Hi,
Until recently, when AWS enabled native IPv6 support in my region, I was using an HE tunnel as my IPv6 provider, and everything was working without problems. Since then I have enabled native IPv6 on my mail server and I have a problem with the DANE tester site https://dane.sys4.de/smtp/augustin.pl
It always times out on IPv6 address and I am confident that everything is configured properly as I receive lots of connections by IPv6 including gmail, Debian and Postfix mailing lists etc.
Jan 20 06:32:38 mail postfix/postscreen[17537]: CONNECT from [2604:8d00:0:1::4]:54406 to [2a05:d018:76d:5af6:d050:9b30:6bf7:df98]:25
Jan 20 06:32:38 mail postfix/postscreen[17537]: WHITELISTED [2604:8d00:0:1::4]:54406
Jan 20 06:32:38 mail postfix/smtpd[17538]: connect from russian-caravan.cloud9.net[2604:8d00:0:1::4]
Jan 20 06:32:39 mail postfix/smtpd[17538]: Trusted TLS connection established from russian-caravan.cloud9.net[2604:8d00:0:1::4]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
You can see test results here: https://network-tools.webwiz.net/email-test.htm?email=augustin%2Epl&conn...
Is there any known problem with DANE tester IPv6 configuration?
I appreciate your help.
Karol
On 2018-01-20 12:34, Karol Augustin wrote:
Hi,
Until recently, when AWS enabled native IPv6 support in my region, I was using an HE tunnel as my IPv6 provider, and everything was working without problems. Since then I have enabled native IPv6 on my mail server and I have a problem with the DANE tester site https://dane.sys4.de/smtp/augustin.pl
It always times out on IPv6 address and I am confident that everything is configured properly as I receive lots of connections by IPv6 including gmail, Debian and Postfix mailing lists etc.
Ok, it looks like I am hitting firewall on mail.sys4.de:
Jan 20 12:35:00 mail postfix/smtp[29506]: connect to mail.sys4.de[2001:1578:400:111::7]:25: Permission denied
Jan 20 12:35:06 mail postfix/smtp[29506]: Verified TLS connection established to mail.sys4.de[194.126.158.132]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
ping 2001:1578:400:111::7
PING 2001:1578:400:111::7(2001:1578:400:111::7) 56 data bytes
From 2001:1578:0:ff::1:2 icmp_seq=2 Destination unreachable: Administratively prohibited
From 2001:1578:0:ff::1:2 icmp_seq=3 Destination unreachable: Administratively prohibited
From 2001:1578:0:ff::1:2 icmp_seq=8 Destination unreachable: Administratively prohibited
Is there any reason for blocking AWS IPv6?
Jan 20 06:32:38 mail postfix/postscreen[17537]: CONNECT from [2604:8d00:0:1::4]:54406 to [2a05:d018:76d:5af6:d050:9b30:6bf7:df98]:25
Jan 20 06:32:38 mail postfix/postscreen[17537]: WHITELISTED [2604:8d00:0:1::4]:54406
Jan 20 06:32:38 mail postfix/smtpd[17538]: connect from russian-caravan.cloud9.net[2604:8d00:0:1::4]
Jan 20 06:32:39 mail postfix/smtpd[17538]: Trusted TLS connection established from russian-caravan.cloud9.net[2604:8d00:0:1::4]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
You can see test results here: https://network-tools.webwiz.net/email-test.htm?email=augustin%2Epl&conn...
Is there any known problem with DANE tester IPv6 configuration?
I appreciate your help.
Karol
Is there any reason for blocking AWS IPv6?
I don't think that AWS is blocked but IPv6 prefixes > 32 are. I have the same problem with my mail server which is an /48 PI.
Your IP is announced by AWS in a /38:
# sh ipv6 route 2a05:d018:76d:5af6:d050:9b30:6bf7:df98
Routing entry for 2a05:d018:400::/38
  Known via "bgp", distance 20, metric 0, best
  Last update 04w0d01h ago
  * fe80::e6aa:5dff:fe82:e001, via eth0
And as a general tip:
Use a TCP variant of traceroute; newer versions have a -T option for this. Also try tracepath(6) to see if there are any MTU issues.
Jens
On 2018-01-20 13:16, Jens Link wrote:
Is there any reason for blocking AWS IPv6?
I don't think that AWS is blocked but IPv6 prefixes > 32 are. I have the same problem with my mail server which is an /48 PI.
Thanks, it explains it. I was using HE tunnel before and it was working fine. Anyway that seems weird to me to block >32 prefixes especially if the biggest cloud provider in the world is hit by that.
Karol
Your IP is announced by AWS in a /38:
# sh ipv6 route 2a05:d018:76d:5af6:d050:9b30:6bf7:df98
Routing entry for 2a05:d018:400::/38
  Known via "bgp", distance 20, metric 0, best
  Last update 04w0d01h ago
  * fe80::e6aa:5dff:fe82:e001, via eth0
And as a general tip:
Use a TCP variant of traceroute; newer versions have a -T option for this. Also try tracepath(6) to see if there are any MTU issues.
Yeah, it was the first thing I checked and there are no problems with MTU.
Jens
Jens Link lists@quux.de writes:
Is there any reason for blocking AWS IPv6?
I don't think that AWS is blocked but IPv6 prefixes > 32 are. I have the same problem with my mail server which is an /48 PI.
Your IP is announced by AWS in a /38:
# sh ipv6 route 2a05:d018:76d:5af6:d050:9b30:6bf7:df98
Routing entry for 2a05:d018:400::/38
  Known via "bgp", distance 20, metric 0, best
  Last update 04w0d01h ago
  * fe80::e6aa:5dff:fe82:e001, via eth0
I don't think that is it. One of my mail servers is fine (in a /32 prefix), but the other one (in a /24 prefix) is not.
See https://dane.sys4.de/smtp/mork.no
Bjørn
Bjørn Mork bjorn@mork.no writes:
Hi,
I don't think that is it. One of my mail servers is fine (in a /32 prefix), but the other one (in a /24 prefix) is not.
just talked to the provider, looks like a wired routing issue, they are working on a fix.
Jens, Hm, I somehow sound like all the provider hotline I talked to in the last couple of weeks ;-=)
Jens Link lists@quux.de writes:
just talked to the provider, looks like a wired routing issue, they are working on a fix.
okay, at least for me it's working now.
Jens
On 2018-01-22 9:34, Jens Link wrote:
Jens Link lists@quux.de writes:
just talked to the provider, looks like a wired routing issue, they are working on a fix.
okay, at least for me it's working now.
It's working for me as well. Thanks for looking into that!
Karol
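
Added example, not part of any post in this thread: a small Python script that scans postfix/smtp log lines of the kind quoted above for deliveries where the IPv6 connect failed and TLS was then established over IPv4, which is how the filtering first became visible from the sending side. The sample log is constructed from the two lines in the thread plus a made-up mx.example.net entry; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two postfix/smtp lines quoted in the thread, plus one
# made-up host (documentation prefix 2001:db8::/32) that works over IPv6.
SAMPLE_LOG = """\
Jan 20 12:35:00 mail postfix/smtp[29506]: connect to mail.sys4.de[2001:1578:400:111::7]:25: Permission denied
Jan 20 12:35:06 mail postfix/smtp[29506]: Verified TLS connection established to mail.sys4.de[194.126.158.132]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 20 12:36:10 mail postfix/smtp[29511]: Trusted TLS connection established to mx.example.net[2001:db8::25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Failed connect attempt: "connect to host[addr]:port: reason"
FAIL = re.compile(r"postfix/smtp\[(\d+)\]: connect to (\S+?)\[([0-9A-Fa-f:.]+)\]:(\d+): (.+)$")
# Successful TLS session; plaintext deliveries log no such line and are not seen here.
OK = re.compile(r"postfix/smtp\[(\d+)\]: \w+ TLS connection established to (\S+?)\[([0-9A-Fa-f:.]+)\]:(\d+):")


def find_v4_fallbacks(log_text):
    """Return (host, failed_v6_addr, reason, v4_addr) for each delivery that
    failed over IPv6 and then completed TLS over IPv4 in the same smtp process."""
    pending = defaultdict(list)  # (pid, host) -> [(v6 addr, reason), ...]
    findings = []
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            pid, host, addr, _port, reason = m.groups()
            if ":" in addr:  # only IPv6 failures are of interest
                pending[(pid, host)].append((addr, reason))
            continue
        m = OK.search(line)
        if m:
            pid, host, addr, _port = m.groups()
            failed = pending.pop((pid, host), [])
            if ":" not in addr:  # session ended up on IPv4
                findings.extend((host, v6, why, addr) for v6, why in failed)
    return findings


if __name__ == "__main__":
    for host, v6, why, v4 in find_v4_fallbacks(SAMPLE_LOG):
        print(f"{host}: IPv6 {v6} failed ({why}), delivered via IPv4 {v4}")
```

On Linux, "Permission denied" on connect is how an ICMPv6 "administratively prohibited" reply surfaces to the application, which matches the ping output in the thread.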