Fixing Google's new IPv6 mail policy with Postfix
Friday, October 18. 2013
I covered Google's new & ridiculous e-mail policy in my previous post.
The author of my favorite MTA, Postfix, Mr. Wietse Venema offered a piece of advice to another poor postmaster like me in the official Postfix User's Mailing list "disable ipv6 when sending to gmail?"
The idea is to use Postfix's SMTP reply-filter feature. With that, postmaster can re-write something the remote server said into something useful to alter Postfix's behavior. In this case, I'd prefer a retry using IPv4 instead of IPv6. Luckily the ability of dropping down to IPv4 is already built in, the only issue is to convince Postfix that what Google said is not true. For the IPv6-issue they state that the e-mail in question cannot be delivered due to a permanent error. A status code of 5.5.0 is given in this case. What Wietse suggest is to re-write the 5.5.0 into a 4.5.0 which indicates a temporary failure. This triggers the mechanism to do an IPv4 attempt immediately after failure.
I added following into /etc/postfix/main.cf:
# Gmail IPv6 retry:
smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter
Then I created the file of /etc/postfix/smtp_reply_filter and made it contain:
# Convert Google Mail IPv6 complaint permanent error into a temporary error.
# This way Postfix will attempt to deliver this e-mail using another MX
# (via IPv4).
/^5(\d\d )5(.*information. \S+ - gsmtp.*)/ 4${1}4$2
Reload Postfix just to make sure the main.cf change is in effect, no need to postmap the PCRE-file.
Effectively the last line of Google error message:
550-5.7.1 [2001:-my-IPv6-address-here- 16] Our system has detected
550-5.7.1 that this message does not meet IPv6 sending guidelines regarding PTR
550-5.7.1 records and authentication. Please review
550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more
550 5.7.1 information. dj7si12191118bkc.191 - gsmtp (in reply to end of DATA command))
will be transformed into:
450 4.7.1 information. dj7si12191118bkc.191 - gsmtp (in reply to end of DATA command))
And my mail gets delivered! Nice. Thanks Wietse! Shame on you Google!
peterlim on :
Jari Turkia on :
komal on :
candy crush on :
Sam Nuzbrokh on :
Cees van Veelen on :
Then it works like a charm.
Brad Koehn on :
Thanks much.
Jari Turkia on :
Nowwhat on :
After having SPF going great,
'dk-filter' add, DKIM up and running,
DMARC humming - My IPv6 reverse set and good....
Google is yelling at me:
550-5.7.1 [2001:41d0:1:97a5::5 12] Our system has detected that this
550-5.7.1 message is likely unsolicited mail. To reduce the amount of spam sent
550-5.7.1 to Gmail, this message has been blocked. Please visit
550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 450 4.7.1 more information. k12si30883217qav.129 - gsmtp (in reply to end of DATA command)
Needless to say that I 'control' all IPv4 and IPv6 for years now. I know what gets in, I know what gets out, and I'm (of course
Btw: note: Gmail was accepting my IPv6 mails from my server to my Gmail account at the end of last 2013 .... they fiddled something up lately, like adding DMARC support (which I added also) but I still found myself with these "5.5.0".
I also use "sender_dependent_default_transport_maps" which means that, depending the sender domain name, I 'switch' to the right outgoing IPv4 or IPv6. Postfix always tries the IPv6 first.
Your solution makes it trying again, using the right bound IP with v4 - which works great !!
Good to see your advise actually working in the postfix logs:
brit-hotel-fumel_fr/smtp[2118]: gmail-smtp-in.l.google.com[2607:f8b0:400d:c00::1b]:25: replacing server reply "550 5.7.1 more information. k12si30883217qav.129 - gsmtp" with "450 4.7.1 more information. k12si30883217qav.129 - gsmtp"
Many thanks !
