mailserver SPF failing - using wrong host interface? #1090

Closed
dennorske opened this issue Jul 28, 2019 · 6 comments · Fixed by #1351

Comments

@dennorske

So I sent a test email to myself- google lets me know that the SPF failed in the "raw".
[screenshot: the SPF failure shown in Gmail's "Show original" view]

Although, my docker compose yml file is set to use another interface on my host:
[screenshot: the docker-compose.yml binding to the other host interface]

Here is output of my networking using ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet ***.***.171.141  netmask 255.255.255.255  broadcast ***.***.171.141
        inet6 ***  prefixlen 64  scopeid 0x20<link>
        inet6 ***  prefixlen 64  scopeid 0x0<global>
        ether *** txqueuelen 1000  (Ethernet)
        RX packets 70014942  bytes 30920367324 (28.7 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46620946  bytes 22712695429 (21.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet ***.***.182.99  netmask 255.255.255.255  broadcast ***.***.182.99
        ether 96:00:00:2a:87:8f  txqueuelen 1000  (Ethernet)

eth0:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet ***.***.182.60  netmask 255.255.255.0  broadcast ***.***.182.60
        ether 96:00:00:2a:87:8f  txqueuelen 1000  (Ethernet)

As you can see, they are separate interfaces on the same host.

Why does SPF fail? The DNS records for MX resolve to the correct IP, so I am a bit stuck here.

@dennorske
Author

I managed to find out that Docker is using iptables to route the traffic to/from containers, and that it is using the default interface for outgoing packets.
(Source and workaround: https://medium.com/@havloujian.joachim/advanced-docker-networking-outgoing-ip-921fc3090b09)

The thing is, I strongly believe this should be implemented in Mailu's setup / config so that users can run multiple instances of it on the same server, and even use separate IP(s) from the host's main IP (security aspects).

I am nowhere near familiar with setting up iptables for this service, considering it is already attached to a network and that there are multiple containers involved. Any help would be greatly appreciated.

@dennorske
Author

dennorske commented Jul 29, 2019

Okay, so when you try to route traffic from a subnet over to the correct interface, you end up getting this error when you try to log in to Rainloop webmail:

front_1      | 2019/07/29 17:32:00 [info] 8#8: *44 upstream sent invalid response: "NO [AUTHENTICATIONFAILED] Authentication failed." while reading response from upstream, client: ***.**.182.60, server: 0.0.0.0:10143, login: "den@ducky.rocks", upstream: 192.168.203.2:143

However, if you go to the admin interface (/admin) you can log in with no issues..

Without the rule, all goes fine on webmail. This is what I used for routing:

iptables -t nat -I POSTROUTING -p all -s 192.168.203.0/24 -j SNAT --to-source *.*.182.60


@kaiyou
Member

kaiyou commented Sep 5, 2019

You are almost there, I believe :) Indeed, you need to use POSTROUTING in iptables, which is also what I use in production (well, I use nftables, but the idea is the same).

So, you now simply need to add a -o <outgoing_eth> to your rule, so that you do not SNAT traffic internal to Mailu (which is what causes the authentication failures).

@dennorske
Author

dennorske commented Oct 3, 2019

Got it working, you are right! :)

Thanks for the help

I hope what I did and documented above can be of help to future users.

@josephhernandezphd

Will you post your example? I have been struggling with the correct rules.

@kaiyou
Member

kaiyou commented Feb 1, 2020

Something along the lines of:
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to <your mx ip>

kaiyou mentioned this issue Feb 7, 2020
bors bot added a commit that referenced this issue Feb 8, 2020
1351: Add some faq entries r=mergify[bot] a=kaiyou

## What type of PR?

Documentation

## What does this PR do?

Add missing faq entries

### Related issue(s)
- Closes: #853 
- Closes: #897 
- Closes: #1090 
- Closes: #1315

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: kaiyou <pierre@jaury.eu>
@bors bors bot closed this as completed in #1351 Feb 8, 2020
@bors bors bot closed this as completed in 770d09b Feb 8, 2020