Adventures in IPv6, part 4 (Postfix)

Setting up Postfix to use IPv6 was a little tricky.

Obviously I needed to configure my DNS servers to have an AAAA record for the mail server which is listed in my MX record (see my earlier post).

Then I followed the instructions in the README, but the only things I really had to do were to set

inet_protocols = all

and to add my IPv6 addresses alongside my IPv4 ones in mynetworks, so that my other servers can connect to my mail relay over IPv6.

Testing it was a little fun, and I found a few issues.

I first tested an outgoing mail from my server over IPv6 with Gmail. Gmail supports IPv6 fully, so by sending a mail to my Gmail account and checking the full headers I was able to see what it thought of my setup. In fact, at first the mail didn’t get through at all: my first mails to Gmail were rejected with a complaint in the logs that I didn’t have a PTR record for my IPv6 address matching the domain (it appears Google insist on forward-confirmed reverse DNS if you are sending to them over IPv6). A support ticket to my VPS host fixed that one.

My mails that then got through to Gmail showed another problem: SPF validation was failing. My SPF record included an explicit ip4: entry for my mail server, but not an ip6: one. Adding that to the DNS record was an easy fix (although I had to be patient enough to let the TTL pass, so Gmail’s cached lookup expired, before it worked).

To test incoming mail over IPv6 I found the test at Webwiz very useful. It spotted that when trying to send over IPv6 to my server, Postfix was rejecting the mail with a Temporary lookup failure message. A bit of searching around found a comment at ServerFault which suggested that this could be due to the address I’d specified in mynetworks containing some bits that would be masked out by the subnet mask I’d specified. That post was referring to IPv4, but it turned out the same problem applies with IPv6. I’d listed my full IPv6 address with a /64 range, which upset Postfix. Simply removing the subnet specifier and leaving only the full address did the trick (as, I expect, would have leaving the bottom 64 bits of my address as all zero in the mynetworks field, though I didn’t try this).
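A check for the mynetworks mistake described above, as an added example that is not part of the original post: it flags entries whose address has bits set below the prefix length and prints the two corrected forms. The function name and the sample value are assumptions, with addresses taken from the documentation ranges; the bracketed `[addr]/len` form is the one Postfix documents for IPv6 patterns in mynetworks.

```python
import ipaddress

def check_mynetworks(value):
    """Find mynetworks entries whose address has bits set below the prefix length.

    Returns a list of dicts with the offending entry and two corrected forms.
    """
    findings = []
    for entry in value.replace(",", " ").split():
        pattern = entry.lstrip("!")            # "!" marks an exclusion pattern
        # Postfix wants IPv6 patterns written as [addr]/len; drop the brackets to parse.
        bare = pattern.replace("[", "").replace("]", "")
        try:
            iface = ipaddress.ip_interface(bare)
        except ValueError:
            continue                           # file name or type:table lookup, not an address
        net = iface.network
        if iface.ip == net.network_address:
            continue                           # host part is all zero, or a single host
        if iface.version == 6:
            as_network = f"[{net.network_address}]/{net.prefixlen}"
            as_host = f"[{iface.ip}]"
        else:
            as_network = f"{net.network_address}/{net.prefixlen}"
            as_host = str(iface.ip)
        findings.append({"entry": entry, "as_network": as_network, "as_host": as_host})
    return findings

# Constructed sample value using documentation address ranges (not the author's real config).
SAMPLE = (
    "127.0.0.0/8 192.0.2.10/24 [::1]/128 "
    "[2001:db8:1:2::25]/64 [2001:db8:1:2::]/64 [2001:db8:1:2::25] "
    "hash:/etc/postfix/network_table"
)

if __name__ == "__main__":
    for f in check_mynetworks(SAMPLE):
        print(f"{f['entry']}: host bits set; use {f['as_network']} or {f['as_host']}")
```

The two suggested forms are not equivalent: the network form trusts every host in the /64 as a relay client, while the host form trusts only the one machine.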

After that, I sent a mail to my server with Gmail and the Received: header showed that it was indeed sent over IPv6:

Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e])

Hooray!