This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Turned on IPv6, email connections from IPv6 addresses fail

Have turned on IPv6 in Interfaces & Routing/IPv6. Now the SMTP proxy is not letting emails through, if they are coming from an IPv6 address.

 

Eg:

 

2019:05:20-22:15:00 astaro1-1 exim-in[32339]: 2019-05-20 22:15:00 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56596 (TCP/IP connection count = 1)
2019:05:20-22:15:02 astaro1-1 exim-in[18409]: 2019-05-20 22:15:02 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56596 closed by QUIT
2019:05:20-22:15:14 astaro1-1 exim-in[32339]: 2019-05-20 22:15:14 SMTP connection from [80.82.64.98]:59986 (TCP/IP connection count = 1)
2019:05:20-22:15:15 astaro1-1 exim-in[18537]: 2019-05-20 22:15:15 SMTP connection from (User) [80.82.64.98]:59986 closed by QUIT
2019:05:20-22:15:19 astaro1-1 exim-in[32339]: 2019-05-20 22:15:19 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56605 (TCP/IP connection count = 1)
2019:05:20-22:15:21 astaro1-1 exim-in[18549]: 2019-05-20 22:15:21 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56605 closed by QUIT
2019:05:20-22:15:31 astaro1-1 exim-in[32339]: 2019-05-20 22:15:31 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56626 (TCP/IP connection count = 1)
2019:05:20-22:15:33 astaro1-1 exim-in[18599]: 2019-05-20 22:15:33 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56626 closed by QUIT
2019:05:20-22:15:34 astaro1-1 exim-in[32339]: 2019-05-20 22:15:34 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56633 (TCP/IP connection count = 1)
2019:05:20-22:15:36 astaro1-1 exim-in[18604]: 2019-05-20 22:15:36 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56633 closed by QUIT
2019:05:20-22:15:37 astaro1-1 exim-in[32339]: 2019-05-20 22:15:37 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56634 (TCP/IP connection count = 1)
2019:05:20-22:15:39 astaro1-1 exim-in[18609]: 2019-05-20 22:15:39 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56634 closed by QUIT
2019:05:20-22:15:52 astaro1-1 exim-in[32339]: 2019-05-20 22:15:52 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56641 (TCP/IP connection count = 1)
2019:05:20-22:15:54 astaro1-1 exim-in[18655]: 2019-05-20 22:15:54 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56641 closed by QUIT

Any ideas what I'm doing wrong?

In IPv6 Global I have:

Native over External: 2001:8000:104:8f::2
Subnet: 2001:8000:104:8f::/64

6to4 is off.

Mail server is running on our network.

Running Release 9.602-3

Thanks,

James.



This thread was automatically locked due to age.
Parents
  • Don't know why you think something's not working, James.  It looks like something connects and then immediately sends a QUIT before even EHLO.  The IPv4 address is in the Seychelles and the IPv6 in Belgium.

    Has a correspondent complained?  Are you seeing IPv4 addresses with an immediate QUIT that functioned correctly before?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, I think it is a firewall issue. Packetfilter.log:

    2019:05:22-16:32:59 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="0" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="80" srcip="2a01:4f8:191:22c4::2" dstip="2001:8000:104:8f::2" hlim="52" srcport="41042" dstport="465" tcpflags="SYN" 
    2019:05:22-16:33:00 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="0" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="80" srcip="2a01:4f8:191:22c4::2" dstip="2001:8000:104:8f::2" hlim="52" srcport="41042" dstport="465" tcpflags="SYN" 
    2019:05:22-16:33:02 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="0" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="80" srcip="2a01:4f8:191:22c4::2" dstip="2001:8000:104:8f::2" hlim="52" srcport="41042" dstport="465" tcpflags="SYN” 
     
    And:
     
    2019:05:22-07:57:53 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="84" srcip="2001:8004:c00:29d8:281d:ddae:f2f4:4a3" dstip="2001:8000:104:8f::2" hlim="249" srcport="53262" dstport="993" tcpflags="SYN" 
    2019:05:22-08:38:49 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="84" srcip="2001:8004:c00:29d8:281d:ddae:f2f4:4a3" dstip="2001:8000:104:8f::2" hlim="249" srcport="53271" dstport="993" tcpflags="SYN” 
     
    (2001:8004:c00:29d8:281d:ddae:f2f4:4a3 is the IP of a user’s iPad and he was complaining about not being able to send emails)

     

  • For the lines at 16:3x, fwrule="0" implies you could try disabling 'Block invalid packets' in 'Protocol Handling' on the 'Advanced' tab in 'Network Protection >> Firewall'. Any luck with that?

    The blocks of dstport="993" would indicate that the POP3 proxy is not enabled if this is inbound traffic.  If outbound, then it seems a firewall rule would be called for.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob. "Block Invalid packets" is already turned off. In the Protocol Handling section I only have 'Enable TCP window scaling' and 'Validate packet length' checked. I'll uncheck the latter and see what happens.

     

    The blocking of dstport="993" I have POP3 Proxy turned on, but in my Allowed Networks I only have 'Internal (Network)' in 'Allowed Networks'. So I suppose I should put 'External (Network)' in there?

  • Not sure why you would want the POP3 Proxy to accept traffic from "External (Network)." 

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Just thought it might stop that error message in the log. I'll leave it at internal network only.  

  • James, do the messages stop after you take the proxy out of Transparent mode?  I recommend Transparent only for some situations where one is debugging a problem - and then only for the short time I'm testing.  It's been so long ago that I don't even remember why I used it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You mean in Mail Protection/POP3/Advanced, add Internal network to Transparent Mode Skiplist?

