On 12/23/22 09:58, Samer Afach wrote:
> Dear postfix experts:
>
> I think I'm getting to the end of this problem. I was able to use
> haproxy to relay connections to my docker container with correct source
> information (and I'm seeing the correct IP addresses in the logs of
> postfix/dovecot). I would appreciate it if you could take a look at my
> settings before going public and changing the MX records back to this
> server.
>
> How I tested: I was actively blocking/unblocking firewalls,
> starting/stopping containers (start, test, stop), and in every step, I
> ran swaks, with one of these configurations (in fact, I'm planning to
> automate these tests and run them periodically, what a nice tool this
> turned out to be):
>
> swaks --to a...@example.com --from=b...@example.com --server mail.example.com:587 --tls
> swaks --to a...@example.com --from=b...@example.com --server mail.example.com:465 --tlsc
> swaks --to a...@example.com --from=b...@example.com --server mail.example.com:25 --tls
> swaks --to a...@example.com --from=b...@example.com --server mail.example.com:25
>
> I was consistently getting the result "Access denied" in swaks, which I
> hope means that no relaying is possible anymore. Meanwhile, I succeeded
> in sending messages with Thunderbird with proper authentication.
>
> Email relaying was only possible when sending emails with swaks through
> localhost (even though it's going through the proxy in localhost), i.e.:
>
> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:587 --tls
> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:465 --tlsc
> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:25 --tls
> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:25
>
> Does this constitute proof that relaying isn't possible anymore?

You need to ensure that the outside world cannot connect to Postfix or
Dovecot directly, bypassing HAProxy.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
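
An added example, not part of either message above: one way to check the point in the reply on the Docker host, by scanning `ss -H -ltn` output for backend listeners bound beyond loopback. The backend port numbers and the sample output are assumptions constructed for illustration; substitute the ports your container actually publishes.

```python
import ipaddress

# Hypothetical backend ports that HAProxy forwards to (Postfix/Dovecot in the
# container). These are assumptions, not values from the thread.
BACKEND_PORTS = {10025, 10465, 10587}

# Constructed sample of `ss -H -ltn` output, not taken from the thread.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:25 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:465 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:587 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:10025 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:10587 0.0.0.0:*
LISTEN 0 4096 [::]:10465 [::]:*
LISTEN 0 4096 [::1]:10587 [::]:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface and IPv6 brackets
    return addr, int(port)

def is_loopback(addr):
    """True only for addresses that other hosts cannot connect to."""
    if addr == "*":  # ss prints '*' for a wildcard bind
        return False
    return ipaddress.ip_address(addr).is_loopback

def exposed_backends(ss_output, backend_ports=BACKEND_PORTS):
    """Return (address, port) for backend listeners bound beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # skip a header row or blank lines
        addr, port = split_local(cols[3])
        if port in backend_ports and not is_loopback(addr):
            exposed.append((addr, port))
    return exposed

if __name__ == "__main__":
    for addr, port in exposed_backends(SAMPLE_SS):
        print(f"backend port {port} listens on {addr}: reachable without HAProxy "
              "unless a firewall blocks it")
```

A listener flagged here is not necessarily reachable from outside, but it means a firewall rule is the only thing keeping clients from skipping HAProxy.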