Running mailu without docker's iptables creates an open relay #332
When disabling iptables in docker, its forwarding proxy process takes over. This creates the situation that every incoming connection on port 25 seems to come from the local network (docker's 172.17.x.x) and is accepted.
IMHO there should be some mechanism to check for that situation and refuse service in such cases, but right now I'm at a loss what that could look like.
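One way to spot the condition described above from the MTA's own logs, as an added example that is not part of the Mailu project or this issue: when docker-proxy fronts port 25, every SMTP client is observed as the Docker bridge gateway, so the log shows almost nothing but 172.17.x.x peers, and any "trusted network" rule covering that range becomes an open relay. The log format is assumed to be Postfix-style `connect from host[ip]` lines and the trusted-network list is an assumed example, not Mailu's default.

```python
import ipaddress
import re
from collections import Counter

# Docker's default bridge: the range the issue says every proxied connection
# appears to come from. Trusted networks are assumed values, not Mailu's.
DOCKER_BRIDGE = ipaddress.ip_network("172.17.0.0/16")
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"), DOCKER_BRIDGE]
# Peer address in Postfix-style "connect from host[ip]" lines.
CONNECT_RE = re.compile(r"connect from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]")

def is_trusted(peer_ip, trusted=TRUSTED_NETWORKS):
    """True if the MTA would relay for this peer without authentication."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)

def connection_sources(log_lines):
    """Count SMTP connections per observed peer address."""
    counts = Counter()
    for line in log_lines:
        match = CONNECT_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts

def proxy_masking_suspected(log_lines, threshold=0.9):
    """True when nearly every SMTP connection appears to come from the Docker
    bridge: the signature of docker-proxy rewriting client addresses, which
    turns the trusted-network rule into an open relay."""
    counts = connection_sources(log_lines)
    total = sum(counts.values())
    if total == 0:
        return False
    masked = sum(n for ip, n in counts.items()
                 if ipaddress.ip_address(ip) in DOCKER_BRIDGE)
    return masked / total >= threshold

# Constructed sample lines in Postfix smtpd log style (not real logs).
MASKED_LOG = [
    "postfix/smtpd[101]: connect from unknown[172.17.0.1]",
    "postfix/smtpd[102]: connect from unknown[172.17.0.1]",
    "postfix/smtpd[103]: connect from unknown[172.17.0.1]",
]
HEALTHY_LOG = [
    "postfix/smtpd[201]: connect from mail.example.net[203.0.113.7]",
    "postfix/smtpd[202]: connect from unknown[198.51.100.22]",
    "postfix/smtpd[203]: connect from front[172.17.0.3]",
]
```

A real deployment would feed the smtpd log stream into `proxy_masking_suspected` and alert when it returns True, since a bridge-only peer distribution on a public port 25 means client addresses are being rewritten.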
Yeah, this is a worrying security issue. For the past month or so I've had a bunch of IPs trying to brute-force access to the mail server via port 25; there was a whole block of about 20 IPs in Ukraine at 91.200.12.x. One of them had a hostname walkerj.ex.com, which I followed (the domain ex.com) back to another IP in Canada which seemed to be a command and control for ransomware; it also seems to be a massive hoard of domains, some good ones too. I run everything behind a separate firewall so I can see what is going on.
Yesterday morning at about 05:00 I got so many port scans my internet literally started to lag, with them originating from Israel, Germany and China. I was able to block all the IPs which appeared to be port scanning, but then today, going over the logs, I can now see the Docker internal IP doing some weird port scanning. I assume it's down to this; sure enough, if I shut down all the containers for Mailu, the port scanning from the Docker IP stops.
I'm assuming the only solution to this would be to try and install iptables on the host, start again with the containers and delete all the volumes.
Well, I think you misunderstood the issue. Port scans and authentication brute force are common and actually pretty normal on the internet (at least for port scans). It's my opinion only, but I don't think you should spend too much energy trying to track them down (I personally get hundreds of brute-force attempts per day).
That being said, the current issue is in your configuration: you should not have the Docker proxy enabled except in a testing setup. It is not a supported Docker setup and not one that will play well with many images, including Mailu. The recommended solution is to enable the Docker iptables configuration in your
This issue will be resolved when the default config does not pose a risk for people still running a Docker proxy, or when the documentation states clearly enough that there is a risk of open relay.