Docker's default IPv6 setup breaks SPF checks #1438

@meiamsome

Description

Context

When another mail server sends an email over IPv6 to a server running this docker-compose setup, SPF protection processes the mail incorrectly.

Expected Behavior

The SPF check is run against the originating IPv6 address.

Actual Behavior

The SPF check is run against the IPv4 gateway that Docker uses to proxy the IPv6 connection (172.20.0.1 is the gateway):

Mar 28 08:18:20 mailserver postfix/smtpd[16668]: connect from unknown[172.20.0.1]
Mar 28 08:18:20 mailserver policyd-spf[16674]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=<email removed>>;ip=172.20.0.1;r=<UNKNOWN>
Mar 28 08:18:20 mailserver postfix/smtpd[16668]: NOQUEUE: reject: RCPT from unknown[172.20.0.1]: 550 5.7.23 <<email removed>>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=<email removed>;ip=172.20.0.1;r=<UNKNOWN>; from=<<email removed>> to=<<email removed>> proto=ESMTP helo=<<domain removed>>>
Mar 28 08:18:20 mailserver postfix/smtpd[16668]: disconnect from unknown[172.20.0.1] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6

Possible Fix

There is an upstream issue to implement the same IPv6 NAT rules as IPv4: moby/moby#25407.
I don't think that this is fixable in docker-mailserver itself at this current time without going far outside of the scope of a mailserver.

Workaround

I have got SPF with IPv6 to work correctly using robbertkl/docker-ipv6nat, which configures ip6tables to do NAT like Docker currently does for iptables, and with a small tweak to the docker-compose.yml (and a bump to version 2.1):

networks:
  default:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: fd00:0123:4567::/48
          gateway: fd00:0123:4567::1

This returns the correct result:

Mar 28 11:11:44 mailserver postfix/smtpd[978]: connect from <domain removed>[<ipv6 address removed>]
Mar 28 11:11:44 mailserver policyd-spf[986]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=<ipv6 address removed>; helo=<domain removed>; envelope-from=<email removed>; receiver=<UNKNOWN> 

Steps to Reproduce

  1. Configure docker-mailserver on a server with an IPv6 address.
  2. Send an email from another server that will connect to the original server over IPv6, and ensure SPF is configured.
  3. Observe the SPF failure.

Discussion

Mostly I'm posting this issue here as a note that there doesn't seem to be any progress on the upstream issue, so perhaps a warning in the Readme, or similar, may be required because:

  1. Launching this project on a server with IPv6 will listen for IPv6 connections that won't work as docker will listen on both IPv4 & IPv6 when forwarding ports
  2. It is possible to entirely miss this case as most mail servers use IPv4 and I only happened to notice this after another mail server I had configured manually reported an undelivered mail to me.
