New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix swarm smtp auth #563
Fix swarm smtp auth #563
Conversation
Note afterwards: if it is not preferred to trust all containers in this network, there is the possibility to set up separate network overlays for different tasks. It should be possible to set up a "trusted" network for authentication related authentication. Nevertheless, XCLIENT should reflect a network range and not a single IP. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the following is more suitable:
smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }} {{ POD_ADDRESS_RANGE }}
Personally, I would like to refrain from using So I think, in any standard code we should use Any comments are welcome! |
I think RELAYHOSTS is too similar to RELAYHOST, which was a bit confusing to me ;-). Beyond the name of the variable itself, there are other places in the code where this is needed. I started a branch (swarm-vip) on my fork to prepare this and also to update the swarm documentation accordingly. I propose to first find all placeswhere we need to update the code (at least dovecot, postfix and rspamd) and then see if we can/need mutualize with kubernetes |
Excuse my English. I really meant to say I don't think we should support all the different implementation's variables. Keep our own set of variables and the startup files from docker-compose, docker-compose for swarm and kubernetes have to make sure those variables are assigned accordingly. So this pull request makes sure that Then, as a general comment and probably off-topic for this PR, I would like to suggest to use the
3 inline |
Hi, I suggest that we use the same POD_ADDRESS_RANGE variable in the other parts of Mailu code where it seems necessary for swarm deployment. I wouldn't be surprised that it is needed anyway for kubernetes.. On a side note, It seems that we might not need a range but rather a single IP. At least on my setup, this is the case: the logs of smtp &imap show that the originator IP is always 10.0.1.4, which is not the front service neither the front containers... By inspecting the mailu_default network, I found this IP under the name "mailu_default-endpoint". But I don't know how to resolve this IP from within mailu code, otherwise we could have another approach and set the FRONT_ADDRESS to this mailu_default-endpoint (only whan under swarm mode of course)... |
If you run a repository search,
Are you still using |
I will change it to POD_ADDRESS_RANGE as it seems accepted elsewhere. After the build errors on @ofthesun9. What is you intention on using the |
dnsrr workaround will not be needed anymore, see #604 |
RELAYNETS is set in .env as the Docker network. This change will allow all instances on that network to authenticate. This will allow more replications of front to authenticate correctly. (Swarm and most probably Kubernets)
8427266
to
321571c
Compare
@ofthesun9. Please re-evaluate your review. |
Duplicated (but more complete) in PR #604 |
XCLIENT check was done against
FRONT_ADDRESS
, which is resolved instart.py
from thefront
hostname. In Swarm mode this would resolve to the single VIP of all instances inside thefront
service.Consequently, instances of
front
would try to authenticate using their individual IP != VIP. This would fail.This PR allows XCLIENT from anywhere inside the docker network, as defined as
RELAYNETS
in.env
.Using the correct
docker-compose.yml
settings, authentication is now working in Swarm mode. Issue #530 could be closed.I would also like to make reference to Kubernets PR #559, which could also make good use of this change. In
configmap.yaml
, the current setting would allow only for a singlefont
instance. (Replication: 1)Tested send/receive in both
docker-compose up
anddocker stack deploy
.