docker-mailserver: Unable to use secure authentication for dovecot and postfix

πŸ“ Preliminary Checks

  • I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

👀 What Happened?

Unable to use secure method to authenticate for imap/pop and postfix.

👟 Reproduction Steps

Use the example compose file. Add user sarit to the system.

πŸ‹ DMS Version

12.1.0

💻 Operating System and Architecture

AWS t2.small Linux ip-172-31-23-120 4.9.0-19-amd64 #1 SMP Debian 4.9.320-2 (2022-06-30) x86_64 GNU/Linux

βš™οΈ Container configuration files

version: '2'

services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    container_name: mailserver
    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
    hostname: mail.elcolie.com
    environment:
      - SSL_TYPE=letsencrypt
    volumes:
      - ./docker-data/certbot/certs/:/etc/letsencrypt
    ports:
      - "25:25"
      - "143:143"
      - "465:465"
      - "587:587"
      - "993:993"
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
    environment:
      - ENABLE_RSPAMD=1
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_POP3=1
    cap_add:
      - NET_ADMIN # For Fail2Ban to work
    restart: always

I can’t send an email. image

thunderbird image

docker

mailserver | Aug 7 08:54:00 mail postfix/smtps/smtpd[1024]: connect from ppp-171-97-99-32.revip8.asianet.co.th[171.97.99.32]
mailserver | Aug 7 08:54:00 mail postfix/smtps/smtpd[1024]: lost connection after EHLO from ppp-171-97-99-32.revip8.asianet.co.th[171.97.99.32]
mailserver | Aug 7 08:54:00 mail postfix/smtps/smtpd[1024]: disconnect from ppp-171-97-99-32.revip8.asianet.co.th[171.97.99.32] ehlo=1 commands=1

Then try SSL/TLS image

thunderbird sending forever image

But Docker got a connection and then closed it

mailserver    | Aug  7 08:55:47 mail postfix/smtps/smtpd[1391]: connect from ppp-171-97-99-32.revip8.asianet.co.th[171.97.99.32]
mailserver    | Aug  7 08:55:55 mail postfix/postscreen[1405]: CONNECT from [182.43.254.122]:55648 to [172.20.0.2]:25
mailserver    | Aug  7 08:55:55 mail postfix/postscreen[1405]: PREGREET 11 after 0.1 from [182.43.254.122]:55648: EHLO User\r\n
mailserver    | Aug  7 08:55:56 mail postfix/postscreen[1405]: DISCONNECT [182.43.254.122]:55648

Currently that one works. smtp. image

imap image

So this docker is not secure at all.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 18 (8 by maintainers)

Most upvoted comments

Try adding a new email account to Thunderbird image

success image

imap image

I am able to fetch email through a secure connection. ✅

smtp image

thunderbird is sending and stale container

mailserver  | Aug  8 09:37:13 mail postfix/smtps/smtpd[1444]: connect from scanner-05.ch1.censys-scanner.com[162.142.125.217]
mailserver  | Aug  8 09:37:14 mail postfix/smtps/smtpd[1444]: Anonymous TLS connection established from scanner-05.ch1.censys-scanner.com[162.142.125.217]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
mailserver  | Aug  8 09:37:14 mail postfix/smtps/smtpd[1204]: SSL_accept error from ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92]: lost connection
mailserver  | Aug  8 09:37:14 mail postfix/smtps/smtpd[1204]: lost connection after CONNECT from ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92]
mailserver  | Aug  8 09:37:14 mail postfix/smtps/smtpd[1204]: disconnect from ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92] commands=0/0
mailserver  | Aug  8 09:37:14 mail postfix/smtps/smtpd[1444]: lost connection after EHLO from scanner-05.ch1.censys-scanner.com[162.142.125.217]
mailserver  | Aug  8 09:37:14 mail postfix/smtps/smtpd[1444]: disconnect from scanner-05.ch1.censys-scanner.com[162.142.125.217] ehlo=1 commands=1
mailserver  | Aug  8 09:37:42 mail postfix/smtps/smtpd[1204]: connect from ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92]

smtp 465 SSL image

Thunderbird sending screen and stale. container

mailserver  | Aug  8 09:38:48 mail postfix/smtpd-amavis/smtpd[1084]: timeout after END-OF-MESSAGE from localhost[127.0.0.1]
mailserver  | Aug  8 09:38:48 mail postfix/smtpd-amavis/smtpd[1084]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 commands=4
mailserver  | Aug  8 09:39:04 mail postfix/smtps/smtpd[1204]: connect from ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92]

smtp 587 STARTTLS ✅ image

container

mailserver  | Aug  8 09:41:26 mail postfix/submission/smtpd[661]: connect from ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92]
mailserver  | Aug  8 09:41:26 mail postfix/submission/smtpd[661]: Anonymous TLS connection established from ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
mailserver  | Aug  8 09:41:26 mail postfix/submission/smtpd[661]: CBE178343F: client=ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92], sasl_method=PLAIN, sasl_username=sarit@elcolie.com
mailserver  | Aug  8 09:41:26 mail postfix/sender-cleanup/cleanup[667]: CBE178343F: message-id=<db52b419-cb2a-55b1-d994-27ab17a2ae5e@elcolie.com>
mailserver  | Aug  8 09:41:26 mail postfix/sender-cleanup/cleanup[667]: CBE178343F: replace: header MIME-Version: 1.0 from ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92]; from=<sarit@elcolie.com> to=<foggygiga@gmail.com> proto=ESMTP helo=<[192.168.1.99]>: MIME-Version: 1.0
mailserver  | Aug  8 09:41:26 mail opendkim[411]: CBE178343F: no signing table match for 'sarit@elcolie.com'
mailserver  | Aug  8 09:41:26 mail opendkim[411]: CBE178343F: no signature data
mailserver  | Aug  8 09:41:26 mail postfix/qmgr[552]: CBE178343F: from=<sarit@elcolie.com>, size=382, nrcpt=1 (queue active)
mailserver  | Aug  8 09:41:26 mail postfix/submission/smtpd[661]: disconnect from ppp-115-87-200-92.revip4.asianet.co.th[115.87.200.92] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
mailserver  | Aug  8 09:41:27 mail postfix/smtpd-amavis/smtpd[670]: connect from localhost[127.0.0.1]
mailserver  | Aug  8 09:41:27 mail postfix/smtpd-amavis/smtpd[670]: 03D0083442: client=localhost[127.0.0.1]
mailserver  | Aug  8 09:41:27 mail postfix/cleanup[672]: 03D0083442: message-id=<db52b419-cb2a-55b1-d994-27ab17a2ae5e@elcolie.com>
mailserver  | Aug  8 09:41:27 mail postfix/qmgr[552]: 03D0083442: from=<sarit@elcolie.com>, size=556, nrcpt=1 (queue active)
mailserver  | Aug  8 09:41:27 mail amavis[571]: (00571-01) Passed CLEAN {RelayedOpenRelay}, [115.87.200.92]:57345 [115.87.200.92] <sarit@elcolie.com> -> <foggygiga@gmail.com>, Queue-ID: CBE178343F, Message-ID: <db52b419-cb2a-55b1-d994-27ab17a2ae5e@elcolie.com>, mail_id: wxEulvH-yrpF, Hits: -, size: 348, queued_as: 03D0083442, 98 ms
mailserver  | Aug  8 09:41:27 mail postfix/smtp-amavis/smtp[668]: CBE178343F: to=<foggygiga@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.24, delays=0.13/0.01/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 03D0083442)
mailserver  | Aug  8 09:41:27 mail postfix/qmgr[552]: CBE178343F: removed
mailserver  | Aug  8 09:41:27 mail dovecot: imap-login: Login: user=<sarit@elcolie.com>, method=PLAIN, rip=115.87.200.92, lip=192.168.224.2, mpid=679, TLS, session=<miC8KmYCAuBzV8hc>
mailserver  | Aug  8 09:41:27 mail postfix/smtp[673]: Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.200.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
mailserver  | Aug  8 09:41:27 mail dovecot: imap-login: Login: user=<sarit@elcolie.com>, method=PLAIN, rip=115.87.200.92, lip=192.168.224.2, mpid=686, TLS, session=<zU7CKmYCBeBzV8hc>
mailserver  | Aug  8 09:41:28 mail postfix/smtp[673]: 03D0083442: to=<foggygiga@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.200.27]:25, delay=1.6, delays=0.01/0.02/0.72/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK  1691487688 lb12-20020a170902fa4c00b001b8922e82e3si6861496plb.297 - gsmtp)
mailserver  | Aug  8 09:41:28 mail postfix/qmgr[552]: 03D0083442: removed

smtp 587 SSL. No need to check. I got secure connection already.

@polarathene Thank you very much. I have a secure connection for send/receive now. You are awesome 👍

I connected to your server and indeed, STARTTLS isn’t offered for 143/587. Is there any reverse proxy/firewall in place?

Please try to connect within the container:

docker exec -it mailserver nc localhost 587

The server should respond with something similar to: 220 mail.elcolie.com.

Then enter ehlo foo. Now the server should list its features. Verify if “STARTTLS” is included.

Enter quit to exit.
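
The manual check described in the comment above (banner, `ehlo foo`, look for STARTTLS, `quit`) can be scripted. This is an added example, not part of the original thread or of docker-mailserver; the function names, the result labels and the two EHLO replies are constructed for illustration, and the check applies to plaintext-first ports such as 587, not to implicit-TLS port 465.

```python
import socket

# Constructed EHLO replies (not captured from the server in this issue).
NO_TLS = ("250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
          "250-AUTH PLAIN LOGIN\r\n250-ENHANCEDSTATUSCODES\r\n250 8BITMIME\r\n")
WITH_TLS = NO_TLS.replace("250-AUTH", "250-STARTTLS\r\n250-AUTH")

def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line EHLO reply into {KEYWORD: [params]}."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    caps = {}
    for i, ln in enumerate(lines):
        if not ln.startswith("250") or ln[3:4] not in ("-", " ", ""):
            raise ValueError(f"EHLO rejected or malformed: {ln!r}")
        words = ln[4:].split()
        if i > 0 and words:  # line 0 is the server greeting, not a keyword
            key, _, first = words[0].partition("=")  # legacy "AUTH=PLAIN LOGIN"
            params = ([first] if first else []) + words[1:]
            caps.setdefault(key.upper(), []).extend(params)
        if ln[3:4] != "-":  # "250 " (space) marks the final line
            break
    return caps

def assess(caps: dict) -> str:
    if "STARTTLS" in caps:
        return "starttls-offered"
    if "AUTH" in caps:  # PLAIN/LOGIN credentials would cross the wire unencrypted
        return "auth-without-starttls"
    return "no-starttls"

def _read_reply(f) -> str:
    out = ""
    while True:  # continuation lines carry "-" after the 3-digit code
        ln = f.readline().decode("ascii", "replace")
        out += ln
        if not ln or ln[3:4] != "-":
            return out

def probe(host="localhost", port=587, timeout=10.0) -> dict:
    """Live version of the nc session: banner, EHLO foo, QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rwb") as f:
        banner = _read_reply(f)
        if not banner.startswith("220"):
            raise RuntimeError(f"unexpected banner: {banner!r}")
        f.write(b"EHLO foo\r\n"); f.flush()
        reply = _read_reply(f)
        f.write(b"QUIT\r\n"); f.flush()
    return parse_ehlo(reply)

if __name__ == "__main__":
    for name, sample in (("NO_TLS", NO_TLS), ("WITH_TLS", WITH_TLS)):
        print(name, assess(parse_ehlo(sample)))
```

Comparing `assess(probe(...))` from an outside host with the same call from inside the container separates a server-side configuration problem from something in the network path removing the capability.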