Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No usable MXs when sending to IPv6-only domain #631

Closed
cuihaoleo opened this issue Oct 5, 2023 · 0 comments · Fixed by #632
Closed

No usable MXs when sending to IPv6-only domain #631

cuihaoleo opened this issue Oct 5, 2023 · 0 comments · Fixed by #632
Labels
bug Something isn't working.

Comments

@cuihaoleo
Copy link
Contributor

cuihaoleo commented Oct 5, 2023
edited
Loading

Describe the bug

Hi, I set up a maddy instance in a podman container. Everything looks good so far. When I test my server with https://email-security-scans.org/, it always fails with IPv6 test. I believe I have setup IPv6 access properly.

One of the failed email addresses is [email protected]. Relevent logs:

[debug] remote: trying        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","remote_server":"mail-v6.measurement.email-security-scans.org."}
[debug] mx_auth.mtasts: MTA-STS error        {"err":"mtasts: no policy"}
remote: cannot use MX        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","reason":"no address associated with the host","remote_server":"mail-v6.measurement.email-security-scans.org.","tls_err":null}

And I can confirm that the container can resolve and connect to the v6-only MX server:

$ sudo podman exec maddy nslookup -type=MX v6-mail.measurement.email-security-scans.org
Server:         185.12.64.1
Address:        185.12.64.1:53

Non-authoritative answer:
v6-mail.measurement.email-security-scans.org    mail exchanger = 10 mail-v6.measurement.email-security-scans.org

$ sudo podman exec maddy nslookup -type=AAAA mail-v6.measurement.email-security-scans.org
Server:         185.12.64.1
Address:        185.12.64.1:53

Non-authoritative answer:
Name:   mail-v6.measurement.email-security-scans.org
Address: 2a06:d1c0:dead:3::86

$ sudo podman exec maddy nc 2a06:d1c0:dead:3::86 25
220 mail.measurement.email-security-scans.org ESMTP Postfix

Steps to reproduce

Send an email to [email protected]. It will fail.

Log files

With debug yes, IP/domain names redacted:

submission: incoming message        {"msg_id":"045b14e1","sender":"[email protected]","src_host":"[192.168.31.119]","src_ip":"XXX.XXX.XXX.XXX:57870","username":"[email protected]"}
[debug] smtp/pipeline: sender [email protected] matched by domain rule 'mydomain.com'        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: initializing state for check.authorize_sender: (0x400013b080)        {"msg_id":"045b14e1"}
[debug] normalized names        {"auth":"[email protected]","from":"[email protected]","msg_id":"045b14e1"}
[debug] authorized emails        {"msg_id":"045b14e1","ok":true,"preparedEmail":["[email protected]"]}
[debug] smtp/pipeline: global rcpt modifiers: [email protected] => [[email protected]]        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: per-source rcpt modifiers: [email protected] => [[email protected]]        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: recipient [email protected] matched by default rule (clean = [email protected])        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: per-rcpt modifiers: [email protected] => [[email protected]]        {"msg_id":"045b14e1"}
[debug] smtp/pipeline: tgt.Start([email protected]) ok, target = queue:remote_queue        {"msg_id":"045b14e1"}
submission: RCPT ok        {"msg_id":"045b14e1","rcpt":"[email protected]"}
[debug] autobuffer: keeping the message in RAM (read 13 bytes, got EOF)        
[debug] normalized names        {"auth":"[email protected]","from":"[email protected]","msg_id":"045b14e1"}
[debug] authorized emails        {"msg_id":"045b14e1","ok":true,"preparedEmail":["[email protected]"]}
[debug] modify.dkim: signed        {"domain":"mydomain.com"}
[debug] smtp/pipeline: delivery.Body ok, Delivery object = *msgpipeline.delivery        {"msg_id":"045b14e1"}
submission: accepted        {"msg_id":"045b14e1"}
[debug] queue: starting delivery for 045b14e1        
[debug] queue: waiting on delivery semaphore for 045b14e1        
[debug] queue: delivery semaphore acquired for 045b14e1        
[debug] queue: using message ID = 045b14e1-651e2d3a        {"msg_id":"045b14e1"}
[debug] queue: target.Start OK        {"msg_id":"045b14e1"}
[debug] remote: opening new connection        {"cache_ignored":false,"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a"}
[debug] submission: reset        
[debug] mx_auth.mtasts: MTA-STS error        {"err":"mtasts: no policy","msg_id":"045b14e1-651e2d3a"}
[debug] remote: trying        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","remote_server":"mail-v6.measurement.email-security-scans.org."}
[debug] mx_auth.mtasts: MTA-STS error        {"err":"mtasts: no policy"}
remote: cannot use MX        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","reason":"no address associated with the host","remote_server":"mail-v6.measurement.email-security-scans.org.","tls_err":null}
[debug] queue: delivery.AddRcpt [email protected] failed: no address associated with the host        {"msg_id":"045b14e1"}
[debug] queue: delivery.Abort (no accepted receipients)        {"msg_id":"045b14e1"}
[debug] queue: errors: map[[email protected]:no address associated with the host]        {"msg_id":"045b14e1"}
queue: delivery attempt failed        {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1","rcpt":"[email protected]","reason":"no address associated with the host","smtp_code":451,"smtp_enchcode":"5.4.0","smtp_msg":"No usable MXs, last err: no address associated with the host","target":"remote","tls_err":null}
[debug] queue: delay: 15m0s * 1.25 ^ (1 - 1)        {"msg_id":"045b14e1"}
queue: will retry        {"attempts_count":{"[email protected]":1},"msg_id":"045b14e1","next_try_delay":"14m59.999962199s","rcpts":["[email protected]"]}
[debug] imapsql: sending external update        {"key":2,"type":0}

