Gmail 550-5.7.25 in response to outgoing email when my box is set up with a new IPv6 range

I followed this guide Mail blocked using zen.spamhaus.org - #6 by openletter to get a new range to avoid spam filters. While this was successful, and I can send and receive email to previously blocked addresses, gmail has taken issue with my new set up.

The error is as follows: 550-5.7.25 [2a01:7e <censored> d0] The IP address sending this message does not have a PTR record setup, or the corresponding forward entry does not point to the sending IP.

The address in question is the old SLAAC assigned IP: 2a01:7e <censored> d0, which still has a PTR record towards my mail server.
2a01:7e <censored>00 (The new address) also had a PTR to the mail server.

My suspicion is that the MIAB instance claims to have the new public IPv6 address, but still uses the private (old SLAAC assigned) address.

Netplan configuration is as follows. Linode’s auto config is disabled and the old config file has been removed.

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: yes
      accept-ra: yes
      ipv6-privacy: no
      addresses:
        - "2a01:7e <censored> /64"
      routes:
        - to: default
          via: "fe80::1"

How do I go about fixing this?

Have a look in /etc/mailinabox.conf - it contains the settings used by the prior install, which become defaults for the next install. You can edit it and then rerun the install.

In /etc/mailinabox.conf I find that for IPV4, the addresses are equal, but for IPV6, they are not. Is something wrong with these settings?

STORAGE_USER=user-data
STORAGE_ROOT=/home/user-data
PRIMARY_HOSTNAME=box.<censored>.com
PUBLIC_IP=172.<censored>
PUBLIC_IPV6=2a01:7e <censored> 00 
PRIVATE_IP=172.<censored, same as public>
PRIVATE_IPV6=2a01:7e <censored> d0
MTA_STS_MODE=enforce

While testing again after replying, I noticed that I can now send emails to gmail. Perhaps they had cached something for my domain, or DNS propagation had to happen…

I would still like to verify if there is any issue with different public and private IPs for IPv6. For one thing, I noticed that nsd was not running on the public IP. However, after adding it to /etc/nsd/nsd.conf everything seems to be working.

Not sure if this info will help you, but on my Linode MiaB server, both variables, PUBLIC_IPV6 and PRIVATE_IPV6, are set to the same address. I would think if you want to stop using the old address completely, you might want to try making them the same.

Also, I would try grep’ing through /etc/ to see if there are any instances of the old IPv6 addr still in use, and if so, consider manually changing these occurrences to the new address (if appropriate), then running sudo mailinabox and rebooting one more time. The command would be:
sudo grep -rs '<last 4 of old ipv6 addr>' /etc

I suggest that step because I have a suspicion that there may be some lingering instances of the old address hanging around in config files or under the /etc/nsd/ area.

There are indeed several instances:

/etc/mailinabox.conf:PRIVATE_IPV6=2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/postfix/.bak.main.cf:smtp_bind_address6=2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/postfix/main.cf:smtp_bind_address6=2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/nsd/nsd.conf:  ip-address: 2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/nsd/zones/box.valutadev.com.txt:   IN      AAAA    2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/nsd/zones/box.valutadev.com.txt:ns1        IN      AAAA    2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/nsd/zones/box.valutadev.com.txt:ns2        IN      AAAA    2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/nsd/zones/box.valutadev.com.txt:www        IN      AAAA    2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/nsd/zones/box.valutadev.com.txt.signed:box.valutadev.com.  86400   IN      AAAA    2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/nsd/zones/box.valutadev.com.txt.signed:ns1.box.valutadev.com.      86400   IN      AAAA    2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/nsd/zones/box.valutadev.com.txt.signed:ns2.box.valutadev.com.      86400   IN      AAAA    2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/nsd/zones/box.valutadev.com.txt.signed:www.box.valutadev.com.      86400   IN      AAAA    2a01:7e01::f03c:91ff:fe6b:bdd0
/etc/systemd/network/10-eth0.network-backup:Address=2a01:7e01::f03c:91ff:fe6b:bdd0/64

I made sure to rename the last entry so that it is now:

/etc/systemd/network/.10-eth0.network-backup:Address=2a01:7e01::f03c:91ff:fe6b:bdd0/64

As far as I understand it, postfix, nsd, and nsd zones are configured by MIAB when the setup script is executed. And the setup script overwrites mailinabox.conf.

Could the backup file be read even with the changed name perhaps?

When you say “backup file”, do you mean the duplicity backup? If so, yes, the backup only requires the correct secret key.

I mentioned looking for the old address because back when I upgraded to Ubuntu 22, I changed the IPv4 address on my linode after MiaB had been installed and I noticed back then that there were multiple references to the old IP address in /etc even after running sudo mailinabox. I didn’t dig into why this was happening, I just took the easy route, changed all the old IP instances to the new IP by hand, ran sudo mailinabox again, rebooted and moved on.

IPv6 does not (normally) use NAT, so your private and public IPv6 addresses should be the same.

I would:

  • Confirm your actual IPv6 address. The command “ip -6 addr show scope global” will show you multiple IPv6 addresses for your box. The one you want does not start fd or fe, and is not flagged mngtmpaddr.

  • Edit mailinabox.conf and put the same correct address in both PUBLIC_IPV6 and PRIVATE_IPV6.

  • Rerun the install.

PS. It would be easier to help if you did not censor your IP addresses. Your intentionally public DNS records exist specifically so the rest of the world can find your IP address and contact your server! Censoring does not hide anything, but does make it harder for us to see the subtle details of your setup.
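The three steps in the post above (pick the right global IPv6 address, then make PUBLIC_IPV6 and PRIVATE_IPV6 agree with it) can be scripted so the check is repeatable. The following is an added example, not code from the thread or from the Mail-in-a-Box project: the function names are mine, and the `ip -6 addr` listing and the mailinabox.conf lines it runs against are constructed samples embedded in the script, modelled on what was posted here. On a live box you would feed it the real `ip -6 addr show scope global` output and /etc/mailinabox.conf instead.

```shell
#!/bin/sh
# Added example (not from the thread or Mail-in-a-Box): select the global IPv6
# address a mail server should bind to, following the rule in the post above
# (not fd.. or fe.., not a SLAAC mngtmpaddr), then compare it against
# PUBLIC_IPV6 / PRIVATE_IPV6 in a mailinabox.conf-style file.

# Constructed sample in the shape of `ip -6 addr show scope global`
# (values are illustrative, modelled on the listing posted in the thread).
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:7e01::f03c:91ff:fe6b:bdd0/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 5142sec preferred_lft 1542sec
    inet6 2a01:7e01:e001:483::/64 scope global
       valid_lft forever preferred_lft forever'

# Constructed sample of the relevant lines of /etc/mailinabox.conf,
# deliberately mismatched the way the original poster's file was.
SAMPLE_CONF='PUBLIC_IPV6=2a01:7e01:e001:483::
PRIVATE_IPV6=2a01:7e01::f03c:91ff:fe6b:bdd0'

# pick_global_ipv6: read `ip -6 addr` output on stdin and print the first
# inet6 address (prefix length stripped) that is neither link-local/ULA
# (starts with fe/fd) nor flagged mngtmpaddr.
pick_global_ipv6() {
    awk '$1 == "inet6" && $0 !~ /mngtmpaddr/ {
             split($2, a, "/")
             if (a[1] !~ /^[fF][dDeE]/) { print a[1]; exit }
         }'
}

# conf_value KEY: read a KEY=VALUE file on stdin and print VALUE for KEY.
conf_value() {
    awk -F= -v key="$1" '$1 == key { print $2; exit }'
}

# check_ipv6_config IP_OUTPUT CONF_TEXT: report whether both config
# variables equal the chosen address; returns 0 when they do, 1 otherwise.
check_ipv6_config() {
    ip_out="$1"
    conf="$2"
    want=$(printf '%s\n' "$ip_out" | pick_global_ipv6)
    pub=$(printf '%s\n' "$conf" | conf_value PUBLIC_IPV6)
    priv=$(printf '%s\n' "$conf" | conf_value PRIVATE_IPV6)
    status=0
    [ -n "$want" ] || { echo "no usable global IPv6 address found"; return 1; }
    echo "address to use: $want"
    if [ "$pub" != "$want" ]; then
        echo "PUBLIC_IPV6=$pub does not match $want"
        status=1
    fi
    if [ "$priv" != "$want" ]; then
        echo "PRIVATE_IPV6=$priv does not match $want (no NAT for IPv6; set it equal to PUBLIC_IPV6)"
        status=1
    fi
    return $status
}

# Run against the constructed samples. On a real box use instead:
#   ip -6 addr show scope global | pick_global_ipv6
#   conf_value PRIVATE_IPV6 < /etc/mailinabox.conf
check_ipv6_config "$SAMPLE_IP_OUTPUT" "$SAMPLE_CONF" || echo "mailinabox.conf needs fixing before rerunning the install"
```

The awk filter keeps only `inet6` lines, drops any address carrying the `mngtmpaddr` flag (the SLAAC address that Postfix was still binding to in this thread) and rejects `fd`/`fe` prefixes, which is exactly the selection rule given in the post; everything else is plain string comparison against the two config variables.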

Ah, no the backup file is referring to 10-eth.network-backup.

It appears I can no longer edit the original post, but I agree with your reasoning. My thoughts went along the lines of: If something in my setup reveals a config error leading to a vulnerability; it is probably good if people can’t immediately figure out where to go and abuse this. However, I no longer think that that is part of the problem.

The output of ip -6 addr show scope global:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:7e01::f03c:91ff:fe6b:bdd0/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 5142sec preferred_lft 1542sec
    inet6 2a01:7e01:e001:483::/64 scope global
       valid_lft forever preferred_lft forever

Where 2a01:7e01::f03c:91ff:fe6b:bdd0 is the original SLAAC address and 2a01:7e01:e001:483::/64 is the new range Linode assigned the server.

After editing the config and then running mailinabox again, the config was overwritten by the setup script back to the version above.
