I’m IPv6 ready – are you?

Firstly, for those wondering about the Courier-IMAP / authlib / maildrop+authlib packages for Leonidas: I’ve built them successfully – only a minor adjustment was needed after all that – and they’re available in the usual place. Enjoy, and let me know if there are any bugs / issues.

(For a change I managed to get them out the door before someone emailed me asking where they were. Miracles happen! :-P)

I was quite surprised – and pleased – to check my website stats and find that my most frequent visitor is an IPv6 address:

IPv6 in AWStats for ThatFlemingGent

(If only the GeoIP database had an idea about IPv6 netblock ownership…)

A good friend of mine is a network administrator for a fair-sized network – two ASes under his control and a network covering the Australian eastern seaboard. He’s often tasked with finding additional IPv4 address space.

Because IPv4 addressing is becoming scarce, the registrars in many locales (APNIC in his and my case) set a high bar for new allocations to network service providers (you must be using 80% of your existing allocation and justify new allocations, for a maximum of a /22, last I heard) – and rightfully so. They’re not toffees and they are indeed becoming quite scarce, more so with the increasing take-up of internet-enabled mobile devices and broader broadband availability.

Yes, there are other options such as NAT (Network Address Translation) and name-based virtual hosting to mitigate many issues – but not all applications play nice behind NAT, voice apps and some games being good examples – and port forwarding isn’t simple for the novice user.

IPv6, step up to the plate! Support in Linux has been around for aeons and it’s rock solid. If you’re already IPv6-enabled, you’re likely talking to me over it now[1]. It’s even on by default with “link-local” fe80:: class addressing ubiquitous on new installs (even if there’s a lot of frankly ordinary advice on turning it off!)

For Fedora, there are a number of options for public IPv6 – the documents for the “initscripts” package show the basics of IPv6 quasi-native tunnelling and “6to4” tunnelling and are a good starting point.

The latter is easier and a good option if you don’t have a nearby tunnel broker / point of presence like SixXS, Hurricane Electric or a provider offering a Hexago-like service.

(Australia is a good example – the AARNet educational network offers such a service, as does Internode for its customers; Telstra may still do so but that’s it, with Hurricane Electric a higher-latency option down here. Other points of presence are just too distant to be useful.)

Wolfgang Rupprecht has a Fedora-specific howto, which applies just as well for F11 or even RHEL/CentOS.

The aiccu package is in the Everything repository if you’re eyeing off a SixXS tunnel connection.

The “go6” client from Hexago is another that hasn’t been packaged yet (to my knowledge; and while I use it, due to my provider’s use of their broker software, I’m not really a fan).

HE.NET (Hurricane Electric) lets you use the standard tools, no extra apps needed (bless ’em!)

The simplest method? 6to4. It’s not as fast as full tunnelling or “native” direct IPv6, but it will get you “on the road” so to speak. Unfortunately NetworkManager currently gets in the way, going from my testing, but on a headless gateway not using NM it works a charm:

  1. Make sure IPv6 is on in your network config: NETWORKING_IPV6="yes" in /etc/sysconfig/network
  2. Tell the network the default IPv6 interface to use (set IPV6_DEFAULTDEV=tun6to4 in the above file)
  3. Add the following lines to your network interface config:
    • IPV6INIT=yes
    • IPV6TO4INIT=yes
  4. That’s about it – restart the network service and you should be rollin’.

It will use the 6to4 relay anycast address 192.88.99.1 to reach the nearest 6to4 relay and use it as the tunnel endpoint. Test by going to a site like www.kame.net (if you see an animated turtle, it’s working) and enjoy.
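An added example (not from the original post): a POSIX sh script that works out the 2002::/16 prefix your host will get from its public IPv4 address, and checks the four sysconfig settings from the steps above. It assumes the standard Fedora file locations; eth0 and the sample addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: derive the 6to4 prefix a host
# gets from its public IPv4 address and check the sysconfig settings above.

# Print the /48 under 2002::/16 for an IPv4 address (2002:WWXX:YYZZ::/48), or
# return 1 for a malformed or non-routable one: 6to4 needs a globally reachable
# IPv4 endpoint, so it cannot work from behind NAT on an RFC 1918 address.
sixto4_prefix() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac   # digits only, no leading zeros
        [ "$oct" -le 255 ] || return 1
    done
    case "$1.$2.$3.$4" in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;       # this-host, RFC 1918, loopback, link-local
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;    # 172.16/12
    esac
    [ "$1" -lt 224 ] || return 1                              # multicast and reserved
    printf '2002:%02x%02x:%02x%02x::/48\n' "$1" "$2" "$3" "$4"   # 203.0.113.5 -> 2002:cb00:7105::/48
}

# Check the four settings from the steps above: the global network file and the
# ifcfg file of the uplink interface. Prints each missing one; returns 0 only
# when all are present (KEY=val, KEY="val" and KEY='val' are all accepted).
check_6to4_config() {
    netfile=$1 ifcfg=$2 missing=0
    for want in "$netfile:NETWORKING_IPV6=yes" "$netfile:IPV6_DEFAULTDEV=tun6to4" \
                "$ifcfg:IPV6INIT=yes" "$ifcfg:IPV6TO4INIT=yes"; do
        file=${want%%:*} kv=${want#*:}
        key=${kv%%=*} val=${kv#*=}
        if ! grep -Eq "^[[:space:]]*${key}=[\"']?${val}[\"']?[[:space:]]*\$" "$file" 2>/dev/null; then
            echo "missing in $file: $kv"; missing=1
        fi
    done
    return $missing
}

# Example run (eth0 is a placeholder for your uplink interface):
#   sixto4_prefix 203.0.113.5
#   check_6to4_config /etc/sysconfig/network /etc/sysconfig/network-scripts/ifcfg-eth0
```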

I’m moving servers next week (a Xen VPS with a fatter pipe) and rest assured it will be IPv6-aware!

[1]

[mfleming@qbert ~]$ host -t AAAA www.thatfleminggent.com
www.thatfleminggent.com has IPv6 address 2001:44b8:62:1b0::1

New courier-imap packages

Sam released 4.5.0 today (and maildrop 2.1.0, which I’m trying to package up now and having an interesting time tracking a compile problem with the db/gdbm stuff) – I’ve updated my packages for CentOS/RHEL and Fedora in the usual places.

In fact I’ve installed the new package for F9 on my server already without a hitch (yet, touch wood) – in fact I’ve never had a problem since moving from qmail-pop3d in Ye Olden Dayes (there are still a few large places here in .au using qmail-pop3d; I’ve often wondered why...)

On a tangentially related topic – is it just the onset of madness or is my repoview index going somewhat random? For about a week or more the main index has been VERY out of order for all repos (cf. here, for example). The repository data looks fine and the RSS feed data is in perfect shape. I’m wondering if I’m alone here or this is a “bug”? I’d prefer not to waste too much of Konstantin’s time if it’s just me 🙂

So don’t be alarmed regarding the latter (as a user) – I’ve not stopped.

(UPDATE: maildrop 2.1.0 builds, but without db4 support. Happy to release it if people don’t mind using gdbm. Curse you, BezerkleyDB! :-))

Mike’s Mailer Cookbook: SMTP auth, SASL and MySQL

I’m putting this up here as both a reminder to myself and just in case it’s useful to others.

I serve my IMAP user credentials (Courier in my case) from a MySQL backend and know from experience that my users find it very convenient to use the same set of credentials when sending mail with SMTP AUTH.

Now I can extract details and add them to /etc/saslauthdb2 et al., but a) it’s a little too fiddly, especially when you’ve got all the security bells and whistles turned on, and b) it seems like needless replication, and I’m a big fan of KISS theory in systems admin.

So why not use the Cyrus-SASL SQL plugin:

  • Install the SQL plugin – “yum install cyrus-sasl-sql”
  • (For postfix) Create an “smtpd.conf” file in /usr/lib(64)/sasl2 containing something similar to the following:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: <my-db-server>
sql_user: <my-user-with-select-grant>
sql_passwd: <my-sql-password>
sql_database: <my-db-with-imap-creds>
sql_select: SELECT clear FROM passwd WHERE id = '%u@%r' AND active = 1

  • Enable SMTP AUTH in your config (Read The Fine Material for that)
  • Give it a test run with your MUA of choice.

I personally only offer CRAM/DIGEST (not plaintext LOGIN/PLAIN) because I’m paranoid – your mileage may vary; I also use the stock-standard SQL schema that courier-authlib prefers and use user@domain (“%u” – user, “%r” – SASL realm, commonly your domain) for virtual login names – adjust the sql_select statement above to suit your environment, and switch “clear” for “crypt” if you want to offer PLAIN / LOGIN instead.
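An added example (not from the original post): a small POSIX sh lint for an smtpd.conf of the shape above. It catches the clear/crypt mismatch just described (CRAM-MD5 and DIGEST-MD5 can only be verified against the cleartext “clear” column) and a file that leaks sql_passwd by being world-readable. The file path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: lint an smtpd.conf of the shape
# above for a mechanism/column mismatch and for a world-readable DB password.

# Print the value of one "key: value" setting from a sasl2 config file.
sasl_get() { # file key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if the file is consistent, 1 otherwise, printing each finding.
sasl_sql_check() { # file
    f=$1 rc=0
    mechs=$(sasl_get "$f" mech_list | tr 'A-Z' 'a-z')
    query=$(sasl_get "$f" sql_select | tr 'A-Z' 'a-z')
    # CRAM-MD5 and DIGEST-MD5 are challenge-response: the server must hold the
    # cleartext password ("clear" column). A crypt() hash cannot answer them.
    case " $mechs " in *" cram-md5 "*|*" digest-md5 "*)
        case $query in *"select clear "*) ;;
            *) echo "$f: cram-md5/digest-md5 need the 'clear' column in sql_select"; rc=1 ;;
        esac ;;
    esac
    # PLAIN/LOGIN send the password itself, so they are only safe over TLS.
    case " $mechs " in *" plain "*|*" login "*)
        echo "$f: note: plain/login offered; make sure they are only used over TLS" ;;
    esac
    # sql_passwd lives in this file, so it must not be readable by everyone.
    if [ -n "$(find "$f" -perm -o=r 2>/dev/null)" ]; then
        echo "$f: world-readable, exposes sql_passwd"; rc=1
    fi
    return $rc
}

# Usage: sasl_sql_check /usr/lib64/sasl2/smtpd.conf
```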

I’ve been using this for what feels like forever but it’s cheap and has served me well; I’m always open to improvements though.