On 12/21/22 06:02, Jaroslaw Rafa wrote:
> On 21.12.2022 at 13:21:06 Samer Afach wrote:
>> Thank you for the explanation. I will follow up on this and
>> hopefully I'll find a way to solve this problem properly without
>> obfuscation of incoming IP addresses. Seems like, worst case
>> scenario, I just have to disable relaying of emails altogether and
>> that'll solve the problem, at least until a better solution is
>> available.
>
> Do any other containers on your machine relay mail through your Postfix?
>
> If no, you can safely allow relaying mail from localhost only.
>
> If yes, do all these containers seem to connect from address 172.30.0.1 or
> is this address used only by haproxy, and other containers connect from
> different 172.30.* addresses?
>
> If all containers are using 172.30.0.1 address, you must reconfigure Docker
> networking so that each container uses its own IP address from Postfix point
> of view (I don't know how as I don't use Docker, but it is certainly
> possible). If it is already the case, you don't need to do anything.
>
> Then, you have to fiddle somehow with smtp_*_restrictions so to allow
> relaying mail from other hosts in 172.30.* subnet, but reject relaying from
> 172.30.0.1 (or just set explicitly mynetworks= to all IP addresses of the
> containers that will relay mail). Just an idea, can't think of detailed
> configuration settings now.
An alternative, which I prefer, is to require all submission to be on port 465 (over TLS) and require SASL authentication on that port. Port 25 would then be for receiving email only.

I prefer using client certificates for authentication, and having the secret keys injected when launching the containers (they would not be in the images).

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
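A Postfix configuration that implements the split Demi describes, added here as an illustration rather than anything posted in the thread: port 25 accepts inbound mail for local domains only and relays for nobody, while a separate implicit-TLS listener on port 465 relays only for clients that present a client certificate listed in a fingerprint table (or, as a fallback, authenticate with SASL). Because the decision on 465 is made on the certificate and not on the source address, it does not matter that haproxy makes every container appear as 172.30.0.1. The file paths, the table name and the service name are placeholders chosen for this example; a SASL backend (Dovecot or Cyrus) is assumed to be configured separately, and how the client key gets into each container at launch is outside Postfix. Client certificates are requested, not required, so that SASL-only clients can still connect; change `smtpd_tls_ask_ccert` to `smtpd_tls_req_ccert=yes` to reject any client without one.

```ini
# --- main.cf (applies to the default "smtp" service on port 25) ---
# Only the loopback addresses are trusted; 172.30.0.1 (haproxy) is not.
mynetworks = 127.0.0.0/8 [::1]/128
# Port 25 is inbound only: accept mail for our own domains, never relay.
smtpd_relay_restrictions = reject_unauth_destination

# Server certificate for the TLS listener (placeholder paths).
smtpd_tls_cert_file = /etc/postfix/tls/server.crt
smtpd_tls_key_file  = /etc/postfix/tls/server.key
# CA that issued the containers' client certificates (placeholder path);
# permit_tls_clientcerts only matches certificates that verify against it.
smtpd_tls_CAfile    = /etc/postfix/tls/client-ca.crt
# Fingerprints in relay_clientcerts are compared as SHA-256.
smtpd_tls_fingerprint_digest = sha256
# Table of client certificate fingerprints that are allowed to relay
# (placeholder path; one "fingerprint whatever" line per container cert).
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# --- master.cf (separate file): implicit-TLS submission on port 465 ---
# "smtps" is the IANA name for 465; Postfix resolves it via /etc/services.
# smtpd_tls_wrappermode=yes makes TLS mandatory from the first byte, so no
# STARTTLS downgrade is possible on this port.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_tls_clientcerts,permit_sasl_authenticated,reject
```

To populate the fingerprint table, print each container certificate's SHA-256 fingerprint with `openssl x509 -in client.crt -noout -fingerprint -sha256`, put it on its own line in /etc/postfix/relay_clientcerts followed by any label, run `postmap /etc/postfix/relay_clientcerts`, and reload Postfix. A quick check is to connect to port 465 with `openssl s_client -connect mailhost:465` without a certificate and confirm that a RCPT TO an external domain is rejected with "Relay access denied", then repeat with `-cert client.crt -key client.key` and confirm it is accepted. Note that `-o` overrides in master.cf must not contain spaces, which is why the restriction lists are comma-separated with no whitespace.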