Thanks Google for your new IPv6 mail policy
Wednesday, October 16. 2013
The short version is: Fucking idiots!
Long version:
Google Mail introduced a new policy sometime in August 2013 for receiving e-mail via IPv6. Earlier the policy was the same for IPv4 and IPv6, but they decided to make the Internet a better place by employing a much tighter policy for e-mail senders. Details can be found on their support pages.
For e-mail Authentication & Identification they state:
- Use a consistent IP address to send bulk mail.
- Keep valid reverse DNS records for the IP address(es) from which you send mail, pointing to your domain.
- Use the same address in the 'From:' header on every bulk mail you send.
- We also recommend publishing an SPF record
- We also recommend signing with DKIM. We do not authenticate DKIM using less than a 1024-bit key.
- The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected.
- The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam.
First: My server does not send bulk mail. It sends mail now and then. If the idiots label my box as a "bulk sender" (whatever that means), there is nothing I can do to help it.
Second: I already have done all of the above. I even checked my PTR-record twice. Yes, it is in the above list two times using different words.
Still, after jumping through all the hoops, crossing all the Ts and dotting all the Is: they don't accept email from my box anymore. They dominate the universe, they set new policies, start to enforce them without notice and fail to provide any kind of support. At minimum, there should be a web page with a form where you fill in a couple of fields to test how they perceive your server and get a result telling you what to fix. But no. They don't do that, they just stop accepting any email.
To provide matching words for their search engine, I post a log entry (wrapped to multiple lines) from my Postfix:
postfix/smtp[6803]: A82C94E6CE:
to=<my@sending.address.fi>,
orig_to=<the@recipient's.address.net>,
relay=aspmx.l.google.com[2a00:1450:4008:c01::1b]:25,
delay=0.76,
delays=0.04/0/0.35/0.37,
dsn=5.7.1,
status=bounced (host aspmx.l.google.com[2a00:1450:4008:c01::1b] said:
550-5.7.1 [2001:-my-IPv6-address- 16]
Our system has detected 550-5.7.1 that this message does not meet IPv6 sending guidelines regarding
PTR 550-5.7.1 records and authentication.
Please review 550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more 550 5.7.1 information.
qc2si10501687bkb.307 - gsmtp (in reply to end of DATA command))
I'm not alone with my problem. A number of people complaining about the same issue can easily be found: "Gmail, why are you doing this to me?" and "Google, your IPv6-related email restrictions suck". Most people simply stop using IPv6 to deliver mail to Google. My choice is to fight to the bitter end.
While complaining about the unjustified attitude I get from Google, I got a piece of advice: "Why don't you check what Google's DNS thinks of your setup?". I was like "WHAAT? What Google DNS?"
In fact there is a public DNS offered by Google. It is described in the article Using Google Public DNS. I did use that to confirm that my DNS and reverse-DNS were set up correctly. I typed this into a BASH-shell:
# dig -x 2001:-my-IPv6-address- @2001:4860:4860::8888
It yielded correct results. There was nothing I could do to fix this issue more. As it turned out, I did not change anything but after a couple of days, they just seemed to like my DNS more and allowed my email to pass. Perhaps one of these days I'll write something similar to my open recursive DNS tester.
Idiots!
Andi on :
Nov 21 13:07:17 mailer postfix/smtp[28901]: 323121816D6: to=, relay=gmr-smtp-in.l.google.com[2a00:1450:4013:c00::e]:25, delay=5.6, delays=0.05/0.02/2.8/2.7, dsn=5.7.1, status=bounced (host gmr-smtp-in.l.google.com[2a00:1450:4013:c00::e] said: 550-5.7.1 [2a03:3500:111:4::2] Our system has detected that this message does 550-5.7.1 not meet IPv6 sending guidelines regarding PTR records and 550-5.7.1 authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more 550 5.7.1 information. s6si25419wif.0 - gsmtp (in reply to end of DATA command))
and some minutes later:
Nov 21 13:22:37 mailer postfix/smtp[31240]: 6A067181B91: to=, relay=gmr-smtp-in.l.google.com[2a00:1450:4013:c00::e]:25, delay=0.98, delays=0.04/0.02/0.52/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1416572557 r13si511694wib.0 - gsmtp)
Their IPv6 PTR resolver simply sucks. We have switched to IPv4 transport for mail directed to this IPv6 promoter...
Gregor on :
DNS:
server.example.com A 123.1.1.1
server.example.com AAAA 2001::1
mail.example.com A 123.1.1.1
mail.example.com AAAA 2001::2
123.1.1.1 PTR server.example.com.
2001::1 PTR server.example.com.
2001::2 PTR mail.example.com.
Postfix:
myhostname=server.example.com
inet_interfaces=mail.example.com
The default for smtp_helo_name is $myhostname.
Now, if smtp is using an IPv4 connection, it will send "EHLO server.example.com". For Gmail's smtpd, the connection comes from 123.1.1.1, whose rDNS entry matches the helo-string. => Everything is perfect.
If smtp is using an IPv6 connection, it will still send "EHLO server.example.com". This is independent of the interface smtp is using (which is 2001::2, as inet_interfaces only contains one IPv6 address). So Gmail's smtpd receives a connection from 2001::2, but the corresponding rDNS-entry doesn't match the helo-string. => "Puh, that may be spam"
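The two checks discussed on this page, sketched from the receiving side as an added example (not code from the post, its commenters or Google): the forward-confirmed reverse DNS requirement quoted from Google's guidelines, and the HELO-versus-PTR comparison that the comment above suspects. The zone data is constructed from that comment's records; `check_sender`, `sample` and the lookup helpers are hypothetical names, and whether Gmail really compares the HELO name is the commenter's assumption.

```python
import ipaddress
import socket

# Constructed zone data mirroring the DNS records listed in the comment above.
PTR = {"123.1.1.1": "server.example.com", "2001::1": "server.example.com",
       "2001::2": "mail.example.com"}
FWD = {"server.example.com": ["123.1.1.1", "2001::1"],
       "mail.example.com": ["123.1.1.1", "2001::2"]}

def _norm(name):
    """Compare host names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def system_ptr(ip):
    """Live PTR lookup via the system resolver (not used by sample())."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Live A/AAAA lookup via the system resolver (not used by sample())."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def check_sender(ip, helo, ptr_lookup=system_ptr, fwd_lookup=system_forward):
    """Return the list of problems a receiver could hold against this sender."""
    addr = ipaddress.ip_address(ip)
    ptr = ptr_lookup(str(addr))          # canonical text form of the address
    if not ptr:
        return ["no PTR record"]
    problems = []
    # Parse the forward answers so 2001::2 and 2001:0:0:0:0:0:0:2 compare equal.
    forward = {ipaddress.ip_address(a.split("%")[0])
               for a in fwd_lookup(_norm(ptr))}
    if addr not in forward:
        problems.append("PTR name does not resolve back to the sending IP")
    if _norm(helo) != _norm(ptr):        # assumed check, per the comment above
        problems.append("HELO name differs from PTR name")
    return problems

def sample(ip, helo):
    """Run the checks against the constructed zone instead of live DNS."""
    return check_sender(ip, helo, PTR.get, lambda n: FWD.get(n, []))
```

Calling `check_sender(ip, helo)` without the lookup arguments runs the same checks against the system resolver; setting `smtp_helo_name` to the PTR name of the IPv6 source address is what makes the second `sample()` case pass.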
Gregor on :
The relevant header (anonymized):
Received: from hosting1.XXXX.net (XXXX.net [IPv6:2001:...:2236])
According to the RFC [1], this has to be read as follows:
- hosting1.XXXX.net is the HELO/EHLO-String
- The domain and IP address within the parentheses are the information derived by my mailserver from the TCP connection.
That means, the rDNS for 2001:...:2236 is XXXX.net, not hosting1.XXXX.net. Which can be confirmed by dig:
> dig -x 2001:....:2236 +short
XXXX.net.
[1] RFC 5321, Section 4.4 (https://tools.ietf.org/html/rfc5321#section-4.4)
Julius B. Thijssen on :
Let's analyze, shall we?
[2001:67c:12a0:3:d9:abe7:630b:f4b8] The IP address sending this 550-5.7.1 message does not have a PTR record setup. As a policy, Gmail does not 550-5.7.1 accept messages from IPs with missing PTR records.
http://www.sput.nl/internet/ipv6/chkip6rev.html
All is fine with that IPv6 address. The hostname is just 1 FQDN, the same as HELO, and the same as its IPv4 PTR.
Fucking assholes at Google forced me to spend hours on this because they think they're the masters of everything and decided to just spam-tag perfectly valid mail.
By the way, if you have a gmail account, check its Spam folder because it's literally FULL of false positives nowadays!