Hi,

On 2022-04-04 08:57, christ...@degenkolb.net wrote:
In setting up a milter on a postfix daemon running in docker container
I stumbled upon the following problem.
postfix throws fatal errors if it can't resolve the DNS name of a
milter due to the milter (also running as a docker container) being
offline although default_action for this milter is set to "accept".

I have the following setup:
- postfix 3.4.14 from https://mailcow.email/ (should be this
https://packages.debian.org/buster/postfix package)
- with smtpd_milters = inet:rspamd:9900,
{inet:mymilter:40000,connect_timeout=3s,default_action=accept}
- a docker container mymilter with the run command "docker run -d
--name mymilter --network-alias mymilter --network
mailcowdockerized_mailcow-network --restart unless-stopped
mymilter:latest"
- mymilter listens on port 40000 as a milter

Everything runs normal as long as the mymilter container is online.
If I stop mymilter, postfix refuses to accept smtp connections with, for
example, the following errors.

Mar 31 15:43:43 14bc2104d36b postfix/smtpd[382]: fatal: host/service
mymilter/40000 not found: Name or service not known
Mar 31 15:43:44 14bc2104d36b postfix/master[348]: warning: process
/usr/lib/postfix/sbin/smtpd pid 382 exit status 1
Mar 31 15:43:44 14bc2104d36b postfix/master[348]: warning:
/usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

If I replace mymilter in smtpd_milters with an IP address of the
docker container and stop the container the default_action=accept is
honored.
As far as I can tell the network-alias gets removed from docker's
internal DNS server on container stop, which triggers the postfix fatal
error.
However shouldn't a failed DNS request also evoke the default policy
of "accept" for this milter?
Is this a postfix bug or am I missing something? Can I somehow add
"DNS not Working" to the "it's Ok"-List for this milter?

I found a workaround for this problem. It's not pretty but it works(TM).

Add a "static" IP from the docker network to the container run command via --ip a.b.c.d and use this in the smtpd_milters like so in my case

docker run -d --name mymilter --network-alias mymilter --network mailcowdockerized_mailcow-network --ip 172.22.1.100 --restart unless-stopped mymilter:latest

and

smtpd_milters = inet:rspamd:9900, {inet:172.22.1.100:40000,connect_timeout=3s,default_action=accept}

To get a valid IP do a "docker inspect <docker_network_name>" and check for free IP space.

Now postfix honors the default_action=accept if the milter container is stopped since no DNS lookup is involved.

With Wietse's release (see other mail in this thread) trickling down to the distributions in some distant future, this can be changed back to using the docker internal DNS names.

regards
Christian
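An added example to go with the workaround above (it is not part of this thread, and it is not mailcow's or Postfix's own code). It does two things a practitioner applying the workaround would want: it parses a smtpd_milters value and lists the entries that reference a DNS name rather than a literal IP, which per the post are the ones a resolver failure takes down at smtpd startup regardless of default_action; and it reads `docker network inspect` output and proposes unused addresses in the network's subnet to pin with `--ip`. The inspect JSON, the container names and the addresses embedded below are constructed sample data modelled on the fields docker emits (IPAM.Config[].Subnet/Gateway and Containers[].IPv4Address); the milter values are the two forms quoted in the thread.

```python
import ipaddress
import json
import re

# Constructed sample of `docker network inspect <network>` output, abridged to
# the fields used below; network name, subnet and container entries are made up.
SAMPLE_INSPECT = json.dumps([{
    "Name": "mailcowdockerized_mailcow-network",
    "IPAM": {"Config": [{"Subnet": "172.22.1.0/24", "Gateway": "172.22.1.1"}]},
    "Containers": {
        "aaa": {"Name": "postfix-mailcow", "IPv4Address": "172.22.1.2/24"},
        "bbb": {"Name": "rspamd-mailcow", "IPv4Address": "172.22.1.3/24"},
        "ccc": {"Name": "mymilter", "IPv4Address": "172.22.1.100/24"},
    },
}])

# The smtpd_milters value from the thread, and the static-IP workaround form.
MILTERS_BY_NAME = "inet:rspamd:9900, {inet:mymilter:40000,connect_timeout=3s,default_action=accept}"
MILTERS_BY_IP = "inet:rspamd:9900, {inet:172.22.1.100:40000,connect_timeout=3s,default_action=accept}"

# One entry is either a brace group {endpoint,opt=val,...} or a bare endpoint.
_ENTRY = re.compile(r"\{[^}]*\}|[^,\s]+")


def parse_milters(value):
    """Split a smtpd_milters value into entries.

    Each entry records the endpoint (inet:host:port or unix:path), the host
    part for inet endpoints, whether that host is a DNS name rather than a
    literal IP, and the per-milter options given inside { ... }.
    """
    entries = []
    for match in _ENTRY.finditer(value):
        raw = match.group(0).strip("{}")
        parts = [p.strip() for p in raw.split(",") if p.strip()]
        endpoint = parts[0]
        options = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        host = None
        uses_name = False
        if endpoint.startswith("inet:"):
            host = endpoint[len("inet:"):].rsplit(":", 1)[0]
            try:
                ipaddress.ip_address(host.strip("[]"))  # IPv6 literals are bracketed
            except ValueError:
                uses_name = True
        entries.append({"endpoint": endpoint, "host": host,
                        "uses_name": uses_name, "options": options})
    return entries


def dns_dependent(value):
    """Endpoints whose host is a name: a resolver failure for any of these is
    fatal at smtpd startup (and throttles smtpd), whatever default_action says."""
    return [e["endpoint"] for e in parse_milters(value) if e["uses_name"]]


def free_ips(inspect_json, limit=5):
    """Return up to `limit` unused IPv4 host addresses in the network's subnets,
    skipping the gateway and every address already assigned to a container."""
    networks = json.loads(inspect_json)
    used = set()
    for net in networks:
        for container in net.get("Containers", {}).values():
            if container.get("IPv4Address"):
                used.add(ipaddress.ip_interface(container["IPv4Address"]).ip)
        for cfg in net["IPAM"]["Config"]:
            if cfg.get("Gateway"):
                used.add(ipaddress.ip_address(cfg["Gateway"]))
    free = []
    for net in networks:
        for cfg in net["IPAM"]["Config"]:
            subnet = ipaddress.ip_network(cfg["Subnet"], strict=False)
            if subnet.version != 4:
                continue
            for host in subnet.hosts():
                if host not in used:
                    free.append(str(host))
                    if len(free) >= limit:
                        return free
    return free


if __name__ == "__main__":
    # Offline demo on the constructed data; on a real host feed in
    # `postconf -h smtpd_milters` and `docker network inspect <network>`.
    print("name-based milters:", dns_dependent(MILTERS_BY_NAME))
    print("name-based milters after workaround:", dns_dependent(MILTERS_BY_IP))
    print("free addresses to pin with --ip:", free_ips(SAMPLE_INSPECT))
```

Note that the audit also flags the rspamd entry, since it too is referenced by name; whether that matters depends on whether that container can ever be stopped while postfix keeps running. Pinning an address only helps if it sits outside the range docker hands out dynamically, so check the inspect output again after the container has been recreated.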


