Email sending broken after updating to 8.2.x (due to IPv6 issues)
-
@avatar1024 Is 421 4.7.23 your VPS IP?
@scooke nope 421 4.7.23 is the Google error code I believe, see https://support.google.com/a/answer/81126?visit_id=638750398959602051-541616874&p=sender-guidelines&rd=1.
The IP(v6) of the server is the one in the error message right after 421 4.7.23 in [] which I've hidden with xxx.
-
Given this only happens with forwards it seems it might have to do with the SRS rewrite. The weird thing is why does it only happens if the original sender is Gmail?
-
So with a self hosted install I would need to ask the ISP to set up the ipv6 PTR like they ip4 record ?
@AartJansen said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
So with a self hosted install I would need to ask the ISP to set up the ipv6 PTR like they ip4 record ?
yes
-
I've started to have this issue again randomly (emails only sometimes bounce...helpful I know) despite having IPv6 is disabled on both Cloudron and on the Network interface for that server.
@avatar1024 Right so here I had made a mistake, I hadn't disabled IPv6 on the network interface on my server persistently and I reckon it got reactivate after a reboot. I've updated my post here for clarity: https://forum.cloudron.io/post/100505
-
For Hetzner... it looks like the PTR setting for an IPv6 is not checking if its correctly set. You will need to add the last piece - in my case "::1" - to the PTR record - even if Hetzner also accepts "::" only. I guessed this will cover the whole range - but I was wrong.
(Ask me about B2B marketing automation & low code business solutions, if thats interesting for you.)
-
For Hetzner... it looks like the PTR setting for an IPv6 is not checking if its correctly set. You will need to add the last piece - in my case "::1" - to the PTR record - even if Hetzner also accepts "::" only. I guessed this will cover the whole range - but I was wrong.
@dsp76 I have it as
::/64which is my full IPv6 address as shown atdash > IP's > IPv6and it's been working fine for me. In case it matters, I'm on the CCX plan (VDS).Edit: asked chatgpt about this and it looks like I got it wrong too (possibly a security issue too). But, it mentioned that ::1 might be reserved by Hetzner so we'll need to manually assign it to something else.
That means your IPv6 address is `xxxx:xxx:xx:xxxx::1`, and it’s using the `/64` subnet. If others have had issues with `::1`, you might want to pick another address, like `::100` or `::abcd`. You can assign it manually with: ip -6 addr add xxxx:xxx:xx:xxxx::100/64 dev eth0 Then, set the PTR record for `xxxx:xxx:xx:xxxx::100` in Hetzner’s panel. If everything works, make it persistent by adding it to your network config (`/etc/network/interfaces` or equivalent, depending on your OS).Edit 2: so dug some more and setting the ptr to cover the entire /64 block is a bit riskier. With that said, it's OK in my case since I'm using Hetzner's vDedicated (CCX) plan and according to Mr.GPT, I'm the sole user on for that IP. Also, security wise, I'm in the clear if I have set SPF, DMARC, and DKIM records.
I did a Reverse lookup on Mxtoolbox for my IPv6 address and it's reporting back my mailserver domain
.Give it a shot and see if that works for you.
-
@nebulon said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
The check and thus the warning is fixed with https://git.cloudron.io/platform/box/-/commit/6fcfa6cac06cf2f0880669b22f154d2ae89be6de
As for other providers we also have a link to setup PTR on hetzner at https://docs.cloudron.io/email/#ptr-record
@nebulon I don't have a Hetzner Cloud server (I have dedicated) so I hadn't looked at
https://docs.hetzner.com/cloud/servers/cloud-server-rdns/ as linked to there, I had only seen:
https://docs.hetzner.com/robot/dedicated-server/ip/ip-addresses#reverse-dns
Which wasn't very informative.
I had tried this:
Which hadn't worked, but looking at https://docs.hetzner.com/cloud/servers/cloud-server-rdns/ gave me the clue that I should remove the
/64bit and now it seems to have worked! Phew! I just once that has propagated I'll hopefully be able to send emails again...@humptydumpty I've got a dedicated server with Hetzner and having /64 at the end didn't work for me:
@jdaviescoates said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
I had tried this:
Screenshot from 2025-01-14 12-45-06.png
Which hadn't worked, but looking at https://docs.hetzner.com/cloud/servers/cloud-server-rdns/ gave me the clue that I should remove the /64 bit and now it seems to have worked!
