mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Docker opens ports publicly #4014

Closed thorus90 closed 3 years ago

thorus90 commented 3 years ago

When you start with the docker-compose file currently provided, docker opens ports on the external interface which aren't needed in my eyes, even bypassing normal iptables rules in the INPUT chain.

I disabled these right now by:

-A DOCKER-USER -p tcp --dport 8443 -i eth0 -j DROP
-A DOCKER-USER -p tcp --dport 8080 -i eth0 -j DROP
-A DOCKER-USER -p tcp --dport 5222 -i eth0 -j DROP
-A DOCKER-USER -p tcp --dport 5269 -i eth0 -j DROP
-A DOCKER-USER -p tcp --dport 4190 -i eth0 -j DROP
-A DOCKER-USER -p tcp --dport 5443 -i eth0 -j DROP

8080 and 8443 because I use a reverse proxy for handling SSL termination and further securing.

5222, 5269 and 5443 are for XMPP, which I don't use (as I guess many other users also don't). 4190 is for sieve, which doesn't need to be accessed externally (correct?).

I don't know if and how easily these issues could be solved by docker, but it could be stated in the documentation to block these ports specifically if you don't use XMPP.

Thanks!

tonymmm1 commented 3 years ago

Disabling ports is quite easy for docker-compose projects. Just read the container's ports: section and comment out the lines.

tonymmm1 commented 3 years ago

      volumes:
        - ./data/web:/web:ro,z
        - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
        - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
        - ./data/conf/nginx/:/etc/nginx/conf.d/:z
        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/:z
      #ports:
      #  - "${HTTPS_BIND:-:}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
      #  - "${HTTP_BIND:-:}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"

This is what I do in my project, since I run it behind a reverse proxy. The same applies to any or all docker-compose projects. https://docs.docker.com/compose/networking/

andryyy commented 3 years ago

You can simply bind them to 127.0.0.1 or remove the ports completely.

If you don't run XMPP, no service will be bound to these ports. They are just open sockets without a service.

Please also read the docs about setting up a reverse proxy. We mention 127.0.0.1 there (or wherever you need to bind).
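
A check that turns the advice above into something you can run against a compose file's ports: section before deploying: it applies compose's ${VAR:-default} substitution, parses each short-syntax mapping, and lists every one Docker would publish beyond loopback (the mappings that bypass the host INPUT chain, since Docker DNATs them first). This is an added example, not mailcow's code; HTTPS_BIND/HTTP_BIND/HTTPS_PORT/HTTP_PORT are the variables named in this thread, the XMPP and sieve lines are constructed stand-ins, and BEHIND_PROXY models the reverse-proxy layout (loopback only, 8080/8443) described above.

```python
"""Report docker-compose port mappings that Docker would publish beyond loopback,
i.e. the ones the host INPUT chain never sees because Docker DNATs them first.
Added example, not mailcow's code."""
import re
from ipaddress import ip_address
_VAR = re.compile(r"\$\{(\w+)(?::-([^}]*))?\}")   # ${VAR} or ${VAR:-default}

def expand(spec, env):
    """Apply compose-style substitution: env[VAR], or the default if unset/empty."""
    return _VAR.sub(lambda m: env.get(m.group(1)) or (m.group(2) or ""), spec)

def parse_mapping(spec):
    """Split 'host_ip:host_port:container_port[/proto]'; host_ip may be IPv4,
    bracketed IPv6 ('[::1]') or absent, which means every interface."""
    spec, _, proto = spec.partition("/")
    fields = spec.rsplit(":", 2)
    if len(fields) == 1:           # "80": container port only, ephemeral host port
        host_ip, host_port, container_port = None, "ephemeral", fields[0]
    elif len(fields) == 2:         # "8080:80": fixed host port, every interface
        host_ip, (host_port, container_port) = None, fields
    else:                          # "127.0.0.1:8080:80", "[::1]:8080:80", ":8080:80"
        host_ip, host_port, container_port = fields
        host_ip = host_ip.strip("[]") or None
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": container_port, "proto": proto or "tcp"}

def is_public(host_ip):
    """Only a loopback bind stays local; None, 0.0.0.0 and :: mean every interface."""
    return host_ip is None or not ip_address(host_ip).is_loopback

def audit(port_specs, env):
    """Return (host_ip, host_port, proto) for every mapping published beyond loopback."""
    exposed = []
    for spec in port_specs:
        m = parse_mapping(expand(spec, env))
        if is_public(m["host_ip"]):
            exposed.append((m["host_ip"] or "*", m["host_port"], m["proto"]))
    return exposed

# Constructed sample in the ${VAR:-default} style of mailcow's compose file; the
# HTTP(S)_BIND / HTTP(S)_PORT variables are from this thread, the rest are stand-ins.
SAMPLE_PORTS = [
    "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}",
    "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}",
    "5222:5222",   # XMPP c2s (constructed)
    "4190:4190",   # sieve (constructed)
]
BEHIND_PROXY = {"HTTPS_BIND": "127.0.0.1", "HTTP_BIND": "127.0.0.1",
                "HTTPS_PORT": "8443", "HTTP_PORT": "8080"}
```

With an empty environment all four mappings are reported on every interface; with BEHIND_PROXY only 5222 and 4190 remain, which is exactly the set that still needs a DOCKER-USER rule or a commented-out ports: entry.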

dragoangel commented 3 years ago

Sieve can and must be accessible externally; it is part of Dovecot. Why not close the IMAP port then? 😲 It is also public. You can manage Sieve over SOGo or over this port directly; for example, Thunderbird has a Sieve plugin which uses this port and allows writing rules in TB.

drohhyn commented 3 years ago

I just had problems with my server: the ports should have been used by my own XMPP installation, but were blocked by mailcow, even though I had not configured XMPP for any domain. So I would vote for SKIP_XMPP, contrary to what the FAQ says. At least, there should be info about the open ports. I've created a PR for the docs.