Nightmare IPv6: How to disable IPv6 in FreeBSD

I guess that my statements above have come across misleadingly because the IP 192.168.0.30 (my desktop computer) is the internal IP address in my LAN at home and not on the FreeBSD server.
Right, then this does make sense:
Code:
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 220 mail.MyDomain.de ESMTP Sendmail 8.17.1/8.16.1; Fri, 7 Jan 2022 13:44:16 +0100 (CET)
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: <-- EHLO [192.168.0.30]


afterwards sendmail seems to pass that IP number 192.168.0.30 to the receiving mail server.
It won't. The MTA doesn't know or care where the email came from.
 
Right, then this does make sense:
Code:
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 220 mail.MyDomain.de ESMTP Sendmail 8.17.1/8.16.1; Fri, 7 Jan 2022 13:44:16 +0100 (CET)
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: <-- EHLO [192.168.0.30]

Thanks!

I didn't know if it is normal that in the constellation I described, my local IP 182.168.0.30 from my PC shows up in the EHLO in /var/maillog.

Kind regards
Sidney2017
 
sendmail will ignore the ehlo arg and will try to reverse resolve the ip and put it in the answer
iirc sendmail used not to like /etc/hosts and always tried to resolve the ip by dns queries
but try what SirDice said, just add it to /etc/hosts, maybe sendmail's behaviour has changed
Code:
nc myhost.ro 25
220 myhost.ro ESMTP of Borg. You will be assimilated; Fri, 7 Jan 2022 19:03:27 +0200 (EET)
ehlo iAmGroot
250-myhost.ro Hello allwinnerh6.myhost.local [10.1.1.172], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 50000000
250-ETRN
250-AUTH LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
 
Hi covacat,

If I understood SirDice correctly with his last answer, I don't have to/shouldn't add anything to my FreeBSD server's /etc/hosts, because the IP 192.168.0.30 has nothing to do with the LAN of the FreeBSD server, but comes from the LAN at my home.

SirDice wrote:

Right, then this does make sense:

Code:
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: --- 220 mail.MyDomain.com ESMTP Sendmail 8.17.1/8.16.1; Fri, 7 Jan 2022 13:44:16 +0100 (CET)
Jan 7 13:44:16 MyDomain sm-mta[1220]: 207CiGjp001220: <-- EHLO [192.168.0.30]

Or did I misinterpret his answer?

Best regards
Sidney2017
 
sendmail will ignore the ehlo arg and will try to reverse resolve the ip and put it in the answer
iirc sendmail used not to like /etc/hosts and always tried to resolve the ip by dns queries
but try what SirDice said, just add it to /etc/hosts, maybe sendmail's behaviour has changed
<snip>...
The DNS vs. /etc/hosts preference behavior is normally controlled by the "hosts" line in /etc/nsswitch.conf. The default setting is hosts: files dns which means look in /etc/hosts first and do DNS lookups only if the IP address is not found there. nsswitch.conf(5)

Using the /etc/hosts file for frequently accessed LAN addresses can speed up performance considerably in some network configurations, but it might not be worth the trouble, since it can also be problematic in some situations. This is an old un*x trick that goes back at least as far as Solaris when network accesses were much slower.
 
No, it is not possible in their robot-webif (No AAAA).

EDIT: There is a tiny PLUS-Symbol one can click on which opens a text field for the eDNS of the IPv6!

Regards
Sidney2017
Correct. I happen to have a (FreeBSD) server in Hetzner also. Now, after a long time, logging in to the robot, I can confirm that there is no reverse DNS configuration menu. In your situation I would contact the customer support.

EDIT: I was wrong here! Hetzner has a function to add a new reverse DNS entry for IPv6 in their robot.
 
Correct. I happen to have a (FreeBSD) server in Hetzner also. Now, after a long time, logging in to the robot, I can confirm that there is no reverse DNS configuration menu. In your situation I would contact the customer support.
And now, trying again. Looks like I was wrong here. There is a little + sign for adding new reverse DNS entries and I was able to add one for IPv6.
 
What I already wrote here - even quoted by you here! ;)

Regards
Sidney2017
For some reason I missed that. The thing started to bother me - how can it be that one cannot set the reverse address there. As I wrote, I have also a FreeBSD server running there with IP6, but I had no need for reverse. Now I can confirm that it actually works.

So, you can mark this thread solved?
 
Since in the course of the discussion by hints of other posters it became clear that sendmail prioritizes IPv6 first by default and my initial problem could be caused by it and beyond that further hints came that one should not deactivate IPv6 completely because of the sendmail problem, the question arises since then, how I deactivate IPv6 support best in sendmail.

