Exim slow on my ipv6 connection

Mattie

Hi,

I have a strange issue: whenever I send email from my home it is really slow. Please see the following:

Code:
root@raspberrypi:/home/pi# date && telnet xxxx:xxxx::xx 587
Fri 18 Nov 15:36:45 CET 2016
Trying xxxx:xxxx::xx...
Connected to xxxx:xxxx::xx.
Escape character is '^]'.
220 vps.host.nl ESMTP Exim 4.87 Fri, 18 Nov 2016 15:37:05 +0100
quit
221 vps.host.nl closing connection
Connection closed by foreign host.

So: I execute the command at 15:36:45 and it takes 40 seconds before the server responds with the greeting!

When I do it on ipv4

Code:
root@raspberrypi:/home/pi# date && telnet xx.xx.xx.xx 587
Fri 18 Nov 15:37:29 CET 2016
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
220 vps.host.nl ESMTP Exim 4.87 Fri, 18 Nov 2016 15:37:30 +0100
quit
221 vps.host.nl closing connection
Connection closed by foreign host.

This is near-instant.

So at first I thought it was an issue with ipv6 & Exim however when I do this from my work IT WORKS on ipv6!

Code:
matthijs@MATTHIJS_PC:~$ date && telnet xxxx:xxxx::xx 587
Fri Nov 18 15:37:11 STD 2016
Trying xxxx:xxxx::xx...
Connected to xxxx:xxxx::xx.
Escape character is '^]'.
220 vps.host.nl ESMTP Exim 4.87 Fri, 18 Nov 2016 15:37:11 +0100
quit
221 vps.host.nl closing connection
Connection closed by foreign host.

When I ping from home to my vps with ipv6 I get replies of 7ms so my connection is fine. Anybody an idea what is happening here?
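
The telnet runs above compare, by hand, how long the 220 greeting takes to arrive. The following added example (not part of the original post) times the TCP connect and the wait for the greeting separately; `time_to_banner`, `slow_greeter` and the local test server are constructed for this illustration.

```python
import socket
import threading
import time

def time_to_banner(host, port, family=socket.AF_UNSPEC, timeout=60.0):
    """Return (connect_seconds, banner_seconds, banner).

    connect_seconds covers the TCP handshake only; banner_seconds is the
    wait between an established connection and the server's first line
    (the SMTP 220 greeting). Pass AF_INET or AF_INET6 to pin the family."""
    af, kind, proto, _, addr = socket.getaddrinfo(
        host, port, family, socket.SOCK_STREAM)[0]
    with socket.socket(af, kind, proto) as s:
        s.settimeout(timeout)
        t0 = time.monotonic()
        s.connect(addr)
        t1 = time.monotonic()
        data = b""
        while not data.endswith(b"\n"):
            chunk = s.recv(512)
            if not chunk:          # peer closed before sending a full line
                break
            data += chunk
        t2 = time.monotonic()
    return t1 - t0, t2 - t1, data.decode("ascii", "replace").strip()

def slow_greeter(delay):
    """Constructed stand-in for a mail server that waits `delay` seconds
    before greeting one client. Returns the local port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            time.sleep(delay)
            conn.sendall(b"220 mail.example.test ESMTP\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def demo(delay=0.5):
    """Measure the constructed slow server over IPv4 loopback."""
    return time_to_banner("127.0.0.1", slow_greeter(delay),
                          socket.AF_INET, timeout=5.0)

if __name__ == "__main__":
    connect_s, banner_s, banner = demo()
    print(f"connect {connect_s:.3f}s  banner {banner_s:.3f}s  {banner}")
```

A short connect time with a long banner wait means the delay happens after the connection is established rather than on the network path, which a ping cannot show.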
 
Well, I honestly don't, but if you get two different results from two different connections, the common point (the server) shouldn't be the problem; more likely your home ISP has some issue with IPv6.

Just a guess anyway :)

Best regards
 
Well yes, that is an option; however, when I go to smtp.gmail.com (through ipv6) it is quick so.... my connection should be fine?
I've also added the IP address of the client to my firewall (CSF) but that has no effect.
 
Well, that just prevents the IP from getting banned :)

It may be route related; where do you live and where is the server?

Best regards
 
I'm in the Netherlands and my server is also in the Netherlands. My IPv6 connection goes through a tunnel from Hurricane Electric, but that endpoint is also in the Netherlands.

Try a traceroute for both so you can see whether the network route from home to Gmail over IPv6 differs from the route from home to your DA server over IPv6.

To my server
Code:
Tracing route to mail.xxx.nl [xxxx:xxxx::xx]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  2001:xx:xx:xx::1
  2    10 ms     9 ms     9 ms  xxx-1.tunnel.tserv11.ams1.ipv6.he.net [xx:xx:xx:xx::1]
  3     7 ms     4 ms    15 ms  ve213.core1.ams1.he.net [2001:xx:0:xx::1]
  4     6 ms    10 ms     7 ms  ams-ix-gw2.xx.net [2001:xx:1::xx:673:1]
  5     8 ms     9 ms     8 ms  2a03:xx::2:21
  6     7 ms     6 ms     7 ms  2a03:xx::2:25
  7     7 ms     6 ms     6 ms  vps.xxxx.nl [xxx:xxx::xx]

Trace complete.

And to the gmail server

Code:
Tracing route to gmail-smtp-msa.l.google.com [2a00:1450:4013:c02::6c]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  2001:xx:xx:xx::1
  2    10 ms     9 ms     9 ms  xx-1.tunnel.tserv11.ams1.ipv6.he.net [2001:xx:xx:xx::1]
  3     4 ms    18 ms     3 ms  ve213.core1.ams1.he.net [2001:xx:0:xx::1]
  4     5 ms    10 ms     4 ms  amsix-router.google.com [2001:7f8:1::a501:5169:1]
  5     5 ms     6 ms     5 ms  2001:4860:0:f8a::3
  6     9 ms     5 ms     5 ms  2001:4860::8:0:87b0
  7     9 ms     9 ms     8 ms  2001:4860::22:4000:c8fc
  8     8 ms     8 ms     9 ms  2001:4860:0:1::339
  9     *        *        *     Request timed out.
 10     9 ms     9 ms     8 ms  2a00:1450:4013:c02::6c

Trace complete.

So, yes different routes can have different effects, if I can ping to my server with ~6ms delay.
 
I cannot contact my server on that port, but as I can also not contact the gmail smtp server I assume this port is blocked by my provider.
 
Lol, that's very strange; that is the default SSL port, and blocking it is like preventing users from using encrypted connections. You may want to contact your provider (or even change it because of that!)
 
Ah I'm sorry, it IS trying to connect but (as seen in the exim log) my telnet connection is rejected due to certificate issues.

However, it is still "slow" on ipv6 and "fast" on ipv4. Strange....
 
I see. Well, you may want to use Let's Encrypt to have the server certificate for SSL connections.

This should do the trick for you:
Code:
/usr/local/directadmin/custombuild/build letsencrypt
/usr/local/directadmin/scripts/letsencrypt.sh request $HOSTNAME 4096

Besides that (which is just an improvement), what about connections on port 25? Can we have your server IP to test it?

Best regards
 
Yes, I have certificates; it's just that my telnet doesn't specify the correct protocol it wants to use. However, I don't think that is the problem, as on 587 with STARTTLS the certificate exchange is done later in the process. And as both connection attempts are "slow", I think we can rule that out as a problem.

And sure, here are the IPs:

IPv6: 2a05:e1c0::38
IPv4: 91.218.127.50

edit:
And just to confirm my SSL please see: https://ssl-tools.net/mailservers/mattie-systems.nl
 
Sorry, I asked before thinking xD I don't have IPv6 on my servers; I'll ping Zeiter for his help.

Meanwhile, just as a matter of curiosity, I think you're using a custom cipher list because you're getting a green light on the protocols while I still apparently have one which is not good (ECDHE_RSA_WITH_RC4_128_SHA); would you mind sharing yours?

Thanks

Best regards
 
There you go:

exim.conf
Code:
openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

dovecot.conf
Code:
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
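
Cipher lists like the two above can be checked mechanically. The following is an added example, not part of the original posts: it splits an OpenSSL cipher string and flags suites that use RC4 (the family asked about above), 3DES, or a non-ephemeral key exchange. The function name and the classification rules are assumptions of this example.

```python
# Exim list exactly as posted in the thread (OpenSSL names, TLS 1.2 and below).
EXIM_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

# Key-exchange prefixes that give forward secrecy.
EPHEMERAL_KX = ("ECDHE-", "DHE-", "EDH-")

def audit_cipher_string(cipher_string):
    """Map each named suite to a list of weaknesses (empty suites omitted).

    Assumes every token is an explicit suite name, as in the posted lists;
    group keywords such as HIGH are not interpreted."""
    findings = {}
    for token in cipher_string.split(":"):
        token = token.strip()
        # "!", "-" and "+" prefixes exclude, remove or reorder; they add nothing.
        if not token or token[0] in "!-+":
            continue
        issues = []
        if "RC4" in token:
            issues.append("RC4 stream cipher")
        if "DES-CBC3" in token:
            issues.append("3DES (64-bit block)")
        if not token.startswith(EPHEMERAL_KX):
            issues.append("no forward secrecy")
        if issues:
            findings[token] = issues
    return findings

if __name__ == "__main__":
    for suite, issues in audit_cipher_string(EXIM_CIPHERS).items():
        print(f"{suite}: {', '.join(issues)}")
```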
 
Hello,

Tested IPv6:

Code:
[work@server ~]$ time telnet 2a05:e1c0::38 25
Trying 2a05:e1c0::38...
Connected to 2a05:e1c0::38.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 13:55:04 +0100
^]
telnet> Connection closed.


real    0m0.773s
user    0m0.001s
sys     0m0.000s


[work@server ~]$ time telnet 2a05:e1c0::38 25
Trying 2a05:e1c0::38...
Connected to 2a05:e1c0::38.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 13:55:06 +0100
^]
telnet> Connection closed.


real    0m0.697s
user    0m0.000s
sys     0m0.001s
[work@server ~]$

Tested IPv4:

Code:
[work@server ~]$ time telnet 91.218.127.50 25
Trying 91.218.127.50...
Connected to 91.218.127.50.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 13:54:50 +0100
^]
telnet> Connection closed.


real    0m0.964s
user    0m0.000s
sys     0m0.004s


[work@server ~]$ time telnet 91.218.127.50 25
Trying 91.218.127.50...
Connected to 91.218.127.50.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 13:54:53 +0100
^]
telnet> Connection closed.


real    0m0.715s
user    0m0.000s
sys     0m0.007s
[work@server ~]$

Traceroute:

Code:
[root@server ~]# traceroute -I 91.218.127.50
traceroute to 91.218.127.50 (91.218.127.50), 30 hops max, 60 byte packets
 1  v340.router1.dcga.ams.transip.net (95.170.86.220)  0.407 ms  0.392 ms  0.388 ms
 2  ibgp.router2.dcga.ams.transip.net (87.253.141.250)  0.385 ms  0.385 ms  0.382 ms
 3  serverius.serverius.nl-ix.net (193.239.117.58)  6.396 ms  6.124 ms  6.050 ms
 4  185.8.179.21 (185.8.179.21)  4.007 ms  4.017 ms  4.337 ms
 5  185.8.179.25 (185.8.179.25)  2.742 ms * *
 6  vps.mattie-systems.nl (91.218.127.50)  3.117 ms  3.000 ms  3.041 ms
[root@server ~]#
[root@server ~]#
[root@server ~]# traceroute6 -I 2a05:e1c0::38
traceroute to 2a05:e1c0::38 (2a05:e1c0::38), 30 hops max, 80 byte packets
 1  v340.router1.dcga.ams.transip.net (2a01:7c8:aaac::2)  61.231 ms  61.232 ms  61.228 ms
 2  ams-ix-gw2.serverius.net (2001:7f8:1::a505:673:1)  3.190 ms  3.351 ms  3.373 ms
 3  2a03:3f40::2:21 (2a03:3f40::2:21)  3.583 ms  3.633 ms  3.634 ms
 4  2a03:3f40::2:25 (2a03:3f40::2:25)  3.479 ms * *
 5  vps.mattie-systems.nl (2a05:e1c0::38)  3.811 ms  3.814 ms  3.857 ms
[root@server ~]#

What do I miss?
 
Tested IPV6 from another location:

Code:
[root@server2]# time telnet 2a05:e1c0::38 25
Trying 2a05:e1c0::38...
Connected to 2a05:e1c0::38.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 14:01:25 +0100
^]
telnet> Connection closed.


real    0m0.811s
user    0m0.002s
sys     0m0.000s


[root@server2]# time telnet 2a05:e1c0::38 25
Trying 2a05:e1c0::38...
Connected to 2a05:e1c0::38.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 14:01:26 +0100
^]
telnet> Connection closed.


real    0m0.868s
user    0m0.000s
sys     0m0.002s
[root@server2]#

Tested IPv4:

Code:
[work@server2]$ time telnet 91.218.127.50 25
Trying 91.218.127.50...
Connected to 91.218.127.50.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 14:00:17 +0100
^]
telnet> Connection closed.


real    0m0.745s
user    0m0.001s
sys     0m0.001s


[work@server2]$ time telnet 91.218.127.50 25
Trying 91.218.127.50...
Connected to 91.218.127.50.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 14:00:20 +0100
^]
telnet> Connection closed.


real    0m0.537s
user    0m0.002s
sys     0m0.000s
[work@server2]$
 
Thanks Alex, can you try on port 587 as well please?

Do you have any idea on why the user may experience a slow response like that (and apparently you don't)?

Best regards
 
The same:

Code:
[work@server]$ time telnet 2a05:e1c0::38 587
Trying 2a05:e1c0::38...
Connected to 2a05:e1c0::38.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 18:19:33 +0100
^]
telnet> Connection closed.


real    0m0.509s
user    0m0.003s
sys     0m0.000s


[work@server]$ time telnet 2a05:e1c0::38 587
Trying 2a05:e1c0::38...
Connected to 2a05:e1c0::38.
Escape character is '^]'.
220 vps.mattie-systems.nl ESMTP Exim 4.87 Mon, 21 Nov 2016 18:19:36 +0100
^]
telnet> Connection closed.


real    0m0.493s
user    0m0.000s
sys     0m0.001s
[work@server]$
 