Changing IPv6 address to new /64 subnet

Folks:

I was given an IPv6 /64 subnet for my Linode, which is in addition to the assigned /128 IPv6 address that my Linode was originally assigned. This is due to being flagged for spam by Spamhaus, which has resolution down to /64 and not down to /128.

According to the ticket, the new /64 subnet is routable through my current assigned /128 address.

Do I simply add an IPv6 address from my new subnet onto my Linode and leave in the existing IPv4 address and then replace both the A record and the rPTR record in the DNS entry for my IPv6 address to the new one?

6 Replies

Yes, exactly.

You can pick one or more addresses from your /64 (I use one address per domain).

I always refer to this guide to configure my Linode:

https://www.linode.com/docs/networking/linux-static-ip-configuration/

You may need to configure either the Linux OS or your mail transfer agent to use the IPv6 address from your /64 as the default outgoing one. (I think Linux uses the most recently added IPv6 as the default one.)

Don't forget to also set your reverse DNS on the IPv6 address before you start sending mail using it.

@andysh writes:

> You may need to configure either the Linux OS or your mail transfer agent to use the IPv6 address from your /64 as the default outgoing one. (I think Linux uses the most recently added IPv6 as the default one.)

Beware that some of the big network companies that provide email delivery to their subscribers do not like IPv6 addresses for transfer agents at all! Comcast is the most notable offender here.

If you use postfix(1), you can tell it to only use IPv4 for SMTP transactions by including the configuration parameter:

# force postfix to use ipv4
#
inet_protocols=ipv4
#inet_protocols = all

If you use an IPv6 address to conduct an SMTP transaction with a Comcast mail server, that address will invariably end up on Spamhaus's SBLCSS. You can remove it, but how many times a day do you want to do this? This behavior appears to be the result of a lazily-programmed spam filter that doesn't understand IPv6 addresses. Of course, complaining to Comcast about this is like talking to the mirror…

-- sw

Thank you for the help, folks!

To Steve:

I am a bit confused. I thought that everyone was urging full adoption of IPv6 since IPv4 space is running out. Or am I wrong?

Reading what you are saying, am I correct that even if I do use the new /64 subnet, which our support ticket claims is clean, it would still cause an SBLCSS even if I am the only one on that /64? If that's so, then I am very confused as to how Spamhaus works. I thought it is done on spam mail complaints? So Comcast files a complaint with Spamhaus every time someone uses IPv6 to open an SMTP connection for mail?

If that is correct; and if my sole purpose for asking for the new /64 subnet is for email purposes; and if I am to configure my Postfix not to even use IPv6; then I might as well not even configure the /64 and turn it back over to Linode's pool?

Right now, my Postfix is shut down until I get full understanding.

Unfortunately, I am afraid I am a bit more confused than going in. Aren't we as a community fully embracing IPv6, or am I personally way off on Cloud 9 of wishful thinking?

Or is ComQuack full of pin nosed needle brains who don't know what they are doing in server/network configuration?

Thank you for letting me cry on your shoulders

Mark Allyn
Bellingham, Washington

Comcast treats every address as a spammer unless they can prove otherwise. Assimilate. Resistance is futile.

I'm pretty sure that since Linode's IPv6 addresses come from a /64 CIDR block and are auto-configured using SLAAC, Comcast treats every address in the block as they would a member of a pool dynamically assigned by DHCP. This is just lazy, IMHO.

You write:

> So Comcast files a complaint with Spamhaus every time someone uses IPv6 to open an SMTP connection for mail?

Not exactly… Since Linode's IPv6 addresses are dynamically-assigned (like DHCP addresses are in the IPv4 world), Comcast assumes the address is a spammer because it's dynamically-assigned. Comcast reports the address to Spamhaus as a spammer. At least that's the theory I've been using. God knows what their rationale is for this…getting them to talk to you about "internal policy" is another exercise in futility (even if you are a Comcast customer).

You can turn off SLAAC (and I did that once) to solve a problem unrelated to this but I found that doing this caused other problems…as well as a configuration headache. Besides, why should I jump through hoops because some bozo at Comcast wanted to leave early on a Friday to beat the rush at the brewpub?

You write:

> if I am to configure my Postfix not to even use IPv6; then I might as well not even configure the /64 and turn it back over to Linode's pool?

You get the /64 block as part of your Linode subscription. It's not necessary to turn it back over to Linode's pool. My IPv6 address belongs to the subnet 2600:3c01::/32. There are 4294967296 /64 blocks in that subnet (more than 4 trillion…I'm pretty sure that's enough to go around ;-) ).

The only things for which I use IPv4 exclusively are smtp (port 25) and submission (ports 587/465)…both are part of postfix(1). The following all can and do use IPv6:

  • imap (ports 143/465…these and lmtp are the dovecot(1) part of email delivery…lmtp uses a local-domain socket -- as do all my filters/milters: opendkim, dmarc, postgrey & whatnot);
  • http (ports 80/443); and
  • ssh (port 22).

I wouldn't say IPv6 is useless.

My firewall is configured for IPv4/IPv6 as well…as are my blacklists.

Maybe someone on the Linode staff can shed some light on this. I'd certainly like to figure this out too. Maybe there's some way to configure postfix(1) to use IPv4 when talking to a server in a list of subnets and choose IPv4/IPv6 everywhere else.

-- sw

Thank you, Steve.

I will go ahead and lock out IPv6 on my postfix. Perhaps if I get some energy, I would try to block ComQuack's IPv6 subnets?

My Linodes are running Ubuntu; UFW is what I am using. I just might play with that once I get in the mood of accidentally locking myself out which means I need to have a console terminal up and running to quickly get to :)

At least you folks have given me enough to get my Postfix back safely on-line.

I am still unclear about this. I have the ip6 address
2600:3c03::f03c:92ff:fe42:5a6d
and that is how it is entered into my DNS configuration on Linode.
It is there as an AAAA record, in my spf record (txt)
And in my RDNS record, which is, in full

2600:3c03::f03c:92ff:fe42:5a6d IPv6 – SLAAC fe80::1 ffff:ffff:ffff:ffff:: jbaron.org

I don't understand this, but when I check reverse DNS ipv6 with
http://www.webdnstools.com/dnstools/dns-lookup-ipv6
it all seems to work.

Yet Spamhaus keeps putting it on the blacklist.

I have one address. It sends email. I don't need any others.

Somehow I got the idea that I am supposed to put /64 somewhere, despite the apparent fact that the address I have is really /128.

I tried putting /64 after the AAAA record, and it complained.

Is there a solution to the Spamhaus problem?
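
The /64 versus /128 distinction this thread keeps returning to, as an added Python example that is not part of any post: it shows which /64 a blocklist with /64 resolution attributes the thread's SLAAC address to, then picks a static sender inside a routed /64 and derives the PTR owner name and blocklist lookup name for it. The neighbour address, the routed /64 (a documentation prefix) and the blocklist zone are constructed placeholders.

```python
import ipaddress

SLAAC_ADDR = "2600:3c03::f03c:92ff:fe42:5a6d"  # address quoted in the thread
NEIGHBOUR = "2600:3c03::f03c:91ff:fe00:1"      # constructed: another host, same /64
ROUTED_64 = "2001:db8:1234:5678::/64"          # constructed stand-in for the routed /64
DNSBL_ZONE = "dnsbl.example"                   # placeholder zone, not a real blocklist


def reputation_bucket(addr):
    """The /64 that a list with /64 resolution treats as a single sender."""
    return ipaddress.IPv6Network(f"{addr}/64", strict=False)


def shares_bucket(a, b):
    """True when a listing for one address also covers the other."""
    return reputation_bucket(a) == reputation_bucket(b)


def is_eui64_slaac(addr):
    """True when the interface ID carries the ff:fe filler of a MAC-derived address."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def pick_sender(routed_net, host_id=1):
    """Choose a static address inside the routed /64 (host_id is arbitrary)."""
    return str(ipaddress.IPv6Network(routed_net)[host_id])


def ptr_name(addr):
    """Owner name of the PTR record that reverse DNS must answer for addr."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def dnsbl_query_name(addr, zone=DNSBL_ZONE):
    """RFC 5782 lookup name: nibble-reversed address under the list's zone."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


if __name__ == "__main__":
    sender = pick_sender(ROUTED_64)
    print("SLAAC address bucket :", reputation_bucket(SLAAC_ADDR))
    print("shared with neighbour:", shares_bucket(SLAAC_ADDR, NEIGHBOUR))
    print("MAC-derived SLAAC    :", is_eui64_slaac(SLAAC_ADDR))
    print("static sender        :", sender, "in", reputation_bucket(sender))
    print("PTR owner name       :", ptr_name(sender))
    print("blocklist lookup name:", dnsbl_query_name(sender))
```

AAAA and PTR records always hold one full 128-bit address; the /64 only names the block that address is chosen from, which is why a `/64` suffix is rejected in an AAAA record.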
