README_FILES/IPV6_README


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249

PPoossttffiixx IIPPvv66 SSuuppppoorrtt

-------------------------------------------------------------------------------

IInnttrroodduuccttiioonn

Postfix 2.2 introduces support for the IPv6 (IP version 6) protocol. IPv6
support for older Postfix versions was available as an add-on patch. The
section "Compatibility with Postfix <2.2 IPv6 support" below discusses the
differences between these implementations.

The main feature of interest is that IPv6 uses 128-bit IP addresses instead of
the 32-bit addresses used by IPv4. It can therefore accommodate a much larger
number of hosts and networks without ugly kluges such as NAT. A side benefit of
the much larger address space is that it makes random network scanning
impractical.

Postfix uses the same SMTP protocol over IPv6 as it already uses over the older
IPv4 network, and does AAAA record lookups in the DNS in addition to the older
A records. Information about IPv6 can be found at http://www.ipv6.org/.

This document provides information on the following topics:

  * Supported platforms
  * Configuration
  * Known limitations
  * Compatibility with Postfix <2.2 IPv6 support
  * IPv6 Support for unsupported platforms
  * Credits

SSuuppppoorrtteedd PPllaattffoorrmmss

Postfix version 2.2 supports IPv4 and IPv6 on the following platforms:

  * AIX 5.1+
  * Darwin 7.3+
  * FreeBSD 4+
  * Linux 2.4+
  * NetBSD 1.5+
  * OpenBSD 2+
  * Solaris 8+
  * Tru64Unix V5.1+

On other platforms Postfix will simply use IPv4 as it has always done.

See "IPv6 Support for unsupported platforms" for tips to port Postfix IPv6
support to other environments.

CCoonnffiigguurraattiioonn

Postfix IPv6 support introduces two new main.cf configuration parameters, and
introduces an important change in address syntax notation in match lists such
as mynetworks or debug_peer_list.

Postfix IPv6 address syntax is a little tricky, because there are a few places
where you must enclose an IPv6 address inside "[]" characters, and a few places
where you must not. It is a good idea to use "[]" only in the few places where
you have to. Check out the postconf(5) manual whenever you do IPv6 related
configuration work with Postfix.

  * Instead of hard-coding 127.0.0.1 and ::1 loopback addresses in master.cf,
    specify "inet_interfaces = loopback-only" in main.cf. This way you can use
    the same master.cf file regardless of whether or not Postfix will run on an
    IPv6-enabled system.

  * The first new parameter is called inet_protocols. This specifies what
    protocols Postfix will use when it makes or accepts network connections,
    and also controls what DNS lookups Postfix will use when it makes network
    connections.

        /etc/postfix/main.cf:
            # You must stop/start Postfix after changing this parameter.
            inet_protocols = all        (enable IPv4, and IPv6 if supported)
            inet_protocols = ipv4       (enable IPv4 only)
            inet_protocols = ipv4, ipv6 (enable both IPv4 and IPv6)
            inet_protocols = ipv6       (enable IPv6 only)

    The default is compile-time dependent: "all" when Postfix is built on a
    software distribution with IPv6 support, "ipv4" otherwise.

    Note 1: you must stop and start Postfix after changing the inet_protocols
    configuration parameter.

    Note 2: on older Linux and Solaris systems, the setting "inet_protocols =
    ipv6" will not prevent Postfix from accepting IPv4 connections.

    For an unsupported test option to build Postfix without IPv6 support, see
    the NO_IPV6 option in the INSTALL document.

  * The other new parameter is smtp_bind_address6. This sets the local
    interface address for outgoing IPv6 SMTP connections, just like the
    smtp_bind_address parameter does for IPv4:

        /etc/postfix/main.cf:
            smtp_bind_address6 = 2001:240:587:0:250:56ff:fe89:1

  * If you left the value of the mynetworks parameter at its default (i.e. no
    mynetworks setting in main.cf) Postfix will figure out by itself what its
    network addresses are. This is what a typical setting looks like:

        % postconf mynetworks
        mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [fe80::]/10 [2001:
        240:587::]/64

    If you did specify the mynetworks parameter value in main.cf, you need to
    update the mynetworks value to include the IPv6 networks the system is in.
    Be sure to specify IPv6 address information inside "[]", like this:

        /etc/postfix/main.cf:
            mynetworks = ...IPv4 networks... [::1]/128 [2001:240:587::]/64 ...

NNOOTTEE:: wwhheenn ccoonnffiigguurriinngg PPoossttffiixx mmaattcchh lliissttss ssuucchh aass mmyynneettwwoorrkkss oorr
ddeebbuugg__ppeeeerr__lliisstt,, yyoouu mmuusstt ssppeecciiffyy IIPPvv66 aaddddrreessss iinnffoorrmmaattiioonn iinnssiiddee ""[[]]"" iinn tthhee
mmaaiinn..ccff ppaarraammeetteerr vvaalluuee aanndd iinn ffiilleess ssppeecciiffiieedd wwiitthh aa ""//ffiillee//nnaammee"" ppaatttteerrnn..
IIPPvv66 aaddddrreesssseess ccoonnttaaiinn tthhee ""::"" cchhaarraacctteerr,, aanndd wwoouulldd ootthheerrwwiissee bbee ccoonnffuusseedd wwiitthh
aa ""ttyyppee::ttaabbllee"" ppaatttteerrnn..

