Docker-mailserver: Make some use case examples that reproducibly work

Additionally,
If I run with SPOOF_PROTECTION=1, I got the following error when sending email:

mail    | Sep  5 05:05:05 mail postfix/submission/smtpd[16690]: connect from unknown[172.23.0.1]
mail    | Sep  5 05:05:05 mail postfix/submission/smtpd[16690]: Anonymous TLS connection established from unknown[172.23.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mail    | Sep  5 05:05:05 mail postfix/submission/smtpd[16690]: NOQUEUE: reject: RCPT from unknown[172.23.0.1]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<2.1.168.192.in-addr.arpa>

When SPOOF_PROTECTION=0, I can successfully send emails. However, this seems to be a security problem.
All of the set environment variables are:

    - ENABLE_CLAMAV=0
    - ONE_DIR=1
    - ENABLE_FAIL2BAN=1
    - SSL_TYPE=letsencrypt
    - SPOOF_PROTECTION=1
    - ENABLE_SRS=1

Thank you for taking the time to write this and sorry that you ran into so many problems. I think one of your problems is "work on my Mac". For some reason (long before my time) docker-mailserver was built for Linux hosts. The tests only work on Linux. There is nothing that deliberately excludes Mac or Windows hosts, but (as you noticed) they are not fully supported and some problems are unfortunately to be expected.

E-mail is complex. Most of the options in the .env file should be covered in the README and there are comments for all of them, but you need to know what they do. Most should have sensible defaults though, so the only ones you really must change are the ones in the top where you configure your host.

Just to give some perspective I had the opposite experience. When I tried docker-mailserver on a Linux host I was up and running in well below 10 minutes. Compared with setting up a full mail server stack from scratch that is really awesome, it saved me at least a day, probably two. Plus now I can move the whole stack between servers easily.

If you want to help out by improving the support for running on Mac or by making the documentation better, please submit a pull request! This is a community effort after all.

@erik-wramner Thanks for the reply.

It is not that I do not want to help. The problem is that I still have not get comfortable results yet. Specifically, SPOOF_PROTECTION=1 does not work for me and I have no idea how to fix it.

First of all I'm not at all sure that fail2ban works on a Mac host. It needs to use host networking to interact with the firewall and I very much doubt that it is compatible. It may work, but I would be surprised.

Second, I don't remember exactly what SPOOF_PROTECTION does, but have you updated your DNS entries with DKIM keys? I don't think you mentioned it above and it is part of the short installation guide in the readme.

@erik-wramner
I only did exactly what I described. I disabled fail2ban but it still does not work.

In .env it says that

# empty => (not recommended, but default for backwards compatability reasons)
#           Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address.
#           See also https://en.wikipedia.org/wiki/Email_spoofing
# 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses.
#       Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
SPOOF_PROTECTION=

So I assume that it would be a good practice to set SPOOF_PROTECTION=1.

For DKIM, In the documentation it says that
Now the keys are generated, you can configure your DNS server by just pasting the content of config/opendkim/keys/domain.tld/mail.txt in your domain.tld.hosts zone.

However, I am not sure what exactly this means. Does it mean that I have to go to the company website that manages my domains? And what exactly to do? This is what I have tried (the website is in Chinese so I am not sure if the translation is accurate):
Create a resolution record:
Record type: TXT
Main record: mail._domainkey
Record value:

( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG6b8/BgftnqyTnC30RvoEiN1BhCxP...+A0fA0SN/c9"
      "bP7yYSOOfeRWWDmi4rpbdsorzrUcnfDLTm8oTlRETYc3pGaDXk3kuVnJ4P5O9bxiCXR/Zs7t8/ywuBwcc...+vStduBTy6MJ+DenY438frqaa1p0lKwIDAQAB" )  ; ----- DKIM key mail for mydomain.org

Only these three options can be set. But it still does not work.

When I check https://github.com/tomav/docker-mailserver/wiki/Installation-Examples, the instruction is even more confusing. Do I need to run my own DNS server with bind9 to run a mailserver?? Probably not. So, I am not sure if it is the right direction to go. Additionally, it only says adding some text to a file. But it does not explain what that translates to the settings on the company website.

DKIM is used to ensure that only the owner of a domain can serve mail for the domain. Anyone can check the DNS records, which only the owner of the domain can change, to get the key and verify that the messages sent are indeed from a mail server for the domain and not from a spammer. But you are right, it was just a guess. You don't need to run bind, but you do need to have access to your DNS server (hosted or local) to configure MX records and in this case a TXT record.

