Attempted Reply/Send Failed from alias #192
While reading gmail.com's DMARC carefully I found out the following:

```
dig TXT _dmarc.gmail.com +noall +answer
; <<>> DiG 9.10.6 <<>> TXT _dmarc.gmail.com +noall +answer
;; global options: +cmd
_dmarc.gmail.com. 111 IN TXT "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"
```

Do you see

Now read again the message from Anonaddy:
See,

It can be

What does the notification email you receive say your authentication results are, or does it not contain them?

We're not in control of Gmail's DMARC :) Or others... However, how can I test if it is that or not?
Could it be an IPv6 issue like "kinda mentioned" in anonaddy/anonaddy#310 ?
Alright, there is a big problem with something inside this container. My eyes are turned to Rspamd but I couldn't test it. After enabling IPv6 for Docker, suddenly we can send emails through Anonaddy. What does it mean? Well, it means that something in the container is using IPv6 only where it shouldn't.

This is an important issue because yes, we should use IPv6 today but, we should not have IPv6 only. I will post this message in

For those who'd need a quick get around like me until this issue is fixed, here is how I've activated IPv6 for Docker.

Update

```json
{
  "ipv6": true,
  "fixed-cidr-v6": "fd01::/64",
  "ip6tables": true
}
```

Restart docker:

```shell
systemctl restart docker
```

For those using Traefik, you'll need to create a network for Traefik with IPv6 enabled:

```shell
docker network create --ipv6 --subnet=fd01:1::/64 traefik
```
Hi All, have had this problem and couldn't seem to figure it out for a while but I just fixed it and it works perfectly now with multiple domain names. The errors I was getting were not very helpful, but in the end it's pretty simple, at least for me it was. I was getting the exact same email as above. It all came down to the SPF DNS record.

DNS TXT RECORD NAME VALUE

Where

You should always already have an spf record with

you are telling it that not only the mx host is allowed to send email, but also your anonaddy server. Hope it helps.
Question is, how should people do with mail services providers such as GMail, Outlook...? They can't modify an SPF record on a zone they don't own.

I have tried both methods, IPv6 and adding the special SPF record. None of them worked. Is there a clear indication about what is the exact issue originating from this error message?

@spyesx I need to check again about IPv6, something seems to be not working right on my system. Would you like to share an obfuscated SPF, DMARC and TXT records you have for your domain?
My SPF or DMARC won't be useful since you're not sending an email to or from my domain :)

Open a shell in your container then get a random IPv6, let's say Gmail:

```shell
$ dig +short AAAA gmail.com
2a00:1450:4002:411::2005
```

From here you can ping this IPv6:

```shell
ping -6 2a00:1450:4002:411::2005
PING 2a00:1450:4002:411::2005(2a00:1450:4002:411::2005) 56 data bytes
64 bytes from 2a00:1450:4002:411::2005: icmp_seq=1 ttl=114 time=19.9 ms
64 bytes from 2a00:1450:4002:411::2005: icmp_seq=2 ttl=114 time=19.9 ms
```

If you can't ping, your container is not IPv6 ready. Therefore, when Rspamd (as I assume still now) sends a query to a DNS server to get the SPF record, it won't get any answer because it uses IPv6 only. This is the bug. If your container is not IPv6 ready... you won't go further.
Okay now I get it. So it's more on Rspamd's side and it has an issue trying to do IPv6-only. My containers are definitely not ready for IPv6 since I do not use it yet on the host system. I firstly assumed that Rspamd needed to have an IPv6 address bound for it to work, but that it would not actively use it, which is not the case then here. I will need to search deeper on how to work around this problem.
@spyesx I searched this repo and came across https://github.com/anonaddy/docker/blob/master/examples/rspamd/anonaddy.env By default, RSPAMD_ENABLE is not set. I checked in the container and there is no process running related to rspamd as well. Therefore, I think the problem does not come from rspamd with/without IPv6. Do you have RSPAMD_ENABLE set to "true"?

First of all add this line to your .env file. It resolved multiple problems for me (replace with your domain names):

I do have RSPAMD_ENABLE enabled and it works. Have you generated the DKIM key and added it to your DNS record?

@GitTworn DKIM is enabled and active. I've looked at SANCTUM_STATEFUL_DOMAINS, but to be honest, it should not change anything since from what I understood, this variable controls something that is more likely related to Laravel's authentication mechanism. I tried it but as expected it did not change anything unfortunately.
These are my templates and my install works great. I might state the obvious but...:

In the DNS settings of that domain add an

Now add an

Adjust the file system paths as you like in the following; I like using Nginx Reverse Proxy Manager because it has a nice UI.

In docker first create a docker network named: reverseproxy-nw for connecting the internal docker images so we don't have to expose ports to the outside world. Then run:

Nginx Proxy Manager - compose file

Then create a docker .env file in the correct location for anonaddy:

anonaddy.env file

Anonaddy compose file

Create User

Log into a terminal of the anonaddy docker image and type:

After that stay in the console and type:

DNS

Now edit your domain name DNS settings and add a

Now first open port 8181 on your firewall to allow access to the reverse proxy manager UI. We are going to close it later. Also open the anonaddy email ports you need:

Now log in to domain.com:8181 to log into Nginx Reverse Proxy Manager UI (google credentials). Change your password and create a reverse proxy host (revprox.domain.com) to point to the reverse proxy manager docker image: http://nginx-proxy-manager:8181. Make sure to generate a new ssl certificate. You can now close port 8181 on the firewall and log back in to the reverse proxy manager UI via the domain name https://revprox.domain.com.

Add a reverse proxy host for

Now you can send emails to your aliases and they will get forwarded.

Reply

If you want to reply from an email address that you are forwarding to, let's say you are forwarding to hello@john.com, you need to be able to edit the DNS settings of the domain john.com in order to allow the mail server (DNS MX record of john.com) to send/relay email using the mail server of domain.com (the mail server sending email for anonaddy). Because usually the mail server of the own domain john.com would be sending the email. You do that by editing a TXT record for john.com by using the 'include' parameter.

I'm replying from, and forwarding my aliases to, a google managed account using my own domain name. This is what works for me...
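Several comments in this thread turn on what the recipient domain's DMARC and SPF records actually say (gmail.com's p=none versus sp=quarantine, and the `include:` that lets the AnonAddy server send for john.com). The following Python is an added example, not code from this issue or from the AnonAddy project: it parses both record types and reports the effective DMARC policy for a From: domain plus whether SPF delegates to the AnonAddy mail domain. `GMAIL_DMARC` is the string from the dig output earlier in the thread; the john.com / domain.com records and `GMAIL_SPF_EXAMPLE` are constructed, and `summarize()` and its field names are my own.

```python
"""Added example (not AnonAddy's code): parse DMARC and SPF TXT records and
report what a reply/send check will see for a given From: domain. Records are
embedded so it runs offline; in practice feed it the output of
`dig +short TXT _dmarc.<domain>` and `dig +short TXT <domain>`."""
import re

# gmail.com's record exactly as dig showed it earlier in this thread
GMAIL_DMARC = "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"
GMAIL_SPF_EXAMPLE = "v=spf1 redirect=_spf.google.com"  # constructed sample, not looked up
# constructed records for a recipient domain (john.com) whose owner replies through
# the AnonAddy server of domain.com, before and after adding the include:
JOHN_DMARC = "v=DMARC1; p=quarantine; adkim=s"
JOHN_SPF_BEFORE = "v=spf1 mx -all"
JOHN_SPF_AFTER = "v=spf1 mx include:domain.com -all"


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; sp=quarantine; ...' into a lower-cased tag dict.
    Raises ValueError when the record is not a usable DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= tag")
    return tags


def effective_policy(tags: dict, from_domain: str, org_domain: str) -> str:
    """Policy that applies to mail whose From: is from_domain. A subdomain of the
    organisational domain uses sp= when present and falls back to p= otherwise,
    which is why gmail.com reads p=none for gmail.com itself but quarantine for
    any subdomain."""
    if from_domain.lower() != org_domain.lower() and "sp" in tags:
        return tags["sp"].lower()
    return tags["p"].lower()


def parse_spf(txt: str) -> list:
    """Return (qualifier, mechanism, argument) triples, e.g. ('+', 'include', 'domain.com').
    A missing qualifier means '+' (pass)."""
    if not txt.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = []
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?", term, re.I)
        if not m:
            raise ValueError(f"unparseable SPF term: {term}")
        qualifier, mechanism, argument = m.groups()
        terms.append((qualifier or "+", mechanism.lower(), argument or ""))
    return terms


def spf_includes(txt: str, sender_domain: str) -> bool:
    """True when the record delegates to sender_domain with a passing include:."""
    return any(q == "+" and mech == "include" and arg.lower() == sender_domain.lower()
               for q, mech, arg in parse_spf(txt))


def summarize(dmarc_txt: str, spf_txt: str, from_domain: str, org_domain: str, mail_domain: str) -> dict:
    """The two things the failure notification in this thread asks about: is there a
    valid DMARC record, and does SPF permit the AnonAddy mail domain to send."""
    out = {"dmarc_valid": True, "dmarc_policy": None, "spf_includes_mail_domain": False, "errors": []}
    try:
        out["dmarc_policy"] = effective_policy(parse_dmarc(dmarc_txt), from_domain, org_domain)
    except ValueError as exc:
        out["dmarc_valid"] = False
        out["errors"].append(f"DMARC: {exc}")
    try:
        out["spf_includes_mail_domain"] = spf_includes(spf_txt, mail_domain)
    except ValueError as exc:
        out["errors"].append(f"SPF: {exc}")
    return out


if __name__ == "__main__":
    print(summarize(GMAIL_DMARC, GMAIL_SPF_EXAMPLE, "gmail.com", "gmail.com", "domain.com"))
    print(summarize(JOHN_DMARC, JOHN_SPF_AFTER, "john.com", "john.com", "domain.com"))
```

Running it shows that gmail.com's record is valid with policy `none` for gmail.com itself (and `quarantine` for a subdomain), and that john.com only delegates to domain.com once the `include:` is in place; `errors` is where a missing or malformed record shows up.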
Hi all,

I have IPv6 disabled system wide. It was bugging with my Docker install. AnonAddy does not depend on IPv6.

Hmm, ok my docker install has run everything else just fine up until now, what did you exactly change with your docker to get anonaddy to run properly?

My exact steps are outlined above.

That very much looks like my setup. The only thing I haven't done like that is the SPF setup of the target domain to include the anonaddy domain....

What part is not 'running properly' in your case?

When I try to reply to an anonaddy mail I get the "Attempted reply/send from alias has failed" error mail saying that my target domain must have a valid DMARC entry (which it has) and must permit the message to be sent (which I am just trying to find out whether the problem might be there).

The target's DMARC is

For me this was fixed with the last section of my "guide";

I changed that, but that did not do it for me.

Just remember that, because these are DNS settings, they might take a while to propagate.

I will wait some more, maybe it will start working...

Ehm, I think there is a problem with DNS in my install. It seems it cannot read the TXT entry for a custom domain. I am using the stock docker image and DNS inside it works. I have set google dns as resolver and checked that google DNS sees the TXT entry. It does but anonaddy doesn't....

Outgoing firewall? My hosting provider blocked port 25 for example. I'm using a relay SMTP server. It has nothing to do with DNS I know.

Seemed to be the DNS caching. That now worked...

😀 that helps!

@GitTworn Can you make an example with the following data? Could you share what records should be for both domains? (Maindomain.com and hiddendomain.com) Thanks a lot in advance. I still cannot get it to work.

Maybe I am on to something. When I try to add custom domains it first complains that it does not find an MX record. After some time when the DNS info is propagated properly it will start complaining that there is no SPF record (so it did find the MX records all right) and that never stops. This happened for two domains now although I copy and pasted the SPF info from the custom domains page. Maybe the whole problem is that it cannot parse SPF info correctly for some reason. That would also explain that the alias thing fails as it would not be able to parse the SPF info of the target domain and error out... The TXT DNS for my domain reads:

;; ANSWER SECTION:
I have been struggling with this issue for a day and I think I finally got it working. This is my

```shell
TZ=Etc/UTC
PUID=1000
PGID=1000
APP_NAME=AppAddy
APP_ENV=production
APP_KEY=secret
APP_DEBUG=false
APP_LOG_LEVEL=debug
# The URL of the AnonAddy instance, can be anything you like e.g. https://aa.example.com, or just https://example.com, if using a non-standard port you must include it e.g. https://example.test:8000. Do not include a trailing slash '/'
APP_URL=https://app.example.com
LOG_CHANNEL=stack
DB_CONNECTION=mysql
# The from name to be used for outgoing email notifications from AnonAddy
MAIL_FROM_NAME=Rehan
# The from address to be used for outgoing email notifications from AnonAddy
MAIL_FROM_ADDRESS=mailer@example.com
MAIL_DRIVER=smtp
MAIL_HOST=mail.example.com
MAIL_PORT=25
MAIL_ENCRYPTION=tls
MAIL_EHLO_DOMAIN=mail.example.com
MAIL_VERIFY_PEER=true
# The SMTP FROM address to be used if the alias address cannot be, e.g. for a custom domain that is not verified for sending
ANONADDY_RETURN_PATH=bounces@example.com
# This allows you to receive emails as a catch-all at the apex domain e.g. *@example.com
ANONADDY_ADMIN_USERNAME=johndoe
ANONADDY_ENABLE_REGISTRATION=false
ANONADDY_DOMAIN=example.com
ANONADDY_HOSTNAME=mail.example.com
ANONADDY_DNS_RESOLVER=1.1.1.1
ANONADDY_ALL_DOMAINS=example.com
# Used for verifying custom domains, can be anything e.g. 64U64QcpgWHAZPyr4nN58kDGvwj9TkKMGyuXcjMFA7CdhTDy2f
#ANONADDY_SECRET=long-random-string
# Number of emails that can be forwarded through the service per hour by any one user
ANONADDY_LIMIT=200
# Monthly bandwidth limit, default 100MB
ANONADDY_BANDWIDTH_LIMIT=104857600
# Limit on how many new aliases can be created per hour, default 100
ANONADDY_NEW_ALIAS_LIMIT=100
# Limit on the number of additional usernames that can be added, default 10
ANONADDY_ADDITIONAL_USERNAME_LIMIT=10
# Fingerprint of the private key that you generated on the server to be used to sign encrypted forwarded emails
#ANONADDY_SIGNING_KEY_FINGERPRINT=
# This is only needed if you will be adding any custom domains. If you do not need it then leave it blank.
ANONADDY_DKIM_SIGNING_KEY=/etc/opendkim/keys/example.com/default.private
#ANONADDY_DKIM_SIGNING_KEY=
#ANONADDY_DKIM_SELECTOR=default
SANCTUM_STATEFUL_DOMAINS=app.example.com
# Postfix
POSTFIX_DEBUG=false
POSTFIX_SMTPD_TLS=true
POSTFIX_SMTPD_TLS_CERT_FILE=/certs/example.com.fullchain.pem
POSTFIX_SMTPD_TLS_KEY_FILE=/certs/example.com.key.pem
POSTFIX_SMTP_TLS=true
# Rspamd
RSPAMD_ENABLE=true
RSPAMD_WEB_PASSWORD=abc
```

I am not using the relay host and sending the emails directly from my IP. The current DNS setting I am using is:

SPF

DKIM

DMARC

This is my

```yaml
---
version: '3.8'

secrets:
  mariadb_root:
    file: /docker-data/anonaddy/secrets/mariadb_root
  mariadb:
    file: /docker-data/anonaddy/secrets/mariadb
  app_key:
    file: /docker-data/anonaddy/secrets/app_key
  anonaddy_secret:
    file: /docker-data/anonaddy/secrets/anonaddy_secret
  postfix_relayhost_password:
    file: /docker-data/anonaddy/secrets/postfix_relayhost_password
  cloudflare_api_token:
    file: /docker-data/anonaddy/secrets/cloudflare_api_token
  rspamd_password:
    file: /docker-data/anonaddy/secrets/rspamd_password

networks:
  inner-net:
    driver: bridge
  backplain:
    external: true

services:
  db:
    image: mariadb:${DB_VERSION}
    container_name: 'anonaddy-db'
    command:
      - "mysqld"
      - "--character-set-server=utf8mb4"
      - "--collation-server=utf8mb4_unicode_ci"
    secrets:
      - mariadb_root
      - mariadb
    networks:
      - inner-net
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/mariadb_root
      MARIADB_DATABASE: ${MARIADB_DATABASE}
      MARIADB_USER: ${MARIADB_USER}
      MARIADB_PASSWORD_FILE: /run/secrets/mariadb
    volumes:
      - type: bind
        source: /docker-data/anonaddy/mariadb
        target: /var/lib/mysql
        read_only: false
    healthcheck:
      test: ["CMD", "/usr/local/bin/healthcheck.sh", "--connect"]
      interval: 5s
      timeout: 5s
      retries: 10
      start_period: 10s
    restart: 'unless-stopped'

  redis:
    image: redis:alpine
    container_name: 'anonaddy-redis'
    networks:
      - inner-net
    environment:
      TZ: Etc/UTC
    volumes:
      - type: bind
        source: /docker-data/anonaddy/redis
        target: /data
        read_only: false
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      interval: 1s
      timeout: 3s
      retries: 10
      start_period: 2s
    restart: 'unless-stopped'

  cert-manager:
    image: rehanone/auto-cert-manager:${CERT_MANAGER_VERSION}
    container_name: 'anonaddy-cert-manager'
    secrets:
      - cloudflare_api_token
    environment:
      DOMAINS: example.com,*.example.com
      EMAIL: ${CERT_MANAGER_EMAIL}
      CERTBOT_PLUGIN: ${CERT_MANAGER_CERTBOT_PLUGIN}
      CLOUDFLARE_API_TOKEN_FILE: /run/secrets/cloudflare_api_token
      PROPAGATION_SECONDS: ${CERT_MANAGER_PROPAGATION_SECONDS}
      DEBUG: true
      STAGING: ${CERT_MANAGER_STAGING}
    volumes:
      - type: bind
        source: /docker-data/anonaddy/tls/letsencrypt
        target: /etc/letsencrypt
        read_only: false
      - type: bind
        source: /docker-data/anonaddy/tls/certs
        target: /certs
        read_only: false
      - type: bind
        source: /docker-data/anonaddy/tls/log
        target: /var/log/letsencrypt
        read_only: false
    restart: 'unless-stopped'

  app:
    image: anonaddy/anonaddy:${APP_VERSION}
    container_name: 'anonaddy-app'
    labels:
      - traefik.enable=true
      - traefik.http.routers.anonaddy-app.rule=Host(`app.example.com`)
      - traefik.http.routers.anonaddy-app.entrypoints=websecure
      - traefik.http.routers.anonaddy-app.tls=true
      - traefik.http.routers.anonaddy-app.tls.certresolver=le-resolver
      - traefik.http.routers.anonaddy-app.middlewares=security-headers@file
      - traefik.http.routers.anonaddy-app.service=anonaddy-app
      - traefik.http.services.anonaddy-app.loadbalancer.server.scheme=http
      - traefik.http.services.anonaddy-app.loadbalancer.server.port=8000
      - traefik.http.routers.anonaddy-rspamd.rule=Host(`rspamd-admin.example.com`)
      - traefik.http.routers.anonaddy-rspamd.entrypoints=websecure
      - traefik.http.routers.anonaddy-rspamd.tls=true
      - traefik.http.routers.anonaddy-rspamd.tls.certresolver=le-resolver
      - traefik.http.routers.anonaddy-rspamd.middlewares=security-headers@file
      - traefik.http.routers.anonaddy-rspamd.service=anonaddy-rspamd
      - traefik.http.services.anonaddy-rspamd.loadbalancer.server.scheme=http
      - traefik.http.services.anonaddy-rspamd.loadbalancer.server.port=11334
    secrets:
      - mariadb
      - app_key
      - anonaddy_secret
      - postfix_relayhost_password
      - rspamd_password
    networks:
      - inner-net
      - backplain
    environment:
      DB_HOST: db
      DB_DATABASE: ${MARIADB_DATABASE}
      DB_USERNAME: ${MARIADB_USER}
      DB_PASSWORD_FILE: /run/secrets/mariadb
      REDIS_HOST: redis
      APP_KEY_FILE: /run/secrets/app_key
      ANONADDY_SECRET_FILE: /run/secrets/anonaddy_secret
      POSTFIX_RELAYHOST_PASSWORD_FILE: /run/secrets/postfix_relayhost_password
      RSPAMD_WEB_PASSWORD_FILE: /run/secrets/rspamd_password
    volumes:
      - type: bind
        source: /docker-data/anonaddy/tls/certs
        target: /certs
        read_only: true
      - type: bind
        source: /docker-data/anonaddy/app-data
        target: /data
        read_only: false
    env_file:
      - ./anonaddy.env
    ports:
      - "25:25/tcp"
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
    restart: 'unless-stopped'
```

The

```shell
APP_VERSION=latest
# DB Section
DB_VERSION=10.5
MARIADB_DATABASE=anonaddy
MARIADB_USER=anonaddy
CERT_MANAGER_VERSION=latest
CERT_MANAGER_PROPAGATION_SECONDS=220
CERT_MANAGER_STAGING=false
CERT_MANAGER_EMAIL="someone@sombody.com"
CERT_MANAGER_CERTBOT_PLUGIN=cloudflare
```

I did not make any other changes that are related to IPv6. I hope this will be helpful for others trying to set up using this docker image. I am using traefik in a separate container but I left the labels in there just as an example. You can safely remove it.
Hmmm now it has stopped complaining that the SPF is not there but that the CNAME domainkey record is not found (which of course is there). Something seems to go terribly wrong with DNS querying...

On my side it is working great. It definitely has to do with DNS. I was tinkering with it for days until it worked. The documentation is not great (verbose enough) on that point.

It could just be a case of DNS caching. Remember, it could take up to 24 hours for full propagation of DNS changes.

Yes indeed, but suddenly it recognizes the SPF Records but not the CNAME which I set up at the same time. Don't know what the problem is there and it does not explain the alias send fail.

Something is broken in the way anonaddy handles DNS queries. It will not find the CNAME entry for my custom domain although it's definitely set right. Is there some log file with detailed information? The Log File of the Docker Container does not tell me much.

I found the logs (feeling stupid for missing them in storage). I get an `"error":"dns_get_record(): DNS Query failed"`.

Has anyone a fix for that now? I spent 4 hours yesterday trying to fix it but I cannot find what is going wrong

I wasn't able to fix it and finally switched to simplelogin, which was a bit of a pain to set up but now works flawlessly.

@crazy-max May I ask you to please check this issue a bit? We really don't know what could be wrong with our configurations.
Hello guys! I spent a few hours today trying to dig the issue and I finally understood why it was not working.

Root cause

As defined in https://github.com/anonaddy/anonaddy/blob/ad77a6ccf90a974408370df9e574356ff2a04fef/app/Console/Commands/ReceiveEmail.php#L156 , AnonAddy checks whether the headers

Second problem

Even after enabling Rspamd, the messages would still not get delivered. I then explored the Rspamd dashboard to understand why. After seeing the messages, they would not have the DMARC_POLICY_ALLOW tag attached to them. As per the default Rspamd config in this repo, the header

After setting the Rspamd logs to a more verbose option, I figured out that since I'm running my mailserver also in containers, they are (obviously) in a local network which Rspamd does not like by default.

I tried again, and eureka, it works!

So, TL;DR:

Solution

Update your docker-compose as the following:

I will create a PR in the following days to fix the issue.

@Zegorax, Thanks for investigating this issue and providing such a detailed analysis! Cannot wait to see the fix applied in a PR.

Pull request has been created in #207. It will need an approval from the maintainers.
😞 I just upgraded to the last version of this image. We can't send or reply from any alias anymore. It was working well for me since #192 (comment)

The DMARC record did not change for ages but let's control it:

```shell
➜ ~ dig +short TXT _dmarc.DOMAIN.TLD
"v=DMARC1; p=quarantine; adkim=s"
```

The DMARC record looks correct to me. Tracing the issue leads me here too: https://github.com/anonaddy/anonaddy/blob/master/app/Console/Commands/ReceiveEmail.php#L156

```php
if ($verifiedRecipient?->can_reply_send) {
    // Check if the Dmarc allow or spam headers are present from Rspamd
    if (! $this->parser->getHeader('X-AnonAddy-Dmarc-Allow') || $this->parser->getHeader('X-AnonAddy-Spam')) {
        // Notify user and exit
        $verifiedRecipient->notify(new SpamReplySendAttempt($recipient, $this->senderFrom, $this->parser->getHeader('X-AnonAddy-Authentication-Results')));
        exit(0);
    }
```

So I simply trace the variables:

```php
Log::info([
    'can_reply_send' => $verifiedRecipient?->can_reply_send,
    'X-AnonAddy-Dmarc-Allow' => $this->parser->getHeader('X-AnonAddy-Dmarc-Allow'),
    'X-AnonAddy-Spam' => $this->parser->getHeader('X-AnonAddy-Spam'),
    'In-Reply-To' => $this->parser->getHeader('In-Reply-To')
]);
```

I tried with the following configurations (removing and creating all containers each time):

So now, Rspamd or not... we can't send emails anymore? Captain? An idea? 😛
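The PHP gate quoted in this thread decides on exactly two Rspamd-added headers, so when it refuses, the Authentication-Results value passed to the notification is the only clue to which check failed. The following Python is an added example, not AnonAddy's code: it reproduces that decision over a header dict and, on refusal, parses the Authentication-Results header (RFC 8601 form) to list the methods that did not pass, distinguishing the case where no such header exists at all, which is what a Postfix instance without the Rspamd milter produces. All header sets and values are constructed; the X-AnonAddy-* values are assumed to be whatever non-empty string Rspamd's milter_headers writes.

```python
"""Added example (not AnonAddy's code): the reply/send gate from ReceiveEmail.php
plus an Authentication-Results reader for explaining refusals. Header dicts
below are constructed samples, not captured from a real message."""
import re
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    authserv_id: str
    # method -> (result, {property: value}), e.g. "dmarc" -> ("pass", {"header.from": "john.com"})
    methods: dict = field(default_factory=dict)


def parse_authentication_results(header: str) -> AuthResults:
    """Minimal RFC 8601 parser: 'authserv-id; method=result prop=val ...; ...'.
    Parenthesised comments such as '(policy=quarantine)' are dropped."""
    parts = [p.strip() for p in header.split(";")]
    authserv_id = parts[0].split()[0] if parts and parts[0] else ""
    ar = AuthResults(authserv_id=authserv_id)
    for resinfo in parts[1:]:
        resinfo = re.sub(r"\([^)]*\)", " ", resinfo).strip()
        if not resinfo or resinfo.lower() == "none":
            continue
        tokens = resinfo.split()
        m = re.fullmatch(r"([a-z0-9_-]+)=([a-z]+)", tokens[0], re.I)
        if not m:
            continue
        props = {}
        for token in tokens[1:]:
            if "=" in token:
                key, value = token.split("=", 1)
                props[key.lower()] = value
        ar.methods[m.group(1).lower()] = (m.group(2).lower(), props)
    return ar


def reply_send_allowed(headers: dict) -> tuple:
    """Same gate as the quoted PHP: refuse unless X-AnonAddy-Dmarc-Allow is present
    and X-AnonAddy-Spam is absent. Header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    if not lower.get("x-anonaddy-dmarc-allow"):
        return False, "X-AnonAddy-Dmarc-Allow header missing"
    if lower.get("x-anonaddy-spam"):
        return False, "X-AnonAddy-Spam header present"
    return True, "ok"


def diagnose(headers: dict) -> str:
    """Explain a refusal: no Authentication-Results at all means Rspamd never saw
    the message (the milter is not wired into Postfix); otherwise list the
    methods whose result is not 'pass'."""
    allowed, reason = reply_send_allowed(headers)
    if allowed:
        return "allowed"
    lower = {k.lower(): v for k, v in headers.items()}
    raw = lower.get("x-anonaddy-authentication-results") or lower.get("authentication-results")
    if not raw:
        return reason + "; no Authentication-Results header, Rspamd did not process this message (check smtpd_milters)"
    failing = [f"{method}={result}"
               for method, (result, _) in parse_authentication_results(raw).methods.items()
               if result != "pass"]
    if failing:
        return reason + "; failing checks: " + ", ".join(failing)
    return reason + "; all authentication checks passed"


# constructed sample header sets (values are illustrative, not captured from a real message)
AR_PASS = ("mail.example.com; dmarc=pass (policy=quarantine) header.from=john.com; "
           "spf=pass smtp.mailfrom=hello@john.com; dkim=pass header.d=john.com header.s=default")
AR_FAIL = ("mail.example.com; dmarc=fail (policy=quarantine) header.from=john.com; "
           "spf=fail smtp.mailfrom=hello@john.com; dkim=none")
OK_HEADERS = {"X-AnonAddy-Dmarc-Allow": "john.com", "Authentication-Results": AR_PASS}
SPAM_HEADERS = {"X-AnonAddy-Dmarc-Allow": "john.com", "X-AnonAddy-Spam": "Yes", "Authentication-Results": AR_PASS}
DMARC_FAIL_HEADERS = {"Authentication-Results": AR_FAIL}
NO_MILTER_HEADERS = {"From": "hello@john.com", "In-Reply-To": "<id@example.com>"}  # nothing from Rspamd at all

if __name__ == "__main__":
    for name, hdrs in [("ok", OK_HEADERS), ("spam", SPAM_HEADERS),
                       ("dmarc-fail", DMARC_FAIL_HEADERS), ("no-milter", NO_MILTER_HEADERS)]:
        print(f"{name}: {diagnose(hdrs)}")
```

The `no-milter` case is the one that matches the Postfix fix later in this thread: every X-AnonAddy-* header is absent and there is no Authentication-Results either, so the gate refuses without any authentication having actually failed.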
Alright... finally found out that the milter's configuration is missing. Even when I added it in a custom Postfix conf, following the doc to Override Postfix main configuration.

```diff
+milter_default_action = accept
+smtpd_milters = inet:127.0.0.1:11332
+non_smtpd_milters = $smtpd_milters
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
```

Now it works but a question remains. I didn't dive into the code enough to answer. If the configuration allows a

#207 should fix this issue by setting

Even when I set that env, it still doesn't work for me
Hi guys, I'm receiving the same email as anonaddy/anonaddy/issues/310 from my self-hosted instance.
I just upgraded to the last docker image with Rspamd, I send emails from gmail to anonaddy in order to reply to an email received earlier. As far as I know, gmail has a proper dmarc record.

`/etc/rspamd/local.d/milter_headers.conf` is present in the container and looks correct.

`rspamadm configdump -m` result is:

Is there anything I can provide to help?