Docker Mailserver docker-mailserver worldwide https://github.com/docker-mailserver/docker-mailserver/pkgs/container/docker-mailserver Organization maintaining docker-mailserver, a fullstack but simple mailserver with SMTP, IMAP, LDAP, Antispam, Antivirus, etc. using Docker.

docker-mailserver/docker-mailserver 11784

Production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) running inside a container.

docker-mailserver/docker-mailserver-helm 57

Kubernetes Helm chart for docker-mailserver

docker-mailserver/docker-mailserver-admin 17

A sidecar container for management tasks of docker-mailserver

docker-mailserver/env-generator 1

Parser for YAML files to generate Markdown documentation and .env files

push event docker-mailserver/docker-mailserver

github-actions[bot]

commit sha 32c9105082624bc75d2497d6db3f5237294ada3e

docs: update `CONTRIBUTORS.md`

push time in 9 hours

push event docker-mailserver/docker-mailserver

dependabot[bot]

commit sha 62f4544dd2ebe1ff68f3e59bb0e9bca7a6905ed4

chore(deps): Bump docker/setup-buildx-action from 2.10.0 to 3.0.0 (#3540) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.10.0 to 3.0.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v2.10.0...v3.0.0) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot[bot]

commit sha c425cdddc56880637c8b1d4d193d75fdf8556d17

chore(deps): Bump docker/build-push-action from 4.2.1 to 5.0.0 (#3541) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 4.2.1 to 5.0.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v4.2.1...v5.0.0) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

dependabot[bot]

commit sha af65189a82672f986a026c92039dbb68a0922273

chore(deps): Bump docker/setup-qemu-action from 2.2.0 to 3.0.0 (#3542) Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 2.2.0 to 3.0.0. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](https://github.com/docker/setup-qemu-action/compare/v2.2.0...v3.0.0) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot[bot]

commit sha 285266a6aab88a210efbc02e2b67b068ee7d75b2

chore(deps): Bump docker/metadata-action from 4.6.0 to 5.0.0 (#3544) Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 4.6.0 to 5.0.0. - [Release notes](https://github.com/docker/metadata-action/releases) - [Upgrade guide](https://github.com/docker/metadata-action/blob/master/UPGRADE.md) - [Commits](https://github.com/docker/metadata-action/compare/v4.6.0...v5.0.0) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot[bot]

commit sha 539a7bc3bb92d237f2f3b190b6a33bacfa71e2bf

chore(deps): Bump docker/login-action from 2 to 3 (#3543) Bumps [docker/login-action](https://github.com/docker/login-action) from 2 to 3. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v2...v3) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

jpduyx

commit sha 8c0cfa0836bcf20e78a2d5d1ae02270004ee0aed

docs: Revise `update-and-cleanup.md` (#3539)

* Update update-and-cleanup.md

  spotify dockergc is UNMAINTAINED, they advise to consider using the `docker system prune` command instead.

  "This repository has been archived by the owner on Feb 2, 2021. It is now read-only."

  https://github.com/spotify/docker-gc

* Revise `update-and-cleanup.md`

  Merges the image update + cleanup sections.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

push time in 9 hours

issue closed docker-mailserver/docker-mailserver

other: My Server rejected email from my icloud email

Subject

Other

Description

I was testing and haven't had issues with the server; I can send and receive emails. I tried sending an email from my iCloud account and I can see in the logs of my server that the email reached my server, but it was rejected by my docker mail server: 'Recipient address rejected: Delayed by Postgrey;'

Here are the full logs:

Aug 22 19:57:31 smtp policyd-spf[7115]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=17.58.38.56; helo=ms11p00im-qufo17281901.me.com; envelope-from=mypersonal@icloud.com; receiver=<UNKNOWN> 

action=greylist, reason=early-retry (173s missing), client_name=ms11p00im-qufo17281901.me.com, client_address=17.58.38.56/32, sender=mypersonal@icloud.com, recipient=email@mydomain.com

action=greylist, reason=early-retry (173s missing), client_name=ms11p00im-qufo17281901.me.com, client_address=17.58.38.56/32, sender=mypersonal@icloud.com, recipient=email@mydomain.com

action=greylist, reason=early-retry (173s missing), client_name=ms11p00im-qufo17281901.me.com, client_address=17.58.38.56/32, sender=mypersonal@icloud.com, recipient=email@mydomain.com

action=greylist, reason=early-retry (173s missing), client_name=ms11p00im-qufo17281901.me.com, client_address=17.58.38.56/32, sender=mypersonal@icloud.com, recipient=email@mydomain.com

Aug 22 19:57:31 smtp postfix/smtpd[7104]: NOQUEUE: reject: RCPT from ms11p00im-qufo17281901.me.com[17.58.38.56]: 450 4.2.0 <email@mydomain.com>: Recipient address rejected: Delayed by Postgrey; from=<mypersonal@icloud.com> to=<email@mydomain.com> proto=ESMTP helo=<ms11p00im-qufo17281901.me.com>

The email was received correctly after 20 mins

closed time in 12 hours

jpsanchezl10

issue comment docker-mailserver/docker-mailserver

other: My Server rejected email from my icloud email

This issue was closed due to inactivity.

jpsanchezl10

comment created time in 12 hours

issue comment docker-mailserver/docker-mailserver

question: How to configure Traefik for port 465? (Postfix smtpd throws TLS library error)

As a first step, could you help narrow the configuration down to a minimal reproduction? I've not used Traefik.

  • I assume we can drop the IMAP config (Dovecot) for now to focus on just the port 465 issue (Postfix submission)
  • Is haproxy important? Can you elaborate what that is doing?
  • Are we able to rule out the acme.json support for now?
    • Technically we can try with the acme.json first and ignore Traefik + haproxy changes to confirm the cert is working correctly. We have tests that check this, but they don't perform any mail submission, but they do test establishing TLS connection is successful (including for port 465).
    • We have some self-signed certs (and variants with a self-signed root CA instead of LetsEncrypt) used for testing with mail.example.test / example.test here. Those also include an acme.json. I suppose Traefik would need to be configured to use those as well, but it's a bit more tricky to set up trust for the self-signed root CA. Don't worry about this too much, it's just an idea for a better controlled reproduction environment.

I don't have much time myself to dig into this, and that's probably the case for others too. So it'd be best to minimize the compose.yaml to focus on the core issue with port 465.

It should be possible to reduce down to this, plus whatever extra Traefik config with labels is needed? Do you have a traefik service also configured for compose.yaml for easier reproduction?

  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:12.1
    container_name: mailserver
    hostname: mail.domain.com
    # You should be able to reproduce without needing any other volumes (just `postfix-accounts.cf` and overrides needed)
    volumes:
      - ${DOCKER_VOLUMES_FOLDER}/dms/config/:/tmp/docker-mailserver/
      - ${DOCKER_VOLUMES_FOLDER}/traefik/acme.json:/etc/letsencrypt/acme.json:ro
    # skip env file, since that's not helping identify minimum environment settings
    environment:
      - SSL_TYPE=letsencrypt
      # You shouldn't need SSL_DOMAIN (docs are a bit outdated regarding that)
      # - SSL_DOMAIN=domain.com # using wildcard cert
    # What is the minimum labels needed here to reproduce the port 465 issue with traefik?
    labels:
      - "traefik.enable=true"
    networks:
      proxy:
        ipv4_address: 172.25.0.12

# No healthcheck or other service settings needed

Try the following (localhost should be fine as-is):

# Test the connection directly on DMS (and maybe also against the traefik container):
# Success should have `Verification: OK` in output
docker exec -it mailserver sh -c 'timeout 1 openssl s_client -connect localhost:465'

Extra options you can add to the end of that command:

  • -CAfile /path/to/ca.file if using custom CA instead of LetsEncrypt (if running in a container, this path must exist in the container)
  • -servername mail.example.test if testing FQDN (eg: openssl request to traefik, this provides SNI for it to route). Adjust to your actual configured hostname for DMS.

You could use the cert files I linked with the -CAfile and -servername options for mail.example.test, but as mentioned this may be extra hassle to setup correctly (either adding to containers / host trust stores). Since you've got Dovecot IMAP working successfully, it'd seem the issue is with Postfix.

With your setup, does this also produce the TLS error when it runs the openssl command in the DMS container? If it does that is helpful, if it doesn't, it should when going through Traefik (you'll likely need the -servername option).


<details> <summary>Ignore this (misunderstanding)</summary>

EDIT: This is bad advice 😅 (trusting client IPs like Traefik, shouldn't be related to authenticating trust over port 465)

Another option for testing could be related to the Postfix network trust. You configured this explicitly for Dovecot above, but I don't see similar done for Postfix. (EDIT: My mistake, dovecot was haproxy trust, not client trust)

We have support for that with PERMIT_DOCKER, but be careful here as when the host can be reached by IPv6 IP, it can route to Docker IPv4 via the bridge gateway allowing to bypass trust. Either disable IPv6 access to the host, or configure an IPv6 ULA network for docker (see our :edge docs, IPv6 page was rewritten for v13 release).

Note that PERMIT_DOCKER doesn't look like it was implemented properly IMO. You could try PERMIT_DOCKER=host for now, or maybe mynetworks directly via postfix-main.cf override to whitelist the network addresses you do want to trust explicitly. Our main.cf default defines the following:

https://github.com/docker-mailserver/docker-mailserver/blob/f28fce9cc432f1f447bd963d9e54e44bcf2c27dd/target/postfix/main.cf#L17

However since Feb 2022 the default of PERMIT_DOCKER was changed to none which empties that entirely:

https://github.com/docker-mailserver/docker-mailserver/blob/f28fce9cc432f1f447bd963d9e54e44bcf2c27dd/target/scripts/startup/setup.d/networking.sh#L45-L48

AFAIK, this shouldn't need to change. Authenticating over port 465 should provide the trust, while whitelisting clients from IPs or entire subnets bypasses that. It's possible that this is why Dovecot is working for you on IMAP? (EDIT: Nevermind, that's haproxy specific)

</details>

mich2k

comment created time in 12 hours

fork logic-automation/docker-mailserver

Production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) running inside a container.

https://docker-mailserver.github.io/docker-mailserver/latest/

fork in 18 hours

issue opened docker-mailserver/docker-mailserver

bug report:

📝 Preliminary Checks

  • [X] I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

👀 What Happened?

Hello, after having carefully followed every step reported in #3063, I still cannot get implicit TLS SMTP running in any way, while implicit IMAP works. I am wondering how to interpret these logs I get.

👟 Reproduction Steps

Use DMS behind Traefik reverse proxy

🐋 DMS Version

v12.1.0

💻 Operating System and Architecture

Linux sbserver 5.15.0-83-generic #92-Ubuntu SMP Mon Aug 14 09:30:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

⚙️ Container configuration files

dovecot config override:


haproxy_trusted_networks = 172.25.0.2, 32
haproxy_timeout = 3 secs
service imap-login {
  inet_listener imaps {
    haproxy = yes
    ssl = yes
    port = 10993
  }
}

postfix-master

submission/inet/smtpd_upstream_proxy_protocol=haproxy
submissions/inet/smtpd_upstream_proxy_protocol=haproxy

postfix-main

postscreen_upstream_proxy_protocol = haproxy

  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    restart: always
    container_name: mailserver
    hostname: mail.domain.com
    env_file: mailserver.env
    volumes:
      - ${DOCKER_VOLUMES_FOLDER}/dms/mail-data/:/var/mail/
      - ${DOCKER_VOLUMES_FOLDER}/dms/mail-state/:/var/mail-state/
      - ${DOCKER_VOLUMES_FOLDER}/dms/mail-logs/:/var/log/mail/
      - ${DOCKER_VOLUMES_FOLDER}/dms/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      - ${DOCKER_VOLUMES_FOLDER}/traefik/acme.json:/etc/letsencrypt/acme.json:ro
    cap_add:
      - NET_ADMIN
    stop_grace_period: 1m
    environment:
      - SSL_TYPE=letsencrypt
      - SSL_DOMAIN=gmichele.com # using wildcard cert
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.smtp.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.smtp.entrypoints=smtp"
      - "traefik.tcp.routers.smtp.service=smtp"
      - "traefik.tcp.services.smtp.loadbalancer.server.port=25"
      - "traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=1"
      - "traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.smtp-ssl.tls=false"
      - "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl"
      - "traefik.tcp.routers.smtp-ssl.service=smtp-ssl"
      - "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465"
      - "traefik.tcp.services.smtp-ssl.loadbalancer.proxyProtocol.version=1"
      - "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl"
      - "traefik.tcp.routers.imap-ssl.service=imap-ssl"
      - "traefik.tcp.services.imap-ssl.loadbalancer.server.port=10993"
      - "traefik.tcp.services.imap-ssl.loadbalancer.proxyProtocol.version=2"
      - "traefik.tcp.routers.sieve.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.sieve.entrypoints=sieve"
      - "traefik.tcp.routers.sieve.service=sieve"
      - "traefik.tcp.services.sieve.loadbalancer.server.port=4190"
    networks:
      proxy:
        ipv4_address: 172.25.0.12


📜 Relevant log output

```Text
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:27 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:27:28 mail postfix/smtps/smtpd[415654]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: connect from traefik.proxy[172.25.0.2]
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: SSL_accept error from traefik.proxy[172.25.0.2]: -1
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: lost connection after CONNECT from traefik.proxy[172.25.0.2]
Sep 23 12:42:20 mail postfix/smtps/smtpd[417225]: disconnect from traefik.proxy[172.25.0.2] commands=0/0
```


Improvements to this form?

No response

created time in a day
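A diagnostic sketch for the log above, added here and not part of the issue or of docker-mailserver's code: OpenSSL's `wrong version number` typically indicates that the first bytes on a TLS listener did not form a TLS record header, so this classifies a connection's first bytes as a PROXY protocol v1/v2 header, a TLS record, or something else, and reports whether that matches what the listener expects (for Postfix, whether `smtpd_upstream_proxy_protocol` is in effect on that service). The sample bytes and the client address 203.0.113.7 are constructed.

```python
# PROXY protocol v2 starts with this fixed 12-byte signature.
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed samples (not captured traffic): start of a TLS ClientHello
# record, and the v1 line a proxy would send ahead of it.
CLIENT_HELLO = bytes.fromhex("1603010200010001fc0303")
PROXY_V1 = b"PROXY TCP4 203.0.113.7 172.25.0.12 51234 465\r\n"


def classify_preamble(data: bytes) -> dict:
    """Say what kind of traffic `data` (first bytes of a connection) starts with."""
    if data.startswith(PROXY_V2_SIG):
        if len(data) < 16:
            return {"kind": "proxy-v2", "complete": False}
        # Bytes 14-15: big-endian length of what follows the 16-byte header.
        end = 16 + int.from_bytes(data[14:16], "big")
        return {"kind": "proxy-v2", "complete": len(data) >= end, "rest": data[end:]}
    if data.startswith(b"PROXY "):
        # v1 is a single ASCII line of at most 107 bytes including CRLF.
        eol = data.find(b"\r\n", 0, 107)
        if eol == -1:
            return {"kind": "proxy-v1", "complete": False}
        fields = data[6:eol].decode("ascii", "replace").split(" ")
        return {"kind": "proxy-v1", "complete": True,
                "fields": fields, "rest": data[eol + 2:]}
    # TLS record header: content type, then version major 3, minor 0..4.
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4:
        return {"kind": "tls", "record": TLS_CONTENT_TYPES[data[0]]}
    return {"kind": "other"}


def handshake_outcome(data: bytes, listener_expects_proxy: bool) -> str:
    """Predict what an implicit-TLS listener makes of the first bytes."""
    first = classify_preamble(data)
    if first["kind"].startswith("proxy"):
        if not listener_expects_proxy:
            return "tls-error: PROXY header parsed as a TLS record"
        if not first["complete"]:
            return "incomplete PROXY header"
        inner = classify_preamble(first["rest"])
        if inner["kind"] == "tls":
            return "ok"
        return "tls-error: no TLS record after PROXY header"
    if first["kind"] == "tls":
        if listener_expects_proxy:
            return "proxy-error: TLS record where PROXY header expected"
        return "ok"
    return "tls-error: first bytes are not a TLS record"


if __name__ == "__main__":
    samples = (("proxy-v1 + tls", PROXY_V1 + CLIENT_HELLO), ("tls only", CLIENT_HELLO))
    for expects in (True, False):
        for name, data in samples:
            print(f"expects_proxy={expects!s:5} {name:15} -> "
                  f"{handshake_outcome(data, expects)}")
```

Feed it the first bytes captured on the listener side (for example from a packet capture on the Docker network) to see which side of the proxy/listener pair is out of step.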

pull request comment docker-mailserver/docker-mailserver

feat: start implementing replication - Add DOVECOT_ITERATE_ATTRS/FILTER ENVs

This pull request has become stale because it has been open for 20 days without activity. This pull request will be closed in 10 days automatically unless:

  • a maintainer removes the meta/stale label or adds the stale-bot/ignore label
  • new activity occurs, such as a new comment

williamdes

comment created time in a day

issue closed docker-mailserver/docker-mailserver

other: I need help configuring DKIM

Description

I want to set up DKIM, so people won't spoof my email. I read the documentation on DKIM, DMARC & SPF but I'm not getting it.

What DNS records do I need to add? What do I need to modify in my docker?

closed time in 2 days

jpsanchezl10

issue comment docker-mailserver/docker-mailserver

other: I need help configuring DKIM

This issue was closed due to inactivity.

jpsanchezl10

comment created time in 2 days

issue comment docker-mailserver/docker-mailserver

[TODO]: Transition to `DMS_FQDN`

This issue has become stale because it has been open for 20 days without activity. This issue will be closed in 10 days automatically unless:

  • a maintainer removes the meta/stale label or adds the stale-bot/ignore label
  • new activity occurs, such as a new comment

polarathene

comment created time in 3 days
