I would recommend a "divide and conquer" or "separation of concerns" approach.

On Fri, 23 Dec 2022, Samer Afach wrote:
> [...]
> Btw, the relays happened because I actively changed mynetworks_style to subnet, forgetting and not checking that all incoming connections will come from the gateway of docker subnet. Still under research to identify how that works.
>
> There have been suggestions on the email list that I could start the containers locally to do the experiments. Maybe I'm missing something, but isn't the primary problem that I need to identify connection sources with the PROXY protocol? How will I do that if I can't produce remote connections?

Let's take that at face value. You have containers. Therefore you need a shim container for testing, containing netcat (nc), ssh and tcpdump (or its command line replacement).

I don't care whether you don't have ssh on the container which normally carries your mail. That'd be great if you set your containers up without ssh access; but that's for another day. This shim container doesn't need postfix, so don't install it if you feel pious. (SSH is just an arbitrary suggestion, if you have another way to get shell access inside the container feel free to do that instead.)

Set this container up exactly as you would set up the postfix container in terms of networking and location / residence within your network.

Set up nc to listen on port 25 inside the container in lieu of postfix.

Observe nc via ssh (for application sense), and tcpdump (for netflow sense).

Maybe you'll get tired of pretending to be an SMTP server (by manually typing / cutting & pasting what the server would say into the ssh session). In that case, use something like expect to pipe traffic into the ssh session.

In fact, you don't need an SMTP server to send traffic to your shim container; you can telnet to its public address and do it yourself.

You can conduct your exploration of SMTP / application level concerns in a separate environment which is not exposed to the internet; construction of that environment is not discussed here.

--

Fred Morris, internet plumber
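The shim-container procedure above (nc standing in for postfix on port 25, tcpdump alongside it, then reading what the first line of the connection looks like) as an added example; this is not code from Fred's or Samer's posts. It assumes the shim container has an nc that accepts the "nc -l -p PORT" syntax and a tcpdump, and that whatever sits in front of the container speaks PROXY protocol version 1 (the HAProxy text format, "PROXY TCP4 <src> <dst> <sport> <dport>\r\n"). The sample header line and the file paths are constructed for the example.

```shell
#!/bin/sh
# Added example for the shim-container approach described in the thread.
# Assumptions: nc with "-l -p PORT" syntax, tcpdump present, and an upstream
# proxy that sends a PROXY protocol v1 header as the first line of the TCP
# stream. SAMPLE_HEADER is constructed, not captured from a real system.

SHIM_PORT=25
SESSION_LOG=/tmp/shim-session.txt
PCAP_FILE=/tmp/shim-port25.pcap

# Stand in for postfix: send a 220 banner so the remote side starts talking,
# record everything it sends (the PROXY header, if any, is the first line), and
# capture the raw packets for the netflow view. The sleep keeps nc's stdin open
# so it does not hang up after the banner. Not run at load time; call it by
# hand inside the shim container, then connect from outside with telnet.
run_shim_listener() {
    tcpdump -i any -nn -w "$PCAP_FILE" "tcp port $SHIM_PORT" &
    tcpdump_pid=$!
    ( printf '220 shim.invalid ESMTP shim\r\n'; sleep 60 ) \
        | nc -l -p "$SHIM_PORT" | tee "$SESSION_LOG"
    kill "$tcpdump_pid"
}

# Decode one PROXY v1 header line. Prints "client:port -> dest:port" and
# returns 0; returns 1 for a line that is not a PROXY header (e.g. a bare
# EHLO, which is what you see when nothing in front of you speaks PROXY),
# and 2 for "PROXY UNKNOWN", which carries no client address at all.
parse_proxy_v1() {
    line=$(printf '%s' "$1" | tr -d '\r')
    set -- $line   # word-split into: PROXY PROTO SRC DST SPORT DPORT
    [ "$1" = "PROXY" ] || { echo "not a PROXY header: $line" >&2; return 1; }
    case "$2" in
        TCP4)    printf '%s:%s -> %s:%s\n' "$3" "$5" "$4" "$6" ;;
        TCP6)    printf '[%s]:%s -> [%s]:%s\n' "$3" "$5" "$4" "$6" ;;
        UNKNOWN) echo "PROXY UNKNOWN: proxy passed no client address" >&2; return 2 ;;
        *)       echo "unexpected protocol field: $2" >&2; return 1 ;;
    esac
}

# Read the first line the shim recorded and report the real client address.
# Argument: path of the session log written by run_shim_listener.
report_client_from_session() {
    parse_proxy_v1 "$(head -n 1 "$1")"
}

# Constructed sample of what the shim might record as its first line.
SAMPLE_HEADER='PROXY TCP4 203.0.113.5 10.0.0.2 51234 25'
parse_proxy_v1 "$SAMPLE_HEADER"
```

If the first recorded line is an EHLO rather than a PROXY header, the proxy in front of the container is not sending one, and the source address tcpdump shows (the docker subnet gateway, in the situation Samer describes) is all postfix would ever see; that is the distinction the shim is there to make visible.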
