Nightmare IPv6: How to disable IPv6 in FreeBSD

Hi,

after renting a server that has been assigned an IPv6 address in addition to an IPv4 address, I am getting an increasing number of email undeliverable responses when using sendmail in my FreeBSD 13 environment, citing some IPv6 reason.

For example:
554 5.7.1 The sending mail server at XXXX:4f8:212:XXXX::2 does not have a reverse (address-to-name) DNS entry cf http://en.wikipedia.org/wiki/Reverse_DNS_lookup
554 5.0.0 Service unavailable
However, the PTR was set in the Hetzner Robot Console.

What is the fastest way to throw out all the IPv6 stuff in FreeBSD? In Linux it is supposed to be sufficient even to kill a certain process.

Thanks in advance and kind regards
Sidney2017
 
ifconfig(8)

However you should be able to configure IPv6 reverse DNS name in Hetzner...
 
try

e.g. if your IPv4 address is 1.2.3.4, specify (sendmail.mc):
CLIENT_OPTIONS(`Family=inet6,Addr=::ffff:1.2.3.4')dnl

Hi,

unfortunately this did not work for me: after inserting that CLIENT_OPTIONS line into my sendmail.mc and rebuilding the .cf, I got the following message in /var/log/maillog when restarting sendmail:
mydomain [84423]: gethostbyaddr(IPv6:XXXX:4f8:XXX:12XX:0:0:0:2) failed: 1

Here another returned mail with a similar meaning like the one in my first post:
<<< 550-5.7.1 [XXXX:4f8:XXX:12XX::2] Our system has detected that this message does
<<< 550-5.7.1 not meet IPv6 sending guidelines regarding PTR records and
<<< 550-5.7.1 authentication. Please review
<<< 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information
<<< 550 5.7.1 . g17si26341879wrs.732 - gsmtp
554 5.0.0 Service unavailable

I tried it with ipv6_activate_all_interfaces="NO" in my rc.conf, but also without success!

So the question still is how to "ban" IPv6 from my FreeBSD or sendmail?

Kind regards
Sidney2017
 
Do you have a line something like:

ifconfig_vtnet0_ipv6="inet6 accept_rtadv" ?

Remove it!

Note, you need to restart the networking for this to take effect... Easiest way is to just reboot the machine.

As for sendmail, you should see these lines in your sendmail.cf:

O ClientPortOptions=Family=inet, Address=a.b.c.d
O DaemonPortOptions=Name=MTA, M=h, Family=inet, Address=a.b.c.d

and no other ClientPortOptions / DaemonPortOptions lines.

P.S. IPv6 isn't a nightmare. It seems you need to direct your anger at your dns provider!
 
Do you have a line something like:

ifconfig_vtnet0_ipv6="inet6 accept_rtadv" ?
No!
Remove it!

Note, you need to restart the networking for this to take effect... Easiest way is to just reboot the machine.

I use
service netif restart && service routing restart

As for sendmail, you should see these lines in your sendmail.cf:

O ClientPortOptions=Family=inet, Address=a.b.c.d
O DaemonPortOptions=Name=MTA, M=h, Family=inet, Address=a.b.c.d

On another FreeBSD server that has not been assigned an IPv6 address, the following is entered in sendmail.cf:

O DaemonPortOptions=Name=IPv4,Family=inet
O DaemonPortOptions=Port=587, Name=MSA, M=E


And this works fine for years. That's why I added these entries to the sendmail.cf also on the machine with IPv6

I replaced those lines with the ones you mentioned and restarted sendmail!
sendmail still seems to work but I still get the "returned mails: see transcript for details" message which I already mentioned in my initial post and here.

By the way: When restarting sendmail you get following error message in /var/maillog:
sendmail[3848]: gethostbyaddr(IPv6:XXX:4f8:XXX:XXX:0:0:0:2) failed: 1

So the problem obviously indeed has to do with the fact that the IPv6 address cannot be resolved to a corresponding reverse DNS entry.

IPv6 isn't a nightmare. It seems you need to direct your anger at your dns provider!

I guess you are right but I need a solution as soon as possible.

Kind regards
Sidney2017
 
No!


I use
service netif restart && service routing restart

I can't remember off hand if that is sufficient! :)

Can you post the contents of /etc/rc.conf ?

On another FreeBSD server that has not been assigned an IPv6 address, the following is entered in sendmail.cf:

O DaemonPortOptions=Name=IPv4,Family=inet
O DaemonPortOptions=Port=587, Name=MSA, M=E


And this works fine for years. That's why I added these entries to the sendmail.cf also on the machine with IPv6

It's been suggested that you are using sendmail from ports.. Don't take offence, but are you sure you're editing the files for the sendmail port and not the base sendmail (i.e. not /etc/mail but /usr/local/etc/....) ?

I replaced those lines with the ones you mentioned and restarted sendmail!
sendmail still seems to work but I still get the "returned mails: see transcript for details" message which I already mentioned in my initial post and here.

By the way: When restarting sendmail you get following error message in /var/maillog:


So the problem obviously indeed has to do with the fact that the IPv6 address cannot be resolved to a corresponding reverse DNS entry.

From sendmail's point of view, that is a warning. That doesn't break sendmail, but of course, as you're aware, most remote mail servers will reject messages from an IPv6 address without a valid AAAA.

I guess you are right but I need a solution as soon as possible.

Kind regards
Sidney2017

A bit of overkill, but you could add:

ipfw add 50 reset ip6 from any to any via <enter the ID of your ethernet interface>

If you don't have ipfw loaded, you can use kldload ipfw

but beware that you'll end up locking out all IP access unless you add something like

ipfw add 100 allow ip from any to any

so, put the 3 lines in a script to run!
 
Hi,

thanks for all your hints and recommendations!

In order to be able to make some tests, I need to know how I can track the communication between my sendmail and the receiving mail server.

For example:

I use Thunderbird with Windows 10
SENDER: sidney@mydomain.com (IP 1.2.3.4)
SMTP-Server: mail.mydomain.com (IP 1.2.3.4) Port 587 or another one of my domains (mail.myotherdomain with IP 1.2.3.4).

and send an email to user@receiverdomain.tld.

Now I want to see exactly the server-side "traffic" under FreeBSD between my sendmail and receiverdomain.tld, in order to see which FQDN my sendmail uses for EHLO etc. when sending my mail to user@receiverdomain.tld.
How can I do this?


Background: I have several domains for which IP 1.2.3.4 is set in DNS. The MX-Record points to 1.2.3.4 too.
I never had problems setting up accounts in my Thunderbird like sidney@mydomainXY.tld, smtp.mydomainXY.tld:587 while the PTR is set to a totally different one of my domains, not mydomainXY.tld.

This never resulted in returned mails related to eDNS issues etc.
But in those cases IPv6 was not enabled on the server managing those domains.


Kind regards and thanks again
Sidney2017
 
O LogLevel=33 will log smtp handshakes
33 is pulled out of the ... but it does the job
Code:
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-host.dom Hello [2.56.57.170], pleased to meet you
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-ENHANCEDSTATUSCODES
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-PIPELINING
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-8BITMIME
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-SIZE 50000000
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-ETRN
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-AUTH LOGIN
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-STARTTLS
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-DELIVERBY
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250 HELP
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: <-- AUTH LOGIN
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 334 VXNlcm5hbWU6
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 334 UGFzc3dvcmQ6
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 535 5.7.0 authentication failed
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed,
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: <-- QUIT
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 221 2.0.0 host.dom closing connection
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: Milter (spamassassin): quit filter
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: Milter (sentinel): quit filter
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: Milter (clmilter): quit filter
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: Milter (dkim-filter): quit filter
 
TL;DR:
Also check which IP is assigned to your outgoing traffic, with something like
curl http://ipinfo.io/ip
Maybe your ISP is sending through IPv6 by default.
 
Indeed I think that the main factor for my problem is that activated IPv6 support on the Hetzner machine results in prioritising IPv6 even if you do not want to use it for sendmail.

In the meantime, Hetzner support has explained to me how to enter an eDNS in the Robot for the IPv6 address as well. It is a tiny PLUS symbol, so different from the IPv4 eDNS-address field in the Robot webif. And you must not forget then to set the AAAA entry for that IPv6 address in DNS. Since then, at least the emails to xy@gmail.com go through without the error message mentioned at the beginning.

On the other hand, the emails to xy@t-online.tld still come back. However, I assume that the IP of my server is on a blacklist of t-online meanwhile.

Today I tested the whole thing on another Hetzner server, which also includes IPv6 for free. On this server, the problems discussed at the beginning do NOT appear. However, on this server, at least in rc.conf, IPv6 is not bound to the network card, which confirms my suspicion that the whole issue is ultimately due to IPv6 only:

IF it is enabled, you quickly fall into the prioritization trap and various things have to be taken into account, such as the eDNS record for the IPv6 address and the AAAA in DNS.

I'll have to see what command I can use to find out if the FreeBSD kernel on this machine might not have been built with IPv6 support.

Kind regards
Sidney2017
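The PTR plus AAAA requirement described above is the forward-confirmed reverse DNS (FCrDNS) check that receivers such as Gmail apply. The following is an added Python example, not code from this thread: it runs that check for one address of either family and names the step that fails. The resolver callbacks, the hostname mail.example.net and the 2001:db8:: addresses are constructed assumptions so that it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Resolver callbacks are injected so the check can run offline against
# constructed data; the defaults use the system resolver via the socket module.
PtrLookup = Callable[[str], Optional[str]]    # address -> PTR name, or None
AddrLookup = Callable[[str], Iterable[str]]   # name -> A/AAAA addresses

def system_ptr(addr: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_addrs(name: str) -> list:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_fcrdns(addr: str, helo_name: str,
                 ptr: PtrLookup = system_ptr, addrs: AddrLookup = system_addrs) -> dict:
    """Forward-confirmed reverse DNS: PTR(addr) must name a host whose A (IPv4)
    or AAAA (IPv6) record contains addr, and that name should be the HELO/EHLO name."""
    ip = ipaddress.ip_address(addr)
    record = "AAAA" if ip.version == 6 else "A"
    name = ptr(str(ip))
    result = {"address": str(ip), "family": "IPv%d" % ip.version, "ptr": name,
              "forward_ok": False, "helo_match": False, "problem": None}
    if name is None:
        # This is the case behind "554 5.7.1 ... does not have a reverse DNS entry".
        result["problem"] = "no PTR record for %s" % ip
        return result
    forward = {ipaddress.ip_address(a) for a in addrs(name)}
    result["forward_ok"] = ip in forward
    result["helo_match"] = name.rstrip(".").lower() == helo_name.rstrip(".").lower()
    if not result["forward_ok"]:
        result["problem"] = "PTR names %s but its %s record does not contain %s" % (name, record, ip)
    elif not result["helo_match"]:
        result["problem"] = "PTR name %s differs from HELO name %s" % (name, helo_name)
    return result

# Constructed zone data (documentation addresses, not the thread's real host):
# 1.2.3.4 is fully set up, 2001:db8::2 has no PTR (the initial state in the thread),
# 2001:db8::3 has a PTR but no matching AAAA (PTR added, AAAA record forgotten).
FAKE_PTR = {"1.2.3.4": "mail.example.net", "2001:db8::3": "mail.example.net"}
FAKE_ADDRS = {"mail.example.net": ["1.2.3.4"]}

def demo_check(addr: str) -> dict:
    return check_fcrdns(addr, "mail.example.net",
                        ptr=lambda a: FAKE_PTR.get(a), addrs=lambda n: FAKE_ADDRS.get(n, []))
```

Against a real host, call check_fcrdns with the server's IPv6 address and its HELO name and leave the default system resolvers in place.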
 
O LogLevel=33 will log smtp handshakes
33 is pulled out of the ... but it does the job
Code:
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-host.dom Hello [2.56.57.170], pleased to meet you
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-ENHANCEDSTATUSCODES
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-PIPELINING
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-8BITMIME
...

Hi covacat,

is this logged in /maillog?

Thanks and regards
Sidney2017
 
...
It's been suggested that you are using sendmail from ports.. Don't take offence, but are you sure you're editting the files for the sendmail port and not the base sendmail (i.e. not /etc/mail but /usr/local/etc/....) ?
Hi Jamie,

yes, I am sure!

/usr/src/etc/sendmail/freebsd.mc from which the actual configuration file /etc/mail/sendmail.cf is created!

I had to build sendmail with the port to get rid of that "PICKY-HELO-CHECK".


Best regards
Sidney2017
 
O LogLevel=33 will log smtp handshakes
33 is pulled out of the ... but it does the job
Code:
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-host.dom Hello [2.56.57.170], pleased to meet you
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-ENHANCEDSTATUSCODES
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-PIPELINING
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-8BITMIME
Jan  7 00:45:28 ns sm-mta[8978]: 206MjSMj008978: --- 250-SIZE 50000000
...

Hi,

the LogLevel=33 setting works like a charm.

But I wonder if it is normal that the EHLO below mentions my internal LAN IP number 192.168.0.30?

Kind regards
Sidney2017

Jan 7 13:44:16 MyDomain sm-mta[1220]: NOQUEUE: connect from dslb-123-064-456-076.789.064.pools.vodafone-ip.de [1.2.3.4]
Jan 7 13:44:16 MyDomain sm-mta[1220]: AUTH: available mech=SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 OTP NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS, allowed mech=PLAIN LOGIN
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: Milter: no active filter
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 220 mail.MyDomain.de ESMTP Sendmail 8.17.1/8.16.1; Fri, 7 Jan 2022 13:44:16 +0100 (CET)
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: <-- EHLO [192.168.0.30]
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250-mail.MyDomain.de Hello dslb-123-064-456-076.789.064.pools.vodafone-ip.de [1.2.3.4], pleased to meet you
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250-ENHANCEDSTATUSCODES
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250-PIPELINING
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250-8BITMIME
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250-SIZE
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250-DSN
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250-AUTH PLAIN LOGIN
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250-STARTTLS
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250-DELIVERBY
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 250 HELP
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: <-- STARTTLS
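To read the LogLevel=33 dialogue the way covacat's excerpt and the one above show it (`<--` for commands the peer sent, `---` for sendmail's replies), here is an added Python example that is not from the thread: it groups lines by queue ID, extracts the HELO/EHLO name, flags an address literal such as [192.168.0.30] that names a private address, and lists any 5xx replies. The sample log, its hostnames and queue IDs are constructed, modelled on the quoted format.

```python
import ipaddress
import re
from collections import defaultdict

# One sm-mta dialogue line as logged with O LogLevel=33 (format from the thread's excerpts).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sm-mta\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<dir><--|---) (?P<text>.*)$"
)

def helo_literal_is_private(arg: str) -> bool:
    """True when the EHLO/HELO argument is an address literal ([a.b.c.d] or
    [IPv6:...]) naming a private or link-local address, e.g. a LAN client."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return False
    raw = arg[1:-1]
    if raw.upper().startswith("IPV6:"):
        raw = raw[5:]
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return False
    return ip.is_private or ip.is_link_local

def parse_sessions(log_text: str) -> dict:
    """Group dialogue lines by queue ID and extract the HELO/EHLO name and any
    5xx replies sendmail sent, so a session can be read without grep."""
    sessions = defaultdict(lambda: {"host": None, "helo": None,
                                    "helo_private_literal": False,
                                    "rejections": [], "dialogue": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # NOQUEUE, AUTH and Milter lines carry no dialogue
        s = sessions[m["qid"]]
        s["host"] = m["host"]
        s["dialogue"].append((m["dir"], m["text"]))
        if m["dir"] == "<--":
            verb, _, arg = m["text"].partition(" ")
            if verb.upper() in ("EHLO", "HELO"):
                s["helo"] = arg
                s["helo_private_literal"] = helo_literal_is_private(arg)
        elif re.match(r"5\d\d[ -]", m["text"]):
            s["rejections"].append(m["text"][:3])
    return dict(sessions)

# Constructed sample modelled on the thread's excerpts; hosts and queue IDs are made up.
SAMPLE_LOG = """\
Jan  7 13:44:16 mx1 sm-mta[1220]: 207CiGjp001220: <-- EHLO [192.168.0.30]
Jan  7 13:44:16 mx1 sm-mta[1220]: 207CiGjp001220: --- 250-mail.example.net Hello client.example.org [1.2.3.4], pleased to meet you
Jan  7 00:45:28 mx1 sm-mta[8978]: 206MjSMj008978: <-- EHLO relay.example.org
Jan  7 00:45:28 mx1 sm-mta[8978]: 206MjSMj008978: <-- AUTH LOGIN
Jan  7 00:45:28 mx1 sm-mta[8978]: 206MjSMj008978: --- 535 5.7.0 authentication failed
"""
```

Feed it the real /var/log/maillog instead of SAMPLE_LOG to see, per session, what name the peer announced and whether sendmail rejected anything.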
 
Add your hostname with the internal IP to /etc/hosts. The problem here is likely that 192.168.0.30 doesn't reverse resolve.
 
Hello,

thanks for your reply!

I guess that my statements above have come across misleadingly because the IP 192.168.0.30 (my desktop computer) is the internal IP address in my LAN at home and not on the FreeBSD server.

Obviously my Thunderbird email client transmits my desktop PC's IP address while my Thunderbird contacts the SMTP server (sendmail) running on my FreeBSD at Hetzner, and afterwards sendmail seems to pass that IP number 192.168.0.30 to the receiving mail server.

I wonder if this is a normal behaviour?

Kind regards
Sidney2017