jwildeboer,
@jwildeboer@social.wildeboer.net

People sending me e-mails, me replying to them only to find out that their mailserver is blocking my mailserver for weird reasons, forcing me to reconfigure my mailserver so I can get through with their mailserver which immediately blocks me again for "abusive behaviour". Well, sorry, fan of my blog. You'll never get my reply I guess. Also dear mailbox.org: your laziness wrt throwing blacklists in your server config is excluding small servers. You are NOT helping with decentralising e-mail.

GrapheneOS,
@GrapheneOS@grapheneos.social

@jwildeboer They're doing this to the GrapheneOS mail server too. GrapheneOS has over 250k users. Our mail server is already configured to only send email via IPv4 because we're aware many providers blacklist based on /64 or even /48 blocks. We don't use our mail server's IPv6 address to send email. mailbox.org has explicitly told us they're blocking based on the IPv6 /64 block for our website (grapheneos.org), not even our mail server. If we removed support for IPv6 from our website, it'd work.

haploc,
@haploc@fedi.cr-net.be

@jwildeboer on my mailserver I got a notification that my IP was listed in Uceprotect L2 (which is a whole IPv4 /16 subnet from Hetzner). The only way to get a whitelist exception was to pay a subscription.
L1 (IP address itself) was still OK.

jwildeboer,
@jwildeboer@social.wildeboer.net

To sum up. My mailserver, which has been running for 14 years, continuously updated and maintained, well respected by hotmail, google, outlook, yahoo and many more, yes, even t-online!, is blocked by mailbox.org because they don't like my IPv6 address based on a Spamhaus blacklist that tries to educate providers to follow their rules wrt IPv6. Le sigh.

jwildeboer,
@jwildeboer@social.wildeboer.net

And before you ask: yes, my mailserver supports DKIM, DMARC, SPF, accepts only modern ciphers for TLS communications, has a working PTR record in DNS. Spamhaus just hates the fact that I have my mailserver running at OVH, who don't give me a /64 for my IPv6 which they deem to be reason to block me in their CSS blocklist, which mailbox.org uses on all their servers.

js,

@jwildeboer Giving you less than a /64 is not RFC compliant from what I remember. So yes, they are indeed right here that OVH is doing it wrong.

  • js,

    @jwildeboer The entire idea of the RFC is that you don’t spam routing tables, block lists etc. by something more fine grained than a /64. That’s why they say a /64 is a user. Would you also complain to Spamhaus if OVH puts you behind NAT and you share an IP with someone sending spam? Because this is basically the IPv6-equivalent of NAT.

  • mkoek,
    @mkoek@mastodon.nl

    @jwildeboer so… what is it that they think you’re doing wrong with IPv6?

    jwildeboer,
    @jwildeboer@social.wildeboer.net

    Spamhaus just shrugs and tells me to STFU and find a better provider as they won't change their policy. "NOTE: If your allocation is smaller than /64, we cannot remove it from CSS, and the situation needs to be corrected with the provider prior to requesting removal." https://check.spamhaus.org/listed/?searchterm=2001:41d0:305:2100::548c

    Mailbox.org just shrugs and tells me to read what Spamhaus is telling me.

    But if I use IPv4, mailbox.org happily accepts my mails. From the very same server. So I guess they just don't want IPv6 traffic?

    kedare,

    @jwildeboer On the /64 they are correct, anything other than an interco/p2p network should be a /64 (and ideally your ISP should provide you a /56 if following the standard)

  • kedare,

    @jwildeboer No of course not, but it's logical to treat a /64 (or even a /56) as a whole and not individual IPv6

  • kedare,

    @jwildeboer Because your ISP is giving you something smaller than /64? Usually on filter/detection on IPv6 we don't keep more details than the /64 as there are just too many (same reason a DFZ BGP router would drop any route smaller than /48 in IPv6)

  • PulsarSkate,
    @PulsarSkate@mastodon.sdf.org

    @jwildeboer @kedare OVH charging to upgrade to a /64 is a bit like when TLS certs used to cost money. An infrastructure provider hampering adoption of a technology because they think there's money to be made doing so

  • antondollmaier,
    @antondollmaier@mastodon.social

    @jwildeboer @kedare Nope - Spamhaus is punishing you because OVH does not follow the standard and is not assigning you the full /64 subnet that they should.
    FYI, Hetzner does assign a whole /64 Subnet to each server and Cloud-VM.
    We assign only a single IPv6 address to each VM, where the customer does not have root privileges. The larger deployments get their own VPC with their own 64.

    kedare,

    @antondollmaier @jwildeboer To avoid 💩 IPv6 (or no IPv6 at all) from ISP, I ended up getting my own ASN and my own /48 at the end, much less trouble (and not that hard to do)

  • antondollmaier,
    @antondollmaier@mastodon.social

    @jwildeboer @kedare totally agreed.
    But please blame OVH and not Spamhaus.

    GrapheneOS,
    @GrapheneOS@grapheneos.social

    @jwildeboer We already configured our mail server to only send emails via IPv4 but we still accept emails via IPv6. mailbox.org is still blocking our emails because we still have an AAAA record for accepting emails. We've contacted them about it and they said that it's going to be blocked even if we remove the AAAA record for our mail server because discuss.grapheneos.org (domain we're sending email for) and grapheneos.org have AAAA records on their blacklist. It doesn't make any sense...

    tevin,

    @jwildeboer 14 years! People need to see more examples like this so they know it’s totally fine to host their own mail servers!
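
The /64-granular filtering discussed in this thread, as an added example that is not part of any post: a reputation list keyed on the covering /64 lists every address a provider hands out from that prefix together. The addresses use the 2001:db8::/32 documentation prefix and are constructed, `dnsbl.example` is a placeholder zone, and the query-name layout follows the nibble-reversed IPv6 format of RFC 5782.

```python
# Added illustration: constructed data, no network access.
import ipaddress

ZONE = "dnsbl.example"  # placeholder zone, not a real blocklist


def covering_64(addr: str) -> ipaddress.IPv6Network:
    """Return the /64 containing addr, the unit a /64-granular list tracks."""
    return ipaddress.ip_network(f"{addr}/64", strict=False)


def dnsbl_query_name(addr: str, zone: str = ZONE) -> str:
    """RFC 5782 IPv6 lookup name: 32 nibbles, reversed, dot-separated, then zone."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


class Slash64Blocklist:
    """Reputation store that keeps no detail below the /64."""

    def __init__(self):
        self._listed = {}  # IPv6Network -> reason for listing

    def report(self, addr: str, reason: str) -> None:
        self._listed.setdefault(covering_64(addr), reason)

    def check(self, addr: str):
        """Return the listing reason for addr's /64, or None if unlisted."""
        return self._listed.get(covering_64(addr))


def demo():
    bl = Slash64Blocklist()
    # Constructed scenario: two customers get single addresses from one /64,
    # a third host sits in the neighbouring /64.
    noisy_neighbour = "2001:db8:305:2100::1"
    mailserver = "2001:db8:305:2100::548c"
    other_prefix = "2001:db8:305:2101::25"
    bl.report(noisy_neighbour, "spam source")
    return {h: bl.check(h) for h in (noisy_neighbour, mailserver, other_prefix)}


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host:28} {covering_64(host)}  ->  {verdict or 'not listed'}")
    print(dnsbl_query_name("2001:db8:305:2100::548c"))
```
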
