Comments (27)

Angatar commented on July 19, 2024

Hi there,

This container is used in production with many deployments and no exim error of this type was reported.
It sounds like it might be a DNS configuration problem: did you correctly set the DNS records (A, PTR & MX are mandatory) for the subdomain you want to use to send emails, i.e. lists.mydomain.hu, pointing to the server from which you deploy your docker-compose (or to the load-balancer/reverse-proxy you are using)? Cf. https://github.com/Angatar/mailman2#dns-configuration
You should take a look at your SPF record too if you have defined it.

NB: HOSTNAME and DOMAINNAME are not environment variables handled by this container, so you can remove them from your environment file ... the domain name is set by using URL_HOST for the web server part and EMAIL_HOST for the email server.

Hope this helps.

from mailman2.

Angatar commented on July 19, 2024

BTW, it might also be an issue with the definition of the hostname inside the container.
The docker commands suggested were not tested in production: the reported working productions are usually deployed with K8s, where we declare the email server hostname in additional points, cf. https://github.com/Angatar/mailman2/blob/master/k8s/deployment.yaml

Could you try to enter your deployed d3fk/mailman container and inspect whether the hostname is correctly set to lists.mydomain.hu for 127.0.0.1 and for the container IP?
If that is not the case, this might be fixed by the docker run options --domainname and --hostname. These options should have an equivalent with docker-compose version 3.
In case this fixes your deployment, I'll update the README file accordingly.

from mailman2.

Angatar commented on July 19, 2024

Could you confirm that using the docker --hostname option set to lists.mydomain.hu simply fixes your sending error?

$ docker run --rm -d --name mailman \
             --hostname lists.mydomain.hu \
             -p 443:443 -p 25:25 -p 465:465 -p 587:587 \
             -e URL_HOST=lists.mydomain.hu \
             -e EMAIL_HOST=lists.mydomain.hu \
             -e [email protected] \
             -e MASTER_PASSWORD="supersecretpassword" \
             -e URL_ROOT="" \
             -e URL_PATTERN="https" \
             -e SSL_FROM_CONTAINER="true" \
             -e SSL_SELFSIGNED="no" \
             -v apachelogs:/var/log/apache2 \
             -v $(pwd)/lists:/var/lib/mailman/lists \
             -v $(pwd)/dkimcert:/etc/exim4/tls.d \
             -v PATH/customcert.pem:/etc/ssl/certs/ssl-cert-snakeoil.pem \
             -v PATH/customcertkey.key:/etc/ssl/private/ssl-cert-snakeoil.key \
             d3fk/mailman2

This should at least make Exim set its primary_hostname variable to lists.mydomain.hu. I guess that if the primary_hostname perfectly matches the qualify_domain & the qualify_recipient, there is no longer any reason for it to think it is a relay.

You can check the values of these specific Exim variables in the container by using the following command:

$ docker exec -ti mailman exim -bP primary_hostname qualify_domain qualify_recipient

Waiting for your feedback before changing the README file.

from mailman2.

vadonka commented on July 19, 2024

Hi!
Thanks for the answer!
The hostname is fine: hostname --fqdn gives me the fully qualified hostname, and the primary_hostname and qualify_recipient are also the server FQDN. I don't have any SPF record since there is no MX record. This is a standalone host and there is nothing else behind it, just the mailman server, so the 'A' record just points to the mailman server. I currently use it in a VMware VM environment with mailman2 too. That is what I want to migrate to docker. I changed the router NAT rules to point to the docker, and I can telnet to the exim port, but since there is no MX or SPF record, could this be the issue? The old server uses postfix and that did not check the MX or the SPF.

from mailman2.

Angatar commented on July 19, 2024

MX and PTR DNS records are essential: the MX record simply specifies the mail server responsible for accepting email messages on behalf of your subdomain name, while the PTR record is used by recipients' email servers for a reverse DNS lookup.

If there is no SPF then SPF is not an issue: a correctly set SPF record would simply tell all recipients which email servers have the right to send emails using the subdomain you selected for your mailing list server (preventing others from usurping your list identity): lists.mydomain.hu

In your case the command

$ docker exec -ti mailman exim -bP primary_hostname qualify_domain qualify_recipient

should return

primary_hostname = lists.mydomain.hu
qualify_domain = lists.mydomain.hu
qualify_recipient = lists.mydomain.hu

from mailman2.

vadonka commented on July 19, 2024

Yes, that is what I get. I created a DNS entry for the subdomain with the MX record. The PTR record is fine; we have 3 full class C subnets, and every IP has a PTR record.
It looks like this:
The lists.mydomain.hu 'A' record points to the server IP address.
The server IP address PTR record is like this: ptr123.mydomain.hu (where 123 is the last part of the IP address).
ptr123.mydomain.hu has an 'A' record which points to the server IP too.
Do I need to change this so that the PTR record is lists.mydomain.hu too? Or is this not important?

from mailman2.

Angatar commented on July 19, 2024

To make the PTR record work for the benefit of your email list server it should definitely be lists.mydomain.hu too.

If you still receive the mailman bounce errors after that, could you check that you can send an email directly from Exim to one of your valid email addresses with the following command:

$ docker exec -ti mailman exim -v [email protected]

Wait a few seconds for the empty prompt, then enter the following lines:

From: [email protected]
Subject: Test mail
Simple test message

Finally, send your test email by pressing Ctrl+D; you should see the details about the SMTP connection, which might help you for debugging purposes.

from mailman2.

vadonka commented on July 19, 2024

This is strange. With this method exim itself can send the message:
2020-06-25 09:18:58 1joO1Y-0001LU-5W => [email protected] R=dnslookup T=remote_smtp H=mx1.mydomain.hu [IPaddress] X=TLS1.2:RSA_AES_256_GCM_SHA384:256 CV=no DN="C=hu,ST=HU,L=Debrecen,O=TTRE,OU=IT,CN=mx1.mydomain.hu,EMAIL=[email protected]" C="250 OK id=1joO26-0000D5-0B"
2020-06-25 09:18:58 1joO1Y-0001LU-5W Completed

And I got the email from the [email protected]. But when I add myself to mylist and mailman tries to send a welcome email, the exim log says: relay not permitted.
I don't get it :)

from mailman2.

vadonka commented on July 19, 2024

This is the exact error:
2020-06-25 09:23:23 H=ttre_mailman.ipvlan1009 (lista.mydomain.hu) [IPAddress] F=[email protected] rejected RCPT [email protected]: relay not permitted

from mailman2.

Angatar commented on July 19, 2024

So the problem probably comes from the mailman configuration file and not from exim ... a quick look on the web shows that the /etc/hosts file content might be involved in this mailman error, especially if you are using IPv6.

from mailman2.

vadonka commented on July 19, 2024

The container hosts file looks like this:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.9.251 lista.mydomain.hu lista

Looks OK, the mailman config uses the lista.mydomain.hu hostname too. I'm really out of ideas here. I need to dig in more. But thanks for the help :)

from mailman2.

Angatar commented on July 19, 2024

Maybe you could have a look at the reasons that made "ttre_mailman.ipvlan1009" appear as your server hostname in the error log.

from mailman2.

vadonka commented on July 19, 2024

ttre_mailman is the container name, and the network uses ipvlan with VLAN tag 1009. But you can see the real hostname is there between the brackets, and I already tried with the standard docker bridge; it's not helping. I don't think this is the problem, since exim itself can send the email. There is something between mailman and exim. I haven't figured it out yet.

from mailman2.

Angatar commented on July 19, 2024

Yep, of course ... I was just suggesting that mailman might understand ttre_mailman.ipvlan1009 as the hostname and tell exim to use this as the hostname, which might be understood by exim as a request for a relay since it is different from the authorized hostname "lista.mydomain.hu", which is between the brackets and might be considered as an alias. That could explain a difference of behavior between the 2 sending methods (mailman sending email with exim and you sending email with the exim command line).
Did you find ttre_mailman.ipvlan1009 in the source of the test email you sent directly from Exim?
Did you try to deploy the container using a simple docker run with the --hostname option (this would make it closer to the way we deploy with k8s in production)?

from mailman2.

vadonka commented on July 19, 2024

I created it with the standard docker run and with the --hostname. The result is the same.

2020-06-25 13:29:05 H=lista.mydomain.hu (lista.mydomain.hu) [172.21.0.2] F=[email protected] rejected RCPT [email protected]: relay not permitted
2020-06-25 13:29:05 H=lista.mydomain.hu (lista.mydomain.hu) [172.21.0.2] F=[email protected] rejected RCPT [email protected]: relay not permitted

But if I send an email manually, it works.

from mailman2.

vadonka commented on July 19, 2024

I found something.
This option:
hostlist relay_from_hosts = MAIN_RELAY_NETS
And this:
MAIN_RELAY_NETS=: 127.0.0.1 : ::::1

I put lista.mydomain.hu into MAIN_RELAY_NETS, and it's working now. It's resolved to the docker interface IP.

from mailman2.

vadonka commented on July 19, 2024

To make it permanent I did this:
root@lista:/etc/exim4# cat update-exim4.conf.conf | grep dc_relay_nets
dc_relay_nets='lista.mydomain.hu'
root@lista:/etc/exim4#

And ran /usr/sbin/update-exim4.conf

from mailman2.

Angatar commented on July 19, 2024

> I created it with the standard docker run and with the --hostname. The result is the same.
>
> 2020-06-25 13:29:05 H=lista.mydomain.hu (lista.mydomain.hu) [172.21.0.2] F=[email protected] rejected RCPT [email protected]: relay not permitted
> 2020-06-25 13:29:05 H=lista.mydomain.hu (lista.mydomain.hu) [172.21.0.2] F=[email protected] rejected RCPT [email protected]: relay not permitted
>
> But if I send an email manually, it works.

OK, still stuck with this error, but now the container name/network doesn't appear anymore in the error; you only have the authorized subdomain here... but with a local IP. I think it is a good move to use the --hostname option.
Did you check the header of the received email for the hostname and IP?

from mailman2.

Angatar commented on July 19, 2024

So it is working if you accept your domain as a relay....
Glad that it works for now.... but I don't think it is the right way to fix it permanently.
Your fully qualified declared domain should not be considered as a relay.
I think it has to be fixed with mailman configuration or environment variables; since Exim was working before, it doesn't need to be fixed by a configuration change.

from mailman2.

vadonka commented on July 19, 2024

Relay_nets only has 127.0.0.1 and the IPv6 equivalent. I think mailman uses the docker bridge interface address with the hostname, which is not accepted, so if I'm not authenticated with a login I can't send. At least postfix works like that. I'm not using my list domain as a relay domain but my list domain's IP address as a relay net. This is different from what you say, and it is a specific IP address, not a whole network. This is how postfix works. I don't know why exim works otherwise; exim+debian is always a weirdo... Anyway, it's working like this; I just need to figure out how I can put my EMAIL_HOST into the dc_relay_nets. I don't know what could be wrong with mailman. My test list is a newly created empty list with the default options. It should work. I haven't imported my old mailman server lists yet. Everything points to exim not accepting the docker bridge IF address as a relay host, since only localhost is accepted and mailman uses the bridge IF, not localhost. It seems logical.

from mailman2.

vadonka commented on July 19, 2024

Check this: https://gehrcke.de/2014/07/discourse-docker-container-send-mail-through-exim/
The Docker bridge IF address/net should be put in the dc_relay_nets in order to send email through exim.

I think the reason why your environment works is because your mailman uses the localhost IP, not the bridge IP. I don't know why mine is different.

from mailman2.

vadonka commented on July 19, 2024

Another solution:
Adjust the container hosts file to resolve the lists hostname to 127.0.0.1 too. Like this, exim accepts the email without modification. Nobody ran into this, just me? :)
It's resolved, thanks for the help!

from mailman2.

vadonka commented on July 19, 2024

Used the extra_hosts param in the composer yaml file and put the "${EMAIL_HOST}:127.0.0.1" into that, and it works like a charm. No need to adjust the exim config or anything else :)

from mailman2.

Angatar commented on July 19, 2024

I prefer this second solution, which makes more sense to me ... And was mentioned in my second post ;)

> Could you try to enter your deployed d3fk/mailman container and inspect whether the hostname is correctly set to lists.mydomain.hu for 127.0.0.1 and for the container IP?

The deployment with k8s as described in the container description sets this hostname for 127.0.0.1, which explains the difference.

I'll update the README file with this solution for docker and docker-compose.
Thanks for your contribution!
This closes this issue.

from mailman2.

vadonka commented on July 19, 2024

Just one more thing. You need to add this into the docker run command too:
--add-host lists.example.com:127.0.0.1

where lists.example.com is the EMAIL_HOST (or use ${EMAIL_HOST})

Otherwise the email host address will point to the bridge address, which is not good.
In the composer (at the same level as the image and other things):
extra_hosts:
- "lists.example.com:127.0.0.1"

This did the same as what is in the Kubernetes YAML file.

Regards, Peter

from mailman2.

Angatar commented on July 19, 2024

Thanks Peter!
The README file has been updated.

from mailman2.

vadonka commented on July 19, 2024

Perfect! Happy to help you! :)
Stay safe!

from mailman2.
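
Added example, not part of the original thread or of the project's code: a small Python model of the check behind the "relay not permitted" lines above. It parses the MAIN_RELAY_NETS value quoted in the thread (in an Exim list a doubled colon is a literal colon) and tests the rejected client address against it; the log sample, the function names and the `hosts` map are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the rejection lines quoted in the thread.
LOG = """\
2020-06-25 13:29:05 H=lista.mydomain.hu (lista.mydomain.hu) [172.21.0.2] F=<mylist-bounces@lista.mydomain.hu> rejected RCPT <user@example.org>: relay not permitted
2020-06-25 13:31:40 1joO1Y-0001LU-5W Completed
"""
RELAY_NETS = ": 127.0.0.1 : ::::1"  # MAIN_RELAY_NETS value quoted in the thread

def parse_exim_list(value):
    """Split an Exim colon-separated list; a doubled colon is a literal ':'."""
    items, cur, i = [], "", 0
    while i < len(value):
        if value.startswith("::", i):
            cur, i = cur + ":", i + 2
        elif value[i] == ":":
            items.append(cur.strip())
            cur, i = "", i + 1
        else:
            cur, i = cur + value[i], i + 1
    items.append(cur.strip())
    # An empty host-list item only matches non-TCP local submission, so skip it.
    return [item for item in items if item]

def relay_allowed(client_ip, hostlist, hosts=None):
    """True if client_ip matches an IP, a CIDR net, or a name resolved via `hosts`.

    `hosts` is a constructed name-to-IP map standing in for DNS or /etc/hosts.
    """
    ip = ipaddress.ip_address(client_ip)
    for item in hostlist:
        target = (hosts or {}).get(item, item)
        try:
            if ip in ipaddress.ip_network(target, strict=False):
                return True
        except ValueError:
            continue  # a name that cannot be resolved offline
    return False

def rejected_clients(log_text):
    """Client IPs that Exim refused with 'relay not permitted'."""
    pat = re.compile(r"\[([0-9A-Fa-f.:]+)\] .*rejected RCPT .*relay not permitted")
    return [m.group(1) for m in map(pat.search, log_text.splitlines()) if m]

if __name__ == "__main__":
    nets = parse_exim_list(RELAY_NETS)
    for ip in rejected_clients(LOG):
        print(ip, "allowed" if relay_allowed(ip, nets) else "not in relay_from_hosts", nets)
```

With EMAIL_HOST mapped to 127.0.0.1, mailman connects from loopback, which the unchanged list already permits. Adding the hostname to dc_relay_nets instead extends relay rights to whatever address that name resolves to.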
