docs: bind-smtp-network-interface.md - Add bridge network config advice #4330
polarathene merged 11 commits into docker-mailserver:master from
Added options to set up Docker to use the same interface for outgoing traffic
I have added @polarathene as a reviewer on this one. It will probably take a few days for him to go through this, even if it is a small change.
polarathene left a comment:
Thanks for the contribution, I've provided feedback and will come back to this for a 2nd pass later. I'd appreciate a reproduction example if you can offer one, otherwise I'll sort it out before merging.
=== "Multiple IP hosts"

Sometimes containers use the first IP address from Docker host for outgoing traffic and verifications of rDNS (PTR) can occur for that IP address.
To force container to use specific IP address from host you can use following configuration in compose.yml
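Review bot: the sentence "you can use following configuration in compose.yml" is not followed by any configuration in this excerpt, so the added tab should carry the compose snippet it refers to, and the preceding sentence attributes the behaviour to the container ("containers use the first IP address from Docker host") when in bridge mode the container only has its private bridge address; it is the bridge network's outbound host IP that needs to be set. Suggest rewording to name what the setting changes (the host IP used for the bridge network's outbound traffic) and adding the snippet, and fixing the missing articles: "To force the container to use a specific IP address from the host, use the following configuration in compose.yml".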
rDNS would be for a mail server receiving mail to verify the connecting MTA. From the context of DMS connecting to another mail server that checks rDNS:
- DMS (Postfix) greets the third-party MTA with "Hello from mail.example.com"
- Third-party MTA resolves mail.example.com to the connecting IP, and then IIRC also does rDNS to verify that IP resolves to a DNS record that resolves back to the same IP DMS is connecting from.
So your main concern here is when DMS traffic routes through a public interface with an outbound IP that doesn't match the associated DNS. The container isn't really involved in that with a bridge network, so this description isn't right? It's more about routing the bridge network through the preferred host network interface.
This will need to be revised in that case if I've understood that correctly. You can try that or I'll provide a suggestion when I return to this PR again.
Here is my config and environment. VPS with two IPs. I have sites on 203.161.53.206 and can't have the PTR record there. So I got another IP address 203.161.53.53 with a proper PTR set.
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 203.161.53.206 netmask 255.255.255.0 broadcast 203.161.53.255
eth0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 203.161.53.53 netmask 255.255.255.0 broadcast 203.161.53.255
In compose.yaml
ports:
- "203.161.53.53:587:587" # ESMTP (explicit TLS => STARTTLS)
- "203.161.53.53:993:993" # IMAP4 (implicit TLS)
In mailserver.env I have NETWORK_INTERFACE=eth0:0
With the default bridge I get this warning when sending to mail-tester.com
mailserver | 2025-02-03T01:40:11.948379+01:00 mail postfix/smtp[1072]: warning: smtp_connect_addr: bind 203.161.53.53: Cannot assign requested address
mailserver | 2025-02-03T01:40:14.550576+01:00 mail postfix/smtp[1072]: 6D2A010B342: to=<[email protected]>, relay=reception.mail-tester.com[94.23.206.89]:25, delay=3.1, delays=0.03/0.02/1.8/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BBC929F61E)
On mail-tester I get 3 negative points due to
[SPF] zedologija.com does not allow your server 203.161.53.206 to use [email protected]
and in the source there is the raw message received by Postfix, and it has
Received: from server1.rsc-hosting.com (unknown [203.161.53.206])
from which it is finding this IP
Co-authored-by: Brennan Kinney <[email protected]>
Thanks for this information. I'll apply the suggested changes in a moment.
Regarding this:
warning: smtp_connect_addr: bind 203.161.53.53: Cannot assign requested address
I see that you bound the IP via ports instead of the host_binding_ipv4 setting, which should be fine. However did you apply that smtp_bind_address Postfix setting as this page documents for host mode networking? (but you had a bridged network instead)
If so, it fails to bind to that IP because that is the host IP that the container has nothing to do with. It's assigned its own private IP address on the bridge subnet, which has the container port mapped to the host IP + port (or for the default 0.0.0.0, the port on host has a listener bound for all host IP addresses).
I'll do a follow-up PR on this page to better clarify the distinction of required config between host vs bridged network modes 👍
Postfix will just emit that warning from failing to bind, but should still work unless the Postfix 3.7+ setting smtp_bind_address_enforce is enabled, which would prevent that. Instead for you, just avoid the smtp_bind_address change entirely 😎
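As an added example (not this PR's diff and not the project's own docs), here is a compose.yaml that keeps the reporter's port bindings on the secondary IP and additionally makes the bridge network's outbound (masqueraded) traffic leave via that same IP, so the receiving MTA sees 203.161.53.53 and its PTR record instead of the host's first IP; smtp_bind_address is deliberately left unset, as advised above for bridge networking. It assumes a Docker Engine release that supports the `com.docker.network.bridge.host_ipv4` bridge driver option, and reuses the reporter's addresses and the `mail.example.com` hostname from the discussion as placeholders.

```yaml
# compose.yaml (added example; addresses copied from the report above, adapt to your host)
services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    container_name: mailserver
    hostname: mail.example.com          # must have A and PTR records for 203.161.53.53
    env_file: mailserver.env            # do NOT set smtp_bind_address for bridge mode
    ports:
      # Inbound: listen only on the mail IP, not on the web sites' IP
      - "203.161.53.53:25:25"     # SMTP  (explicit TLS => STARTTLS)
      - "203.161.53.53:465:465"   # ESMTP (implicit TLS)
      - "203.161.53.53:587:587"   # ESMTP (explicit TLS => STARTTLS)
      - "203.161.53.53:993:993"   # IMAP4 (implicit TLS)
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
    restart: always

networks:
  default:
    driver: bridge
    driver_opts:
      # Host IP used when a "ports:" entry gives no explicit IP (defence in depth
      # against a future port mapping accidentally listening on 203.161.53.206)
      com.docker.network.bridge.host_binding_ipv4: 203.161.53.53
      # Outbound: SNAT traffic from this bridge to the mail IP, so the remote MTA's
      # rDNS/SPF checks see 203.161.53.53 (assumes Engine support for this option)
      com.docker.network.bridge.host_ipv4: 203.161.53.53
```

After `docker compose up -d`, a test mail to a service such as mail-tester.com should show `Received: from mail.example.com (... [203.161.53.53])` rather than the host's first IP; if the `smtp_connect_addr: bind ... Cannot assign requested address` warning still appears in the Postfix log, a leftover smtp_bind_address override from the host-mode instructions is still present and should be removed.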
I think I get what you wrote, but it's been a while since I set it up, and I tried many things, so it is a bit fuzzy what exactly I did. I just wanted to help others with a similar issue and share what worked for me to get that 10/10 on mail-tester.com. Let me know if I need to change/edit something or close the PR...
It's greatly appreciated thanks! We've had two users previously reach out about not being able to figure out the outbound IP seen by servers when they used bridged networking. No need to change anything or close the PR. I'll take it from here, thank you so much for contributing! ❤️
Documentation preview for this PR is ready! 🎉 Built with commit: 1e7dd3e
Description
Added info on how to set up Docker to use the same interface for outgoing traffic. The problem was that I was using a single VPS for sites and the mailserver. I got an additional IP address, but all outgoing traffic from the mailserver was going through the original IP. This network config makes the container use the specified IP for outgoing traffic too.
The problem manifested as mail-tester.com seeing the original VPS IP address and failing the rDNS checks, even when set up with the suggestions from this part of the page.
Fixes #