fix: Only listen on 127.0.0.1 for the Dovecot quota-status service #3057
| inet_listener { | ||
| port = 65265 | ||
| # You can choose any port you want | ||
| address = localhost |
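Review bot: the new `address = localhost` line has no comment, while the `port = 65265` line above it carries one saying any port can be chosen. Since the address is what keeps the quota-status listener off external interfaces, a short comment on that line stating it is meant to stay on the loopback interface would make it less likely that a later edit widens it again.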
Could localhost here potentially resolve to an IPv6 address? Would it be better to use 127.0.0.1?
if the docker-container is set up properly, that shouldn't be the case.
but i also don't see any reason against changing it, so i will.
well, technically, other components are using localhost to connect. so unless any of them have a non-standard way of resolving localhost or prefers ipv4 over ipv6 (or vice-versa), using localhost, dovecot will use the same as the other applications.
then again, the day anyone starts turning off ipv4 addresses for the loopback interface is probably far in the future.
Out of curiosity, why are you using host networking with this image? Is there an issue with a bridge network at all?

@polarathene hi :-) i encountered deliverability issues with providers like gmail, outlook, and icloud. it has nothing to do with docker-mailserver, per se but with docker itself. if ipv6nat had been part of the configuration template, maybe i would've rolled with it.

Thanks for sharing 👍
I am aware, and looked into this regarding a recent-ish IPv6 issue, but didn't get around to posting a response. The good news is support is improving (albeit rather slowly). While experimenting with Docker support, I did find a bug, which has since been fixed but I'm not sure if it's made it to a public release yet. If you want to use container networking with IPv6, make sure you have the following in

```json
{
  "ip6tables": true,
  "experimental": true,
  "userland-proxy": true
}
```

You'll need to restart the daemon if it's running, not just reload it. The above enables the

Then you need to configure a network for your container, in

```yaml
networks:
  # Overrides the `default` compose generated network, avoids needing to attach to each service:
  default:
    enable_ipv6: true
    # An IPv4 subnet is implicitly configured, IPv6 needs to be specified:
    ipam:
      config:
        - subnet: fd00:cafe:babe::/48
```

I don't see any issue for IPv6 NAT with ULA addresses for internal routing like that. I might not know IPv6 well enough though, but unless I'd explicitly want an IPv6 address for a container to be publicly reachable, I prefer the NAT config above. Then my server with its public IPv6 address can be reached, and be compatible with the containers without all those containers being reachable publicly 🤔
@polarathene nice, good info - thanks! my previous attempts with the bridge failed - likely because i didn't know about the
see #1438 and #3057 (with #3057 (comment)) for reference. Supersedes #3061
Description
Docker-Mailserver has dovecot listen on port 65265 for any address. When using host networking, that isn't necessarily desirable. Fix existing indentation.
Type of change
Checklist:
Fairly confident.
And a test.
Not sure it's worth it.
docs/) The docs don't mention the port. All existing code already uses localhost.
Not sure it's worth it.
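
A way to check the effect of this change on a host-networked deployment, as an added example that is not part of the pull request or of docker-mailserver: the function below reads `ss -H -ltn` output and prints every non-loopback address that port 65265 is bound to. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# exposed_listeners PORT
# Reads `ss -H -ltn` lines on stdin (State Recv-Q Send-Q Local Peer) and prints
# each local address bound to PORT that is NOT a loopback address.
# Real use (assumes iproute2's ss):  ss -H -ltn | exposed_listeners 65265
exposed_listeners() {
    awk -v port="$1" '
    {
        # Split "addr:port" at the LAST colon; IPv6 addresses contain colons.
        n = length($4)
        while (n > 0 && substr($4, n, 1) != ":") n--
        if (n == 0) next
        addr = substr($4, 1, n - 1)
        if (substr($4, n + 1) != port) next
        gsub(/^\[|\]$/, "", addr)   # [::1] -> ::1
        sub(/%.*$/, "", addr)       # drop an interface scope such as %lo
        # 127.0.0.0/8, ::1 and IPv4-mapped loopback count as local-only.
        if (addr ~ /^(::ffff:)?127\./ || addr == "::1") next
        print addr
    }'
}

# Constructed sample: listener without an address restriction (any address).
sample_any() {
    cat <<'EOF'
LISTEN 0 100 0.0.0.0:65265 0.0.0.0:*
LISTEN 0 100 [::]:65265 [::]:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
EOF
}

# Constructed sample: listener restricted to loopback. `localhost` may
# resolve to 127.0.0.1, ::1 or both, so both forms are shown.
sample_loopback() {
    cat <<'EOF'
LISTEN 0 100 127.0.0.1:65265 0.0.0.0:*
LISTEN 0 100 [::1]:65265 [::]:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
EOF
}

echo "unrestricted listener:"
sample_any | exposed_listeners 65265
echo "loopback-only listener (expect no addresses below):"
sample_loopback | exposed_listeners 65265
```

An empty result for the port means the service is only reachable from the host itself; any printed address is an interface on which it is reachable from outside.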