KKnnoowwnn LLiimmiittaattiioonnss

  * Postfix SMTP clients before version 2.8 try to connect over IPv6 before
    trying IPv4. With more recent Postfix versions, the order of IPv6 versus
    IPv4 outgoing connection attempts is configurable with the
    smtp_address_preference parameter.

  * Postfix versions before 2.6 do not support DNSBL (DNS blocklist) lookups
    for IPv6 client IP addresses.

  * IPv6 does not have class A, B, C, etc. networks. With IPv6 networks, the
    setting "mynetworks_style = class" has the same effect as the setting
    "mynetworks_style = subnet".

  * On Tru64Unix and AIX, Postfix can't figure out the local subnet mask and
    always assumes a /128 network. This is a problem only with
    "mynetworks_style = subnet" and no explicit mynetworks setting in main.cf.

CCoommppaattiibbiilliittyy wwiitthh PPoossttffiixx <<22..22 IIPPvv66 ssuuppppoorrtt

Postfix version 2.2 IPv6 support is based on the Postfix/IPv6 patch by Dean
Strik and others, but differs in a few minor ways.

  * main.cf: The inet_interfaces parameter does not support the notation "ipv6:
    all" or "ipv4:all". Use the inet_protocols parameter instead.

  * main.cf: Specify "inet_protocols = all" or "inet_protocols = ipv4, ipv6" in
    order to enable both IPv4 and IPv6 support.

  * main.cf: The inet_protocols parameter also controls what DNS lookups
    Postfix will attempt to make when delivering or receiving mail.

  * main.cf: Specify "inet_interfaces = loopback-only" to listen on loopback
    network interfaces only.

  * The lmtp_bind_address and lmtp_bind_address6 features were omitted. Postfix
    version 2.3 merged the LMTP client into the SMTP client, so there was no
    reason to keep adding features to the LMTP client.

  * The SMTP server now requires that IPv6 addresses in SMTP commands are
    specified as [ipv6:ipv6address], as described in RFC 2821.

  * The IPv6 network address matching code was rewritten from the ground up,
    and is expected to be closer to the specification. The result may be
    incompatible with the Postfix/IPv6 patch.

IIPPvv66 SSuuppppoorrtt ffoorr uunnssuuppppoorrtteedd ppllaattffoorrmmss

Getting Postfix IPv6 working on other platforms involves the following steps:

  * Specify how Postfix should find the local network interfaces. Postfix needs
    this information to avoid mailer loops and to find out if mail for user@
    [ipaddress] is a local or remote destination.

    If your system has the getifaddrs() routine then add the following to your
    platform-specific section in src/util/sys_defs.h:

        #ifndef NO_IPV6
        # define HAS_IPV6
        # define HAVE_GETIFADDRS
        #endif

    Otherwise, if your system has the SIOCGLIF ioctl() command in /usr/include/
    */*.h, add the following to your platform-specific section in src/util/
    sys_defs.h:

        #ifndef NO_IPV6
        # define HAS_IPV6
        # define HAS_SIOCGLIF
        #endif

    Otherwise, Postfix will have to use the old SIOCGIF commands and get along
    with reduced IPv6 functionality (it won't be able to figure out your IPv6
    netmasks, which are needed for "mynetworks_style = subnet". Add this to
    your platform-specific section in src/util/sys_defs.h:

        #ifndef NO_IPV6
        # define HAS_IPV6
        #endif

  * Test if Postfix can figure out its interface information.

    After compiling Postfix in the usual manner, step into the src/util
    directory and type "mmaakkee iinneett__aaddddrr__llooccaall". Running this file by hand should
    produce all the interface addresses and network masks, for example:

        % make
        % cd src/util
        % make inet_addr_local
        [... some messages ...]
        % ./inet_addr_local
        [... some messages ...]
        ./inet_addr_local: inet_addr_local: configured 2 IPv4 addresses
        ./inet_addr_local: inet_addr_local: configured 4 IPv6 addresses
        168.100.189.2/255.255.255.224
        127.0.0.1/255.0.0.0
        fe80:1::2d0:b7ff:fe88:2ca7/ffff:ffff:ffff:ffff::
        2001:240:587:0:2d0:b7ff:fe88:2ca7/ffff:ffff:ffff:ffff::
        fe80:5::1/ffff:ffff:ffff:ffff::
        ::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    The above is for an old FreeBSD machine. Other systems produce slightly
    different results, but you get the idea.

If none of all this produces a usable result, send email to the postfix-
users@postfix.org mailing list and we'll try to help you through this.

CCrreeddiittss

The following information is in part based on information that was compiled by
Dean Strik.

  * Mark Huizer wrote the original Postfix IPv6 patch.

  * Jun-ichiro 'itojun' Hagino of the KAME project made substantial
    improvements. Since then, we speak of the KAME patch.

  * The PLD Linux Distribution ported the code to other stacks (notably USAGI).
    We speak of the PLD patch. A very important feature of the PLD patch was
    that it can work with Lutz Jaenicke's TLS patch for Postfix.

  * Dean Strik extended IPv6 support to platforms other than KAME and USAGI,
    updated the patch to keep up with Postfix development, and provided a
    combined IPv6 + TLS patch. Information about his effort can be found on
    Dean Strik's Postfix website at http://www.ipnet6.org/postfix/.

  * Wietse Venema took Dean Strik's IPv6 patch, merged it into Postfix 2.2, and
    took the opportunity to eliminate all IPv4-specific code from Postfix that
    could be removed. For systems without IPv6 support in the kernel and system
    libraries, Postfix has a simple compatibility layer, so that it will use
    IPv4 as before.