I discovered, thanks to someone on the NetBSD mailing list, that I’d ended up on Spamhaus’s SBL-CSS list. After an initial panic/worry that I’d been compromised (I am pretty locked down, but there is some software I run that has that potential; I guess almost everything does) I was just about ready to let rip into Spamhaus for being unappointed internet police (which is kind of true) when I decided to get in touch with them on Twitter and they were actually really helpful.

It turned out they do actually cover my scenario in their docs (right at the bottom there is a note about Linode), but I either hadn’t noticed that bit or was looking in the wrong place.

Linode provided me with my own /64 straight away and then I “just” had to make use of that:

  • Added new DNS entries for a new domain pointing to a new IPv6 address
  • Updated my SPF DNS entry
  • Set up reverse DNS on Linode (which is a bit confusing as you can add multiple entries when you have a whole /64)
  • Edited /etc/postfix/main.cf and set myhostname to the new one
  • Just in case also /etc/myname
  • I had just been using ip6mode="autohost" in /etc/rc.conf, but had to go back to using a /etc/ifconfig.wm0 file and adding static inet and inet6 entries:

      inet6 2a01:7e00:e000:035b::1 prefixlen 64 alias

    I switched ip6mode to just host, but haven’t rebooted yet so that could be wrong. I just restarted the network and ifconfig shows both addresses - that’s good.

Hopefully that means I’m now sending mail from a “good” IPv6 address, although it’s hard to know for sure as you need an IPv6 address to test against.
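The checks a receiving server typically makes against a sending address (forward-confirmed reverse DNS, HELO name matching the PTR, SPF) can be rehearsed offline. This is an added example, not code from the original post; the addresses, hostnames and SPF record are constructed, and in practice the records would come from live PTR, AAAA and TXT lookups.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(spf, addr):
    """Evaluate only the ip4/ip6/all mechanisms of an SPF record for addr."""
    ip = ipaddress.ip_address(addr)
    for term in spf.split()[1:]:              # skip the "v=spf1" version tag
        if term.lower().startswith("exp="):   # explanation modifier, no effect on result
            continue
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        else:
            return "needs-dns"                # a, mx, include, redirect= need live lookups
    return "neutral"

def fcrdns_names(addr, ptr, aaaa):
    """PTR targets for addr whose AAAA records point back at addr."""
    ip = ipaddress.ip_address(addr)
    names = ptr.get(ip.reverse_pointer, [])   # key is the nibble-reversed ip6.arpa name
    return [n for n in names
            if any(ipaddress.ip_address(a) == ip for a in aaaa.get(n, []))]

def check_sender(addr, myhostname, ptr, aaaa, spf):
    """Summarise how a receiving server would see mail sent from addr."""
    confirmed = fcrdns_names(addr, ptr, aaaa)
    return {
        "fcrdns": bool(confirmed),
        "helo_matches_ptr": myhostname in confirmed,
        "spf": spf_result(spf, addr),
    }

# Constructed sample data (documentation prefix 2001:db8::/32, example.org names).
NEW_ADDR = "2001:db8:e000:35b::1"             # static alias in the dedicated /64
OLD_ADDR = "2001:db8:ffff::f03c:91ff:fe00:1"  # stands in for the old autoconfigured address
PTR = {ipaddress.ip_address(NEW_ADDR).reverse_pointer: ["mail.example.org"]}
AAAA = {"mail.example.org": ["2001:db8:e000:035b::1"]}
SPF = "v=spf1 ip6:2001:db8:e000:35b::/64 -all"

if __name__ == "__main__":
    for a in (NEW_ADDR, OLD_ADDR):
        print(a, check_sender(a, "mail.example.org", PTR, AAAA, SPF))
```

With both addresses still on the interface, the second result is what a receiver sees if mail leaves from the old one; Postfix's `smtp_bind_address6` parameter in main.cf pins the outgoing source address.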

In an attempt to verify (by using CheckTLS’s TestSender) I realised I’d not actually got TLS set up properly for sending; I had some time ago got around to using Let’s Encrypt for receiving, but never mentioned it here. All I really needed for sending was:

    -o smtpd_tls_security_level=encrypt
    -o tls_preempt_cipherlist=yes

Which I’d inadvertently left commented out in /etc/postfix/master.cf (after the submission and smtpd bit), although I tweaked some other bits in /etc/postfix/main.cf based on (the now out of date, but better than nothing) BetterCrypto guide.

As a result of that, I then ended up updating some TLS settings for my website (ciphers, TLS versions, DNSSEC, etc.) to get my rating up; all futile really for a personal website, but oh well.