Jari Turkia on :
I cannot comprehend how their dark souls make these decisions. They seem quite irrational to me.
digital marketing training in pitampura on :
Jari Turkia on :
Nowwhat on :
Jul 15 18:57:43 mail my_server/smtp[30937]: 68A0088C6C2: to=, relay=gmail-smtp-in.l.google.com[2607:f8b0:400d:c00::1b]:25, delay=2.9, delays=0.04/0.1/1.1/1.7, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:400d:c00::1b] said:
#550-5.7.1 [2001:41d0:1:97a5::1 1] Our system has detected an unusual rate
#550-5.7.1 of unsolicited mail originating from your IP address. To protect our
#550-5.7.1 users from spam, mail sent from your IP address has been blocked.
#550-5.7.1 Please visit 550-5.7.1 http://www.google.com/mail/help/bulk_mail.html to review our Bulk
#550 5.7.1 Email Senders Guidelines. c77si15644818qge.0 - gsmtp (in reply to end of DATA command))
GMAIL said: I bounced your mail.
Of course, the PRCE filter didn't work.... no phrase to match.
BUT: surprise: the mail came through !! It was marked as spam in GMAIL (but I filtered my sender mail address as wanted mail
Btw: verification headers produced by GMAIL were:
Received-SPF: pass (google.com: domain of me@my-domaine.tld designates 2001:41d0:1:xx7a5::1 as permitted sender) client-ip=2001:41d0:1:xxa5::1;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of me@my-domaine.tld designates 2001:41d0:1:xxa5::1 as permitted sender) smtp.mail=me@my-domaine.tld;
dkim=pass header.i=@my-domaine.tld;
dmarc=pass (p=REJECT dis=NONE) header.from=my-domaine.tld
So, GMAIL says the mail is 'perfect'.
GMAIL's IPv6 front-end thinks otherwise .... says it bounces, but it didn't ....
I wonder if it is possible to add another line to the smtp_reply_filter file with this
/^5(\d\d )5(.*Guidelines. \S+ - gsmtp.*)/ 4${1}4$2
Jari Turkia on :
I don't see why your suggested line wouldn't work. When looking at the documentation (http://www.postfix.org/postconf.5.html#smtp_reply_filter) it really does not specify anything about multiple regular expressions, but I'm assuming it would work logically from top to bottom.
If you put two regexps to replace codes beware that the first does not change the line. In your case, I don't see that happening.
Please, tell me if you succeed in adding the 2nd regexp.
192.168.100.1 on :
Jari Turkia on :
As this is not an advertisement platform, please refrain from posting comments for purely promoting your services.
John Matthews on :
I've got valid forward AND reverse AAAA DNS entries as well as valid SPF records. I still get the occasional "you are a spammer" message. I'm about ready to disable IPv6 entirely on my server because of Google's utter ineptitude. And I only have this problem with Google mail servers. Stupid! Stupid, stupid, stupid, stupid! As far as I'm concerned, this is just one more reason to stay as far away from Google as possible and use them only for their search engine. The day a company offers actual customer service with a similar platform is the day Google loses the majority of their current "customers" and won't ever regain them because their culture is the antithesis of customer service.
At any rate, I've applied this patch to my postfix config. I shouldn't have to patch what is entirely Google's problem, but I am now. Thanks for providing this post - hopefully I won't have to disable IPv6 support entirely.
Jari Turkia on :
All the brains at Google and all they get is anybody using IPv6 categorised as a spammer. Nice going! Some of us here are trying to fight the spam, not be spammers.
Nowwhat on :
=> I didn't chose GMail, but some of my contact partners did ( I guess it has something to do with the price I GMail asks
=> Before Gmail, we had Yahoo (they gave up ... ) - we had to DK-filter ....
=> And before that we had hotmail (even when M$Soft wans't running the place) - we learned about SPF ....
=> before that ... well, we had these millions of sys-admin who couldn't 'set up' their mail server right, so mail didn't pas 'well' for x million reasons.