-
@humptydumpty I've got a dedicated server with Hetzner and having /64 at the end didn't work for me:
@jdaviescoates said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
I had tried this:
Screenshot from 2025-01-14 12-45-06.png
Which hadn't worked, but looking at https://docs.hetzner.com/cloud/servers/cloud-server-rdns/ gave me the clue that I should remove the /64 bit and now it seems to have worked!
@jdaviescoates Does it fail the reverse lookup or Hetzner doesn't save the entry?
-
@jdaviescoates Does it fail the reverse lookup or Hetzner doesn't save the entry?
@humptydumpty said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
Hetzner doesn't save the entry?
This. Hetzner just says it's invalid.
-
To summarize the situation:
-
starting 8.2, it seems the mail server has started to prefer using IPv6 for gmail. This wasn't a change in Cloudron consciously at least. I have looked into the Haraka changes and cannot find anything specific there either. I do see that gmail has IPv6 mail servers now, not sure if they were there before or not.
-
To fix the situation, you simply have to set IPv6 PTR record . Cloudron has not implemented a IPv6 PTR check in 8.2 but a check is implemented for next release. The PTR record is set in the VPS provider. Usually, IPv6 is allocated a block of addresses and not a single address like IPv4.
-
If you run
curl https://ipv6.api.cloudron.io/api/v1/helper/public_ip, this will give you the specific IPv6 address that Cloudron is using to connect to gmail. You have to set the PTR for this specific IPv6 address. -
If your VPS provider does not allow you to set IPv6 PTR , then just disable IPv6 in the interfaces.
sysctl -w net.ipv6.conf.ens18.disable_ipv6=1for example . You have to putnet.ipv6.conf.ens18.disable_ipv6=1in your /etc/sysctl.conf for this to persist reboots. After you do this, also disable IPv6 in Cloudron, Network -> IPv6 -> Disable.
@girish said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
If your VPS provider does not allow you to set IPv6 PTR , then just disable IPv6 in the interfaces. sysctl -w net.ipv6.conf.ens18.disable_ipv6=1 for example . You have to put net.ipv6.conf.ens18.disable_ipv6=1 in your /etc/sysctl.conf for this to persist reboots. After you do this, also disable IPv6 in Cloudron, Network -> IPv6 -> Disable.
Hi @girish,
IPv6 keeps coming back on on my servers network interface (it's not activated on Cloudron). Every so often
curl https://ipv6.api.cloudron.io/api/v1/helper/public_ipkeeps returning the IPv6 address and I get the Gmail errors again. I have done both:sysctl -w net.ipv6.conf.ens18.disable_ipv6=1and putnet.ipv6.conf.ens18.disable_ipv6=1in /etc/sysctl.conf (replacing ens18 by eth0 which does disable IPv6 for that interface...but then after a while it comes back on).Any idea?
-
-
@joseph said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
@avatar1024 I would check if ens18 is actually your interface ? ip addr
sysctl -w net.ipv6.conf.ens18.disable_ipv6=1returns
sysctl: cannot stat /proc/sys/net/ipv6/conf/ens18/disable_ipv6: No such file or directorywhereas
sysctl -w net.ipv6.conf.eth0.disable_ipv6=1returns
net.ipv6.conf.eth0.disable_ipv6 = 1and subsequently
curl https://ipv6.api.cloudron.io/api/v1/helper/public_ipreturns as expected
curl: (7) Failed to connect to ipv6.api.cloudron.io port 443 after 1 ms: Couldn't connect to server, instead of the IPv6 address which shows IPv6 is deactivated.So I'm pretty sure eth0 is the correct one (also, when active, the IPv6 address is displayed for that interface via ifconfig).
And it all works fine temporarily, it just doesn't stays that way, even after adding
net.ipv6.conf.eth0.disable_ipv6=1at the bottom of the /etc/sysctl.conf file. -
Right so, after adding to /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 net.ipv6.conf.eth0.disable_ipv6 = 1on reboot,
cat /proc/sys/net/ipv6/conf/all/disable_ipv6return1so one would think it's all good, but it isn't.curl https://ipv6.api.cloudron.io/api/v1/helper/public_ipstill retunrs the IPv6 address and I can still see it in ifconfig for the network interface. Yet manually running eithersysctl -porsysctl -w net.ipv6.conf.eth0.disable_ipv6=1post boot works just fine to disable IPv6. So there is something at boot time that prevents disabling IPv6.I therefore went the bulletproof way and disabled ipv6 as a boot argument in grub (GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"). But then I got of errors at boot time when services start, especially for nginx so that;s not working either.
