SMTP and IPv6

This week we migrated our Zimbra mail server to send and receive email over IPv6.

While Zimbra does not officially support IPv6, the underlying component that sends and receives email, postfix, has supported IPv6 for a long time. The process is therefore to modify the postfix config to enable IPv6. However, Zimbra rewrites the configuration files of its various components, so you cannot edit them directly. Instead, you edit /opt/zimbra/conf/zmmta.cf and add the following line in the mta section:

POSTCONF inet_protocols all


like in the example below:

...
  POSTCONF virtual_transport LOCAL postfix_virtual_transport
  POSTCONF inet_protocols all
RESTART mta
...

As the zimbra user, restart the MTA:
zmmtactl restart

Additionally, we modified the MTA mynetworks parameter. This cannot be edited directly from the GUI. The GUI checks that you enter a valid IP address, but checks only for IPv4.

You can do that directly as the zimbra user:
zmprov modifyserver seine.avonsys.com zimbraMtaMyNetworks '127.0.0.0/8 x.x.x.x/x [::1]/128 [xxxx:xxxx:xxxx::x]/48'

Where [xxxx:xxxx:xxxx::x]/48 is your IPv6 network.

All of this is explained on the Zimbra forum and in the Zimbra Bugzilla.

We then modified our MX record to point to our machine, which will have both an A (IPv4) and an AAAA (IPv6) record. Dual-stack clients usually prefer IPv6 over IPv4.

The last part was to get the rDNS set up. Mail servers use reverse DNS to check that there is a link between the IP that sends email, the machine it claims to be and the domains used in the email itself. Basically, when a server receives a connection, the sender identifies itself via the EHLO or HELO command: 'HELO seine.avonsys.com'. The sender connects from a specific IP, here 2001:df0:67::129, and the receiver checks via rDNS what hostname is associated with this IP.
dig -x 2001:df0:67::129
;; QUESTION SECTION:
;9.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.6.0.0.0.f.d.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
9.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.6.0.0.0.f.d.0.1.0.0.2.ip6.arpa. 604800 IN PTR	seine.avonsys.com.

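You can see the format of the rDNS name for IPv6. You write out the full IPv6 address (adding the zeros where they belong), reverse it one hex digit at a time, separate the digits with dots and append ip6.arpa. The full address is: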
2001:0df0:0067:0000:0000:0000:0000:0129
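
The check described above, written out as an added example (not code from the original post or from Zimbra or postfix). It builds the ip6.arpa name, looks up the PTR and compares it with the HELO name; it goes one step beyond the text by also confirming that the PTR hostname resolves back to the connecting address. The DNS answers are constructed tables so it runs offline; `check_sender`, the verdict strings and the 2001:db8:: hosts are assumptions made for the illustration.

```python
import ipaddress

def ip6_arpa_name(addr):
    """Expand an IPv6 address to 32 hex nibbles, reverse them, append ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

# Constructed stand-ins for DNS answers so the example runs offline.
# The first PTR name is copied from the dig output above; the second is a
# made-up host in the documentation prefix whose PTR claims our hostname.
PTR = {
    "9.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.6.0.0.0.f.d.0.1.0.0.2.ip6.arpa.":
        "seine.avonsys.com.",
    ip6_arpa_name("2001:db8::66"): "seine.avonsys.com.",
}
AAAA = {"seine.avonsys.com.": ["2001:df0:67::129"]}

def check_sender(client_ip, helo_name, ptr=PTR, aaaa=AAAA):
    """Return (verdict, detail) for the IP / rDNS / HELO linkage."""
    ip = ipaddress.IPv6Address(client_ip)
    qname = ip6_arpa_name(client_ip)
    host = ptr.get(qname)
    if host is None:
        return ("no-ptr", qname)
    # Forward confirmation: the PTR target must have an AAAA record that
    # points back at the connecting address, otherwise whoever controls a
    # reverse zone could claim any hostname.
    if ip not in {ipaddress.IPv6Address(a) for a in aaaa.get(host, [])}:
        return ("ptr-not-confirmed", host)
    if host.rstrip(".").lower() != helo_name.rstrip(".").lower():
        return ("helo-mismatch", host)
    return ("ok", host)

if __name__ == "__main__":
    cases = [  # constructed connections: (client IP, HELO name)
        ("2001:df0:67::129", "seine.avonsys.com"),
        ("2001:df0:67::129", "mail.example.net"),
        ("2001:db8::66", "seine.avonsys.com"),
        ("2001:db8::25", "seine.avonsys.com"),
    ]
    for ip, helo in cases:
        print(ip, helo, check_sender(ip, helo))
```
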


Now the issue is that there are very few IPv6-enabled DNSBLs. A DNS Blocking List is a DNS server which answers with codes in the range 127.0.0.x for any IP which is deemed unsafe to receive email from. First, few DNSBL operators have IPv6. Second, BIND, the popular DNS software, is rarely used for such a task as it is not optimized for this specific problem; instead people use rbldnsd, which until recently was not IPv6 compatible. Finally, the sheer size of the database needed to store all these invalid IPs may be too much to handle (there are techniques to avoid considering every possible IPv6 address).

One such IPv6 DNSBL (and maybe the first one) is VIRBL. At the moment we have no information on how to make it work with Zimbra for IPv6, but stay tuned.

A study by RIPE shows the level of SPAM on IPv6, but human sightings of SPAM on IPv6 tend to show that the SPAM does not originate from an IPv6 host but from an IPv4 machine, and is then relayed by a dual-stack IPv4/IPv6 email server. Surely, things will change.

Overall, it is easy to configure a mail server on IPv6, and relatively safe, as the level of SPAM is not at the levels seen on IPv4, and the second line of defense, content-based filters, is not affected by the connecting IP.

Now, we will gain experience on the practice of having SMTP over IPv6.
