Some exposed Docker ports cannot be accessed from outside (dovecot, postfix)

Time: 2017-05-16 06:27:22

Tags: ubuntu docker postfix-mta ports dovecot

This is driving me crazy, but for some reason I can't access some ports from outside. I have checked almost every possible setting, but I don't know why this isn't working. I don't know where to fix this (Ubuntu firewall vs. Docker vs. Dovecot vs. Postfix), and I really hope you guys can help me.

FYI: mycooldomain.com is just a placeholder for my domain, which I don't want to share at the moment.

I'll buy a beer for whoever helps me solve this! :)

Intro

On my root server I'm running the following docker mail server container (https://github.com/tomav/docker-mailserver/), which exposes several ports (143, 25, 587, 993). The container runs dovecot (IMAP) and postfix (SMTP).

TL;DR

I'm running the above mail server (dovecot, postfix) in a docker container and can only connect to one port (143 - IMAP). The other ports 25, 587 and 993 cannot be accessed from outside - only directly from the host. Docker exposes them correctly and they are correctly listed in iptables. The logs in the container (dovecot, postfix) show no reaction when requests come in (no rejected requests or anything like that), so I think they never reach the services in the container. Other docker container ports (e.g. my web server: 80, 443).

Here are the details:

I can connect to every port directly from the host (let's test the IMAP secure port):

mastix@localhost:~$ telnet mail.mycooldomain.com 993
Trying xxx.xxx.xxx.xxx…
Connected to mail.mycooldomain.com.
Escape character is '^]'.
220 mail.mycooldomain.com ESMTP Postfix (Ubuntu)

But not from my local machine:

mastixmc$ telnet mail.mycooldomain.com 993
Trying xxx.xxx.xxx.xxx…
telnet:connect to address xxx.xxx.xxx.xxx: Operation timed out
telnet: Unable to connect to remote host

docker-compose ps tells me they are exposed and bound correctly:

110/tcp,
0.0.0.0:143->143/tcp,
0.0.0.0:25->25/tcp, 4190/tcp,
0.0.0.0:587->587/tcp,
0.0.0.0:993->993/tcp, 995/tcp

netstat -ntlp tells me the same thing:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::587                  :::*                    LISTEN      -
tcp6       0      0 :::143                  :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::25                   :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
tcp6       0      0 :::2332                 :::*                    LISTEN      -
tcp6       0      0 :::993                  :::*                    LISTEN      -

I can access my web server (80/443) and insecure IMAP (143) - which I will not allow in the future. But all other ports are inaccessible.

I even set up UFW (although it isn't needed) to make sure Ubuntu isn't blocking anything:

Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 25/tcp
ufw allow 587/tcp
ufw allow 143/tcp
ufw allow 993/tcp

When looking at the logs (Dovecot, Postfix) I can't see anything, so it looks like the requests never reach the services.

I DID NOT touch the following Docker / UFW settings:

/etc/default/ufw

DEFAULT_FORWARD_POLICY="DROP"

I DID NOT change iptables=false in the Docker engine

Here is the iptables -L call, where you can clearly see that the DOCKER chain correctly adds the rules (my ufw rules are there too):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.19.0.7           tcp dpt:imaps
ACCEPT     tcp  --  anywhere             172.19.0.7           tcp dpt:submission
ACCEPT     tcp  --  anywhere             172.19.0.7           tcp dpt:imap2
ACCEPT     tcp  --  anywhere             172.19.0.7           tcp dpt:smtp

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
[...]
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2332
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2332
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     udp  --  anywhere             anywhere             udp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:imap2

So everything looks fine to me.

Update #1:

nmap from the docker host (against mycooldomain.com):

PORT    STATE    SERVICE
25/tcp  filtered smtp
80/tcp  filtered http
143/tcp filtered imap
443/tcp filtered https
587/tcp filtered submission
993/tcp filtered imaps

nmap from my local machine (against mycooldomain.com):

PORT    STATE SERVICE
80/tcp  open  http
143/tcp open  imap
443/tcp open  https

As you can see, the ports are not open, so I can't connect to ports 25, 587 and 993 remotely.

Update #2:

So I stopped all containers and opened a simple python HTTP server:

sudo python -m SimpleHTTPServer 993

This port is not accessible either. So I opened the same server on port 8080 => success.

It looks like Ubuntu or my hoster is blocking port 993! I'm currently in contact with the people who provide the root server.

I have already opened an issue in the project (https://github.com/tomav/docker-mailserver/issues/602), but they couldn't help me either.

Thanks a lot in advance,

Greetz,

Sascha

1 answer:

Answer 0 (score: 2)

I fixed it... or at least my hoster did. There was another hardware firewall blocking certain ports. They had to enable a certain "mail server" firewall rule set that allows running a mail server.

Thanks for your help and hints!!!

Greetz,

Sascha
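As an added example (not part of the original question or answer), here is a small POSIX shell script that applies the evidence the thread collects (netstat -ntlp on the host, ufw status, and nmap run from an outside machine) mechanically, to separate the three cases the question walks through: nothing bound on the host, the host firewall, or a block in front of the host such as the hoster's hardware firewall the answer identifies. The three inputs are constructed samples modelled on the post's output, not captured from a real server; port 8443 is invented to show the host-firewall case. On a real host the samples would be replaced by the output of the respective commands.

```shell
#!/bin/sh
# Added example, not from the original post: classify each TCP port as
# not-listening / host-firewall / blocked-upstream / reachable from the same
# three pieces of evidence the question gathers. All inputs are CONSTRUCTED
# samples modelled on the post's output (8443 is invented).

NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::587                  :::*                    LISTEN      -
tcp6       0      0 :::143                  :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::25                   :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
tcp6       0      0 :::993                  :::*                    LISTEN      -
tcp6       0      0 :::8443                 :::*                    LISTEN      -'

UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
143/tcp                    ALLOW       Anywhere
993/tcp                    ALLOW       Anywhere'

# nmap run from outside: only ports reported open are listed, as in the post
# (nmap folds the filtered ones into its "Not shown" summary line).
NMAP_REMOTE_SAMPLE='PORT    STATE SERVICE
80/tcp  open  http
143/tcp open  imap
443/tcp open  https'

# listening PORT: succeeds if some socket on the host listens on that TCP port.
listening() {
  printf '%s\n' "$NETSTAT_SAMPLE" |
    awk -v p="$1" 'BEGIN { pat = ":" p "$" }
                   $4 ~ pat && $6 == "LISTEN" { found = 1 }
                   END { exit !found }'
}

# host_allows PORT: succeeds if ufw has an ALLOW rule for PORT/tcp.
host_allows() {
  printf '%s\n' "$UFW_SAMPLE" |
    awk -v p="$1" '$1 == p "/tcp" && $2 == "ALLOW" { found = 1 }
                   END { exit !found }'
}

# remote_state PORT: nmap state seen from outside, or "absent" when nmap did
# not list the port at all (i.e. it was filtered, not open).
remote_state() {
  printf '%s\n' "$NMAP_REMOTE_SAMPLE" |
    awk -v p="$1" 'BEGIN { s = "absent" } $1 == p "/tcp" { s = $2 } END { print s }'
}

# classify PORT: print one word naming where the connection is being stopped.
classify() {
  port=$1
  if ! listening "$port"; then
    echo "not-listening"      # nothing bound on the host: container/compose side
  elif ! host_allows "$port"; then
    echo "host-firewall"      # ufw on the host has no ALLOW rule for it
  elif [ "$(remote_state "$port")" = "open" ]; then
    echo "reachable"
  else
    # Bound, allowed by the host, still not open from outside: the block sits
    # in front of the host (the hoster's hardware firewall in the answer).
    echo "blocked-upstream"
  fi
}

for p in 25 80 143 443 587 993 8443 110; do
  printf '%-5s %s\n' "$p" "$(classify "$p")"
done
```

The useful signal is the last branch: a port that is bound, permitted by ufw and still invisible to nmap from outside cannot be fixed on the host at all, which is why the plain python server test in Update #2 and the hoster's rule set in the answer were the right next steps.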