docker-mailserver: [BUG] More than 20s delay before postfix server responds
Bug Report
Context
I configured my mail server, and it worked perfectly for some time. But recently it started to become slow when sending email (more than 20s of delay before I could see any log of “postfix/smtps/smtpd[1848]: connect from …”).
What is affected by this bug?
Unknown
When does this occur?
Always
Behavior
Actual Behavior
When using telnet to connect to the server from other containers, it shows the following text immediately (1080 is the port I configured for my containers to send email):
root@6493e8fbdc1e:/var/www/html# telnet 172.17.0.5 1080
Trying 172.17.0.5...
Connected to 172.17.0.5.
Escape character is '^]'.
But it takes more than 20s for the mail server to respond:
220 mail.gilatod.art ESMTP
And prints the log:
mailserver Aug 31 05:59:17 mail postfix/smtps/smtpd[2981]: connect from unknown[172.17.0.4]
mailserver Aug 31 05:59:17 mail opendmarc[359]: ignoring connection from [172.17.0.4]
I changed the DNS nameserver multiple times, but it didn’t work. Also, I suspect that there is no reason for the postfix server to do a reverse resolve of my container’s IP since it is already contained in mynetworks.
Expected Behavior
The server should respond immediately just like before.
Your Environment
- version: 10.1.2
- available RAM: 8GB
- Docker version: 19.03.23
Environment Variables
- OVERRIDE_HOSTNAME=mail.gilatod.art
- POSTMASTER_ADDRESS=admin@gilatod.art
- PERMIT_DOCKER=connected-networks
- ENABLE_SPAMASSASSIN=1
- SPAMASSASSIN_SPAM_TO_INBOX=1
- SPOOF_PROTECTION=1
- ENABLE_CLAMAV=1
- ENABLE_POSTGREY=1
- ENABLE_FAIL2BAN=1
- ENABLE_SASLAUTHD=0
- ONE_DIR=0
- DMS_DEBUG=0
- SSL_TYPE=letsencrypt
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 300
disable_vrfy_command = yes
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
header_checks = pcre:/etc/postfix/maps/header_checks.pcre
inet_interfaces = all
inet_protocols = all
insiders_only = check_sender_access hash:/tmp/docker-mailserver/insiders, reject
mailbox_size_limit = 0
message_size_limit = 2048000000
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = gilatod.art
myhostname = mail.gilatod.art
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 172.0.0.0/8
non_smtpd_milters = $dkim_milter
policyd-spf_time_limit = 3600
postscreen_bare_newline_action = enforce
postscreen_dnsbl_action = ignore
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net b.barracudacentral.org*2 bl.spameatingmonkey.net dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_upstream_proxy_protocol = haproxy
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 150
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 10
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_milters = $dkim_milter,$dmarc_milter
smtpd_recipient_limit = 50
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:localhost:65265, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023, check_recipient_access hash:/tmp/docker-mailserver/protected_destinations
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_restriction_classes = insiders_only
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = unionmap:{ texthash:/etc/postfix/virtual, hash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre, pcre:/etc/postfix/regexp }
smtpd_sender_restrictions = permit_mynetworks, reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated, reject_unknown_sender_domain
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_chain_files = /etc/letsencrypt/live/mail.gilatod.art/privkey.pem /etc/letsencrypt/live/mail.gilatod.art/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtputf8_enable = no
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
virtual_alias_maps = texthash:/etc/postfix/virtual
virtual_mailbox_domains = /etc/postfix/vhost
virtual_mailbox_limit = 2048000000
virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
user-patches.sh:
# extra smtpd listener on port 1080 ("socks" in /etc/services); the -o lines must be indented to be master.cf continuation lines
cat >> /etc/postfix/master.cf <<'EOF'
socks     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
EOF
amavis.cf:
$inet_socket_port = [10024, 10026];
$interface_policy{'10026'} = 'BYPASS';
$policy_bank{'BYPASS'} = { # mail originating from @mynetworks
originating => 1,
bypass_spam_checks_maps => [1], # don't spam-check internal mail
bypass_banned_checks_maps => [1], # don't banned-check internal mail
bypass_virus_checks_maps => [1],
bypass_header_checks_maps => [1]
};
$policy_bank{'ORIGINATING'} = {
# don't perform spam/virus/header check.
bypass_spam_checks_maps => [1],
bypass_virus_checks_maps => [1],
bypass_header_checks_maps => [1],
# allow sending any file names and types
bypass_banned_checks_maps => [1],
};
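Added diagnostic (not code from the issue, from docker-mailserver, or from Postfix): a small Python script that separates the two questions in the report above. First, whether the sending container's address is really covered by the posted mynetworks value, and whether any entry in that value is wider than private address space (172.0.0.0/8 is far larger than Docker's 172.16.0.0/12 and contains public addresses; permit_mynetworks grants relaying to everything in it, so the listener had better never be reachable from there). Second, whether the greeting delay matches the time spent on the reverse (PTR) lookup that Postfix's smtpd performs for every client before sending the 220 banner (smtpd_peername_lookup, default yes; "connect from unknown[...]" in the log means that lookup returned nothing). The mynetworks string is copied from the postconf -n output above; the host, port, client address and the 5 s threshold are assumptions. Run it inside the mailserver container so the PTR timing uses the same resolver configuration Postfix uses.

```python
"""Added diagnostic (not docker-mailserver or Postfix code): does the slow
220 greeting line up with the server's reverse-DNS lookup of the client,
and is the client actually covered by mynetworks?  Run it inside the
mailserver container so it uses the same resolver Postfix does."""
import ipaddress
import socket
import sys
import time

# Copied from the postconf -n output in the report above.
MYNETWORKS = "127.0.0.0/8 [::1]/128 [fe80::]/64 172.0.0.0/8"

# Ranges permit_mynetworks can reasonably trust: loopback, RFC 1918,
# IPv6 loopback and link-local.  Anything wider is a relay exposure.
TRUSTED_BLOCKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10")]


def parse_mynetworks(value):
    """Turn a postconf mynetworks string into ip_network objects.
    Postfix prints IPv6 entries as [addr]/len; strip the brackets."""
    nets = []
    for tok in value.split():
        addr, _, plen = tok.partition("/")
        addr = addr.strip("[]")
        nets.append(ipaddress.ip_network(addr + ("/" + plen if plen else ""), strict=False))
    return nets


def client_in_mynetworks(client_ip, value=MYNETWORKS):
    """True if permit_mynetworks would match this client address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_mynetworks(value))


def overly_broad_entries(value=MYNETWORKS):
    """mynetworks entries not fully inside a private/loopback block."""
    return [str(net) for net in parse_mynetworks(value)
            if not any(net.subnet_of(blk) for blk in TRUSTED_BLOCKS
                       if blk.version == net.version)]


def time_banner(host, port, timeout=60.0):
    """Seconds between TCP connect and the first line of the 220 banner.
    telnet shows 'Connected' at once; this is the part that was slow."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        t0 = time.monotonic()
        buf = b""
        while b"\n" not in buf:
            chunk = sock.recv(1024)
            if not chunk:
                raise ConnectionError("server closed before sending a banner")
            buf += chunk
    return time.monotonic() - t0, buf.decode(errors="replace").strip()


def time_reverse_lookup(ip):
    """Seconds for the PTR lookup smtpd makes for every client before the
    banner (smtpd_peername_lookup=yes by default).  A resolver that hangs
    and times out here delays the greeting even for mynetworks clients;
    'connect from unknown[...]' in the log means the lookup failed."""
    t0 = time.monotonic()
    try:
        name = socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        name = "unknown"
    return time.monotonic() - t0, name


def classify(banner_secs, ptr_secs, slow=5.0):
    """Attribute a slow greeting: 'reverse-dns' when the PTR lookup is
    itself slow and accounts for roughly the whole delay, 'other' when the
    greeting is slow for some other reason, 'fast' otherwise."""
    if banner_secs < slow:
        return "fast"
    if ptr_secs >= slow and abs(banner_secs - ptr_secs) < slow:
        return "reverse-dns"
    return "other"


if __name__ == "__main__":
    # Usage (assumed names): python3 smtp_greeting_check.py 172.17.0.5 1080 172.17.0.4
    # arguments: mail server, listener port, the client address as the server sees it
    server, port, me = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print("client in mynetworks:", client_in_mynetworks(me))
    print("overly broad mynetworks entries:", overly_broad_entries())
    banner_secs, banner = time_banner(server, port)
    ptr_secs, name = time_reverse_lookup(me)
    print(f"banner {banner!r} after {banner_secs:.1f}s; PTR of {me} -> {name} in {ptr_secs:.1f}s")
    print("verdict:", classify(banner_secs, ptr_secs))
```

A "reverse-dns" verdict points at the resolver the container is using (the same conclusion the maintainer reaches below), not at Postfix; the mynetworks check runs offline and, with the value from this report, flags 172.0.0.0/8. Turning off smtpd_peername_lookup would hide the symptom but also removes client hostnames from the logs and from any hostname-based restriction, so fix the resolver instead.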
About this issue
- State: closed
- Created 3 years ago
- Comments: 17 (8 by maintainers)
Docker’s DNS is the wild west of DNS. Your issue seems to be DNS resolution on the host. Now that we figured it out, you can dig deeper there. Glad we could help you 😃
I will close this as this is not an issue with DMS 😄
Yes, I wanted to open an issue as a reminder for the v11 milestone. But I haven’t had time to do it yet 😉