
question: Why does SMTP_ONLY=1 still allow to receive mail locally? #3974

Closed
MateuszBeru opened this issue Apr 9, 2024 · 5 comments
Labels: area/configuration (file), area/documentation, area/scripts, kind/question, meta/closed due to age or inactivity, meta/stale, service/postfix

Comments

@MateuszBeru

Subject

I would like to configure an undocumented mail server use case

Description

Hello,
While setting up a standard docker-mailserver installation with the intention of using it for sending email only, I found a problem.
After setting it up according to the documentation it worked, but there was an issue: the email address that was set to be send-only was saving a copy in the local mailbox. After trying to turn the server into send-only mode with the help of issue #3477, which didn't help, I decided to turn off the local account with the help of resolved issue #3472. Unfortunately the solution proposed in #3472, which is mentioned in the FAQ section of the documentation, did not resolve the problem.

Otherwise the server is working fine; the configuration was done according to the documentation and the score on mail-tester.com was 9.5/10.

As I went through the thread of related issues I noticed that most of them occurred between 2019 and 2023, so I tried different releases (:13.x, :latest, :edge) hoping that this problem had been patched, unfortunately with the same result.

I'm not sure if this is a bug or a poorly documented option, as I noticed a few issues were filed around a similar problem.

Please see the logs and YAML below.

services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:edge
    container_name: main
    hostname: mail.hostname.com
    ports:
      - "25:25"    # SMTP  (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
      - "143:143"  # IMAP4 (explicit TLS => STARTTLS)
      - "465:465"  # ESMTP (implicit TLS)
      - "587:587"  # ESMTP (explicit TLS => STARTTLS)
      - "993:993"  # IMAP4 (implicit TLS)
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - ./docker-data/dms/sasl-data/sasl:/etc/postfix/sasl
      - /etc/localtime:/etc/localtime:ro
      - /ymls/nginx/docker-data/acme-companion/certs/:/etc/letsencrypt/live/:ro
    restart: always
    stop_grace_period: 1m
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0
    environment:
      - SSL_TYPE=letsencrypt
      - LETSENCRYPT_HOST=mail.hostname.com
      - SMTP_ONLY=1
      - SMTP_USERNAME=info
      - SMTP_DOMAIN=mail.hostname.com
      - SMTP_PASSWORD=yvj0ufb@avy3MCP8hze
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=

2024-04-09T16:36:20.193026+02:00 direct postfix/submission/smtpd[652]: connect from static.111.111.111.111.clients.your-server.de[222.222.222.222]
2024-04-09T16:36:20.438185+02:00 direct postfix/submission/smtpd[652]: Anonymous TLS connection established from static.111.111.111.111.clients.your-server.de[222.222.222.222]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
2024-04-09T16:36:20.609177+02:00 direct postfix/submission/smtpd[652]: NOQUEUE: reject: RCPT from static.111.111.111.111.clients.your-server.de[222.222.222.222]: 554 5.7.1 <static.111.111.111.111.clients.your-server.de[222.222.222.222]>: Client host rejected: Access denied; from=<info@mail.hostname.com> to=<test@testmail.anotherhost.com> proto=ESMTP helo=<DESKTOP-OSIMTIL>
2024-04-09T16:36:20.668553+02:00 direct postfix/submission/smtpd[652]: lost connection after RCPT from static.111.111.111.111.clients.your-server.de[222.222.222.222]
2024-04-09T16:36:20.668660+02:00 direct postfix/submission/smtpd[652]: disconnect from static.111.111.111.111.clients.your-server.de[222.222.222.222] ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5
2024-04-09T17:21:22.383897+02:00 direct postfix/submission/smtpd[638]: >>> START Client host RESTRICTIONS <<<
2024-04-09T17:21:22.383901+02:00 direct postfix/submission/smtpd[638]: generic_checks: name=permit_sasl_authenticated
2024-04-09T17:21:22.383909+02:00 direct postfix/submission/smtpd[638]: generic_checks: name=permit_sasl_authenticated status=0
2024-04-09T17:21:22.383912+02:00 direct postfix/submission/smtpd[638]: generic_checks: name=reject
2024-04-09T17:21:22.383926+02:00 direct postfix/submission/smtpd[638]: NOQUEUE: reject: RCPT from static.111.111.111.111.clients.your-server.de[222.222.222.222]: 554 5.7.1 <static.111.111.111.111.clients.your-server.de[222.222.222.222]>: Client host rejected: Access denied; from=<info@mail.hostname.com> to=<test@testmail.anotherhost.com> proto=ESMTP helo=<DESKTOP-OSIMTIL>
@MateuszBeru MateuszBeru added the meta/help wanted The OP requests help from others - chime in! :D label Apr 9, 2024
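
The rejects in the posted logs come from the submission service, where the verbose restriction trace shows the chain permit_sasl_authenticated followed by reject: a 554 5.7.1 "Client host rejected: Access denied" there is a client that tried to send without authenticating. The following is an added example, not code from the issue or from docker-mailserver, that pulls those attempts out of Postfix log lines and counts them per client IP. The log lines are constructed to mirror the ones posted above (hostnames and IPs are placeholders; the 198.51.100.7 and 203.0.113.9 entries are invented to show a port 25 relay reject being excluded and a second submission client):

```shell
#!/bin/sh
# Added example (not DMS code): summarise rejected RCPT attempts on the
# Postfix submission service per client IP.

# Constructed sample log, modelled on the lines posted in the issue.
SAMPLE_LOG='2024-04-09T16:36:20.609177+02:00 direct postfix/submission/smtpd[652]: NOQUEUE: reject: RCPT from static.111.111.111.111.clients.your-server.de[222.222.222.222]: 554 5.7.1 <static.111.111.111.111.clients.your-server.de[222.222.222.222]>: Client host rejected: Access denied; from=<info@mail.hostname.com> to=<test@testmail.anotherhost.com> proto=ESMTP helo=<DESKTOP-OSIMTIL>
2024-04-09T16:40:01.000000+02:00 direct postfix/smtpd[700]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<spam@example.org> to=<bob@example.net> proto=ESMTP helo=<x>
2024-04-09T16:41:12.000000+02:00 direct postfix/submission/smtpd[652]: 1A2B3C4D5E: client=static.111.111.111.111.clients.your-server.de[222.222.222.222], sasl_method=PLAIN, sasl_username=info@mail.hostname.com
2024-04-09T17:21:22.383926+02:00 direct postfix/submission/smtpd[638]: NOQUEUE: reject: RCPT from static.111.111.111.111.clients.your-server.de[222.222.222.222]: 554 5.7.1 <static.111.111.111.111.clients.your-server.de[222.222.222.222]>: Client host rejected: Access denied; from=<info@mail.hostname.com> to=<test@testmail.anotherhost.com> proto=ESMTP helo=<DESKTOP-OSIMTIL>
2024-04-09T17:30:00.000000+02:00 direct postfix/submission/smtpd[640]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <unknown[203.0.113.9]>: Client host rejected: Access denied; from=<ceo@mail.hostname.com> to=<victim@example.com> proto=ESMTP helo=<bot>'

# Print "<client-ip> <from> <to>" for every RCPT rejected with 554 5.7.1 on
# the submission service. Reads log lines on stdin. The port 25 smtpd
# service and accepted (sasl_username=) sessions are deliberately not matched.
submission_rejects() {
  grep 'postfix/submission/smtpd\[[0-9]*\]: NOQUEUE: reject: RCPT from ' \
    | sed -n 's/.*RCPT from [^[]*\[\([^]]*\)\]: 554 5\.7\.1 .*from=<\([^>]*\)> to=<\([^>]*\)>.*/\1 \2 \3/p'
}

# Count those rejects per client IP, printed as "<client-ip> <count>" sorted by IP.
rejects_per_client() {
  submission_rejects | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | rejects_per_client
```

Feed it `journalctl` or the mounted /var/log/mail/mail.log instead of the sample to see which hosts keep trying the submission port without credentials; an unexpectedly high count for an IP you do not recognise is the signal to check Fail2Ban, while a count for your own client means its SMTP settings are not performing SASL auth.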
glime-ai bot commented Apr 9, 2024

Please note that this response was created using generative AI, leveraging previously available information from the repository. This information may be helpful. However, it is our strong recommendation that you carefully consider the information before blindly applying it.


Based on the information provided and the context from the sources, it seems like you're encountering an issue with sending emails from your Docker Mailserver setup, specifically getting a "554 5.7.1: Client host rejected: Access denied" error. This error typically indicates a problem with the SMTP authentication or the configuration that controls which clients are allowed to send emails.

Given that you've set SMTP_ONLY=1, this disables Dovecot and other services related to local mailboxes, as mentioned in the Forward-Only Mail Server with LDAP Authentication documentation. However, your issue seems to be related to SMTP authentication or client restrictions rather than local mailbox handling.

The logs indicate that the client host is rejected due to access being denied. This could be due to several reasons, including but not limited to:

  • Misconfiguration of SASL authentication settings.
  • Incorrect permit_sasl_authenticated settings in Postfix.
  • IP address of the client not being allowed to relay emails.

Given the complexity of email server configurations and the potential for small misconfigurations to cause significant issues, here are a few steps to troubleshoot and potentially resolve your issue:

  1. Verify SASL Authentication Configuration: Ensure that SASL authentication is correctly configured. Since you have ENABLE_SASLAUTHD=1 without specifying SASLAUTHD_MECHANISMS, make sure that the default mechanism aligns with your authentication setup. Refer to the Authenticating with LDAP documentation if you're using LDAP for authentication.

  2. Check Client Host Restrictions: The error message suggests that the client host is being rejected. Review your Postfix configuration related to client restrictions, specifically in the smtpd_recipient_restrictions setting. You might need to adjust this to allow your client host to send emails.

  3. Review Fail2Ban Settings: Although not directly mentioned, ensure that Fail2Ban has not inadvertently banned your client IP address. You can check and unban IPs using the commands provided in the FAQ section.

  4. Consult the Docker Mailserver Issues and Discussions: Since you've mentioned that similar issues have been filed, it might be helpful to revisit those discussions or even open a new issue detailing your specific problem for more targeted advice from the community.

If after trying these steps you're still facing issues, providing more detailed logs, configuration files, and any specific changes you've made to the default configuration could help in diagnosing the problem more accurately.

This comment was generated by Glime.

@georglauterbach (Member)

Just to understand exactly what you are referring to: you want a send-only mail server, but your instance is receiving and saving e-mail, right?

@polarathene (Member)

While setting up a standard setup of docker-mailserver with intention to use this as an email sending only I found a problem.
After the setup accordingly to the documentation It worked but there was an issue that the email that was set to be sending only was saving copy on local mailbox.

This is not clear enough. The DMS account that is sending mail is storing a copy locally in the container/volume? Or you have sent mail to DMS for this account and it received it?

To prevent receiving mail, just don't expose the port 25 for the container. No MX DNS record should resolve to that host anyway since you don't want mail delivered there. You should still have a mail server somewhere that receives mail for that domain however, and DNS TXT records like for SPF that authorize your DMS server to send mail for that domain.

SMTP_ONLY=1 disables the Dovecot service (mail can still be received by Postfix on port 25 if you allow it)

SMTP_ONLY=1 is effectively ENABLE_DOVECOT=0 for the most part. There's no official support yet for an alternative account provider, so you configure Postfix with mail accounts manually like you've done through referenced links providing guidance.

if [[ ${SMTP_ONLY} -ne 1 ]]; then
  _register_setup_function '_setup_dovecot'
  _register_setup_function '_setup_dovecot_sieve'
  _register_setup_function '_setup_dovecot_dhparam'
  _register_setup_function '_setup_dovecot_quota'
  _register_setup_function '_setup_spam_subject'
  _register_setup_function '_setup_spam_to_junk'
  _register_setup_function '_setup_spam_mark_as_read'
fi

# Dovecot feature integration
# TODO: Alias SMTP_ONLY=0 to DOVECOT_ENABLED=1?
if [[ ${SMTP_ONLY} -ne 1 ]]; then
  __postfix__log 'trace' 'Configuring Postfix with Dovecot integration'
  # /etc/postfix/vmailbox is created by: scripts/helpers/accounts.sh:_create_accounts()
  # This file config is for Postfix to verify a mail account exists before accepting
  # mail arriving and delivering it to Dovecot over LMTP.
  if [[ ${ACCOUNT_PROVISIONER} == 'FILE' ]]; then
    postconf 'virtual_mailbox_maps = texthash:/etc/postfix/vmailbox'
  fi
  postconf 'virtual_transport = lmtp:unix:/var/run/dovecot/lmtp'
fi

SASL auth on Postfix could be disabled (but in your case it's not and you'd probably want to keep it that way):

__postfix__log 'trace' "Configuring SASLauthd"
if [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && [[ ! -f /etc/postfix/sasl/smtpd.conf ]]; then
  cat >/etc/postfix/sasl/smtpd.conf << EOF
pwcheck_method: saslauthd
mech_list: plain login
EOF
fi

# User has explicitly requested to disable SASL auth:
# TODO: Additive config by feature would be better. Should only enable SASL auth
# on submission(s) services in master.cf when SASLAuthd or Dovecot is enabled.
if [[ ${ENABLE_SASLAUTHD} -eq 0 ]] && [[ ${SMTP_ONLY} -eq 1 ]]; then
  # Default for services (eg: Port 25); NOTE: This has since become the default:
  sed -i -E \
    's|^smtpd_sasl_auth_enable =.*|smtpd_sasl_auth_enable = no|g' \
    /etc/postfix/main.cf
  # Submission services that are explicitly enabled by default:
  sed -i -E \
    's|^ -o smtpd_sasl_auth_enable=.*| -o smtpd_sasl_auth_enable=no|g' \
    /etc/postfix/master.cf
fi


Managed domains (should not apply to you unless using virtual aliases)

This part of our setup script will inform Postfix that it manages the mail domains (via a lookup at the virtual_mailbox_domains config setting) found in the postfix-accounts.cf and postfix-virtual.cf config files, if they exist.

# Postfix lookup tables for verifying valid users and managed mail domains:
# Populated during startup in: scripts/helpers/postfix.sh
virtual_mailbox_domains = /etc/postfix/vhost
# Populated during startup in: scripts/helpers/aliases.sh
virtual_alias_maps = texthash:/etc/postfix/virtual

# scripts/helpers/postfix.sh:_create_postfix_vhost()
__postfix__log 'trace' 'Setting up Postfix vhost'
_create_postfix_vhost

# Collects domains from configs (DATABASE_) into TMP_VHOST
function _vhost_collect_postfix_domains() {
  local DATABASE_ACCOUNTS='/tmp/docker-mailserver/postfix-accounts.cf'
  local DATABASE_VIRTUAL='/tmp/docker-mailserver/postfix-virtual.cf'
  local DOMAIN UNAME

  # Extract domains from mail accounts:
  if [[ -f ${DATABASE_ACCOUNTS} ]]; then
    while IFS=$'|' read -r MAIL_ACCOUNT _; do
      # It is expected valid lines have the format local-part@domain-part:
      DOMAIN=$(cut -d '@' -f 2 <<< "${MAIL_ACCOUNT}")
      echo "${DOMAIN}" >>"${TMP_VHOST}"
    done < <(_get_valid_lines_from_file "${DATABASE_ACCOUNTS}")
  fi

  # TODO: Consider if virtual aliases should be configured to the same vhost file:
  # https://github.com/docker-mailserver/docker-mailserver/issues/2813#issuecomment-1272394563
  # Extract domains from virtual alias config:
  # Aliases may have the forms: 'local-part@domain-part', only 'local-part', or '@domain-part' (wildcard catch-all)
  if [[ -f ${DATABASE_VIRTUAL} ]]; then
    while read -r ALIAS_FIELD _; do
      UNAME=$(cut -d '@' -f 1 <<< "${ALIAS_FIELD}")
      DOMAIN=$(cut -d '@' -f 2 <<< "${ALIAS_FIELD}")

      # Only add valid domain-parts found:
      # The '@' is optional for an alias key (eg: "user1 other@domain.tld"),
      # but cut with -f2 would output the same value as it would -f1 when '@' is missing.
      [[ ${UNAME} != "${DOMAIN}" ]] && echo "${DOMAIN}" >>"${TMP_VHOST}"
    done < <(_get_valid_lines_from_file "${DATABASE_VIRTUAL}")
  fi

  _vhost_ldap_support
}

# Add DOMAINNAME (not an ENV, set by `helpers/dns.sh`) to vhost.
# NOTE: `setup-stack.sh:_setup_ldap` has related logic:
# - `main.cf:mydestination` setting removes `$mydestination` as an LDAP bugfix.
# - `main.cf:virtual_mailbox_domains` uses `/etc/postfix/vhost`, but may
#   conditionally include a 2nd table (ldap:/etc/postfix/ldap-domains.cf).
function _vhost_ldap_support() {
  [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]] && echo "${DOMAINNAME}" >>"${TMP_VHOST}"
}


Internal addresses and deliveries

Internally Postfix recognizes the DMS FQDN (from the hostname container config) as what it should present in the HELO/EHLO greeting (the FQDN of the mail server, not the sender address domain) when sending mail.

# Take the following concerns into consideration if adjusting `mydestination`:
# https://github.com/docker-mailserver/docker-mailserver/pull/3264#pullrequestreview-1396816109
# https://github.com/docker-mailserver/docker-mailserver/pull/3264#issuecomment-1518993555
mydestination = $myhostname, localhost.$mydomain, localhost

__postfix__log 'trace' 'Applying hostname and domainname'
postconf "myhostname = ${HOSTNAME}"
postconf "mydomain = ${DOMAINNAME}"

When you have configured this to be separate from the actual mail domains your accounts use (not a "bare domain", as per our docs FAQ entry), this mail.example.com hostname is better distinguished as being for internal system mail.

We implicitly create /etc/aliases with an alias for the system root user to your POSTMASTER ENV address:

function _handle_postfix_aliases_config() {
  _log 'trace' 'Configuring root alias'

  echo "root: ${POSTMASTER_ADDRESS}" >/etc/aliases

  local DATABASE_ALIASES='/tmp/docker-mailserver/postfix-aliases.cf'
  [[ -f ${DATABASE_ALIASES} ]] && cat "${DATABASE_ALIASES}" >>/etc/aliases

  _adjust_mtime_for_postfix_maincf
  postalias /etc/aliases
}

# Other scripts should call this method, rather than the ones above:
function _create_aliases() {
  _handle_postfix_virtual_config
  _handle_postfix_regexp_config
  _handle_postfix_aliases_config
}

Our startup process runs this DNS helper script that derives the HOSTNAME (overrides) and DOMAINNAME (if not a bare domain, truncates the 1st left-side DNS label from the FQDN, mail.example.com => example.com). If the POSTMASTER ENV is not configured, it implicitly infers one for that /etc/aliases entry above to use:

VARS[POSTMASTER_ADDRESS]="${POSTMASTER_ADDRESS:=postmaster@${DOMAINNAME}}"
VARS[REPORT_RECIPIENT]="${REPORT_RECIPIENT:=${POSTMASTER_ADDRESS}}"
VARS[REPORT_SENDER]="${REPORT_SENDER:=mailserver-report@${HOSTNAME}}"

There are some recurring tasks internally that will send mail to that address, or send mail as the root user at your mail.example.com hostname address, which should deliver locally. As you can see above there are also some inferred default addresses for reports. This should all be internal.

If mail fails to deliver, Postfix may attempt to notify you by sending a mail to your account locally, which may be what you're seeing. You did not share the contents of the mail stored; are you sure it's a copy, or was there extra information included about the delivery failure?
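
To make the comment above concrete, here is an added example (not code from the issue or from docker-mailserver) that traces which Postfix address class a recipient falls into on a send-only instance, in the order Postfix resolves them: a domain listed in mydestination goes to local(8), where /etc/aliases is expanded; otherwise a domain in virtual_mailbox_domains (the vhost file) is a virtual mailbox; anything else is relayed off-host. The settings are constructed to mirror the snippets quoted in the thread for a container with hostname mail.example.com, one account info@mail.example.com and POSTMASTER_ADDRESS left unset; those names are assumptions, not values from the issue:

```shell
#!/bin/sh
# Added example (not DMS code): trace Postfix address-class resolution for a
# recipient on a send-only DMS instance, with /etc/aliases expansion.

MYHOSTNAME='mail.example.com'   # assumed container hostname
MYDOMAIN='example.com'          # DOMAINNAME as helpers/dns.sh derives it
# main.cf default quoted in the thread, before Postfix expands the $-variables
MYDESTINATION='$myhostname, localhost.$mydomain, localhost'
# /etc/postfix/vhost as _vhost_collect_postfix_domains builds it from the account
VHOST='mail.example.com'
# /etc/aliases as _handle_postfix_aliases_config writes it with POSTMASTER_ADDRESS unset
ALIASES='root: postmaster@example.com'

# Expand $myhostname / $mydomain in mydestination; prints one domain per line.
expand_mydestination() {
  printf '%s\n' "$MYDESTINATION" \
    | sed -e 's/[$]myhostname/'"$MYHOSTNAME"'/g' -e 's/[$]mydomain/'"$MYDOMAIN"'/g' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -v '^$'
}

# Exit 0 when $1 equals one of the lines on stdin (case-insensitive, as domains are).
in_list() {
  grep -qixF -- "$1"
}

# Print the delivery trace for one recipient. An unqualified local part gets
# $myorigin appended, which defaults to $myhostname. Aliases are followed
# recursively, the way local(8) expands alias_maps and requeues the result.
route_recipient() {
  addr=$1
  case $addr in
    *@*) ;;
    *) addr="${addr}@${MYHOSTNAME}" ;;
  esac
  local_part=${addr%%@*}
  domain=${addr#*@}
  if expand_mydestination | in_list "$domain"; then
    target=$(printf '%s\n' "$ALIASES" | sed -n "s/^${local_part}:[[:space:]]*//p")
    if [ -n "$target" ]; then
      printf 'local(%s) -> alias %s=%s -> %s' "$domain" "$local_part" "$target" \
        "$(route_recipient "$target")"
    else
      printf 'local(%s) mailbox %s' "$domain" "$local_part"
    fi
  elif printf '%s\n' "$VHOST" | in_list "$domain"; then
    printf 'virtual(%s) mailbox %s' "$domain" "$local_part"
  else
    printf 'relay(%s)' "$domain"
  fi
}

# Stand-alone run: the root alias, an account whose domain equals the
# hostname, and an external recipient.
for rcpt in root@mail.example.com info@mail.example.com test@testmail.anotherhost.com; do
  printf '%s: %s\n' "$rcpt" "$(route_recipient "$rcpt")"
done
```

Two things the trace makes visible. Mail to root@mail.example.com is local, expands through the root alias to postmaster@example.com, and since example.com is neither in mydestination nor in vhost it leaves the host: a send-only instance with an external postmaster therefore does not keep bounces for itself. And an account whose domain is the container hostname itself (info@mail.example.com) is classed as local before vhost is even consulted, because Postfix checks mydestination first and warns when a domain appears in both mydestination and virtual_mailbox_domains; that is the practical reason behind the advice above to keep mail.example.com distinct from the domains your accounts use.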

@polarathene polarathene added kind/question Someone asked a question - feel free to answer service/postfix area/scripts area/documentation area/configuration (file) and removed meta/help wanted The OP requests help from others - chime in! :D labels Apr 15, 2024
@polarathene polarathene changed the title other: Problem with removing/disabling local mail account question: Why does SMTP_ONLY=1 with a send-only address store a local copy of mail? Apr 15, 2024
@polarathene polarathene changed the title question: Why does SMTP_ONLY=1 with a send-only address store a local copy of mail? question: Why does SMTP_ONLY=1 still allow to receive mail locally? Apr 15, 2024
github-actions bot (Contributor) commented May 6, 2024

This issue has become stale because it has been open for 20 days without activity.
This issue will be closed in 10 days automatically unless:

  • a maintainer removes the meta/stale label or adds the stale-bot/ignore label
  • new activity occurs, such as a new comment

@github-actions github-actions bot added the meta/stale This issue / PR has become stale and will be closed if there is no further activity label May 6, 2024
github-actions bot (Contributor)
This issue was closed due to inactivity.

@github-actions github-actions bot added the meta/closed due to age or inactivity This issue / PR has been closed due inactivity label May 16, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 16, 2024