=> A guy found out "IPv6" - and all BIG mail operators asked themselves: How do we blacklist a 'bad IP" ? (how big should the database be this time ?)
=> Etc
What I really want to say: GMail knows what they are doing.
They have a reason for doing so.
ME not understanding the reasons put ME in the right spot, that is, the place where I can only say: "I don't know why the do that".
It's not my problem anymore - my mails go to GMail very well now !
The good news is: WE DON'T care.
The subject is very well documented.
The answer is ON THIS PAGE.
We might even forget the solution mentioned over here after couple of weaks, months, years because:
If all goes well, these extra "rules" aren't needed anymore.
New hassle will pop up.
Btw: I guess that Google's Ph.D doesn't even know that 'his' company works in the 'email' business
Nudge on :
Fahim on :
can you give me the working configure for setup ipv6 on postfix?
Jari Turkia on :
Benjamin Goldberg on :
Frederic MARTIN on :
Gmail changed its error messages so the previous PCRE regex don't work anymore.
'information' text string is not present anymore.
You'll have to change:
/^5(\d\d )5(.*information. \S+ - gsmtp.*)/ 4${1}4$2
into
/^5(\d\d )5(.*. \S+ - gsmtp.*)/ 4${1}4$2
It will work with the previous message too.
Jari Turkia on :
What you suggest above is valid. I just didn't notice it. I got some of my mail delivered to spam-folder in Gmail, but didn't have the time to investigate. You saved me the time of doing that. Excellent!
Terry Hobart on :
Had to install the pcre and use the #10 change but now it works 08/2017. (I hope - still testing
Rafael on :
And if there is a real error, such as an email address does not exist or the domain does not exist, then what will? Again and again, Postfix will send a message?
Jari Turkia on :
Briefly: The rule alters only IPv6 permanent failure because of PTR-record failure. A retry will be done with the other protocol and since IPv4 PTR-record -check cannot produce an error matching the regexp, it cannot be rewritten from permanent to temporary and any permanent failure will be handled accordingly.
Ether Hunk on :
Jari Turkia on :
subway surfers on :
fnaf on :
Mihai P. on :
Jari Turkia on :
vex 4 on :
Myltfilma on :
komal on :
robbyjaksan on :
Jari Turkia on :
Why are you advertising here? This is not the correct forum for that kind of activity.
Also, what does that have to do with IPv6, Google or IPv6 with Google? Nothing. Idiots.
joyhopson12 on :
Jari Turkia on :
What exactly has this to do with Google and/or Gmail?
niocop on :
Jack on :
How should that be done? Or where is it explained?
Thanks
Jari Turkia on :
top free blogging platforms on :
Oscar Price on :
Patsy on :
Jari Turkia on :
abhi dilip rane on :
tejaswani on :
Jari Turkia on :
Now that your comment doesn't have a plug for your website, it is even more valuable for me!
Sam Nuzbrokh on :
Ryan Walsh on :
Jari Turkia on :
You're also not very good in attempts to advertise your website. Please go someplace else for your own publicity.
Don Maxwell on :
home tuition on :
I find a very good website for the english tuition singapore, You can visit this site.
Jari Turkia on :
Maybe you should place your advertisements someplace else?
Mick John on :
thecareershapers on :
Jari Turkia on :
Jessica Kiely on :
pia on :
meanwhile don't checkout best digital marketing institute in
Webcore Digital on :
Jari Turkia on :
Instead of advertising your site, tell us what the missing lines are?
Yes, I know, you have no idea how to fix this or anything. The only idea was to post an ad.
Webcore Digital on :
Jari Turkia on :
Please note, you're commenting on article written in Friday, October 18. 2013. This kind of changes in policy will happen and obviiously we'd love to be informed.
What you missed in your AI-powered advertisement-frenzy was the fact, that in the blog post I told how to implement forcing Postfix to use IPv4. Ultimately, those generated phrases of text are mostly useless.