Mailu deploy openly relaying non-authenticated email #1099
Comments
So it seems like it's back! One possible issue mentioned on the chat yesterday was NAT masquerading. Here's a snippet from the source of a relayed email:
indicating that postfix on the smtp instance is receiving the emails straight from the docker gateway and not passing through front. Docker instance IPs: Snippet of tcpdumping the veth interface for front on the Docker host, which to me indicates that all three instances are participating in the delivery flow:
After a long time of pondering what could be wrong, I finally found that firewalld (on CentOS 7 at least) and Docker do not play nicely with each other, as per moby/moby#16137. After disabling firewalld ( Closing issue.
After successfully running mailu for a couple of weeks, a botnet detected that my stack was openly relaying any email thrown at it. The server is behind a router (Asus AC68U with asuswrt-merlin firmware), thus traffic coming from the internet is NATed to the internal server. I've run a custom postfix+dovecot setup previously under this network configuration, so I think the network translations should be going correctly, but I haven't had the time (or figured out) how to verify that yet. (Would it be wise to tcpdump this?)
When I test against https://www.appmaildev.com/ everything passes except for RBL. (Sorry, some bug with my screenshot-taking application means I can't attach an image.)
Running swaks yields authentication required:
Testing against https://mxtoolbox.com/diagnostic.aspx:
My configuration files:
There are some tweaks I've had to do, as I'm running an Apache front reverse proxying on the host because I have some other legacy stuff I had to quickly migrate over. It should only be load balancing for the roundcube instance, and all other changes shouldn't affect the stack in such a way that it should be open to relaying for external networks, but I figured it's worth mentioning in case there's something I'm misunderstanding wrt this.
I've got no problem deep diving into containers and network troubleshooting, but as I'm a huge jack of all trades, I've run out of ideas where to look. Tips are greatly appreciated, thanks.
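The two things discussed in this thread, the unauthenticated relay test (what swaks was doing) and the explanation that NAT masquerading makes every client look like the docker gateway to postfix, can be reproduced offline. The following is an added example, not Mailu's or postfix's code: a stub SMTP server that decides RCPT TO the way postfix's `permit_mynetworks, reject_unauth_destination` does, with a `seen_client_ip` parameter standing in for the source address the daemon actually observes after NAT, plus a probe that speaks EHLO/MAIL FROM/RCPT TO to an external domain and stops before DATA. The networks, IPs and domains are constructed sample values; the hostnames `stub.example.test` and `probe.example.org` are placeholders.

```python
"""Open-relay probe and a stub SMTP server to run it against offline.

Added example for this issue thread, not Mailu or postfix code. The stub
models `smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination`
(no SASL in this model). `seen_client_ip` is the address the daemon believes
it is talking to after any NAT/masquerading, not the real TCP peer. All IPs,
networks and domains below are constructed sample values.
"""
import ipaddress
import smtplib
import socket
import threading


def relay_decision(client_ip, mynetworks, rcpt_domain, local_domains):
    """Decide one RCPT TO: trusted client -> relay anywhere, otherwise only
    local domains. Returns (accepted, smtp_reply)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in mynetworks):
        return True, "250 2.1.5 Ok"          # permit_mynetworks
    if rcpt_domain.lower() in local_domains:
        return True, "250 2.1.5 Ok"          # delivery to our own domains
    return False, "554 5.7.1 <%s>: Relay access denied" % rcpt_domain


def start_stub_smtp(seen_client_ip, mynetworks, local_domains):
    """Listen on an ephemeral loopback port, serve exactly one SMTP session
    in a background thread and return the port to connect to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def session():
        conn, _ = srv.accept()
        srv.close()

        def send(text):
            conn.sendall((text + "\r\n").encode())

        send("220 stub.example.test ESMTP")
        for raw in conn.makefile("rb"):
            line = raw.decode(errors="replace").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                send("250 stub.example.test")
            elif verb == "MAIL":
                send("250 2.1.0 Ok")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>")
                domain = addr.rsplit("@", 1)[-1]
                _, reply = relay_decision(seen_client_ip, mynetworks,
                                          domain, local_domains)
                send(reply)
            elif verb == "QUIT":
                send("221 2.0.0 Bye")
                break
            else:
                send("502 5.5.2 Command not implemented")
        conn.close()

    threading.Thread(target=session, daemon=True).start()
    return port


def probe_open_relay(host, port, mail_from="probe@example.org",
                     rcpt_to="someone@example.net", timeout=10):
    """Unauthenticated relay check: EHLO, MAIL FROM, RCPT TO a foreign
    domain, then QUIT before DATA so no message is actually sent.
    Returns (is_open_relay, rcpt_code, rcpt_message)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.org")
        code, msg = smtp.mail(mail_from)
        if code != 250:
            return False, code, msg.decode(errors="replace")
        code, msg = smtp.rcpt(rcpt_to)
        # 250 to a stranger's RCPT TO for a domain we do not host = open relay.
        return code == 250, code, msg.decode(errors="replace")


if __name__ == "__main__":
    mynetworks = ["127.0.0.0/8", "172.18.0.0/16"]   # loopback + docker bridge
    local_domains = {"example.com"}
    # Daemon sees the real Internet source address: relay is refused.
    port = start_stub_smtp("203.0.113.5", mynetworks, local_domains)
    print("direct client  :", probe_open_relay("127.0.0.1", port))
    # Masquerading rewrote the source to the docker gateway: relay is accepted.
    port = start_stub_smtp("172.18.0.1", mynetworks, local_domains)
    print("masqueraded    :", probe_open_relay("127.0.0.1", port))
```

Run it and the second probe returns `(True, 250, ...)` even though the same stranger was refused a moment earlier: nothing about the relay policy changed, only the source address postfix got to see, which is exactly why a trusted docker network plus NAT towards the gateway turns into an open relay. Pointing `probe_open_relay` at a real host and port 25 performs the same check swaks does, without authenticating.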