Need help configuring Mailserver as Relay

[tedstriker]

Hello,

I'm trying to use the mail server as a relay for outgoing mail for my domain. But unfortunately I can't get it to work, because
I couldn't find the - what I think - necessary configuration attributes in form of environment variables, config files, etc. if they exist.

Environment

The container with the "to be relay mail server" runs on a hosted server with a fixed IP. Lets call it external mail server for better distinction.
It will receive Mails from *@myowndomain.com from an internal mail server, where all accounts and aliases are configured.

So the flow would be: my email -> internal mail server -> external mail server -> destination mail server

Goals

Here's what I'm trying to achieve

• I want the internal mail server to forward all outgoing mail to the external mail server
  I know how to configure it, so that's already possible
• The DMS should reject unencrypted (non-TLS) connections. Maybe it can be enforced on port 25 as well.
• The internal server should authenticate against the external server with a username and password when using it as relay. This user may have a mailbox, but it would not be necessary as it is not supposed to receive any email.
• The external server should only deliver mails from *@myowndomain.com to *@anyotherdomainintheworld.com.

Bonus goals

• [] If I could use the external server also to receive mail for *@myowndomain.com and forward them to the internal server.
• [] In case the internal server is unreachable, the external server stores mails until the internal server becomes reachable again.

What I got so far...

• only SMTP is running using SMTP_ONLY=1
• created a user, but no authentication is requested
• LetsEncrypt certificate is configured and can be used (confirmed with swaks)

The struggle

All the time I'm thinking "It can't be that complicated", probably it's just a few variables to be set, but for my life I can't figure out.
Is this even possible with Docker Mail Server?

Any help is appreciated
Thank you.

[polarathene]

• The DMS should reject unencrypted (non-TLS) connections. Maybe it can be enforced on port 25 as well.

Port 25 is for delivery. Mail inbound is checked against an account to deliver to, if there's a valid recipient it's accepted, otherwise it's rejected.

If this server is never meant to receive mail, don't expose port 25.

Port 587 is for StartTLS mail submission. This is what your relay should be using to authenticate against a DMS user account on the relay DMS. You configure credentials and it will relay the mail for you after successful authentication.

I believe we have port 587 configured to reject if TLS cannot be established via StartTLS. However if you want to enforce it, you should be using port 465 instead which is implicit TLS similar to HTTPS.

---

The internal server should authenticate against the external server with a username and password when using it as relay.
This user may have a mailbox, but it would not be necessary as it is not supposed to receive any email.

This is a null mail client. There are similar names for it.

We partially support this with SMTP_ONLY=1 which disables Dovecot (Mail storage), but presently there is no support for creating an account. This is similar to the relay submission mentioned above (your external MTA).

Technically if you have no use for the internal DMS for anything else, the applications that would mail it could connect to the external DMS over port 465 with credentials (either with the same username/password, or individual credentials to better isolate a compromised account).

A common setup is to have local services submit mail via DMS on port 465, and have DMS use a third-party like SendGrid as the relayhost (DMS sends outbound mail to the relayhost with credentials configured). In your description, you're using DMS as a relayhost (external MTA).

---

The external server should only deliver mails from *@myowndomain.com to *@anyotherdomainintheworld.com.

We have SPOOF_PROTECTION=1 to restrict an account from what mail they can send as. The default (SPOOF_PROTECTION=0) allows any DMS account to submit mail as anybody (including domains you don't actually have the right to send as).

You can enable SPOOF_PROTECTION=1, but you will want to relax the restriction. I think our documentation is lacking on how to do that, but it enables the smtpd_sender_login_maps Postfix setting in main.cf. There is a specific lookup table appended to that setting by the feature in addition to general alias lookup tables, but I think this was not implemented well (it's in need of a refactor, there's just a lack of time to spend on it).

We have a separate lookup table though that would be useful here, a regexp alias (pcre:/etc/postfix/regexp), this one is covered in our docs and all you need to do is add the postfix-regexp.cf to your Docker config volume (it'll be copied to that internal location during container startup). You'd have something like:

/(.*@myowndomain.com)$/ ${1}

---

If I could use the external server also to receive mail for *@myowndomain.com and forward them to the internal server.

I believe we have support for Dovecot to be set to an external instance instead. However you'd need to keep any accounts in sync between the two that it's kinda like setting up two DMS instances anyway..?

One other option might be to just have the external/public server proxy to the internal one? (inbound traffic flows from external server to internal DMS, and outbound traffic for internal DMS flows through external server)

---

In case the internal server is unreachable, the external server stores mails until the internal server becomes reachable again.