Any idea?
-
Right so, after adding to /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 net.ipv6.conf.eth0.disable_ipv6 = 1on reboot,
cat /proc/sys/net/ipv6/conf/all/disable_ipv6return1so one would think it's all good, but it isn't.curl https://ipv6.api.cloudron.io/api/v1/helper/public_ipstill retunrs the IPv6 address and I can still see it in ifconfig for the network interface. Yet manually running eithersysctl -porsysctl -w net.ipv6.conf.eth0.disable_ipv6=1post boot works just fine to disable IPv6. So there is something at boot time that prevents disabling IPv6.I therefore went the bulletproof way and disabled ipv6 as a boot argument in grub (GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"). But then I got of errors at boot time when services start, especially for nginx so that;s not working either.
Any idea?
-
@avatar1024 usually, if that happens it's because something else is enabling ipv6 on the interface. Do you use netplan? If so, I could chek
/etc/netplan/50-cloud-init.yaml. Does it have some statically assigned ipv6 block?@joseph said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
Do you use netplan? If so, I could chek /etc/netplan/50-cloud-init.yaml . Does it have some statically assigned ipv6 block?
I was not aware I did use netplan (I don;t even really know what it is), but yes there is this config file and it seems to contain static IPs, see:
network: version: 2 ethernets: eth0: match: macaddress: "xx:xx:xx:xx:xx:xx" addresses: - "152.xx.xx.43/22" - "2a03:4000:xx:xx:xxxx:xxxx:xxxx:6007/64" nameservers: addresses: - 46.38.225.230 - 46.38.252.230 - 2a03:4000:0:1::e1e6 routes: - to: "default" via: "152.xx.xx.1" - on-link: true to: "default" via: "fe80::1"If you tell me how i should modify the file then I'll try it out.
Thanks a lot for your help.
-
@joseph said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
Do you use netplan? If so, I could chek /etc/netplan/50-cloud-init.yaml . Does it have some statically assigned ipv6 block?
I was not aware I did use netplan (I don;t even really know what it is), but yes there is this config file and it seems to contain static IPs, see:
network: version: 2 ethernets: eth0: match: macaddress: "xx:xx:xx:xx:xx:xx" addresses: - "152.xx.xx.43/22" - "2a03:4000:xx:xx:xxxx:xxxx:xxxx:6007/64" nameservers: addresses: - 46.38.225.230 - 46.38.252.230 - 2a03:4000:0:1::e1e6 routes: - to: "default" via: "152.xx.xx.1" - on-link: true to: "default" via: "fe80::1"If you tell me how i should modify the file then I'll try it out.
Thanks a lot for your help.
@avatar1024 said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
- "2a03:4000:xx:xx:xxxx:xxxx:xxxx:6007/64"yup, this is the culprit. The IPv6 address is statically assigned here. You have to put a # in front of the line to comment it out and reboot the machine.
-
@avatar1024 said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
- "2a03:4000:xx:xx:xxxx:xxxx:xxxx:6007/64"yup, this is the culprit. The IPv6 address is statically assigned here. You have to put a # in front of the line to comment it out and reboot the machine.
@joseph said in Email sending broken after updating to 8.2.x (due to IPv6 issues):
yup, this is the culprit. The IPv6 address is statically assigned here. You have to put a # in front of the line to comment it out and reboot the machine.
THANK YOU! That worked.
Seems like netplan is here by default since Ubuntu 18: https://pscl4rke.wordpress.com/2019/10/01/disabling-ipv6-on-ubuntu-18-04-the-netplan-version/
-
@avatar1024 I found this https://github.com/canonical/netplan/blob/main/doc/netplan-tutorial.md#editing-netplan-yaml-files-to-disable-ipv6 . Can't figure where this page is "published" . The yaml ref is at https://netplan.readthedocs.io/en/latest/netplan-yaml/
-
Just for the reference:
netplan tryis usually a better way, as it might save from end up getting locked out from the server. I also usually run a background cron task, that removes those temporary files from /etc/netplan, when messing with the network.
