Dynamic temporary IPv6 addresses conflict with SPF rule

gerben · May 31, 2016, 5:55pm

Hi all,
Ubuntu seems to assign itself temporary IPv6 addresses (within the server’s subnet), besides its static (MAC-address based) one. It uses such a temporary address for outward connections, but then a well-configured receiving server rejects the message, since my SPF record tells that only messages from ip address in my MX records are authentic. So I would think that either:

My server should use its static ip also for outgoing connections (why need temporary addresses anyway? I would suppose mails servers do not need the bit of extra privacy…)
The SPF record should tell that any IPs from the IPv6 subnet are authentic.

Would anyone have a clue how this could be configured correctly?
Cheers,

Gerben

JoshData · May 31, 2016, 9:09pm

This should be fixed/working in the latest version.

This could also be responsible for the problem.

github.com

mail-in-a-box/mailinabox/blob/master/setup/mail-postfix.sh#L67


# Set some basic settings...
#
# * Have postfix listen on all network interfaces.
# * Make outgoing connections on a particular interface (if multihomed) so that SPF passes on the receiving side.
# * Set our name (the Debian default seems to be "localhost" but make it our hostname).
# * Set the name of the local machine to localhost, which means xxx@localhost is delivered locally, although we don't use it.
# * Set the SMTP banner (which must have the hostname first, then anything).
tools/editconf.py /etc/postfix/main.cf \
	inet_interfaces=all \
	smtp_bind_address=$PRIVATE_IP \
	smtp_bind_address6=$PRIVATE_IPV6 \
	myhostname=$PRIMARY_HOSTNAME\
	smtpd_banner="\$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)" \
	mydestination=localhost


# Tweak some queue settings:
# * Inform users when their e-mail delivery is delayed more than 3 hours (default is not to warn).
# * Stop trying to send an undeliverable e-mail after 2 days (instead of 5), and for bounce messages just try for 1 day.
tools/editconf.py /etc/postfix/main.cf \
	delay_warning_time=3h \
	maximal_queue_lifetime=2d \

gerben · May 31, 2016, 9:56pm

Thanks for the reply.The problem however still exists with v0.18b, which I suppose you referred to with ‘latest version’.

If the line you highlight sets the IP that we use for outgoing connections, should it perhaps say $PUBLIC_IPV6 rather than $PRIVATE_IPV6? At least for me, mailinabox calls my static IP ‘public’ and the temporary IP ‘private’ (though I am not sure if this is designed that way or picked by chance).

JoshData · May 31, 2016, 10:41pm

Sorta but not really. This is by design. Take a look at Why is nsd service listening on private IPv6 address? for why we do this.

system · June 7, 2016, 10:41pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.