IPv6 + Socks Issues

is there a way to designate ips that we are using with socks as ipv4 only or ipv6 only? we are having instances where a mail with v6 mx is getting forwarded to the v4 socks ip and similarly a v4 mx getting forwarded to the v6 socks ip. We’re using sources.lua to build the egress ips.

Here is a sanitized excerpt of our sources.toml

```toml
[source."ip-1"]
ehlo_domain = 'smtp-out01.our-domain.com'
socks5_proxy_server = '192.168.0.20:2525'
socks5_proxy_source_address = 'xxx.xxx.xxx.180'

[source."ip-2"]
ehlo_domain = 'smtp-out01.our-domain.com'
socks5_proxy_server = '192.168.0.20:2525'
socks5_proxy_source_address = 'xxxx:xxxx:xxxx:xx::180'

[pool."pool-1"]
[pool."pool-1"."ip-1"]
[pool."pool-1"."ip-2"]
```

the error in the transient failure was more or less “KumoMTA internal: failed to connect to any candidate hosts: connect to 52.xxx.xxx.xxx:25 and read initial banner: Skipping ip-2 because socks5_proxy_source_address xxx:xxx:xxx:xx::180 address family does not match the destination address family xxx.xxx.xxx.xxx:25”

but it generated a ton of transient failures instead of just picking the source address that matches the type

secondly - should we be using the kumo socks proxy or haproxy in production? i read the documentation a couple times through and it looks like we should be using the kumo socks but because it supports both i wasn’t 100% sure

KumoProxy is a Socks5 proxy that is specifically designed for use with email and it can definitely be used in production. We support HAProxy (Socks4) as well so you can use either.

And you can specifically skip ipv6 in shaping if you like.

is there any configuration i’ve missed that would allow the connections to go to the right place the first try though? wouldn’t skip_hosts skip ipv6 entirely instead of just for a specific ip

@faithful-ostrich how does the egress source code pick the right outbound ip? Would it be easier for it to choose correctly if my socks_proxy_server was ipv6 instead of ipv4 with a v6 source address?

The IP type won’t matter.
How it picks the IP depends on how you have written the code.
This is a good place to start:

If you are writing it in Lua, you can use a tenant-to-pool assignment as in the sample on that page.
Not recommended, but the brute-force version is something like:

```lua
kumo.on(
  'get_queue_config',
  function(domain_name, tenant, campaign, routing_domain)
    -- Stays nil unless the domain matches below
    local mypool
    if domain_name == 'gmail.com' then
      mypool = "useThisPool"
    end
    return kumo.make_queue_config {
      egress_pool = mypool,
    }
  end
)
```

This assumes you have defined a pool called "useThisPool" with at least one IP (source) configured.

If you are using the helpers, this is super simple.

Define sources (IP addresses) and Pools in a sources.toml file

Note that you can only assign a message to a POOL, so to assign to an IP, you need a Pool of one IP

The next easiest thing to do is to assign the pool in a queues.toml file

IE:

```toml
[tenant.'default-tenant']
egress_pool = 'pool-1'
```

Easy peasy :slightly_smiling_face:

right, that’s how i have it built currently - and we’re currently ignoring all ipv6 temporarily because when we turn on our outbound v6 egress entry we start getting transient fails when a V6 mx gets sent to the v4 outbound socks and v4 mx gets sent to the v6 outbound socks

maybe i’m not asking right, but shouldn’t the software see that the address family for the particular MX should go to the socks proxy that is responsible for v6 address family?

like if we weren’t using socks, i just imagine it would work as intended and the v6 ip would be used to connect to v6 servers and vice versa for v4

as it stands right now i get a transienterror generated when it fails to connect to 365 v6 via the v4 proxy even if we have a v6 defined

now - could it be a quirk of how we’re defining the outbound proxies because both ip-1 and ip-2 are using the same ip:port combination?