Re: [exim] Google/gmail timeouts, IPv6 conntrack issue?

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Christian Balzer
日付:  
To: exim-users
題目: Re: [exim] Google/gmail timeouts, IPv6 conntrack issue?

Hello,

firstly this was mostly meant as a heads up to other potentially
encountering this and of course a "have you seen this before" kinda query.

On Wed, 16 Feb 2022 21:45:31 +0000 Jeremy Harris via Exim-users wrote:

> On 16/02/2022 07:17, Christian Balzer via Exim-users wrote:
> > Now the reason this happens is that the local iptables
> > (Established, Related is set) is starting to reject packets coming back
> > from google to here after about 2 seconds. (dump attached)
>
> That's... cute. I take it the sample packet content of
> the ICMPs shows nothing objectionable?
>

If found it excruciatingly hard to correlate tcpdump and nf_conntrack
flows, but those ICMP6 destination unreachable packets are the result of
the local iptables rejecting a connection to port 43922 (the originating
outbound SMTP session from here), something it allowed for the first 2
seconds just fine.

The:
---
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -i bond+ -m state --state ESTABLISHED,RELATED -j ACCEPT
---
Works fine for others for longer that 2 seconds, so thus my suspicion

> You could turn on iptables (or whatever *tables it is these days)
> logging, that might give a hint on why the reject.
>
> I can't see right away why this would affect *only* TCP/25
> unless you have some odd rules in there.
>
>
> As to why retry always goes to ipv4, hmm.
> Does anything end up for the ipv6 addr in question in a hints DB?
>

There indeed was one, so that explains that.

>
> You could always just punt on trying to talk ipv6 to G :-
>
> hostlist google_ipv6 = <; 2001:4860::/32 ; 2401:fa00::/32 ; 2404:6800::/32 ; 2600:1900::/28 \
>          ; 2605:ef80::/32 ; 2607:f8b0::/32 ; 2620:0:1000::/40 ; 2620:120:e000::/40 ; 2620:15c::/36 \
>          ; 2800:3f0::/32 ; 2a00:1450::/32 ; 2a00:79e0::/32 ; 2a03:ace0::/32 ; 2c0f:fb50::/32

>
> # dnslookup router
> ignore_target_hosts = +google_ipv6


Yeah, I have too many specific routers and transports already, my
"favorite" being NTT Docomo, who love to defecate on RFCs with a classic
"we are the phone company" attitude.

But thanks for that comprehensive list (which would need to be maintained
of course) anyway. ^o^

I "fixed" that for the time being on the firewall side and have tried to
reach out to google, but people with much more clout and better access
told me that this is likely to result in nothing at all.

Regards,

Christian
-- 
Christian Balzer        Network/Systems Engineer                
chibi@???       Rakuten Communications