Mailsending ipv6 to Google-Mailservice fails

Discussion in 'Server Operation' started by muelli75, Aug 14, 2022.

  1. muelli75

    muelli75 Member

    Hi!

    If our mail server sends mail to Gmail, the delivery fails. This is the bounce from Gmail:

    Code:
                       The mail system
    
    <[email protected]>: host
        gmail-smtp-in.l.google.com[2a00:1450:4025:402::1a] said: 550-5.7.1
        [2a01:4f8:212:f65::2] Our system has detected that this message does
        550-5.7.1 not meet IPv6 sending guidelines regarding PTR records and
        550-5.7.1 authentication. Please review 550-5.7.1
        https://support.google.com/mail/?p=IPv6AuthError for more information 550
        5.7.1 . w13-20020a05640234cd00b0043bd6cf51d1si5536605edc.530 - gsmtp (in
        reply to end of DATA command)
    
    Reporting-MTA: dns; tesoro2.products4more.at
    X-Postfix-Queue-ID: D8ECA4A21450
    X-Postfix-Sender: rfc822; [email protected]
    Arrival-Date: Sun, 14 Aug 2022 02:16:05 +0200 (CEST)
    
    Final-Recipient: rfc822; [email protected]
    Original-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.7.1
    Remote-MTA: dns; gmail-smtp-in.l.google.com
    Diagnostic-Code: smtp; 550-5.7.1 [2a01:4f8:212:f65::2] Our system has detected
       that this message does 550-5.7.1 not meet IPv6 sending guidelines regarding
       PTR records and 550-5.7.1 authentication. Please review 550-5.7.1
       https://support.google.com/mail/?p=IPv6AuthError for more information 550
       5.7.1 . w13-20020a05640234cd00b0043bd6cf51d1si5536605edc.530 - gsmtp
    
    If I check the PTR record of our system (https://network-tools.webwiz.net/reverse-dns.htm),
    all seems fine. There is a PTR record for 2a01:4f8:212:f65:: which we set in the admin panel of our server provider. Take a look at this screenshot:
    https://ibb.co/myKGZrg

    Now let's have a look at
    Code:
    admin@customermail # ifconfig
    enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 136.243.47.106  netmask 255.255.255.192  broadcast 136.243.47.127
            inet6 fe80::921b:eff:fedb:519  prefixlen 64  scopeid 0x20<link>
            inet6 2a01:4f8:212:f65::2  prefixlen 64  scopeid 0x0<global>
    
    Any ideas what to do to make delivery to Gmail possible?

    Thanks in advance, Martin
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. muelli75

    muelli75 Member

  4. muelli75

    muelli75 Member

    Hm - the posted solution works for mail going directly to Gmail but not for domains which are hosted at Google services.

    So, if we send mails to [email protected] we get the following bounce
    Code:
    Betreff:     Undelivered Mail Returned to Sender
    Datum:     Fri, XX XXXX 2022 14:32:08 +0200 (CEST)
    Von:     Mail Delivery System <[email protected]>
    An:     [email protected]
    
    
    This is the mail system at host tesoro2.products4more.at.
    
    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    
    For further assistance, please send mail to postmaster.
    
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
    
    The mail system
    
    <[email protected]>: host ASPMX.L.GOOGLE.COM[2a00:1450:4025:402::1a]
    said: 550-5.7.1 [2a01:4f8:212:f65::2] Our system has detected that this
    message does 550-5.7.1 not meet IPv6 sending guidelines regarding PTR
    records and 550-5.7.1 authentication. Please review 550-5.7.1
    https://support.google.com/mail/?p=IPv6AuthError for more information 550
    5.7.1 . cr13-20020a170906d54d00b00730632d2a0fsi1725389ejc.452 - gsmtp (in
    reply to end of DATA command)
    We got 4 such bounces in the last few days for different domains, so fixing that with transport maps is rather cumbersome.

    Any other ideas how to fix that ip4/ip6-problem?

    TIA, Martin
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    According to Google, you missed setting up a correct PTR record for your IPv6 address.
     
  6. muelli75

    muelli75 Member

    Yes till, you are right - but I did an IPv6 setup as mentioned in my initial post.

    Here is another small piece of the puzzle to confirm the correctness of the setup
    Code:
    #ip -6 addr show scope global
    2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 2a01:4f8:212:f65::2/64 scope global
           valid_lft forever preferred_lft forever
    and the proof from the PTR check service:
    https://ibb.co/BnCMQrg
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Add a PTR record for the exact IPv6 IP, not the subnet. Add a PTR for 2a01:4f8:212:f65::2 that you are using for sending. It might be that you have to remove the one for the subnet.

    I received the same error on some of my servers and they are gone after adding a PTR for the exact IPv6 address.
     
  8. muelli75

    muelli75 Member

    Thank you - the additional PTR is done. So let's have a look if that helped.
     
  9. odea

    odea New Member

    Hi Till,
    I'm very curious to know how you did it, I read about a lot of different ways to do that.
    I also had an "ipv6 ptr" issue with Gmail, so I disabled IPv6 in Postfix, but emails are still considered spam by Gmail (I have SPF, DMARC, DKIM). I have no error message from Gmail, so I don't know why my emails are considered spam, and DMARC checks are OK. I want to try to re-enable IPv6 in Postfix and add an IPv6 PTR record to see if it solves the problem.

    For ipv4 I did that :
    upload_2023-8-16_22-38-39.png
    Then, inside this zone :
    upload_2023-8-16_22-39-37.png

    First, is it the correct way to do it for IPv4? And if so, is it the same way to do it for IPv6?
    I read that I need an AAAA record (in what zone?)
    Here is my IPv6 address and its DNS format:
    2001:41d0:e:942::1 in reverse DNS format:
    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.9.0.e.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa
    Thanks for the help !
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Probably not.
    Read my tutorial on name service with ISPConfig, link in my signature.
    Same zone as the A record.
     
  11. odea

    odea New Member

    Hi Taleman,
    thanks for your reply !
    I read your tutorial, and indeed you said that :
    So I connected to my OVH admin panel and I have this :
    upload_2023-8-17_10-42-46.png
    Unfortunately, if I try to put ns1.vegan.fr as reverse name for ipv6 IP I have this message :
    upload_2023-8-17_10-45-12.png
    :confused:
    Also, if I can not use my own name server, then what do I have to do in ispconfig ?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The reverse record has to be set in the authoritative DNS server for the IP address (which is OVH in this case) and not on your own DNS server. Your DNS server is used for the DNS record of the domain, not the reverse record.

    According to the error message, you must create an AAAA record in the zone vegan.fr for ns1 pointing to that IPv6 IP address.
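
Added example (not part of any post in this thread, and not ISPConfig code): a forward-confirmed reverse DNS check in Python that ties together posts 7, 9 and 12, showing why a PTR on `2a01:4f8:212:f65::` does not cover the sending address `2a01:4f8:212:f65::2` and why the PTR target also needs an AAAA record pointing back. The function names, the host name `mail.example.net` and the three zone dictionaries are assumptions constructed for the demonstration; a real check would pass a `lookup` that queries live DNS.

```python
import ipaddress

def ptr_name(addr):
    """Owner name of the PTR record for one exact address."""
    return ipaddress.ip_address(addr).reverse_pointer

def fcrdns(addr, lookup):
    """Forward-confirmed reverse DNS: PTR -> name -> A/AAAA -> same address.

    lookup(name, rtype) returns a list of record values; it is injected so
    the check can run against constructed data instead of live DNS.
    """
    ip = ipaddress.ip_address(addr)
    rtype = "AAAA" if ip.version == 6 else "A"
    names = lookup(ptr_name(addr), "PTR")
    if not names:
        return (False, "no PTR at " + ptr_name(addr))
    for name in names:
        host = name.rstrip(".").lower()
        for value in lookup(host, rtype):
            # Compare parsed addresses so ::2 and 0:0:...:2 spellings match.
            if ipaddress.ip_address(value) == ip:
                return (True, host)
    return (False, "no %s record of %s points back to %s" % (rtype, names, ip))

def zone_lookup(zone):
    """Resolver stub backed by a dict {(name, rtype): [values]}."""
    return lambda name, rtype: zone.get((name.lower(), rtype), [])

SENDER = "2a01:4f8:212:f65::2"   # sending address shown in the bounce
HOST = "mail.example.net"        # placeholder host name (assumption)

# Constructed data: PTR only on the subnet's ::0 address, as first configured.
SUBNET_ONLY = {(ptr_name("2a01:4f8:212:f65::"), "PTR"): [HOST + "."],
               (HOST, "AAAA"): [SENDER]}
# Constructed data: PTR on the exact sending address plus a matching AAAA.
EXACT = {(ptr_name(SENDER), "PTR"): [HOST + "."], (HOST, "AAAA"): [SENDER]}
# Constructed data: exact PTR, but the host name has no AAAA record.
NO_AAAA = {(ptr_name(SENDER), "PTR"): [HOST + "."]}

if __name__ == "__main__":
    for label, zone in [("subnet-only PTR", SUBNET_ONLY),
                        ("exact PTR + AAAA", EXACT),
                        ("exact PTR, no AAAA", NO_AAAA)]:
        print(label, "->", fcrdns(SENDER, zone_lookup(zone)))
```
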
     
  13. odea

    odea New Member

    I added an AAAA record for ns1.vegan.fr, now I have :
    upload_2023-8-17_11-10-37.png
    it looks like I still have to do something in ispconfig...
    edit: I was writing this message while you replied till, thanks for your answer
     
  14. odea

    odea New Member

    my mistake : I used the ipv6 proposed by default by ispconfig, it seems that it wasn't the good one. Now it works ! Thanks :)
    Do I still have to do something in ispconfig ?
    I have to ask OVH to add a PTR record ? everybody does that ?
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    DNS is now OK for IPv6 and PTR. So nothing to do for those. Since you hijacked this old thread, I am not sure if there is some other ultimate problem you are trying to resolve.
    From what you wrote in #11 I assumed you understood the PTR record registration? Maybe you should formulate your question more explicitly.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    No, except that you might want to delete the reverse zone in ISPConfig as your system should not have that when it is not the DNS server that is responsible for that reverse zones.

    As long as the IP owner (which is OVH and not you) has not delegated DNS for this IP to your DNS server (which OVH likely will not do and which other server providers or datacenters do not do as well), then you'll have to use the DNS of OVH for the reverse record. Running your own DNS for reverse zones is not very common for 'retail' users, so as long as you do not run your own datacenter, it's not very likely that you set up a reverse zone on your own DNS server.
     
  17. odea

    odea New Member

    That's clear, thank you Taleman and till for your help :) and sorry for digging this old thread
     
  18. odea

    odea New Member

    FYI it solved some problems but not all, my emails are still considered spam by Gmail. I'm trying to sign in to their "Postmaster Tools" to get some detailed stats about why emails are seen as spam by Google. Maybe a bad-reputation IP, I don't know yet.
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    And take care you have set up spf record and also activated dkim mail signing.
     
  20. odea

    odea New Member

    Yes, SPF and DKIM checks passed, "The Truth Is Out There" !
     
