Reject email from docker container to postfix

Discussion in 'Installation/Configuration' started by francoisPE, Apr 26, 2022.

  1. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,
    My config is ubuntu 20.04 with ispconfig 3.2.8p1
    I run Docker with zulip inside

    Zulip is sending email from contzainer ip 172.18.0.3
    But, my postfix conf refuses it :

    Code:
    Apr 26 22:25:14 ns postfix/submission/smtpd[991667]: NOQUEUE: filter: RCPT from unknown[172.18.0.3]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<1ea9e5170a90>
    Apr 26 22:25:14 ns postfix/submission/smtpd[991667]: NOQUEUE: reject: RCPT from unknown[172.18.0.3]: 450 4.1.1 <[email protected]>: Recipient address rejected: unverified address: connect to 127.0.0.1[127.0.0.1]:10025: Connection refused; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<1ea9e5170a90>
    
    I check server setting : upload_2022-4-26_22-59-8.png
    I would like to keep that setting for security reason.

    So, I think it should be possible to whitelist that local ip for postfix ?
    I use postscreen but I am not sure that postcreen whitelist is the right way ?

    What do you advice ?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Is postfix listening on port 10025? It should have a service definition in master.cf.
    This won't help the issue in your logs, the reason it was rejected has nothing to do with the client ip.
    Similarly, postscreen is not rejecting the message, so nothing you whitelist in postscreen can help.
     
  3. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I dig
    Code:
    grep -r 10025 /etc/postfix/*
    /etc/postfix/main.cf:address_verify_virtual_transport = smtp:[127.0.0.1]:10025
    /etc/postfix/main.cf:address_verify_transport_maps = static:smtp:[127.0.0.1]:10025
    
    and
    Code:
    netstat -tunelp | grep master
    tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      0          201275     98388/master
    tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      0          201281     98388/master
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          201260     98388/master
    tcp6       0      0 :::587                  :::*                    LISTEN      0          201276     98388/master
    tcp6       0      0 :::465                  :::*                    LISTEN      0          201282     98388/master
    tcp6       0      0 :::25                   :::*                    LISTEN      0          201261     98388/master
    ...
    That part of code is missing in master.cf...
    Code:
    127.0.0.1:10025 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_end_of_data_restrictions=
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtp_send_xforward_command=yes
            -o disable_dns_lookups=yes
            -o address_verify_virtual_transport=$virtual_transport
            -o address_verify_transport_maps=$transport_maps
    
    Thanks a lot for your help :)
     
  4. francoisPE

    francoisPE Active Member HowtoForge Supporter

    it seems to be amavis ?
    This should be a setup from ispconfig ?
    I don't understand I have that :
    upload_2022-4-27_11-58-33.png

    May be something missing in install.
    I check
     
  5. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I did that

    Code:
    php -q update.php
    and now it is solved !
    Don't know why it was not in, right first time ?
     
  6. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Due to all postfix calls, fail2ban banned my ip.
    I unban it.
    but now I would like to add 'ignoreip'
    In /etc/fail2ban/jail.local
    section [postfix]
    I want to add
    ignoreip = 172.18.0.0/28

    is that correct ?
    does it unban 172.18.0.3 in case of future issue with postfix ?
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That is the correct item to add in order to whitelist the client; you also need to ensure it is the "postfix" jail that is matching.
    It ignores future log entries from that cidr range; simply restarting fail2ban might unban it.
     
  8. francoisPE

    francoisPE Active Member HowtoForge Supporter

    No sure to understand what you mean ?
     
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If you add your ignoreip to see postfix jail, but it is eg. postfix-sasl which is matching and blocking, you will still get blocked. You can see the name of the jail that matched in fail2ban.log.
     

Share This Page