LXD Portforwarding for Postfix Mailserver

I have an iRedMail Mail Server running in an LXD container.
Unfortunately, all e-mail is currently treated as internal e-mail, effectively making it an open relay.

Container host
VPS, with its own public IP address
OS: Debian 10
Container: LXD
FQDN: xxx.yyy
Networkconfig:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 155.xx.xx.xx  netmask 255.255.255.255  broadcast 155.xx.xx.xx
lxdbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 10.33.196.1  netmask 255.255.255.0  broadcast 0.0.0.0

Mailserver running inside container
OS: Debian 10
Mailserver: iRedMail 1.1 LDAP
Postfix ver: 3.4.10
FQDN: mail.xxx.yyy
Networkconfig:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.33.196.133  netmask 255.255.255.0  broadcast 10.33.196.255     
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0


When an external party attempts to send an e-mail over port 25 without credentials, this happens:
/var/log/mail.log: (edited for privacy reasons)

May 14 17:18:35 mail postfix/postscreen[18271]: WHITELISTED [127.0.0.1]:57298
May 14 17:18:37 mail postfix/smtpd[18273]: connect from mail.xxx.yyy[127.0.0.1]
May 14 17:18:37 mail postfix/smtpd[18273]: Anonymous TLS connection established from mail.xxx.yyy[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 14 17:18:39 mail postfix/smtpd[18273]: 49NJCz4yZqzBl7wn: client=mail.xxx.yyy[127.0.0.1]
May 14 17:18:39 mail postfix/cleanup[18294]: 49NJCz4yZqzBl7wn: message-id=<e0df89eba9ca328b06c05a6c4c792944@test.server.com>
May 14 17:18:39 mail postfix/qmgr[1287]: 49NJCz4yZqzBl7wn: from=<myfrom@randomadress.com>, size=562, nrcpt=1 (queue active)
May 14 17:18:39 mail postfix/smtpd[18273]: disconnect from mail.xxx.yyy[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 14 17:18:40 mail postfix/10025/smtpd[18297]: connect from mail.xxx.yyy[127.0.0.1]
May 14 17:18:40 mail postfix/10025/smtpd[18297]: 49NJD00vNpzBl7wv: client=mail.xxx.yyy[127.0.0.1]
May 14 17:18:40 mail postfix/cleanup[18294]: 49NJD00vNpzBl7wv: message-id=<e0df89eba9ca328b06c05a6c4c792944@test.server.com>
May 14 17:18:40 mail postfix/10025/smtpd[18297]: disconnect from mail.xxx.yyy[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 14 17:18:40 mail postfix/qmgr[1287]: 49NJD00vNpzBl7wv: from=<myfrom@randomadress.com>, size=1009, nrcpt=1 (queue active)
May 14 17:18:40 mail amavis[689]: (00689-01) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [127.0.0.1]:57298 ESMTP/ESMTP <myfrom@randomadress.com> -> <test123@otherserver.com>, (), Queue-ID: 49NJCz4yZqzBl7wn,$
May 14 17:18:40 mail postfix/amavis/smtp[18295]: 49NJCz4yZqzBl7wn: to=<test123@otherserver.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.76/0.02/0.05/0.27, dsn=2.0.0, status=sent (250 2.0.0 fr$
May 14 17:18:40 mail postfix/qmgr[1287]: 49NJCz4yZqzBl7wn: removed
May 14 17:18:41 mail postfix/smtp[18298]: Trusted TLS connection established to mx.zzz.com[153.x.x.x]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 14 17:18:42 mail postfix/smtp[18298]: 49NJD00vNpzBl7wv: to=<test123@otherserver.com>, relay=mx.zoho.com[136.x.x.x]:25, delay=2.6, delays=0.01/0.05/1.6/0.96, dsn=2.0.0, status=sent (250 Message rec$
May 14 17:18:42 mail postfix/qmgr[1287]: 49NJD00vNpzBl7wv: removed

So the message is successfully sent.

To me it looks like this is happening because all connections are forwarded by the container host to the container loopback interface, but I was unable to successfully change this to an alternative working configuration.

Currently ports are forwarded to the container using LXC, as follows:

root@xxx:~# lxc config device show mailserver
port25:
   connect: tcp:127.0.0.1:25
   listen: tcp:0.0.0.0:25
   type: proxy
port110:
   connect: tcp:127.0.0.1:110
   listen: tcp:0.0.0.0:110
   type: proxy
...

I have tried changing this to:

port25:
   connect: tcp:10.33.196.133:25
   listen: tcp:0.0.0.0:25
   type: proxy

But this created separate problems, and external e-mails were still perceived as internal.
I have searched for containerised postfix configurations and other situations in which a mailserver was run in LXD, but wasn’t able to find a solution.

If someone is able to point me in the right direction, that would be great!
Also, if any additional information is needed, let me know. Thanks for your help.

Hi,

The issue is that the proxy device (by its very nature of proxying packets rather than forwarding them) is losing the original source address.

See my post on a similar topic recently of switching the proxy device into nat mode which allows you to maintain the original source address: Proxy device only creates IPv6 port

iRedMail Mail Server supports the PROXY protocol, so you also have the option to enable it in the LXD proxy device.

Ah thanks for pointing that out.

Thank you very much! Can’t believe the option was so simple.
After adding the
proxy_protocol=true
parameter to the LXD proxy device, and
postscreen_upstream_proxy_protocol = haproxy
to /etc/postfix/main.cf,
it works!

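As an added check that is not part of this thread: a small Python script that scans Postfix log lines for the symptom described above, messages accepted from a loopback client without SASL authentication and then relayed to an outside domain. The sample lines are constructed after the log posted above, and local_domains is an assumed parameter naming the domains the server actually hosts.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the thread's mail.log (not the original lines): a message that
# arrived through the LXD proxy device (Postfix saw 127.0.0.1), its re-injection after amavis on
# the port-10025 listener, and an authenticated submission for contrast.
SAMPLE_LOG = """\
May 14 17:18:39 mail postfix/smtpd[18273]: 49NJCz4yZqzBl7wn: client=mail.example.test[127.0.0.1]
May 14 17:18:39 mail postfix/qmgr[1287]: 49NJCz4yZqzBl7wn: from=<myfrom@randomaddress.test>, size=562, nrcpt=1 (queue active)
May 14 17:18:40 mail postfix/amavis/smtp[18295]: 49NJCz4yZqzBl7wn: to=<test123@otherserver.test>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May 14 17:18:40 mail postfix/10025/smtpd[18297]: 49NJD00vNpzBl7wv: client=mail.example.test[127.0.0.1]
May 14 17:18:42 mail postfix/smtp[18298]: 49NJD00vNpzBl7wv: to=<test123@otherserver.test>, relay=mx.otherserver.test[198.51.100.9]:25, dsn=2.0.0, status=sent (250 Ok)
May 14 17:20:01 mail postfix/submission/smtpd[18310]: 49NJG2abcdzBl7x1: client=laptop.example.test[127.0.0.1], sasl_method=PLAIN, sasl_username=alice@example.test
May 14 17:20:02 mail postfix/amavis/smtp[18295]: 49NJG2abcdzBl7x1: to=<bob@otherserver.test>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# smtpd "client=" lines carry the service name (e.g. "submission/", "10025/") before "smtpd"
CLIENT_RE = re.compile(r"postfix/(?P<svc>[\w/]*?)smtpd\[\d+\]: (?P<qid>\w+): client=\S+?\[(?P<ip>[^\]]+)\](?P<rest>.*)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"postfix/[\w/]*smtp\[\d+\]: (?P<qid>\w+): to=<(?P<addr>[^>]*)>")

def domain(addr): return addr.rsplit("@", 1)[-1].lower()

def is_loopback(ip):
    try:
        return ip_address(ip).is_loopback
    except ValueError:  # e.g. client=unknown[unknown]
        return False

def find_masked_relays(log_text, local_domains):
    """(queue_id, client_ip, sender, external_recipients) for every message accepted from a
    loopback client without SASL auth and relayed outside local_domains. Behind a proxy that
    rewrites the source address every outside client looks like this, so hits mean trouble."""
    local = {d.lower() for d in local_domains}
    client, sender, rcpts = {}, {}, {}
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            if m["svc"][:1].isdigit():  # port-named re-injection listener (10025/smtpd), not an edge connection
                continue
            client[m["qid"]] = (m["ip"], "sasl_username=" in m["rest"])
        elif m := FROM_RE.search(line):
            sender[m["qid"]] = m["addr"]
        elif m := TO_RE.search(line):
            rcpts.setdefault(m["qid"], []).append(m["addr"])
    hits = []
    for qid, (ip, authenticated) in client.items():
        external = [r for r in rcpts.get(qid, []) if domain(r) not in local]
        if is_loopback(ip) and not authenticated and external:
            hits.append((qid, ip, sender.get(qid, ""), external))
    return hits
```

Once the proxy device sends the PROXY protocol and postscreen reads it, the client= lines carry the real peer address, so outside senders no longer match the loopback test and the check should come back empty for them.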