On 2018-03-05, Nick <nick@kousu.ca> wrote:
> Hi misc@, long time no see (and please CC me),
>
> In smtpd.conf, the "limit mta" line can be qualified like this:
>
> limit mta for domain gmail.com inet4
>
> which I did because I recently started getting bounces from google saying
>
> 550-5.7.1 [2001:19f0:5001:2f5:5400:ff:fe77:861d] Our system has detected that this message does not meet IPv6 sending guidelines regarding PTR records and authentication. Please review https://support.google.com/mail/?p=IPv6AuthError for more information . d63si3145626edc.222 - gsmtp
>
> I think they started prioritizing their AAAA (IPv6) records over their A (IPv4) DNS records, so now opensmtpd is preferring to use IPv6. I tried a bit but I don't really know what they're mad about, and whatever, I don't want to fight them, I just want my mail to get through.
>
> That limit line fixed it for gmail.com, but now I have a new problem: the huge number of domains that are actually hosted on smtp.gmail.com. I am wondering if there is some way to express "use IPv4 if the mail *server* is gmail" instead of "if the mail *domain* is gmail". Something like:
>
> limit mta for mx smtp.gmail.com inet4
>
> Right now I'm stuck enumerating all Google Apps for Business accounts I know of and adding a line for each.
>
>= Nick
>
>
For your situation, can't you just add an AAAA record for
comms.kousu.ca pointing at 2001:19f0:5001:2f5:5400:ff:fe77:861d?
That will fix the things that google are complaining about on your
system.

Otherwise... It doesn't help you directly with smtpd, but Postfix
has a way to filter out DNS records, added exactly for this situation:

    smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter

    $ cat /etc/postfix/smtp_dns_reply_filter
    # /domain ttl IN AAAA address/ action, all case-insensitive.
    # Note: the domain name ends in ".".
    /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE

Perhaps it would make sense for smtpd to support something like
"limit mta for mx XXX inet4" (i.e. match on hostnames rather than
domain names, and limit address family in a similar way).
It would seem more useful to match on hostnames than email domains
for that.
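
An added example, not part of the original thread: a forward-confirmed reverse DNS check of the kind the AAAA suggestion above is meant to satisfy, run against constructed zone data. It assumes, as the reply implies, that the PTR for the sending address names comms.kousu.ca; the A record value is a made-up documentation address.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (live lookups)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """All A/AAAA addresses for name from the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return [info[4][0] for info in infos]

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (ok, detail); ok is True when a PTR name for ip resolves back to ip."""
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        for candidate in forward_lookup(name):
            try:
                # Compare parsed addresses so different IPv6 spellings still match.
                if ipaddress.ip_address(candidate.split("%")[0]) == addr:
                    return True, f"{name} confirms {addr}"
            except ValueError:
                continue
    return False, f"PTR {names} has no matching forward record"

# Constructed zone data: PTR assumed from the reply, A record invented.
SENDER = "2001:19f0:5001:2f5:5400:ff:fe77:861d"
PTR = {SENDER: ["comms.kousu.ca"]}
BEFORE = {"comms.kousu.ca": ["203.0.113.10"]}
AFTER = {"comms.kousu.ca": ["203.0.113.10",
                            "2001:19f0:5001:02f5:5400:00ff:fe77:861d"]}

def check(forward_zone):
    """Run the check for SENDER against one constructed forward zone."""
    return fcrdns(SENDER, lambda ip: PTR.get(ip, []),
                  lambda name: forward_zone.get(name, []))

if __name__ == "__main__":
    print("before AAAA:", check(BEFORE))
    print("after AAAA: ", check(AFTER))
```

Calling `fcrdns(ip)` with the default lookups runs the same check against live DNS for any outbound address the mail server uses.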