Potential Backscatter issue/SPF lookup

I’m not sure if this needs to be here, or in wildduck-haraka (or even Haraka itself!). Sorry. I may have even just missed the correct config file.

For info: I am using Wildduck-dockerized (but via podman) if that flags anything up.

First of all - great job on Wildduck, it’s fantastic and I like it a lot!

However, I’ve noticed I am able to send FROM myself, TO myself (and any other internal email address) using an unauthenticated SMTP connection. This only affects internal email accounts, i.e. I cannot send FROM myself TO any external address using the same method.

For example:

> telnet my.mail.server 25
220 my.mail.server ESMTP WildDuck MX
> helo my.mail.server
250 my.mail.server Hello my.location.rDNS [my.ip.addr.ess]Haraka is at your service.
> mail from: my@emailaddress.com
250 sender <my@emailaddress.com> OK
> rcpt to: my@emailaddress.com
250 recipient <my@emailaddress.com> OK
> data
354 go ahead, make my day
> subject: test email
> body content of email
> some more text
> etc.
> and so on
> etc.
> ending with a single dot
> .
250 Message processed (me-ss-age-id)

And the message arrives - no problem at all. I’ve also tested on another Wildduck server I have access to (but don’t manage) and the same is true there. It seems to me Haraka/Wildduck is not performing SPF lookups on incoming emails correctly, as ultimately, legitimate emails sent FROM a Wildduck email address should not be handled via Haraka anyway and should be handled internally via ZoneMTA and Wildduck itself - I could be mistaken though.

Also, I’ve just noticed I can perform exactly the same process FROM any email address I desire as long as the internal address exists - which is something SPF is supposed to prevent.

So, I’m thinking I’m missing something. I believe Haraka and Wildduck are both very decent mail handling services so I must have missed some configuration somewhere. Can anyone help?

P.S. I’m experienced in configuring DNS, and the records are set up correctly. I also manage many other non-Wildduck mail servers which do not experience this problem.

Issue Analytics

  • State: open
  • Created 2 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

louis-lau commented, Dec 17, 2021 (1 reaction)

> In no way do I think it needs to change, sorry if it came across like that

It didn’t haha, no worries.

> thanks for all the information you have sent

Glad it’s useful!

> stop being lazy

I know that feeling…

pswilde commented, Dec 22, 2021 (0 reactions)

Just in case anyone comes across this as a similar “issue” in the future - as I expected, Wildduck is working perfectly fine and was checking things appropriately. The issue, for me, was that as I was using Wildduck-dockerised in a rootless podman container, via HAProxy (and then subsequently Traefik to test an alternative) - the proxied connecting/client IP address was being understood as either 127.0.0.1 or 10.0.2.100, dependent on if I’m sending the PROXY command (send-proxy in HAProxy, proxyProtocol: version: 1 for Traefik) or not. Both those IP addresses are effectively localhost for rootless containers in my set up.

So, for me, I fixed it by configuring the Traefik container to use host networking mode (--net host) and to send the PROXY command. I also needed to create a haproxy_hosts file within the Haraka config directory and enter the 10.0.2.100 into it (rootless podman network IP). The connecting client IP is now being understood as the correct public IP, and if I try to send again using a spoof email address, rspamd checks the email and gives me a 451 4.7.1 Try again later error - which is exactly what I want to see.

So, ultimately it’s down to me using rootless Podman rather than Docker and shooting myself in the foot a little bit, but sorted now and quite happy!
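
The resolution above turns on which address the mail server takes as the SMTP client when a proxy sits in front of it. The following JavaScript is an added example, not code from WildDuck, Haraka or the commenter: it parses a PROXY protocol v1 `TCP4` line, accepts it only from a listed proxy, and flags a loopback or private result like the 127.0.0.1 and 10.0.2.100 values described in the comment. Function names are hypothetical, rejecting a PROXY line from an unlisted peer is this example's assumed policy, and all sample addresses are constructed.

```javascript
// Added example; function names are hypothetical and all addresses are constructed.

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if invalid.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip is inside cidr; a bare address is treated as a /32.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

const NON_PUBLIC = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];

// peerIp: TCP peer; firstLine: first line read from the socket;
// trustedProxies: the kind of entries the comment puts in haproxy_hosts.
function resolveClientIp(peerIp, firstLine, trustedProxies) {
  const line = firstLine.replace(/\r?\n$/, '');
  const m = /^PROXY TCP4 (\S+) \S+ \d{1,5} \d{1,5}$/.exec(line);
  let ip = peerIp;
  let source = 'socket';
  if (m) {
    // Assumed policy for this example: only listed proxies may assert a client IP.
    if (!trustedProxies.some((c) => inCidr(peerIp, c))) {
      return { ip: null, source: 'rejected', warn: 'PROXY header from untrusted peer' };
    }
    if (ipv4ToInt(m[1]) === null) {
      return { ip: null, source: 'rejected', warn: 'malformed PROXY source address' };
    }
    ip = m[1];
    source = 'proxy-header';
  }
  // A loopback/private client IP means IP-based sender checks see the proxy hop.
  const internal = NON_PUBLIC.some((c) => inCidr(ip, c));
  return { ip, source, warn: internal ? 'client IP is loopback/private' : null };
}
```

Calling `resolveClientIp('10.0.2.100', 'HELO client.example\r\n', ['10.0.2.100'])` returns the proxy's own address with a warning, which is the state the issue started in; the same peer sending a PROXY line yields the public source address with no warning.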