However, I have found your error. It is in the error message:

553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<2.1.168.192.in-addr.arpa>

It says that you are logged in as [email protected], but you are trying to send the message from [email protected]. You don't own that address, so the e-mail is rejected. In other words you need to fix the Python program so that it uses the correct from address. Read up on smtplib.

Good luck!

@erik-wramner
Unfortunately, this does not solve the problem.

mail    | Sep  5 19:26:09 mail postfix/submission/smtpd[990]: connect from unknown[172.23.0.1]
mail    | Sep  5 19:26:09 mail postfix/submission/smtpd[990]: Anonymous TLS connection established from unknown[172.23.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mail    | Sep  5 19:26:09 mail postfix/submission/smtpd[990]: NOQUEUE: reject: RCPT from unknown[172.23.0.1]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<2.1.168.192.in-addr.arpa>

And I indeed have [email protected] account created.

Well, you are still not sending as the right user. This time you are trying to send as unknown and unknown should not send as [email protected]. You need to either login as [email protected] and send as that account or (more likely) login as [email protected] and send as [email protected]. You need to fix your Python code, the server does the right thing here.

See send-privacy-email.txt in this repo for an example. It says EHLO, then logs in, then says MAIL FROM and the sender, then further down you have the From mail header. Your Python code must produce something like that where the sender in MAIL FROM matches the sender in From and also matches the user you login with.

@erik-wramner
The Python code was correctly setup and I logged in as [email protected] and sent from [email protected].

However, I once created something in file config/postfix-virtual.cf which looks like [email protected] [email protected]. This seems to be a file for aliases. After removing this file, it runs correctly. No sure why alias creates a problem. The email was never sent from my gmail account anyway, even when SPOOF_PROTECTION=0.

@erik-wramner

This time I tried to run docker-mailserver on a cloud Ubuntu machine with the same settings. However, I cannot get the email delivered and get the following error message:

mail    | Sep  6 00:44:26 mail postfix/submission/smtpd[1029]: 8799733A4: client=x4db6e817.dyn.telefonica.de[77.182.232.23], sasl_method=PLAIN, [email protected]
mail    | Sep  6 00:44:27 mail postfix/sender-cleanup/cleanup[1070]: 8799733A4: replace: header MIME-Version: 1.0 from x4db6e817.dyn.telefonica.de[77.182.232.23]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<2.1.168.192.in-addr.arpa>: Mime-Version: 1.0
mail    | Sep  6 00:44:27 mail postfix/sender-cleanup/cleanup[1070]: 8799733A4: message-id=<>
mail    | Sep  6 00:44:27 mail postfix/sender-cleanup/cleanup[1070]: 8799733A4: replace: header MIME-Version: 1.0 from x4db6e817.dyn.telefonica.de[77.182.232.23]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<2.1.168.192.in-addr.arpa>: Mime-Version: 1.0
mail    | Sep  6 00:44:27 mail opendkim[194]: 8799733A4: DKIM-Signature field added (s=mail, d=mydomain.com)
mail    | Sep  6 00:44:27 mail postfix/qmgr[961]: 8799733A4: from=<[email protected]>, size=909, nrcpt=1 (queue active)
mail    | Sep  6 00:44:27 mail postfix/smtpd[1078]: warning: cannot load 1024-bit DH parameters from file /etc/postfix/dhparams.pem -- using compiled-in defaults
mail    | Sep  6 00:44:27 mail postfix/smtpd[1078]: warning: TLS library problem: error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: DH PARAMETERS:
mail    | Sep  6 00:44:27 mail postfix/smtpd[1078]: connect from localhost[127.0.0.1]
mail    | Sep  6 00:44:27 mail postfix/smtpd[1078]: 45E903581: client=localhost[127.0.0.1]
mail    | Sep  6 00:44:27 mail postfix/cleanup[1079]: 45E903581: message-id=<[email protected]>
mail    | Sep  6 00:44:27 mail postfix/qmgr[961]: 45E903581: from=<[email protected]>, size=1791, nrcpt=1 (queue active)
mail    | Sep  6 00:44:27 mail amavis[478]: (00478-01) Passed BAD-HEADER-7 {RelayedOpenRelay,Quarantined}, [77.182.232.23]:63868 [77.182.232.23] <[email protected]> -> <[email protected]>, quarantine: 9/badh-9UmR7NLCC9A6, Queue-ID: 8799733A4, mail_id: 9UmR7NLCC9A6, Hits: -, size: 1405, queued_as: 45E903581, 123 ms
mail    | Sep  6 00:44:27 mail postfix/smtp[1076]: 8799733A4: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.9/0.01/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 45E903581)
mail    | Sep  6 00:44:27 mail postfix/qmgr[961]: 8799733A4: removed
mail    | Sep  6 00:44:27 mail postfix/smtp[1082]: connect to mx3.qq.com[2001:df6:f400::2808]:25: Cannot assign requested address
mail    | Sep  6 00:44:57 mail postfix/smtp[1082]: connect to mx3.qq.com[203.205.219.57]:25: Connection timed out
mail    | Sep  6 00:45:27 mail postfix/smtp[1082]: connect to mx2.qq.com[203.205.219.58]:25: Connection timed out
mail    | Sep  6 00:45:27 mail postfix/smtp[1082]: connect to mx2.qq.com[2001:df6:f400::2808]:25: Cannot assign requested address
mail    | Sep  6 00:45:57 mail postfix/smtp[1082]: 45E903581: to=<[email protected]>, relay=none, delay=90, delays=0.01/0.02/90/0, dsn=4.4.1, status=deferred (connect to mx1.qq.com[58.251.110.111]:25: Connection timed out)

