Dear postfix experts:
I think I'm getting to the end of this problem. I was able to use
haproxy to relay connections to my docker container with correct source
information (and I'm seeing the correct IP addresses in the logs of
postfix/dovecot). I would appreciate it if you could take a look at my
settings before going public and changing the MX records back to this
server.
How I tested: I was actively blocking/unblocking firewalls,
starting/stopping containers (start, test, stop), and in every step, I
ran swaks, with one of these configurations (in fact, I'm planning to
automate these tests and run them periodically, what a nice tool this
turned out to be):
```
swaks --to a...@example.com --from=b...@example.com --server mail.example.com:587 --tls
swaks --to a...@example.com --from=b...@example.com --server mail.example.com:465 --tlsc
swaks --to a...@example.com --from=b...@example.com --server mail.example.com:25 --tls
swaks --to a...@example.com --from=b...@example.com --server mail.example.com:25
```
I was consistently getting the result "Access denied" in swaks, which I
hope means that no relaying is possible anymore. Meanwhile, I succeeded
in sending messages with Thunderbird with proper authentication.
Email relaying was only possible when sending emails with swaks through
localhost (even though it's going through the proxy in localhost), i.e.:
```
swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:587 --tls
swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:465 --tlsc
swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:25 --tls
swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:25
```
Does this constitute proof that relaying isn't possible anymore?
There are three components to the configuration I added for this, each
for one port:
1. Port 25
in master.cf:
```
10024 inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
```
and in main.cf:
```
postscreen_upstream_proxy_protocol = haproxy
```
2. Port 587 for strict STARTTLS:
```
10587 inet n - n - - smtpd
  -o syslog_name=postfix/haproxy_submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_upstream_proxy_protocol=haproxy
```
3. Port 465 for strict wrapper mode:
```
10465 inet n - n - - smtpd
  -o syslog_name=postfix/haproxy_smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_upstream_proxy_protocol=haproxy
```
The other standard ports (25, 465 and 587) without proxying are
unreachable from the outside.
And finally, `postconf -n` (I fixed the issues indicated in the email
chain after having read their documentation):
```
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
debug_peer_level = 6
debug_peer_list = 0.0.0.0/0
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
maillog_file = /dev/stdout
message_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = example.com
mynetworks_style = subnet
myorigin = localmail.example.com
non_smtpd_milters = inet:docker-email-opendkim:12301
postscreen_upstream_proxy_protocol = haproxy
proxy_read_maps = $local_recipient_maps $mydestination
    $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
    $virtual_mailbox_domains $relay_recipient_maps $relay_domains
    $canonical_maps $sender_canonical_maps $recipient_canonical_maps
    $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
smtp_tls_cert_file = /shared-keys/mail.example.com/fullchain.pem
smtp_tls_key_file = /shared-keys/mail.example.com/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_helo_restrictions = reject_invalid_helo_hostname,
smtpd_milters = inet:docker-email-opendkim:12301
smtpd_recipient_restrictions = check_sender_access
    hash:/etc/postfix/sender_access, permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination, reject_invalid_hostname,
    reject_unknown_recipient_domain, reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org, reject_rbl_client
    b.barracudacentral.org, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client truncate.gbudb.net, reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org, permit
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /shared-socks/auth_dovecot
smtpd_sasl_type = dovecot
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /shared-keys/mail.example.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /shared-keys/mail.example.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:inet:docker-email-dovecot:10024
virtual_uid_maps = static:5000
```
I would really appreciate your input on this. Have a great day.
Cheers,
Sam
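The unattended version of the four swaks relay attempts described in the post above, as an added example that is not part of the original message and not code from Postfix or swaks. It assumes swaks is installed, uses the post's mail.example.com hostname with constructed placeholder addresses (override with SERVER, TO and FROM), and lets SWAKS point at a wrapper so the transcript parsing can be exercised without a live server. It classifies a swaks transcript rather than trusting the exit status, since swaks exits non-zero both when the relay is refused (the wanted result) and when the port is simply unreachable. One caveat the script relies on: the loopback address is part of $mynetworks under every mynetworks_style setting, so a run from the server itself, including through a local haproxy that hands Postfix 127.0.0.1 as the client address, exercises a trusted client via permit_mynetworks; the result only says something about relaying when the script runs from an address outside mynetworks.

```shell
#!/bin/sh
# Added example, not part of the original post: a cron-friendly regression
# check that repeats the unauthenticated swaks relay attempts from the post
# and reduces each transcript to denied / accepted / unclear.
# Assumptions: swaks is installed; SERVER, TO, FROM are placeholders from the
# post (TO/FROM constructed here); SWAKS may name a wrapper command.

SWAKS="${SWAKS:-swaks}"
SERVER="${SERVER:-mail.example.com}"
TO="${TO:-relaytest@example.com}"       # constructed placeholder recipient
FROM="${FROM:-relaytest@example.net}"   # constructed placeholder sender

# classify_transcript reads a swaks transcript on stdin and prints one word:
#   denied   - a 5xx server reply, shown by swaks as "<** 5xx ..." (for this
#              configuration "554 5.7.1 ... Client host rejected: Access denied")
#   accepted - the message was queued ("<-  250 2.0.0 Ok: queued as ..."),
#              i.e. the unauthenticated relay attempt succeeded
#   unclear  - a 4xx reply (postscreen/greylisting) or no SMTP dialogue at all
#              (closed port, TLS failure); rerun before concluding anything
classify_transcript() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -Eq '^<\*\* 5[0-9]{2} '; then
        echo denied
    elif printf '%s\n' "$transcript" | grep -Eq '^<-  250 .*queued'; then
        echo accepted
    else
        echo unclear
    fi
}

# relay_attempt PORT MODE  (MODE is plain, tls or tlsc, as in the post).
# Runs one unauthenticated delivery attempt and prints its classification.
relay_attempt() {
    port=$1
    case "$2" in
        plain) tlsopt="" ;;
        tls)   tlsopt="--tls" ;;
        tlsc)  tlsopt="--tlsc" ;;
        *)     echo "unknown mode: $2" >&2; return 2 ;;
    esac
    # The swaks exit status is deliberately ignored: it is non-zero whenever
    # delivery did not complete, which is exactly the outcome we hope for.
    "$SWAKS" --to "$TO" --from "$FROM" --server "$SERVER:$port" $tlsopt 2>&1 \
        | classify_transcript
}

# run_checks walks the four port/mode pairs from the post and returns non-zero
# when any attempt was accepted, so a cron job or monitoring hook can alert on
# an open relay. Unclear results are printed but do not fail the run alone.
run_checks() {
    open=0
    for pair in "25 plain" "25 tls" "465 tlsc" "587 tls"; do
        set -- $pair
        result=$(relay_attempt "$1" "$2")
        printf '%s:%s %-5s -> %s\n' "$SERVER" "$1" "$2" "$result"
        [ "$result" = accepted ] && open=1
    done
    return $open
}

# Invoke as "sh relaycheck.sh --run" from a host outside $mynetworks.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

A non-zero exit from `run_checks` means at least one endpoint queued mail from an unauthenticated client; an `unclear` line usually means the port is filtered or postscreen deferred the client, and should be rerun rather than counted as a pass.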