check_policy_service should come before permit_mynetworks in Postfix conf #294

draeklae opened this issue Jul 23, 2024 · 0 comments
Support guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

Postfix configuration at the moment is such that check_policy_service comes after permit_mynetworks. The effect is that all mail from local networks is forwarded without checking if, e.g., an alias is activated or not. This is especially problematic when Addy is receiving mail forwarded from a Postfix relay in the same network (e.g., another mail server container on the same host).

Expected behaviour

All mail should be going through the policy service, even if it comes from local networks.

Actual behaviour

If mail comes from a local network (e.g., a Postfix relay in the same network), then Addy delivers the email without going through policy checks.

Steps to reproduce

  1. Create an Addy instance that is receiving mail from another Postfix server in the same network
  2. Create an alias and deactivate it
  3. Send email to deactivated alias
    (mail is delivered even though alias is deactivated)

Docker info

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 12
  Running: 12
  Paused: 0
  Stopped: 0
 Images: 48
 Server Version: 20.10.24+dfsg1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 1.6.20~ds1-1+b1
 runc version: 1.1.5+ds1-1+deb12u1
 init version: 
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 6.1.0-23-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.62GiB
 Name: v220240637402273018
 ID: JOAL:Y3H2:TW2J:SWQH:UHJ6:WGOB:NN6F:QIOD:NYFH:KOQY:H46T:RSPU
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Docker Compose config

No response

Logs

---

Additional info

Bug is fixed simply by reordering the two in smtpd_recipient_restrictions.
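
The ordering problem reported above can be checked mechanically. The following is an added example, not part of the issue or of the project's code: it parses main.cf-style text and reports which permit actions sit ahead of `check_policy_service` in `smtpd_recipient_restrictions`. The two config fragments are constructed, `unix:private/policy` is a placeholder endpoint, and the function names are hypothetical.

```python
import re
# Constructed main.cf fragments. unix:private/policy is a placeholder
# endpoint, not the address Addy's policy service actually listens on.
BEFORE = """\
# order described in the issue
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_policy_service unix:private/policy
"""
AFTER = """\
smtpd_recipient_restrictions =
    check_policy_service unix:private/policy,
    permit_mynetworks
"""

def get_param(main_cf, name):
    """Tokens of the last definition of `name` in main.cf-style text."""
    logical = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a continuation
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading whitespace continues
        else:
            logical.append(line.strip())
    value = ""
    for entry in logical:
        key, sep, val = entry.partition("=")
        if sep and key.strip() == name:
            value = val  # a later definition overrides an earlier one
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

def permits_before_policy(tokens):
    """Permit actions listed ahead of the first check_policy_service.
    Postfix stops at the first restriction that returns a decision, so a
    matching client is accepted without the policy lookup. None is returned
    when the list has no check_policy_service at all."""
    ahead = []
    for tok in tokens:
        if tok == "check_policy_service":
            return ahead
        if tok == "permit" or tok.startswith("permit_"):
            ahead.append(tok)
    return None

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        tokens = get_param(conf, "smtpd_recipient_restrictions")
        print(label, permits_before_policy(tokens))
```

On a running server the same functions can be fed the output of `postconf -n` instead of the constructed fragments.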
