I recently encountered a problem sending email to a domain that uses Google mail. Thankfully I got a bounce message from my local Postfix with a little bit of detail.
550-5.7.1 [2xxx:xxxx:xxxx:xxxx::2] Gmail has detected that this message does not
550-5.7.1 meet IPv6 sending guidelines regarding PTR records and authentication
550-5.7.1 . For more information, go to
550 5.7.1 https://support.google.com/mail/?p=IPv6AuthError
The message and the linked page weren't very helpful apart from pointing to something to do with IPv6 PTR records. But see that IP address ending in ::2? That's the address my mail server tried to send the mail from, and it's the wrong one - it should end in ::1. The address ending in ::2 doesn't have a PTR record, so that must be the problem.
Why was it rejected? Mailservers perform several checks when receiving incoming mail, to ensure the mail really comes from the server it claims it does. (Spoofing another server used to be a common spam technique.) They look up the PTR record of the sending server's IP address and make sure it matches the server's claimed domain name. They also look up that domain name and ensure it resolves to the sending server's IP address. Since I messed that up, Google rejected my mail.
Where does the ::2 address come from? It's a different address configured on the same server. The server, like many servers, has a whole /64 address range assigned to it by the network, but normally only uses the ::1 address from that range. Apparently at some point I was experimenting with multiple addresses and a different one ended up being the default. I could just remove the unnecessary ::2 address and call it a day, but it's not rare to have multiple IPv6 addresses and I'll definitely run into the same problem again in the future if I rely on that. So I had to find out how to tell Postfix which local address to use when sending mail.
This was trivial, but for some reason hard to find via a web search, so I hope that posting it here will make it a little bit more discoverable.
To force Postfix to send mail from a particular IP address, you simply have to set it in /etc/postfix/main.cf:
smtp_bind_address6=2xxx:xxxx:xxxx:xxxx::1and then run postfix reload
smtp_bind_address_enforce=yes
The equivalent option for IPv4 is called smtp_bind_address (not smtp_bind_address4). You can find more options in man 5 postconf. smtp_bind_address_enforce tells Postfix to hold mail in the queue if it can't bind to the requested address for some reason (instead of picking some other address). Since I know now that sending mail from the wrong address doesn't work anyway, I set it to yes.
At first I tried allocating another IPv6 address just for email, like xxxx::3. But after sending a few test messages to Gmail and watching the Postfix logs, I realized it couldn't work.
The problem is that a mail server's DNS records have to be very consistent with each other in order for mail to be accepted by other servers. The server needs to have a DNS name, which points to its IPv4 and IPv6 addresses, and both those addresses have to point back to the DNS name. To make it work out, I'd have to rename the server to something other than social.immibis.com, or make it so social.immibis.com points to the mail address, or get another IPv4 address (which costs money). Some people on the internet choose the third option, which is why you sometimes encounter webservers whose reverse DNS names start with mail, but I chose to just leave both on the same primary ::1 address.