387 lines
12 KiB
HTML
387 lines
12 KiB
HTML
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
|
|
"http://www.w3.org/TR/html4/loose.dtd">
|
|
|
|
<html>
|
|
|
|
<head>
|
|
|
|
<title>Postfix IPv6 Support</title>
|
|
|
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
|
|
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
|
|
IPv6 Support</h1>
|
|
|
|
<hr>
|
|
|
|
<h2>Introduction</h2>
|
|
|
|
<p> Postfix 2.2 introduces support for the IPv6 (IP version 6)
|
|
protocol. IPv6 support for older Postfix versions was available as
|
|
an add-on patch. The section "<a href="#compat">Compatibility with
|
|
Postfix <2.2 IPv6 support</a>" below discusses the differences
|
|
between these implementations. </p>
|
|
|
|
<p> The main feature of interest is that IPv6 uses 128-bit IP
|
|
addresses instead of the 32-bit addresses used by IPv4. It can
|
|
therefore accommodate a much larger number of hosts and networks
|
|
without ugly kluges such as NAT. A side benefit of the much larger
|
|
address space is that it makes random network scanning impractical.
|
|
</p>
|
|
|
|
<p> Postfix uses the same SMTP protocol over IPv6 as it already
|
|
uses over the older IPv4 network, and does AAAA record lookups in
|
|
the DNS in addition to the older A records. Information about IPv6
|
|
can be found at http://www.ipv6.org/. </p>
|
|
|
|
<p> This document provides information on the following topics:
|
|
</p>
|
|
|
|
<ul>
|
|
|
|
<li><a href="#platforms">Supported platforms</a>
|
|
|
|
<li><a href="#configuration">Configuration</a>
|
|
|
|
<li><a href="#limitations">Known limitations</a>
|
|
|
|
<li><a href="#compat">Compatibility with Postfix <2.2 IPv6 support</a>
|
|
|
|
<li><a href="#porting">IPv6 Support for unsupported platforms</a>
|
|
|
|
<li><a href="#credits">Credits</a>
|
|
|
|
</ul>
|
|
|
|
<h2><a name="platforms">Supported Platforms</a></h2>
|
|
|
|
<p> Postfix version 2.2 supports IPv4 and IPv6 on the following
|
|
platforms: </p>
|
|
|
|
<ul>
|
|
|
|
<li> AIX 5.1+
|
|
<li> Darwin 7.3+
|
|
<li> FreeBSD 4+
|
|
<li> Linux 2.4+
|
|
<li> NetBSD 1.5+
|
|
<li> OpenBSD 2+
|
|
<li> Solaris 8+
|
|
<li> Tru64Unix V5.1+
|
|
|
|
</ul>
|
|
|
|
<p> On other platforms Postfix will simply use IPv4 as it has always
|
|
done. </p>
|
|
|
|
<p> See <a href="#porting">below</a> for tips how to port Postfix
|
|
IPv6 support to other environments. </p>
|
|
|
|
<h2><a name="configuration">Configuration</a></h2>
|
|
|
|
<p> Postfix IPv6 support introduces two new main.cf configuration
|
|
parameters, and introduces an important change in address syntax
|
|
notation in match lists such as mynetworks or
|
|
debug_peer_list. </p>
|
|
|
|
<p> Postfix IPv6 address syntax is a little tricky, because there
|
|
are a few places where you must enclose an IPv6 address inside
|
|
"<tt>[]</tt>" characters, and a few places where you must not. It is
|
|
a good idea to use "<tt>[]</tt>" only in the few places where you
|
|
have to. Check out the postconf(5) manual whenever you do IPv6
|
|
related configuration work with Postfix. </p>
|
|
|
|
<ul>
|
|
|
|
<li> <p> Instead of hard-coding 127.0.0.1 and ::1 loopback addresses
|
|
in master.cf, specify "inet_interfaces = loopback-only" in main.cf.
