search

foxcpp / maddy

✉️ Composable all-in-one mail server.
https://maddy.email
GNU General Public License v3.0
4.95k stars 239 forks source link

No usable MXs when sending to IPv6-only domain #631

Closed cuihaoleo closed 10 months ago

cuihaoleo commented 10 months ago

Describe the bug

Hi, I set up a maddy instance in a podman container. Everything looks good so far. When I test my server with https://email-security-scans.org/, it always fails with IPv6 test. I believe I have setup IPv6 access properly.

One of the failed email addresses is measurement@v6-mail.measurement.email-security-scans.org. Relevent logs:

[debug] remote: trying        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","remote_server":"mail-v6.measurement.email-security-scans.org."}
[debug] mx_auth.mtasts: MTA-STS error        {"err":"mtasts: no policy"}
remote: cannot use MX        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","reason":"no address associated with the host","remote_server":"mail-v6.measurement.email-security-scans.org.","tls_err":null}

And I can confirm that the container can resolve and connect to the v6-only MX server:

$ sudo podman exec maddy nslookup -type=MX v6-mail.measurement.email-security-scans.org
Server:         185.12.64.1
Address:        185.12.64.1:53

Non-authoritative answer:
v6-mail.measurement.email-security-scans.org    mail exchanger = 10 mail-v6.measurement.email-security-scans.org

$ sudo podman exec maddy nslookup -type=AAAA mail-v6.measurement.email-security-scans.org
Server:         185.12.64.1
Address:        185.12.64.1:53

Non-authoritative answer:
Name:   mail-v6.measurement.email-security-scans.org
Address: 2a06:d1c0:dead:3::86

$ sudo podman exec maddy nc 2a06:d1c0:dead:3::86 25
220 mail.measurement.email-security-scans.org ESMTP Postfix

Steps to reproduce

Send an email to measurement@v6-mail.measurement.email-security-scans.org. It will fail.

Log files

With debug yes, IP/domain names redacted:

submission: incoming message        {"msg_id":"045b14e1","sender":"myemail@mydomain.com","src_host":"[192.168.31.119]","src_ip":"XXX.XXX.XXX.XXX:57870","username":"myemail@mydomain.com"}
[debug] smtp/pipeline: sender myemail@mydomain.com matched by domain rule 'mydomain.com'        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: initializing state for check.authorize_sender: (0x400013b080)        {"msg_id":"045b14e1"}
[debug] normalized names        {"auth":"myemail@mydomain.com","from":"myemail@mydomain.com","msg_id":"045b14e1"}
[debug] authorized emails        {"msg_id":"045b14e1","ok":true,"preparedEmail":["myemail@mydomain.com"]}
[debug] smtp/pipeline: global rcpt modifiers: measurement@v6-mail.measurement.email-security-scans.org => [measurement@v6-mail.measurement.email-security-scans.org]        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: per-source rcpt modifiers: measurement@v6-mail.measurement.email-security-scans.org => [measurement@v6-mail.measurement.email-security-scans.org]        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: recipient measurement@v6-mail.measurement.email-security-scans.org matched by default rule (clean = measurement@v6-mail.measurement.email-security-scans.org)        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: per-rcpt modifiers: measurement@v6-mail.measurement.email-security-scans.org => [measurement@v6-mail.measurement.email-security-scans.org]        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: tgt.Start(myemail@mydomain.com) ok, target = queue:remote_queue        {"msg_id":"045b14e1"}
submission: RCPT ok        {"msg_id":"045b14e1","rcpt":"measurement@v6-mail.measurement.email-security-scans.org"}
[debug] autobuffer: keeping the message in RAM (read 13 bytes, got EOF)        
[debug] normalized names        {"auth":"myemail@mydomain.com","from":"myemail@mydomain.com","msg_id":"045b14e1"}
[debug] authorized emails        {"msg_id":"045b14e1","ok":true,"preparedEmail":["myemail@mydomain.com"]}
[debug] modify.dkim: signed        {"domain":"mydomain.com"}
[debug] smtp/pipeline: delivery.Body ok, Delivery object = *msgpipeline.delivery        {"msg_id":"045b14e1"}
submission: accepted        {"msg_id":"045b14e1"}
[debug] queue: starting delivery for 045b14e1        
[debug] queue: waiting on delivery semaphore for 045b14e1        
[debug] queue: delivery semaphore acquired for 045b14e1        
[debug] queue: using message ID = 045b14e1-651e2d3a        {"msg_id":"045b14e1"}
[debug] queue: target.Start OK        {"msg_id":"045b14e1"}
[debug] remote: opening new connection        {"cache_ignored":false,"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a"}
[debug] submission: reset        
[debug] mx_auth.mtasts: MTA-STS error        {"err":"mtasts: no policy","msg_id":"045b14e1-651e2d3a"}
[debug] remote: trying        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","remote_server":"mail-v6.measurement.email-security-scans.org."}
[debug] mx_auth.mtasts: MTA-STS error        {"err":"mtasts: no policy"}
remote: cannot use MX        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","reason":"no address associated with the host","remote_server":"mail-v6.measurement.email-security-scans.org.","tls_err":null}
[debug] queue: delivery.AddRcpt measurement@v6-mail.measurement.email-security-scans.org failed: no address associated with the host        {"msg_id":"045b14e1"}
[debug] queue: delivery.Abort (no accepted receipients)        {"msg_id":"045b14e1"}
[debug] queue: errors: map[measurement@v6-mail.measurement.email-security-scans.org:no address associated with the host]        {"msg_id":"045b14e1"}
queue: delivery attempt failed        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1","rcpt":"measurement@v6-mail.measurement.email-security-scans.org","reason":"no address associated with the host","smtp_code":451,"smtp_enchcode":"5.4.0","smtp_msg":"No usable MXs, last err: no address associated with the host","target":"remote","tls_err":null}
[debug] queue: delay: 15m0s * 1.25 ^ (1 - 1)        {"msg_id":"045b14e1"}
queue: will retry        {"attempts_count":{"measurement@v6-mail.measurement.email-security-scans.org":1},"msg_id":"045b14e1","next_try_delay":"14m59.999962199s","rcpts":["measurement@v6-mail.measurement.email-security-scans.org"]}
[debug] imapsql: sending external update        {"key":2,"type":0}

