I am trying to set up some containers to manage my personal email on my VPS.
I set up TLS encryption for the Postfix server. While setting up SPF to detect forged emails, I noticed that the reported IP differs depending on whether encryption is used:
When receiving email from certain senders:
Received: from zproxy.mydomain.com (zproxy110.mydomain.com [137.**.**.**])
by localhost (Postfix) with ESMTP id 5250459F
When receiving email from my GMail account (TLS enabled):
Received: from mail-lf0-x241.google.com (dockerhost [172.18.0.1])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by localhost (Postfix) with ESMTPS id 2EDEF59F
When receiving email from other networks:
Received: from cabale.usenet-fr.net (dockerhost [172.18.0.1])
by localhost (Postfix) with ESMTP id 834F8520
It looks like the reported IP is based on... the Docker host's IP, randomly, using IP 172.18.0.1. Besides being a problem in itself, it also affects SPF, since emails from Google get marked SoftFail because the IP is not allowed.
I cannot understand why some servers (always) report the dockerhost IP and others do not. This is unrelated to the TLS encryption I initially suspected.
Here is my master.cnf file:
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/postfix-cert.pem
smtpd_tls_key_file = /etc/ssl/private/postfix-cert.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination check_policy_service unix:private/policy-spf
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = /etc/mailname, 11687faae091, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtpd_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4
smtpd_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtp_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtp_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4
policy-spf_time_limit = 3600s
My main.cnf file:
smtp inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
${user}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -a ${recipient}
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
policy-spf unix - n n - - spawn
user=nobody argv=/usr/bin/policyd-spf
Where does this behaviour come from, and how can I fix it so that the reported IP is the actual one?
EDIT: OK, I just tested from another provider, and it looks like encryption may have nothing to do with it:
Received: from o1.30e.fshared.sendgrid.net (o1.30e.fshared.sendgrid.net [167.89.55.41])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
Answer 0 (score: 1)
This is a known bug in current (2016-10-10) Docker versions: the userland proxy is used to bind container ports to host ports, but it has the inconsistency you ran into. I had the same problem myself.
References:
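An added check, not part of the question or the answer, that parses Postfix Received headers like the ones quoted above and reports whether the recorded client address is one SPF can meaningfully be evaluated against: a private 172.18.0.1 written by the Docker userland proxy means the real source is lost, so any SPF verdict on it is noise. The sample headers are constructed from the question; the masked address is replaced by a placeholder.

```python
import ipaddress
import re

# Constructed samples modelled on the question's headers.
# 137.0.0.1 is a placeholder for the masked 137.**.**.** address.
SAMPLE_HEADERS = [
    "Received: from zproxy.mydomain.com (zproxy110.mydomain.com [137.0.0.1])\n"
    "\tby localhost (Postfix) with ESMTP id 5250459F",
    "Received: from mail-lf0-x241.google.com (dockerhost [172.18.0.1])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby localhost (Postfix) with ESMTPS id 2EDEF59F",
    "Received: from cabale.usenet-fr.net (dockerhost [172.18.0.1])\n"
    "\tby localhost (Postfix) with ESMTP id 834F8520",
    "Received: from o1.30e.fshared.sendgrid.net (o1.30e.fshared.sendgrid.net [167.89.55.41])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))",
]

# Postfix records the peer as "from HELO-name (reverse-dns [ip])".
_RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)", re.S
)


def parse_received(header):
    """Return (helo, rdns, ip) from a Postfix Received header, or None."""
    m = _RECEIVED_RE.search(header)
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3)


def spf_usable(ip_text):
    """SPF only makes sense for the address that actually connected over
    the public Internet. A private address (172.18.0.1 is in 172.16.0.0/12)
    means a proxy on the host sat in between and the original peer is gone."""
    return ipaddress.ip_address(ip_text).is_global


def audit(headers):
    """Summarise each header: who claimed to send it, which IP Postfix saw,
    and whether an SPF check against that IP would be meaningful."""
    results = []
    for header in headers:
        parsed = parse_received(header)
        if parsed is None:
            continue
        helo, rdns, ip = parsed
        results.append({"helo": helo, "rdns": rdns, "ip": ip,
                        "spf_usable": spf_usable(ip)})
    return results
```

Headers where `spf_usable` is False are the ones the userland proxy rewrote; their SoftFail results should be discarded rather than acted on.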