question: Why does SMTP_ONLY=1 still allow to receive mail locally? #3974

Comments
Please note that this response was created using generative AI, leveraging previously available information from the repository. This information may be helpful. However, it is our strong recommendation that you carefully consider the information before blindly applying it. Based on the information provided and the context from the sources, it seems like you're encountering an issue with sending emails from your Docker Mailserver setup, specifically getting a "554 5.7.1: Client host rejected: Access denied" error. This error typically indicates a problem with the SMTP authentication or the configuration that controls which clients are allowed to send emails. Given that you've set The logs indicate that the client host is rejected due to access being denied. This could be due to several reasons, including but not limited to:
Given the complexity of email server configurations and the potential for small misconfigurations to cause significant issues, here are a few steps to troubleshoot and potentially resolve your issue:
If after trying these steps you're still facing issues, providing more detailed logs, configuration files, and any specific changes you've made to the default configuration could help in diagnosing the problem more accurately. This comment was generated by Glime.

Just to understand exactly what you are referring to: you want a send-only mail server, but your instance is receiving and saving e-mail, right?
This is not clear enough. The DMS account that is sending mail is storing a copy locally in the container/volume? Or you have sent mail to DMS for this account and it received it? To prevent receiving mail, just don't expose the port 25 for the container. No MX DNS record should resolve to that host anyway since you don't want mail delivered there. You should still have a mail server somewhere that receives mail for that domain however, and DNS TXT records like for SPF that authorize your DMS server to send mail for that domain.
```bash
if [[ ${SMTP_ONLY} -ne 1 ]]; then
  _register_setup_function '_setup_dovecot'
  _register_setup_function '_setup_dovecot_sieve'
  _register_setup_function '_setup_dovecot_dhparam'
  _register_setup_function '_setup_dovecot_quota'
  _register_setup_function '_setup_spam_subject'
  _register_setup_function '_setup_spam_to_junk'
  _register_setup_function '_setup_spam_mark_as_read'
fi
```
docker-mailserver/target/scripts/startup/setup.d/postfix.sh, lines 71 to 83 in ad5d101:

```bash
# Dovecot feature integration
# TODO: Alias SMTP_ONLY=0 to DOVECOT_ENABLED=1?
if [[ ${SMTP_ONLY} -ne 1 ]]; then
  __postfix__log 'trace' 'Configuring Postfix with Dovecot integration'

  # /etc/postfix/vmailbox is created by: scripts/helpers/accounts.sh:_create_accounts()
  # This file config is for Postfix to verify a mail account exists before accepting
  # mail arriving and delivering it to Dovecot over LMTP.
  if [[ ${ACCOUNT_PROVISIONER} == 'FILE' ]]; then
    postconf 'virtual_mailbox_maps = texthash:/etc/postfix/vmailbox'
  fi
  postconf 'virtual_transport = lmtp:unix:/var/run/dovecot/lmtp'
fi
```
SASL auth on Postfix could be disabled (but in your case it's not and you'd probably want to keep it that way):
docker-mailserver/target/scripts/startup/setup.d/postfix.sh, lines 22 to 42 in ad5d101:

```bash
__postfix__log 'trace' "Configuring SASLauthd"
if [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && [[ ! -f /etc/postfix/sasl/smtpd.conf ]]; then
  cat >/etc/postfix/sasl/smtpd.conf << EOF
pwcheck_method: saslauthd
mech_list: plain login
EOF
fi

# User has explicitly requested to disable SASL auth:
# TODO: Additive config by feature would be better. Should only enable SASL auth
# on submission(s) services in master.cf when SASLAuthd or Dovecot is enabled.
if [[ ${ENABLE_SASLAUTHD} -eq 0 ]] && [[ ${SMTP_ONLY} -eq 1 ]]; then
  # Default for services (eg: Port 25); NOTE: This has since become the default:
  sed -i -E \
    's|^smtpd_sasl_auth_enable =.*|smtpd_sasl_auth_enable = no|g' \
    /etc/postfix/main.cf
  # Submission services that are explicitly enabled by default:
  sed -i -E \
    's|^  -o smtpd_sasl_auth_enable=.*|  -o smtpd_sasl_auth_enable=no|g' \
    /etc/postfix/master.cf
fi
```
Managed domains (should not apply to you unless using virtual aliases)

This part of our setup script will inform Postfix that it manages the mail domains (via lookup at the virtual_mailbox_domains config setting) in the postfix-accounts.cf and postfix-virtual.cf config files if they exist.
docker-mailserver/target/postfix/main.cf, lines 102 to 106 in ad5d101:

```
# Postfix lookup tables for verifying valid users and managed mail domains:
# Populated during startup in: scripts/helpers/postfix.sh
virtual_mailbox_domains = /etc/postfix/vhost
# Populated during startup in: scripts/helpers/aliases.sh
virtual_alias_maps = texthash:/etc/postfix/virtual
```
docker-mailserver/target/scripts/startup/setup.d/postfix.sh, lines 48 to 50 in ad5d101:

```bash
# scripts/helpers/postfix.sh:_create_postfix_vhost()
__postfix__log 'trace' 'Setting up Postfix vhost'
_create_postfix_vhost
```
docker-mailserver/target/scripts/helpers/postfix.sh, lines 40 to 82 in ad5d101:

```bash
# Collects domains from configs (DATABASE_) into TMP_VHOST
function _vhost_collect_postfix_domains() {
  local DATABASE_ACCOUNTS='/tmp/docker-mailserver/postfix-accounts.cf'
  local DATABASE_VIRTUAL='/tmp/docker-mailserver/postfix-virtual.cf'
  local DOMAIN UNAME

  # Extract domains from mail accounts:
  if [[ -f ${DATABASE_ACCOUNTS} ]]; then
    while IFS=$'|' read -r MAIL_ACCOUNT _; do
      # It is expected valid lines have the format local-part@domain-part:
      DOMAIN=$(cut -d '@' -f 2 <<< "${MAIL_ACCOUNT}")
      echo "${DOMAIN}" >>"${TMP_VHOST}"
    done < <(_get_valid_lines_from_file "${DATABASE_ACCOUNTS}")
  fi

  # TODO: Consider if virtual aliases should be configured to the same vhost file:
  # https://github.com/docker-mailserver/docker-mailserver/issues/2813#issuecomment-1272394563
  # Extract domains from virtual alias config:
  # Aliases may have the forms: 'local-part@domain-part', only 'local-part', or '@domain-part' (wildcard catch-all)
  if [[ -f ${DATABASE_VIRTUAL} ]]; then
    while read -r ALIAS_FIELD _; do
      UNAME=$(cut -d '@' -f 1 <<< "${ALIAS_FIELD}")
      DOMAIN=$(cut -d '@' -f 2 <<< "${ALIAS_FIELD}")

      # Only add valid domain-parts found:
      # The '@' is optional for an alias key (eg: "user1 other@domain.tld"),
      # but cut with -f2 would output the same value as it would -f1 when '@' is missing.
      [[ ${UNAME} != "${DOMAIN}" ]] && echo "${DOMAIN}" >>"${TMP_VHOST}"
    done < <(_get_valid_lines_from_file "${DATABASE_VIRTUAL}")
  fi

  _vhost_ldap_support
}

# Add DOMAINNAME (not an ENV, set by `helpers/dns.sh`) to vhost.
# NOTE: `setup-stack.sh:_setup_ldap` has related logic:
# - `main.cf:mydestination` setting removes `$mydestination` as an LDAP bugfix.
# - `main.cf:virtual_mailbox_domains` uses `/etc/postfix/vhost`, but may
#   conditionally include a 2nd table (ldap:/etc/postfix/ldap-domains.cf).
function _vhost_ldap_support() {
  [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]] && echo "${DOMAINNAME}" >>"${TMP_VHOST}"
}
```
Internal addresses and deliveries
Internally Postfix recognizes the DMS FQDN (from the hostname container config) as what it should present for the HELO/EHLO greeting (the FQDN of the mail server, not the sender address domain) to use when sending mail.
docker-mailserver/target/postfix/main.cf, lines 15 to 18 in ad5d101:

```
# Take the following concerns into consideration if adjusting `mydestination`:
# https://github.com/docker-mailserver/docker-mailserver/pull/3264#pullrequestreview-1396816109
# https://github.com/docker-mailserver/docker-mailserver/pull/3264#issuecomment-1518993555
mydestination = $myhostname, localhost.$mydomain, localhost
```
docker-mailserver/target/scripts/startup/setup.d/postfix.sh, lines 13 to 15 in ad5d101:

```bash
__postfix__log 'trace' 'Applying hostname and domainname'
postconf "myhostname = ${HOSTNAME}"
postconf "mydomain = ${DOMAINNAME}"
```
When you have configured this to be separate from the actual mail domains your accounts use (not a "bare domain" as per our docs FAQ entry), this mail.example.com hostname is better distinguished as being for internal system mail.

We implicitly create /etc/aliases with an alias for the system root user to your POSTMASTER ENV address:
docker-mailserver/target/scripts/helpers/aliases.sh, lines 33 to 50 in ad5d101:

```bash
function _handle_postfix_aliases_config() {
  _log 'trace' 'Configuring root alias'

  echo "root: ${POSTMASTER_ADDRESS}" >/etc/aliases

  local DATABASE_ALIASES='/tmp/docker-mailserver/postfix-aliases.cf'
  [[ -f ${DATABASE_ALIASES} ]] && cat "${DATABASE_ALIASES}" >>/etc/aliases

  _adjust_mtime_for_postfix_maincf
  postalias /etc/aliases
}

# Other scripts should call this method, rather than the ones above:
function _create_aliases() {
  _handle_postfix_virtual_config
  _handle_postfix_regexp_config
  _handle_postfix_aliases_config
}
```
Our startup process runs this DNS helper script that derives the HOSTNAME (overrides) and DOMAINNAME (if not a bare domain, truncates the 1st left-side DNS label from the FQDN, mail.example.com => example.com). If the POSTMASTER ENV is not configured, it implicitly infers one for that /etc/aliases entry above to use:
docker-mailserver/target/scripts/startup/variables-stack.sh, lines 52 to 54 in ad5d101:

```bash
VARS[POSTMASTER_ADDRESS]="${POSTMASTER_ADDRESS:=postmaster@${DOMAINNAME}}"
VARS[REPORT_RECIPIENT]="${REPORT_RECIPIENT:=${POSTMASTER_ADDRESS}}"
VARS[REPORT_SENDER]="${REPORT_SENDER:=mailserver-report@${HOSTNAME}}"
```
There are some recurring tasks internally that will send mail to that address, or send mail as the root user at your mail.example.com hostname address, which should deliver locally. As you can see above there are also some inferred default addresses for reports. This should all be internal.

If mail fails to deliver, Postfix may attempt to notify you by sending a mail to your account locally, which may be what you're seeing. You did not share the contents of the mail stored; are you sure it's a copy, or was there extra information included about delivery failure?
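To make the explanation above concrete, here is an added example (not docker-mailserver's own code) that mirrors the described DOMAINNAME/POSTMASTER/REPORT_SENDER inference and classifies a recipient's domain against Postfix's mydestination and the vhost table, so you can see which internally generated mail would stay on an SMTP_ONLY=1 container. The hostname mail.example.com, the `postconf -n` excerpt and the vhost content are constructed samples.

```bash
# Added example, not docker-mailserver's own code: mirror the default-address
# inference described above and classify a recipient domain against Postfix's
# mydestination and vhost tables, to show why internally generated mail
# (root alias, reports, bounces) stays on the container with SMTP_ONLY=1.
set -eo pipefail

# Constructed `postconf -n` excerpt for a container whose hostname is mail.example.com:
SAMPLE_MAINCF='myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_mailbox_domains = /etc/postfix/vhost'
# Constructed /etc/postfix/vhost as built from an account sender@example.com:
SAMPLE_VHOST='example.com'

# infer_defaults FQDN: prints DOMAINNAME, POSTMASTER_ADDRESS and REPORT_SENDER
# defaults (one per line), as derived when the ENV is not set.
infer_defaults() {
  local fqdn=$1 domainname=${1#*.}   # drop the left-most DNS label
  printf '%s\n' "${domainname}" "postmaster@${domainname}" "mailserver-report@${fqdn}"
}

# _maincf_get KEY CONFIG: value of KEY with $myhostname/$mydomain expanded.
_maincf_get() {
  local key=$1 config=$2 value host dom
  value=$(printf '%s\n' "${config}" | sed -n "s/^${key} = //p")
  host=$(printf '%s\n' "${config}" | sed -n 's/^myhostname = //p')
  dom=$(printf '%s\n' "${config}" | sed -n 's/^mydomain = //p')
  value=${value//\$myhostname/${host}}
  printf '%s\n' "${value//\$mydomain/${dom}}"
}

# address_class ADDRESS CONFIG VHOST: prints 'mydestination' (system mail such
# as root@FQDN), 'virtual_mailbox' (a hosted account domain, so the mail never
# leaves the host) or 'remote' (Postfix hands it to that domain's MX).
address_class() {
  local address=$1 config=$2 vhost=$3 domain=${1##*@} d dests
  IFS=', ' read -r -a dests <<< "$(_maincf_get mydestination "${config}")"
  for d in "${dests[@]}"; do
    [[ ${d} == "${domain}" ]] && { echo mydestination; return; }
  done
  while read -r d; do
    [[ -n ${d} && ${d} == "${domain}" ]] && { echo virtual_mailbox; return; }
  done <<< "${vhost}"
  echo remote
}

# The inferred postmaster for mail.example.com is postmaster@example.com, a virtual
# mailbox domain; a POSTMASTER_ADDRESS hosted elsewhere is classed 'remote' instead.
address_class "$(infer_defaults mail.example.com | sed -n 2p)" "${SAMPLE_MAINCF}" "${SAMPLE_VHOST}"
address_class postmaster@ops.example.net "${SAMPLE_MAINCF}" "${SAMPLE_VHOST}"
```

Run it against a real container by replacing the two samples with `postconf -n` output and the contents of /etc/postfix/vhost; an address classed 'remote' is the one to put in POSTMASTER_ADDRESS and REPORT_RECIPIENT if internal notifications must not accumulate locally.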
This issue has become stale because it has been open for 20 days without activity.

This issue was closed due to inactivity.
Subject
I would like to configure an undocumented mail server use case
Description
Hello,
While setting up a standard setup of docker-mailserver with the intention to use it for sending email only, I found a problem.
After setting up according to the documentation it worked, but there was an issue: the account that was set to be sending only was saving a copy in the local mailbox. After trying to turn the server into send-only mode with the help of issue #3477, which didn't help, I had decided to turn off the local account with the help of resolved issue #3472. Unfortunately the solution proposed in #3472, which was mentioned in the FAQ section of the documentation, did not resolve the problem.
Otherwise the server is working fine, configuration was done according to the documentation and the score on mail-tester.com was 9.5/10.
As I went through the thread of related issues I had noticed that most of them occurred between 2019 and 2023, so I tried with different releases (:13.x, :latest, :edge) hoping that this problem was patched, unfortunately with the same result.
I'm not sure if this is a bug or a not well documented option, as I had noticed a few issues were filed around a similar problem.
Please see logs and yaml below