HelioHost Posted December 20, 2024 Posted December 20, 2024 Username: N/A, Server: N/A, Main Domain: N/AHi there, Yes, we experience IPv6 connectivity issues with a customer host hosted by Helio, but only from certain IPv6 blocks. We believe this is caused by a routing problem, or some IP level filtering (firewall) either at Heliohost, or your ISP/peering provider (which appears to be Hurricane Electric / he.net). However, level 3/4 networking is not our area of expertise, hence we asked our mutual customer to bring us in contact with you. Mailhardener monitors email infrastructure, one of the features we offer is monitoring TLS certificates of our customer's SMTP services. One of our customers approached us that Mailhardener is not showing the TLS status of the inbound (MX) SMTP service for their domain vonitsanet.gr. After investigating we found that the SMTP service couldn't be reached over IPv6 from within our data center. However, we can successfully connect to this host over IPv6 from within our offices. It is not uncommon for our IP-addresses to be blocked. SMTP TLS inspection (connecting periodically, but not actually sending an email) often triggers false positives with firewalls or other security appliances. However, the customer stated that there should be no IP-based filtering in place for their SMTP host. Mailhardener performs hundreds of thousands of TLS inspections on a daily basis, many of those via IPv6, and apart from this one customer we have not received complaints about the inspection not working. Traceroute output seems to confirm that the problem is not on our side, but again, level 3/4 networking is not our area of expertise. So we might be wrong here. - Customer domain: vonitsanet.gr - Inbound (MX) SMTP host: 2001:470:1:1ee::3004 (reverse-DNS: morty.heliohost.org) - IPv6 block of Mailhardener hosts: 2a01:7c8:bb0d:15f::1/120 (can't connect, timeout) - IPv6 of Mailhardener offices: 2a02:a467:8ea2:1:1483:a947:53ab:xxxx (can connect) Comparing the traceroute output from our offices (that can connect) to the traceroute from our data center (that cannot connect) the route appears to stop somewhere between Hurricane Electric (he.net) and Heliohost. This makes us believe it is some sort of IP-based filtering problem, or possibly some peering/routing issue such as BGP. Maybe you can make more sense of it. Traceroute from our office (which can connect to the SMTP host over IPv6): office:~$ traceroute -6 -T morty.heliohost.org traceroute to morty.heliohost.org (2001:470:1:1ee::3004), 30 hops max, 80 byte packets ?1? 2a02-a467-8ea2-1--1.fixed6.kpn.net (2a02:a467:8ea2:1::1) 0.585 ms? 0.697 ms? 0.803 ms ?2? 2001:67c:2502:f100::2:12 (2001:67c:2502:f100::2:12)? 2.592 ms 2.607 ms? 2.696 ms ?3? * * * ?4? * * * ?5? * * * ?6? * e0-31.core2.man1.he.net (2001:470:0:431::2)? 14.107 ms * ?7? e0-33.core2.dub1.he.net (2001:470:0:410::2)? 18.412 ms? 18.378 ms * ?8? * * * ?9? * * * 10? * * * 11? * * * 12? e0-50.core4.fmt1.he.net (2001:470:0:439::2)? 139.530 ms 141.011 ms? 142.786 ms 13? e0-35.core2.fmt1.he.net (2001:470:0:691::2)? 138.614 ms 138.009 ms? 137.802 ms 14? morty.heliohost.org (2001:470:1:1ee::3004)? 135.059 ms 136.968 ms? 135.052 ms Traceroute from host within Mailhardener data center (cannot connect to SMTP host over IPv6) server:~$traceroute -6 -T morty.heliohost.org traceroute to morty.heliohost.org (2001:470:1:1ee::3004), 30 hops max, 80 byte packets ?1? gw.ams05.transip.net (2a01:7c8:bb0d::1)? 2.026 ms? 0.550 ms 0.560 ms ?2? 2a01:7c8:f:1000::22 (2a01:7c8:f:1000::22)? 1.942 ms 2a01:7c8:f:1000::16 (2a01:7c8:f:1000::16)? 1.924 ms 2a01:7c8:f:1000::22 (2a01:7c8:f:1000::22)? 1.899 ms ?3? 2a01:7c8:f:1000::4 (2a01:7c8:f:1000::4)? 0.488 ms 2a01:7c8:f:1000::2 (2a01:7c8:f:1000::2)? 0.485 ms 2a01:7c8:f:1000::6 (2a01:7c8:f:1000::6)? 1.878 ms ?4? ae25-r2.ams0.transip.net (2a01:7c8:f:c0c::1)? 0.632 ms? 0.688 ms? 0.689 ms ?5? r1-a0.e1.ams7.transip.net (2a01:7c8:f:c00::2)? 1.852 ms r2-a0.e1.ams8.transip.net (2a01:7c8:f:c02::1)? 1.809 ms? 1.869 ms ?6? xe-1-5-1-0.a01.amstnl07.nl.bb.gin.ntt.net (2001:728:0:5000::14c9)? 28.144 ms transip.nikhef.ip6.openpeering.nl (2a02:10:1:1::69:1)? 1.454 ms xe-1-5-1-0.a01.amstnl07.nl.bb.gin.ntt.net (2001:728:0:5000::14c9) 27.735 ms ?7? * * * ?8? * * * ?9? e0-31.core2.man1.he.net (2001:470:0:431::2)? 10.369 ms? 10.990 ms e0-33.core2.dub1.he.net (2001:470:0:410::2)? 15.385 ms 10? * * * 11? * * * 12? * * * 13? * * * 14? e0-50.core4.fmt1.he.net (2001:470:0:439::2)? 138.175 ms * 144.719 ms 15? e0-35.core2.fmt1.he.net (2001:470:0:691::2)? 138.455 ms 138.035 ms e0-50.core4.fmt1.he.net (2001:470:0:439::2)? 155.381 ms 16? * * e0-35.core2.fmt1.he.net (2001:470:0:691::2)? 137.654 ms 17? * * * 18? * * * 19? * * * 20? * * * 21? * * * 22? * * * 23? * * * 24? * * * 25? * * * 26? * * * 27? * * * 28? * * * 29? * * * 30? * * * Traceroute gives identical output for TCP, UDP or ICMP probing. Hopefully we can work together here in finding the root-cause of the problem. If you need any information, or need us to perform certain tests from our side, then please contact me directly via leon@mailhardener.com or just reply to this email. Kind regards, L?on Melis support engineer mailhardener.com On 20-12-2024 04:50, HelioHost Support wrote: > Hello Leon, > > We heard from one of our users that mailhardener.com > is?having difficulty accessing our servers > via IPv6 from certain?internet connections, but it works from other > internet connections. Would you like to try to figure out what is > going on? > > HelioHost Support > https://heliohost.org > https://helionet.org
Krydos Posted December 20, 2024 Posted December 20, 2024 Yeah, none of the mailhardener IPv6 are blocked in our firewalls, and disabling the firewall entirely doesn't allow us to ping your IPv6 either. It must be he.net blocking your IP for some reason. We'll try asking them about it.
Recommended Posts