It seems that a linux server is not really easier.

Well, running on Linux you are up and running, right? No need to fiddle with the commands and change things, it just works? It won't teach you to debug mail delivery.

In this case the mail server has accepted your e-mail and is trying to deliver it. It is working quite hard on that, trying three servers (mx1, mx2 and mx3.qq.com) with ipv6 and ipv4. In all cases it fails to connect. If it can't connect to the mail server for qq.com it cannot deliver e-mail to it. The last line in the log says that that it will try again later.

Perhaps you have a firewall that limits outgoing traffic? Or the qq.com servers are down or not open to the Internet?

Either way docker-mailserver is working correctly here.

@erik-wramner
Thanks for the info. It seems the cloud service Alicloud banned the use of port 25 to connect to the outside world, which is quite shocking to me. A cloud server not able to send emails?? They claim that I can use port 465 to connect to other SMTP servers. Any idea how to configure that? Or should I just give up?

Give up or find another cloud provider. You can't have a functional mail server that is not allowed to use port 25. Most mail servers require authentication on port 465 and you can't authenticate to a foreign server. It won't work.

@erik-wramner
But is it possible to configure docker-mailserver somehow to make
connect to mx3.qq.com[203.205.219.57]:25
become
connect to mx3.qq.com[203.205.219.57]:465

It seems that most mail servers, including smtp.gmail.com, allow you to connect via port 465.

$ telnet smtp.gmail.com 465
Trying 64.233.189.109...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
^CConnection closed by foreign host.

And It seems that a lot large cloud services ban the use of port 25.

As I wrote it won't work, the ports don't do the same thing. Port 465 is for internal users who can authenticate. Port 25 is for external servers that send mail without authentication to the internal users. If Postfix tries to connect to another server on port 465 it will get a connection, but it will not be able to forward messages as it cannot login.

If you could work around this by simply using port 465 instead, don't you think the spammers would have done that? And then the cloud providers would have blocked 465 as well.

@erik-wramner
It is not just a workaround; it is what the cloud provider tells me to do so it must work. Also, others have success stories, just not with docker-mailserver.

I should make it clear that the provider blocks outgoing connection on port 25 but not incoming connection. Additionally, I am not sure why authentication is involved. I connect to my domain using port 587 and get authenticated there. Then, mail.mydomain.com receive my message and tries to send it to smtp.qq.com. The only problem is that it cannot connect to smtp.qq.com via port 25. Why does my mail server need to login at smtp.qq.com? With what account? qq.com is a server I have no control of.

A reason for asking users to use port 465 might be that encryption on port 465 is normally enforced, while it is optional on port 25.

Well, I'm skeptical but good luck. If you can find a solution for Postfix then it will probably work with docker-mailserver. Postfix is one of the leading mail servers, so if there are success stories as you say perhaps you can get instructions for Postfix and implement them. As far as I know port 465 is reserved for authenticated mail submission and this is a dead end, but I have been wrong before.

I should make it clear that the provider blocks outgoing connection on port 25 but not incoming connection.

This is common, it's to prevent sending out spam, either intentionally or compromised server such as exposing an Open Relay.

Additionally, I am not sure why authentication is involved. I connect to my domain using port 587 and get authenticated there. Then, mail.mydomain.com receive my message and tries to send it to smtp.qq.com.

You're authenticating on 587 to submit mail to an MSA, this will send it out. An MTA can relay e-mail and use port 25 with no authentication. Think of it as someone login to website to buy things with your linked details(eg credit card) and not needing to provide any password or pin to place order. Port 25 doesn't care much for who you claim to be, so someone could have your server send an e-mail and try impersonate an valid identity/service to scam a user afaik.

