On Mon, Dec 19, 2016 at 3:31 PM, Tom Preissler <tom@???> wrote:
> Hi,
>
> I recently set up SPF/DKIM/DMARC on my mail server, so far quite happy
> with it and Exim. I have some commercial domains on my server and these
> were using my "private" domain and IP for emailing out. As I didn't
> want to get my "private" IP blacklisted - just in case - I set up
> domain-specific rules, i.e. I duplicated remote_smtp and bound it to the
> "commercial" IPv4 and a router decides which transport to use depending on
> the sender domain. I also have IPv6 enabled as well, web+email.
> So far so good, all working.
>
> I noticed now that I am getting "fails" back from DMARC for SPF on my
> commercial domain.
>
> It appears to me that when emailing @gmail.com from my commercial
> domain, it *always* goes out via the main IPv6 address. This is kinda
> expected, as I am IPv6 enabled and Google, too. But it's kinda
> unexpected as I am specifically telling it on the remote_smtp_cc
> transport to use a valid, local IPv4 address. This IPv4 address was used
> just fine when doing tests when I configured the "multi-domain" setup.
>
> I am aware I could fix this by adding a separate IPv6 address to the
> commercial mailer+DNS. Yeah, there are plenty of IPv6 addresses out there.
>
>
> Is this "wanted" behaviour? Does IPv6 take precedence over a specific
> "interface" statement? I have to admit, the fallback in this case is
> rather unexpected.
>
It is generally desirable to prefer IPv6 over IPv4, so I'd classify it as
wanted behaviour.
As you note, you should probably specify a specific IPv6 interface for
Google interactions.
Please note, however, that whatever you do based on "gmail.com" won't help
with Google Apps hosted domains.
Anyway, for forcing IPv4 delivery of Gmail stuff, here are some hopefully
helpful excerpts from a modified Debian setup:
# Separate file, in Exim's configuration directory, "misc" subdirectory,
# file "ipv4_force_domains":
gmail.com

# Early in the Exim config:
domainlist ipv4_force_domains = ${if exists{CONFDIR/misc/ipv4_force_domains}{CONFDIR/misc/ipv4_force_domains}{}}

# End of acl_check_rcpt, modify the accept statement:
  accept
    domains = +relay_to_domains : +smarthost_domains : +ipv4_force_domains
    endpass
    verify = recipient

# A bit further down, modify the dnslookup_relay_to_domains and dnslookup
# sections:
dnslookup_relay_to_domains:
  debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains : ! +smarthost_domains : ! +ipv4_force_domains : \
            +relay_to_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
  no_more

dnslookup:
  debug_print = "R: dnslookup for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains : ! +smarthost_domains : ! +ipv4_force_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 : \
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 : \
                        255.255.255.255
  no_more
# Add an ipv4_force_domains section; note how it explicitly ignores IPv6
# target hosts (the "<;" changes the list separator so the IPv6 address
# can be written with colons):
ipv4_force_domains:
  debug_print = "R: ipv4_force_domains for $local_part@$domain"
  driver = dnslookup
  domains = +ipv4_force_domains
  transport = ipv4_smtp
  ignore_target_hosts = <; 0::0/0

# Replace "transport = ipv4_smtp" with the transport that you use for your
# commercial needs.
# Ensure that you keep the logic that separates your commercial
# communication from private, so that the above section doesn't override that
# and always use your "commercial" IPv4 address for contacting Google.
--
Jan
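The SPF failures in the DMARC reports follow directly from which source address the message left on: a record that only lists the commercial IPv4 address fails for a message that went out over the untouched IPv6 address. The evaluator below, an added example that is not part of this thread, checks the literal ip4/ip6/all mechanisms of an SPF record against a sending address (DNS-dependent terms such as include, a and mx are not evaluated); all records and addresses are constructed documentation values.

```python
import ipaddress

# Constructed sample records (documentation prefixes, not real deployments).
# Before: only the commercial IPv4 address is authorised.
SPF_COMMERCIAL = "v=spf1 ip4:192.0.2.25 -all"
# After: the IPv6 address the host actually sends from is listed as well.
SPF_COMMERCIAL_FIXED = "v=spf1 ip4:192.0.2.25 ip6:2001:db8:1::25 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_verdict(record: str, source_ip: str) -> str:
    """Evaluate ip4/ip6/all mechanisms of an SPF record for a sending IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'permerror'.
    Mechanisms that need DNS lookups (a, mx, include, redirect, exists)
    are skipped, so this only reflects the literal address terms.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(source_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term and term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address term (RFC 7208)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    # No mechanism matched and no explicit "all": default result is neutral.
    return "neutral"


if __name__ == "__main__":
    for source in ("192.0.2.25", "2001:db8:1::25"):
        print(source, spf_verdict(SPF_COMMERCIAL, source),
              "->", spf_verdict(SPF_COMMERCIAL_FIXED, source))
```

Run against the IPv4 and IPv6 addresses a host can send from, this shows which outbound path a DMARC aggregate report would flag before a single message leaves the queue.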