dirtsimple / poste.io

poste.io mail server, but with IP management and custom webmail plugins

different outgoing servers #17

Closed rafaello9 closed 3 years ago

rafaello9 commented 3 years ago

Greetings!

I have not used poste.io before and now I am doing everything for the first time. Please answer my question.

Here are my configs

/etc/hostname mx.mydomain.com

/etc/hosts

127.0.0.1 localhost
178.21.11.32 mx.mydomain.com
193.124.201.33 snd1.mydomain.com

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:3f:94:66 brd ff:ff:ff:ff:ff:ff
    altname enp0s6
    altname ens6
    inet 178.21.11.32/24 brd 178.21.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 193.124.201.33/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe3f:9466/64 scope link
       valid_lft forever preferred_lft forever

/root/docker-compose.yml

version: "2.3"
services:
  poste:
    image: dirtsimple/poste.io
    restart: always
    network_mode: host
    hostname: mx.mydomain.com
    volumes:
      - /root/poste/:/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - "LISTEN_ON=178.21.11.32 193.124.201.33"
      - "SEND_ON=178.21.11.32 193.124.201.33"
      - "HTTP_PORT=8080" 
      - "HTTPS_PORT=4433"

/root/Data/outbound-hosts.yml

default:
  helo: mx.mydomain.com
  ip: 178.21.11.32

snd1.algapro.ru:
  helo: snd1.mydomain.com
  ip: 193.124.201.33

If you telnet to snd1.mydomain.com (193.124.201.33), then mx.mydomain.com responds

# telnet 193.124.201.33 25
Trying 193.124.201.33...
Connected to 193.124.201.33.
Escape character is '^]'.
220 mx.mydomain.com ESMTP Haraka ready
.....
quit

Also, if you send a letter through the snd1.mydomain.com server (193.124.201.33), then you can see in the message headers what mx.mydomain.com receives, and then snd1.mydomain.com

Delivered-To: tukxxxx@xxxxx.com
Return-path: <bounce@snd1.mydomain.com>
Authentication-Results: ....... smtp.helo=mx.mydomain.com;

My question is this. If I send via the snd1.mydomain.com server, then how do I get smtp.helo = snd1.mydomain.com in the email headers? Accordingly, to telnet, so that

220 snd1.mydomain.com ESMTP Haraka ready

but not so

220 mx.mydomain.com ESMTP Haraka ready

thanks !!!

pjeby commented 3 years ago

So, the HELO setting is for outbound mail only: when you send a message out for the specified domain, it will use the specified IP and it will send a HELO message to the other server with the specified host. That's all it does. There is no attempt at masking the identity of the host on incoming connections, as there is only one TLS certificate for incoming connections, so even if you make it a multi-host certificate to cover the other inbound hostnames, you cannot mask the fact that the domains are related on the inbound side.

With regard to the specifics of what you posted, there seem to be some inconsistencies, e.g. snd1.algapro.ru vs snd1.mydomain.com, and I'm uncertain of your MX records or reverse DNS. (Some systems use reverse DNS in their records, and one reason for allowing HELO customization is to allow matching it to the reverse DNS for the sending IP.)

rafaello9 commented 3 years ago

> there seem to be some inconsistencies, e.g. snd1.algapro.ru vs snd1.mydomain.com

This is really just a mechanical typo. Of course there will be snd1.mydomain.com

default:
  helo: mx.mydomain.com
  ip: 178.21.11.32

snd1.mydomain.com:
  helo: snd1.mydomain.com
  ip: 193.124.201.33

I guarantee that all DNS records are correct! Here is the output of the dig commands:

#dig -x 193.124.201.33
.........
;; ANSWER SECTION:
33.201.124.193.in-addr.arpa. 86400 IN   PTR     snd1.mydomain.com.

#dig snd1.mydomain.com MX
.........
;; ANSWER SECTION:
snd1.mydomain.com.        86400   IN      MX      10 snd1.mydomain.com.

> So, the HELO setting is for outbound mail only: when you send a message out for the specified domain, it will use the specified IP and it will send a HELO message to the other server with the specified host.

But the way you say it does not work for me. I am using mailwizz script to send messages. In mailwizz, I created a delivery server and specified the connection parameters snd1.mydomain.com there - 193.124.201.33. And if I send a message through the snd1.mydomain.com server, then the headers in the received message still contain smtp.helo = mx.mydomain.com

Delivered-To: tukxxxx@xxxxx.com
Return-path: <bounce@snd1.mydomain.com>
Authentication-Results: ....... smtp.helo=mx.mydomain.com;

Please tell me where did I go wrong? How can I make the helo match the one listed in /root/Data/outbound-hosts.yml for outbound messages?

pjeby commented 3 years ago

The outbound IP and HELO is determined by the login domain of the user account that authorized the sending. It is not based on what IP you send mail into.

rafaello9 commented 3 years ago

> The outbound IP and HELO is determined by the login domain of the user account that authorized the sending.

I did everything as you say. In the mailwizz script, I created a delivery server with the following parameters:

hostname: 193.124.201.33
smtp user name: admin@snd1.mydomain.com
passwd: xxxxxxx

where admin@snd1.mydomain.com and xxxxxxx are the poste email account and password created in the admin panel. snd1.mydomain.com is a poste virtual domain created in the admin panel.

After that, I sent a test message. And here is the result, the headers of the received message:

Return-path: <bounce@snd1.mydomain.com>
Authentication-Results: mxs.mail.ru; spf=pass (mx231.i.mail.ru: domain of snd1.mydomain.com designates 193.124.201.33 as permitted sender) smtp.mailfrom=bounce@snd1.mydomain.com smtp.helo=mx.mydomain.com;
     dkim=pass header.d=snd1.mydomain.com
Received-SPF: pass (mx231.i.mail.ru: domain of snd1.mydomain.com designates 193.124.201.33 as permitted sender) client-ip=193.124.201.33; envelope-from=bounce@snd1.mydomain.com; helo=mx.mydomain.com;
Received: from snd1.mydomain.com ([193.124.201.33]:36566 helo=mx.mydomain.com)
    by mx231.i.mail.ru with esmtp (envelope-from <bounce@snd1.mydomain.com>)
    id 1mYqGC-0002kQ-9A
    for voxxxxx@bk.ru; Fri, 08 Oct 2021 16:50:04 +0300
.......
Received: from localhost (Unknown [127.0.0.1])
    by mx.mydomain.com (Haraka) with ESMTPSA id AAE88C47-231B-4862-9A6C-02709E10E581.1
    envelope-from <bounce@snd1.mydomain.com> (authenticated bits=0)
    (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
    Fri, 08 Oct 2021 13:50:03 +0000

That is, helo = mx.mydomain.com is still present in the headers.

Tell me, what am I doing wrong? How do I make sure that each domain specified in the /root/Data/outbound-hosts.yml list gets its own helo, the one registered there? How do I remove helo = mx.mydomain.com if sending is not from the default domain?

pjeby commented 3 years ago

So, it looks like the IP address is being selected at least. Can you check the haraka-smtp log for lines of the form Setting outbound HELO = and see what they say? That should at least confirm my plugin is setting the values for haraka to use.

rafaello9 commented 3 years ago

I searched but couldn't find it. Where is the haraka-smtp log file located?

#cd /root/poste
#grep -rl 'Setting outbound HELO'

result is empty

pjeby commented 3 years ago

You need to look in the container's data volume, under the log directory.

pjeby commented 3 years ago

Also, from checking my own logs, I see that it's haraka-submission that will show this line, not haraka-smtp. If that line is there then the server should be sending the appropriate HELO -- I can confirm it does this on my installation by checking Google's received headers, which show the helo after Received: from, with the IP and reverse lookup in parentheses after it, and that it shows different data for different envelope-from domains.
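The header check described above can be scripted; this is an added example, not part of the original thread or the project's code. It reads the `Received-SPF` header of a delivered message and compares the sending IP and HELO with the `outbound-hosts.yml` entry for the envelope-from domain. Assumptions: the function and variable names are hypothetical, the mapping is the corrected one from the thread written as a dict, and the envelope-from domain stands in for the login domain (they coincide in this thread).

```python
import re
from email import message_from_string

# Constructed sample: the Received-SPF header quoted in the thread, folded
# across lines the way a receiving server may fold it.
SAMPLE_MESSAGE = (
    "Return-path: <bounce@snd1.mydomain.com>\n"
    "Received-SPF: pass (mx231.i.mail.ru: domain of snd1.mydomain.com designates\n"
    " 193.124.201.33 as permitted sender) client-ip=193.124.201.33;\n"
    " envelope-from=bounce@snd1.mydomain.com; helo=mx.mydomain.com;\n"
    "\n"
    "test body\n"
)
# Corrected outbound-hosts.yml from the thread, as a dict (no YAML dependency).
OUTBOUND_HOSTS = {
    "default": {"helo": "mx.mydomain.com", "ip": "178.21.11.32"},
    "snd1.mydomain.com": {"helo": "snd1.mydomain.com", "ip": "193.124.201.33"},
}
FIELD_RE = re.compile(r"\b(client-ip|envelope-from|helo)=([^;\s]+)")


def check_outbound_identity(raw_message, outbound_hosts):
    """Compare what the receiver saw with what the mapping says should be sent."""
    header = message_from_string(raw_message).get("Received-SPF")
    if header is None:
        return None
    # Unfold the header, then pull out the key=value fields.
    fields = dict(FIELD_RE.findall(" ".join(header.split())))
    if not {"client-ip", "envelope-from", "helo"} <= fields.keys():
        return None
    domain = fields["envelope-from"].rpartition("@")[2].lower()
    # Assumption: domains without their own entry use the "default" entry.
    expected = outbound_hosts.get(domain, outbound_hosts["default"])
    return {
        "domain": domain,
        "seen_helo": fields["helo"].lower(),
        "expected_helo": expected["helo"],
        "helo_ok": fields["helo"].lower() == expected["helo"].lower(),
        "ip_ok": fields["client-ip"] == expected["ip"],
    }


if __name__ == "__main__":
    print(check_outbound_identity(SAMPLE_MESSAGE, OUTBOUND_HOSTS))
```

On the sample, the IP matches the entry but the HELO does not, which is the state reported earlier in the thread.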

rafaello9 commented 3 years ago

I found the logs and found an error. Here is the error text:

2021-10-09 21:39:05.949630500  2021-10-09T18:39:05.949Z [DEBUG] [-] [outbound_ips] loading /data/outbound-hosts.yml
2021-10-09 21:39:05.950562500  2021-10-09T18:39:05.950Z [ERROR] [-] [outbound_ips] Error using /data/outbound-hosts.yml: ENOENT: no such file or directory, open '/data/outbound-hosts.yml'
2021-10-09 21:39:05.950758500  2021-10-09T18:39:05.950Z [INFO] [-] [outbound_ips] Setting outbound HELO = mx.mydomain.com, IP = 193.124.201.33 (default)

I specified the parameters of the docker-compose.yml file above. The outbound-hosts.yml file is located at /root/poste/data/outbound-hosts.yml. Can't figure out why haraka doesn't see the outbound-hosts.yml file

pjeby commented 3 years ago

Your volume configuration maps /root/poste to /data, so it should be /root/poste/outbound-hosts.yml.
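The diagnosis above (a container path in an ENOENT log line, translated back through the bind mount to the host path where the file has to live) as an added example; it is not part of the original thread or the project's code. The function names are hypothetical, and the log-line patterns are assumed from the three lines quoted in this thread only.

```python
import posixpath
import re

# Constructed sample: the log lines quoted in the thread, timestamps trimmed.
SAMPLE_LOG = """\
[DEBUG] [-] [outbound_ips] loading /data/outbound-hosts.yml
[ERROR] [-] [outbound_ips] Error using /data/outbound-hosts.yml: ENOENT: no such file or directory, open '/data/outbound-hosts.yml'
[INFO] [-] [outbound_ips] Setting outbound HELO = mx.mydomain.com, IP = 193.124.201.33 (default)
"""
# Volume entries as written in the docker-compose.yml from the thread.
VOLUMES = ["/root/poste/:/data", "/etc/localtime:/etc/localtime:ro"]

ENOENT_RE = re.compile(r"\[outbound_ips\].*ENOENT.*open '([^']+)'")
HELO_RE = re.compile(
    r"\[outbound_ips\] Setting outbound HELO = (\S+), IP = (\S+)(?: \(([^)]*)\))?")


def host_path(container_path, volumes):
    """Map a container path to its host path via the longest matching bind mount."""
    best = None
    for spec in volumes:
        host, target = spec.split(":")[:2]
        target = target.rstrip("/") or "/"
        inside = container_path.startswith(target.rstrip("/") + "/")
        if (container_path == target or inside) and (
                best is None or len(target) > len(best[1])):
            best = (host.rstrip("/") or "/", target)
    if best is None:
        return None  # not under any bind mount: lives in the container filesystem
    rel = posixpath.relpath(container_path, best[1])
    return posixpath.normpath(posixpath.join(best[0], rel))


def diagnose(log_text, volumes):
    """Return (missing files with host paths, HELO/IP choices) from the log."""
    missing, choices = [], []
    for line in log_text.splitlines():
        m = ENOENT_RE.search(line)
        if m:
            missing.append((m.group(1), host_path(m.group(1), volumes)))
        m = HELO_RE.search(line)
        if m:
            choices.append({"helo": m.group(1), "ip": m.group(2), "rule": m.group(3)})
    return missing, choices


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, VOLUMES))
```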

rafaello9 commented 3 years ago

Now it works as it should! Thanks!