Routing mail over ipv6 for the first time ever
Well, I got my first ever encrypted starttls and smtpd over ipv6 to work early this morning.
I didn't quite get it done the way that I wanted, but so far it seems to work. I'm not going to write a howto on this, but roughly, what I did was:
Enabled ipv6 in postfix 2.3.X on both boxes. That's a two-liner in /etc/postfix/main.cf:
inet_interfaces = all
inet_protocols = all
Added an AAAA record in dns for my default mail host (which is on an ipv6 native network) so it had both AAAA and A records. Added another pure ipv6 domain that only got mail via an AAAA address...
Got a tunnel for my ipv4 server from Hurricane Electric's tunnel broker. A couple of clicks and one automagically made script and an entry in /etc/rc.local and I was done.
Went through a whole lot of hell with SSL certs. I'm not going to go into that here.
Got a good buddy to bail me out of that jam, who also sneered at my ipv4 spam stopping setup and laid some seriously heavyweight anti-spam stuff all over it while I slept.
Testing so far has been interactions with gmail and a few friends' mailers running postfix, mostly.
Email over ipv6 works! And because I ignore rbls, email gets through, encrypted, in seconds, rather than minutes. And I haven't seen a single spammer attempt to connect to the ipv6 address.
Nobody cares! Nobody, but nobody, is routing mail over ipv6 but these two servers it seems. Gmail doesn't even try to use starttls, either.
Losing the rbl system is going to hurt.
Now, what I had wanted to do was set up an mx 10 the_ipv6_address and an mx 20 the_ipv4_address, but I ran into issues with the tls certs not working with the different names and I gave up.
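To make the intended mx 10 / mx 20 layout concrete, here is an added example (not code from the original post) of how a sending MTA orders its delivery candidates: MX records sorted by preference, then the AAAA and A addresses of each host. The zone is constructed with placeholder names; an ipv6-only MX at preference 10 and an ipv4-only MX at preference 20, which is the split described above. The function shows why the two MX hosts end up being different names, and therefore why each name needs a certificate that matches it.

```python
# Added example: ordering of delivery candidates from MX, AAAA and A records.
# The zone below is constructed; the names are placeholders, not real hosts.
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone: mx6 answers only over IPv6, mx4 only over IPv4.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.test", "MX"): ["10 mx6.example.test", "20 mx4.example.test"],
    ("mx6.example.test", "AAAA"): ["2001:db8::25"],
    ("mx4.example.test", "A"): ["192.0.2.26"],
}


def lookup(zone: Dict[Tuple[str, str], List[str]], name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS query against the constructed zone."""
    return zone.get((name, rtype), [])


def delivery_candidates(zone, domain: str, sender_has_ipv6: bool = True):
    """Return (preference, host, address) tuples in the order a sender tries them.

    MX records are sorted by preference, lowest first (RFC 5321). For each MX
    host the AAAA addresses are tried before the A addresses when the sender
    has IPv6 connectivity; an IPv4-only sender never sees the AAAA records and
    so skips straight past an IPv6-only MX host to the next preference.
    """
    mx = lookup(zone, domain, "MX")
    if mx:
        hosts = sorted((int(pref), host) for pref, host in (r.split() for r in mx))
    else:
        # No MX record: the domain's own address records are used (RFC 5321 5.1).
        hosts = [(0, domain)]

    rtypes = ("AAAA", "A") if sender_has_ipv6 else ("A",)
    candidates = []
    for pref, host in hosts:
        for rtype in rtypes:
            for addr in lookup(zone, host, rtype):
                ipaddress.ip_address(addr)  # reject malformed zone data early
                candidates.append((pref, host, addr))
    return candidates


if __name__ == "__main__":
    for has_v6 in (True, False):
        print("sender has ipv6" if has_v6 else "ipv4-only sender")
        for cand in delivery_candidates(ZONE, "example.test", has_v6):
            print("  ", cand)
```

With this zone an ipv6-capable sender tries mx6 first and mx4 second, while an ipv4-only sender goes directly to mx4. Both hosts present their own name in the STARTTLS handshake, so the certificate on each must match that name.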
The only thoughts I can think of at the moment (it has been a long night filled with other geeky pleasures, like wrestling with and failing at 6in4 tunneling through an apparently stateful firewall) are:
1) greylisting - with only a weak reliance on the ip address - probably would help in the ipv6 case...
2) Man, dealing with your own email server almost requires a masters degree these days. This stuff used to be easy. Yes, I regarded configuring sendmail, back in the 90s - as EASY. It SHOULD be easy, especially if you are only dealing with 8 email addresses, as I am, but nooo...
3) I'd still like to relay from my laptop in the field, rather than run imap/etc. Get the graphical clients out of this... I broke sending email from clients somewhere along the way last night (I think I need to switch back from sasl to dovecot), which kind of makes all this moot - been sending test mails via the grungy old Mail utility....
3a) getting the voicemail to email gateway to work on the blackfin is looking really hard now.
4) Probably makes sense to "secure by obscurity" the mail server's ipv6 address, and only accept mail on those ipv6 addresses, and rotate them regularly.
5) For ipv6 email, a basic web of trust gets established now, with support for revocation of certs, a free crypto infrastructure (verisign charges 2600 dollars for an SSL cert! for a string of numbers! WTF!?), and we repeal the rfc that says MUST NOT on encryption, and make it MUST.
6) Securing other avenues of attack - e.g. via the web - is going to be no picnic either.
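Point 1) above, greylisting with only a weak reliance on the ip address, is the one that lends itself to a worked example. The block below is added here and is not code from the original post or from any greylisting package; it keys the usual (client, sender, recipient) triplet on the client's network prefix rather than its exact address, using the /64 for ipv6 (a single host can take any address in its /64, so a retry from a neighbouring address should still count) and the /24 for ipv4. The prefix lengths, the delay and the sample attempts are all constructed assumptions.

```python
# Added example: greylisting keyed on the client's network prefix, not the exact
# address. Prefix lengths, delay and sample traffic are constructed assumptions.
import ipaddress
from typing import Dict, Tuple

GREYLIST_DELAY = 300  # seconds a new triplet must wait before it is accepted
IPV6_PREFIX = 64      # one host usually owns a whole /64, so key on that
IPV4_PREFIX = 24      # coarse key for ipv4 so a retry from a sibling MTA counts


def network_key(addr: str) -> str:
    """Collapse a client address to the prefix used in the greylist key."""
    ip = ipaddress.ip_address(addr)
    plen = IPV6_PREFIX if ip.version == 6 else IPV4_PREFIX
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class Greylist:
    """In-memory greylist. A real deployment would persist and expire entries."""

    def __init__(self, delay: int = GREYLIST_DELAY):
        self.delay = delay
        self.first_seen: Dict[Tuple[str, str, str], float] = {}

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        """Return 'defer' (temporary 450 reject) or 'accept' for one attempt."""
        key = (network_key(client_ip), sender.lower(), recipient.lower())
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now  # first sighting: ask the client to retry
            return "defer"
        if now - seen < self.delay:
            return "defer"              # retried, but too soon
        return "accept"                 # a patient, retrying MTA: let it through


def run_demo():
    """Constructed sequence: a legitimate ipv6 MTA retrying from a sibling
    address in the same /64, then a new client in a different /64."""
    g = Greylist()
    sender, rcpt = "alice@example.test", "bob@example.test"
    attempts = [
        ("2001:db8:1::a", 0),     # first contact -> defer
        ("2001:db8:1::b", 120),   # same /64, retry too early -> defer
        ("2001:db8:1::b", 400),   # same /64, after the delay -> accept
        ("2001:db8:2::a", 400),   # different /64 -> new triplet -> defer
        ("192.0.2.77", 400),      # ipv4 client, keyed on /24 -> defer
    ]
    return [g.check(ip, sender, rcpt, t) for ip, t in attempts]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The key design choice is the prefix length: too long (a /128) and a legitimate retry from another address in the same /64 looks like a new client; too short and unrelated hosts share one greylist entry. Greylisting of this kind only delays a sender that retries, so it complements rather than replaces the rbl lookups that are lost on ipv6.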
more after I get some sleep.
Labels: ipv6, networking