jeboehm / docker-mailserver

Docker Mailserver based on the famous ISPMail guide
MIT License

Configuring mta to allow relaying #244

Status: closed (by agittins, 1 year ago)

agittins commented 1 year ago

This is probably a bit outside of the project's anticipated scope, and is also really a support request, but hopefully the fix is something simple I am overlooking that's specific to the docker-mailserver config and not a generic postfix user error :-)

I have docker-mailserver up and running on a box handling multiple domains, which has been working well for years.

I now need to provide smtp relaying for a client's machine that I am hosting elsewhere. This is because the link the client box is on blocks outbound port 25 so can't deliver its mail directly. The client machine sends mail for two domains which belong to the client. I have configured that machine (which is running a plain postfix container) to relay all mail via my docker-mailserver's public IP on the submission port 587.

I have also added the public IP of the client's machine to the MYNETWORKS variable in .env

MYNETWORKS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 [clientmachineipaddress]/32"

When the client machine attempts to send email, I see in the logs of my docker-mailserver:

postfix/submission/smtpd[117]: NOQUEUE: reject: RCPT from [[clientip]]: 554 5.7.1 <zzTestMailbox@[[clientdomain]]>: Sender address rejected: Access denied; from=<zzTestMailbox@[[clientdomain]]> to=<[[myemailaddress]]> proto=ESMTP helo=<postfix.[[clientdomain]]>

So then I created a mail user in the docker-mailserver management ui for a send-only address. That address has a domain part that belongs to my own server. I configured the client machine to authenticate as that user, and the mta logs show:

postfix/submission/smtpd[2144]: NOQUEUE: reject: RCPT from [[clientip]]: 553 5.7.1 <zzTestMailbox@[[clientdomain]]>: Sender address rejected: not owned by user [[sendonlyuser@mydomain]]; from=<zzTestMailbox@[[clientdomain]]> to=<[[myemailaddress]]> proto=ESMTP helo=<postfix.[[clientdomain]]>

I suspect that the mta config is locked down to prevent users using a from-address that doesn't belong to them which is fair, but I am not sure how to work around this.

I've clearly messed something up at some point because it was working about a week ago but seems to have stopped today. Perhaps I had got it working at some point and then added a config which broke it. After I ran into trouble I also pulled the latest mta image as I noticed there was a change in March re the mynetworks implementation, so I can add that to the number of variables I've fumbled with!

Output of postconf | grep restriction on the mta (except the proxy_read_maps):

smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,check_recipient_access mysql:/etc/postfix/mysql-recipient-access.cf
smtpd_relay_before_recipient_restrictions = ${{$compatibility_level} <level {3.6} ? {no} : {yes}}
smtpd_relay_restrictions = ${{$compatibility_level} <level {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
smtpd_restriction_classes =
smtpd_sender_restrictions =

I'd expected that adding the IP to mynetworks ought to have done it since it's listed first in the recipient and relay restrictions, but I must be missing something. Any ideas?

I guess I could run another postfix mta in its own container with a basic relaying config locked to that IP, but I was hoping I wouldn't need to.

jeboehm commented 1 year ago

Hi @agittins, add your second server's IP address to mynetworks, like you did before. After that you have to relay your mail to port 25.

The submission port is always restricted to real users: it requires authentication and checks for allowed sender addresses, which is why you want to use the other port.

If the firewall won't let you out on this port, I'd recommend using a VPN between those servers, or mapping an additional port to 25 in your container configuration.

I've been running this setup myself since the March update. :)
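To make the difference between the two ports concrete, here is an illustrative Postfix main.cf / master.cf excerpt (an added example, not the docker-mailserver project's own configuration) that reproduces the behaviour discussed in this thread: port 25 trusts mynetworks, while submission (587) ignores mynetworks, demands SASL and enforces sender ownership via reject_sender_login_mismatch, which is the restriction that produces the "Sender address rejected: not owned by user" reply seen above. The client address 203.0.113.10 and the sender-login map path are assumptions for illustration.

```conf
# ---- main.cf (excerpt, illustrative) -------------------------------------
# Trusted networks: everything listed here may relay through port 25 without
# authenticating. Keep the remote client pinned to a /32 (203.0.113.10 is an
# assumed, documentation-range address), never a wider block.
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 203.0.113.10/32

# Port-25 defaults: first match wins, evaluated left to right.
# permit_mynetworks fires for the trusted client, so the later checks never run.
smtpd_relay_restrictions     = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Which envelope senders each SASL login may use (assumed path; the lookup
# table maps login -> allowed sender addresses / domains).
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-sender-login-maps.cf

# ---- master.cf (excerpt, illustrative) -----------------------------------
# service   type  private unpriv chroot wakeup maxproc command
smtp        inet  n       -      y      -      -       smtpd
submission  inet  n       -      y      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  # Overrides for 587: mynetworks is deliberately absent, so a trusted IP
  # gains nothing here; only an authenticated session may proceed ...
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  # ... and the MAIL FROM must belong to the login (smtpd_sender_login_maps),
  # otherwise Postfix answers "553 5.7.1 <...>: Sender address rejected:
  # not owned by user <login>".
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
```

Two practical notes. Values in master.cf -o overrides must not contain spaces, hence the comma-only lists. And once relaying on port 25 (or an extra host port mapped onto it) is granted by IP alone, anyone who can reach that port from the listed address can send mail for any domain the server accepts, so restrict the published port to the client's IP at the host firewall as well, and keep the /32 entry as narrow as shown.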

agittins commented 1 year ago

Ahh, of course. I didn't click that the submission port was more restrictive in that way.

That works perfectly, thanks! I have mapped an additional port on my main server to its MTA's port 25 and pointed my client's server at that new port. The mynetworks setting seems to be doing the trick there and the mail is flowing.

Thanks!

jeboehm commented 1 year ago

Awesome! You're welcome! :)