|
|
This way you can use the same master.cf file regardless of whether
|
|
or not Postfix will run on an IPv6-enabled system. </p>
|
|
|
|
<li> <p> The first new parameter is called inet_protocols. This
|
|
specifies what protocols Postfix will use when it makes or accepts
|
|
network connections, and also controls what DNS lookups Postfix
|
|
will use when it makes network connections. </p>
|
|
|
|
<blockquote>
|
|
<pre>
|
|
/etc/postfix/main.cf:
|
|
# You must stop/start Postfix after changing this parameter.
|
|
inet_protocols = ipv4 (DEFAULT: enable IPv4 only)
|
|
inet_protocols = all (enable IPv4, and IPv6 if supported)
|
|
inet_protocols = ipv4, ipv6 (enable both IPv4 and IPv6)
|
|
inet_protocols = ipv6 (enable IPv6 only)
|
|
</pre>
|
|
</blockquote>
|
|
|
|
<p> By default, Postfix uses IPv4 only, because most systems aren't
|
|
attached to an IPv6 network. </p>
|
|
|
|
<ul>
|
|
|
|
<li> <p> On systems with combined IPv4/IPv6 stacks, attempts to
|
|
deliver mail via IPv6 would always fail with "network unreachable",
|
|
and those attempts would only slow down Postfix. </p>
|
|
|
|
<li> <p> Linux kernels don't even load IPv6 protocol support by
|
|
default. Any attempt to use it would fail immediately. </p>
|
|
|
|
</ul>
|
|
|
|
<p> Note 1: you must stop and start Postfix after changing the
|
|
inet_protocols configuration parameter. </p>
|
|
|
|
<p> Note 2: if you see error messages like the following, then
|
|
you're running Linux and need to turn on IPv6 in the kernel: see
|
|
http://www.ipv6.org/ for hints and tips. Unlike other systems,
|
|
Linux does not have a combined stack for IPv4 and IPv6, and IPv6
|
|
protocol support is not loaded by default. </p>
|
|
|
|
<blockquote>
|
|
<pre>
|
|
postconf: warning: inet_protocols: IPv6 support is disabled: Address family not supported by protocol
|
|
postconf: warning: inet_protocols: configuring for IPv4 support only
|
|
</pre>
|
|
</blockquote>
|
|
|
|
<p> Note 3: on older Linux and Solaris systems, the setting
|
|
"inet_protocols = ipv6" will not prevent Postfix from
|
|
accepting IPv4 connections. Postfix will present the client IP
|
|
addresses in IPv6 format, though. In all other cases, Postfix always
|
|
presents IPv4 client IP addresses in the traditional dotted quad
|
|
IPv4 format. </p>
|
|
|
|
<li> <p> The other new parameter is smtp_bind_address6.
|
|
This sets the local interface address for outgoing IPv6 SMTP
|
|
connections, just like the smtp_bind_address parameter
|
|
does for IPv4: </p>
|
|
|
|
<blockquote>
|
|
<pre>
|
|
/etc/postfix/main.cf:
|
|
smtp_bind_address6 = 2001:240:587:0:250:56ff:fe89:1
|
|
</pre>
|
|
</blockquote>
|
|
|
|
<li> <p> If you left the value of the mynetworks parameter at its
|
|
default (i.e. no mynetworks setting in main.cf) Postfix will figure
|
|
out by itself what its network addresses are. This is what a typical
|
|
setting looks like: </p>
|
|
|
|
<blockquote>
|
|
<pre>
|
|
% postconf mynetworks
|
|
mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [fe80::]/10 [2001:240:587::]/64
|
|
</pre>
|
|
</blockquote>
|
|
|
|
<p> If you did specify the mynetworks parameter value in
|
|
main.cf, you need update the mynetworks value to include
|
|
the IPv6 networks the system is in. Be sure to specify IPv6 address
|
|
information inside "<tt>[]</tt>", like this: </p>
|
|
|
|
<blockquote>
|
|
<pre>
|
|
/etc/postfix/main.cf:
|
|
mynetworks = ...<i>IPv4 networks</i>... [::1]/128 [2001:240:587::]/64 ...
|
|
</pre>
|
|
</blockquote>
|
|
|
|
</ul>
|
|
|
|
<p> <b> NOTE: when configuring Postfix match lists such as
|
|
mynetworks or debug_peer_list, you must specify
|
|
IPv6 address information inside "<tt>[]</tt>" in the main.cf parameter
|
|
value and in files specified with a "<i>/file/name</i>" pattern.
