I discovered, thanks to someone on the NetBSD mailing list, that I’d ended up on Spamhaus’s SBL-CSS list. After an initial panic/worry that I’d been compromised (I am pretty locked down, but there is some software I run that has that potential; I guess almost everything does), I was just about ready to let rip into Spamhaus for being unappointed internet police (which is kind of true) when I decided to get in touch with them on Twitter and they were actually really helpful.
Linode provided me with my own /64 straight away and then I “just” had to make use of that:
- Added new DNS entries for a new domain pointing to a new IPv6 address
- Updated my SPF DNS entry
- Set up reverse DNS on Linode (which is a bit confusing as you can add multiple entries when you have a whole /64)
myhostname to the new one
- Just in case also
I had just been using /etc/rc.conf, but had to go back to using a /etc/ifconfig.wm0 file and adding static

    inet 220.127.116.11
    inet6 2a01:7e00:e000:035b::1 prefixlen 64 alias

host, but haven’t rebooted yet so that could be wrong. I just restarted the network and ifconfig shows both addresses - that’s good.
Hopefully that means I’m now sending mail from a “good” IPv6 address, although it's hard to know for sure as you need an IPv6 address to test against.
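A local sanity check for the DNS steps above, as an added example that is not from the original post: it derives the ip6.arpa name the reverse DNS entry has to live under, tests whether an SPF record's literal ip4/ip6 terms cover the sending address, and compares a PTR host's AAAA answers with that address. The SPF strings and the AAAA answer are constructed for illustration; only the IPv6 address comes from the post.

```python
import ipaddress

def ptr_name(addr):
    """DNS name under which the PTR record for addr has to exist."""
    return ipaddress.ip_address(addr).reverse_pointer

def spf_covers(spf, addr):
    """Evaluate only the literal ip4:/ip6: (and all) terms of an SPF record.

    Mechanisms that need DNS (a, mx, include, ...) are skipped, so False
    means "no literal term passes this address", not a full SPF verdict.
    """
    ip = ipaddress.ip_address(addr)
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                return qualifier == "+"      # first matching term decides
        elif name.lower() == "all":
            return qualifier == "+"
    return False

def fcrdns_ok(addr, aaaa_answers):
    """Forward-confirmed reverse DNS: the PTR host's AAAA set contains addr."""
    ip = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(a) == ip for a in aaaa_answers)

if __name__ == "__main__":
    sender = "2a01:7e00:e000:035b::1"           # address from the post
    old_spf = "v=spf1 ip4:192.0.2.10 -all"      # constructed: IPv4-only record
    new_spf = "v=spf1 ip4:192.0.2.10 ip6:2a01:7e00:e000:35b::/64 -all"  # constructed
    print(ptr_name(sender))
    print("old SPF covers sender:", spf_covers(old_spf, sender))
    print("new SPF covers sender:", spf_covers(new_spf, sender))
    print("FCrDNS:", fcrdns_ok(sender, ["2a01:7e00:e000:35b::1"]))
```

Comparing parsed addresses rather than strings matters here because the same address can be written as `035b` or `35b` in different records.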
In an attempt to verify (by using CheckTLS’s TestSender) I realised I’d not actually got TLS set up properly for sending; I had some time ago got around to using Let’s Encrypt for receiving, but never mentioned it here. All I really needed for sending was:

    -o smtpd_tls_security_level=encrypt
    -o tls_preempt_cipherlist=yes

Which I’d inadvertently left commented out in /etc/postfix/master.cf (after the smtpd bit), although I tweaked some other bits in /etc/postfix/main.cf based on (the now out of date, but better than nothing) BetterCrypto guide.
As a result of that, I then ended up updating some TLS settings for my website (ciphers, TLS versions, DNSSEC, etc.) to get my rating up; all futile really for a personal website, but oh well.