Multiple Domains - IPv6 SMTP Routing Issues


  • Multiple Domains - IPv6 SMTP Routing Issues

    Hi,

    I recently configured my Axigen 10.1.5 server to work in IPv4 mode and IPv6 mode. Everything works great.

    However, I ran into a problem when I added a second domain. I tried setting up some email routing policies in the advanced tab so that the second domain would use a different IPv4 interface address and a different IPv6 interface address. The reason for this is due to the PTR records that are set up in DNS records.

    When sending email, the log files say "IPv4 interface address set for domain two," then subsequently say "IPv6 interface address set for domain 2." The problem arises when Axigen then attempts to deliver mail from the IPv6 interface address on my server to the recipient email server's IPv4 address and thus fails. It then tries connecting to the recipient email server's IPv6 address on port 25 and then the connection just hangs.

    I think additional rules need to be added such as STARTTLS and such for the second domain but I'm not sure how to add them properly.

    Any help would be greatly appreciated.

    Thanks in advance!

  • #2
    Hello,

    Please share your smtpFilters.script file (which can be found in the filters sub-directory of the working directory).

    BR,
    Ioan



    • #3
      event onConnect {
      set (allowedCountries_0, " ");
      set (bannedCountries_0, "");
      set (isGeoIPBanned_0, "%isGeoIPBanned%");
      set (GeoIPResult_0, "%GeoIPResult%");
      call (WA_Acceptance_basic_banner);
      call (smtpbanner1);
      call (smtpbanner2);
      call (smtpbanner1v6);
      call (smtpbanner2v6);
      }

      event onEhlo {
      call (WA_Routing_basic_delivery);
      call (WA_Greylisting);
      call (WA_Acceptance_basic);
      call (checkSPF);
      call (WA_AntiSpam_SPF_OnEhlo_Fail);
      call (WA_AntiSpam_SPF_OnEhlo_Err);
      call (WA_AntiSpam_SPF_OnEhlo_None);
      call (wizard_generated_relay);
      }

      event onMailFrom {
      call (checkSPF);
      call (WA_AntiSpam_SPF_Fail);
      call (WA_AntiSpam_SPF_Err);
      call (WA_AntiSpam_SPF_None);
      call (Exceptions_Greylisting);
      call (Exceptions_SPF);
      }

      event onRcptTo {
      }

      event onHeadersReceived {
      }

      event onBodyChunk {
      }

      event onDataReceived {
      call (Check_DomainKeys_and_DKIM);
      }

      event onRelay {
      call (WA_Routing_basic);
      call (smtprelay2);
      }

      event onDeliveryFailure {
      }

      event onTemporaryDeliveryFailure {
      }

      event onProcessing {
      call (DomainSign-example1_com);
      call (DomainSign-example2_com);
      }

      method WA_Acceptance_basic_banner {
      }

      method WA_GeoIP {
      if (
      anyOf (
      isCase (isGeoIPBanned_0, "no")
      )
      ) {
      }
      }

      method smtpbanner1 {
      if (
      anyOf (
      ipRange (smtpIP, "X.X.X.1-X.X.X.1")
      )
      ) {
      set (smtpGreeting, "mail.example1.com");
      }
      }

      method smtpbanner2 {
      if (
      anyOf (
      ipRange (smtpIP, "X.X.X.2-X.X.X.2")
      )
      ) {
      set (smtpGreeting, "mail.example2.com");
      }
      }

      method smtpbanner1v6 {
      if (
      anyOf (
      ipRange (smtpIP, "2001:X:X:X:X:X:X:1-2001:X:X:X:X:X:X:1")
      )
      ) {
      set (smtpGreeting, "mail.example1.com");
      }
      }

      method smtpbanner2v6 {
      if (
      anyOf (
      ipRange (smtpIP, "2001:X:X:X:X:X:X:2-2001:X:X:X:X:X:X:2")
      )
      ) {
      set (smtpGreeting, "mail.example2.com");
      }
      }

      method WA_Routing_basic_delivery {
      set (remoteDelivery, "auth");
      }

      method WA_Greylisting {
      set (activateGreylisting, "yes");
      }

      method WA_Acceptance_basic {
      set (maxDataSize, "10240");
      set (maxReceivedHeaders, "30");
      set (maxRcptCount, "1000");
      set (waitProcessingTimeout, "10");
      set (allowStartTLS, "yes");
      set (allow8bitMime, "yes");
      set (allowBinaryData, "yes");
      set (allowPipelining, "yes");
      set (localDelivery, "all");
      }

      method WA_AntiSpam_SPF_OnEhlo_Fail {
      if (
      anyOf (
      isCase (SPFResult, "fail")
      )
      ) {
      set (smtpAction, "reject");
      set (smtpExplanation, "SPF check failed for <%ehloHost%> with result <%SPFResult%>: <%SPFExplanation%>");
      }
      }

      method WA_AntiSpam_SPF_OnEhlo_Err {
      if (
      anyOf (
      isCase (SPFResult, "temperror"),
      isCase (SPFResult, "permerror")
      )
      ) {
      }
      }

      method WA_AntiSpam_SPF_OnEhlo_None {
      if (
      anyOf (
      isCase (SPFResult, "none")
      )
      ) {
      }
      }

      method wizard_generated_relay {
      if (
      anyOf (
      ipRange (remoteSmtpIp, "X.X.X.1/255.255.255.248"),
      ipRange (remoteSmtpIp, "127.0.0.1/255.0.0.0")
      )
      ) {
      set (remoteDelivery, "all");
      }
      }

      method WA_AntiSpam_SPF_Fail {
      if (
      anyOf (
      isCase (SPFResult, "fail")
      )
      ) {
      set (smtpAction, "reject");
      set (smtpExplanation, "SPF check failed for <%ehloHost%> with result <%SPFResult%>: <%SPFExplanation%>");
      }
      }

      method WA_AntiSpam_SPF_Err {
      if (
      anyOf (
      isCase (SPFResult, "temperror"),
      isCase (SPFResult, "permerror")
      )
      ) {
      }
      }

      method WA_AntiSpam_SPF_None {
      if (
      anyOf (
      isCase (SPFResult, "none")
      )
      ) {
      }
      }

      method WA_DNS_Checks_RDNS {
      if (
      anyOf (
      isCase (ReverseDNSResult, "neutral"),
      isCase (ReverseDNSResult, "fail")
      )
      ) {
      set (smtpAction, "reject");
      set (smtpExplanation, "Reverse DNS check failed for <%ehloHost%> connected from <%remoteSmtpIp%>");
      }
      }

      method WA_DNS_Checks_MX {
      if (
      anyOf (
      isCase (SenderMXCheckResult, "fail")
      )
      ) {
      set (smtpAction, "reject");
      set (smtpExplanation, "Sender domain <%mailFromDomain%> has no DNS MX entry");
      }
      }

      method Exceptions_Greylisting {
      if (
      anyOf (
      ipRange (remoteSmtpIP, "127.0.0.1-127.0.0.1"),
      isCase (mailFromDomain, "gmail.com"),
      isCase (mailFromDomain, "yahoo.com")
      )
      ) {
      set (activateGreylisting, "no");
      }
      }

      method Exceptions_SPF {
      if (
      anyOf (
      isCase (mailFromDomain, "domain1.tld"),
      isCase (mailFromDomain, "domain2.tld")
      )
      ) {
      set (smtpAction, "accept");
      set (smtpExplanation, "Accepted due to requested SPF exception");
      }
      }

      method Check_DomainKeys_and_DKIM {
      call (checkDomainKeys);
      call (checkDKIM);
      }

      method WA_Routing_basic {
      set (sslEnabled, "no");
      set (localInterface, "0.0.0.0");
      set (allowStartTLS, "yes");
      set (allowedSSLVersions, "ssl3 tls1 tls11 tls12 ");
      }

      method smtprelay2 {
      if (
      allOf (
      isCase (mailFromDomain, "example2.com")
      )
      ) {
      set (localInterface, "X.X.X.2");
      set (allowStartTLS, "yes");
      }
      }

      method DomainSign-example1_com {
      if (
      allOf (
      isCase (mailFromDomain, "example1.com"),
      not (
      is (authUser, "")
      )
      )
      ) {
      set (DKSignerSelector, "2016");
      set (DKIMSignerSelector, "2016");
      set (DKSignerKey, "/var/opt/axigen/dkim.privkey.example1_com.pem");
      set (DKIMSignerKey, "/var/opt/axigen/dkim.privkey.example1_com.pem");
      call (signDomainKeys);
      call (signDKIM);
      }
      }

      method DomainSign-example2_com {
      if (
      allOf (
      isCase (mailFromDomain, "example2.com"),
      not (
      is (authUser, "")
      )
      )
      ) {
      set (DKSignerSelector, "2018");
      set (DKIMSignerSelector, "2018");
      set (DKSignerKey, "/var/opt/axigen/dkim.privkey.example2_com.pem");
      set (DKIMSignerKey, "/var/opt/axigen/dkim.privkey.example2_com.pem");
      call (signDomainKeys);
      call (signDKIM);
      }
      }

      event onConnect {
      set (allowedCountries_0, " ");
      set (bannedCountries_0, "");
      set (isGeoIPBanned_0, "%isGeoIPBanned%");
      set (GeoIPResult_0, "%GeoIPResult%");
      call (WA_Acceptance_basic_banner);
      }

      event onEhlo {
      call (WA_Greylisting);
      call (WA_Acceptance_basic);
      }

      event onMailFrom {
      call (checkSPF);
      call (WA_AntiSpam_SPF_Fail);
      call (WA_AntiSpam_SPF_Err);
      call (WA_AntiSpam_SPF_None);
      call (Exceptions_Greylisting);
      call (Exceptions_SPF);
      }

      event onRcptTo {
      }

      event onHeadersReceived {
      }

      event onBodyChunk {
      }

      event onDataReceived {
      call (Check_DomainKeys_and_DKIM);
      }

      event onRelay {
      }

      event onDeliveryFailure {
      }

      event onTemporaryDeliveryFailure {
      }

      event onProcessing {
      }

      method WA_GeoIP {
      if (
      anyOf (
      isCase (isGeoIPBanned_0, "no")
      )
      ) {
      }
      }

      method WA_Acceptance_basic_banner {
      }

      method WA_AntiSpam_SPF_Fail {
      if (
      anyOf (
      isCase (SPFResult, "fail")
      )
      ) {
      set (smtpAction, "reject");
      set (smtpExplanation, "SPF check failed for <%ehloHost%> with result <%SPFResult%>: <%SPFExplanation%>");
      }
      }

      method WA_AntiSpam_SPF_Err {
      if (
      anyOf (
      isCase (SPFResult, "temperror"),
      isCase (SPFResult, "permerror")
      )
      ) {
      }
      }

      method WA_AntiSpam_SPF_None {
      if (
      anyOf (
      isCase (SPFResult, "none")
      )
      ) {
      }
      }

      method WA_AntiSpam_SPF_OnEhlo_Fail {
      if (
      anyOf (
      isCase (SPFResult, "fail")
      )
      ) {
      set (smtpAction, "reject");
      set (smtpExplanation, "SPF check failed for <%ehloHost%> with result <%SPFResult%>: <%SPFExplanation%>");
      }
      }

      method WA_AntiSpam_SPF_OnEhlo_Err {
      if (
      anyOf (
      isCase (SPFResult, "temperror"),
      isCase (SPFResult, "permerror")
      )
      ) {
      }
      }

      method WA_AntiSpam_SPF_OnEhlo_None {
      if (
      anyOf (
      isCase (SPFResult, "none")
      )
      ) {
      }
      }

      method WA_Greylisting {
      set (activateGreylisting, "yes");
      }

      method WA_Acceptance_basic {
      set (maxDataSize, "10240");
      set (maxReceivedHeaders, "30");
      set (maxRcptCount, "1000");
      set (waitProcessingTimeout, "10");
      set (allowStartTLS, "yes");
      set (allow8bitMime, "yes");
      set (allowBinaryData, "yes");
      set (allowPipelining, "yes");
      set (localDelivery, "all");
      }

      method WA_DNS_Checks_RDNS {
      if (
      anyOf (
      isCase (ReverseDNSResult, "neutral"),
      isCase (ReverseDNSResult, "fail")
      )
      ) {
      set (smtpAction, "reject");
      set (smtpExplanation, "Reverse DNS check failed for <%ehloHost%> connected from <%remoteSmtpIp%>");
      }
      }

      method WA_DNS_Checks_MX {
      if (
      anyOf (
      isCase (SenderMXCheckResult, "fail")
      )
      ) {
      set (smtpAction, "reject");
      set (smtpExplanation, "Sender domain <%mailFromDomain%> has no DNS MX entry");
      }
      }

      method Exceptions_Greylisting {
      if (
      anyOf (
      ipRange (remoteSmtpIP, "127.0.0.1-127.0.0.1"),
      isCase (mailFromDomain, "gmail.com"),
      isCase (mailFromDomain, "yahoo.com")
      )
      ) {
      set (activateGreylisting, "no");
      }
      }

      method Exceptions_SPF {
      if (
      anyOf (
      isCase (mailFromDomain, "domain1.tld"),
      isCase (mailFromDomain, "domain2.tld")
      )
      ) {
      set (smtpAction, "accept");
      set (smtpExplanation, "Accepted due to requested SPF exception");
      }
      }

      method Check_DomainKeys_and_DKIM {
      call (checkDomainKeys);
      call (checkDKIM);
      }
      Last edited by kolpinkb; 03-21-2018, 03:23 PM.



      • #4
        Hello,

        Could you confirm if both IPv4 and IPv6 addresses intended to be used for domain2 are sharing the same network interface?

        Basically, by using the action set (localInterface, "X.X.X.2") you are configuring Axigen to select the network interface on which address X.X.X.2 is defined and use it when initiating the SMTP-OUT session.

        If you still are facing problems, could you share a fresh Axigen log (please set before DNR, PROCESSING and SMTP-OUT log level to Protocol Communication) in order to be checked by our dev team?

        BR,
        Ioan



        • #5
          Hi Ioan,

          Thank you for getting back to me. I'm sorry I'm responding almost two months later. The email part of my IPv6 deployment was put on hold. I have done what you asked above to enable more verbose log file entries. To whom may I send the log files? I would prefer not to post them on this public forum.

          Thanks,

          Kris



          • #6
            I also noticed the following in my logs:
            Code:
            2018-03-20 22:18:53 -0400 02 mail SMTP-OUT:00000001: Unable to perform STARTTLS
            2018-03-20 22:18:53 -0400 08 mail SMTP-OUT:00000001: Disconnected from 2001:4b98:dc2:90:217:70:186:186
            2018-03-20 22:18:53 -0400 08 mail SMTP-OUT:00000001: Use 217.70.186.186 to relay mail 1C0D5C for domain support.gandi.net
            2018-03-20 22:18:53 -0400 02 mail SMTP-OUT:00000000: Relay mail 1C0D5C: cannot deliver to IPv4 host 217.70.186.186 using IPv6 local interface 2001:470:1d:1a4:XXXX:XXXX:XXXX:XXXX
            2018-03-20 22:18:53 -0400 08 mail SMTP-OUT:00000001: Relay mail 1C0D5C: no more relays for support.gandi.net
            2018-03-20 22:18:53 -0400 04 mail SMTP-OUT:00000001: Delivery attempt completed for mail 1C0D5C; 1 recipients remaining; reschedule for delivery
            2018-03-20 22:18:53 -0400 08 mail SMTP-OUT:00000001: Set mail state to SEND FAILURE



            • #7
              Hello,

              Could you confirm if both IPv4 and IPv6 addresses intended to be used for domain2 are sharing the same network interface?

              Best regards,
              Ioan



              • #8
                Yes, there is only one physical network interface on my system. However, there are additional static IPv4 and IPv6 IPs assigned to the same interface. Everything works fine on all of the other Axigen components such as webmail, webadmin, and others. I did some more digging and I think I have an idea about what is happening.

                See the following log:
                Code:
                2018-03-20 22:13:52 -0400 08 mail PROCESSING:001C0D5C: Relay mail 1C0D5C: found IPv4 MX entry 217.70.182.71 for domain support.gandi.net with priority 10
                2018-03-20 22:13:52 -0400 08 mail PROCESSING:001C0D5C: Relay mail 1C0D5C: found IPv4 MX entry 217.70.186.186 for domain support.gandi.net with priority 30
                2018-03-20 22:13:52 -0400 08 mail PROCESSING:001C0D5C: Relay mail 1C0D5C: found IPv6 MX entry 2001:4b98:dc2:90:217:70:186:186 for domain support.gandi.net with priority 30
                2018-03-20 22:13:52 -0400 08 mail PROCESSING:001C0D5C: Use 217.70.182.71 to relay mail 1C0D5C for domain support.gandi.net
                2018-03-20 22:13:52 -0400 02 mail SMTP-OUT:00000000: Relay mail 1C0D5C: cannot deliver to IPv4 host 217.70.182.71 using IPv6 local interface 2001:470:1d:1a4:XXXX:XXXX:XXXX:XXXX
                2018-03-20 22:13:52 -0400 08 mail PROCESSING:001C0D5C: Use 2001:4b98:dc2:90:217:70:186:186 to relay mail 1C0D5C for domain support.gandi.net

                Because support.gandi.net does not have an equivalent IPv6 MX record with priority 10, Axigen (using its IPv6 address) tries to deliver to the IPv4 MX record with priority 10. I think Axigen should deliver to the lower priority MX record and stay IPv6. Google, for example, has equivalent priority MX records for all IPv4 and IPv6 records. There will be cases where some recipient servers have IPv4 MX records set higher than IPv6 records and Axigen needs to be able to deal with this.
                Last edited by indreias; 03-22-2018, 06:20 PM. Reason: format log as code



                • #9
                  Hello,

                  I understand that you have only one physical network interface, let's call it eth0. Assuming that you have created additional virtual network interfaces on top of it (via IP aliasing) you will have eth0:1, eth0:2, etc. In this way you will dedicate a virtual interface to each domain so you can specify its own set of (IPv4, IPv6) addresses to be used for SMTP outgoing traffic.

                  What you have to know is that when you are selecting a specific local interface (via the SMTP advanced rules) you are selecting the network interface (physical or virtual) on which the mentioned IP (v4 or v6) address is configured.

                  Now, it is mandatory that on the interface that has been selected (let's say it was eth0:5) both IPv4 AND IPv6 addresses are defined, otherwise you will experience errors similar to the one reported above.

                  Does that make sense?

                  Best regards,
                  Ioan



                  • #10
                    Hi Ioan,

                    Thanks for your reply. Ubuntu did away with virtual interfaces a while ago for IPv4 addresses. Multiple IPv4 addresses can be aliased to the same "eth0", i.e. no more eth0:1, eth0:2, etc. As for IPv6, this has been built into the spec since its inception.

                    Everything works in this configuration except SMTP. Web mail works, web admin works, imap works. They all respond with the appropriate domain for a given IPv4/IPv6 address pair.



                    • #11
                      Hello,

                      Please understand that WebMail, WebAdmin, IMAP and POP3 are all incoming protocols.

                      Your problem is with the SMTP-OUT service (used for outgoing connections), where you could not select the desired interface and are facing IPv4/IPv6 routing issues.

                      In order to refer to your specific configuration, please share your network configuration (like the output of the ip address command) and any other information you consider relevant to your particular installation.

                      Basically you should have a network configuration where both the IPv4 and IPv6 addresses you would like to use for a particular domain are configured on the same network interface.

                      Looking forward to your data.

                      Best regards,
                      Ioan
                      Last edited by indreias; 03-26-2018, 05:47 PM.



                      • #12
                        Hi Ioan,

                        Thank you for the clarification on the incoming protocols. Please find below the additional information you requested regarding my network configuration. I have obfuscated the IP address and DNS info slightly.

                        user1@mail:~$ ip addr
                        1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
                        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
                        inet 127.0.0.1/8 scope host lo
                        valid_lft forever preferred_lft forever
                        inet6 ::1/128 scope host
                        valid_lft forever preferred_lft forever
                        2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
                        link/ether XX:XX:XX:XX:XX:40 brd ff:ff:ff:ff:ff:ff
                        inet XXX.XXX.XXX.52/28 brd XXX.XXX.XXX.63 scope global enp6s0
                        valid_lft forever preferred_lft forever
                        inet XXX.XXX.XXX.53/28 brd XXX.XXX.XXX.63 scope global secondary enp6s0
                        valid_lft forever preferred_lft forever
                        inet XXX.XXX.XXX.54/28 brd XXX.XXX.XXX.63 scope global secondary enp6s0
                        valid_lft forever preferred_lft forever
                        inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:3bab/128 scope global
                        valid_lft forever preferred_lft forever
                        inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:3bac/128 scope global
                        valid_lft forever preferred_lft forever
                        inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:3baa/128 scope global
                        valid_lft forever preferred_lft forever
                        inet6 fe80::XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:a740/64 scope link
                        valid_lft forever preferred_lft forever


                        user1@mail:~$ sudo vi /etc/network/interfaces
                        [sudo] password for user1:
                        user1@mail:~$ sudo vi /etc/network/interfaces
                        # This file describes the network interfaces available on your system
                        # and how to activate them. For more information, see interfaces(5).

                        source /etc/network/interfaces.d/*

                        # The loopback network interface
                        auto lo
                        iface lo inet loopback
                        iface lo inet6 loopback

                        # The primary network interface
                        auto enp6s0
                        iface enp6s0 inet dhcp
                        iface enp6s0 inet static
                        address XXX.XXX.XXX.53/28
                        iface enp6s0 inet static
                        address XXX.XXX.XXX.54/28

                        iface enp6s0 inet6 dhcp

                        dns-nameservers XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:b349
                        dns-nameservers 192.171.62.57
                        dns-search example1.com
                        dns-domain example1.com

                        iface enp6s0 inet6 static
                        address XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:3bab
                        netmask 128

                        iface enp6s0 inet6 static
                        address XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:3bac
                        netmask 128

                        Thanks for your help so far. It's much appreciated.

                        Kris



                        • #13
                          Hello Kris,

                          I had time to double check all the information you have shared so far on this thread, and after a session with one of our developers we confirmed that forcing a set of IPv4 and IPv6 addresses for a specific domain for SMTP-OUT connections is not possible.

                          As you have noticed, you can set only one localInterface value and, besides having errors like the one reported here, the issue is that you'll be unable to send to IPv4-only domains if you are setting an IPv6 address.

                          This limitation will be addressed in one of our next releases (but not in 10.2, which is planned to be released by the end of this month) and I'll post an update here when any news about this matter is available.

                          Thank you for your patience and for sharing the configuration you are currently using.

                          Best regards,
                          Ioan
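
The limitation confirmed in #13, modelled as an added Python example (not Axigen code and not written by anyone in this thread): with a single IPv6 source address, as one `localInterface` value allows, every IPv4 MX is unreachable, while a per-family source pair keeps all MX hosts usable. The MX list is taken from the log in #8; `DOMAIN2_V4`, `DOMAIN2_V6` and all function names are assumptions made for the illustration.

```python
import ipaddress
import smtplib
from typing import NamedTuple, Optional


class MX(NamedTuple):
    preference: int  # lower value is tried first
    address: str


class Attempt(NamedTuple):
    destination: str
    source: Optional[str]  # None: no local address of the destination's family
    note: str


# MX addresses and preferences copied from the PROCESSING log lines in post #8.
GANDI_MX = [
    MX(10, "217.70.182.71"),
    MX(30, "217.70.186.186"),
    MX(30, "2001:4b98:dc2:90:217:70:186:186"),
]

# Constructed documentation addresses standing in for domain 2's obfuscated pair.
DOMAIN2_V4 = "192.0.2.54"
DOMAIN2_V6 = "2001:db8::3bac"


def plan_delivery(mx_hosts, local_addresses):
    """Pair each MX address with the local source address of the same family."""
    by_family = {}
    for addr in local_addresses:
        ip = ipaddress.ip_address(addr)
        by_family.setdefault(ip.version, str(ip))  # first address per family wins

    attempts = []
    for mx in sorted(mx_hosts, key=lambda m: m.preference):  # stable on ties
        dest = ipaddress.ip_address(mx.address)
        source = by_family.get(dest.version)
        if source is None:
            note = f"skip: no IPv{dest.version} source for IPv{dest.version} host {dest}"
        else:
            note = f"bind {source}"
        attempts.append(Attempt(str(dest), source, note))
    return attempts


def usable(attempts):
    """Destinations that can actually be dialled from a matching source."""
    return [a.destination for a in attempts if a.source is not None]


def open_smtp(attempt, timeout=10):
    """Connect to port 25 from the chosen source (needs network; not run below)."""
    if attempt.source is None:
        raise ValueError(attempt.note)
    return smtplib.SMTP(attempt.destination, 25, timeout=timeout,
                        source_address=(attempt.source, 0))


if __name__ == "__main__":
    for label, sources in (("IPv6 only", [DOMAIN2_V6]),
                           ("IPv4 + IPv6", [DOMAIN2_V4, DOMAIN2_V6])):
        print(label)
        for a in plan_delivery(GANDI_MX, sources):
            print(f"  {a.destination:<34} {a.note}")
```
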



                          • #14
                            Hi Ioan,

                            I'm glad to hear that you and your team were able to identify the issue. I'm looking forward to testing it in a future release.

                            Thanks,

                            Kris

