Configuring PERMIT_DOCKER=network allows use as open relay
What was the behaviour observed?
Configuring PERMIT_DOCKER=network allowed an external IP to send E-Mail to an external address.
What was the expected behaviour?
Only E-Mail from valid (SPF checks passing) external hosts is accepted.
Steps to reproduce:
- Configure the mail container:
  - DKIM not configured
  - ENABLE_SRS=0
  - PERMIT_DOCKER=network
  - HOSTNAME=mail
  - DOMAINNAME=DOMAINNAME.com
  - CONTAINER_NAME=mail
- Get that image:
  `tvial/docker-mailserver latest 4b4724934af6 2 weeks ago 544MB`
- Start the container based on it with `docker-compose up`.
- Run telnet on an arbitrary host (not even in your host's network) that allows outgoing connections on port 25:

  ```
  $ telnet DOMAINNAME.com 25
  Trying 2c23:xxx:xx:1021:xxx:873c:0:1...
  Connected to DOMAINNAME.com.
  Escape character is '^]'.
  220 mail.DOMAINNAME.com ESMTP Postfix (Debian)
  EHLO mail.DOMAINNAME.com
  250-mail.DOMAINNAME.com
  250-PIPELINING
  250-SIZE 10240000
  250-ETRN
  250-STARTTLS
  250-AUTH PLAIN LOGIN
  250-AUTH=PLAIN LOGIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN
  MAIL FROM: <[email protected]>
  250 2.1.0 Ok
  RCPT TO: <[email protected]>
  250 2.1.5 Ok
  DATA
  354 End data with <CR><LF>.<CR><LF>
  Subject: test
  Test message.
  .
  250 2.0.0 Ok: queued as ECAB5243619
  QUIT
  221 2.0.0 Bye
  Connection closed by foreign host.
  ```
- Pling qulong. [email protected] just got email.
Container logs:

```
mail | Feb 21 01:05:34 mail postfix/master[1007]: daemon started -- version 3.1.12, configuration /etc/postfix
mail | Feb 21 01:07:12 mail postfix/postscreen[1361]: cache btree:/var/lib/postfix/postscreen_cache full cleanup: retained=0 dropped=0 entries
mail | Feb 21 01:07:12 mail postfix/postscreen[1361]: CONNECT from [172.25.0.1]:45636 to [172.25.0.2]:25
mail | Feb 21 01:07:12 mail postfix/postscreen[1361]: WHITELISTED [172.25.0.1]:45636
mail | Feb 21 01:07:12 mail postfix/smtpd[1362]: connect from unknown[172.25.0.1]
mail | Feb 21 01:07:12 mail opendmarc[213]: ignoring connection from [172.25.0.1]
mail | Feb 21 01:09:06 mail postfix/smtpd[1362]: ECAB5243619: client=unknown[172.25.0.1]
mail | Feb 21 01:09:09 mail postfix/submission/smtpd[1811]: warning: hostname zgXXXXX-XXX.XXXXXX.com does not resolve to address 19X.XXX.XX5.29: Name or service not known
mail | Feb 21 01:09:09 mail postfix/submission/smtpd[1811]: connect from unknown[19X.XXX.XX5.29]
mail | Feb 21 01:09:09 mail postfix/submission/smtpd[1811]: disconnect from unknown[19X.XXX.XX5.29] ehlo=1 quit=1 commands=2
mail | Feb 21 01:09:31 mail postfix/cleanup[1802]: ECAB5243619: message-id=<>
mail | Feb 21 01:09:31 mail opendkim[206]: ECAB5243619: can't determine message sender; accepting
mail | Feb 21 01:09:31 mail postfix/qmgr[1010]: ECAB5243619: from=<[email protected]>, size=244, nrcpt=1 (queue active)
mail | Feb 21 01:09:32 mail postfix/smtpd[1904]: connect from localhost[127.0.0.1]
mail | Feb 21 01:09:32 mail postfix/smtpd[1904]: B2161243662: client=localhost[127.0.0.1]
mail | Feb 21 01:09:32 mail postfix/cleanup[1802]: B2161243662: message-id=<[email protected]>
mail | Feb 21 01:09:32 mail postfix/qmgr[1010]: B2161243662: from=<[email protected]>, size=723, nrcpt=1 (queue active)
mail | Feb 21 01:09:32 mail amavis[1012]: (01012-01) Passed BAD-HEADER-7 {RelayedOutbound,Quarantined}, LOCAL [172.25.0.1]:45636 <[email protected]> -> <[email protected]>, quarantine: j/badh-juwrtxl8uFt9, Queue-ID: ECAB5243619, mail_id: juwrtxl8uFt9, Hits: 2.743, size: 294, queued_as: B2161243662, 1101 ms
mail | Feb 21 01:09:32 mail postfix/smtp[1897]: ECAB5243619: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=46, delays=44/0.01/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B2161243662)
mail | Feb 21 01:09:32 mail postfix/qmgr[1010]: ECAB5243619: removed
mail | Feb 21 01:09:38 mail postfix/smtp[1905]: Anonymous TLS connection established to redirect.ovh.net[213.186.33.5]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
mail | Feb 21 01:09:38 mail postfix/smtp[1905]: B2161243662: to=<[email protected]>, relay=redirect.ovh.net[213.186.33.5]:25, delay=5.5, delays=0.01/0.01/5.4/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2FF13AD)
mail | Feb 21 01:09:38 mail postfix/qmgr[1010]: B2161243662: removed
mail | Feb 21 01:09:39 mail postfix/smtpd[1362]: disconnect from unknown[172.25.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
```
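The logs above carry the pattern that separates this misconfiguration from legitimate traffic: the external client shows up as the Docker bridge gateway 172.25.0.1, which the PERMIT_DOCKER=network whitelist covers, and a message with a non-local sender is queued for a non-local recipient. The following detector is an added example, not docker-mailserver code; it correlates the `client=`, `from=` and `to=` lines per queue id, and the local domain, the 172.25.0.0/16 range (inferred from the addresses in the logs) and the sample lines are assumptions modelled on this report.

```python
import ipaddress
import re

# Assumed from this report (not docker-mailserver code): the local mail domain
# and the Docker network the container sits in, seen as 172.25.0.x in the logs.
LOCAL_DOMAINS = {"domainname.com"}
DOCKER_NET = ipaddress.ip_network("172.25.0.0/16")

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([\d.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<([^>]*)>")

def domain_of(addr):
    """Lower-cased domain part of an address; '' for the null sender."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def trusted_by_permit_docker(ip):
    """Would mynetworks trust this client? The bridge gateway 172.25.0.1 is
    inside the /16, and that is the address the external client showed up as."""
    return ipaddress.ip_address(ip) in DOCKER_NET

def find_relay_abuse(lines):
    """(queue_id, client_ip, sender, recipient) for each message a trusted Docker
    address submitted with neither sender nor recipient local: the relay signature."""
    client, sender, hits = {}, {}, []
    for line in lines:
        if m := CLIENT_RE.search(line):
            client[m[1]] = m[2]
        elif m := FROM_RE.search(line):
            sender[m[1]] = m[2]
        elif m := TO_RE.search(line):
            qid, rcpt, ip = m[1], m[2], client.get(m[1])
            if (ip and trusted_by_permit_docker(ip)
                    and domain_of(sender.get(qid, "")) not in LOCAL_DOMAINS
                    and domain_of(rcpt) not in LOCAL_DOMAINS):
                hits.append((qid, ip, sender.get(qid, ""), rcpt))
    return hits

# Constructed sample lines modelled on the report: one relayed message and one
# legitimate inbound delivery to a local mailbox.
SAMPLE_LOG = """\
Feb 21 01:09:06 mail postfix/smtpd[1362]: ECAB5243619: client=unknown[172.25.0.1]
Feb 21 01:09:31 mail postfix/qmgr[1010]: ECAB5243619: from=<spoofed@outside-a.example>, size=244, nrcpt=1 (queue active)
Feb 21 01:09:32 mail postfix/smtp[1897]: ECAB5243619: to=<victim@outside-b.example>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
Feb 21 01:10:00 mail postfix/smtpd[1400]: AAAA11112222: client=unknown[172.25.0.1]
Feb 21 01:10:01 mail postfix/qmgr[1010]: AAAA11112222: from=<friend@outside-a.example>, size=300, nrcpt=1 (queue active)
Feb 21 01:10:02 mail postfix/smtp[1897]: AAAA11112222: to=<user@domainname.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
""".splitlines()
```

Running `find_relay_abuse` over the real container log (with the `mail | ` compose prefix, which the regexes ignore) flags the queue id ECAB5243619 from the telnet session and nothing else.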
Compose configuration:

```yaml
version: '2'
services:
  mail:
    image: tvial/docker-mailserver:latest
    hostname: ${HOSTNAME}
    domainname: ${DOMAINNAME}
    container_name: ${CONTAINER_NAME}
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - ./config/:/tmp/docker-mailserver/
      - certs:/etc/letsencrypt/live
    env_file:
      - .env
      - env-mailserver
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    restart: always
    networks:
      mail:
        aliases:
          - mailgate
          - mail.DOMAINNAME.com
networks:
  mail:
volumes:
  maildata:
  mailstate:
  maillogs:
  certs:
    external:
      name: some_name_where_certs_are_stored
# vim: tabstop=2 softtabstop=0 expandtab shiftwidth=2 smarttab
```