Configuration file

Almost the default one:

## Maddy Mail Server - default configuration file (2022-06-18)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddy subcommands.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.

# ----------------------------------------------------------------------------
# Base variables

$(hostname) = mx.mydomain.com
$(primary_domain) = mydomain.com
$(local_domains) = $(primary_domain)

tls file /certs/fullchain.pem /certs/privkey.pem
debug yes

# ----------------------------------------------------------------------------
# Local storage & authentication

# pass_table provides local hashed passwords storage for authentication of
# users. It can be configured to use any "table" module, in default
# configuration a table in SQLite DB is used.
# Table can be replaced to use e.g. a file for passwords. Or pass_table module
# can be replaced altogether to use some external source of credentials (e.g.
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddy creds' command.

auth.pass_table local_authdb {
    table sql_table {
        driver sqlite3
        dsn credentials.db
        table_name passwords
    }
}

# imapsql module stores all indexes and metadata necessary for IMAP using a
# relational database. It is used by IMAP endpoint for mailbox access and
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddy.

storage.imapsql local_mailboxes {
    driver sqlite3
    dsn imapsql.db
}

# ----------------------------------------------------------------------------
# SMTP endpoints + message routing

hostname $(hostname)

table.chain local_rewrites {
    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
    optional_step static {
        entry postmaster postmaster@$(primary_domain)
    }
    optional_step file /data/aliases
}

msgpipeline local_routing {
    # Insert handling for special-purpose local domains here.
    # e.g.
    # destination lists.example.org {
    #     deliver_to lmtp tcp://127.0.0.1:8024
    # }

    destination postmaster $(local_domains) {
        modify {
            replace_rcpt &local_rewrites
        }

        deliver_to &local_mailboxes
    }

    default_destination {
        reject 550 5.1.1 "User doesn't exist"
    }
}

smtp tcp://[::]:25 {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections.
        all rate 20 1s
        all concurrency 10
    }

    dmarc yes
    check {
        require_mx_record
        dkim
        spf
    }

    source $(local_domains) {
        reject 501 5.1.8 "Use Submission for outgoing SMTP"
    }
    default_source {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.1.1 "User doesn't exist"
        }
    }
}

submission tcp://[::]:587 {
    limits {
        # Up to 50 msgs/sec across any amount of SMTP connections.
        all rate 50 1s
    }

    auth &local_authdb

    source $(local_domains) {
        check {
            authorize_sender {
                prepare_email &local_rewrites
                user_to_email identity
            }
        }

        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            modify {
                dkim $(primary_domain) $(local_domains) default
            }
            deliver_to &remote_queue
        }
    }
    default_source {
        reject 501 5.1.8 "Non-local sender domain"
    }
}

target.remote outbound_delivery {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections
        # for each recipient domain.
        destination rate 20 1s
        destination concurrency 10
    }
    mx_auth {
        dane
        mtasts {
            cache fs
            fs_dir mtasts_cache/
        }
        local_policy {
            min_tls_level encrypted
            min_mx_level none
        }
    }
}

target.queue remote_queue {
    target &outbound_delivery

    autogenerated_msg_domain $(primary_domain)
    bounce {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
        }
    }
}

# ----------------------------------------------------------------------------
# IMAP endpoints

imap tls://[::]:993 {
    auth &local_authdb
    storage &local_mailboxes
}

Environment information

  • maddy version: 0.7

Running in a podman container. Full command:

podman run
        --rm \
        -d \
        --replace \
        --name maddy \
        --security-opt label=type:unconfined_t \
        -e MADDY_HOSTNAME=mx.mydomain.com \
        -e MADDY_DOMAIN=mydomain.com \
        -v /srv/pods/maddy/data:/data \
        -v /etc/letsencrypt/live/mx.mydomain.comfullchain.pem:/certs/fullchain.pem:ro \
        -v /etc/letsencrypt/live/mx.mydomain.com/privkey.pem:/certs/privkey.pem:ro \
        --net=dualstack \
        -p 25:25 \
        -p 587:587 \
        -p 993:993 \
        foxcpp/maddy:0.7

The network dualstack is created with:

$ podman network create --disable-dns --driver=bridge --ipv6 dualstack
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix wrong DNS query type in DANE lookups for IPv6-only hosts cuihaoleo/maddy
1 participant
@cuihaoleo