IPv6 and PTR records

Started by gizmo71, Dec 03, 2018, 08:20:24


gizmo71

Now that I've finally got globally routable IPv6 running properly on my home network, Google's refusal to accept email from source addresses which have no PTR records in DNS tripped me up. My Postfix server is already locked down to just IPv4 for this reason, but once a month I send a bunch of tracer emails out from a script to test that my DKIM, DMARC and SPF records are okay, and of course it tripped over Google as it now defaults to trying to send over IPv6.

Has anybody had reverse resolution (PTR) records set up for addresses 'inside' their router with IDNet? Do IDNet have any way to delegate reverse resolution to a customer nameserver?
SimRacing.org.uk Director General | Team Shark Online Racing - on the podium since 1993
Up the Mariners!

nowster

Theoretically it's easier to delegate the PTR records for v6 than for v4, as the dots are at nybble (4 bit) boundaries, rather than byte (8 bit) boundaries.

As end user allocations are /48 or /56 (or worst case /64), this is easy to do.
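As an added worked example of nowster's nybble-boundary point (this is not code from the thread): the Python below derives the ip6.arpa zone an ISP would delegate for a /48, /56 or /64, contrasts it with in-addr.arpa's octet boundaries, renders the delegating NS records, and checks whether a given host's PTR name falls inside the delegated zone. All prefixes, addresses and nameserver names are constructed from documentation ranges, not anyone's real allocation.

```python
import ipaddress

def ip6_arpa_zone(prefix: str) -> str:
    """ip6.arpa zone covering an IPv6 prefix.

    ip6.arpa has a label boundary at every nybble (4 bits), so any prefix
    length that is a multiple of 4 (/48, /56, /64 ...) maps to exactly one
    zone that the ISP can hand over with a single NS record set."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} does not end on a nybble boundary")
    nybbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    kept = nybbles[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa."

def ip4_arpa_zone(prefix: str) -> str:
    """in-addr.arpa equivalent: labels sit at octet (8-bit) boundaries, so
    only /8, /16 and /24 can be delegated as one ordinary zone."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen % 8:
        raise ValueError(f"/{net.prefixlen} does not end on an octet boundary")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ptr_owner(address: str) -> str:
    """Owner name of the PTR record for a single v4 or v6 address."""
    return ipaddress.ip_address(address).reverse_pointer + "."

def delegation_records(prefix: str, nameservers: list[str]) -> list[str]:
    """NS records the ISP publishes to delegate the reverse zone to the customer."""
    zone = ip6_arpa_zone(prefix)
    return [f"{zone} IN NS {ns}" for ns in nameservers]

def ptr_inside_delegation(address: str, prefix: str) -> bool:
    """True if the PTR for this address lives in the customer's delegated zone."""
    return ptr_owner(address).endswith("." + ip6_arpa_zone(prefix))

if __name__ == "__main__":
    # Constructed values from the IPv6 documentation prefix (RFC 3849).
    prefix = "2001:db8:1234:5600::/56"
    mailhost = "2001:db8:1234:5601::25"
    print(ip6_arpa_zone(prefix))
    for rr in delegation_records(prefix, ["ns1.example.net.", "ns2.example.net."]):
        print(rr)
    print(ptr_owner(mailhost), ptr_inside_delegation(mailhost, prefix))
```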

andrue

My server works fine over IPv6. I just did the equivalent of things that I did for IPv4 - MX record, AAAA record, SPF record. Then asked IDNet to set up a reverse pointer for one of my IPv6 addresses.

The only gotcha I ran into was that I couldn't persuade my Windows box to take a static IPv6 address. It just kept crashing the network stack (very annoying with a headless server >:( ) but in the end I disabled the automatic address change and tied the address to its NIC MAC.

That was the address I gave to IDNet Support and I have both HTTP/HTTPS, SMTP and IMAP across IPv6.

I run VPOP3 and I did have to upgrade my license to Enterprise in order to bind the server to both IPv4 and IPv6 but that was all. Didn't cost much and anyway I also needed that for SSL support. I pay more for the certificate than I do for VPOP3 :)

gizmo71

Thanks, Andrue, I'll figure out static addresses for the mail servers (they're on Linux - currently CentOS and moving to Docker on Fedora, so no problem there) and drop support and email to get PTRs set up. :thumb:

andrue

Quote from: gizmo71 on Dec 08, 2018, 10:31:11
Thanks, Andrue, I'll figure out static addresses for the mail servers (they're on Linux - currently CentOS and moving to Docker on Fedora, so no problem there) and drop support and email to get PTRs set up. :thumb:
Hopefully Linux will let you go with static. I've no idea why Windows 7 wasn't having it. I was all set up to go with ::::1 (because it was my first server, lol) and it wasn't having it. Any attempt to set a static IPv6 address crashed the network stack :(

andrue

Turns out there was another gotcha I didn't know about. It didn't actually prevent anything working but it turns out my certificate was a bit lacking. I paid for a single domain and unbeknown to me that meant my mail SSL connections were partly in error.

The problem was that my cert only covered <mydomain> and www.<mydomain> whereas the mail server is listed in MX records as mailserver2.<mydomain> and ipv6.<mydomain>. So I've just shelled out a bit more and got a certificate that supports SANs (Subject Alternate Names) to cover those two.

At first I thought this was why my phone couldn't connect any longer but that turned out to be because Vodafone are doing something to traffic sent to port 143. It looks like they are deliberately removing the STARTTLS command presumably in an attempt to allow emails to be scanned for viruses and other things. It's a bit irritating because I have that feature supposedly turned off. For now I've just added another port mapping for IPv4 and will consider moving to SSL at some point.

nowster

Is there any reason you can't use a free Let's Encrypt certificate?

https://letsencrypt.org/

andrue

Quote from: nowster on Dec 12, 2018, 13:10:42
Is there any reason you can't use a free Let's Encrypt certificate?

https://letsencrypt.org/
We use them at work for development servers but I couldn't be bothered to go through the hassle of changing the certificate four times a year. Also there was some uncertainty back when it was first launched over using them for email servers. They have now clarified the confusion there.

I might revisit the idea at my next renewal but the 90 day renewal is an annoyance and I'm not sure how far it could be automated. Currently updating the certificate requires me to use the admin Web UI on my mail server. That means it would have to be a manual process where I download the cert chain then login, update it and restart the server. It's not the most onerous task in the world but doing it four times a year is a bit much.

One thing I like about running my own server is that it can be left to its own devices for 99% of the time. I have no desire to start taking on admin tasks to keep it running properly. It's a domestic server used primarily because it provides me with a nice DEA anti-spam system and because it's kind of 'geeky cool' to host a server publicly. But the moment I have to start keeping an eye on it and acting like a proper IT admin it will lose its charm.

Also at present I have to ask my registrar to update my DNS and although they respond quickly I don't see the point of annoying them with repeated requests every 90 days if they can't automate this. The nice thing about renewing my cert at the moment is that I don't have to do that. My issuer knows me and just tells me when the new cert is ready to be downloaded.

Right now it's simpler and less hassle to pay a renewal fee and forget about it for two years.

andrue

The question has been asked of the suppliers of my mail software but their response suggested some difficulties are involved:

https://helpdesk.pscs.co.uk/444950-LetsEncrypt-SSL-Certs

My mail server actually doesn't have that problem because I don't host a 'proper' website and thus my web server runs on standard HTTP(S) ports. But I can't see them developing this feature just to support the minority of users running like that.

Oh Gawd! Okay so maybe I'm reading this wrong (it's the evening and I'm trying to watch TV) but this all sounds like a lot of hassle plus a couple of posts implied the cert has to be renewed every 60 days.

gizmo71

I use Let's Encrypt for all my certs, fully automated including mail server and HAProxy restarts, about 30 lines of shell script all told using the Lego client.

nowster

Quote from: andrue on Dec 12, 2018, 20:40:52
We use them at work for development servers but I couldn't be bothered to go through the hassle of changing the certificate four times a year.
You do it manually? It's all automated for me.

andrue

Quote from: gizmo71 on Dec 12, 2018, 21:47:16
I use Let's Encrypt for all my certs, fully automated including mail server and HAProxy restarts, about 30 lines of shell script all told using the Lego client.
Great. When you've worked out how to do that for the software I'm running let me know.

Quote from: nowster on Dec 13, 2018, 00:05:13
You do it manually? It's all automated for me.
Yes, it's automated at work, because we spent more time investigating and opted for an open-source Linux solution built on top of (I think) Apache.

But I'm talking about my personal mail server, running on a machine in my house. I've been running that software for nearly two decades now (*). It is a standalone Windows application so pretty much everything it does it does its own way. It's proven to be extremely reliable, powerful and yet easy to use. Unfortunately in this one particular case its 'proprietary' nature seems to preclude any kind of automation.

(*) When I first started using it the installer didn't even offer a 'run as a service' option, it was just a Windows application.

nowster

Quote from: andrue on Dec 13, 2018, 16:57:35
But I'm talking about my personal mail server, running on a machine in my house. I've been running that software for nearly two decades now.
Ditto. But mine's using open source software on Linux, on a Gandi VM I run. The IMAP server (dovecot), the HTTP server (lighttpd, not Apache) and the SMTP server (exim) all use the same cert, which is automagically kept up to date. I could run it at home (I do run the secondary MX there), but Virgin doesn't do IPv6 yet.

The difference is that I ran an ISP from 1994 to 2009, so I (mostly) know my way round these things.

andrue

Quote from: nowster on Dec 13, 2018, 17:27:29
Ditto. But mine's using open source software on Linux, on a Gandi VM I run. The IMAP server (dovecot), the HTTP server (lighttpd, not Apache) and the SMTP server (exim) all use the same cert, which is automagically kept up to date. I could run it at home (I do run the secondary MX there), but Virgin doesn't do IPv6 yet.

The difference is that I ran an ISP from 1994 to 2009, so I (mostly) know my way round these things.
I know my way around them as well, albeit mostly for Windows. One of my previous jobs was helping maintain and develop an Exchange recovery tool and as part of that I've had to install more domains, Exchange servers, Sharepoint servers and enterprise level backup software than anyone should ever have to.

However when I'm at home I like to leave my work behind so I look for simple solutions that don't require me to do any fiddling. When I first decided to set up a mail server VPOP3 was the easy route. It was literally a case of running the installer then setting up a wildcard forwarding system. From what I remember it took about half an hour. Since then I've hardly ever had to touch it. I occasionally have to add a specific address to my blacklist and every two years I have to install a new certificate.

If I was starting again I would consider going the Linux route but frankly I doubt I'd bother. VPOP3 is so very powerful and so ridiculously easy to operate that I just can't see any other option. It may even be possible to automate the certificate stuff if I could be bothered to investigate. It supports something called LUA and it might be possible to get the creator to extend that to certificate installation if it doesn't already. Or if the certs are stored on the database I could probably knock up a script for that since it uses Postgres which I'm very familiar with.

But all of that requires that I undertake technical work while at home and I simply don't want to. I only do technical work when I'm paid or when I'm forced to.

nowster

Lua is a very minimal programming language. My first task at my previous job was to write a web interface for a gadget they were making, using Lua.