IPv6 on Digital Ocean is crippled


Warren Guy
2 June 2015

I currently manage around 15 Linux servers in my personal capacity, all now virtualised "in the cloud", with the majority currently at either Linode or Digital Ocean. Recently I began sending email for the first time from a server at Digital Ocean, and noticed consistent delays in delivery. I'm sending email via a smarthost on another server for delivery, and on inspection, it appeared that the Digital Ocean machine is unable to connect to the smarthost via IPv6, and so times out and retries on IPv4. On further inspection, I discovered I was unable to connect to any IPv6 address on the Internet on either port 25 or 587.

On raising a support ticket with Digital Ocean, I learned that this is a deliberate practice by Digital Ocean. In fact, all common email related ports are blocked: 25 (SMTP); 109 (POP2); 110 (POP3); 143 (IMAP); 465 (SMTPS); 587 (SMTP submission); 993 (IMAPS); and 995 (POP3S). I've reproduced my communication with Digital Ocean support here verbatim:

TL;DR — Digital Ocean blocks outgoing port 25 and 587 on IPv6 due to spam blacklists listing entire /64s and their unwillingness to allocate /64s to users. No explanation is offered as to why the other ports are also blocked. There are no current plans to change this policy. I provide a band-aid solution for Postfix at the end of the post.

Support Request Posted on 06/01/15 at 22:05 UTC

Hi,

I'm unable to initiate outgoing connections on port 25 to any host on IPv6. It appears that this is being blocked within your network.

    root@apps:~# tcptraceroute6 soyuz.guy.net.au 25
    traceroute to soyuz.guy.net.au (2600:3c00::f03c:91ff:feae:71c6) from 2a03:b0c0:1:d0::3c1:1001, port 25, from port 53965, 30 hops max, 60 bytes packets
     1  * * *
     2  * * *
    ^C
    6% completed...

    root@apps:~# tcptraceroute6 soyuz.guy.net.au 443
    traceroute to soyuz.guy.net.au (2600:3c00::f03c:91ff:feae:71c6) from 2a03:b0c0:1:d0::3c1:1001, port 443, from port 53963, 30 hops max, 60 bytes packets
     1  2a03:b0c0:1:d0:ffff:ffff:ffff:fff1 (2a03:b0c0:1:d0:ffff:ffff:ffff:fff1)  0.377 ms  0.319 ms  0.294 ms
     2  2a03:b0c0:1::601 (2a03:b0c0:1::601)  0.342 ms  0.316 ms  0.521 ms
     3  2001:7f8:4::8dff:1 (2001:7f8:4::8dff:1)  2.366 ms  1.380 ms  1.221 ms
    ...


REPLY from Jacob Atkins Posted on 06/01/15 at 22:18 UTC

Hi there,

Thanks so much for contacting us regarding SMTP on IPv6. At this time we've blocked SMTP by default. We suggest using an IPv4 droplet to gain SMTP access.

The reason behind this is that it's a new feature on DigitalOcean and we're easing into the roll out of the feature. We appreciate your understanding on this. Please let us know if you have any questions.

Thank you, DigitalOcean Support


REPLY from Warren Guy Posted on 06/01/15 at 22:22 UTC

Thanks for your response, although I don't understand the policy. It seems IPv6 has been available on DO for about a year, and neither IPv6 nor email over IPv6 is novel. Is this something that is being, or due to be, reviewed in the very near future? It seems like a somewhat absurd policy for a server host to block outgoing SMTP at all.


REPLY from Jacob Atkins Posted on 06/01/15 at 22:33 UTC

Hey,

Thanks for getting back to us.

The main reason is due to how Blacklists handle IPv6 addresses, in the event of a spam report. Rather than listing only one address, Blacklists will list the full /64 subnet of addresses that the spam report came from.

Until we have the volume to either grant all of our users a /64 address space, or Blacklists stop listing in this manner, we have picked to block SMTP traffic over IPv6 to prevent one user from creating issues for everyone.

I do apologize for any issues this might create.

Let us know if you have any other questions!

Regards, Jacob Platform Support Specialist


REPLY from Warren Guy Posted on 06/02/15 at 00:04 UTC

I also notice that port 587 is blocked. Port 587 would seem to be irrelevant to spam blacklists. Is this also intentional, or is this a fault?

Also I'm not sure what you mean by "the volume to ... grant all of our users a /64 address space". Do you mean until you have sufficient IPv6 address space allocated? From a quick glance, I can identify three /32s and two /48s which would allow you to allocate in the order of 12,885,032,960 /64 subnets (or about three times the entire IPv4 address space worth of IPv6 /64s).

It's worth noting that Linode (amongst others) allows users to automatically allocate multiple /64s per VM, and allocates /48s on specific request. It's disappointing that your IPv6 offering so far appears to be token only. I would appreciate it if you could elaborate on whether you have any plans to change your policy, or if you specifically have NO plans to change your policy.


REPLY from Jdonnell Posted on 06/02/15 at 00:18 UTC

Hi there!

Thank you for getting back to us on this. To be honest I'm not certain why we block 587 as well; as you noted, outgoing mail traffic goes over port 25. I suppose that's just the way things landed; that meeting happened a bit before my time here, admittedly.

As for the /64, basically since IPv6 RBLs list entire /64s at once, we keep SMTP blocked because one customer spamming would have a wealth of clients listed on an RBL. Since there are, to my knowledge, zero e-mail services that work over IPv6 only, with the exception of those that exist purely to prove a point, in combination with the annoying fact that Gmail so consistently marks e-mail over IPv6 as spam regardless of how properly configured, there just isn't much in it for us right now to enable it.

Given the reality of IPv4 shortage and the slowly increasing IPv6 adoption worldwide I'm sure we would both agree that our current stance is not likely to remain as reasonable as it is now, and we're not the kind of people who won't revisit these things later when it makes more sense. We surely will. That's just where we're at right now. Feedback is always appreciated, of course.

If I can be of any further assistance, please be sure to let me know.

Kind Regards, Jarland Platform Support Specialist


REPLY from Warren Guy Posted on 06/02/15 at 00:32 UTC

Thanks for your reply. Can you advise if there is any other port blocking or other measures that apply to IPv6 that do not apply to IPv4 that I should be aware of?

To be honest, I don't think Digital Ocean's current stance is reasonable even now. It's not really the point that there are no serious IPv6-only mail services. It makes the service unpredictable and therefore unreliable. I had to spend time looking into why emails originating on this server were taking so long to be delivered (via an SMTP smarthost). Now to address the problem, I have to modify my configuration to use only IPv4 for sending email. It is a small pain but still something extra I have to be aware of and care about.

Blocking critical internet services is not what I expect from a hosting provider.


REPLY from Jdonnell Posted on 06/02/15 at 01:27 UTC

Hi there!

Thank you for getting back to us on this. Certainly we do appreciate the feedback. Like I said, we're not the kind of people who are not willing to revisit these things. We aim to be nothing but friendly :)

We've taken your feedback directly to our network engineers.

If I can be of any further assistance, please be sure to let me know.

Kind Regards, Jarland Platform Support Specialist


REPLY from Warren Guy Posted on 06/02/15 at 01:42 UTC

Thanks Jarland. Just one more thing: could you please answer the first point of my last message? That is, could you advise if anything other than port 25 and 587 is blocked?


REPLY from Jdonnell Posted on 06/02/15 at 02:18 UTC

Hi there!

Thank you for getting back to me on this. My apologies for overlooking that question previously. We do block a bit more than just the SMTP ports on IPv6. The ports are 25, 109, 110, 143, 465, 587, 993, 995. So SMTP, POP, and IMAP.

If I can be of any further assistance, please be sure to let me know.

Kind Regards, Jarland Platform Support Specialist

I can only conclude that Digital Ocean has no interest in supporting IPv6 now or in the near future, and offers it as a token service only. In the email use case, a Digital Ocean server ('droplet') with IPv6 is actually worse than an IPv4 only server. Worse, as I stated in the support thread, it makes the service unpredictable and therefore unreliable.

To be fair, Digital Ocean is probably still a good choice for simple web hosting, as I don't see them blocking any common web services any time soon. But for anything beyond that, and especially if you intend to make use of IPv6, another provider that doesn't make it policy to deliberately block common Internet services might be a safer bet.
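Before relying on a provider's IPv6 for mail, it is worth repeating the check from the ticket across all eight ports that support listed, against a host you control (your own smarthost, say). The script below is an added example, not part of the original post: it TCP-connects to each port over IPv4 and then IPv6 and tells apart a host that answers (connected or refused) from one that stays silent (timeout), which is what a filter on the path looks like. The target name smarthost.example is a placeholder.

```python
"""Check which mail ports a host answers on over IPv6 versus IPv4.

Added example for this post, not code from the original. It repeats the
tcptraceroute check from the support ticket for all eight ports DigitalOcean
listed, and classifies each attempt as connected, refused, timeout,
unreachable or unresolvable.
"""
import socket
from typing import NamedTuple

# The eight ports DigitalOcean support said are blocked on IPv6.
MAIL_PORTS = {25: "SMTP", 109: "POP2", 110: "POP3", 143: "IMAP",
              465: "SMTPS", 587: "submission", 993: "IMAPS", 995: "POP3S"}


class Probe(NamedTuple):
    family: str    # "IPv4" or "IPv6"
    port: int
    outcome: str   # "connected", "refused", "timeout", "unreachable", "unresolvable"


def probe_port(host: str, port: int, family: int, timeout: float = 5.0) -> str:
    """TCP-connect to host:port over one address family and report what happened.

    'refused' means the far end answered (nothing listens there); 'timeout'
    means no answer at all, which is what a silent filter on the path produces.
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"       # e.g. no AAAA record for an IPv6 probe
    sockaddr = infos[0][4]
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "connected"
        except socket.timeout:      # subclass of OSError, so it must come first
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:             # no route, network unreachable, ...
            return "unreachable"


def probe_mail_ports(host: str, timeout: float = 5.0) -> list:
    """Probe every port in MAIL_PORTS over IPv4 and then over IPv6."""
    results = []
    for fam_name, fam in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        for port in MAIL_PORTS:
            results.append(Probe(fam_name, port, probe_port(host, port, fam, timeout)))
    return results


def suspected_ipv6_filter(results) -> list:
    """Ports that time out over IPv6 but get some answer over IPv4.

    A port the host answers on over IPv4 (open or refused) but is silent on
    over IPv6 is the pattern described in the post. A port silent over both
    families is just closed or firewalled on the host itself and is not listed.
    """
    outcome = {(r.family, r.port): r.outcome for r in results}
    return sorted(
        port for port in MAIL_PORTS
        if outcome.get(("IPv6", port)) == "timeout"
        and outcome.get(("IPv4", port)) in ("connected", "refused")
    )


if __name__ == "__main__":
    import sys
    # Placeholder target; pass your own smarthost's name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "smarthost.example"
    probes = probe_mail_ports(target)
    for p in probes:
        print(f"{p.family:4} {p.port:3} {MAIL_PORTS[p.port]:10} {p.outcome}")
    print("Silent over IPv6 only on ports:", suspected_ipv6_filter(probes))
```

Run it with the smarthost's hostname as the only argument. On the droplet described in the post, ports 25 and 587 (and the other six, once they were known) should show up as silent over IPv6 while the same ports answer over IPv4; if a port is silent over both, the problem is on the far host, not the provider's network.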

Postfix solution:

The simplest solution to this problem in Postfix is to add smtp_bind_address = 0.0.0.0 (or the IPv4 address of your server) to your main.cf file (in /etc/postfix on Debian/Ubuntu). Alternatively, if, like me, you are sending via a smarthost anyway, you could specify your smarthost by IPv4 address instead of hostname in the relayhost variable in main.cf.
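The two settings above as a main.cf fragment, alongside the standard Postfix address-preference parameters that solve the same problem without hard-coding an address. This is an added example, not the post's own configuration; 192.0.2.10 is a documentation-range placeholder for the smarthost, and the port and the alternative parameters are my additions.

```ini
# /etc/postfix/main.cf fragment (added example; 192.0.2.10 is a placeholder).
# Postfix does not accept trailing comments, so every comment sits on its own line.

# Option A from the post: bind the SMTP client's IPv4 connections to the
# droplet's IPv4 address (0.0.0.0 lets the kernel pick the interface address).
smtp_bind_address = 0.0.0.0

# Option B from the post: name the smarthost by IPv4 literal. The brackets are
# required around an address literal and also suppress the MX lookup.
relayhost = [192.0.2.10]:587

# Alternative not in the post: keep the hostname and have the SMTP client try
# IPv4 first, falling back to IPv6 only if IPv4 fails (Postfix 2.8 and later).
#smtp_address_preference = ipv4

# Or switch Postfix to IPv4 only (client and server), which also removes the
# connect-timeout-then-retry delay described at the top of the post.
#inet_protocols = ipv4
```

Option B has one cost: if you verify the smarthost's TLS certificate by name, the IP literal will not match the certificate, so in that setup prefer option A or one of the commented parameters, which keep the hostname. After editing, `postfix reload` applies the change and `postconf -n` shows the effective non-default settings.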

Updated 2 June to add three new messages to the support thread, and elaborate on which ports exactly are blocked.

TAGS: SysAdmin, spam, RBL, SMTP, IPv6, Digital Ocean, Linode, Postfix
