@polarathene What I'm wondering about is if it should be filed under Examples -> Use cases`` instead of Configuration -> Tips?

What I'm wondering about is if it should be filed under Examples -> Use cases`` instead of Configuration -> Tips?

Yes, I think this is more niche. It would be better added to our Example docs for now. The config section of our docs is already quite big.

Please move the file and choose a smaller title like "Binding to a specific network". It's possible for DMS to have more than one network attached without using host network mode too, so the advice can still be helpful there.

Thanks for taking the time to contribute to DMS! It's very much appreciated 😁

This is rather a very specific and special setup, because I host several things at one node with multiple IP addresses.

Be free to to squash your commits and amend while insert your-self with Co-authored-by: NAME <[email protected]> in the bottom of the commit message @polarathene .

Postfix is configured in DMS to deliver incoming mail and use a content_filter to forward mails with SMTP protocol to the smtp-amavis for scanning. This again is delivered back to postfix again on :10025 via localhost for further processing.

That said smtp_bind_address + smtp_bind_address6 could possibly be set in postfix-master.cf to target the smtp service specifically, instead of Amavis (and anything else that may be affected at some point/configuration), if it's only a relevant setting for the smtp service (outbound mail)?:

This is basically what I'm doing with the custom postfix-master.cf for smtp traffic targeting amavis. (which is used by the content_filter.) See docker exec mailserver postconf -P .

The default DMS configuration for postfix-master.cf could probably contain this default binding to localhost (smtp-amavis/unix/smtp_bind_address = 127.0.0.1), as long as the setup doesn't change where amavis runs on another node (for scaling, ie requires multiple instances of amavis) and postfix requires to communicate with it by non-loopback. However, those who need that and uses DMS, probably know how to update these configuration by using the possibilities of overriding the main and master configs.

I'll wrap up this PR and merge it, although your feedback on advice below would be good to hear first :)

This is rather a very specific and special setup, because I host several things at one node with multiple IP addresses.

Is there any reason you use host mode networking for DMS btw? If you want to target a specific interface, I believe you can specify that beside the port mapping in compose.yaml and it will bind only to that IP on the host. Presumably that would also restrict the interface used if the others are not needed in DMS.

If you could test that and let me know that'd be appreciated, we could add it in the docs page too.

However, those who need that and uses DMS, probably know how to update these configuration by using the possibilities of overriding the main and master configs.

Yes, and DMS isn't really maintained for internal services to be scaled out individually (although we do provide a means to disable/enable many of them specifically).

If smtp_bind_address was not already inherited, the smtp-amavis service could just set inet_interfaces=loopback-only I believe. Looking back on master.cf, on the right-most column is the process that will run, while on the left-most is the service definition (named unix socket or inet port); it'd probably be valid to set smtp_bind_address on the smtp inet service with smtp-amavis/unix/smtp_bind_address = your_ip_here, assuming no other service needs the change (every other service in master.cf would inherit the main.cf default smtp_bind_address (empty) then AFAIK):

smtp/inet/smtp_bind_address = 198.51.100.10
smtp/inet/smtp_bind_address6 = 2001:DB8::10

No smtp-amavis (postfix-master.cf) or postfix-main.cf changes would be required if the above works.

As smtp-amavis is for internal use in DMS (and planned to eventually be replaced by rspamd AFAIK), I'm happy to upstream the smtp_bind_address=127.0.0.1 + smtp_bind_address6=::1 settings to the amavis config in postfix-amavis.cf.

I'll wrap up this PR and merge it, although your feedback on advice below would be good to hear first :)

This is rather a very specific and special setup, because I host several things at one node with multiple IP addresses.

Is there any reason you use host mode networking for DMS btw? If you want to target a specific interface, I believe you can specify that beside the port mapping in compose.yaml and it will bind only to that IP on the host. Presumably that would also restrict the interface used if the others are not needed in DMS.

If you could test that and let me know that'd be appreciated, we could add it in the docs page too.

I only ended up with host networking due to gmail rejecting emails with spf failures, and then I looked into why it was rejecting. I didn't notice right away that outbound smtp connections randomly bound to the "first" random IP address on the interface.

I started a new job this week, but I can probably test during the weekend if time allows it by temporarying adding a server and configure a domain for testing in https://github.com/norrs/ansible/tree/main/playbooks/mailserver .

As smtp-amavis is for internal use in DMS (and planned to eventually be replaced by rspamd AFAIK), I'm happy to upstream the smtp_bind_address=127.0.0.1 + smtp_bind_address6=::1 settings to the amavis config in postfix-amavis.cf.

I believe those changes should work without issues, even in non host-mode in docker networking. Unsure what happens if you try to configure IPv6 binding and your system doesn't have IPv6 enabled tho..

Also IPv6 in docker probably needs to be configured like mentioned here ( https://docs.docker.com/config/daemon/ipv6/ ), which I actually haven't done myself .. 😨

Which I guess is also why I went direct to networking host-mode in the first place 🙃

I started a new job this week, but I can probably test during the weekend if time allows it by temporarying adding a server and configure a domain for testing

Congrats on the new role! 🎉

No rush. If you can find the time to test and get back to me (in this PR is fine, even if it's closed), that'd be appreciated 👍

Also IPv6 in docker probably needs to be configured like mentioned here ( https://docs.docker.com/config/daemon/ipv6/ ), which I actually haven't done myself .. 😨

Which I guess is also why I went direct to networking host-mode in the first place 🙃

I recently rewrote our IPv6 docs, until v13 is released you can only see them in the edge versioned docs: https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/ipv6/

I also contributed to the updated upstream Docker IPv6 docs you linked, as prior they were not very good. I'd advise giving our IPv6 docs a good look.

If you have a more advanced IPv6 setup where ULA is not appropriate for you, you'll find some extra tips linked to the IPv6 docs rewrite PR, as I didn't have the time to figure all that out and document it properly. IPv6 ULA should meet most users needs very well though (just specify the IPv6 address on host to bind the containers internal ULA address to).

For the record:

@polarathene I have not forgotten about this, but I havent had any free time the last weeks. Maybe I find some wriggle room next week or early october.

As I plan to test #3465 (comment) this in regards of networking: bridge mode

@norrs can you please resume working on this? I am trying to "clean" up old PRs because I know from experience that PRs like this tend to fade and rot 🙈

I removed the label for the stale-bot; this PR has approximately 3 more weeks until it is labelled as stale.

I'll do a review pass over this again sometime this week. If it's worthwhile to me then, I'll wrap this PR up and merge, otherwise will reject.

👍🏼 Please close if you come to the conclusion that this may not be worthwhile :)

Documentation preview for this PR is ready! 🎉

Built with commit: ff7bcee

A huge thanks @polarathene , I never managed to follow this up in a timely manner and I apology for this. In the end, the suggested changes and extra work you put into it made it even better 💜

Next challenge, able to solve this with a non host networking mode as mentioned in #3465 (comment) ? 🤔
Maybe I brew something together one day 😅

Next challenge, able to solve this with a non host networking mode as mentioned in #3465 (comment) ? 🤔

Just letting you know we received a contribution recently that resolves that concern: #4330