Skip to content

mailserver SPF failing - using wrong host interface? #1090

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dennorske opened this issue Jul 28, 2019 · 6 comments · Fixed by #1351
Closed

mailserver SPF failing - using wrong host interface? #1090

dennorske opened this issue Jul 28, 2019 · 6 comments · Fixed by #1351
Labels
type/question

Comments

@dennorske
Copy link

So I sent a test email to myself- google lets me know that the SPF failed in the "raw".
image

Although, my docker compose yml file is set to use another interface on my host:
image

Here is output of my networking using ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet ***.***.171.141  netmask 255.255.255.255  broadcast ***.***.171.141
        inet6 ***  prefixlen 64  scopeid 0x20<link>
        inet6 ***  prefixlen 64  scopeid 0x0<global>
        ether *** txqueuelen 1000  (Ethernet)
        RX packets 70014942  bytes 30920367324 (28.7 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46620946  bytes 22712695429 (21.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet ***.***.182.99  netmask 255.255.255.255  broadcast ***.***.182.99
        ether 96:00:00:2a:87:8f  txqueuelen 1000  (Ethernet)

eth0:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet ***.***.182.60  netmask 255.255.255.0  broadcast ***.***.182.60
        ether 96:00:00:2a:87:8f  txqueuelen 1000  (Ethernet)

As you can see, they are separate interfaces on the same host.

why does SPF fail? The DNS records for MX and resolves to the correct IP, so i am a bit stuck here.
@dennorske
Copy link
Author

I managed to find out that docker is using IPtables to route the traffic to/from containers, and that it is using the default interface for outgoing packets.
(Source and workaround: https://medium.com/@havloujian.joachim/advanced-docker-networking-outgoing-ip-921fc3090b09)

The thing is, I strongly believe this should be implemented to Mailu's setup / config so that users can run multiple instances of it on the same server, even use separate IP('s) from the host main IP (Security aspects).

I am nowhere near familiar with setting up IPtables for this service, considering it is already attached to a network and that there are multiple containers involved. Any help would be of great appreciation

@dennorske
Copy link
Author

dennorske commented Jul 29, 2019
edited
Loading

okay so when you try to route over traffic from a subnet over to the correct interface, you end up getting this error when you try to log in to rainloop webmail.

front_1      | 2019/07/29 17:32:00 [info] 8#8: *44 upstream sent invalid response: "NO [AUTHENTICATIONFAILED] Authentication failed." while reading response from upstream, client: ***.**.182.60, server: 0.0.0.0:10143, login: "den@ducky.rocks", upstream: 192.168.203.2:143

However, if you go to the admin interface (/admin) you can log in with no issues..

Without the rule, all goes fine on webmail..

iptables -t nat -I POSTROUTING -p all -s 192.168.203.0/24 -j SNAT --to-source *.*.182.60

is what i used for routing.

@kaiyou
Copy link
Member

kaiyou commented Sep 5, 2019

You are almost there I believe :) indeed you need to use postrouting in iptables, which is also what I use in production (well, I use nftables but the idea is the same).

So, you now simply need to add a -o <outgoing_eth> to your rule, so that you do not snat traffic internal to Mailu (which is what causes authentication failures).

@dennorske
Copy link
Author

dennorske commented Oct 3, 2019
edited
Loading

Got it working, you are right! :)

Thanks for the help

I hope the above i did and documented can be of help for future users.

@josephhernandezphd
Copy link

will you post your example? I have been struggling with the correct rules

@kaiyou
Copy link
Member

kaiyou commented Feb 1, 2020

Something in the line of:
-t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to <your mx ip>

@kaiyou kaiyou mentioned this issue Feb 7, 2020
Merged
2 tasks
bors bot added a commit that referenced this issue Feb 8, 2020
@bors @kaiyou
Merge #1351
7c8852b 
1351: Add some faq entries r=mergify[bot] a=kaiyou

## What type of PR?

Documentation

## What does this PR do?

Add missing faq entries

### Related issue(s)
- Closes: #853 
- Closes: #897 
- Closes: #1090 
- Closes: #1315

## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.


Co-authored-by: kaiyou <pierre@jaury.eu>
@bors bors bot closed this as completed in #1351 Feb 8, 2020
@bors bors bot closed this as completed in 770d09b Feb 8, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 28, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/question
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add some faq entries kaiyou/Mailu
3 participants
@kaiyou @dennorske @josephhernandezphd