mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Incomplete IPv6 support with security implications #202

Closed mkuron closed 7 years ago

mkuron commented 7 years ago

Docker translates all incoming IPv6 connections to IPv4. Due to this, all incoming IPv6 connections appear to be IPv4 connections coming from 172.22.1.1 from the perspective of the services (Dovecot, Postfix).

This has a few security-relevant consequences:

Furthermore, Postfix cannot deliver outgoing emails via IPv6 because Docker's protocol translation only works for incoming connections.

This is not directly a problem of Mailcow (in fact, IPv6 worked on the standalone non-dockerized Mailcow), but rather a consequence of the fact that its Docker containers are not set up in an IPv6-aware fashion. It is not clear to me how this can be fixed (as far as I am aware, Docker doesn't do NAT for IPv6 like it does for IPv4, so that whole port-exposing mechanism doesn't exist), but as it is security-relevant, it should be fixed soon. Perhaps docker-ipv6nat could be integrated into Mailcow-dockerized.
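One way to check from the mail logs whether a deployment shows the behaviour described above, as an added example that is not part of the original issue or of mailcow's code. It assumes standard Postfix `connect from host[addr]` and Dovecot `rip=addr` log lines; the sample lines are constructed, and only the gateway address 172.22.1.1 comes from the issue.

```python
import ipaddress
import re
from collections import Counter

# Address the issue reports for every translated IPv6 client.
DOCKER_GATEWAY = ipaddress.ip_address("172.22.1.1")

# Postfix logs "connect from host[addr]"; Dovecot logs "rip=addr".
PATTERNS = (
    re.compile(r"postfix/[\w/-]+\[\d+\]: connect from \S*?\[([0-9A-Fa-f:.]+)\]"),
    re.compile(r"dovecot: .*?\brip=([0-9A-Fa-f:.]+)"),
)

def client_address(line):
    """Return the client IP recorded in a Postfix/Dovecot line, or None."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            try:
                return ipaddress.ip_address(match.group(1))
            except ValueError:  # malformed address text
                return None
    return None

def classify(lines, gateway=DOCKER_GATEWAY):
    """Count client connections by whether the real source address survived."""
    counts = Counter()
    for line in lines:
        addr = client_address(line)
        if addr is None:
            continue  # not a connect/login line
        if addr == gateway:
            counts["masked_by_gateway"] += 1
        else:
            counts[f"ipv{addr.version}_preserved"] += 1
    return counts

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "Jan 10 12:00:01 mail postfix/smtpd[311]: connect from unknown[172.22.1.1]",
    "Jan 10 12:00:02 mail postfix/smtpd[312]: connect from mx.example.net[198.51.100.7]",
    "Jan 10 12:00:03 mail dovecot: imap-login: Login: user=<a@example.org>, rip=172.22.1.1, lip=172.22.1.250",
    "Jan 10 12:00:04 mail postfix/smtpd[311]: disconnect from unknown[172.22.1.1]",
    "Jan 10 12:00:05 mail dovecot: imap-login: Login: user=<b@example.org>, rip=203.0.113.9, lip=172.22.1.250",
    "Jan 10 12:00:06 mail postfix/smtpd[313]: connect from unknown[2001:db8::25]",
]

if __name__ == "__main__":
    for kind, n in sorted(classify(SAMPLE_LOG).items()):
        print(f"{kind}: {n}")
```

On a host reachable over IPv6, a non-zero `masked_by_gateway` count together with no `ipv6_preserved` entries is consistent with the translation described in the issue.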

mkuron commented 7 years ago

#203 was merged