Installation issues regarding SMTP, Postfix, Docker and Proton Mail Bridge

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue

Hey all :slight_smile:
I'm pretty new to passbolt and also new to experimenting with my homelab.
I wanted to add Postfix (running on the host) as the SMTP host in passbolt, but I cannot get it working.

[
    {
        "cmd": null,
        "response": [
            {
                "code": "220",
                "message": "core-ctrlr ESMTP Postfix (Ubuntu)"
            }
        ]
    },
    {
        "cmd": "EHLO passbolt.MYDOMAIN.TLD",
        "response": [
            {
                "code": "250",
                "message": "core-ctrlr"
            },
            {
                "code": "250",
                "message": "PIPELINING"
            },
            {
                "code": "250",
                "message": "SIZE 10240000"
            },
            {
                "code": "250",
                "message": "VRFY"
            },
            {
                "code": "250",
                "message": "ETRN"
            },
            {
                "code": "250",
                "message": "STARTTLS"
            },
            {
                "code": "250",
                "message": "ENHANCEDSTATUSCODES"
            },
            {
                "code": "250",
                "message": "8BITMIME"
            },
            {
                "code": "250",
                "message": "DSN"
            },
            {
                "code": "250",
                "message": "SMTPUTF8"
            },
            {
                "code": "250",
                "message": "CHUNKING"
            }
        ]
    },
    {
        "cmd": "STARTTLS",
        "response": [
            {
                "code": "220",
                "message": "2.0.0 Ready to start TLS"
            }
        ]
    }
]

This is the output I'm getting from passbolt when trying to send a test mail.
Passbolt is running in a Docker container, and the SMTP host I try to reach is the host itself via 172.17.0.1 (IP from the docker0).
I configured iptables to allow all incoming requests on port 25 from my Docker networks.
In Postfix I also added the network of the passbolt-stack to my allowed networks.
Checking the postfix logs I get this output:


Since I got the same SMTP stuff working on my Keycloak Docker stack, I assume it might be a problem with my passbolt installation. From my limited knowledge I would say I either have to configure passbolt to ignore any SSL validation or change something with the self-signed certificate from the Proton Mail Bridge which is being used for Postfix.
I would really appreciate your help, and if it's not a “passbolt” problem please excuse me for not knowing :slight_smile:
If I can provide you with any more logs/config files, please let me know.
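
An added example, not part of the original post and not passbolt code: the first function reads a trace like the one above and names the step where it stopped (assuming the trace is complete, a trace that ends on the `220` reply to STARTTLS points at the TLS handshake), and the second repeats EHLO and STARTTLS with certificate verification left on so the exact verification error becomes visible. The function names are hypothetical, and `TRACE` is a constructed, shortened copy of the output in the post.

```python
import json
import smtplib
import ssl

# Constructed, shortened copy of the trace in the post (EHLO extensions trimmed).
TRACE = json.loads("""[
 {"cmd": null, "response": [{"code": "220", "message": "core-ctrlr ESMTP Postfix (Ubuntu)"}]},
 {"cmd": "EHLO passbolt.MYDOMAIN.TLD", "response": [
   {"code": "250", "message": "core-ctrlr"}, {"code": "250", "message": "STARTTLS"}]},
 {"cmd": "STARTTLS", "response": [{"code": "220", "message": "2.0.0 Ready to start TLS"}]}
]""")


def failure_stage(trace):
    """Name the step at which a passbolt-style SMTP trace stopped."""
    for step in trace:
        codes = [r["code"] for r in step["response"]]
        if any(c[0] in "45" for c in codes):  # 4xx/5xx: the server refused this step
            return "rejected: " + (step["cmd"] or "greeting")
    last = trace[-1]["cmd"] or ""
    if last.upper() == "STARTTLS":
        # Server answered 220 but nothing followed: the handshake itself failed.
        return "tls-handshake"
    return "after: " + (last.split()[0] if last else "greeting")


def probe_starttls(host, port=25, cafile=None, timeout=10):
    """Repeat EHLO + STARTTLS with certificate verification enabled.

    cafile: PEM file with the certificate the server presents (for a
    self-signed setup), or None for the system trust store.
    Returns (ok, detail).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)  # raises if the certificate is not trusted
            smtp.ehlo()
            return True, smtp.sock.version()
    except ssl.SSLCertVerificationError as exc:
        return False, f"verify error {exc.verify_code}: {exc.verify_message}"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return False, f"{type(exc).__name__}: {exc}"
```

Run from inside the container, `probe_starttls("172.17.0.1", 25)` reports why verification fails, and passing a PEM copy of the certificate Postfix presents as `cafile` checks whether trusting that one certificate is enough, without turning validation off.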

You will need to look up how to do Docker networking with the host. See the Network Drivers “host” section of the Networking overview.

There are pros and cons because incorporating the host network removes the isolated nature of the containers.

Since other containers have no problem using the Postfix, I assume it might be an issue with my installation and not specifically an error with my Docker networking.
Even exposing the Postfix to the internal network and going over that instead of trying to access it via the internal docker0 (e.g. dockerhost.local:25 via the homelab DNS instead of doing the 172.17.0.1 on the host) throws me the same error.

More info about your mail server is probably needed - like how you are using it. Only for local users? Is it publicly resolvable? Internal only? Used as a relay for outgoing only?

If you are running the mail server for internal only, the following may not be as meaningful.

I run a public mail server using postfix so I often end up helping with mail issues. The mail server is totally isolated from everything else. I would be hesitant to install anything else on it. How to set up a mail server and technical networking, though, is a bit outside of the scope of what we typically discuss in the forum. Network security on your server is your responsibility, but with that said, here are some thoughts. And sorry for the verbosity. :grin:

I have postfix listening on 25 for incoming delivery, and 587 for smtp. Passbolt config by default is set to 587, but it can be changed. Sometimes folks run postfix smtp on 25, but this takes firewalling smtp to only private networks off the table if you still want 25 open to the public.

Running passbolt in Docker would generally lead one then to consider possibly running postfix or other needed services in Docker as well, in order to be available to other containers via bridge networking. This containerization duplicates the same setup on the host without containers, but with all the glory that containers bring for management and backup, etc. But you have postfix on your host.

The problem when containers are isolated from the host network or a service on the host network is how to get them talking to a port on the host network. Sending data from a container to a container’s local network will only hit the containers in that network. The host is not part of this. If you are accessing the host network from a container without using the Docker host driver it sounds like something is broken.

In order not to create a tutorial, these are intentionally not specific:

  • use of Docker already requires some tweaking of iptables for allowing outbound forwarding, iptables might help with this
  • I would not use the host driver. I would maintain container isolation from the host network.
  • In passbolt smtp config I would set mail host to the container network localhost or docker host, or some known container ip, and use port 587.
  • On host, I would manually port forward the corresponding container ip 587 to host 127.0.0.1:587.

The goal would be all calls to 587 internally in the container get forwarded to your postfix host service on port 587.

But now we’re talking crazy stuff. If you have any other easy questions, fire away!