Ok, so this is really about the DMS instance on the external server being your primary instance, with DNS records to direct mail to it from that domain.

The internal instance could instead sync / pull mail from that external instance, or perhaps via aliases forward it to an internal non-public domain?

I think in that instance, it may have Postfix try to send the mail from external DMS to internal DMS, and when not reachable, it'll be kept in a queue to try again with exponential backoff.

---

created a user, but no authentication is requested

Oh alright, you already went with SMTP_ONLY=1. Like mentioned above, this is not quite full-featured, the contributor didn't document it well.

You can use LDAP or look through related issues on the feature for how other users were manually setting up a user account.

---

Is this even possible with Docker Mail Server?

I don't think I see this setup discussed often.

But a null mail client instance yes. A relayhost instance yes. The other concerns perhaps are just approaching it the wrong way?

[dfoxg]

@tedstriker did your setup now works? Would you like to share your configs? I want to have the same setup (home mailserver behind a dynamic ip already receives all my mails - now i want to use my other, external mailserver with a static ip for sending my private mails).

[dfoxg]

Just tested it, works like charm.

[polarathene]

Does it still work like a charm if you run that from within the local DMS container?

If so then perhaps review your relay config? Two separate DMS instances were configured to work correctly with relay host config (really lengthy discussion, but some config snippets can be useful).

These settings should be set:

/etc/postfix/sasl_passwd should contain your credentials to login to remote DMS for relaying.

docker-mailserver/target/scripts/helpers/relay.sh

Lines 94 to 101 in a815bf5

	# Enable credential lookup + SASL authentication to relayhost:
	# - `noanonymous` enforces authentication requirement
	# - `encrypt` enforces requirement for a secure connection (prevents sending credentials over cleartext, aka mandatory TLS)
	postconf \
	'smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd' \
	'smtp_sasl_auth_enable = yes' \
	'smtp_sasl_security_options = noanonymous' \
	'smtp_tls_security_level = encrypt'

/etc/postfix/relayhost_map should contain your remote DMS and port 587 to login:

docker-mailserver/target/scripts/helpers/relay.sh

Line 133 in a815bf5

postconf 'sender_dependent_relayhost_maps = texthash:/etc/postfix/relayhost_map'

Or since you're using DEFAULT_RELAY_HOST ENV, you should be relying on this main.cf setting being configured correctly with your remote DMS + port configured:

docker-mailserver/target/scripts/helpers/relay.sh

Lines 180 to 183 in a815bf5

	if [[ -n ${DEFAULT_RELAY_HOST} ]]; then
	_log 'trace' "Setting default relay host ${DEFAULT_RELAY_HOST}"
	postconf "relayhost = ${DEFAULT_RELAY_HOST}"
	fi

---

The v14 / edge docs for relayhost feature summarizes the settings managed by the feature here:

If you disable any relay host ENV configuration, you can add that via our postfix-main.cf override support, this should be all you need:

# Send all outbound mail through this relay service:
relayhost = [remote-dms.example.com]:587

# Remote DMS account credentials (static table type): `<username> : <password>`
smtp_sasl_password_maps = static:john.doe@relay-service.com:secret

smtp_sasl_auth_enable = yes
# These two require all outbound mail to be via the relay (which is what the `relayhost` setting above does):
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

Remember to use docker compose up --force-recreate when "restarting" to properly apply config changes.

[dfoxg]

I just found my problem.. /etc/postfix/sasl_passwd contained a invalid entry, probability from my testing which I didnt cleaned up.. so there was:

@<my local domain> <invalid-user>:<invalid-password>
mail.<my remote domain>:587    <valid email>:<valid password>

So docker mailserver was using the wrong credentials the whole time :( Sorry for wasting your time with that :/

But just an idea, so that another one isnt running in the same problem: Currently the setup relay command only allows adding some entrys, but not viewing/removing entrys. Probably it would be great to have a setup relay view-command of something like that?

PS: I just sponsored the project, thanks for your incredible help!

[polarathene]

Sorry for wasting your time with that :/

No worries, got there in the end! Glad it wasn't a new bug :)

Currently the setup relay command only allows adding some entries, but not viewing/removing entries. Probably it would be great to have a setup relay view-command of something like that?

There's a related issue for that already I think. The feature needs to be refactored first, something like that could follow afterwards 👍

---

PS: I just sponsored the project, thanks for your incredible help!

Awesome, thanks! @georglauterbach will appreciate the support to keep the project going 😁 (I don't take sponsorship as I plan to step down from my maintainer role in future)

[georglauterbach]

Very much appreciated, thanks!