I discovered, thanks to someone on the NetBSD mailing list, that I’d ended up on Spamhaus’s SBL-CSS list. After an initial panic/worry that I’d been compromised (I am pretty locked down, but there is some software I run that has that potential; I guess almost everything does) I was just about ready to let rip into Spamhaus for being unappointed internet police (which is kind of true) when I decided to get in touch with them on Twitter and they were actually really helpful.
It turned out they do actually cover my scenario in their docs (right at the bottom there is a note about Linode), but I either hadn’t noticed that bit or was looking in the wrong place.
Linode provided me with my own /64 straight away and then I “just” had to make use of that:
- Added new DNS entries for a new domain pointing to a new IPv6 address
- Updated my SPF DNS entry
- Set up reverse DNS on Linode (which is a bit confusing as you can add multiple entries when you have a whole /64)
- Edited `/etc/postfix/main.cf` and set `myhostname` to the new one
- Just in case also `/etc/myname`
- I had just been using `ip6mode="autohost"` in `/etc/rc.conf`, but had to go back to using a `/etc/ifconfig.wm0` file and adding static `inet` and `inet6` entries:

  ```
  inet 178.79.141.136
  inet6 2a01:7e00:e000:035b::1 prefixlen 64 alias
  ```

  I switched `ip6mode` to just `host`, but haven’t rebooted yet so that could be wrong. I just restarted the network and `ifconfig` shows both addresses - that’s good.
Hopefully that means I’m now sending mail from a “good” IPv6 address, although hard to know for sure as you need an IPv6 address to test against.
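Some of the steps above can be sanity-checked offline before any mail is sent. The following is an added example, not code from the original post: it shows which /64 an address falls in, the `ip6.arpa` name where the reverse DNS record has to live, and whether an SPF record's literal `ip4:`/`ip6:` mechanisms cover the sending address. It assumes the listing applied to a /64 shared with other customers; the `2001:db8::` addresses and the SPF record are constructed samples, and the function names are hypothetical.

```python
import ipaddress

NEW_V6 = "2a01:7e00:e000:035b::1"   # address from the post
SHARED_A = "2001:db8:0:1::a"        # constructed: two hosts in one shared /64
SHARED_B = "2001:db8:0:1::b"
# Constructed SPF record, not the author's real one.
SPF = "v=spf1 ip4:178.79.141.136 ip6:2a01:7e00:e000:35b::/64 -all"


def slash64(addr):
    """Return the /64 network containing an IPv6 address."""
    return ipaddress.ip_network(f"{ipaddress.IPv6Address(addr)}/64", strict=False)


def same_listing_unit(a, b):
    """True if both addresses sit in the same /64 (assumed listing granularity)."""
    return slash64(a) == slash64(b)


def ptr_name(addr):
    """DNS name at which the PTR (reverse DNS) record for addr must exist."""
    return ipaddress.ip_address(addr).reverse_pointer


def spf_covers(record, addr):
    """True if a passing ip4:/ip6: mechanism in record matches addr.

    Only literal ip4/ip6 mechanisms are evaluated, first match wins;
    a, mx, include and redirect need DNS lookups and are skipped here.
    """
    ip = ipaddress.ip_address(addr)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return qualifier == "+"
    return False


if __name__ == "__main__":
    print("own /64:      ", slash64(NEW_V6))
    print("PTR name:     ", ptr_name(NEW_V6))
    print("shared /64?   ", same_listing_unit(SHARED_A, SHARED_B))
    print("SPF covers v6:", spf_covers(SPF, NEW_V6))
```

The PTR name is what a `dig -x` lookup queries, so the reverse DNS entry created at the provider has to answer at exactly that name with the hostname set in `myhostname`.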
In an attempt to verify (by using CheckTLS’s TestSender) I realised I’d not actually got TLS set up properly for sending; I had some time ago got around to using Let’s Encrypt for receiving, but never mentioned it here. All I really needed for sending was:

```
  -o smtpd_tls_security_level=encrypt
  -o tls_preempt_cipherlist=yes
```

Which I’d inadvertently left commented out in `/etc/postfix/master.cf` (after the `submission` and `smtpd` bit), although I tweaked some other bits in `/etc/postfix/main.cf` based on (the now out of date, but better than nothing) BetterCrypto guide.
As a result of that, I then ended up updating some TLS settings for my website (ciphers, TLS versions, DNSSEC, etc.) to get my rating up; all futile really for a personal website, but oh well.