feat: do not bind SMTP client sockets to public addresses#932
Merged
Conversation
Contributor
Author
|
Draft because I still want to add some docs. |
link2xt
temporarily deployed
to
staging.chatmail.at/doc/relay/
GitHub Actions
Inactive
j-g00da
approved these changes
Apr 22, 2026
ccclxxiii
approved these changes
Apr 22, 2026
missytake
approved these changes
Apr 22, 2026
Contributor
missytake
left a comment
missytake
left a comment
There was a problem hiding this comment.
Thanks for the extensive documentation!
(If anyone wants to check: https://staging.chatmail.at/doc/relay/932/reverse_dns.html )
This change reverts 06560dd Main reason for using the same address for sending as the one used in DNS is to pass FCrDNS (forward-confirmed reverse DNS) checks: IP address used by SMTP client should resolve to the domain which in turn resolves to the same IP. chatmail relays don't do check reverse DNS for incoming connections, but other email servers may do and reject email if the check does not pass. Most chatmail relays only have one IP address per address family, so this configuration does not change anything. For chatmail relays that have multiple addresses and only publishing one IP to DNS, source address used for outgoing SMTP connections should be the public IP. This can be ensured by configuring the source address in the routing table, e.g. with the `src` argument to `ip route add/change/replace` command. Solving this by binding SMTP client address on the application level prevents chatmail relays from configuring alternative routes. Besides, some chatmail relays are NATed and NAT is responsible for translating the address to the public one, in which case using `smtp_bind_address_enforce` will result in unnecessarily deferring all mails.
link2xt
force-pushed
the
link2xt/dont-bind-src-addr
branch
from
7ab6d2a to
bbd42c0
Compare
Contributor
Author
|
Updated the documentation a bit to mention IP reputation which is apparently the main reason for floating IP. |
Contributor
Author
|
Merged it already because it seems unlikely that we decide the approach of using routing table for multi-homed setups does not work. Worst case we can revert it. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change reverts 06560dd
Main reason for using the same address for sending as the one used in DNS is to pass FCrDNS
(forward-confirmed reverse DNS) checks:
IP address used by SMTP client should resolve
to the domain which in turn resolves to the same IP. chatmail relays don't do check reverse DNS
for incoming connections,
but other email servers may do and reject email
if the check does not pass.
Most chatmail relays only have one IP address per address family, so this configuration does not change anything.
For chatmail relays that have multiple addresses
and only publishing one IP to DNS,
source address used for outgoing SMTP connections
should be the public IP.
This can be ensured by configuring the source
address in the routing table,
e.g. with the
srcargumentto
ip route add/change/replacecommand.Solving this by binding SMTP client address
on the application level prevents chatmail relays
from configuring alternative routes.
Besides, some chatmail relays are NATed
and NAT is responsible for translating the address to the public one, in which case using
smtp_bind_address_enforcewill result in unnecessarily deferring all mails.