|
|
IPv6 addresses contain the ":" character, and would otherwise be
|
|
confused with a "<i>type:table</i>" pattern. </b> </p>
|
|
|
|
<h2><a name="limitations">Known Limitations</a></h2>
|
|
|
|
<ul>
|
|
|
|
<li> <p> The order of IPv6/IPv4 outgoing connection attempts is
|
|
not yet configurable. Currently, IPv6 is tried before IPv4. </p>
|
|
|
|
<li> <p> Postfix currently does not support DNSBL (real-time
|
|
blackhole list) lookups for IPv6 client IP addresses; currently
|
|
there are no blacklists that cover the IPv6 address space. </p>
|
|
|
|
<li> <p> IPv6 does not have class A, B, C, etc. networks. With IPv6
|
|
networks, the setting "mynetworks_style = class" has the
|
|
same effect as the setting "mynetworks_style = subnet".
|
|
</p>
|
|
|
|
<li> <p> On Tru64Unix and AIX, Postfix can't figure out the local
|
|
subnet mask
|
|
and always assumes a /128 network. This is a problem only with
|
|
"mynetworks_style = subnet" and no explicit mynetworks
|
|
setting in main.cf. </p>
|
|
|
|
</ul>
|
|
|
|
<h2> <a name="compat">Compatibility with Postfix <2.2 IPv6 support</a>
|
|
</h2>
|
|
|
|
<p> Postfix version 2.2 IPv6 support is based on the Postfix/IPv6 patch
|
|
by Dean Strik and others, but differs in a few minor ways. </p>
|
|
|
|
<ul>
|
|
|
|
<li> <p> main.cf: The inet_interfaces parameter does not support
|
|
the notation "ipv6:all" or "ipv4:all". Use the
|
|
inet_protocols parameter instead. </p>
|
|
|
|
<li> <p> main.cf: Specify "inet_protocols = all" or
|
|
"inet_protocols = ipv4, ipv6" in order to enable both IPv4
|
|
and IPv6 support. </p>
|
|
|
|
<li> <p> main.cf: The inet_protocols parameter also controls
|
|
what DNS lookups Postfix will attempt to make when delivering or
|
|
receiving mail. </p>
|
|
|
|
<li> <p> main.cf: Specify "inet_interfaces = loopback-only"
|
|
to listen on loopback network interfaces only. </p>
|
|
|
|
<li> <p> The lmtp_bind_address and lmtp_bind_address6
|
|
features were omitted. The Postfix LMTP client will be absorbed
|
|
into the SMTP client, so there is no reason to keep adding features
|
|
to the LMTP client. </p>
|
|
|
|
<li> <p> The SMTP server now requires that IPv6 addresses in SMTP
|
|
commands are specified as [ipv6:<i>ipv6address</i>], as
|
|
described in RFC 2821. </p>
|
|
|
|
<li> <p> The IPv6 network address matching code was rewritten from
|
|
the ground up, and is expected to be closer to the specification.
|
|
The result may be incompatible with the Postfix/IPv6 patch.
|
|
</p>
|
|
|
|
</ul>
|
|
|
|
<h2><a name="porting">IPv6 Support for unsupported platforms</a></h2>
|
|
|
|
<p> Getting Postfix IPv6 working on other platforms involves the
|
|
following steps: </p>
|
|
|
|
<ul>
|
|
|
|
<li> <p> Specify how Postfix should find the local network interfaces.
