About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
RIPE Community Mail Archives
search  
     
Next Sectionyou are here: RIPE -> RIPE Maillists > Archives
RIPE Navigation Ends
About RIPE Maillists
Maillists Archive
Global Lists
Non Active Lists
RIPE NCC Navigation Ends
Next Section
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

Re: [ipv6-wg] Real-world IPv6 SMTP experience

  • To: Florian Weimer <
    >
  • From: Jeroen Massar <
    >
  • Date: Wed, 21 Dec 2005 13:26:48 +0100
  • Openpgp: id=333E7C23;url=http://unfix.org/~jeroen/jeroen-unfix.org-pgpkey
  • Organization: Unfix
Florian Weimer wrote:
> Hi,
> 
> is there any document that contrasts RFC 3974 with the real world?

No, because that setup works perfectly well. Do you have reason to
believe that it doesn't?

> I
> try to create a set of MX RRs which includes an IPv6 MX host, does not
> negatively impact reachability from v4-only hosts (or v6-enabled hosts
> without v6 connectivity), prefers v6 over v4 when possible, and does
> not waste any IPv4 addresses.

Then do it like described in the above RFC.

> This is what I've come up with so far:
> 
> deneb.enyo.de.          172800  IN MX      9  v6.mail.enyo.de.
> deneb.enyo.de.          172800  IN MX      10 v4.mail.enyo.de.
> 
> v6.mail.enyo.de.        172800  IN A       212.9.189.167
> v6.mail.enyo.de.        172800  IN AAAA    2001:14b0:202:1::a7
> v4.mail.enyo.de.        172800  IN A       212.9.189.167

This will (normally) never hit v4.mail.enyo.de as the SMTP client will
try v6.mail.enyo.de IPv6's address, if that connect fails it will try
v6.mail.enyo.de's IPv4 address.

If v6.mail.enyo.de returns a 4xx then the client will try
v4.mail.enyo.de, which only has an IPv4 address.

> The A RR of v6.mail is necessary because some broken anti-spam checks
> reject mail from deneb.enyo.de if they cannot find an A record for the
> primary MX.

Blame the broken implementation. Not much you can do about except
contacting them to fix their setup.

> The v4.mail MX host is needed because some MTAs suppress
> A record lookup if they discover an AAAA record (even if there's no v6
> connectivity available).

Then those implementations are wrong and need to be fixed.

Thus simply use the following as in the RFC:

deneb.enyo.de.	MX	10 mx1.enyo.de.
deneb.enyo.de.	MX	20 mx2.enyo.de.

mx1.enyo.de.	A	212.9.189.167
		AAAA	2001:14b0:202:1::a7
mx2.enyo.de.	A	<second mx's IPv4 address>
		AAAA	<second mx's IPv6 address>

Correct implementations will then first try mx1.enyo.de's IPv6 address,
if the IPv6 connect fails it will try mx1's IPv4. If mx1 gives 4xx it
will try mx2's IPv6, if that IPv6 connect fails it falls back to mx2's IPv4.

This works flawlessly. If there is an implementation/setup that doesn't
work with the above setup then contact them to let them fix it.

I haven't seen any issues with setups of the above form btw and I have
been running a A/AAAA setup for almost 4 years now on several domains.

Also note that you might want to have more than 1 physically separated
MX. If your sole machine now dies your mail will not be delivered.
Having a separated MX will allow it to be directly delivered at that
place and not entering queues at remote sites. Unless you loadbalance
and have a 99.999999999999999% SLA on the link to the internet of course.

Greets,
 Jeroen

Attachment: signature.asc
Description: OpenPGP digital signature

Post To The List:

Replies

Message References

<<< Chronological >>> Author    Subject <<< Threads >>>
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | © RIPE Community. All rights reserved.
RIPE.NET Homepage LIR Portal RIPE Community