-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature request: adding whitelisting for 192.168.0.0 #3815
Comments
I've raised this to @georglauterbach before to consider Your approach with a
In the meantime, a more direct fix could be considered. I'm not really in support of adding subnets by default when they imply trust as that conflicts with |
|
Hardcoding a specific ip range in the default config is probably not a good idea. I'm sure I'm not the only one running dms with a custom bridge/network config. networks:
network:
driver: bridge
driver_opts:
com.docker.network.bridge.name: bridge-mail
enable_ipv6: true
ipam:
config:
- subnet: 10.10.0.0/24
- subnet: fd10::/64
Can you elaborate on how these emails are created/sent (ie. tools, hosts, containers, domains, etc.)? |
I am also using a custom IP range I order to have a custom DNS server running and resolving stuff |
I do not want to propose whitelisting private networks by default. I merely pointing out that rspamd has a mechanism to whitelist networks. In my case we have a number of servers in the local network at 192.168.0.0/ These servers send emails to the central email server DMS based. Because these servers use an intermal MTA (they are linux), and these MTA's do not use dmarc and spf and what not, the emails are marked as spam by rspamd spf rules.
There are multiple way to approach this, but I would like a variable for sure in ENV . |
I'm struggling with the idea of an ENV. I'd recommend using the |
Right, makes sense as configurable value. I didn't realize that reading the initial comment 😁
For these setups I've been using postfix configured as satellite with a (opt. external) service account. The required config and resource usage is minimal. |
It is proposed to integrate using the
The feature would likely be adapted (separate feature work) to also support providing your own IP address list / subnets for trust, and updating the various services related configs.
For the types of changes it's meant to support it seems fine.
I'm reluctant towards heavy reliance on ENV (not just this request but in general), config files exist for a reason and often the justification for ENV is convenience to avoid creating files. If all the ENV serves is storing a config to store elsewhere by creating a file or swapping a setting, I'd like a good reason a config file or override (like When an ENV is more like an enum, such as
This is due to implementation of rspamd. It is configured as a Postfix milter by updating docker-mailserver/target/scripts/startup/setup.d/security/rspamd.sh Lines 147 to 155 in ed1e1eb
Milters will process mail before they're added to the postfix queue, potentially rejecting the mail, etc. A bit different from Amavis + SpamAssassin which is configured as a content filter, which waits until mail is queued, redirects it and processes, then sends it back to Postfix to process and deliver again. Regardless of spam solution however both are running not only on port 25, but also submission ports 587 and 465. I actually thought Amavis was configured to not apply there, but I guess there are valid use-cases where you'd still want anti-spam/anti-virus filtering handled on the submission(s) ports (prevent malware spread internally within an organization). So trusting networks/clients can work. There are other ways to have rules based on sender address / domain, or just opt-out on the entire service port, but that's more involved to handle. |
I must really be careful and precise when communicating with developers. For me a variable and env are meant generally and loosely, but for you they are different and specific things. So lets try that. I do not care if the DMS admin uses and ENV of config file. I just want a way to configure functionality and do not have enough insight on the inner workings of those. So I would like a way to configure:
These two can be different networks in practice. So the configuration cannot be the same variable. I would like to be able to configure in some way: So we need more different items, you cant just use internal_networks for all three and have the same functionality Hope that makes sense. |
Your fastest route to what you want is identifying the network trust or related config settings for each service, what format they expect and providing those manually. If you're not comfortable with that because of a lack of familiarity with anything in DMS, you can ask us, otherwise for us the next fastest route that meets your needs is to add a docs page with that same information and guidance.
Avoiding spam could be done by subnet, or probably also by port such as the submission(s) ports 587 and 465 where opt-out there is more relevant. For Amavis+SpamAssassin it's a simple opt-out, but rspamd is mixed in with the other milters AFAIK, we could treat with custom settings in Postfix Getting more specific config support into DMS as you want is going to depend on someone putting the time into it, and getting it through review. I have other priorities right now that I've been putting off for weeks, so I'm not available for this. Just providing guidance for anyone that would tackle it. |
This comment was marked as duplicate.
This comment was marked as duplicate.
@polarathene what do you reckon on how we should proceed here? An additional ENV like The OP of this issue could also use set-common-option local_addrs "192.168.0.0/16" This is a solution for Rspamd only, though. Ideally, we should configure all services through one centralized option. #3478 is related here. If you ask me, we could
|
I have very low bandwidth available right now to provide much input on this.
