In this article you will learn how to set-up Zimbra in dual-stack IP mode.
Prerequisite
First install Zimbra using ipv4 only mode. You can check the current Zimbra IP mode by running the following command as the user`zimbra`:
zmprov gs `zmhostname` zimbraIPMode
Then verify if all entries required all present in /etc/hosts file. Here is an example:
127.0.0.1 localhost.localdomain localhost :: 1 localhost.localdomain localhost 10.0.0.181 mail3.zimbra.tech mail3 2603:c020:400d:567e:aa22:ab12:1234:2a34 mail3.zimbra.tech mail3
Please make sure the localhost entries are as above for both ip4 and ip6 on your system before continuing!
In this example the server name is mail3.zimbra.tech, replace above example with your own domain name. For ip4 the server address for (mail3) your server can be the external IP or the LAN IP if you are in a NAT environment. For ip6 the server address for (mail3) your server should be the external IP in 99% of the cases.
Enable Zimbra in dual stack mode
Run the following command as the user zimbra:
sudo su - zimbra zmprov ms `zmhostname` zimbraIPMode both /opt/zimbra/libexec/zmiptool
zmiptool can take a bit of time. If zmiptool does not return any error, restart the Zimbra using:
zmcontrol restart
In case zmiptool does return errors, fix them before restarting Zimbra.
Update zimbraMailTrustedIP
After adding ip6 make sure to update the zimbraMailTrustedIP setting see: https://wiki.zimbra.com/wiki/Secopstips#Log_the_correct_origination_IP
Enclose zimbraMailTrustedIP in square brackets (eg. [1a01:2300:1f1:3:0:0:ffa:123]) the ipv6 address getting enclosed in zimbraMailTrustedIP should be in long format divided into 8 parts separated by colon. (eg. 1a01:2300:1f1:3::ffa:123 should be written like [1a01:2300:1f1:3:0:0:ffa:123]). The IPv6 addresses can be copy/pasted directly from mailbox.log.
Gotchas
If you use DNSMASQ or any other DNS cache on the Zimbra system, you need to restart DNSMASQ after changing /etc/hosts file using:
systemctl restart dnsmasq
It should be noted that AFAIK there are no RBLs for IPv6-land (and likely never will be, due to the size of the pool, which is kind of obvious if you think about it…).
As such, the only way to combat spam from IPv6 land apart from content analysis is to use post screen and hard-enforce SPF and DKIM rules (and thus make sure every domain you host has those configured correctly).
Maybe somebody who actually has an IPV6-enabled mailserver can comment on the amount of spam they get these days?
Unfortunately it is not possible to configure Zimbra completely dualstack, because only the setting ‘zimbraMailTrustedIP’ supports IPv6 addresses, while the setting ‘zimbraHttpThrottleSafeIPs’ does not.
Speaking wearing my hat as an administrator running a dualstacked mail server for 20+ years:
There are (common) RBLs with proper IPv6 support (for years already).
Thinking about the huge amount of IPv6 addresses in literal IP addresses is unfortunately IPv4-only mindset, but does not pay attention to the IPv6 address and subnet design.
For IPv6 a common blocking size at RBLs is a /64 subnet – or, if the provider documents it publicly in e.g. an RDAP/WHOIS database, another smaller or larger prefix. Note that a /64 is the minimum size recommented for subnets by the Regional Internet Registries, such as e.g. RIPE, ARIN. Blocking a /64 subnet should usually not affect more than one customer, which sounds acceptable for spam senders.
Regarding spam on IPv6-enabled mail servers: While there is indeed spam nowadays as well, it usually comes mostly from huge cloud providers such as Google or Outlook freemail accounts, way less from abused self-managed mail servers. But this is actually not different than for IPv4-only mail servers, because also there Google and Outlook freemail accounts are a large source of spam which needs to be catched using content-filters, not on an IP source address base.