Current example configuration will transform anonaddy in openrelay on hosts with ipv6

[slurdge]

After struggling for a while with https://github.com/anonaddy/anonaddy/issues/443 , I found that if you have a host with ipv6, but not configured in docker, then the current examples configuration will transform anonaddy in open relay. What happens:

• External connection is made with ipv6 on port 25 (on which docker listens to).
• There no ipv6 for the internal image, so docker does address translation (a bit like NAT) and rewrite the source address as a local one
• The configuration takes local address as trusted, and does not verify the destination

I think it's normal behaviour for Postfix to trust local addresses, as this is how it communicates with Anonaddy. However I believe it would be best to:

• Put a warning in the documentation/examples about this problem
• Change the examples to listen to 0.0.0.0:25 instead of 25. People who have a real ipv6 for their containers would be able to adapt quite easily the configuration.

[yurividal]

Thats a very good insight. I chgecked my VPS and indeed it was open for ipv6 on 25. Just changed my docker-compose.

[crazy-max]

@slurdge Thanks for your feedback, that's a good point. What's your /etc/docker/daemon.json config and also output of docker info please. I ask this because before enabling IPv6 you MUST disable the userland-proxy in your daemon.json config to not create an open relay:

{
  "userland-proxy": false
}

Also in your compose configuration if you have a specified the networks top-level element, you should check the enable_ipv6 field.

I agree that we should have a note about IPv6 in the README. Contrib welcome.

[slurdge]

Hey @crazy-max ,

cat /etc/docker/daemon.json
{
    "data-root": "/var/lib/docker",
    "dns": [
        "a.b.c.d",
        "e.f.g.h"
    ],
    "dns-search": [
        "invalid"
    ],
    "hosts": [
        "unix:///var/run/docker.sock",
        ""
    ],
    "storage-driver": "overlay2",
    "log-driver": "json-file",
    "log-opts": {"max-size": "50m", "max-file": "3"}
}

docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 50
  Running: 32
  Paused: 0
  Stopped: 18
 Images: 160
 Server Version: 23.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.10.0-22-amd64
 Operating System: Debian GNU/Linux 11 (bullseye)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.759GiB
 Name: pck.yt
 ID: IW43:UDCL:BO2U:FFBK:RNK5:OJIF:ORTI:LX3T:DSGG:TW7M:KDIO:AWRN
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

I wasn't aware of the userland-proxy option. I guess that I can remove enable_ipv6 for the network to the same effect. I used the binding to 0.0.0.0 because that's what I knew.

I can create a PR but which solution seems the best to you ?

[crazy-max]

Ok so experimental ipv6 is not enabled in your dockerd config.

I was looking at other dockerized mail apps and found this issue https://github.com/mailcow/mailcow-dockerized/issues/4220. Looks like this was an issue with docker compose but you should not be impacted with 2.17.2.

Also found https://mailu.io/2.0/faq.html#how-to-make-ipv6-work which also says to disable userland-proxy when enabling ipv6 (with dockerd experimental ipv6 or through docker-ipv6nat container). But again you don't have any of those set up on your side so I still wonder how you could be impacted.

Does setting enable_ipv6: false in your compose file works?

[slurdge]

I think my issue is more related to https://github.com/docker-mailserver/docker-mailserver/issues/1405 Basically, from my understanding, if you take default docker & docker compose config, and if you are on an ipv6 host, if you listen to a port then docker will listen on both ipv4 and ipv6 for the same port, but will rewrite the ipv6 packet to an ipv4 packet with a private address.

I believe this happens whether you enable ipv6 or not. To prove it, you can try the following command in an ipv6 capable host:

docker run -it -p 3000:3000 --rm bash:4.4 -c "nc -vvl 3000"

and you will see that docker is indeed listening on ::3000

So I can try to put enable_ipv6: false in my compose instead of having the bind to the ipv4, to see if it has the same effect.

[polarathene]

Ello, I just responded to a recent comment on the referenced issue: https://github.com/docker-mailserver/docker-mailserver/issues/1405#issuecomment-1539254443

If you allow IPv6 connections from your host, then disabling userland-proxy should prevent the problem as advised earlier. There's a few other behaviours that change there that I'm aware of which might affect you if your containers try to interact with other containers indirectly through the host IP.

Alternatively, just configure a IPv6 ULA network. This is similar to IPv4 private networks that docker creates for you and will enable IPv6 on those networks with containers getting their own private IPv6 address assigned. This will now be an IPv6 gateway IP instead, if you need that to match the remote client IPv6 address, then you need to enable the daemon setting ip6tables: true, which currently still requires experimental: true as well.

Finally for your network, if it's created via the compose config, use enable_ipv6: true (and define an IPv6 ULA subnet like fd00:feed:face:f00d::/64), otherwise when you create the network with docker network create include the --ipv6 + --subnet fd00:feed:face:f00d::/64 option.

Be sure to run systemctl daemon-reload && systemctl restart docker after updating /etc/docker/daemon.json. And for docker compose, force-recreate containers may be necessary (docker compose down && docker compose up -d or docker compose up -d --force-recreate). When a client connects over IPv6 now, their IP should persist into the container instead of being replaced with the docker gateway IP.

[crazy-max]

@polarathene Thanks for your feedback! Closing since this should be addressed in your environment.