IPv4 address must be set in docker-compose.yml explicitly #2927

@ki9us

I recently noticed that gmail users were unable to send email to my docker-mailserver instance. Messages were being bounced back with this message:

450 4.7.25 Client host rejected: cannot find your hostname, [172.23.0.1]

In the docker logs:

CONNECT from [172.23.0.1]:32968 to [172.23.0.1]:25
PASS OLD [172.23.0.1]:32968
connect from unknown[172.23.0.1]
Anonymouse TLS connection established from unknown[172.23.0.1]...
NOQUEUE: reject: RCPT from unknown[172.23.0.1]: 450 4.7.25 Client host rejected: cannot find your hostname, [172.23.0.1]
disconnect from unknown[172.23.0.1]...

172.23.0.1 is the docker gateway address to the docker network. What was weird is that other mail services, like yahoo, were sending mail correctly and the logs were showing CONNECT from the correct external IP:

CONNECT from [170.249.216.138]:39102 to [172.23.0.3]:25
PASS OLD [170.249.216.138]:39102
connect from atl.slvit.us[170.249.216.138]
Anonymous TLS connection established from atl.slvit.us[170.249.216.138]...
prepend Received-SPF: Pass (mailfrom)...
...

It took some googling before I found out what was happening. The diagnostics were done by @Rillke in a comment in #1405, which I quote:

Compose created an IPv4 network, since IPv6 is not enabled for Docker on that host. When another host connects to the host running the container using IPv6, the Docker Proxy translates IPv6 to IPv4 and inserts itself/its Gateway as Source IP Address, essentially doing NAT.

The first thing I did was to enable IPv6 and assign an IPv6 address to the container. But to my surprise, it was showing connections from the docker gateway's IPv6 address, instead of the external IPv6 address. That is to say, it seems like the IPv6 implementation is broken in docker (as usual).

CONNECT from [2001:db8:1::1:0:1]:32968 to [2001:db8:1::1:0:2]:25
PASS OLD [2001:db8:1::1:0:1]:32968
connect from unknown[2001:db8:1::1:0:1]
Anonymouse TLS connection established from unknown[2001:db8:1::1:0:1]...
NOQUEUE: reject: RCPT from unknown[2001:db8:1::1:0:1]: 450 4.7.25 Client host rejected: cannot find your hostname, [2001:db8:1::1:0:1]
disconnect from unknown[2001:db8:1::1:0:1]...

The only workaround that worked for me was @Rillke's:

As an interim solution I bound port 25 to the public IPv4 interface instead of any interface. If my host wants to send email, it has to authenticate now, but that's okay.

    ports:
-      - "25:25"
+      - "the_IP_v4:25:25"
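
Review bot: the added line `- "the_IP_v4:25:25"` uses a placeholder that nothing in the compose file explains; a comment beside it should say that it stands for the host's public IPv4 address and that, with this binding, port 25 is no longer published on any other interface, which is why the host itself now has to authenticate to send mail.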

This closes port 25 on the VPS's IPv6 address and works around the problem. Now, seeing as:

  • The only requirement to reproduce this is to have a server with IPv6 (pretty common)
  • The result is silently not receiving emails from gmail and other big services (very serious)
  • Docker is not likely to fix their IPv6 implementation anytime soon (unfortunately)

... I am proposing making the README and docker-compose.yml explicit about putting the server's external IP address in the ports section. I'd be happy to PR it.
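
Added example, not part of the original issue or of docker-mailserver's code: a small log audit that flags SMTP clients logged with a non-global address (such as the Docker gateway) and counts the `450 4.7.25` rejections tied to them, so the silent failure described above becomes visible. The log lines are constructed from the excerpts in this issue, and the `postfix/...[pid]:` prefixes and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the log excerpts quoted in the issue.
SAMPLE_LOG = """\
postfix/postscreen[1]: CONNECT from [172.23.0.1]:32968 to [172.23.0.1]:25
postfix/smtpd[2]: NOQUEUE: reject: RCPT from unknown[172.23.0.1]: 450 4.7.25 Client host rejected: cannot find your hostname, [172.23.0.1]
postfix/postscreen[1]: CONNECT from [170.249.216.138]:39102 to [172.23.0.3]:25
postfix/postscreen[1]: CONNECT from [2001:db8:1::1:0:1]:32968 to [2001:db8:1::1:0:2]:25
postfix/smtpd[2]: NOQUEUE: reject: RCPT from unknown[2001:db8:1::1:0:1]: 450 4.7.25 Client host rejected: cannot find your hostname, [2001:db8:1::1:0:1]
"""

CONNECT_RE = re.compile(r"CONNECT from \[([0-9a-fA-F:.]+)\]:\d+ to \[[0-9a-fA-F:.]+\]:25")
REJECT_RE = re.compile(r"reject: RCPT from \S*\[([0-9a-fA-F:.]+)\]: 450 4\.7\.25 ")


def is_masked(ip_text):
    """True when the logged client address cannot belong to a real Internet peer.

    Private, ULA, link-local and documentation ranges are all non-global.
    Local clients (the host, other containers) also match, so review the hits.
    """
    return not ipaddress.ip_address(ip_text).is_global


def audit(log_text):
    """Return {client_ip: {"connects": n, "rejects_450_4_7_25": m}} for masked clients."""
    connects, rejects = Counter(), Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and is_masked(m.group(1)):
            connects[m.group(1)] += 1
            continue
        m = REJECT_RE.search(line)
        if m and is_masked(m.group(1)):
            rejects[m.group(1)] += 1
    return {ip: {"connects": n, "rejects_450_4_7_25": rejects[ip]}
            for ip, n in connects.items()}


if __name__ == "__main__":
    for ip, stats in audit(SAMPLE_LOG).items():
        print(ip, stats)
```

Any address it reports on port 25 means the real sender's IP never reached Postfix, so hostname checks like the one that produced the rejections above are evaluated against the gateway instead.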
