No usable MXs when sending to IPv6-only domain #631
Description
Describe the bug
Hi, I set up a maddy instance in a podman container. Everything looks good so far. When I test my server with https://email-security-scans.org/, it always fails with IPv6 test. I believe I have setup IPv6 access properly.
One of the failed email addresses is [email protected]. Relevent logs:
[debug] remote: trying {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","remote_server":"mail-v6.measurement.email-security-scans.org."}
[debug] mx_auth.mtasts: MTA-STS error {"err":"mtasts: no policy"}
remote: cannot use MX {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","reason":"no address associated with the host","remote_server":"mail-v6.measurement.email-security-scans.org.","tls_err":null}
And I can confirm that the container can resolve and connect to the v6-only MX server:
$ sudo podman exec maddy nslookup -type=MX v6-mail.measurement.email-security-scans.org
Server: 185.12.64.1
Address: 185.12.64.1:53
Non-authoritative answer:
v6-mail.measurement.email-security-scans.org mail exchanger = 10 mail-v6.measurement.email-security-scans.org
$ sudo podman exec maddy nslookup -type=AAAA mail-v6.measurement.email-security-scans.org
Server: 185.12.64.1
Address: 185.12.64.1:53
Non-authoritative answer:
Name: mail-v6.measurement.email-security-scans.org
Address: 2a06:d1c0:dead:3::86
$ sudo podman exec maddy nc 2a06:d1c0:dead:3::86 25
220 mail.measurement.email-security-scans.org ESMTP Postfix
Steps to reproduce
Send an email to [email protected]. It will fail.
Log files
With debug yes, IP/domain names redacted:
submission: incoming message {"msg_id":"045b14e1","sender":"[email protected]","src_host":"[192.168.31.119]","src_ip":"XXX.XXX.XXX.XXX:57870","username":"[email protected]"}
[debug] smtp/pipeline: sender [email protected] matched by domain rule 'mydomain.com' {"msg_id":"045b14e1"}
[debug] smtp/pipeline: initializing state for check.authorize_sender: (0x400013b080) {"msg_id":"045b14e1"}
[debug] normalized names {"auth":"[email protected]","from":"[email protected]","msg_id":"045b14e1"}
[debug] authorized emails {"msg_id":"045b14e1","ok":true,"preparedEmail":["[email protected]"]}
[debug] smtp/pipeline: global rcpt modifiers: [email protected] => [[email protected]] {"msg_id":"045b14e1"}
[debug] smtp/pipeline: per-source rcpt modifiers: [email protected] => [[email protected]] {"msg_id":"045b14e1"}
[debug] smtp/pipeline: recipient [email protected] matched by default rule (clean = [email protected]) {"msg_id":"045b14e1"}
[debug] smtp/pipeline: per-rcpt modifiers: [email protected] => [[email protected]] {"msg_id":"045b14e1"}
[debug] smtp/pipeline: tgt.Start([email protected]) ok, target = queue:remote_queue {"msg_id":"045b14e1"}
submission: RCPT ok {"msg_id":"045b14e1","rcpt":"[email protected]"}
[debug] autobuffer: keeping the message in RAM (read 13 bytes, got EOF)
[debug] normalized names {"auth":"[email protected]","from":"[email protected]","msg_id":"045b14e1"}
[debug] authorized emails {"msg_id":"045b14e1","ok":true,"preparedEmail":["[email protected]"]}
[debug] modify.dkim: signed {"domain":"mydomain.com"}
[debug] smtp/pipeline: delivery.Body ok, Delivery object = *msgpipeline.delivery {"msg_id":"045b14e1"}
submission: accepted {"msg_id":"045b14e1"}
[debug] queue: starting delivery for 045b14e1
[debug] queue: waiting on delivery semaphore for 045b14e1
[debug] queue: delivery semaphore acquired for 045b14e1
[debug] queue: using message ID = 045b14e1-651e2d3a {"msg_id":"045b14e1"}
[debug] queue: target.Start OK {"msg_id":"045b14e1"}
[debug] remote: opening new connection {"cache_ignored":false,"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a"}
[debug] submission: reset
[debug] mx_auth.mtasts: MTA-STS error {"err":"mtasts: no policy","msg_id":"045b14e1-651e2d3a"}
[debug] remote: trying {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","remote_server":"mail-v6.measurement.email-security-scans.org."}
[debug] mx_auth.mtasts: MTA-STS error {"err":"mtasts: no policy"}
remote: cannot use MX {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1-651e2d3a","reason":"no address associated with the host","remote_server":"mail-v6.measurement.email-security-scans.org.","tls_err":null}
[debug] queue: delivery.AddRcpt [email protected] failed: no address associated with the host {"msg_id":"045b14e1"}
[debug] queue: delivery.Abort (no accepted receipients) {"msg_id":"045b14e1"}
[debug] queue: errors: map[[email protected]:no address associated with the host] {"msg_id":"045b14e1"}
queue: delivery attempt failed {"domain":"v6-mail.measurement.email-security-scans.org","msg_id":"045b14e1","rcpt":"[email protected]","reason":"no address associated with the host","smtp_code":451,"smtp_enchcode":"5.4.0","smtp_msg":"No usable MXs, last err: no address associated with the host","target":"remote","tls_err":null}
[debug] queue: delay: 15m0s * 1.25 ^ (1 - 1) {"msg_id":"045b14e1"}
queue: will retry {"attempts_count":{"[email protected]":1},"msg_id":"045b14e1","next_try_delay":"14m59.999962199s","rcpts":["[email protected]"]}
[debug] imapsql: sending external update {"key":2,"type":0}
Configuration file
Almost the default one:
## Maddy Mail Server - default configuration file (2022-06-18)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddy subcommands.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.