Configuration file

Almost the default one:

## Maddy Mail Server - default configuration file (2022-06-18)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddy subcommands.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.

# ----------------------------------------------------------------------------
# Base variables

$(hostname) = mx.mydomain.com
$(primary_domain) = mydomain.com
$(local_domains) = $(primary_domain)

tls file /certs/fullchain.pem /certs/privkey.pem
debug yes

# ----------------------------------------------------------------------------
# Local storage & authentication

# pass_table provides local hashed passwords storage for authentication of
# users. It can be configured to use any "table" module, in default
# configuration a table in SQLite DB is used.
# Table can be replaced to use e.g. a file for passwords. Or pass_table module
# can be replaced altogether to use some external source of credentials (e.g.
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddy creds' command.

auth.pass_table local_authdb {
    table sql_table {
        driver sqlite3
        dsn credentials.db
        table_name passwords
    }
}

# imapsql module stores all indexes and metadata necessary for IMAP using a
# relational database. It is used by IMAP endpoint for mailbox access and
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddy.

storage.imapsql local_mailboxes {
    driver sqlite3
    dsn imapsql.db
}

# ----------------------------------------------------------------------------
# SMTP endpoints + message routing

hostname $(hostname)

table.chain local_rewrites {
    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
    optional_step static {
        entry postmaster postmaster@$(primary_domain)
    }
    optional_step file /data/aliases
}

msgpipeline local_routing {
    # Insert handling for special-purpose local domains here.
    # e.g.
    # destination lists.example.org {
    #     deliver_to lmtp tcp://127.0.0.1:8024
    # }

    destination postmaster $(local_domains) {
        modify {
            replace_rcpt &local_rewrites
        }

        deliver_to &local_mailboxes
    }

    default_destination {
        reject 550 5.1.1 "User doesn't exist"
    }
}

smtp tcp://[::]:25 {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections.
        all rate 20 1s
        all concurrency 10
    }

    dmarc yes
    check {
        require_mx_record
        dkim
        spf
    }

    source $(local_domains) {
        reject 501 5.1.8 "Use Submission for outgoing SMTP"
    }
    default_source {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.1.1 "User doesn't exist"
        }
    }
}

submission tcp://[::]:587 {
    limits {
        # Up to 50 msgs/sec across any amount of SMTP connections.
        all rate 50 1s
    }

    auth &local_authdb

    source $(local_domains) {
        check {
            authorize_sender {
                prepare_email &local_rewrites
                user_to_email identity
            }
        }

        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            modify {
                dkim $(primary_domain) $(local_domains) default
            }
            deliver_to &remote_queue
        }
    }
    default_source {
        reject 501 5.1.8 "Non-local sender domain"
    }
}

target.remote outbound_delivery {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections
        # for each recipient domain.
        destination rate 20 1s
        destination concurrency 10
    }
    mx_auth {
        dane
        mtasts {
            cache fs
            fs_dir mtasts_cache/
        }
        local_policy {
            min_tls_level encrypted
            min_mx_level none
        }
    }
}

target.queue remote_queue {
    target &outbound_delivery

    autogenerated_msg_domain $(primary_domain)
    bounce {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
        }
    }
}

# ----------------------------------------------------------------------------
# IMAP endpoints

imap tls://[::]:993 {
    auth &local_authdb
    storage &local_mailboxes
}

Environment information

Running in a podman container. Full command:

podman run
        --rm \
        -d \
        --replace \
        --name maddy \
        --security-opt label=type:unconfined_t \
        -e MADDY_HOSTNAME=mx.mydomain.com \
        -e MADDY_DOMAIN=mydomain.com \
        -v /srv/pods/maddy/data:/data \
        -v /etc/letsencrypt/live/mx.mydomain.comfullchain.pem:/certs/fullchain.pem:ro \
        -v /etc/letsencrypt/live/mx.mydomain.com/privkey.pem:/certs/privkey.pem:ro \
        --net=dualstack \
        -p 25:25 \
        -p 587:587 \
        -p 993:993 \
        foxcpp/maddy:0.7

The network dualstack is created with:

$ podman network create --disable-dns --driver=bridge --ipv6 dualstack