Poll on SMTP over IPv6 Usage

Noel Butler noel.butler at ausics.net
Wed Feb 19 23:44:59 CET 2014


Hi Gert,

On Wed, 2014-02-19 at 10:54 +0100, Gert Doering wrote:

> Hi,
> 
> On Wed, Feb 19, 2014 at 02:45:33PM +1000, Noel Butler wrote:
> > We block only by IP from whatever spam source is used (4, or 6), and
> > rbldnsd handles ipv6 nicely (albeit in /64's - fair enough too, since
> > most end users get that, typically), so your MTA's query would get a
> > response from your DNSBL if it has an entry. 
> 
> Blocking by /64 by default is likely to get collateral damage.  Enough
> people do shared subnets with multiple customers in the same /64 - while
> I won't recommend it, it is *done*, and blocking the whole /64 because
> you have seen SPAM from a single IP out of it is hurting the wrong
> people.
> 


But, since pretty much every end user gets a /64 (I accept some web
hosts and vps services do not work that way - including one of my vps
providers), blocking a /64 would be identical to blocking a single IPv4
address with NAT, so should be overall, no worse than what we've been
doing for decades.

I would prefer it if rbldnsd allowed smaller, or even singular, but it
does not, and the reasoning that was given was fair enough, it only
allows a single IPv6 address if it is an exclusion, you may know this
already, but for others, as an e.g. to take out fdid:c01d:1ce:ab/64 but
allow real mail server fdid:c01d:1ce:ab::10 you use

    fdid:c01d:1ce:ab
    !fdid:c01d:01ce:ab00:0000:0000:0000:0010

It accepts no other approaches.

(note: If I block an IPv6 address in postfix's access files, I usually
only block singular, unless I end up with a few addresses in same /64,
then I'll change to /64 and clear out the singles)


> And yes, I've seen that in the wild, Ironport reputation for a very
> well-behaved machine going down the drain because of "bad neighbourhood".
> 


ironport  *shudders*  I never let external orgs decide who I can trust,
what's that saying... "trust is earned, not bought"

Cheers
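
Added example, not part of the original message and not rbldnsd code: a Python model of the matching described above (a /64 listing plus `!` full-address exclusions), showing which senders in the /64 still get a hit, which exclusions fall outside every listed /64, and the nibble-reversed name an MTA queries. Assumptions: the function names, the `#` comment handling, the zone `bl.example.org` and the constructed 2001:db8::/32 documentation addresses.

```python
import ipaddress

# Constructed sample zone using the 2001:db8::/32 documentation range.
ZONE = """
2001:db8:1ce:ab                              # list the whole /64
!2001:0db8:01ce:00ab:0000:0000:0000:0010     # exclude the real mail server
!2001:0db8:01ce:ab00:0000:0000:0000:0010     # zeros padded on the wrong side
"""

def parse_zone(text):
    """Return (listed /64 networks, excluded single addresses)."""
    listed, excluded = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry.startswith("!"):
            # Exclusion: one full 128-bit address.
            excluded.add(ipaddress.IPv6Address(entry[1:]))
            continue
        prefix = entry[:-3] if entry.endswith("/64") else entry
        if "::" in prefix or prefix.count(":") != 3:
            raise ValueError(f"expected the four hextets of a /64: {entry!r}")
        listed.add(ipaddress.IPv6Network(prefix + "::/64"))
    return listed, excluded

def is_listed(addr, listed, excluded):
    """Exclusions win; otherwise any address in a listed /64 is a hit."""
    ip = ipaddress.IPv6Address(addr)
    return ip not in excluded and any(ip in net for net in listed)

def orphan_exclusions(listed, excluded):
    """Exclusions that fall outside every listed /64 and so change nothing."""
    return sorted(ip for ip in excluded if not any(ip in net for net in listed))

def dnsbl_qname(addr, zone):
    """Name an MTA looks up: the 32 nibbles reversed, then the zone."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone

if __name__ == "__main__":
    listed, excluded = parse_zone(ZONE)
    for a in ("2001:db8:1ce:ab::10", "2001:db8:1ce:ab::bad", "2001:db8:1ce:ac::1"):
        print(a, "listed" if is_listed(a, listed, excluded) else "not listed")
    print("orphans:", orphan_exclusions(listed, excluded))
    print(dnsbl_qname("2001:db8:1ce:ab::10", "bl.example.org"))
```

In text notation the hextet `ab` is `00ab`, so an exclusion written with `ab00` sits in a different /64 and is reported by `orphan_exclusions`.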

