On Mon, 11 Jun 2018, Shane Kerr wrote:
I set up a mail server zone to have an IPv6-only primary and a dual-protocol secondary, [...] Mail delivery via IPv6 works fine (as you would expect), and mail delivery from some IPv4-only servers also works fine (as I think the standards dictate).
My concern is that some mail servers may choke on this setup. For example, http://mailtester.com complains "Network is unreachable".
I have been running a similar setup for the last ~10 years and didn't see many problems with real SMTP servers per se. But every now and then, services like mailtester in your case only check for the first MX and return a permanent error, _even_ if there is another dual-stack MX configured. I have seen this a lot with newsletter services or with live email address verification in various web interfaces, where they try a quick VRFY on the first MX AND do it legacy-only. The same web services and simple servers fail to verify email addresses from IPv6-only setups (for obvious reasons).

I started to file bug reports in these cases, because from my point of view, running an SMTP server without IPv6 should nowadays be considered a grave configuration bug. Sometimes the reaction is quite fast. One German server hoster, for example, did an IPv4 VRFY for the customer email address when they received DNS zone updates via web interface from a logged-in user. This failed badly if you had an IPv6-only email address. But they needed only 2 work days to fix their setup. Others are not so eager to help and ignore their trouble tickets for months or try to find excuses¹.
Of course, I also worry about all the spammers who may not be able to deliver because of incomplete mail implementations on the trojans and other viruses infecting their zombie hosts. 😉
Current spam rate (with ~10k mails per day running through a system _without_any_spamfilter_at_all_) is roughly 1 spam mail every two or three days. The domain for this test has been continuously active since the mid 90's. So, real IPv6 spam is probably not (yet) the issue. But it is unclear whether greylisting, DNS black- and whitelists or other countermeasures will scale when spammers really start to use IPv6.

Unfortunately, "IP reputation" is something people tend to misunderstand. Just a few weeks ago, a mail admin told me that my "sending IPv6 IP has a bad reputation", because "google moved the message to the spamfolder". Yeah. He alias-forwarded all mail from his personal mail server and domain to Google. But my sending domain has an SPF record, so Google decided to ditch it. Works as expected. But I can already hear the drums: "Oh, NO. I won't do IPv6 on mailservers .... google tends to drop those mails ..." ;-)

Cheers,
Bjørn

¹) https://www.penguin.de/blog/bbu/2018/0411_the_good_the_bad_and_the_ugly_-_my...
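Added example, not part of the original message: a small model of the failure mode described in the thread, comparing a checker that looks only at the first MX over IPv4 with one that walks every MX in preference order across the address families the client has. The zone data, host names and function names are constructed for illustration, and "reachable" is modelled simply as the client having that address family; no network connection is made.

```python
import socket
from dataclasses import dataclass

AF4, AF6 = socket.AF_INET, socket.AF_INET6

@dataclass(frozen=True)
class MX:
    preference: int
    host: str
    addrs: tuple  # (family, address) pairs, as A/AAAA lookups would return them

# Constructed zone mirroring the thread: IPv6-only primary, dual-stack secondary.
ZONE = [
    MX(10, "mx1.example.org", ((AF6, "2001:db8::25"),)),
    MX(20, "mx2.example.org", ((AF6, "2001:db8:1::25"), (AF4, "192.0.2.25"))),
]

def naive_first_mx_v4(mxs):
    """The broken check: lowest-preference MX only, IPv4 only."""
    first = min(mxs, key=lambda m: m.preference)
    v4 = [addr for fam, addr in first.addrs if fam == AF4]
    if v4:
        return ("deliverable", first.host, v4[0])
    return ("permanent-error", first.host, None)

def candidates(mxs, client_families):
    """Every (host, address) target in MX preference order that the
    client's own stack can reach (assumption: family present = reachable)."""
    out = []
    for mx in sorted(mxs, key=lambda m: m.preference):
        out += [(mx.host, addr) for fam, addr in mx.addrs if fam in client_families]
    return out

def verify(mxs, client_families):
    """Fail only when no MX at any preference has a usable address."""
    targets = candidates(mxs, client_families)
    if targets:
        return ("deliverable",) + targets[0]
    return ("no-reachable-mx", None, None)

if __name__ == "__main__":
    print("naive, IPv4 only:  ", naive_first_mx_v4(ZONE))
    print("walk, IPv4 client: ", verify(ZONE, {AF4}))
    print("walk, dual-stack:  ", verify(ZONE, {AF4, AF6}))
```

A checker that reports a permanent error from the first function while the second still finds a target is showing the bug described above, not a fault in the zone.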