Personally, I'd have an easier time when I can go over pragmatic use-cases and the manual config updates required to support those, with justification for why DMS should add another feature. From the above comment use-case, all I see is the existing trusted clients (
This only highlights the My question is what is
I can get behind anti-spam only on port 25, but would like more context for the separate subnet toggle. |
I agree. We should only provide basic configuration options and leave advanced configurations (like you referred to above) to our users. My intention here is to
I proposed an implementation in #3478 (comment); I don't need to you to go over it now, you're low on time already. I just want to clarify whether we're on the same page here to avoid me starting to really work on that only for it to be rejected at a later point because we haven't talked about it enough. My proposal, in short: replace |
As mentioned in the other issue. If others see value in it, especially maintainers then I won't block on that 👍 |
Sounds like a good plan ! off topic
I had a very bad issue with this, maybe it's a bug more global. Let me explain
Conclusion: custom whitelisting is important Patch (this is probably equivalent to PERMIT_DOCKER=container/network): echo "Allow this network (${CONTAINER_NETWORK_V4})"
source /usr/local/bin/helpers/log.sh
source /usr/local/bin/helpers/utils.sh
# Copied from /usr/local/bin/setup.d/networking.sh since it is wrapped into another function
__add_to_postfix_mynetworks() {
local NETWORK_TYPE=$1
local NETWORK=$2
_log 'trace' "Adding ${NETWORK_TYPE} (${NETWORK}) to Postfix 'main.cf:mynetworks'"
_adjust_mtime_for_postfix_maincf
postconf "$(postconf | grep '^mynetworks =') ${NETWORK}"
[[ ${ENABLE_OPENDMARC} -eq 1 ]] && echo "${NETWORK}" >>/etc/opendmarc/ignore.hosts
[[ ${ENABLE_OPENDKIM} -eq 1 ]] && echo "${NETWORK}" >>/etc/opendkim/TrustedHosts
}
# Custom ENV: CONTAINER_NETWORK_V4
__add_to_postfix_mynetworks 'Container network' "${CONTAINER_NETWORK_V4}" |
Assuming you mean the default
While here you are referring to your modified approach?
|
( 'container' ) | |
__add_to_postfix_mynetworks 'Container IP address' "${CONTAINER_IP}/32" | |
;; | |
( 'host' ) | |
__add_to_postfix_mynetworks 'Host Network' "${CONTAINER_NETWORK}/16" | |
;; |
Those are not relevant to you because they have the fixed CIDR of /32
or /16
appended.
connected-networks
mode, as shown above would collect all known subnets instead:
docker-mailserver/target/scripts/startup/setup.d/networking.sh
Lines 50 to 55 in f28fce9
( 'connected-networks' ) | |
for CONTAINER_NETWORK in "${CONTAINER_NETWORKS[@]}"; do | |
CONTAINER_NETWORK=$(_sanitize_ipv4_to_subnet_cidr "${CONTAINER_NETWORK}") | |
__add_to_postfix_mynetworks 'Docker Network' "${CONTAINER_NETWORK}" | |
done | |
;; |
Which only really leaves network
which ignores all that for the fixed subnet:
docker-mailserver/target/scripts/startup/setup.d/networking.sh
Lines 65 to 67 in f28fce9
( 'network' ) | |
__add_to_postfix_mynetworks 'Docker IPv4 Subnet' '172.16.0.0/12' | |
;; |
That is all covered in the tracking issue as known bugs: #3478
You just need the fix I had suggested which doesn't assume the fixed subnet for network
. If you want to use that network interface, I can't think of much reason that it should be contained within a larger subnet range like it is currently. It should replace network
and host
for new option subnet
, while container
can still lock to the single IP.
Actual issue:
Have a public IPv6 on the MX record
The email will be received by the gateway IP of docker
You have this arriving through your /28 via the gateway IP yes? That is bad, fix that.
- Follow our IPv6 docs and grant the container IPv6 address too, or disable the ability for IPv6 to route to the container. This will allow external connections directly connecting to DMS published ports to keep the client IP correct, like it is with IPv4.
- If you have a proxy inbetween, follow the advice of our PROXY protocol docs (_updated in v14 / edge docs). This will allow you to keep the correct client IP when it internally connects to DMS.
At least this is what I get from your description that it's an XY problem.
You do not want to use PERMIT_DOCKER
as a fix for traffic arriving through the docker network gateway IP, as that enables open relay IIRC. While you may be the trusted client on the other side, if you're trusting an entire subnet for a docker network DMS belongs to, you open up that vulnerability.
For trusting a specific external client IP, you shouldn't need a CIDR at all, and just provide the static IP explicitly.
This comment was marked as off-topic.
This comment was marked as off-topic.
IPv6 to IPv4 losing proper client IP is bad when an IP unrelated to the private network DMS is connected thinks the client IP is also from that (the gateway IP). It means anyone that connects to your DMS instance this way via IPv6 can bypass the trust in the same way. Why would you want that? I have told you how to prevent it as it's a security vulnerability.
Need more context. Why is an internal service of yours going through IPv6 MX record to the Docker host of DMS?
No.. As per above host is
Your referenced commit doesn't say why you reverted.
Likewise lacking context. I can only see you doing some custom things there. You perhaps configure wrong? If you don't use IPv6 on DMS why have MX records resolve IPv6?
If you have Fail2Ban active, then just need to perform failed logins via IPv6 to trigger ban on gateway IP, then no IPv6 connections accepted. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This issue has become stale because it has been open for 20 days without activity.
|
Context
If I use spf with rspamd it results in internal emails being send to myself (logging reports etc) as spam due to rspamd rules.
I have solved this by adding internal networks to a rspamd whitelist.
The whitelist gives the network -9 points and that works well here.
Description
I have added two files to whitelist an internal network like so
Alternatives
non, this is the way (for rpamd as far as I could find)
see also https://github.com/moisseev/rspamd-multimap-bl/blob/master/local.d/multimap.conf
and https://rspamd.com/doc/modules/multimap.html
Applicable Users
to whomever wants to whitelist networks or other things in rspamd
Are you going to implement it?
Yes, because I know the probability of someone else doing it is low and I can learn from it.
What are you going to contribute?
see above for the solution. I am using it
The text was updated successfully, but these errors were encountered: