Question

Outgoing connections on port 25 / 587 / 143 blocked over IPv6?

Posted September 13, 2014 35.3k views

I just moved my servers, including my mailserver to the new ams3 region because of ipv6. i configured postfix to use ipv6 and i recieved my first email over ipv6 without a problem.

But when i try to send mail over ipv6 to other mailserver that support ipv6 like gmail.com the connection times out.

I then used netcat to test it and found that three mail relevant ports seem to be blocked for outgoing connections. SSH works fine.

nc -vz [ipv6-address] 25
nc: connect to [ipv6-address] port 25 (tcp) failed: Connection timed out
nc -vz [ipv6-address] 587
nc: connect to [ipv6-address] port 587 (tcp) failed: Connection timed out
nc -vz [ipv6-address] 143
nc: connect to [ipv6-address] port 143 (tcp) failed: Connection timed out

nc -vz [ipv6-address] 22
Connection to [ipv6-address] 22 port [tcp/ssh] succeeded

Are these ports really blocked? If yes, why?

Add a comment
sherbers
By:
sherbers
Add a comment
3 comments

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
9 answers
jonathan October 13, 2014

Hi there; I was in touch with support about this a few months back and I didn’t realise it was still blocked.

The response was:

… the changes you need to make are in /etc/gai.conf

Look for the list of precedences that are commented out.

The last value simply needs to be uncommented and the 10 changed to a 100

This will de-prioritize IPv6 NS lookups and allow IPv4 to take priority.

Eventually we will remove the block on IPv6 SMTP, but for now it will remain in place.

http://serverfault.com/questions/93717/setting-ipv4-as-preferred-protocol-over-ipv6
http://askubuntu.com/questions/32298/prefer-a-ipv4-dns-lookups-before-aaaaipv6-lookups

Or, to put it another way:

Backup!

nano /etc/gai.conf

make the appropriate lines look like this

precedence ::ffff:0:0/96  100

Reboot, test, enjoy, let me know if it works :)

Reply Report
GeraldH July 25, 2016

Just checked if this is still the case in 07/2016 and it unfortunately is:
Outgoing connections are blocked on the following ports:
25/tcp filtered smtp
109/tcp filtered pop2
110/tcp filtered pop3
143/tcp filtered imap
465/tcp filtered smtps
587/tcp filtered submission
933/tcp filtered unknown
995/tcp filtered pop3s

I’m in the FRA1 (Frankfurt) Datacenter. I hope this gets changed sometime soon. Other than this I’m really happy with DO but their IPv6 support really sucks big time (the no real v6 subnet and only 16IPs thing being the other big v6 problem).

Reply Report
sherbers September 14, 2014

I got that from the support, for anyone that is interested:

Hello,

Sorry for the confusion. At this time we’ve blocked SMTP by default on IPv6. Currently we suggest using IPv4 droplet for outgoing SMTP access.

The reason behind this is that it’s a new feature on DigitalOcean and we’re easing into the roll out of SMTP support. This is definitely something we are looking into and hope to support soon, though we have not estimate on when this may be available at this time.

We appreciate your understanding on this. Please let us know if you have any questions.

Reply Report
josemarcoslopez November 16, 2014
[deleted]
Reply Report
michaelff0faa47 February 2, 2016

Is this still the case?

The whole reason I am investigating using Digital Ocean (In conjunction with Forge) is to make life easier. If IPv6 is blocked by default this kind of defeats the point in not having to dig around configuration files - something I don’t really want to have to do in an ideal world. Hence checking this service out.

Reply Report
Zivci July 17, 2017

You can give priority to IPv4 addresses over IPv6 so that you can continue to send out email without disabling IPv6. You would do that by editing the Droplet’s /etc/gai.conf file and removing the comment (#) from the following line:

Default Configuration: #precedence ::ffff:0:0/96 100

Configuration with Priority to IPv4: precedence ::ffff:0:0/96 100

Reply Report
bukmopbl4 October 3, 2017

Works for me,

  1. change /etc/gai.conf and restart server
    precedence ::ffff:0:0/96 100

  2. https://www.google.com/accounts/DisplayUnlockCaptcha !!!

  3. https://www.google.com/settings/security/lesssecureapps
    Configured firewall for outgoing icmp traffic for ipv4 and ipv6

Reply Report
fgabrieli November 27, 2017

I’ve just uncommented the line which says:

precedence ::ffff:0:0/96 100

but i still get from “netstat -n” :

tcp 0 1 45.55.175.XXX:45020 173.194.208.108:465 SYN_SENT

seems to me it is being blocked, do you know if this still works?

Reply Report
sujeitoculto February 1, 2018

Hy, for who can’t send emails.

Try:

Backup!

nano /etc/gai.conf

and uncomment

precedence ::ffff:0:0/96 100

Reboot, test, and change NETWORK MX, add GMAIL MX.

Reply Report
  • ctomyanlearn March 19, 2018

    Hello, I still cannot send email from my Digital Ocean droplet :(

    I have enabled ipv6, uncomment above link, rebooted, opened port 465 and 587 using ufw allow out. When I try telnet smtp.zoho.com 465 , my droplet still cannot connect and still cannot send email.. any idea and tips?

    Reply Report
  • ohdavey November 25, 2018

    Hello, Which service do you have to reboot after changing /etc/gai.conf?

    Reply Report
ctomyanlearn March 19, 2018
Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help