
Comments (9)

casperklein commented on May 29, 2024

(connect to alt2.gmail-smtp-in.l.google.com[2404:6800:4003:c00::1a]:25: Cannot assign requested address

Try with IPv4 only. Maybe an IPv6 issue?

For the other issues: Try to disable fail2ban (if enabled) and check if a connection is possible afterwards.

from docker-mailserver.

rafailml commented on May 29, 2024

Thanks @casperklein ! It works now!

I changed both POSTFIX_INET_PROTOCOLS and DOVECOT_INET_PROTOCOLS to ipv4 and now I can send and receive emails as before.

About roundcube error this was misconfiguration of container network.

Now I'm going to uncomment fail2ban and other modules one by one. Closing this ticket. Thanks a lot!!!


polarathene commented on May 29, 2024

env_file: mailserver.env

You have a config issue, this is not helpful. Neither is the full file copy/paste, please only share what you actually changed from defaults.

I assume you've configured TLS based on information from our docs, so please share how you've done so with ENV.


IMAP Error: Login failed for [email protected] against mail.mydomain.com from 172.24.0.1. Could not connect to mail.mydomain.com:143: Connection refused

I can see from here that you have an IP 172.24.0.1, this is coming from outside that docker network and being routed through the gateway IP, you want to avoid that where possible.

   cap_add:
     - NET_ADMIN
     - SYS_PTRACE

Where are you seeing the SYS_PTRACE? Have we still got that documented somewhere? You shouldn't need that AFAIK. Since you have NET_ADMIN, do you also have Fail2Ban enabled?

That's only going to cause problems for you right now, you don't want your local troubleshooting to be affected by F2B blocking your client(s) connections from failures. This will be more likely with that gateway IP issue if all clients now share the same internal IP instead of their real IP, since any failure from any client will then ban access to everyone.


rafailml commented on May 29, 2024

OK, I created a new docker-compose.yaml:

services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    container_name: mailserver
    hostname: mail.mydomain.com
    ports:
      - '25:25' # SMTP  (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
      - '143:143' # IMAP4 (explicit TLS => STARTTLS)
      - '465:465' # ESMTP (implicit TLS)
      - '587:587' # ESMTP (explicit TLS => STARTTLS)
      - '993:993' # IMAP4 (implicit TLS)
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      - /etc/letsencrypt:/etc/letsencrypt
    restart: always
    stop_grace_period: 1m
    environment:
      - SSL_TYPE=letsencrypt
      - PERMIT_DOCKER=network
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ENABLE_CLAMAV=0
      - ENABLE_SPAMASSASSIN=0
      - SPOOF_PROTECTION=0
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0

Now I'm able to connect from Apple Mail, and I can read my messages, but I cannot send and receive messages.
Here is what I got in logs when I try to send an email:

connect from mydomain.com[xxx.xxx.xxx.xxx]
Anonymous TLS connection established from mydomain.com[xxx.xxx.xxx.xxx]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
NOQUEUE: reject: RCPT from mydomain.com[xxx.xxx.xxx.xxx]: 554 5.7.1 <mydomain.com[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied; from=<[email protected]> to=<other_user@other_domain.com> proto=ESMTP helo=<smtpclient.apple>

If I try to log in with roundcube (which is running in another container, that's why I put PERMIT_DOCKER=network) I'm still getting:

IMAP Error: Login failed for [email protected] against mail.mydomain.com from 172.24.0.1. Could not connect to mail.mydomain.com:143: Connection refused

Also I found that

SSL_accept error from mydomain.com[xxx.xxx.xxx.xxx]: -1

comes from Monit. I turned Monit off for now.

Where are you seeing the SYS_PTRACE?

I saw some examples in other issues. And I forgot to remove it.


polarathene commented on May 29, 2024

Now I'm able to connect from Apple Mail, and I can read my messages, but I cannot send and receive messages.

What did you change differently to get your TLS connection to work correctly?

Can you try on port 465? This is pure TLS like HTTPS, skips the STARTTLS thing which complicates it a little bit.

If you can connect to the Dovecot ports to retrieve mail, then it might be an issue with sending mail for Postfix to deliver. Postfix delegates auth to Dovecot, and without LDAP/SASLAuthd involved this shouldn't be any different for login logic 🤔


If I try to log in with roundcube (which is running in another container, that's why I put PERMIT_DOCKER=network) I'm still getting

Try PERMIT_DOCKER=connected-networks option instead? That will use any networks that are connected to the DMS container.

PERMIT_DOCKER=network presently should allow for any network in the entire 172.16.0.0/12 subnet (that should cover your 172.24.0.1 too). PERMIT_DOCKER has some bugs though that need to be resolved: #3478

You shouldn't need either though AFAIK. These ENV are to establish trust without credentials. For authenticated ports where you're expected to provide your username and password, when those are valid it should be sufficient AFAIK. PERMIT_DOCKER bypasses some security restrictions, intended for trusted clients, although I'm not sure of scenarios where you should need it in real deployments.

At least with Postfix (ports 587/465/25) I'm aware of those restrictions being relaxed for PERMIT_DOCKER. I'm not sure if we relax them much for Dovecot ports (110,143,993,995,4190).


NOQUEUE: reject: RCPT from mydomain.com[xxx.xxx.xxx.xxx]: 554 5.7.1 <mydomain.com[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied; from=<[email protected]> to=<other_user@other_domain.com> proto=ESMTP helo=<smtpclient.apple>

Which port were you trying to send mail through? 587?

The user you've used for login and are sending from, is it configured in DMS via setup email add [email protected] password-here?

IMAP Error: Login failed for [email protected] against mail.mydomain.com
Could not connect to mail.mydomain.com:143: Connection refused

So Apple Mail can connect successfully to mail.mydomain.com:143 and retrieve your mail but for some reason not the Roundcube container running on the same VPS as DMS? Is the failed login for the same user?


- ./docker-data/dms/mail-state/:/var/mail-state/

Perhaps try without this volume? Temporarily comment it out and docker compose up --force-recreate afterwards.

Also I found that
SSL_accept error from mydomain.com[xxx.xxx.xxx.xxx]: -1
comes from Monit. I turned Monit off for now.

How is that related to DMS?

Your TLS certificate should be for mail.mydomain.com, matching the hostname FQDN you configured for DMS. Mail accounts like [email protected] do not need to have a TLS certificate, for mail servers they will check TLS against the mail server being connected to, so you must make sure you have correct certificate configured for DMS to use with connections.


rafailml commented on May 29, 2024

What did you change differently to get your TLS connection to work correctly?

I'm not using the mailserver.env file. The differences in the .env file were:

  • OVERRIDE_HOSTNAME=mail.mydomain.com
  • LOG_LEVEL=debug
  • PERMIT_DOCKER=network
  • ENABLE_FAIL2BAN=1

Can you try on port 465? This is pure TLS like HTTPS, skips the STARTTLS thing which complicates it a little bit.

I can't connect to 465 port with Apple Mail. It works on 993.

# ufw status verbose

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
25                         ALLOW IN    Anywhere
465                        ALLOW IN    Anywhere
587                        ALLOW IN    Anywhere
995                        ALLOW IN    Anywhere
143                        ALLOW IN    Anywhere
993                        ALLOW IN    Anywhere

also

# ss -tulpn | grep :465

tcp   LISTEN 0      4096                             0.0.0.0:465        0.0.0.0:*    users:(("docker-proxy",pid=47555,fd=4))

# ps aux | grep 47555

root       47555  0.0  0.0 1229748 3284 ?        Sl   Mar05   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 465 -container-ip 172.26.0.2 -container-port 465

# docker ps -q | xargs -n 1 docker inspect --format '{{ .Name }} {{range .NetworkSettings.Networks}} {{.IPAddress}}{{end}}' | sed 's#^/##';

mailserver  172.26.0.2
roundcube_nginx  172.24.0.4
roundcube_mail  172.24.0.3
roundcube_db  172.24.0.2

It seems that this port is open and DMS listens on it.

Try PERMIT_DOCKER=connected-networks option instead?

Changed PERMIT_DOCKER=connected-networks, restarted DMS (with docker-compose down) but I still can't connect. Still getting:

IMAP Error: Login failed for [email protected] against mail.mydomain.com from 172.24.0.1. Could not connect to mail.mydomain.com:143: Connection refused

Which port were you trying to send mail through? 587?

Yes. But I found that the autoconfig of Apple Mail had set "Authentication" to none. I changed it to password and now I'm getting a different error:

325378135E: to=<[email protected]>, relay=none, delay=61, delays=0.06/0.01/61/0, dsn=4.4.1, status=deferred (connect to alt2.gmail-smtp-in.l.google.com[2404:6800:4003:c00::1a]:25: Cannot assign requested address)

I don't know if this is related, but I also found this:

mail opendkim[636]: F075D8135B: no signing table match for '[email protected]'
mail opendkim[636]: F075D8135B: no signature data

The user you've used for login and are sending from, is it configured in DMS via setup email add [email protected] password-here?

Yes.

So Apple Mail can connect successfully to mail.mydomain.com:143 and retrieve your mail but for some reason not the Roundcube container running on the same VPS as DMS? Is the failed login for the same user?

Yes, I have only one user for now.

Perhaps try without this volume?

I commented

# - ./docker-data/dms/mail-state/:/var/mail-state/

but still getting Connection refused

How is that related to DMS?

Monit is trying to connect with DMS. But I turned it off for now, and after everything works I'll turn it on and if I still get errors, I'll let you know.

Your TLS certificate should be for mail.mydomain.com, matching the hostname FQDN you configured for DMS.

Yes, I have the correct certificate for mail.mydomain.com and hostname = mail.mydomain.com.


polarathene commented on May 29, 2024

Changed PERMIT_DOCKER=connected-networks, restarted DMS (with docker-compose down) but I still can't connect. Still getting:

You are trying to send mail to another MTA (Gmail) via DMS from your VPS on port 25.

This is often blocked (as our docs explain), you will probably need to look at our relay host docs to route mail through a service like SendGrid (DMS supports port 587 for relay host feature, not 465 yet).


Yes. But I found that autoconfig of Apple Mail was set "Authentication" to none. I changed it to password and now I'm getting different error:

Yes, that is another common config mistake for users.

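As an added example (not code from this thread or from the docker-mailserver project), a small Python triage that maps the three log lines quoted above to the diagnoses the thread reached: the IPv6 "Cannot assign requested address" deferral that POSTFIX_INET_PROTOCOLS=ipv4 resolved, the unauthenticated-submission reject, and the IMAP failure arriving from the Docker gateway IP. The sample log lines are constructed, with placeholder addresses and queue IDs.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample lines modelled on the three quoted in this thread;
# queue IDs and addresses are placeholders, not real data.
SAMPLE_LOG = """\
postfix/smtp[11]: 325378135E: to=<user@example.com>, relay=none, dsn=4.4.1, status=deferred (connect to alt2.gmail-smtp-in.l.google.com[2404:6800:4003:c00::1a]:25: Cannot assign requested address)
postfix/smtpd[12]: NOQUEUE: reject: RCPT from mydomain.com[203.0.113.10]: 554 5.7.1 <mydomain.com[203.0.113.10]>: Client host rejected: Access denied; from=<me@mydomain.com> to=<other@example.net> proto=ESMTP helo=<smtpclient.apple>
roundcube: IMAP Error: Login failed for me@mydomain.com against mail.mydomain.com from 172.24.0.1. Could not connect to mail.mydomain.com:143: Connection refused
"""

DEFERRED_RE = re.compile(
    r"status=deferred \(connect to (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<reason>[^)]+)\)")
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from [^\s\[]+\[(?P<ip>[^\]]+)\]: 554 5\.7\.1 .*Client host rejected: Access denied")
IMAP_RE = re.compile(
    r"IMAP Error: Login failed for \S+ against \S+ from (?P<ip>[0-9a-fA-F.:]+)\. "
    r"Could not connect to \S+:\d+: Connection refused")


def triage(line: str) -> dict | None:
    """Classify one log line; returns None for lines this triage does not know."""
    if m := DEFERRED_RE.search(line):
        ip = ipaddress.ip_address(m["ip"])
        # Postfix chose an IPv6 MX address but the host cannot bind an IPv6 source;
        # the thread's fix was POSTFIX_INET_PROTOCOLS=ipv4 (or repairing IPv6 egress).
        if ip.version == 6 and "Cannot assign requested address" in m["reason"]:
            return {"kind": "deferred-ipv6", "mx": m["host"],
                    "hint": "no usable IPv6 egress; set POSTFIX_INET_PROTOCOLS=ipv4 or fix IPv6 routing"}
        return {"kind": "deferred", "mx": m["host"], "hint": m["reason"]}
    if REJECT_RE.search(line):
        # Submission without SASL auth: the thread traced this to Apple Mail's
        # "Authentication" setting being none instead of password.
        return {"kind": "unauthenticated-submission",
                "hint": "client relayed on 587 without authenticating; enable password auth in the client"}
    if m := IMAP_RE.search(line):
        src = ipaddress.ip_address(m["ip"])
        if src.is_private:
            # A private source on a published port is the Docker network gateway, so DMS never
            # sees the client's real IP; with Fail2Ban on, one bad login bans every such client.
            return {"kind": "gateway-source", "source": str(src),
                    "hint": "client arrives via the Docker gateway; put both containers on one network"}
        return {"kind": "imap-refused", "source": str(src), "hint": "check published ports and firewall"}
    return None


def triage_log(text: str) -> list[dict]:
    """Run triage over every line of a log excerpt, dropping unrecognised lines."""
    return [d for d in map(triage, text.splitlines()) if d]
```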

rafailml commented on May 29, 2024

You are trying to send mail to another MTA (Gmail) via DMS from your VPS on port 25.

Perhaps you are talking about this log:
325378135E: to=<[email protected]>, relay=none, delay=61, delays=0.06/0.01/61/0, dsn=4.4.1, status=deferred (connect to alt2.gmail-smtp-in.l.google.com[2404:6800:4003:c00::1a]:25: Cannot assign requested address)

As I can see from the docs:
Outbound traffic on this port is often blocked by service providers (eg: VPS, ISP) to prevent abuse by spammers. If the port cannot be unblocked, you will need to relay outbound mail through a service to send on your behalf.
I need to use a relay host if my port 25 is blocked by the service provider. But my port 25 is not blocked. I've been using it with my previous email stack, which is the same as DMS but not dockerized. So I should be able to use port 25 with DMS.

What about that error when I'm trying to connect with Apple Mail:
325378135E: to=<[email protected]>, relay=none, delay=61, delays=0.06/0.01/61/0, dsn=4.4.1, status=deferred (connect to alt2.gmail-smtp-in.l.google.com[2404:6800:4003:c00::1a]:25: Cannot assign requested address)
I'm still unable to use DMS to send emails.

I still can't connect to DMS with Roundcube:
IMAP Error: Login failed for [email protected] against mail.mydomain.com from 172.24.0.1. Could not connect to mail.mydomain.com:143: Connection refused
even with PERMIT_DOCKER=connected-networks


rafailml commented on May 29, 2024

Close
