of a temp error. I changed nothing
in my DNS or DKIM. It's their bug, not mine.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

A. Schulze

wietse:

> A. Schulze:
>> So instead implementing strange workarounds, one should search, find,
>> understand and fix the real problem.
>
> Google bounced my mail because of a temp error. I changed nothing
> in my DNS or DKIM. It's their bug, not mine.

I don't expect your setup is obviously broken and also I don't want to
attack somebody. Sorry if that was misunderstood.

but in general I often notice people tend to claim it's *always*  
Google's fault
which is simply not true /from my/ experience. I send >10k messages per day
to Google mx servers and never noticed such problems.
OK, maybe I'm in a magic Google whitelist because of my volume but I'm  
not aware of this.

Andreas


Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Robert Schetterer-2
Am 22.11.2014 um 14:50 schrieb A. Schulze:

>
> wietse:
>
>> A. Schulze:
>>> So instead implementing strange workarounds, one should search, find,
>>> understand and fix the real problem.
>>
>> Google bounced my mail because of a temp error. I changed nothing
>> in my DNS or DKIM. It's their bug, not mine.
>
> I don't expect your setup is obviously broken and also I don't want to
> attack somebody. Sorry if that was misunderstood.
>
> but in general I often notice people tend to claim it's *always*
> Google's fault
> which is simply not true /from my/ experience. I send >10k messages per day
> to Google mx servers and never noticed such problems.
> OK, maybe I'm in a magic Google whitelist because of my volume but I'm
> not aware of this.
>

Hi Andreas , there a "wide" reports that google sometimes fails somehow
 with ipv6, i investigated in this hardly , it simply looks its their
bug, my best speculation goes in sometimes not working spf ipv6 stuff at
their site


> Andreas
>
>



Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

lst_hoe02
In reply to this post by A. Schulze

Zitat von "A. Schulze" <[hidden email]>:

> wietse:
>
>> A. Schulze:
>>> So instead implementing strange workarounds, one should search, find,
>>> understand and fix the real problem.
>>
>> Google bounced my mail because of a temp error. I changed nothing
>> in my DNS or DKIM. It's their bug, not mine.
>
> I don't expect your setup is obviously broken and also I don't want to
> attack somebody. Sorry if that was misunderstood.
>
> but in general I often notice people tend to claim it's *always*  
> Google's fault
> which is simply not true /from my/ experience. I send >10k messages per day
> to Google mx servers and never noticed such problems.
> OK, maybe I'm in a magic Google whitelist because of my volume but  
> I'm not aware of this.
>
> Andreas
Same here as Wietse said. We have not changed DNS for the mailer for  
years, but once in while if Google fail to resolve the IPv6 PTR they  
reject the mail. With the same setup to the same destination and the  
very same content some minutes later it works. This is annoying to say  
at least. Maybe you simply have been lucky until now or your DNS  
records tend to stay in the Google DNS cache for a longer time.

Regards

Andreas




smime.p7s (7K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: google bouncing emails - ipv6 ptr problem?

Wietse Venema
In reply to this post by Robert Schetterer-2
Robert Schetterer:
> Hi Andreas , there a "wide" reports that google sometimes fails somehow
>  with ipv6, i investigated in this hardly , it simply looks its their
> bug, my best speculation goes in sometimes not working spf ipv6 stuff at
> their site

My domain has no SPF, but it signs all mail with DKIM.  Google
decided to reject a single email message at end-of-DATA on 11 Nov
2014 11:55:15 -0500. Minutes later, the same email message passed
(see logfile records below).

Given that TCP worked, I suspect that some DNS lookup failed (PTR,
AAAA, DKIM, etc.). The entire session lasted only a few seconds,
so I suspect they use short timeouts without retries.
       
        Wietse

Nov 11 11:55:15 spike postfix/smtp[22958]: 3jcZv4004YzJrPw:
to=<censored>, relay=aspmx.l.google.com[2607:f8b0:400d:c04::1a]:25,
delay=3.6, delays=0.12/0.01/2.6/0.93, dsn=5.7.1, status=bounced
(host aspmx.l.google.com[2607:f8b0:400d:c04::1a] said: 550-5.7.1
[2604:8d00:189::2] Our system has detected that this message does
not 550-5.7.1 meet IPv6 sending guidelines regarding PTR records
and authentication 550-5.7.1 . Please review 550-5.7.1
https://support.google.com/mail/?p=ipv6_authentication_error for
more 550 5.7.1 information. l17si30149401qaj.81 - gsmtp (in reply
to end of DATA command))

Nov 11 11:58:29 spike postfix/smtp[22980]: 3jcZyr2BpqzJrPw:
to=<censored>, relay=aspmx.l.google.com[2607:f8b0:400d:c04::1a]:25,
delay=1.4, delays=0.11/0.01/0.19/1.1, dsn=2.0.0, status=sent (250
2.0.0 OK 1415725109 k30si37581932qge.88 - gsmtp)

12