Documentation preview for this PR is ready! 🎉

Built with commit: effff50

It should be possible to configure your Docker host to support IPv6 NAT and I think that will resolve the issue experienced. If anyone can confirm that I am happy to revise the docs here with that approach.

If I hadn't started actively using my mail server I would definitely check it and validate but it's impossible for me to risk missing some mails right now.

Background info seems relevant still. I'd rather not drop that. The alternative fix and additional issue to reference is good though +1

It should be possible to configure your Docker host to support IPv6 NAT and I think that will resolve the issue experienced. If anyone can confirm that I am happy to revise the docs here with that approach.

It might be possible, but the current documentation will fail to give that. So it should at least carry a big warning "this IPv6 NAT approach is only theoretically interesting as it is practically useless for mail reception".

So it should at least carry a big warning "this IPv6 NAT approach is only theoretically interesting as it is practically useless for mail reception".

Docs state that IPv6 will connect, but mail will fail SPF check (which causes rejection, at least if not authenticated IIRC?):

If your container host supports IPv6, then docker-mailserver will automatically accept IPv6 connections by way of the docker host's IPv6.
However, incoming mail will fail SPF checks because they will appear to come from the IPv4 gateway that docker is using to proxy the IPv6 connection

Referenced issue #2927 shows:

Client host rejected: cannot find your hostname, [172.23.0.1]

And another related issue (with another user already configured with IPv6 advice I gave) had that same error (but with an IP that wasn't a private address). It's possible that this PR which made it to the v11.2.0 release is another failure point being experienced, and thus the current docs are outdated as they don't account for that?

I've assigned myself to look into it. I'm currently focused on overhauling the test suite so that we can improve test coverage for issues like this, especially with DNS and more real-world style mail delivery. After that I'll try to reproduce and go from there.

Docs state that IPv6 will connect, but mail will fail SPF check (which causes rejection, at least if not authenticated IIRC?):

Correct.

If your container host supports IPv6, then docker-mailserver will automatically accept IPv6 connections by way of the docker host's IPv6.
However, incoming mail will fail SPF checks because they will appear to come from the IPv4 gateway that docker is using to proxy the IPv6 connection

That is only correct if you use the stock configuration. If you enable robbertkl/ipv6nat per instructions, you will get the the address of the IPv6 gateway.

And another related issue (with another user already configured with IPv6 advice I gave) had that same error (but with an IP that wasn't a private address).

I haven't experienced the issue with the rejected public address, only private (both IPv4 as you wrote and IPv6 with robbertkl/ipv6nat). Hope this helps.

If you enable robbertkl/ipv6nat per instructions, you will get the the address of the IPv6 gateway.

Since Docker supports IPv6 NAT via /etc/docker/daemon.json with ip6tables: true and experimental: true, this should replace the need for that extra container. I have heard that there is some minor differences, but I don't think they'd affect DMS differently. If we can resolve the issue the docs can be updated to suggest official support by Docker instead.

The quoted docs may only apply to stock configuration but they do describe the reason IPv6 is problematic out of the box, so I still see value in keeping that in the docs.

I haven't experienced the issue with the rejected public address, only private (both IPv4 as you wrote and IPv6 with robbertkl/ipv6nat). Hope this helps.

So even with that container setup and providing proper IPv6 NAT, you don't receive mail? But no errors like others are seeing? Do you have any other logs that communicate failures?

So even with that container setup and providing proper IPv6 NAT, you don't receive mail? But no errors like others are seeing? Do you have any other logs that communicate failures?

I'm not sure what would proper IPv6 NAT mean in this case. Any configuration of IPv6 I found via web search and tried thus far, be it via daemon.json or via docker-compose.yml, resulted only in rejections. Either the rejected address was a private IPv4 address of the gateway or the private IPv6 address of the gateway. Therefore, I guess I haven't been able to get "proper NAT" working.

I'm not sure what would proper IPv6 NAT mean in this case.

I meant that it was supported instead of the container seeing an IPv4 address it should be an IPv6 one. I think it can be a bit more problematic if there are other containers routing the traffic though. With reverse-proxies for example, they handle this fine, but if a container they bridge needs the external IP, they need to provide it via a separate header IIRC, as otherwise they get the wrong IP (internal container IP).

It would be helpful if there's a simple config + steps that I can try reproduce with when I get the time to investigate.

Either the rejected address was a private IPv4 address of the gateway or the private IPv6 address of the gateway.

Oh, I misread your previous statement about public. Most reports are with the private address being rejected. I thought you were saying you weren't seeing that in your logs 😅

In that case, it's very much likely caused by this PR. I think if you revert that change, it may fix the problem. If you try this and it does fix it for you, please let us know.

It would be helpful if there's a simple config + steps that I can try reproduce with when I get the time to investigate.

Sure, reset Docker config to default (i.e. remove daemon.json and restart the service) and then follow the IPv6 instructions from Docker-Mailserver docs. That should be enough.

In that case, it's very much likely caused by this PR. I think if you revert that change, it may fix the problem. If you try this and it does fix it for you, please let us know.

I believe this is the case. However, that PR is correct in its thinking so I don't want to revert it.

The container receiving the connection via IPv6 should see the public IPv6 of the sending side and not the private IPv4/IPv6 address of the gateway. The problem is that it doesn't happen and I have no idea whether this is due to incorrect configuration of Docker or robbertkl/ipv6nat. Either way, the documentation should mention the issue exists.

As is, this PR can not be merged as maintainers decided it removes information still relevant. Since IPv6 is just an awfu.. complex protocol, this needs more work.

Moreover, this seems to have stalled, which I absolutely dislike, but I also understand it in this case.. so, @polarathene, what would you do now? I would like to do something about this PR - otherwise it will continue to rot.

@polarathene, what would you do now? I would like to do something about this PR - otherwise it will continue to rot.

• I've been swamped, and need to prioritize other tasks in DMS backlog atm. If I can look into it this month I will.
• Still relevant to keep open as a reminder / todo. Alternatively an issue can be opened and reference this PR if you want to close it instead. So long as the concern is visible to be aware that it needs attention is all I care about right now.

Closing in favor if #3244 which superseeds this PR.