|
|
Postfix needs this information to avoid mailer loops and to find out
|
|
if mail for <i>user@[ipaddress]</i> is a local or remote destination. </p>
|
|
|
|
<p> If your system has the getifaddrs() routine then add
|
|
the following to your platform-specific section in
|
|
src/util/sys_defs.h: </p>
|
|
|
|
<blockquote>
|
|
<pre>
|
|
#ifndef NO_IPV6
|
|
# define HAS_IPV6
|
|
# define HAVE_GETIFADDRS
|
|
#endif
|
|
</pre>
|
|
</blockquote>
|
|
|
|
<p> Otherwise, if your system has the SIOCGLIF ioctl()
|
|
command in /usr/include/*/*.h, add the following to your
|
|
platform-specific section in src/util/sys_defs.h: </p>
|
|
|
|
<blockquote>
|
|
<pre>
|
|
#ifndef NO_IPV6
|
|
# define HAS_IPV6
|
|
# define HAS_SIOCGLIF
|
|
#endif
|
|
</pre>
|
|
</blockquote>
|
|
|
|
<p> Otherwise, Postfix will have to use the old SIOCGIF commands
|
|
and get along with reduced IPv6 functionality (it won't be able to
|
|
figure out your IPv6 netmasks, which are needed for "mynetworks_style
|
|
= subnet". Add this to your platform-specific section in
|
|
src/util/sys_defs.h: </p>
|
|
|
|
<blockquote>
|
|
<pre>
|
|
#ifndef NO_IPV6
|
|
# define HAS_IPV6
|
|
#endif
|
|
</pre>
|
|
</blockquote>
|
|
|
|
<li> <p> Test if Postfix can figure out its interface information. </p>
|
|
|
|
<p> After compiling Postfix in the usual manner, step into the
|
|
src/util directory and type "<b>make inet_addr_local</b>".
|
|
Running this file by hand should produce all the interface addresses
|
|
and network masks, for example: </p>
|
|
|
|
<blockquote>
|
|
<pre>
|
|
% make
|
|
% cd src/util
|
|
% make inet_addr_local
|
|
[... some messages ...]
|
|
% ./inet_addr_local
|
|
[... some messages ...]
|
|
./inet_addr_local: inet_addr_local: configured 2 IPv4 addresses
|
|
./inet_addr_local: inet_addr_local: configured 4 IPv6 addresses
|
|
168.100.189.2/255.255.255.224
|
|
127.0.0.1/255.0.0.0
|
|
fe80:1::2d0:b7ff:fe88:2ca7/ffff:ffff:ffff:ffff::
|
|
2001:240:587:0:2d0:b7ff:fe88:2ca7/ffff:ffff:ffff:ffff::
|
|
fe80:5::1/ffff:ffff:ffff:ffff::
|
|
::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
</pre>
|
|
</blockquote>
|
|
|
|
<p> The above is for an old FreeBSD machine. Other systems produce
|
|
slightly different results, but you get the idea. </p>
|
|
|
|
</ul>
|
|
|
|
<p> If none of all this produces a usable result, send email to the
|
|
postfix-users@postfix.org mailing list and we'll try to help you
|
|
through this. </p>
|
|
|
|
<h2><a name="credits">Credits</a></h2>
|
|
|
|
<p> The following information is in part based on information that
|
|
was compiled by Dean Strik. </p>
|
|
|
|
<ul>
|
|
|
|
<li> <p> Mark Huizer wrote the original Postfix IPv6 patch. </p>
|
|
|
|
<li> <p> Jun-ichiro 'itojun' Hagino of the KAME project made
|
|
substantial improvements. Since then, we speak of the KAME patch.
|
|
</p>
|
|
|
|
<li> <p> The PLD Linux Distribution ported the code to other stacks
|
|
(notably USAGI). We speak of the PLD patch. A very important
|
|
feature of the PLD patch was that it can work with Lutz Jaenicke's
|
|
TLS patch for Postfix. </p>
|
|
|
|
<li> <p> Dean Strik extended IPv6 support to platforms other than
|
|
KAME and USAGI, updated the patch to keep up with Postfix development,
|
|
and provided a combined IPv6 + TLS patch. Information about his
|
|
effort can be found on Dean Strik's Postfix website at
|
|
http://www.ipnet6.org/postfix/. </p>
|
|
|
|
<li> <p> Wietse Venema took Dean Strik's IPv6 patch, merged it into
|
|
Postfix 2.2, and took the opportunity to eliminate all IPv4-specific
|
|
code from Postfix that could be removed. For systems without IPv6
|
|
support in the kernel and system libraries, Postfix has a simple
|
|
compatibility layer, so that it will use IPv4 as before. </p>
|
|
|
|
</ul>
|
|
|
|
</body>
|
|
|
|
</html>
|