
disable ipv6 when sending to gmail ?


Nicolas KOWALSKI

Aug 20, 2013, 1:58:57 PM
Hello,

The gmail smtp server is now refusing mails from my system when IPv6 is
used, as shown in the log below:

Aug 20 06:25:08 petole postfix/smtp[27705]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Aug 20 06:25:09 petole postfix/smtp[27705]: 9E2994012F: to=<nicolas....@gmail.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25, delay=1.7, delays=0.17/0.1/0.78/0.64, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b] said: 550-5.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6 550-5.7.1 sending guidelines of authentication and rdns resolution of sending 550-5.7.1 ip. Please review 550 5.7.1 https://support.google.com/mail/answer/81126for more information. l8si5663122wiv.72 - gsmtp (in reply to end of DATA command))

I am not able to have an IPv6 rDNS record with my ISP, only an IPv4 one.
I guess this is why it works when using IPv4 (tested by forcing
inet_protocols = ipv4), and does not work any more with IPv6.

Is it possible to have outgoing mail to gmail (or another domain) sent
using my IPv4 interface?

Thanks,
--
Nicolas

Wietse Venema

Aug 20, 2013, 2:23:21 PM
Nicolas KOWALSKI:
> I am not able to have an IPv6 rDNS record with my ISP, only an IPv4 one.
> I guess this is why it works when using IPv4 (tested by forcing
> inet_protocols = ipv4), and does not work any more with IPv6.
>
> Is it possible to have outgoing mail to gmail (or another domain) sent
> using my IPv4 interface?

/etc/postfix/main.cf:
    transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
    gmail.com smtp-ipv4:

/etc/postfix/master.cf:
    smtp-ipv4 unix .. .. .. .. smtp
        -o inet_protocols=ipv4

# postmap /etc/postfix/transport
# postfix reload

For a more automatic kludge, you could try to match the server reply
(with your IP address or other distinctive text), and replace "5XX
SPACE text" with "4XX SPACE text":

/etc/postfix/main.cf:
    smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter

/etc/postfix/smtp_reply_filter:
    # Postfix uses the last reply code in a multi-line reply.
    /^5(\d\d .*your:ipv6:addr:here.*)/ 4$1

Then, Postfix will try to deliver to a different IP address.

Wietse

Nicolas KOWALSKI

Aug 21, 2013, 5:00:43 AM
On Tue, Aug 20, 2013 at 02:23:21PM -0400, Wietse Venema wrote:
> Nicolas KOWALSKI:
> > I am not able to have an IPv6 rDNS record with my ISP, only an IPv4 one.
> > I guess this is why it works when using IPv4 (tested by forcing
> > inet_protocols = ipv4), and does not work any more with IPv6.
> >
> > Is it possible to have outgoing mail to gmail (or another domain) sent
> > using my IPv4 interface?
>
> /etc/postfix/main.cf:
>     transport_maps = hash:/etc/postfix/transport
>
> /etc/postfix/transport:
>     gmail.com smtp-ipv4:
>
> /etc/postfix/master.cf:
>     smtp-ipv4 unix .. .. .. .. smtp
>         -o inet_protocols=ipv4
>
> # postmap /etc/postfix/transport
> # postfix reload

Thanks, it works perfectly.

>
> For a more automatic kludge, you could try to match the server reply
> (with your IP address or other distinctive text), and replace "5XX
> SPACE text" with "4XX SPACE text":
>
> /etc/postfix/main.cf:
>     smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter
>
> /etc/postfix/smtp_reply_filter:
>     # Postfix uses the last reply code in a multi-line reply.
>     /^5(\d\d .*your:ipv6:addr:here.*)/ 4$1
>
> Then, Postfix will try to deliver to a different IP address.

I also tried this workaround, but it does not seem to work as expected:
the server reply is replaced, but the mail is still bounced:

Aug 21 09:56:42 petole postfix/smtp[6690]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Aug 21 09:56:42 petole postfix/smtp[6690]: gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25: replacing server reply "550-5.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6" with "450-5.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6"
Aug 21 09:56:42 petole postfix/smtp[6690]: 0275E402B6: to=<nicolas....@gmail.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25, delay=0.92, delays=0.03/0.06/0.63/0.2, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b] said: 450-5.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6 550-5.7.1 sending guidelines of authentication and rdns resolution of sending 550-5.7.1 ip. Please review 550 5.7.1 https://support.google.com/mail/answer/81126for more information. q6si3458600wiz.0 - gsmtp (in reply to end of DATA command))

--
Nicolas

Wietse Venema

Aug 21, 2013, 6:44:55 AM
Nicolas KOWALSKI:
> > /etc/postfix/smtp_reply_filter:
> > # Postfix uses the last reply code in a multi-line reply.
> > /^5(\d\d .*your:ipv6:addr:here.*)/ 4$1
> >
> > Then, Postfix will try to deliver to a different IP address.
>
> I also tried this workaround, but it does not seem to work as expected:
> the server reply is replaced, but the mail is still bounced:
>
> Aug 21 09:56:42 petole postfix/smtp[6690]: 0275E402B6:
> to=<nicolas....@gmail.com>,
> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25,
> delay=0.92, delays=0.03/0.06/0.63/0.2, dsn=5.7.1, status=bounced

Argh. You need to replace the 5.X.X.

This pattern replaces both fives just to be sure.

/^5(\d\d )5(.*your:ipv6:addr:here.*)/ 4${1}4$2

Wietse

Nicolas KOWALSKI

Aug 21, 2013, 8:29:08 AM
On Wed, Aug 21, 2013 at 06:44:55AM -0400, Wietse Venema wrote:
> Argh. You need to replace the 5.X.X.
>
> This pattern replaces both fives just to be sure.
>
> /^5(\d\d )5(.*your:ipv6:addr:here.*)/ 4${1}4$2

I used this one ('-' instead of space):

/^5(\d\d-)5(.*2a01:e35:8ae7:65f0::2.*)/ 4${1}4${2}


But even with a return code rewritten as 450-4.X.Y, it bounces:

Aug 21 14:13:07 petole postfix/smtp[15786]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Aug 21 14:13:08 petole postfix/smtp[15786]: gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25: replacing server reply "550-5.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6" with "450-4.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6"
Aug 21 14:13:08 petole postfix/smtp[15786]: 6135140557: to=<nicolas....@gmail.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25, delay=0.94, delays=0.03/0/0.28/0.63, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b] said: 450-4.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6 550-5.7.1 sending guidelines of authentication and rdns resolution of sending 550-5.7.1 ip. Please review 550 5.7.1 https://support.google.com/mail/answer/81126for more information. lf4si4080770wjb.170 - gsmtp (in reply to end of DATA command))

What must the return code be for the mail to be retried on another host?
"450 <some-text-here>" or "450-<subcode> <some-text-here>" ?

Thanks,
--
Nicolas

Wietse Venema

Aug 21, 2013, 9:15:46 AM
Nicolas KOWALSKI:
> On Wed, Aug 21, 2013 at 06:44:55AM -0400, Wietse Venema wrote:
> > Argh. You need to replace the 5.X.X.
> >
> > This pattern replaces both fives just to be sure.
> >
> > /^5(\d\d )5(.*your:ipv6:addr:here.*)/ 4${1}4$2
>
> I used this one ('-' instead of space):

That is incorrect.

> /^5(\d\d-)5(.*2a01:e35:8ae7:65f0::2.*)/ 4${1}4${2}
>
>
> But even with a return code rewritten as 450-4.X.Y, it bounces:

Of course. Why can't you follow instructions?

Wietse

Nicolas KOWALSKI

Aug 21, 2013, 10:43:50 AM
On Wed, Aug 21, 2013 at 09:15:46AM -0400, Wietse Venema wrote:
> Nicolas KOWALSKI:
> > On Wed, Aug 21, 2013 at 06:44:55AM -0400, Wietse Venema wrote:
> > > Argh. You need to replace the 5.X.X.
> > >
> > > This pattern replaces both fives just to be sure.
> > >
> > > /^5(\d\d )5(.*your:ipv6:addr:here.*)/ 4${1}4$2
> >
> > I used this one ('-' instead of space):
>
> That is incorrect.

Sorry, I was confused by the error message, forgetting about the last
line of the server reply.

So, I corrected it to be exactly as you wrote:

/^5(\d\d )5(.*2a01:e35:8ae7:65f0::2.*)/ 4${1}4$2


In the logs, the reply was then not filtered:

Aug 21 15:29:18 petole postfix/smtp[18007]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Aug 21 15:29:19 petole postfix/smtp[18007]: D424D40555: to=<nicolas....@gmail.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25, delay=1.4, delays=0.04/0.07/0.7/0.57, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b] said: 550-5.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6 550-5.7.1 sending guidelines of authentication and rdns resolution of sending 550-5.7.1 ip. Please review 550 5.7.1 https://support.google.com/mail/answer/81126for more information. gp4si4464911wib.46 - gsmtp (in reply to end of DATA command))


By testing the mail sending manually, I saw that the "550 5.7.1 ..."
line did not contain the IPv6 address:

$ telnet 2a00:1450:400c:c03::1a 25
Trying 2a00:1450:400c:c03::1a...
Connected to 2a00:1450:400c:c03::1a.
Escape character is '^]'.
220 mx.google.com ESMTP pf5si4330259wjb.13 - gsmtp
ehlo petole.demisel.net
250-mx.google.com at your service, [2a01:e35:8ae7:65f0::2]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES
mail from: <ro...@petole.demisel.net>
250 2.1.0 OK pf5si4330259wjb.13 - gsmtp
rcpt to: <nicolas....@gmail.com>
250 2.1.5 OK pf5si4330259wjb.13 - gsmtp
data
354 Go ahead pf5si4330259wjb.13 - gsmtp
from: <ro...@petole.demisel.net>
to: <nicolas....@gmail.com>
subject: test

test

Nicolas KOWALSKI

Aug 21, 2013, 10:50:30 AM
...
550-5.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6
550-5.7.1 sending guidelines of authentication and rdns resolution of sending
550-5.7.1 ip. Please review
550 5.7.1 https://support.google.com/mail/answer/81126for more information. pf5si4330259wjb.13 - gsmtp


Now I have put this in the smtp_reply_filter table:

/^5(\d\d )5(.*support.google.com\/mail\/answer\/81126.*)/ 4${1}4$2


It works well:

Aug 21 16:29:26 petole postfix/smtp[19900]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Aug 21 16:29:27 petole postfix/smtp[19900]: gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25: replacing server reply "550 5.7.1 https://support.google.com/mail/answer/81126for more information. x5si3345140wjx.49 - gsmtp" with "450 4.7.1 https://support.google.com/mail/answer/81126for more information. x5si3345140wjx.49 - gsmtp"
Aug 21 16:29:27 petole postfix/smtp[19900]: 0EFB640557: host gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b] said: 550-5.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6 550-5.7.1 sending guidelines of authentication and rdns resolution of sending 550-5.7.1 ip. Please review 450 4.7.1 https://support.google.com/mail/answer/81126for more information. x5si3345140wjx.49 - gsmtp (in reply to end of DATA command)
Aug 21 16:29:27 petole postfix/smtp[19900]: Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.66.26]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Aug 21 16:29:28 petole postfix/smtp[19900]: 0EFB640557: to=<nicolas....@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.66.26]:25, delay=2, delays=0.05/0.07/1.5/0.32, dsn=2.0.0, status=sent (250 2.0.0 OK 1377095368 w8si10322842wib.85 - gsmtp)



Thanks a lot for your help,
--
Nicolas

Wietse Venema

Aug 21, 2013, 1:32:50 PM
Nicolas KOWALSKI:
> On Wed, Aug 21, 2013 at 09:15:46AM -0400, Wietse Venema wrote:
> > Nicolas KOWALSKI:
> > > On Wed, Aug 21, 2013 at 06:44:55AM -0400, Wietse Venema wrote:
> > > > Argh. You need to replace the 5.X.X.
> > > >
> > > > This pattern replaces both fives just to be sure.
> > > >
> > > > /^5(\d\d )5(.*your:ipv6:addr:here.*)/ 4${1}4$2
> > >
> > > I used this one ('-' instead of space):
> >
> > That is incorrect.
>
> Sorry, I was confused by the error message, forgetting about the last
> line of the server reply.
>
> So, I corrected it to be exactly as you wrote:
>
> /^5(\d\d )5(.*2a01:e35:8ae7:65f0::2.*)/ 4${1}4$2
>
>
> In the logs, the reply was then not filtered:
>
> Aug 21 15:29:18 petole postfix/smtp[18007]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)

You made a mistake.

With this:

% cat /tmp/x.pcre
/^5(\d\d )5(.*)/ 4${1}4$2

% postmap -q - pcre:/tmp/x.pcre
550 5.7.1 whatever
550 5.7.1 whatever 450 4.7.1 whatever

So you erred in your text inside the second ().

Wietse
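
Added example, not part of the original thread: a Python simulation of how the three smtp_reply_filter rules posted above act on Gmail's four-line reply, one line at a time, and which of them changes the final line that Postfix acts on. The function names are hypothetical, and treating the reply as soft only when both the reply code and the enhanced status code start with 4 is an assumed model that follows the "replace both fives" advice.

```python
import re

# Reply lines copied from the telnet session quoted in the thread.
REPLY = [
    "550-5.7.1 [2a01:e35:8ae7:65f0::2 16] The sender does not meet basic ipv6",
    "550-5.7.1 sending guidelines of authentication and rdns resolution of sending",
    "550-5.7.1 ip. Please review",
    "550 5.7.1 https://support.google.com/mail/answer/81126for more information. "
    "pf5si4330259wjb.13 - gsmtp",
]

# The three rules posted in the thread as (pattern, replacement), delimiters removed.
RULES = {
    "hyphen": (r"^5(\d\d-)5(.*2a01:e35:8ae7:65f0::2.*)", "4${1}4${2}"),
    "address": (r"^5(\d\d )5(.*2a01:e35:8ae7:65f0::2.*)", "4${1}4$2"),
    "url": (r"^5(\d\d )5(.*support.google.com\/mail\/answer\/81126.*)", "4${1}4$2"),
}


def to_python_template(replacement):
    """Translate $1 / ${1} references into Python's \\g<1> form."""
    return re.sub(r"\$\{?(\d+)\}?", r"\\g<\1>", replacement)


def apply_filter(rule, lines):
    """Apply one rule to each reply line separately, as the filter sees them."""
    pattern, replacement = rule
    template = to_python_template(replacement)
    return [re.sub(pattern, template, line, count=1) for line in lines]


def final_status(lines):
    """Return (reply code, enhanced status code) taken from the last line."""
    match = re.match(r"(\d{3}) (\d\.\d+\.\d+)", lines[-1])
    return match.group(1), match.group(2)


def outcome(rule_name):
    """Assumed model: soft (retry next address) only if both codes are 4xx."""
    code, dsn = final_status(apply_filter(RULES[rule_name], REPLY))
    soft = code.startswith("4") and dsn.startswith("4")
    return code, dsn, "retry" if soft else "bounce"


if __name__ == "__main__":
    for name in RULES:
        print(name, outcome(name))
```

The "hyphen" rule rewrites only the first continuation line and the "address" rule matches nothing, because the IPv6 address never appears on the final "550 5.7.1" line; only the "url" rule touches the line that decides the outcome.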
