SPF Authentication Failure for emails received
Support guidelines
- [X] I've read the support guidelines
I've found a bug and checked that ...
- [X] ... the documentation does not mention anything about my problem
- [X] ... there are no open or closed issues that are related to my problem
Description
I recently installed AnonAddy docker - and love the service. I followed all the guides and got almost everything to work - I'm able to send and receive emails, I have TLS working, and almost everything is great - EXCEPT for a lingering SPF authentication issue that I can't seem to shake.
Whenever an email is sent to an alias email account, the SPF reflects the IP address of the email server for the original sender and NOT the IP address of my AnonAddy server. This causes the SPF to fail.
For example, if a user from Gmail sends an email to my alias [email protected], the received SPF shows a Gmail IP and NOT the IP of my AnonAddy server. This is causing the emails to get dumped into my junk mail box.
I've tried to modify a bunch of settings to wit's end, and can't figure out how to fix this. Am I doing something wrong?
Here is my configuration. Hoping somebody can guide me in the right direction. I have a static IP, and my PTR records point to my IP (reverse DNS works). I am using mail.myhost.com as a base email domain, as I have a different email server running on the root domain myhost.com.
Base Details
Email Domain: mail.myhost.com
AnonAddy Host: webmail.myhost.com
Server IP: 3.3.3.3 (example)
I have TLS certs for my domain generated using acme.sh, and have mapped the cert and key to /certs in the anonaddy container.
DNS Configuration
- A record: smtp -> 3.3.3.3
- MX record: mail -> smtp.myhost.com
- DKIM record: default._domainkey.mail -> v=DKIM1; k=rsa; p=<Something long>
- DMARC record: _dmarc.mail -> v=DMARC1; p=reject; sp=none; aspf=r; fo=1:d:s
- SPF record: mail -> v=spf1 mx ~all
anonaddy.env Configuration
```
## General System Config
TZ=America/Los_Angeles
PUID=1000
PGID=1000
MEMORY_LIMIT=256M
UPLOAD_MAX_SIZE=16M
OPCACHE_MEM_SIZE=128
REAL_IP_FROM=0.0.0.0/32
REAL_IP_HEADER=X-Forwarded-For
LOG_IP_VAR=http_x_forwarded_for
## APP Environments
APP_KEY=<redacted>
APP_DEBUG=true
# URL Of AnonAddy Install
APP_URL=https://webmail.myhost.com # Can be whatever
[email protected]
ANONADDY_ADMIN_USERNAME=anonaddy
ANONADDY_ENABLE_REGISTRATION=true
ANONADDY_DOMAIN=mail.myhost.com
#ANONADDY_ALL_DOMAINS=mail.myhost.com
ANONADDY_HOSTNAME=smtp.myhost.com
ANONADDY_DNS_RESOLVER=127.0.0.1
ANONADDY_SECRET=37WYeWU6k00WttSqedDm
ANONADDY_LIMIT=200 # Number of emails a user can forward and reply per hour
ANONADDY_BANDWIDTH_LIMIT=1048576000 # Monthly bandwidth limit for users in bytes
ANONADDY_NEW_ALIAS_LIMIT=30 # Number of new aliases a user can create each hour
ANONADDY_ADDITIONAL_USERNAME_LIMIT=50 # Number of additional usernames a user can add to their account
## RSPAMD Config
RSPAMD_ENABLE=true
RSPAMD_NO_LOCAL_ADDRS=true
RSPAMD_WEB_PASSWORD=oneworld
## Mail Config
MAIL_FROM_NAME=AnonAddy
[email protected]
## Postfix Configuration
POSTFIX_DEBUG=true
POSTFIX_SMTPD_TLS=true
POSTFIX_SMTP_TLS=true
#Certs
POSTFIX_SMTPD_TLS_CERT_FILE=/certs/fullchain.pem
POSTFIX_SMTPD_TLS_KEY_FILE=/certs/privkey.pem
```
Anonaddy config in docker-compose.yml
```yaml
anonaddy:
  image: anonaddy/anonaddy:latest
  container_name: anonaddy
  depends_on:
    - db
    - redis
  ports:
    - target: 25
      published: 25
      protocol: tcp
  volumes:
    - "./data:/data"
    ## mydomain.com
    - "/etc/mydomains/mydomain.com/fullchain.cer:/certs/fullchain.pem:ro" # Link to certs created by Acme.sh
    - "/etc/mydomains/mydomain.com/privkey.key:/certs/privkey.pem:ro" # Link to key for islnt.com created by Acme.sh
  env_file:
    - "./anonaddy.env"
  environment:
    - "DB_HOST=db"
    - "DB_DATABASE=${MYSQL_DATABASE}"
    - "DB_USERNAME=${MYSQL_USER}"
    - "DB_PASSWORD=${MYSQL_PASSWORD}"
    - "REDIS_HOST=redis"
  restart: always
```
Expected behaviour
I expected the SPF to pass. The emails should be regenerated from AnonAddy, and the SPF should reflect the IP address of the AnonAddy server.
Actual behaviour
The SPF is failing. I ran the headers through MX Toolbox, and the SPF authentication fails. The SPF reflects the IP address of the email provider of the sender. SPF alignment looks to be okay, and DKIM alignment also looks okay.
Steps to reproduce
Described above. Anytime I receive an email sent to my alias, the email SPF authentication fails. The IP address shows the IP of Gmail (or any other provider) rather than my AnonAddy server.
