Google rejects all mail from SBS 2008 based on IPv6 security

We are a small business running Exchange 2007 on SBS 2008. We have Qwest DSL and are using a Cisco Linksys E4200 wireless router as our firewall. Server system updates have been applied. IPv6 is implemented using the "6to4" scheme ("2002" address). This might be the origin of our problem.

For the past several weeks (don't know exactly when it started) every email sent from our system to a gmail address is bounced with the following "explanation:" #550-5.7.1 [2002:d8a0:4c56:0:29da:6406:31c0:58e4 16] The sender does not 550-5.7.1 meet basic ipv6 sending guidelines of authentication and rdns 550-5.7.1 resolution of sending ip. Please review 550 5.7.1 more information. gx9si17870082pac.301 - gsmtp ##

The referenced support document advises the following:

Additional guidelines for IPv6

    The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected.
    The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam.

We did not have the SPF record, so I created the requisite text record in our hosted DNS record that passes all checks. I created a PTR record for the IPv6 server address on the local system but our domain host (Network Solutions) does not have an obvious way to do that in their user interface for domain management.

Oddly, every time I make any kind of change to the DNS record of the local system or on the domain host, Google accepts our email for a few hours then the rejections start again. I submitted a support form to Google but have received no answer; I have read that this is all too common.

Web research also resulted in a suggestion that IPv6 be mostly disabled on the local system by creating or setting a registry key, "DisabledComponents," to 0xffffffff. Tried this, but it was an unqualified disaster. User profiles were unavailable, VPN became unusable, and I had to log in using Safe Mode to restore the old registry setting which reversed the damage.

My web searches have revealed that many mail system managers are encountering this problem but I have found no solutions for my system. I know that this is not strictly an Exchange compatibility problem because many of the related online posts regard Postfix servers. If you have found a way around this problem that applies to my server environment I'd love to hear from you.
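Added example, not part of the original thread: the PTR/forward-lookup match that the quoted Google guideline describes (forward-confirmed reverse DNS), plus decoding of the IPv4 address embedded in a 6to4 address such as the one in the bounce. The function names, the 2001:db8:: addresses, mail.example.com and the lookup tables are constructed for illustration.

```python
import ipaddress
import socket

def sixtofour_ipv4(addr):
    """IPv4 address embedded in a 6to4 (2002::/16) address, else None."""
    return ipaddress.IPv6Address(addr).sixtofour

def system_reverse(addr):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def system_forward(host):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def fcrdns(addr, reverse=system_reverse, forward=system_forward):
    """PTR(addr) must name a host that resolves back to addr."""
    ip = ipaddress.ip_address(addr)
    host = reverse(str(ip))
    if not host:
        return False, "no PTR at " + ip.reverse_pointer
    back = {ipaddress.ip_address(a.split("%")[0]) for a in forward(host)}
    if ip not in back:
        return False, "PTR %s does not resolve back to %s" % (host, ip)
    return True, host

# Constructed DNS data (documentation prefix 2001:db8::/32), so this runs offline.
# The bounce's 6to4 address is deliberately absent: it models a sender with no PTR.
PTR = {"2001:db8::25": "mail.example.com", "2001:db8::26": "mail.example.com"}
FWD = {"mail.example.com": {"2001:db8::25"}}

def demo():
    """Check the bounce's 6to4 address and two constructed hosts."""
    sender = "2002:d8a0:4c56:0:29da:6406:31c0:58e4"  # address from the bounce
    rev = lambda a: PTR.get(a)
    fwd = lambda h: FWD.get(h, set())
    return {a: fcrdns(a, rev, fwd) for a in (sender, "2001:db8::25", "2001:db8::26")}

if __name__ == "__main__":
    print("embedded IPv4:", sixtofour_ipv4("2002:d8a0:4c56:0:29da:6406:31c0:58e4"))
    for addr, result in demo().items():
        print(addr, result)
```

Calling `fcrdns(addr)` without the two lookup arguments runs the same check against live DNS through the system resolver.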
NW_AdminAuthor Commented:
Thank you, Stu29. This could provide some relief. I'll make some changes tonight and post results tomorrow.
Just to throw in there, in most cases you need to speak to your ISP to create public PTR records. This assumes that you are leasing the IP address space from the ISP.
On the other hand, if you owned your IP subnet independent from any ISP (such as having acquired it from a governing body such as ARIN), then it would likely be up to you to have publicly accessible DNS servers for the PTR records.
NW_AdminAuthor Commented:
I had previously applied the registry hack to prefer IPv4. I disabled the IPhelper service and disabled IPv6 on the network adapter. Rebooted the server, and this time when it came back I was able to log in properly and there was no collateral damage as before.

Email to gmail addresses is now accepted but that has been the case every time I've made any change to our network settings, whether on the local system or on the domain host. If messages to gmail are still flowing tomorrow morning I will consider this case closed and award points accordingly.

Thank you, and good night.
NW_AdminAuthor Commented:

If I obtained a native IPv6 subnet as you suggest, should I create the PTR record at the domain host (in this case Network Solutions) or would it be sufficient to create them on the local server?

Also, would you agree that creating PTR records for 6to4 subnets is the wrong strategy for the long term? I have read of compatibility problems between the 6to4 addressing scheme and native IPv6 networks.
NW_AdminAuthor Commented:
We have gone an entire day without an email bounce-back from gmail. I consider this problem solved.

To recap, I took the following steps:

1. Applied Microsoft Fix It 50410 (found here) to my server to prefer IPv4 over IPv6. You would think that should be enough, but it is not. I had actually taken this step before I started this thread. Resist the temptation to "disable all IPv6 components." That completely trashed my SBS 2008 system (see my original comment).

2. Disabled the IPhelper service.

3. Disabled IPv6 on the server network interfaces.

Thank you stu29 and others who have contributed in the past.
NW_AdminAuthor Commented:
The link provided by stu29 led me to the answer to my problem but it had a lot of extraneous speculation and some outright wrong conclusions. It was however the only comment that helped, and my problem was fixed, so stu29 gets the nod.