mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License
3.36k stars, 89 forks

local delivery issue #183

Open · lesion opened 1 week ago

lesion commented 1 week ago

hi there, first of all thanks for this great software. I've an issue with an uncommon setup: we run mox behind a NAT and we are having some issues only with local delivery. Is there a way to force mox to deliver email to its own managed domains directly? thanks for your support

mjl- commented 1 week ago

hi @lesion, is it the spf check that is causing trouble?

the following has been known to happen: your outgoing connections to your own mx host (to its public ip) would be routed back to mox. instead of the connection to your public ip appearing to come from that public ip, the route may NAT it in a way that it appears to come from the router's internal/private ip, which of course isn't listed in your domain's spf record. an spf fail can be a reason for a message to be rejected. your messages should also have dkim signatures, which should still pass, but for first-time sending the spf fail can still make the delivery suspicious enough to be rejected. a solution could be to change the spf check to allow private IPs (as used in NATs) for incoming messages from domains that the mox instance is hosting.

i don't think bypassing the regular delivery mechanisms is a good idea for domains hosted on the mox instance. quite some functionality is happening in the smtp delivery path (e.g. rate limiting, junk filtering, alias processing). not delivering as usual would mean that functionality would have to be implemented again in that new special self-delivery path.

but it may be better to take a step back: what issue exactly are you having with local delivery? perhaps there are some error logs that show what's going on?
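The relaxation sketched above (accept an SPF fail only when the connection arrives from a private address and the envelope sender domain is one this instance hosts) can be written down as a small decision function. The following Go code is an added illustration, not mox's own SPF code: `Config`, `RawCheck` and `Decide` are hypothetical names, the SPF record is assumed to consist of just the public IPs, and the addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// SPFResult is the outcome of an SPF evaluation (hypothetical type,
// mirroring the usual pass/fail/none verdicts).
type SPFResult string

const (
	SPFPass SPFResult = "pass"
	SPFFail SPFResult = "fail"
	SPFNone SPFResult = "none"
)

// Config holds what this example assumes the server knows: the domains it
// hosts and the public addresses listed in those domains' SPF records.
type Config struct {
	HostedDomains []string
	PublicIPs     []net.IP
}

// RawCheck is a toy SPF evaluation for a record of the form
// "v=spf1 ip4:<public ip> -all": pass if the connecting IP is one of our
// public addresses, fail otherwise.
func (c Config) RawCheck(remote net.IP) SPFResult {
	for _, ip := range c.PublicIPs {
		if ip.Equal(remote) {
			return SPFPass
		}
	}
	return SPFFail
}

// isPrivate reports whether ip is loopback or an RFC 1918 / ULA address,
// i.e. an address a NAT router may substitute for our public one.
func isPrivate(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate()
}

// hostsDomain reports whether the MAIL FROM domain is served by this instance.
func (c Config) hostsDomain(domain string) bool {
	for _, d := range c.HostedDomains {
		if strings.EqualFold(d, domain) {
			return true
		}
	}
	return false
}

// Decide returns the SPF verdict to act on plus a reason. A fail is relaxed
// to pass only when all of the following hold: the raw verdict is fail, the
// connection comes from a private address, and the sender domain is hosted
// here. A private source claiming a foreign domain keeps its fail.
func (c Config) Decide(raw SPFResult, remote net.IP, mailFromDomain string) (SPFResult, string) {
	if raw != SPFFail {
		return raw, "raw spf verdict kept"
	}
	if !isPrivate(remote) {
		return SPFFail, "fail from public address, no relaxation"
	}
	if !c.hostsDomain(mailFromDomain) {
		return SPFFail, "private source but sender domain is not hosted here"
	}
	return SPFPass, fmt.Sprintf("relaxed: private source %s for hosted domain %s (likely NAT hairpin)", remote, mailFromDomain)
}

func main() {
	// Constructed sample configuration: one hosted domain, one public IP.
	cfg := Config{
		HostedDomains: []string{"example.org"},
		PublicIPs:     []net.IP{net.ParseIP("203.0.113.10")},
	}
	cases := []struct {
		remote net.IP
		domain string
	}{
		{net.ParseIP("203.0.113.10"), "example.org"},   // normal, non-NATed delivery
		{net.ParseIP("192.168.200.23"), "example.org"}, // hairpinned self-delivery
		{net.ParseIP("192.168.200.23"), "other.test"},  // private source, foreign domain
		{net.ParseIP("198.51.100.7"), "example.org"},   // public stranger claiming our domain
	}
	for _, tc := range cases {
		verdict, why := cfg.Decide(cfg.RawCheck(tc.remote), tc.remote, tc.domain)
		fmt.Printf("%-16s %-12s -> %-4s (%s)\n", tc.remote, tc.domain, verdict, why)
	}
}
```

Only the hairpin case flips from fail to pass; a private source address on its own is never enough, so the relaxation does not widen what an arbitrary sender on the LAN can do beyond what the DKIM check would already need to catch.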

lesion commented 1 week ago

yep, the issue was spf check

> a solution could be to change the spf check to allow private IPs (as used in NATs) for incoming messages from domains that the mox instance is hosting.

yep, this could be nice for IPs and NATIPs settings

> i don't think bypassing the regular delivery mechanisms is a good idea for domains hosted on the mox instance. quite some functionality is happening in the smtp delivery path (e.g. rate limiting, junk filtering, alias processing). not delivering as usual would mean that functionality would have to be implemented again in that new special self-delivery path.

I see. btw, I solved it with a lower-level solution, not so clean but it is working as expected:

LOCAL_MACHINE_IP=192.168.200.23
PUBLIC_IP=1.2.3.4

# Route locally generated traffic for our public IP (port 25) straight to our own address,
# so the outgoing connection never leaves the box and is not hairpinned through the NAT router
iptables -t nat -A OUTPUT -d $PUBLIC_IP -p tcp --dport 25 -j DNAT --to-destination $LOCAL_MACHINE_IP

# Rewrite the source of that redirected connection to our public IP so the SPF check is happy
iptables -t nat -A POSTROUTING -d $LOCAL_MACHINE_IP -p tcp --dport 25 -j SNAT --to-source $PUBLIC_IP

thanks, feel free to close this