  • No, this is about the 'Transparent Mode' section on the 'Advanced' tab of 'SMTP' - none of those boxes need to be checked for the SMTP Proxy to do its job.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • No, this is about the 'Transparent Mode' section on the 'Advanced' tab of 'SMTP' - none of those boxes need to be checked for the SMTP Proxy to do its job.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • OK, I have now turned that off. When I turn that off, does it actually do any spam/malware etc blocking? Nothing shows up in Mail Manager.

    SMTP Proxy log now just shows:

    2019:05:27-09:28:01 astaro1-1 exim-out[16368]: 2019-05-27 09:28:01 Start queue run: pid=16368
    2019:05:27-09:28:01 astaro1-1 exim-out[16368]: 2019-05-27 09:28:01 End queue run: pid=16368
    repeated every minute
     

    Will see if IPv6 users can send now.

  • Hi Bob, turned off SMTP on port 25 (it was already off for port 465 and 587, the problem ones)

    My users still can't submit emails:

    2019:05:27-09:31:34 astaro1-1 exim-in[32339]: 2019-05-27 09:31:34 SMTP connection from [2001:8003:d865:2700:96e:5012:53f2:39bf]:57274 (TCP/IP connection count = 1)
    2019:05:27-09:31:42 astaro1-1 exim-in[17393]: 2019-05-27 09:31:42 SMTP connection from ([IPv6:2001:8003:d865:2700:96e:5012:53f2:39bf]) [2001:8003:d865:2700:96e:5012:53f2:39bf]:57274 closed by QUIT
     
    But it can still receive on port 25:
     
    2019:05:27-09:33:35 astaro1-1 exim-in[32339]: 2019-05-27 09:33:35 SMTP connection from [2404:3800:f:1:0:1:0:a9]:60448 (TCP/IP connection count = 1)
    2019:05:27-09:33:36 astaro1-1 exim-in[18200]: 2019-05-27 09:33:36 H=johnson.smtp.mailx.hosts.net.nz [2404:3800:f:1:0:1:0:a9]:60448 Warning: bordo.com.au profile excludes greylisting: Skipping greylisting for this message
    2019:05:27-09:33:37 astaro1-1 exim-in[18200]: 2019-05-27 09:33:37 DNS list lookup defer (probably timeout) for 9.a.0.0.0.0.0.0.1.0.0.0.0.0.0.0.1.0.0.0.f.0.0.0.0.0.8.3.4.0.4.2.black.rbl.ctipd.astaro.local: assumed not in list
    2019:05:27-09:33:37 astaro1-1 exim-in[18200]: 2019-05-27 09:33:37 [2404:3800:f:1:0:1:0:a9] F=<someone@drillstapsdies.co.nz> R=<my.user@bordo.com.au> Verifying recipient address with callout
    2019:05:27-09:33:40 astaro1-1 exim-in[18200]: 2019-05-27 09:33:40 1hV2e1-0004jY-11 ctasd reports 'Unknown' RefID:str=0001.0A150203.5CEB2254.0062,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2019:05:27-09:33:40 astaro1-1 exim-in[18200]: 2019-05-27 09:33:40 1hV2e1-0004jY-11 <= someone@drillstapsdies.co.nz H=johnson.smtp.mailx.hosts.net.nz [2404:3800:f:1:0:1:0:a9]:60448 P=esmtps X=TLSv1.2:AES128-GCM-SHA256:128 S=48401 id=000a01d5141b$6ec16be0$4c4443a0$@drillstapsdies.co.nz
    2019:05:27-09:33:40 astaro1-1 exim-in[18200]: 2019-05-27 09:33:40 SMTP connection from johnson.smtp.mailx.hosts.net.nz [2404:3800:f:1:0:1:0:a9]:60448 closed by QUIT
    2019:05:27-09:33:41 astaro1-1 smtpd[32244]: QMGR[32244]: 1hV2e1-0004jY-11 moved to work queue
    2019:05:27-09:33:50 astaro1-1 smtpd[18235]: SCANNER[18235]: 1hV2eE-0004k7-Gx <= someone@drillstapsdies.co.nz R=1hV2e1-0004jY-11 P=INPUT S=46909
    2019:05:27-09:33:52 astaro1-1 smtpd[18235]: SCANNER[18235]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="2404:3800:f:1:0:1:0:a9" from="someone@drillstapsdies.co.nz" to="my.user@bordo.com.au" subject="RE: Purchase Order from Drills, Taps & Dies Limited" queueid="1hV2eE-0004k7-Gx" size="46909"
    2019:05:27-09:33:52 astaro1-1 smtpd[18235]: SCANNER[18235]: 1hV2e1-0004jY-11 => work R=SCANNER T=SCANNER
    2019:05:27-09:33:52 astaro1-1 smtpd[18235]: SCANNER[18235]: 1hV2e1-0004jY-11 Completed
    2019:05:27-09:33:55 astaro1-1 exim-out[18244]: 2019-05-27 09:33:55 1hV2eE-0004k7-Gx => my.user@bordo.com.au P=<someone@drillstapsdies.co.nz> R=static_route_hostlist T=static_smtp H=192.168.1.9 [192.168.1.9]:25 C="250 2.0.0 Ok: queued as 1EA7E18E7045"
    2019:05:27-09:33:55 astaro1-1 exim-out[18244]: 2019-05-27 09:33:55 1hV2eE-0004k7-Gx Completed
  • I don't understand, James - why allow users to submit emails to the SMTP Proxy instead of to your mail server.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • After restarting the UTM (to apply the 9.603-1 update) it started providing IPv6 numbers to hosts on my network. Once the mail server got one people were able to submit to it from IPv6 addresses.