[GLLUG] ipv6, privacy addressing, and mail servers.

Andy Smith andy at bitfolk.com
Thu Nov 22 09:29:27 UTC 2018 

Hi Tim,

On Thu, Nov 22, 2018 at 08:41:59AM +0000, Tim Woodall via GLLUG wrote:
> The target mx in question is trying a reverse lookup, that is failing,
> and then the mx is temp-failing my email.

You cannot expect to send an email in today's Internet from an
address that has no reverse DNS. This goes doubly for an IPv6
address because from the start receivers tend to be more strict
about standards for mail from IPv6 addresses. You should not be
putting publicly-accessible Internet servers on privacy addresses.

> What is the 'correct' behaviour?
> 
> 1. I don't want to change privacy addressing - this host also runs a
> squid proxy and I like that the address it uses isn't suitable for
> connecting back to me.
> 
> 2. I could add a wildcard PTR record to einstein - but like 1, this
> makes it easier to determine what address to connect back to me on.
> 
> 3. I could add a wikdcard PTR record that has no matching AAAA record -
> no idea whether this would resolve this issue or not.
> 
> 4. Just say that the target MX is badly configured and ignore the issue.

It's not badly configured.

Even if the receiving network (for example) rejected all mail on
Tuesdays in March it would still not be badly configured because if
they want to reject all mail on Tuesdays in March that is their
business. But temporarily failing (or even outright rejecting) mail
from IPs that have no reverse DNS is extremely common.

May I suggest:

5. Add an extra address to your host that is dedicated to outbound
   mail, set it to have preferred_lft 0 so it is never used as a
   source address for traffic unless forcibly configured that way,
   and configure your MTA to only ever use that address. Then add
   proper reverse DNS for it. That way your mail comes from a known
   address that you have reverse DNS for, but your other traffic
   comes from the privacy addresses.

   For ifupdown (Debian/Ubuntu) this is something like:

   iface eth0 inet6 static
       # […]
       post-up /bin/ip address add 2001:db8::25 dev $IFACE preferred_lft 0

   but in netplan (Ubuntu 18.04+) it's a little more tricky:

   https://bugs.launchpad.net/netplan/+bug/1803203
   https://gist.github.com/grifferz/0421e2876b270bb6816e94e5db37bb2e

> With a handful of exceptions, I'm of the school of thought that 'if
> your mailserver doesn't want my email then I'll respect that and not
> bypass your filtering'

All evidence suggests that they just don't want email from addresses
with no reverse DNS, not that they object to privacy addresses in
any way (they can't tell what is and isn't one). So you could either
give them the reverse DNS they want, or respect their wishes and not
email them. Or Google.

> (But I'm not sure if the IP used by a mailserver should always have a
> PTR record or whether it's just the EHLO host)

Both, in many cases.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

More information about the GLLUG mailing list