zokradonh / kopano-docker

Unofficial Kopano Docker images for all Kopano services.
MIT License
59 stars 37 forks source link

update docker-mailserver to 7.0.0 #448

Closed reneploetz closed 4 years ago

reneploetz commented 4 years ago

Fixes #445

Proposed Changes

Notes

reneploetz commented 4 years ago

Hi @reneploetz,

thank you very much for your pr. I have just a small comment which i made inline.

Not too sure about your IPv4 comment. Afair the Docker network is IPv4 only anyways so I don't think this setting will have any real influence.

I read the whole discussion in the upstream ticket again and I think you are right that POSTFIX_INET_PROTOCOLS will not help, but the underlying problem - users might accidently create an open relay - might still be present. I'm unable to verify this tough.

Based on the upstream discussion, the conditions are:

The problem appears to be that if you connect to the host system using the IPv6 address, then Docker will translate this address to IPv4 to allow external systems to connect to the container. The problem is that the translation is working like a NAT - Docker is replacing the source address (which is the external IP) with the IP of the Docker gateway. The gateway server might be a trusted network for postfix tough - so it might be allowed to sent mails without authentication and thus creating an open relay server if you connect via IPv6.

To mitigate this, the upstream tickets suggests to either enable IPv6 in docker or bind to IPv4 only as stated here: https://github.com/tomav/docker-mailserver/issues/1405#issuecomment-590115647 Upstream decided to post a warning for the PERMIT_DOCKER setting to make users aware of the issue.

But I feel that this discussion is probably better done in a separate ticket anyway. So I would suggest to merge this first and maybe think about what to do afterwards if you feel that there is something that should be done.

fbartels commented 4 years ago

Thanks again. Your pr has just been merged.