LXD Portforwarding for Postfix Mailserver

I have an iRedMail Mail Server running in an LXD container.
Unfortunately, all e-mail is currently treated as internal e-mail, effectively making it an open relay.

Container host
VPS, with its own public IP address
OS: Debian 10
Container: LXD
FQDN: xxx.yyy
Network config:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 155.xx.xx.xx  netmask 255.255.255.255  broadcast 155.xx.xx.xx
lxdbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 10.33.196.1  netmask 255.255.255.0  broadcast 0.0.0.0

Mailserver running inside container
OS: Debian 10
Mailserver: iRedMail 1.1 LDAP
Postfix ver: 3.4.10
FQDN: mail.xxx.yyy
Network config:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 10.33.196.133  netmask 255.255.255.0  broadcast 10.33.196.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
inet 127.0.0.1  netmask 255.0.0.0


When an external party attempts to send an e-mail over port 25 without credentials, this happens:
/var/log/mail.log: (edited for privacy reasons)

May 14 17:18:35 mail postfix/postscreen[18271]: WHITELISTED [127.0.0.1]:57298
May 14 17:18:37 mail postfix/smtpd[18273]: connect from mail.xxx.yyy[127.0.0.1]
May 14 17:18:37 mail postfix/smtpd[18273]: Anonymous TLS connection established from mail.xxx.yyy[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 14 17:18:39 mail postfix/smtpd[18273]: 49NJCz4yZqzBl7wn: client=mail.xxx.yyy[127.0.0.1]
May 14 17:18:39 mail postfix/cleanup[18294]: 49NJCz4yZqzBl7wn: message-id=<e0df89eba9ca328b06c05a6c4c792944@test.server.com>
May 14 17:18:39 mail postfix/qmgr[1287]: 49NJCz4yZqzBl7wn: from=<myfrom@randomadress.com>, size=562, nrcpt=1 (queue active)
May 14 17:18:39 mail postfix/smtpd[18273]: disconnect from mail.xxx.yyy[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 14 17:18:40 mail postfix/10025/smtpd[18297]: connect from mail.xxx.yyy[127.0.0.1]
May 14 17:18:40 mail postfix/10025/smtpd[18297]: 49NJD00vNpzBl7wv: client=mail.xxx.yyy[127.0.0.1]
May 14 17:18:40 mail postfix/cleanup[18294]: 49NJD00vNpzBl7wv: message-id=<e0df89eba9ca328b06c05a6c4c792944@test.server.com>
May 14 17:18:40 mail postfix/10025/smtpd[18297]: disconnect from mail.xxx.yyy[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 14 17:18:40 mail postfix/qmgr[1287]: 49NJD00vNpzBl7wv: from=<myfrom@randomadress.com>, size=1009, nrcpt=1 (queue active)
May 14 17:18:40 mail amavis[689]: (00689-01) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [127.0.0.1]:57298 ESMTP/ESMTP <myfrom@randomadress.com> -> <test123@otherserver.com>, (), Queue-ID: 49NJCz4yZqzBl7wn,$
May 14 17:18:40 mail postfix/amavis/smtp[18295]: 49NJCz4yZqzBl7wn: to=<test123@otherserver.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.76/0.02/0.05/0.27, dsn=2.0.0, status=sent (250 2.0.0 fr$
May 14 17:18:40 mail postfix/qmgr[1287]: 49NJCz4yZqzBl7wn: removed
May 14 17:18:41 mail postfix/smtp[18298]: Trusted TLS connection established to mx.zzz.com[153.x.x.x]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 14 17:18:42 mail postfix/smtp[18298]: 49NJD00vNpzBl7wv: to=<test123@otherserver.com>, relay=mx.zoho.com[136.x.x.x]:25, delay=2.6, delays=0.01/0.05/1.6/0.96, dsn=2.0.0, status=sent (250 Message rec$
May 14 17:18:42 mail postfix/qmgr[1287]: 49NJD00vNpzBl7wv: removed

So the message is successfully sent.

To me it looks like this is happening because all connections are forwarded by the container host to the container's loopback interface, but I was unable to successfully change this to an alternative working configuration.

Currently ports are forwarded to the container using LXC, as follows:

root@xxx:~# lxc config device show mailserver
port25:
   connect: tcp:127.0.0.1:25
   listen: tcp:0.0.0.0:25
   type: proxy
port110:
   connect: tcp:127.0.0.1:110
   listen: tcp:0.0.0.0:110
   type: proxy
...

I have tried changing this to:

port25:
   connect: tcp:10.33.196.133:25
   listen: tcp:0.0.0.0:25
   type: proxy

But this created separate problems, and external e-mails were still perceived as internal.
I have searched for containerised Postfix configurations and other situations in which a mail server was run in LXD, but wasn't able to find a solution.

If someone is able to point me in the right direction, that would be great!
Also, if any additional information is needed, let me know. Thanks for your help.

Hi,

The issue is that the proxy device (by its very nature of proxying packets rather than forwarding them) is losing the original source address.

See my recent post on a similar topic about switching the proxy device into nat mode, which allows you to keep the original source address: Proxy device only creates IPv6 port


iRedMail Mail Server supports the PROXY protocol, so you also have the option to enable it in the LXD proxy device.


Ah thanks for pointing that out.

Thank you very much! Can't believe the option was so simple.
After adding the
proxy_protocol=true
parameter to the LXD proxy device, and
postscreen_upstream_proxy_protocol = haproxy
to /etc/postfix/main.cf, it works!
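The thread explains the failure but never shows what actually changes on the wire, so here is an added example (not code from the thread, from LXD or from iRedMail) that models it. With a plain proxy device the TCP peer the container sees is 127.0.0.1, which falls inside Postfix's mynetworks, so postscreen whitelists it and smtpd relays without authentication. With proxy_protocol=true the LXD proxy prepends a PROXY protocol v1 header carrying the real client address, and with postscreen_upstream_proxy_protocol = haproxy Postfix uses that address instead of the peer address. The mynetworks list, the client and host IPs (203.0.113.45, 198.51.100.10) and the session bytes below are all constructed for illustration; the iRedMail mynetworks value is not shown in the thread.

```python
"""Model of the relay decision before and after enabling the PROXY protocol
on an LXD proxy device in front of Postfix postscreen. Added example; all
addresses, networks and session bytes are constructed, not taken from the thread."""
import ipaddress
import re

# Assumed Postfix mynetworks: loopback plus the lxdbr0 subnet. iRedMail's real
# value is not visible in the thread, so this is an assumption.
MYNETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.33.196.0/24"),
]

# PROXY protocol v1 (the "haproxy" format Postfix expects):
#   "PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\r\n"
# The whole header, CRLF included, is at most 107 bytes.
_V1 = re.compile(rb"PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n")


def parse_proxy_v1(data: bytes):
    """Return (client_ip, client_port, remaining_bytes) or raise ValueError.

    Mirrors what a PROXY-protocol-aware listener does: read exactly one header
    line, validate it, and hand the rest of the stream to the real protocol."""
    end = data.find(b"\r\n", 0, 108)
    if end < 0:
        raise ValueError("no PROXY v1 header within the first 107 bytes")
    line, rest = data[: end + 2], data[end + 2 :]
    m = _V1.fullmatch(line)
    if not m:
        raise ValueError("malformed PROXY v1 header")
    family, src, dst, sport, dport = m.groups()
    if family == b"UNKNOWN":
        raise ValueError("PROXY UNKNOWN: client address not available")
    if src is None:
        raise ValueError("PROXY header without addresses")
    src_ip = ipaddress.ip_address(src.decode("ascii"))
    ipaddress.ip_address(dst.decode("ascii"))  # validate, value unused here
    if (family == b"TCP4") != (src_ip.version == 4):
        raise ValueError("address family does not match address")
    sport_i, dport_i = int(sport), int(dport)
    if not (0 <= sport_i <= 65535 and 0 <= dport_i <= 65535):
        raise ValueError("port out of range")
    return str(src_ip), sport_i, rest


def is_mynetworks(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def relay_decision(peer_ip: str, data: bytes, haproxy_upstream: bool) -> dict:
    """Model postscreen's view of a new connection.

    peer_ip: the TCP peer address the container sees (127.0.0.1 through a
             plain LXD proxy device).
    haproxy_upstream: True when postscreen_upstream_proxy_protocol = haproxy.
    Returns the client address Postfix will act on, whether it is inside
    mynetworks, and the SMTP bytes left after any PROXY header."""
    if haproxy_upstream:
        client, _port, smtp = parse_proxy_v1(data)
    else:
        client, smtp = peer_ip, data
    trusted = is_mynetworks(client)
    return {"client": client, "mynetworks": trusted, "relay_without_auth": trusted, "smtp": smtp}


# Constructed session: what the LXD proxy delivers to the container with
# proxy_protocol=true for an external client 203.0.113.45 hitting port 25.
EXTERNAL_WITH_HEADER = b"PROXY TCP4 203.0.113.45 198.51.100.10 40000 25\r\nEHLO test.server.com\r\n"
# Same session through a proxy device without proxy_protocol: only SMTP arrives.
EXTERNAL_NO_HEADER = b"EHLO test.server.com\r\n"


if __name__ == "__main__":
    # Original thread situation: peer is loopback, no header -> open relay.
    print(relay_decision("127.0.0.1", EXTERNAL_NO_HEADER, haproxy_upstream=False))
    # Fixed situation: header carries the real client -> not in mynetworks.
    print(relay_decision("127.0.0.1", EXTERNAL_WITH_HEADER, haproxy_upstream=True))
```

Two caveats worth keeping in mind when applying the fix. The header must be present on every connection to that port once Postfix expects it: a proxy device without proxy_protocol, or a direct connection from inside the container, will now fail the header check instead of being silently trusted, which is the safe direction. And postscreen_upstream_proxy_protocol only covers the postscreen-fronted port 25; if the submission ports (587/465) are also exposed through LXD proxy devices with proxy_protocol=true, their smtpd entries in master.cf need the corresponding smtpd_upstream_proxy_protocol=haproxy override. The nat mode mentioned earlier in the thread avoids the header altogether by forwarding packets with their original source address, at the cost of needing a specific listen address and a static container IP.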