Outgoing connections on port 25 / 587 / 143 blocked over IPv6?

September 13, 2014 31.5k views
sherbers
By:
sherbers

I just moved my servers, including my mailserver to the new ams3 region because of ipv6. i configured postfix to use ipv6 and i recieved my first email over ipv6 without a problem.

But when i try to send mail over ipv6 to other mailserver that support ipv6 like gmail.com the connection times out.

I then used netcat to test it and found that three mail relevant ports seem to be blocked for outgoing connections. SSH works fine.

nc -vz [ipv6-address] 25
nc: connect to [ipv6-address] port 25 (tcp) failed: Connection timed out
nc -vz [ipv6-address] 587
nc: connect to [ipv6-address] port 587 (tcp) failed: Connection timed out
nc -vz [ipv6-address] 143
nc: connect to [ipv6-address] port 143 (tcp) failed: Connection timed out

nc -vz [ipv6-address] 22
Connection to [ipv6-address] 22 port [tcp/ssh] succeeded

Are these ports really blocked? If yes, why?

3 comments
Log In to Comment
10 Answers
jonathan October 13, 2014

Hi there; I was in touch with support about this a few months back and I didn't realise it was still blocked.

The response was:

... the changes you need to make are in /etc/gai.conf

Look for the list of precedences that are commented out.

The last value simply needs to be uncommented and the 10 changed to a 100

This will de-prioritize IPv6 NS lookups and allow IPv4 to take priority.

Eventually we will remove the block on IPv6 SMTP, but for now it will remain in place.

http://serverfault.com/questions/93717/setting-ipv4-as-preferred-protocol-over-ipv6
http://askubuntu.com/questions/32298/prefer-a-ipv4-dns-lookups-before-aaaaipv6-lookups

Or, to put it another way:

Backup!

nano /etc/gai.conf

make the appropriate lines look like this

precedence ::ffff:0:0/96  100

Reboot, test, enjoy, let me know if it works :)

Reply
  • sherbers October 13, 2014

    I prefered telling postfix to send mail over IPv4 but recieve mail over IPv4 and IPv6 which works fine. My other services can also still use IPv6 this way.

    • frogger December 31, 2018

      Which means your IPv6 is still half broken, if you can't send an email with it. This is a lousy 'solution'.

  • garson January 15, 2015

    Hey - I wanted to thank you for sharing this. I have been trying to solve this issue all day and finally someone directed me to your post and I fixed it. I really wish Digital Ocean would publicize this

  • maywald April 15, 2016

    it works. I doun't realy get the point - but it works...thanks:-)

  • rebentify September 16, 2016

    Thank you so much for showing this solution. I spent a very stressful night trying to get SMTP to work with IPv6 enabled (needed it fixed by the next day) and this is what finally did it.

  • Huckleberry July 14, 2017

    THIS

    Thanks so much for posting. Saved my bacon twice. At one point, I'd pulled out all my hair trying to get SMTP to work. This was THE issue, no IPv6 support by default on DO, with google SMTP using IPv6. You can see how that'd be an issue.

  • iMaker August 3, 2017

    Not working for me

  • Pridit January 30, 2018

    Absolute legend mate, been pulling my hair out all day over this. Reached out to support for them to misconstrue it as wanting IPv6 support, but as I eventually came to the conclusion of what specifically was happening this popped up right away.

  • guysilva101 October 24, 2018

    This edit works like a charm. thanks mate

  • frogger December 31, 2018

    This is a really lousy 'fix' which just breaks IPv6. I want to use IPv6, not avoid it.

GeraldH July 25, 2016

Just checked if this is still the case in 07/2016 and it unfortunately is:
Outgoing connections are blocked on the following ports:
25/tcp filtered smtp
109/tcp filtered pop2
110/tcp filtered pop3
143/tcp filtered imap
465/tcp filtered smtps
587/tcp filtered submission
933/tcp filtered unknown
995/tcp filtered pop3s

I'm in the FRA1 (Frankfurt) Datacenter. I hope this gets changed sometime soon. Other than this I'm really happy with DO but their IPv6 support really sucks big time (the no real v6 subnet and only 16IPs thing being the other big v6 problem).

Reply
sherbers September 14, 2014

I got that from the support, for anyone that is interested:

Hello,

Sorry for the confusion. At this time we've blocked SMTP by default on IPv6. Currently we suggest using IPv4 droplet for outgoing SMTP access.

The reason behind this is that it's a new feature on DigitalOcean and we're easing into the roll out of SMTP support. This is definitely something we are looking into and hope to support soon, though we have not estimate on when this may be available at this time.

We appreciate your understanding on this. Please let us know if you have any questions.

Reply
josemarcoslopez November 16, 2014
[deleted]
Reply
michaelff0faa47 February 2, 2016

Is this still the case?

The whole reason I am investigating using Digital Ocean (In conjunction with Forge) is to make life easier. If IPv6 is blocked by default this kind of defeats the point in not having to dig around configuration files - something I don't really want to have to do in an ideal world. Hence checking this service out.

Reply
Zivci July 17, 2017

You can give priority to IPv4 addresses over IPv6 so that you can continue to send out email without disabling IPv6. You would do that by editing the Droplet's /etc/gai.conf file and removing the comment (#) from the following line:

Default Configuration: #precedence ::ffff:0:0/96 100

Configuration with Priority to IPv4: precedence ::ffff:0:0/96 100

Reply
  • vladgroznov August 11, 2017

    Thanks,
    Works for me,

    change /etc/gai.conf and restart server

    resolve problem:

    • gmail sends mails too long and my nginx stuck without response
bukmopbl4 October 3, 2017

Works for me,

  1. change /etc/gai.conf and restart server
    precedence ::ffff:0:0/96 100

  2. https://www.google.com/accounts/DisplayUnlockCaptcha !!!

  3. https://www.google.com/settings/security/lesssecureapps
    Configured firewall for outgoing icmp traffic for ipv4 and ipv6

Reply
fgabrieli November 27, 2017

I've just uncommented the line which says:

precedence ::ffff:0:0/96 100

but i still get from "netstat -n" :

tcp 0 1 45.55.175.XXX:45020 173.194.208.108:465 SYN_SENT

seems to me it is being blocked, do you know if this still works?

Reply
sujeitoculto February 1, 2018

Hy, for who can't send emails.

Try:

Backup!

nano /etc/gai.conf

and uncomment

precedence ::ffff:0:0/96 100

Reboot, test, and change NETWORK MX, add GMAIL MX.

Reply
  • ctomyanlearn March 19, 2018

    Hello, I still cannot send email from my Digital Ocean droplet :(

    I have enabled ipv6, uncomment above link, rebooted, opened port 465 and 587 using ufw allow out. When I try telnet smtp.zoho.com 465 , my droplet still cannot connect and still cannot send email.. any idea and tips?

  • ohdavey November 25, 2018

    Hello, Which service do you have to reboot after changing /etc/gai.conf?

ctomyanlearn March 19, 2018
Reply
Have another answer? Share your knowledge.