Postfix uses temporary IPv6 address for outbound connections

Bug #1089342 reported by Neil Wilson
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu Server Guide
New
Undecided
Unassigned
postfix (Ubuntu)
Confirmed
Wishlist
Unassigned

Bug Description

Refer to https://help.ubuntu.com/lts/serverguide/postfix.html

By default IPv6 privacy extensions is installed on Ubuntu server and temporary addresses are preferred.

This means that outgoing connections from Postfix will use the temporary IPv6 addresses, which will likely fail reverse DNS checks and cause mail to bounce.

Postfix should implement the requirements of RFC5014 and ensure that it sets the IPV6_PREFER_SRC_PUBLIC IPv6 socket option (or possibly provide a configuration option to enforce that requirement).

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: postfix (not installed)
ProcVersionSignature: Ubuntu 3.2.0-34.53-generic 3.2.33
Uname: Linux 3.2.0-34-generic x86_64
ApportVersion: 2.0.1-0ubuntu15
Architecture: amd64
CheckboxSubmission: 55cafa5b8b82ed224cc59d444cb1fc25
CheckboxSystem: 3e53d3ea5811723345f19eff5070f9ab
Date: Wed Dec 12 11:51:28 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
MarkForUpload: True
SourcePackage: postfix
UpgradeStatus: Upgraded to precise on 2012-05-07 (218 days ago)

Tags: serverguide
Revision history for this message
Neil Wilson (neil-aldur) wrote :
Revision history for this message
Scott Kitterman (kitterman) wrote :

Postfix gets used in many different situations in Ubuntu since it is the default MTA. In many of these cases, using the privacy extensions is perfectly appropriate, so I don't think that making this change by default is appropriate. For traditional MTA applications, I agree it should be set and it might be nice to provide this as a configuration option (I did get burned by this too the first time I set up postfix on an IPv6 connected host).

Changed in postfix (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Revision history for this message
Neil Wilson (neil-aldur) wrote :

This is only really a problem when you use the default wildcard address for your MTA binds.

And it looks like there already is an option in postfix that allows you to fix the outbound source address.

smtp_bind_address6

So perhaps its a configuration/documentation issue.

Revision history for this message
Neil Wilson (neil-aldur) wrote :
Revision history for this message
Scott Kitterman (kitterman) wrote :

What we ship now is the upstream default and that is the correct thing to do by default. I think it's a fair point to discuss if, given the increasing availability of IPv6, there should be a debconf question about this. I think it would make sense to add it as a low priority (not normally asked) question so the answer can be pre-seeded.

I think the documentation (as usual for postfix) is excellent. When I ran into this problem myself, I was able to solve it using the available documentation. Postfix documentation is not, however, aimed at new postfix users. It would probably make sense to add a discussion about this to the Ubuntu Server Guide.

Changed in ubuntu-docs (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
milestone: none → ubuntu-13.04-beta-1
Changed in ubuntu-docs (Ubuntu):
milestone: ubuntu-13.04-beta-1 → ubuntu-13.04-beta-2
Revision history for this message
LaMont Jones (lamont) wrote :

This is actually a bug in the ubuntu server settings. Servers should not have ipv6 privacy on by default, and postfix should honor what the admin has set.

I'll revisit this and either close it with a reference to the other bug, or reassign it, as appropriate.

Revision history for this message
John Kim (kotux) wrote :

Updated the description with link to the possible page of concern.

The serverguide for saucy doesn't have postfix.page. Has it been dropped deliberately?

description: updated
tags: added: serverguide
removed: amd64 apport-bug precise running-unity
no longer affects: ubuntu-docs (Ubuntu)
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.