Nightmare IPv6: How to disable IPv6 in FreeBSD

Sendmail (up to 13.2 in base system) does not have an option to stop using IPv6 when sending email, but you can use pf to block IPv6 SMTP traffic. Try something like this:

/etc/pf:
ext_if="em0"
block out quick on $ext_if inet6 proto tcp from self to any port 25

Then test it with telnet. If you see permission denied, then sendmail will use IPv4 for sure.

% telnet -6 aspmx.l.google.com 25
Trying ..........
telnet: connect to address ..........: Permission denied
telnet: Unable to connect to remote host
 
Sorry for replying in an old thread. For sendmail 8.18.1, which is in FreeBSD 14.3 now, there's a better way to only use IPv4 for outgoing SMTP connections. I put this define before MAILER in my .mc:

define(`SMTP_MAILER_FLAGS', `4')
 
I send mail via IPv6 without problems, although the domain name used in MAIL FROM: and the host name of the sending server must have the right PTR, and SPF records must exist for them, including all addresses.
If you get back the message that the PTR does not match, verify it using dig -x <IPv6 address>. It must give you back the hostname of your server. Also make sure that the reverse zone is properly updated on all authoritative DNS servers; sometimes this takes some time.
 
Since MAIL FROM is mentioned, I'd like to add a note about "sending email by yourself in 2026." There are 3 configurations to check: SPF, DKIM, and DMARC. Major providers (like Google, Yahoo, Hotmail) will verify the MAIL FROM and From: header domains against these 3 setups to "mark incoming mails possibly SPAM or not."

Matching forward and reverse DNS is a plus. Some will reject if no exact match, some will accept even if no PTR. In my case, I have full control over my IPv4 PTR records, but no control over IPv6. That's why I want all my SMTP out traffic over IPv4.

SPF and DMARC are easy to set up. DKIM is something like signing email with a private key and hiding the signature in the header, so other people can verify it with the public key (spread via DNS). OpenDKIM in the ports is a good start. Some cloud providers (oops, I only know one, it's AWS) may provide a simpler setup for DKIM. That can be used as well, to keep everyone's mail servers happy.
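
An offline sketch of the checks discussed in this thread (PTR gives back the server hostname, forward and reverse DNS match, SPF covers every outgoing address), added here as an example and not posted by any participant. The hostname, addresses and zone data are constructed documentation values, and only literal ip4:/ip6: SPF mechanisms are evaluated.

```python
import ipaddress

def ptr_name(addr):
    """Owner name that `dig -x <addr>` looks up (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer

def spf_covers(spf, addr):
    """First matching literal ip4:/ip6: mechanism decides; a, mx, include
    and all need DNS or policy context and are not evaluated here."""
    ip = ipaddress.ip_address(addr)
    for term in spf.split()[1:]:              # skip the "v=spf1" tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        kind, _, value = term.lstrip("+-~?").partition(":")
        if kind.lower() not in ("ip4", "ip6") or not value:
            continue
        net = ipaddress.ip_network(value, strict=False)
        if net.version == ip.version and ip in net:
            return qualifier == "+"
    return False

def audit(hostname, addrs, spf, ptr_zone, fwd_zone):
    """Per outgoing address: does PTR give back the hostname, does that
    hostname resolve back to the address, and does SPF authorise it?"""
    report = {}
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        ptrs = [p.rstrip(".").lower() for p in ptr_zone.get(ptr_name(addr), [])]
        confirmed = any(ipaddress.ip_address(a) == ip
                        for p in ptrs for a in fwd_zone.get(p, []))
        report[addr] = {"ptr_is_hostname": hostname.lower() in ptrs,
                        "fcrdns": confirmed,
                        "spf_pass": spf_covers(spf, addr)}
    return report

# Constructed sample data (documentation ranges): IPv4 is fully set up,
# the IPv6 address has an AAAA record but no PTR and no ip6: term in SPF.
HOST = "mail.example.org"
ADDRS = ["192.0.2.25", "2001:db8::25"]
SPF = "v=spf1 ip4:192.0.2.25 -all"
PTR_ZONE = {ptr_name("192.0.2.25"): ["mail.example.org."]}
FWD_ZONE = {"mail.example.org": ["192.0.2.25", "2001:db8::25"]}

if __name__ == "__main__":
    for addr, result in audit(HOST, ADDRS, SPF, PTR_ZONE, FWD_ZONE).items():
        print(addr, result)
```

With real data, fill the two zone dictionaries from dig -x and dig A/AAAA answers for each address the server can send from.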
 