Docker info
```
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
  compose: Docker Compose (Docker Inc., v2.6.0)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: 20.10.17
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc version: v1.1.2-0-ga916309
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.15.0-78-generic
 Operating System: Ubuntu 22.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.756GiB
 Name: lnx-docker01
 ID: R6NO:FVB5:TQV3:BO5V:A6QI:DKHL:KORH:JHFX:CYCX:XIAL:VMVR:KGFY
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```
Docker Compose config
```yaml
name: anonaddy
services:
  anonaddy:
    container_name: anonaddy
    depends_on:
      db:
        condition: service_started
      redis:
        condition: service_started
    environment:
      ANONADDY_ADDITIONAL_USERNAME_LIMIT: "50"
      ANONADDY_ADMIN_USERNAME: anonaddy
      ANONADDY_BANDWIDTH_LIMIT: "1048576000"
      ANONADDY_DNS_RESOLVER: 127.0.0.1
      ANONADDY_DOMAIN: mail.mydomain.com
      ANONADDY_ENABLE_REGISTRATION: "true"
      ANONADDY_HOSTNAME: smtp.mydomain.com
      ANONADDY_LIMIT: "200"
      ANONADDY_NEW_ALIAS_LIMIT: "30"
      ANONADDY_RETURN_PATH: [email protected]
      ANONADDY_SECRET: <redacted>
      APP_DEBUG: "true"
      APP_KEY: <redacted>
      APP_URL: https://webmail.mydomain.com
      DB_DATABASE: anonaddy
      DB_HOST: db
      DB_PASSWORD: anonaddy
      DB_USERNAME: anonaddy
      LOG_IP_VAR: http_x_forwarded_for
      MAIL_FROM_ADDRESS: [email protected]
      MAIL_FROM_NAME: AnonAddy
      MEMORY_LIMIT: 256M
      OPCACHE_MEM_SIZE: "128"
      PGID: "1000"
      POSTFIX_DEBUG: "true"
      POSTFIX_SMTP_TLS: "true"
      POSTFIX_SMTPD_TLS: "true"
      POSTFIX_SMTPD_TLS_CERT_FILE: /certs/fullchain.pem
      POSTFIX_SMTPD_TLS_KEY_FILE: /certs/privkey.pem
      PUID: "1000"
      REAL_IP_FROM: 0.0.0.0/32
      REAL_IP_HEADER: X-Forwarded-For
      REDIS_HOST: redis
      RSPAMD_ENABLE: "true"
      RSPAMD_WEB_PASSWORD: testing123
      TZ: America/Los_Angeles
      UPLOAD_MAX_SIZE: 16M
    image: anonaddy/anonaddy:latest
    networks:
      default: null
    ports:
      - target: 25
        published: "25"
        protocol: tcp
    restart: always
    volumes:
      - type: bind
        source: /opt/docker/anonaddy/data
        target: /data
        bind:
          create_host_path: true
      - type: bind
        source: /etc/mydomains/mydomain.com/fullchain.cer
        target: /certs/fullchain.pem
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /etc/mydomains/mydomain.com/privkey.key
        target: /certs/privkey.pem
        read_only: true
        bind:
          create_host_path: true
  db:
    command:
      - mysqld
      - --character-set-server=utf8mb4
      - --collation-server=utf8mb4_unicode_ci
    container_name: anonaddy_db
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
      MYSQL_DATABASE: anonaddy
      MYSQL_PASSWORD: anonaddy
      MYSQL_USER: anonaddy
    image: mariadb:10.5
    networks:
      default: null
    restart: always
    volumes:
      - type: bind
        source: /opt/docker/anonaddy/mariadb
        target: /var/lib/mysql
        bind:
          create_host_path: true
  nginx:
    container_name: anonaddy_nginx
    depends_on:
      anonaddy:
        condition: service_started
    image: nginx:alpine
    networks:
      default: null
    ports:
      - mode: ingress
        target: 80
        published: "80"
        protocol: tcp
      - mode: ingress
        target: 443
        published: "443"
        protocol: tcp
    restart: unless-stopped
    volumes:
      - type: bind
        source: /etc/ssl/dhparam.pem
        target: /etc/ssl/dhparam.pem
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /opt/docker/anonaddy/nginx/sites
        target: /etc/nginx/conf.d
        bind:
          create_host_path: true
      - type: bind
        source: /opt/docker/anonaddy/nginx/logs
        target: /var/log/nginx
        bind:
          create_host_path: true
      - type: bind
        source: /etc/mydomains/mydomain.com/fullchain.cer
        target: /certs/fullchain.pem
        read_only: true
        bind:
          create_host_path: true
      - type: bind
        source: /etc/mydomains/mydomain.com/privkey.key
        target: /certs/privkey.pem
        read_only: true
        bind:
          create_host_path: true
  redis:
    container_name: anonaddy_redis
    image: redis:4.0-alpine
    networks:
      default: null
    restart: always
networks:
  default:
    name: anonaddy_default
```
Logs
I saw these logs in postfix. Not sure if they are relevant:
```
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: dns_get_answer: type A for NAM10-DM6-obe.outbound.protection.outlook.com
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: generic_checks: name=reject_unknown_helo_hostname status=0
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: >>> END Helo command RESTRICTIONS <<<
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: >>> START Sender address RESTRICTIONS <<<
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: generic_checks: name=permit_mynetworks
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: permit_mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com 40.107.93.67
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? 127.0.0.0/8
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? 127.0.0.0/8
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? [::ffff:127.0.0.0]/104
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? [::ffff:127.0.0.0]/104
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? [::1]/128
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? [::1]/128
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? 10.0.0.0/8
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? 10.0.0.0/8
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? 172.16.0.0/12
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? 172.16.0.0/12
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? 192.168.0.0/16
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? 192.168.0.0/16
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_list_match: mail-dm6nam10on2067.outbound.protection.outlook.com: no match
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_list_match: 40.107.93.67: no match
anonaddy | Jul 28 15:56:32 smtp postfix/smtpd[994]: generic_checks: name=permit_mynetworks status=0
```
Additional info
No response