
Turned on IPv6, email connections from IPv6 addresses fail

Have turned on IPv6 in Interfaces & Routing/IPv6. Now the SMTP proxy is not letting emails through, if they are coming from an IPv6 address.

 

Eg:

 

2019:05:20-22:15:00 astaro1-1 exim-in[32339]: 2019-05-20 22:15:00 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56596 (TCP/IP connection count = 1)
2019:05:20-22:15:02 astaro1-1 exim-in[18409]: 2019-05-20 22:15:02 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56596 closed by QUIT
2019:05:20-22:15:14 astaro1-1 exim-in[32339]: 2019-05-20 22:15:14 SMTP connection from [80.82.64.98]:59986 (TCP/IP connection count = 1)
2019:05:20-22:15:15 astaro1-1 exim-in[18537]: 2019-05-20 22:15:15 SMTP connection from (User) [80.82.64.98]:59986 closed by QUIT
2019:05:20-22:15:19 astaro1-1 exim-in[32339]: 2019-05-20 22:15:19 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56605 (TCP/IP connection count = 1)
2019:05:20-22:15:21 astaro1-1 exim-in[18549]: 2019-05-20 22:15:21 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56605 closed by QUIT
2019:05:20-22:15:31 astaro1-1 exim-in[32339]: 2019-05-20 22:15:31 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56626 (TCP/IP connection count = 1)
2019:05:20-22:15:33 astaro1-1 exim-in[18599]: 2019-05-20 22:15:33 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56626 closed by QUIT
2019:05:20-22:15:34 astaro1-1 exim-in[32339]: 2019-05-20 22:15:34 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56633 (TCP/IP connection count = 1)
2019:05:20-22:15:36 astaro1-1 exim-in[18604]: 2019-05-20 22:15:36 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56633 closed by QUIT
2019:05:20-22:15:37 astaro1-1 exim-in[32339]: 2019-05-20 22:15:37 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56634 (TCP/IP connection count = 1)
2019:05:20-22:15:39 astaro1-1 exim-in[18609]: 2019-05-20 22:15:39 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56634 closed by QUIT
2019:05:20-22:15:52 astaro1-1 exim-in[32339]: 2019-05-20 22:15:52 SMTP connection from [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56641 (TCP/IP connection count = 1)
2019:05:20-22:15:54 astaro1-1 exim-in[18655]: 2019-05-20 22:15:54 SMTP connection from ([IPv6:2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]) [2a02:a03f:5ec3:7a00:3581:5223:d2e:6057]:56641 closed by QUIT

Any ideas what I'm doing wrong?

In IPv6 Global I have:

Native over External: 2001:8000:104:8f::2
Subnet: 2001:8000:104:8f::/64

6to4 is off.

Mail server is running on our network.

Running Release 9.602-3

Thanks,

James.



  • Don't know why you think something's not working, James.  It looks like something connects and then immediately sends a QUIT before even EHLO.  The IPv4 address is in the Seychelles and the IPv6 in Belgium.

    Has a correspondent complained?  Are you seeing IPv4 addresses with an immediate QUIT that functioned correctly before?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, Thanks for replying.

    I know it does not work because I get people saying their email program can't send emails. I get them to go to whatsmyip.org in a web browser and it shows an IPv6 address. If their MUA gives more detailed error it is usually something like "SMTP Error: Could not authenticate". (I have Verify recipients set to "With callout").

    No issues with people submitting from IPv4 addresses.

    If I turn off the SMTP Proxy in Global, they can submit (on port 465 or 587) from IPv6.

    This might be relevant: When I look at the mail server's network settings I see that it has a manually set IPv4 address, but for IPv6 it is set to Automatic (ie DHCP) but has no number. 

    Shouldn't it get the IP from the UTM? Just realised I had IPv6 turned on for External interface but not Internal one. Have now turned it on. But when I go to Interfaces/IPv6/Prefix Advertisement it will not let me set one up for Internal interface as "Interface Internal has not IPv6 address configured".

    James.

  • Hi Bob, I think it is a firewall issue. Packetfilter.log:

    2019:05:22-16:32:59 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="0" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="80" srcip="2a01:4f8:191:22c4::2" dstip="2001:8000:104:8f::2" hlim="52" srcport="41042" dstport="465" tcpflags="SYN" 
    2019:05:22-16:33:00 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="0" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="80" srcip="2a01:4f8:191:22c4::2" dstip="2001:8000:104:8f::2" hlim="52" srcport="41042" dstport="465" tcpflags="SYN" 
    2019:05:22-16:33:02 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="0" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="80" srcip="2a01:4f8:191:22c4::2" dstip="2001:8000:104:8f::2" hlim="52" srcport="41042" dstport="465" tcpflags="SYN" 
     
    And:
     
    2019:05:22-07:57:53 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="84" srcip="2001:8004:c00:29d8:281d:ddae:f2f4:4a3" dstip="2001:8000:104:8f::2" hlim="249" srcport="53262" dstport="993" tcpflags="SYN" 
    2019:05:22-08:38:49 astaro1-1 ulogd[15074]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth3" srcmac="84:78:ac:39:57:9b" dstmac="00:1a:8c:f0:84:43" proto="6" length="84" srcip="2001:8004:c00:29d8:281d:ddae:f2f4:4a3" dstip="2001:8000:104:8f::2" hlim="249" srcport="53271" dstport="993" tcpflags="SYN" 
     
    (2001:8004:c00:29d8:281d:ddae:f2f4:4a3 is the IP of a user’s iPad and he was complaining about not being able to send emails)

     

  • For the lines at 16:3x, fwrule="0" implies you could try disabling 'Block invalid packets' in 'Protocol Handling' on the 'Advanced' tab in 'Network Protection >> Firewall'. Any luck with that?

    The blocks of dstport="993" would indicate that the POP3 proxy is not enabled if this is inbound traffic.  If outbound, then it seems a firewall rule would be called for.

    Cheers - Bob

     
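An added example, not part of the original thread: a small Python parser for the `packetfilter` drop lines quoted above. It groups drops by `fwrule`, `dstport` and source address and counts distinct source ports, which shows that the three `fwrule="0"` lines are retransmitted SYNs of a single connection attempt. The sample lines are abridged from the thread's own excerpt, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Abridged from the packetfilter.log lines quoted in the thread
# (MAC, length and hlim fields omitted). The third line keeps a
# typographic closing quote, as pasted logs sometimes carry.
SAMPLE_LOG = '''\
2019:05:22-16:32:59 astaro1-1 ulogd[15074]: id="2001" name="Packet dropped" action="drop" fwrule="0" initf="eth3" proto="6" srcip="2a01:4f8:191:22c4::2" dstip="2001:8000:104:8f::2" srcport="41042" dstport="465" tcpflags="SYN"
2019:05:22-16:33:00 astaro1-1 ulogd[15074]: id="2001" name="Packet dropped" action="drop" fwrule="0" initf="eth3" proto="6" srcip="2a01:4f8:191:22c4::2" dstip="2001:8000:104:8f::2" srcport="41042" dstport="465" tcpflags="SYN"
2019:05:22-16:33:02 astaro1-1 ulogd[15074]: id="2001" name="Packet dropped" action="drop" fwrule="0" initf="eth3" proto="6" srcip="2a01:4f8:191:22c4::2" dstip="2001:8000:104:8f::2" srcport="41042" dstport="465" tcpflags="SYN\u201d
2019:05:22-07:57:53 astaro1-1 ulogd[15074]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth3" proto="6" srcip="2001:8004:c00:29d8:281d:ddae:f2f4:4a3" dstip="2001:8000:104:8f::2" srcport="53262" dstport="993" tcpflags="SYN"
2019:05:22-08:38:49 astaro1-1 ulogd[15074]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth3" proto="6" srcip="2001:8004:c00:29d8:281d:ddae:f2f4:4a3" dstip="2001:8000:104:8f::2" srcport="53271" dstport="993" tcpflags="SYN"
'''

# key="value" pairs; a typographic closing quote is accepted as well.
PAIR = re.compile(r'(\w+)="([^"\u201d]*)["\u201d]')


def parse_line(line):
    """Return the key/value fields of one ulogd packetfilter line."""
    return dict(PAIR.findall(line))


def summarize_drops(text):
    """Group dropped packets by (fwrule, dstport, srcip).

    "attempts" counts distinct source ports, so SYN retransmissions of
    one connection attempt are not counted as separate attempts.
    """
    seen = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in text.splitlines():
        fields = parse_line(line)
        if fields.get("action") != "drop":
            continue
        key = (fields.get("fwrule"), fields.get("dstport"), fields.get("srcip"))
        seen[key]["packets"] += 1
        seen[key]["ports"].add(fields.get("srcport"))
    return {k: {"packets": v["packets"], "attempts": len(v["ports"])}
            for k, v in seen.items()}


if __name__ == "__main__":
    for (rule, port, src), c in summarize_drops(SAMPLE_LOG).items():
        print(f"fwrule={rule} dstport={port} src={src} "
              f"packets={c['packets']} attempts={c['attempts']}")
```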
  • Thanks Bob. "Block Invalid packets" is already turned off. In the Protocol Handling section I only have 'Enable TCP window scaling' and 'Validate packet length' checked. I'll uncheck the latter and see what happens.

     

    Regarding the blocking of dstport="993": I have the POP3 Proxy turned on, but I only have 'Internal (Network)' in 'Allowed Networks'. So I suppose I should put 'External (Network)' in there?

  • Not sure why you would want the POP3 Proxy to accept traffic from "External (Network)." 

    Cheers - Bob

     
  • Just thought it might stop that error message in the log. I'll leave it at internal network only.  

  • James, do the messages stop after you take the proxy out of Transparent mode?  I recommend Transparent only for some situations where one is debugging a problem - and then only for the short time I'm testing.  It's been so long ago that I don't even remember why I used it.

    Cheers - Bob

     
  • You mean in Mail Protection/POP3/Advanced, add Internal network to Transparent Mode Skiplist?

  • No, this is about the 'Transparent Mode' section on the 'Advanced' tab of 'SMTP' - none of those boxes need to be checked for the SMTP Proxy to do its job.

    Cheers - Bob

     