# ----------------------------------------------------------------------------
# Base variables
$(hostname) = mx.mydomain.com
$(primary_domain) = mydomain.com
$(local_domains) = $(primary_domain)
tls file /certs/fullchain.pem /certs/privkey.pem
debug yes
# ----------------------------------------------------------------------------
# Local storage & authentication
# pass_table provides local hashed passwords storage for authentication of
# users. It can be configured to use any "table" module, in default
# configuration a table in SQLite DB is used.
# Table can be replaced to use e.g. a file for passwords. Or pass_table module
# can be replaced altogether to use some external source of credentials (e.g.
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddy creds' command.
auth.pass_table local_authdb {
table sql_table {
driver sqlite3
dsn credentials.db
table_name passwords
}
}
# imapsql module stores all indexes and metadata necessary for IMAP using a
# relational database. It is used by IMAP endpoint for mailbox access and
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddy.
storage.imapsql local_mailboxes {
driver sqlite3
dsn imapsql.db
}
# ----------------------------------------------------------------------------
# SMTP endpoints + message routing
hostname $(hostname)
table.chain local_rewrites {
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
optional_step static {
entry postmaster postmaster@$(primary_domain)
}
optional_step file /data/aliases
}
msgpipeline local_routing {
# Insert handling for special-purpose local domains here.
# e.g.
# destination lists.example.org {
# deliver_to lmtp tcp://127.0.0.1:8024
# }
destination postmaster $(local_domains) {
modify {
replace_rcpt &local_rewrites
}
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
smtp tcp://[::]:25 {
limits {
# Up to 20 msgs/sec across max. 10 SMTP connections.
all rate 20 1s
all concurrency 10
}
dmarc yes
check {
require_mx_record
dkim
spf
}
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
default_source {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
}
submission tcp://[::]:587 {
limits {
# Up to 50 msgs/sec across any amount of SMTP connections.
all rate 50 1s
}
auth &local_authdb
source $(local_domains) {
check {
authorize_sender {
prepare_email &local_rewrites
user_to_email identity
}
}
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
modify {
dkim $(primary_domain) $(local_domains) default
}
deliver_to &remote_queue
}
}
default_source {
reject 501 5.1.8 "Non-local sender domain"
}
}
target.remote outbound_delivery {
limits {
# Up to 20 msgs/sec across max. 10 SMTP connections
# for each recipient domain.
destination rate 20 1s
destination concurrency 10
}
mx_auth {
dane
mtasts {
cache fs
fs_dir mtasts_cache/
}
local_policy {
min_tls_level encrypted
min_mx_level none
}
}
}
target.queue remote_queue {
target &outbound_delivery
autogenerated_msg_domain $(primary_domain)
bounce {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
}
}
}
# ----------------------------------------------------------------------------
# IMAP endpoints
imap tls://[::]:993 {
auth &local_authdb
storage &local_mailboxes
}
Environment information
- maddy version: 0.7
Running in a podman container. Full command:
podman run
--rm \
-d \
--replace \
--name maddy \
--security-opt label=type:unconfined_t \
-e MADDY_HOSTNAME=mx.mydomain.com \
-e MADDY_DOMAIN=mydomain.com \
-v /srv/pods/maddy/data:/data \
-v /etc/letsencrypt/live/mx.mydomain.comfullchain.pem:/certs/fullchain.pem:ro \
-v /etc/letsencrypt/live/mx.mydomain.com/privkey.pem:/certs/privkey.pem:ro \
--net=dualstack \
-p 25:25 \
-p 587:587 \
-p 993:993 \
foxcpp/maddy:0.7
The network dualstack is created with:
$ podman network create --disable-dns --driver=bridge --ipv6 dualstack