Outgoing connections on port 25 / 587 / 143 blocked over IPv6?

September 13, 2014 8.3k views

I just moved my servers, including my mailserver to the new ams3 region because of ipv6. i configured postfix to use ipv6 and i recieved my first email over ipv6 without a problem.

But when i try to send mail over ipv6 to other mailserver that support ipv6 like the connection times out.

I then used netcat to test it and found that three mail relevant ports seem to be blocked for outgoing connections. SSH works fine.

nc -vz [ipv6-address] 25
nc: connect to [ipv6-address] port 25 (tcp) failed: Connection timed out
nc -vz [ipv6-address] 587
nc: connect to [ipv6-address] port 587 (tcp) failed: Connection timed out
nc -vz [ipv6-address] 143
nc: connect to [ipv6-address] port 143 (tcp) failed: Connection timed out

nc -vz [ipv6-address] 22
Connection to [ipv6-address] 22 port [tcp/ssh] succeeded

Are these ports really blocked? If yes, why?

1 comment
5 Answers

Just checked if this is still the case in 07/2016 and it unfortunately is:
Outgoing connections are blocked on the following ports:
25/tcp filtered smtp
109/tcp filtered pop2
110/tcp filtered pop3
143/tcp filtered imap
465/tcp filtered smtps
587/tcp filtered submission
933/tcp filtered unknown
995/tcp filtered pop3s

I'm in the FRA1 (Frankfurt) Datacenter. I hope this gets changed sometime soon. Other than this I'm really happy with DO but their IPv6 support really sucks big time (the no real v6 subnet and only 16IPs thing being the other big v6 problem).

I got that from the support, for anyone that is interested:


Sorry for the confusion. At this time we've blocked SMTP by default on IPv6. Currently we suggest using IPv4 droplet for outgoing SMTP access.

The reason behind this is that it's a new feature on DigitalOcean and we're easing into the roll out of SMTP support. This is definitely something we are looking into and hope to support soon, though we have not estimate on when this may be available at this time.

We appreciate your understanding on this. Please let us know if you have any questions.

Hi there; I was in touch with support about this a few months back and I didn't realise it was still blocked.

The response was:

... the changes you need to make are in /etc/gai.conf

Look for the list of precedences that are commented out.

The last value simply needs to be uncommented and the 10 changed to a 100

This will de-prioritize IPv6 NS lookups and allow IPv4 to take priority.

Eventually we will remove the block on IPv6 SMTP, but for now it will remain in place.

Or, to put it another way:


nano /etc/gai.conf

make the appropriate lines look like this

precedence ::ffff:0:0/96  100

Reboot, test, enjoy, let me know if it works :)

  • I prefered telling postfix to send mail over IPv4 but recieve mail over IPv4 and IPv6 which works fine. My other services can also still use IPv6 this way.

  • Hey - I wanted to thank you for sharing this. I have been trying to solve this issue all day and finally someone directed me to your post and I fixed it. I really wish Digital Ocean would publicize this

  • it works. I doun't realy get the point - but it works...thanks:-)

  • Thank you so much for showing this solution. I spent a very stressful night trying to get SMTP to work with IPv6 enabled (needed it fixed by the next day) and this is what finally did it.

Is this still the case?

The whole reason I am investigating using Digital Ocean (In conjunction with Forge) is to make life easier. If IPv6 is blocked by default this kind of defeats the point in not having to dig around configuration files - something I don't really want to have to do in an ideal world. Hence checking this service out.

  • Just tested it and it is still the case. Probably as long as DO in not issuing full /64 IPv6 adresses. Because mail blacklists often list the whole /64 for a spam host and thus possible affecting a lot of droplets.

Have another answer? Share your knowledge.