RFC 6409 defined the MSA distinction from an MTA afaik. This way, if your server was to send out emails on port 25, as long as they're only being allowed to be sent by those who can authenticate an address to send as, you're at a far lower risk of being a bad user of port 25 to send out mail. Some services will unblock the port upon request, like Vultr VPS, and if you were to use it for spam, they would block it again and perhaps penalize you for breaking their terms you agree to.

The only problem is that it cannot connect to smtp.qq.com via port 25. Why does my mail server need to login at smtp.qq.com?

Some servers will act as a smarthost, they may have established a good reputation for delivering mail. So they cannot just send out(relay) whatever they receive on port 25 as it has higher chance of being spam. If it was being delivered directly to a qq email address, it'd be received on port 25 I believe.

You're choosing to relay through qq, perhaps to send under a qq email address? That would be verifying it is you. Otherwise, you're verifying that you've got the OK to relay through their mail server(MTA), which helps them reduce bad actors(spammers). In that case, you are authenticating with different username/password than what your MSA(your own docker-mailserver instance) receives from a user/service wanting to send email through port 587/465.

With what account? qq.com is a server I have no control of.

You'd need to look into the website or contact someone there. There should be information on how to setup an account for relaying or authenticating as your own qq account to send email from that address on behalf of your server. Google has such a document here.

A reason for asking users to use port 465 might be that encryption on port 465 is normally enforced, while it is optional on port 25.

Originally, port 465 was intended as encrypted only transport variant of port 25. STARTTLS arrived around the same time to just use port 25 and ask if the other end of the connection was ok to use encryption and establish a secure connection if it was.

The MX records don't allow for indicating when port 25 or 465 should be used, and since the idea was to be able to send email to anyone, it didn't make much sense to have both ports for that, so they decided to dismiss port 465. Others like Microsoft Outlook though had adopted it by then and treated it as a submission port(you send your email over 465 securely, and then it can be relayed to other servers on port 25 once it reaches the mail server). Others apparently did the same, so email clients supported it, as did various email services as a way to connect and submit email to be relayed.

Back in 2018, RFC 8314 came around, and they decided to make port 465 official for what it was being unofficially used by in some places. 587 was the standard port for that, requiring authentication, and with STARTTLS it was similar in being able to provide a secure connection, but not always as not everyone wrote software that behaved properly, risking leaking passwords, while others facilitating the connection(Some American and Thailand ISPs for example) were found to be tampering with the communication, removing the STARTTLS request to force no encryption even when it'd be supported. It can be avoided, but requires more effort/support with things like MTA-STS or DANE.

Alternatively, one can just prefer implicit TLS with port 465. No STARTTLS involved, so it's much like HTTPS afaik, which should allow for better support. This is a secure port 587, not port 25 now.

It seems the cloud service Alicloud banned the use of port 25 to connect to the outside world, which is quite shocking to me. A cloud server not able to send emails??

As stated, it's quite common. Some providers afaik don't do such, but then the IP assigned to your VPS may be associated to spammers(not sure how much that matters as I would think the IP might also be taken into consideration with the DNS A record, if the domain name has changed?), it is something services like SendGrid pride themselves in for deliverability as they claim very good reputation and relationships with big email providers like Outlook, Gmail, Yahoo.

Some services should let you request port 25 to be opened, this includes Alicloud(Alibaba Cloud?), but they have additional restrictions:

To send emails on an Alibaba Cloud ECS instance, we recommend that you use port 465 provided by a third-party mail service provider.

Before applying, you must agree to use TCP port 25 only for communicating with and sending emails through a third-party SMTP server. If Alibaba Cloud detects that you are using the IP address you requested to directly send emails over SMTP, Alibaba Cloud has the right to permanently disable TCP port 25.

So... in both cases, even if you get port 25 approved for use. They do not want you delivering email directly to users. You are required to send to a relay that will do that on your behalf. For this you would connect to a service like SendGrid, MailJet, Gmail or QQ if they do that, it's quite natural for them to want to require authentication to use their service, just like you can find when using an API from a third-party service.

They claim that I can use port 465 to connect to other SMTP servers. Any idea how to configure that? Or should I just give up?

As mentioned earlier in this response, you'll need to go with a relay, you're not directly sending it to any mailbox/address(which afaik is only over port 25). Someone needed to do this recently, and had success. You need to enable wrapper mode, although I think you might be able to provide smtps as a value instead of 465 for the port, and it may work?(that is how support for port 465 has been setup currently afaik, and enables this option)

This issue was closed due to one or more of the following reasons:

1. Age
2. Contributor inactivity
3. The issue seems to be resolved

If you think this happened by accident, or feel like this issue was not actually resolved, please feel free to re-open it. If there is an issue you could resolve in the meantime, please open a PR based on the current master branch so we can review it.