And since covacat here advised to compile sendmail again WITHOUT IPv6 support, I followed his recommendation, with the just described contradictory output of sendmail to IPv6 support.

Regards
Sidney2017
 
For some reason I missed that. The thing started to bother me - how can it be that one cannot set the reverse address there. As I wrote, I have also a FreeBSD server running there with IP6, but I had no need for reverse.
For the IPv4 eDNS the robot interface shows the input field directly in the same row as the IPv4 number, whereas this is not the case for the eDNS field of the IPv6 number. Here you have to click on the tiny plus-symbol.

The whole thing only became important for me because the Telekom denies delivering mails to customers sometimes when there isn't a corresponding reverse dns entry for the mail server's IP number. They consider this as spam. This is what they wrote me by email.

Kind regards
Sidney2017
 
I use the base system sendmail and compile my own trimmed down STABLE branch. My /etc/make.conf contains:

SENDMAIL_CFLAGS= -UNETINET6 # no ISP IPv6 rDNS, so ditch IPv6 for sendmail

It was the only reliable way I found to stop sendmail using IPv6 :-)
 
Hi trev,

thanks for that information!

But even though I placed "ENDMAIL_CFLAGS= -UNETINET6" in make.conf and rebuilt sendmail from the port, "/usr/local/sbin/sendmail -bt -d0.1" still displays

"Compiled with: DANE DNSMAP IPV6_FULL ...".

Even commenting out IPv6-Support in the port's makefile doesn't change this, so I have to assume that this is a bug in the current sendmail-port.

#.if ${PORT_OPTIONS:MIPV6}
#SITE+= ${FILESDIR}/site.config.m4.ipv6
#.endif

Kind regards
Sidney2017
 
The whole thing only became important for me because the Telekom denies delivering mails to customers sometimes when there isn't a corresponding reverse dns entry for the mail server's IP number. They consider this as spam. This is what they wrote me by email.
This is a simple yet powerful measure against malicious botnets. Bots do not have means to configure the reverse address. With my own mail servers I have always configured this option.
 
But even though I placed "ENDMAIL_CFLAGS= -UNETINET6" in make.conf and rebuilt sendmail from the port, "/usr/local/sbin/sendmail -bt -d0.1" still displays
Two errors here:
I'd rather put it in /etc/src.conf cause it only applies to the base src tree.

And generally, nowadays it would make more sense to fix whatever is broken with your IPv6 setup instead of just disabling it...
 
This is a simple yet powerful measure against malicious botnets. Bots do not have means to configure the reverse address. With my own mail servers I have always configured this option.
In my case the mail server passes all tests of MXToolbox.com and nevertheless the mails are returned (ONLY from Telekom).

Kind regards
Sidney2017
 
(ONLY from Telekom)
I doubt that very much. My MX would reject them as well. Basically, what Argentum said. No single measure works well against email spam, but rejecting anything where the sender has no (or broken) RDNS is a proven strategy to filter a substantial part of crap.

If your hoster doesn't allow you to configure RDNS records for your IPv6 addresses, complain to them. That's crucial functionality missing.
 
I doubt that very much. My MX would reject them as well. Basically, what Argentum said.

If your hoster doesn't allow you to configure RDNS records for your IPv6 addresses, complain to them. That's crucial functionality missing.

Didn't you read what I had written?

"In my case the mail server passes all tests of MXToolbox.com"

This includes eDNS checks etc. since - what I mentioned several times in this thread - I found the option to enter a Reverse DNS entry for IPv6 in Hetzner's robot console.

Kind regards
Sidney2017
 
Don't you read what you write yourself? In your post Argentum quoted, you're talking about missing RDNS records.

Apparently you are unaware that new points of view can arise in the course of a discussion, for example that even a set eDNS does not solve a problem that has been raised.

If you had bothered to read this thread in its entirety, you would have noticed that this is also about disabling IPv6 in sendmail, so that a PTR for an IPv6 address is no longer needed if you don't want to use IPv6 anyway.

Thanks for your answers anyway!

Kind regards
Sidney2017
 
Yeah, how about you first read all my answers properly and second don't randomly change quoted context?
 
How about just not commenting anymore unless something constructive could still be contributed?

Regards
Sidney2017
 
Ah, so you finally found all my posts. Just to state it, it also makes a lot of sense to take quoted text for context, but whatever...
 
How about just not commenting anymore unless something constructive could still be contributed?
If you still need to remove all the IPv6, you can build a custom kernel without IPv6. See grep INET6 /usr/src/sys/amd64/conf/GENERIC.
Code:
options         INET6                   # IPv6 communications protocols
You can remove INET6 from kernel configuration and build a custom kernel. I wouldn't do that, but if there is no other way...
 