mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Open Relay via Ipv6 #5242

Closed anghenfil closed 1 year ago

anghenfil commented 1 year ago

Contribution guidelines

I've found a bug and checked that ...

Description

Hey,

a few days ago I received a ton of bounced emails from qq.com and found out my server was sending spam mails from <a-random-name>@one-of-my-domains every few hours/days.

But it seems like the emails didn't get sent from an email account, since postfix reports the connection was from fd4d:6169:6c63:6f77::1, the gateway address of the mailcow docker network. I couldn't find any logs from other containers which would indicate a script was sending these mails. I'm not sure if there is maybe a bug in mailcow?

Logs:

Postfix:

May 22 04:12:29 232961be80c2 postfix/smtpd[18947]: 796271E00190: client=unknown[fd4d:6169:6c63:6f77::1]
May 22 04:12:30 232961be80c2 postfix/cleanup[18967]: 796271E00190: message-id=<202305221012227097421@one-ofmy-domains>
May 22 04:12:33 232961be80c2 postfix/qmgr[375]: 796271E00190: from=<jimmy@one-ofmy-domains>, size=48850, nrcpt=1 (queue active)
May 22 04:12:37 232961be80c2 postfix/smtp[18968]: 796271E00190: to=<1756267751@qq.com>, relay=mx3.qq.com[203.205.219.57]:25, delay=12, delays=8.3/0.06/1.5/2.1, dsn=2.0.0, status=sent (250 OK: queued as.)
May 22 04:12:37 232961be80c2 postfix/qmgr[375]: 796271E00190: removed

Steps to reproduce:

I'm not sure. Since I'm running a standard mailcow setup, I'm not sure whether this could affect other users, or whether I made a misconfiguration / this is coming from malware from another container or the host system.

Which branch are you using?

master

Operating System:

archlinux, Linux version 6.1.28-1-lts

Server/VM specifications:

126 GB RAM, 12 cores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

none

Docker version:

23.0.6, build ef23cbc431

docker-compose version or docker compose version:

2.18.0

mailcow version:

2023-04b

Reverse proxy:

nginx

Logs of git diff:

diff --git a/docker-compose.yml b/docker-compose.yml
index 23bd308f..d42778d4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -582,36 +582,6 @@ services:
           aliases:
             - ofelia

-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge
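Review bot: dropping the whole `ipv6nat-mailcow` service (the `-    ipv6nat-mailcow:` block through its `volumes:`) hands IPv6 port publishing to Docker's own ip6tables handling, and the `ip6tables -L -vn -t nat` output pasted further down then shows a DNAT only for `tcp dpt:587 to:[fd4d:6169:6c63:6f77::e]:587`, while the IPv4 DOCKER chain forwards 25, 465, 110, 143, 993, 995 and 4190 as well. If this service is removed, verify that Docker's native IPv6 NAT is enabled on the host and that the full mail port set appears in the ip6tables nat DOCKER chain; otherwise port 25 over IPv6 is answered by the host-side proxy and postfix sees the connection as coming from the gateway address fd4d:6169:6c63:6f77::1, exactly as the log above reports.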

diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index a445b60c..024a490c 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -198,3 +198,6 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks

 # DO NOT EDIT ANYTHING BELOW #
 # User overrides #
+
+myhostname = mail.anghenfil.de
+
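Review bot: the `+myhostname = mail.anghenfil.de` override is unrelated to the relay problem and belongs in the user-overrides section, so no logic concern, but the rest of the report redacts domains as `one-of-my-domains` while this hunk exposes the real hostname; consider redacting it consistently. The two added blank lines around the setting are whitespace only.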

Logs of iptables -L -vn:

iptables -L -vn
Chain INPUT (policy ACCEPT 2022 packets, 444K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2022  444K MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
18376 4688K MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
18660 4730K DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
18660 4730K DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
13752 3909K ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1359 83607 DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
 1881  285K ACCEPT     0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 1347 82887 ACCEPT     0    --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
9661K 4261M ACCEPT     0    --  *      br-2d5365e33048  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
39049 2343K DOCKER     0    --  *      br-2d5365e33048  0.0.0.0/0            0.0.0.0/0           
  187 22667 ACCEPT     0    --  br-2d5365e33048 !br-2d5365e33048  0.0.0.0/0            0.0.0.0/0           
39049 2343K ACCEPT     0    --  br-2d5365e33048 br-2d5365e33048  0.0.0.0/0            0.0.0.0/0           
1072K  621M ACCEPT     0    --  *      br-f44bc79d4346  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 9177  551K DOCKER     0    --  *      br-f44bc79d4346  0.0.0.0/0            0.0.0.0/0           
 3328  189K ACCEPT     0    --  br-f44bc79d4346 !br-f44bc79d4346  0.0.0.0/0            0.0.0.0/0           
 9177  551K ACCEPT     0    --  br-f44bc79d4346 br-f44bc79d4346  0.0.0.0/0            0.0.0.0/0           
1109K 2650M ACCEPT     0    --  *      br-8b90e968da73  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 6526  392K DOCKER     0    --  *      br-8b90e968da73  0.0.0.0/0            0.0.0.0/0           
10025 1613K ACCEPT     0    --  br-8b90e968da73 !br-8b90e968da73  0.0.0.0/0            0.0.0.0/0           
 6526  392K ACCEPT     0    --  br-8b90e968da73 br-8b90e968da73  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      br-5a4e6f8729e3  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      br-5a4e6f8729e3  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br-5a4e6f8729e3 !br-5a4e6f8729e3  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br-5a4e6f8729e3 br-5a4e6f8729e3  0.0.0.0/0            0.0.0.0/0           
 1338  305K ACCEPT     0    --  *      br-2d9e00730d59  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    7   420 DOCKER     0    --  *      br-2d9e00730d59  0.0.0.0/0            0.0.0.0/0           
   31  4949 ACCEPT     0    --  br-2d9e00730d59 !br-2d9e00730d59  0.0.0.0/0            0.0.0.0/0           
    7   420 ACCEPT     0    --  br-2d9e00730d59 br-2d9e00730d59  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 2089 packets, 321K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  !br-8b90e968da73 br-8b90e968da73  0.0.0.0/0            172.24.0.3           tcp dpt:80
    0     0 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8000
    0     0 ACCEPT     6    --  !br-f44bc79d4346 br-f44bc79d4346  0.0.0.0/0            172.18.0.3           tcp dpt:80
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:8983
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:3306
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:8443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:8081
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
   12   720 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1881  285K DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
  187 22667 DOCKER-ISOLATION-STAGE-2  0    --  br-2d5365e33048 !br-2d5365e33048  0.0.0.0/0            0.0.0.0/0           
 3328  189K DOCKER-ISOLATION-STAGE-2  0    --  br-f44bc79d4346 !br-f44bc79d4346  0.0.0.0/0            0.0.0.0/0           
10025 1613K DOCKER-ISOLATION-STAGE-2  0    --  br-8b90e968da73 !br-8b90e968da73  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-5a4e6f8729e3 !br-5a4e6f8729e3  0.0.0.0/0            0.0.0.0/0           
   31  4949 DOCKER-ISOLATION-STAGE-2  0    --  br-2d9e00730d59 !br-2d9e00730d59  0.0.0.0/0            0.0.0.0/0           
  21M   11G RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-2d5365e33048  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-f44bc79d4346  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-8b90e968da73  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-5a4e6f8729e3  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-2d9e00730d59  0.0.0.0/0            0.0.0.0/0           
 880K  124M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  21M   11G RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of ip6tables -L -vn:

ip6tables -L -vn
Chain INPUT (policy ACCEPT 91242 packets, 412M bytes)
 pkts bytes target     prot opt in     out     source               destination         
91242  412M MAILCOW    0    --  *      *       ::/0                 ::/0                

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6132 6408K MAILCOW    0    --  *      *       ::/0                 ::/0                
 6962 6478K DOCKER-USER  0    --  *      *       ::/0                 ::/0                
 6962 6478K DOCKER-ISOLATION-STAGE-1  0    --  *      *       ::/0                 ::/0                
 3002 6205K ACCEPT     0    --  *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 3855  264K DOCKER     0    --  *      br-mailcow  ::/0                 ::/0                
  105  9718 ACCEPT     0    --  br-mailcow !br-mailcow  ::/0                 ::/0                
 3855  264K ACCEPT     0    --  br-mailcow br-mailcow  ::/0                 ::/0                
    0     0 ACCEPT     0    --  *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  ::/0                 ::/0                
    0     0 ACCEPT     0    --  docker0 !docker0  ::/0                 ::/0                
    0     0 ACCEPT     0    --  docker0 docker0  ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 54847 packets, 110M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:587
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:25
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:587
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:995

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  105  9718 DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-2d5365e33048 !br-2d5365e33048  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-f44bc79d4346 !br-f44bc79d4346  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-8b90e968da73 !br-8b90e968da73  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-5a4e6f8729e3 !br-5a4e6f8729e3  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-2d9e00730d59 !br-2d9e00730d59  ::/0                 ::/0                
1656K 2098M RETURN     0    --  *      *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      br-mailcow  ::/0                 ::/0                
    0     0 DROP       0    --  *      docker0  ::/0                 ::/0                
    0     0 DROP       0    --  *      br-2d5365e33048  ::/0                 ::/0                
    0     0 DROP       0    --  *      br-f44bc79d4346  ::/0                 ::/0                
    0     0 DROP       0    --  *      br-8b90e968da73  ::/0                 ::/0                
    0     0 DROP       0    --  *      br-5a4e6f8729e3  ::/0                 ::/0                
    0     0 DROP       0    --  *      br-2d9e00730d59  ::/0                 ::/0                
50816   10M RETURN     0    --  *      *       ::/0                 ::/0                

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
1656K 2098M RETURN     0    --  *      *       ::/0                 ::/0                

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 2190 packets, 138K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 185K 9688K DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 207 packets, 10674 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 54 packets, 3591 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1555 packets, 95873 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  499 35911 MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
   16  2240 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
   55  4683 MASQUERADE  0    --  *      !br-2d5365e33048  172.21.0.0/16        0.0.0.0/0           
  108  8120 MASQUERADE  0    --  *      !br-f44bc79d4346  172.18.0.0/16        0.0.0.0/0           
 2236  134K MASQUERADE  0    --  *      !br-8b90e968da73  172.24.0.0/16        0.0.0.0/0           
   16  2240 MASQUERADE  0    --  *      !br-5a4e6f8729e3  172.20.0.0/16        0.0.0.0/0           
   22  2609 MASQUERADE  0    --  *      !br-2d9e00730d59  172.23.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  6    --  *      *       172.24.0.3           172.24.0.3           tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       172.17.0.2           172.17.0.2           tcp dpt:8000
    0     0 MASQUERADE  6    --  *      *       172.18.0.3           172.18.0.3           tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  6    --  *      *       172.22.1.6           172.22.1.6           tcp dpt:8983
    0     0 MASQUERADE  6    --  *      *       172.22.1.9           172.22.1.9           tcp dpt:3306
    0     0 MASQUERADE  6    --  *      *       172.22.1.10          172.22.1.10          tcp dpt:8443
    0     0 MASQUERADE  6    --  *      *       172.22.1.10          172.22.1.10          tcp dpt:8081
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     0    --  br-2d5365e33048 *       0.0.0.0/0            0.0.0.0/0           
    1    60 RETURN     0    --  br-f44bc79d4346 *       0.0.0.0/0            0.0.0.0/0           
  566 33960 RETURN     0    --  br-8b90e968da73 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     0    --  br-5a4e6f8729e3 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     0    --  br-2d9e00730d59 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       6    --  !br-8b90e968da73 *       0.0.0.0/0            127.0.0.1            tcp dpt:8085 to:172.24.0.3:80
    0     0 DNAT       6    --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:8005 to:172.17.0.2:8000
    0     0 DNAT       6    --  !br-f44bc79d4346 *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 to:172.18.0.3:80
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.6:8983
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.9:3306
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8443 to:172.22.1.10:8443
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8081 to:172.22.1.10:8081
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
   14   840 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 308 packets, 25556 bytes)
 pkts bytes target     prot opt in     out     source               destination         
13593 1015K DOCKER     0    --  *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 14 packets, 1092 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 40 packets, 3216 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 241 packets, 19296 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   95  8548 MASQUERADE  0    --  *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0                
    2   320 MASQUERADE  0    --  *      !docker0  fd00:dead:beef:c0::/80  ::/0                
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:587

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  br-mailcow *       ::/0                 ::/0                
    0     0 RETURN     0    --  docker0 *       ::/0                 ::/0                
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::e]:587

DNS check:

docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254
151.101.193.69
151.101.1.69
151.101.65.69
151.101.129.69

anghenfil commented 1 year ago

Seems like it's an open relay via IPv6. Any idea why?

anghenfil commented 1 year ago

I - at least temporarily - fixed it by re-enabling the ipv6nat container. Seems like the migration to the internal docker ipv6nat caused the open relay.

gthb96 commented 1 year ago

Does it indicate an open relay here too? I am also running a stock mailcow setup on the latest version (IPv4/native IPv6). For me it says "not an open relay" and as far as I know mine is not sending spam.

anghenfil commented 1 year ago

If you used a web service to check, the result is maybe wrong; the most common ones only check via IPv4 afaik.

I checked manually via telnet from my local computer:

telnet your.mailhost.com 25

Type EHLO mailhost.com, and then press Enter.

Type MAIL @.***>, and then press Enter.

Type RCPT @.***> and then press Enter.

Type DATA, and then press Enter.

Type Subject: Test and then press Enter.

Press Enter again.

A blank line is needed between the Subject: field and the message body.

Type This is a test message, and then press Enter.

Type a period ( . ), and then press Enter.

To disconnect from the SMTP server, type QUIT, and then press Enter.

Best anghenfil

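The manual telnet check above (EHLO, MAIL FROM, RCPT TO to a foreign domain, then QUIT, never DATA) as an added example script that is not part of the thread or of mailcow: the dialogue is driven through injected send/receive callables so it can be run offline against a scripted reply set constructed from CrazyLinuxNerd's pasted session, and `relay_check_ipv6` wraps the same logic in an AF_INET6-only socket for testing your own host. The greeting hostname `mail.example`, the EHLO name `probe.example` and the addresses used are constructed placeholders, not values from the thread. Because the RSET/QUIT happens before any DATA command, no message is ever delivered; the verdict comes solely from the RCPT TO reply code, which is what distinguishes "Relay access denied" from a relay.

```python
"""IPv6 open-relay self-check: EHLO -> MAIL FROM -> RCPT TO -> RSET -> QUIT.

The verdict is read from the RCPT TO reply: 250 means the server would relay
for an unauthenticated client, 5xx (e.g. "554 5.7.1 Relay access denied")
means it would not. DATA is never sent, so nothing is delivered.
"""
import socket
from typing import Callable, Dict, List, Tuple


def read_reply(recv_line: Callable[[], str]) -> Tuple[int, List[str]]:
    """Collect one SMTP reply, including multi-line ones ("250-" continues,
    "250 " ends). Returns (numeric code, reply lines without line endings)."""
    lines: List[str] = []
    while True:
        line = recv_line()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3]), lines


def relay_check(send: Callable[[str], object], recv_line: Callable[[], str],
                helo_name: str, mail_from: str, rcpt_to: str) -> Dict[str, object]:
    """Drive the relay probe through the given transport callables."""
    greeting, _ = read_reply(recv_line)
    if greeting != 220:
        return {"greeting": greeting, "rcpt_code": None, "verdict": "no smtp greeting"}
    send(f"EHLO {helo_name}\r\n")
    read_reply(recv_line)
    send(f"MAIL FROM:<{mail_from}>\r\n")
    mail_code, _ = read_reply(recv_line)
    send(f"RCPT TO:<{rcpt_to}>\r\n")
    rcpt_code, rcpt_lines = read_reply(recv_line)
    send("RSET\r\n")  # abandon the envelope before anything could be queued
    read_reply(recv_line)
    send("QUIT\r\n")
    try:
        read_reply(recv_line)
    except ConnectionError:
        pass  # some servers close right after 221
    if rcpt_code == 250:
        verdict = "open relay"
    elif 500 <= rcpt_code < 600:
        verdict = "relay denied"
    else:
        verdict = f"inconclusive ({rcpt_code})"
    return {"greeting": greeting, "mail_code": mail_code, "rcpt_code": rcpt_code,
            "rcpt_reply": " ".join(rcpt_lines), "verdict": verdict}


def relay_check_ipv6(host: str, mail_from: str, rcpt_to: str, port: int = 25,
                     helo_name: str = "probe.example", timeout: float = 15.0) -> Dict[str, object]:
    """Run the probe against a live host over IPv6 only (AF_INET6), so that an
    IPv4-only web checker's "not an open relay" cannot mask the IPv6 path."""
    family, socktype, proto, _, sockaddr = socket.getaddrinfo(
        host, port, socket.AF_INET6, socket.SOCK_STREAM)[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        sock.connect(sockaddr)
        with sock.makefile("rw", encoding="ascii", newline="") as f:
            def send(data: str) -> None:
                f.write(data)
                f.flush()
            return relay_check(send, f.readline, helo_name, mail_from, rcpt_to)


class ScriptedServer:
    """Offline stand-in for a mail server. Replies are constructed sample data
    modelled on the session pasted in this thread; only the RCPT reply varies."""
    def __init__(self, rcpt_reply: str):
        self.sent: List[str] = []
        self._pending = ["220 mail.example ESMTP Postcow\r\n"]  # greeting
        self._replies = {
            "EHLO": "250-mail.example\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 CHUNKING\r\n",
            "MAIL": "250 2.1.0 Ok\r\n",
            "RCPT": rcpt_reply,
            "RSET": "250 2.0.0 Ok\r\n",
            "QUIT": "221 2.0.0 Bye\r\n",
        }

    def send(self, data: str) -> None:
        self.sent.append(data)
        verb = data.split(":")[0].split()[0].upper()
        self._pending.extend(self._replies[verb].splitlines(keepends=True))

    def recv_line(self) -> str:
        return self._pending.pop(0) if self._pending else ""


if __name__ == "__main__":
    srv = ScriptedServer("554 5.7.1 <jake@example.org>: Relay access denied\r\n")
    print(relay_check(srv.send, srv.recv_line, "probe.example", "probe@example.net", "jake@example.org"))
```

Run `relay_check_ipv6("your.mailhost.example", "probe@example.net", "someone@example.org")` from a host outside the docker network; `mail_from` should be a domain the server does not host and `rcpt_to` a foreign domain, otherwise the 250 only reflects normal inbound delivery rather than relaying.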

CrazyLinuxNerd commented 1 year ago

Just tested this on my mailcow, and:

Trying (ipv6)...
Connected to (server).
Escape character is '^]'.
220 (server) ESMTP Postcow
ehlo (domain)
250-(server)
250-PIPELINING
250-SIZE 524288000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
mail from: jake@(my domain server 1)
250 2.1.0 Ok
rcpt to: jake@(my domain at another server)
554 5.7.1 <jake@(domain): Relay access denied
quit
221 2.0.0 Bye

gthb96 commented 1 year ago

Yes, I wanted to know if the website also tells it. I believe it is open relay for you but I'm still curious if mxtoolbox recognizes it for IPv6

rpasing commented 1 year ago

I have the same issue using Mailcow on Arch Linux. It is actually a bug in the Docker package of Arch Linux, as far as my research has been going. I created both a bug report for Docker: https://github.com/moby/moby/issues/45459 and also a bug report for Arch Linux: https://bugs.archlinux.org/task/78506

As you can see, the interest in those bug reports is until now non-existent. Maybe you can help raise awareness. I do think though that it's not an error in Mailcow; it's a general error in the ip6tables creation of Docker under Arch Linux.

Edit: In addition to the information provided in those 2 bug reports, the problem why we have an open relay in Mailcow due to this is the following: If the ip6tables forwarding rules for port 25 are missing, then ip6 port 25 will still be reachable from the outside: The (partially) existing ip6tables rules do open the port, and then we have that userland Docker proxy running on the host, which by default is responsible for routing loopback-traffic into the containers. That docker-proxy will accept this outside connection, and forward it into the mailcow containers. From there, it will look like a connection from the host, and not from the outside anymore. And by default, mailcow accepts internal connections without authorization.

DerLinkman commented 1 year ago

You are using Archlinux as your Operating System.

As it seems to be a Docker on Arch Linux problem it's not a mailcow issue then.

Please report bugs for mailcow only on supported OS seen here: https://docs.mailcow.email/prerequisite/prerequisite-system/#supported-os as those are tested and supported by us directly.

As mentioned on this docs page, other OS systems might work but are not officially tested.

strowi commented 6 months ago

For anyone else stumbling here: on a default docker-24.0.7 (Ubuntu) with IPv6, disabling the userland proxy via /etc/docker/daemon.json -> { "userland-proxy": false } solved the problem.

Only got aware of this because of the "*@qq.com" mails; most blacklist/open relay tests I tried still only tested IPv4.
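Two host-side checks for the mechanism rpasing describes (IPv6 DNAT rules missing for the mail ports while docker-proxy still answers them) and for strowi's daemon.json fix, as an added example that is not part of the thread or of mailcow. The first function parses the `DOCKER` chain of `iptables -L -vn -t nat` / `ip6tables -L -vn -t nat` output in the column layout pasted above and reports mail ports that are forwarded for IPv4 but not for IPv6; the second reads /etc/docker/daemon.json and reports whether the userland proxy is still on (Docker's default when the key is absent, which is an assumption stated in the code). The sample chain text is a constructed subset of the lines in this issue, and the daemon.json contents are constructed too.

```python
"""Audit helpers for the IPv6 mail-port forwarding gap described in this thread."""
import json
import re
from typing import Iterable, List, Set

MAIL_PORTS = {25, 465, 587, 110, 143, 993, 995, 4190}

# Matches the "tcp dpt:25 to:172.22.1.253:25" tail of a DNAT rule line.
_DNAT_RE = re.compile(r"\bDNAT\b.*\btcp dpt:(\d+)\s+to:")


def dnat_ports(nat_chain_text: str) -> Set[int]:
    """Destination ports that have a DNAT rule in the given nat-table dump."""
    return {int(m.group(1)) for line in nat_chain_text.splitlines()
            if (m := _DNAT_RE.search(line))}


def missing_ipv6_forwards(v4_nat_text: str, v6_nat_text: str,
                          ports: Iterable[int] = MAIL_PORTS) -> List[int]:
    """Mail ports published via DNAT for IPv4 but absent from the IPv6 nat table.
    Each such port is still reachable over IPv6 through docker-proxy when the
    userland proxy is on, and then arrives inside the container from the
    docker gateway address, which postfix treats as a trusted mynetworks client."""
    v4, v6 = dnat_ports(v4_nat_text), dnat_ports(v6_nat_text)
    return sorted(p for p in ports if p in v4 and p not in v6)


def userland_proxy_enabled(daemon_json_text: str) -> bool:
    """True when daemon.json leaves the userland proxy on. Assumption: Docker
    defaults "userland-proxy" to true when the key is not set."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    return bool(cfg.get("userland-proxy", True))


# Constructed sample input, copied from the DNAT lines of this issue's
# iptables / ip6tables nat dumps (a subset; counters and other chains omitted).
SAMPLE_V4_NAT = """\
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
   14   840 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
"""

SAMPLE_V6_NAT = """\
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  br-mailcow *       ::/0                 ::/0
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::e]:587
"""

if __name__ == "__main__":
    print("IPv6 forwards missing for:", missing_ipv6_forwards(SAMPLE_V4_NAT, SAMPLE_V6_NAT))
    print("userland proxy on (empty daemon.json):", userland_proxy_enabled(""))
    print("userland proxy on (fixed):", userland_proxy_enabled('{"userland-proxy": false}'))
```

On a live host, feed it `subprocess.run(["iptables", "-L", "-vn", "-t", "nat"], capture_output=True, text=True).stdout` and the ip6tables equivalent, plus `open("/etc/docker/daemon.json").read()`; a non-empty missing list together with `userland_proxy_enabled(...) == True` is the combination that produced the gateway-sourced connections in the postfix log at the top of this issue.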