IPv6 Implementation, DKIM/SPF for slowb.ro and a new DNS host

Migrating to support IPv6 is something that I've wanted to do for a while. But it has never been a priority as Australia does not support IPv6 (or any type of "fast" internet, but let's not get started on that). As I'm basically the only one who uses my "services" it kinda doesn't affect me. But it's nice to have nonetheless.

Here is my game plan:

  • Figure out all my non-local services
  • Move all services to listen on IPv6 and IPv4.
  • Confirm all services still reachable on IPv4
  • Update DNS

Simple enough right?

Services:

  • Tor Relay (Tor)
  • Mail (Postfix/Dovecot)
  • Web (NGINX)
  • XMPP (Ejabber)

DNS Hoster

I was getting a very sweet deal from my previous DNS host Zerigo.net. They then changed their plan structure so it was better for enterprise customers and not so great for people hosting 1 or 2 domains. The free plan being: 10 records per domain, excluding NS records. After one year of paid, and then dropping down to the free plan, I could never enable SPF/DKIM/IPv6 as I never had enough free record spots. I carried on, but always kept an eye out for a quality DNS host. (If you know of quality free DNS hosts please drop me a link in the comments.) I read an article on how to distance yourself from managed/FiveEyes/hosted services. Usually they are the same thing but he had a DNS service I'd never heard of.

They have an amazing free plan. Host up to 50 domains, with unlimited (correct me if I am wrong) records per domain.
Finding out about a long standing company which prides itself on Layer 2 backbone infrastructure and a free DNS service? Sign me up!

Fast forward an hour and I've delegated my domain and there has been 0 downtime.

Enabling IPv6

If you were wondering how to enable it for yourself, it takes next to no time to enable. It takes longer to test. Check out the links for yourself if you wish.

My only suggestion is to add your IPv6 address to your SPF record before restarting Postfix, especially if you have hard fail (discard) on.

  • ejabber IPv6 Forum link
      • Change 0.0.0.0 to :: and the Linux kernel will forward ipv4:port -> ipv6:port
  • Tor Relay IPv6 Wiki
      • Duplicate ORPort and DirPort with IPv6 address
  • Postfix IPv6 Readme (No HTTPS?!?!?)
      • Set inet_protocols = all and specify a specific IPv6 address (if you want)
      • Change all 127.0.0.1 hardcoded variables to localhost, specifically in /etc/postfix/master.cf. I had an issue only after a server reboot. Postfix was still queuing emails when I added IPv6, but there was an issue as I hardcoded 127.0.0.1 in my master.cf file. No mail was being forwarded to ClamAV. Even though it was listening on both :::10025 and 127.0.0.1:10025, apparently hardcoding that value just threw everything out the door!
  • Dovecot IPv6 mailman
      • Should have read the dovecot.conf file. Update listen = *, ::
  • Nginx
      • Add a new listen [ipv6:address:here]:port;
      • Don't forget to add ssl like I did!
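
The SPF suggestion above can be checked before touching Postfix. The following is an added example, not code from the original post: it evaluates only the ip4, ip6 and all terms of an SPF record offline for a given sending address. The records and addresses are constructed from documentation ranges, and spf_result is a name chosen here.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a term with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that need DNS lookups, which this offline check cannot perform.
DNS_MECHANISMS = ("a", "mx", "include", "exists", "ptr")

# Constructed sample records (documentation address ranges, not real hosts).
OLD_RECORD = "v=spf1 ip4:192.0.2.10 -all"
NEW_RECORD = "v=spf1 ip4:192.0.2.10 ip6:2001:db8::25 -all"


def spf_result(record, sender_ip):
    """Evaluate ip4/ip6/all terms left to right for sender_ip.

    Returns pass/fail/softfail/neutral, "unresolved" when the outcome
    depends on DNS (a, mx, include, redirect=...), "none" if not SPF.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    has_redirect = False
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            # An ip4 term can never match an IPv6 sender, and vice versa.
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name.split("/")[0] in DNS_MECHANISMS:
            return "unresolved"
        elif name.startswith("redirect="):
            has_redirect = True
    # No term matched: a redirect= would decide, otherwise the default applies.
    return "unresolved" if has_redirect else "neutral"


if __name__ == "__main__":
    for label, record in (("old", OLD_RECORD), ("new", NEW_RECORD)):
        for addr in ("192.0.2.10", "2001:db8::25"):
            print(label, addr, spf_result(record, addr))
```

With the old record, mail leaving over IPv6 evaluates to fail, which is exactly the case a receiver with hard fail enabled would discard.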

Enabling DKIM/SPF/DMARC

Here is a great tutorial on implementing SPF, DKIM, and DMARC on a Postfix/Dovecot Instance. https://words.bombast.net/?p=208

Hiccups Implementing postfix DKIM/SPF/DMARC:

  • Double DKIM signing

I only had one bug where I was signing my mail twice, or Double DKIM. This is due to your mail leaving the queue for spam checking and coming back and getting signed before and after.

The simple fix for this is to add no_milters to your master.cf file for SpamAssassin (assuming you followed the same tutorial above and added DKIM/DMARC to milters).

Full example:

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Conclusion

All in all it's been very easy implementing SPF, DKIM, DMARC and IPv6. If I had multiple domains and possibly multiple VPSs I would probably set up my own DNS service using bind. But until that time, Hurricane Electric is an amazing service that I am very glad I found.