
How are new users supposed to pass the certification?

Started by kasperd, February 08, 2013, 02:06:49 PM


kasperd

Quote from: kcochran on February 08, 2013, 01:17:58 PM
Due to an increase in email abuse, new non-BGP tunnels now have SMTP blocked by default. If you are a Sage, you can re-enable SMTP by visiting the tunnel details page for that specific tunnel and selecting the 'Unblock SMTP' option under the Advanced tab.

Since reaching sage level in the certification requires the ability to send and receive email over IPv6, it sounds like new users are going to run into a deadlock. Maybe you have thought about this problem already, but it isn't clear from the update what new users are really supposed to be doing.

kcochran


kasperd

Quote from: kcochran on February 08, 2013, 02:08:17 PM
There's a hole permitting that.

So, users are expected to set up mail in a way that can exchange emails over IPv6 with the HE servers, but not with the rest of the world?

That means users cannot use their primary domain for the certification test, as it would leave their domain broken for a period of time. But they can use a subdomain, which I suppose users should be doing anyway, since it is good practice to verify that the setup works before using it on your primary domain.

kcochran

Broken how? If they tried sending via v6, they'd just get blocked, and their MTA would move on to the next address. If someone's trying them, they'd get blocked, and move on to the next address. SMTP is actually one of the better protocols in handling this kind of thing.

This isn't the sort of thing we wanted to wind up doing, but we also have to act responsibly to the rest of the world too. With the larger number of v6-enabled MXs, the spammers would eventually hit on using v6. So we have to keep from being part of the problem. And if someone's planning on using their tunnel for receiving mail service, Sage should be trivial.

kasperd

Quote from: kcochran on February 08, 2013, 04:38:27 PM
SMTP is actually one of the better protocols in handling this kind of thing.

The SMTP protocol does indeed allow for a lot of resilience. But there are also broken SMTP implementations around. For example, are you supposed to try all the IP addresses for an MX record before you proceed to the next, or do you just try one IP address for each MX record? If all the MX records were dual stack, I wouldn't be surprised if some implementations would only try IPv6 on each of them and then proceed to the next MX on failures rather than switching to IPv4.
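
Added example, not part of the forum thread: a small Python model of the MX fallback question raised in the last post. It compares a client that tries every address of each MX with a hypothetical client that tries only the first address per MX, while SMTP over IPv6 is blocked. The host names, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: two dual-stack MX hosts using documentation prefixes.
MX_RECORDS = [(10, "mx1.example.net"), (20, "mx2.example.net")]
ADDRESSES = {
    "mx1.example.net": ["2001:db8::25", "192.0.2.25"],
    "mx2.example.net": ["2001:db8:1::25", "198.51.100.25"],
}

def candidates_all_addresses(mx_records, addresses):
    """Every address of every MX, lowest preference value first."""
    return [(host, addr)
            for _, host in sorted(mx_records)
            for addr in addresses[host]]

def candidates_first_only(mx_records, addresses):
    """Hypothetical broken client: one address per MX, then the next MX."""
    return [(host, addresses[host][0]) for _, host in sorted(mx_records)]

def v6_smtp_blocked(addr):
    """Model of the tunnel filter: a port 25 connection over IPv6 fails."""
    return ipaddress.ip_address(addr).version == 6

def deliver(candidates, blocked=v6_smtp_blocked):
    """Walk the candidate list; return (delivered_to, failed_attempts)."""
    failed = []
    for host, addr in candidates:
        if blocked(addr):
            failed.append(addr)   # connection refused or timed out, keep going
            continue
        return (host, addr), failed
    return None, failed           # every candidate failed: mail stays queued

def compare():
    """Run both client models against the same constructed MX set."""
    good = deliver(candidates_all_addresses(MX_RECORDS, ADDRESSES))
    bad = deliver(candidates_first_only(MX_RECORDS, ADDRESSES))
    return good, bad

if __name__ == "__main__":
    good, bad = compare()
    print("all addresses per MX :", good)
    print("first address per MX :", bad)
```

The first model delivers over IPv4 to the preferred MX after one failed IPv6 attempt; the second never reaches an IPv4 address and leaves the message queued.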