
Re: Reverse IPv6 DNS checks on ietf MXs?

2009-03-05 08:16:29
Tim Chown wrote:
[...]
> It's not uncommon for IPv6 servers to be multiaddressed, so mail admins
> will probably just need to be a wee bit more careful, and certainly try
> to avoid using autoconf globals on servers.

Nothing wrong with EUI-64 or autoconf, as long as you actually want them
there ;)

and otherwise on e.g. Linux:
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_ra=0
other mechanisms hopefully available on your favourite OS.

As for the IETF mailservers rejecting it, clearly there was a
misconfiguration and they caught that perfectly fine. Misconfigured
boxes should not be able to send out mail, there are most often other
things also misconfigured then and/or they are not monitored and thus
just used for abuse.

> In our case our server
> acquired an additional global autoconf address on top of its manually
> configured address, which it started sending from, and as this had no
> reverse DNS entry we encountered the Rejects.

I suggest installing NDPMon (http://ndpmon.sourceforge.net/) next to
your arpwatch that you should have running for IPv4. Of course
protecting your L2 with 802.1x or a similar system next to that is also
a good hint.

BTW: for postfix, smtp_bind_address6 allows you to fix the outgoing
address to a certain IP (smtp_bind_address for IPv4 ;)

Greets,
 Jeroen



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
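
An added example, not part of the original message: a small audit of the failure mode discussed in the thread, flagging host addresses that look like autoconf (EUI-64) addresses or that lack a forward-confirmed reverse DNS entry. The addresses, the hostname mx.example.org and the two zone dictionaries are constructed sample data standing in for the host's address list and real DNS lookups.

```python
import ipaddress

# Constructed sample data (documentation prefix 2001:db8::/32), not from the thread.
HOST_ADDRS = [
    "2001:db8:10::25",                   # manually configured mail address
    "2001:db8:10:0:211:22ff:fe33:4455",  # extra global address learned from an RA
    "fe80::211:22ff:fe33:4455",          # link-local, not used for Internet mail
]
PTR_ZONE = {  # constructed reverse zone: ip6.arpa name -> hostname
    ipaddress.ip_address("2001:db8:10::25").reverse_pointer: "mx.example.org",
}
AAAA_ZONE = {"mx.example.org": {"2001:db8:10::25"}}  # constructed forward zone


def is_eui64(addr):
    """True if the interface ID carries the ff:fe marker of a MAC-derived ID.

    Heuristic only: privacy/temporary autoconf addresses do not match it.
    """
    return addr.packed[11:13] == b"\xff\xfe"


def audit(addrs, ptr_zone, aaaa_zone):
    """Return {address: [problems]} for every non-link-local address."""
    report = {}
    for text in addrs:
        addr = ipaddress.IPv6Address(text)
        if addr.is_link_local:
            continue
        problems = []
        if is_eui64(addr):
            problems.append("EUI-64 interface ID (likely autoconf)")
        name = ptr_zone.get(addr.reverse_pointer)
        if name is None:
            problems.append("no PTR for " + addr.reverse_pointer)
        elif str(addr) not in aaaa_zone.get(name, set()):
            problems.append("PTR %s does not resolve back" % name)
        report[str(addr)] = problems
    return report


if __name__ == "__main__":
    for address, problems in audit(HOST_ADDRS, PTR_ZONE, AAAA_ZONE).items():
        print(address, "OK" if not problems else "; ".join(problems))
```

Any address reported with problems is one the MTA could pick as its source unless the outgoing address is pinned, as with the smtp_bind_address6 setting mentioned above.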