docker-mailserver: [HELP] Messages bounced because of SPF Fail

Bug Report

Context

The from address of emails will be changed to e.g. bounces+1214782-a240-steven=ikl.sh@[redacted] (my domain is ikl.sh, the account is steven, the redacted domain is where the email should be coming from)

If the website has SPF set to fail, the message does not make it to the inbox. If SPF fail is not set, the message will make it to the inbox. Example of a domain when this is the case: C9F86164FAC: from=<132ikl+caf_=132=ikl.sh@gmail.com>, size=5420, nrcpt=1 (queue active) (email from 132ikl@gmail to account 132 on my domain)

What is affected by this bug?

Emails from domains with SPF set to fail do not make it to the inbox

When does this occur?

This seems to happen on and off, and I am not sure what the common factor is. However, if you restart the container it does not solve the problem.

How do we replicate the issue?

I have no idea. I have provided my envvars and docker-compose config so you can hopefully get some idea as to why this is happening.

Behavior

Actual Behavior

Emails are changed to a weird bounces address, causing them to fail SPF. This causes emails from domains set with SPF hard fail to not make it to the inbox.

Expected Behavior

Emails' from field uses the proper address, meaning SPF passes. At the very least, it would be permissible if emails that failed SPF would still make it into the inbox, but this wouldn't seem to be actually fixing the issue.

Your Environment

  • version: v8.0.1
  • available RAM: total: 985Mi, available at time of report: 244Mi
  • Docker version: v20.10.1

Important note: I am not using a relay setup. It seems all previous issues with this problem have been. I am forwarding multiple ports, however these are all completely unrelated to SMTP. (Specifically, ports 22, 8008, 8448, and 8071-8074)

Environment Variables

HOSTNAME=mail
DOMAINNAME=ikl.sh
CONTAINER_NAME=mail

DMS_DEBUG=0
ONE_DIR=0
SPOOF_PROTECTION=1
ENABLE_SRS=0
ENABLE_CLAMAV=0
ENABLE_FAIL2BAN=0
POSTSCREEN_ACTION=enforce
SSL_TYPE=letsencrypt
REPORT_RECIPIENT=0
REPORT_INTERVAL=daily
POSTFIX_INET_PROTOCOLS=all
ENABLE_SPAMASSASSIN=0
SPAMASSASSIN_SPAM_TO_INBOX=1
MOVE_SPAM_TO_JUNK=1
SA_TAG=2.0
SA_TAG2=6.31
SA_KILL=6.31
SA_SPAM_SUBJECT=***SPAM*****
ENABLE_FETCHMAIL=0
FETCHMAIL_POLL=300
DOVECOT_MAILBOX_FORMAT=maildir
ENABLE_POSTGREY=0
POSTGREY_DELAY=300
POSTGREY_MAX_AGE=35
POSTGREY_TEXT=Delayed by Postgrey
POSTGREY_AUTO_WHITELIST_CLIENTS=5
ENABLE_SASLAUTHD=0
SRS_SENDER_CLASSES=envelope_sender
RELAY_PORT=25

This is a fresh config from v8.0.0, however I have been experiencing this bug on and off since before that. All other environmental vars are blank.

Relevant Stack Traces

# BEGIN
Feb  2 23:16:53 mail postfix/smtpd[1906]: connect from unknown[172.18.0.1]
Feb  2 23:16:53 mail postfix/smtpd[1906]: Anonymous TLS connection established from unknown[172.18.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  2 23:16:54 mail policyd-spf[1946]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=bounces+1214782-a240-steven=ikl.sh@[redacted];ip=172.18.0.1;r=<UNKNOWN>
Feb  2 23:16:54 mail postfix/smtpd[1906]: NOQUEUE: reject: RCPT from unknown[172.18.0.1]: 550 5.7.23 <steven@ikl.sh>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=bounces+1214782-a240-steven=ikl.sh@[redacted];ip=172.18.0.1;r=<UNKNOWN>; from=<bounces+1214782-a240-steven=ikl.sh@[redacted]> to=<steven@ikl.sh> proto=ESMTP helo=<o7.sendgrid.[redacted]>
Feb  2 23:16:54 mail postfix/smtpd[1906]: lost connection after RCPT from unknown[172.18.0.1]
# END

docker-compose.yml:

version: '3.8'

services:
  watchtower:
    restart: always
    image: v2tec/watchtower:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    hostname: ${HOSTNAME}
    domainname: ${DOMAINNAME}
    container_name: ${CONTAINER_NAME}
    env_file: mailserver.env
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - ./config/:/tmp/docker-mailserver/${SELINUX_LABEL}
    restart: always
    cap_add: [ "NET_ADMIN", "SYS_PTRACE" ]

volumes:
  maildata:
  mailstate:
  maillogs:

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 24 (11 by maintainers)

Most upvoted comments

The only thing that looks odd to me is:

MASQUERADE all -- !127.0.0.1 0.0.0.0/0

Afaik that means: If Source IP != localhost, then replace source IP with the IP address of the outgoing network interface.

Remove -A POSTROUTING ! -s 127.0.0.1/32 -j MASQUERADE and check if you now can see any public IPs in the logs.
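The policyd-spf lines in the report (client IP 172.18.0.1, the Docker bridge gateway) and the MASQUERADE rule discussed in this comment point at the same thing: SPF was evaluated against a NAT hop rather than the remote MTA. The Python script below is an added example, not code from docker-mailserver or from anyone in this thread. It scans Postfix and policyd-spf log lines for client IPs in private ranges, and flags POSTROUTING MASQUERADE rules that carry no positive source restriction. The sample log and nat table are constructed; the sender domain `sender.example`, the bridge name `br-0123abcd4567` and the public address 203.0.113.7 are placeholders.

```python
import ipaddress
import re

# Constructed sample log, modelled on the issue's excerpt (the redacted sender
# domain is replaced with the placeholder "sender.example"; the fourth line is a
# constructed connection from a public address in the 203.0.113.0/24
# documentation range).
SAMPLE_LOG = """\
Feb  2 23:16:53 mail postfix/smtpd[1906]: connect from unknown[172.18.0.1]
Feb  2 23:16:54 mail policyd-spf[1946]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=bounces+1214782-a240-steven=ikl.sh@sender.example;ip=172.18.0.1;r=<UNKNOWN>
Feb  2 23:16:54 mail postfix/smtpd[1906]: NOQUEUE: reject: RCPT from unknown[172.18.0.1]: 550 5.7.23 <steven@ikl.sh>: Recipient address rejected: SPF fail; from=<bounces+1214782-a240-steven=ikl.sh@sender.example> to=<steven@ikl.sh> proto=ESMTP helo=<o7.sendgrid.sender.example>
Feb  3 09:12:01 mail postfix/smtpd[2201]: connect from mail.sender.example[203.0.113.7]
"""

# Constructed "iptables-save -t nat" excerpt: Docker's usual per-bridge rule plus
# the catch-all rule quoted in the comment above (bridge name is a placeholder).
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.18.0.0/16 ! -o br-0123abcd4567 -j MASQUERADE
-A POSTROUTING ! -s 127.0.0.1/32 -j MASQUERADE
COMMIT
"""

# Address blocks that can only appear as an SMTP client IP on a public mail
# host when a NAT hop has rewritten the real source (RFC 1918, ULA fc00::/7).
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# "connect from host[ip]" and "RCPT from host[ip]" in postfix/smtpd lines
CLIENT_RE = re.compile(r"\bfrom \S+\[(?P<ip>[0-9a-fA-F.:]+)\]")
# the ip= parameter policyd-spf puts in its explanation URL
SPF_IP_RE = re.compile(r";ip=(?P<ip>[0-9a-fA-F.:]+);")


def is_nat_address(ip_text):
    """True if the address lies in a private range, i.e. it cannot be the real
    Internet-side client and SPF was evaluated against the wrong IP."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in NAT_RANGES)


def nat_hidden_clients(log_text):
    """Return (line_number, ip) for each log line whose SMTP client IP is a
    private address. Every such line means the SPF result (and any other
    IP-based check, e.g. DNSBLs or postscreen) was computed for the NAT hop."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = CLIENT_RE.search(line) or SPF_IP_RE.search(line)
        if match and is_nat_address(match.group("ip")):
            findings.append((number, match.group("ip")))
    return findings


def catch_all_masquerade_rules(nat_table_text):
    """Return POSTROUTING MASQUERADE rules that have no positive "-s <network>"
    restriction. Such a rule also rewrites the source of DNAT'ed inbound
    connections, so the container sees the bridge gateway instead of the
    remote MTA."""
    masq_re = re.compile(r"^-A POSTROUTING\s+(?P<matchers>.*?)\s*-j MASQUERADE$")
    hits = []
    for line in nat_table_text.splitlines():
        line = line.strip()
        match = masq_re.match(line)
        if not match:
            continue
        # a positive "-s net" (not preceded by "!") limits the rule to that net
        if re.search(r"(?<!! )-s \S+", match.group("matchers")):
            continue
        hits.append(line)
    return hits


if __name__ == "__main__":
    for number, ip in nat_hidden_clients(SAMPLE_LOG):
        print(f"line {number}: client seen as {ip}; SPF checked the NAT hop, not the sender")
    for rule in catch_all_masquerade_rules(SAMPLE_NAT):
        print(f"catch-all masquerade rule rewrites inbound sources: {rule}")
```

Feed it the output of `iptables-save -t nat` from the Docker host and the Postfix log from the container. Docker's own rule only masquerades traffic that originates on the bridge network and leaves through another interface, so port-forwarded inbound SMTP keeps its real source address; a rule whose only source matcher is negated (`! -s 127.0.0.1/32`) matches that forwarded traffic too, which is why every connection in the report arrives as 172.18.0.1. The `MASQUERADE all -- !127.0.0.1 0.0.0.0/0` line quoted above is the `iptables -t nat -L` rendering of that same rule. Once the client IP is the gateway, SPF fails for every sender whose record ends in `-all`, so the fix belongs in the host's NAT rules, not in relaxing the SPF policy.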