Hello community,

I’ve recently noticed in Rspamd that some emails were neither from nor to any of the users listed in my Mailcow instance, so they were relayed without authentication, but I haven’t set any rule in place to allow such a thing.

Here is an example from the logs, none of the domains are related to my MC instance :

Any idea on how this was made possible ? The instance was created a few years ago and regularly updated.

Thank you !

    • Best Answer set by cygbr

    So in the end I found out that ipv6nat-mailcow was missing from my docker-compose file, I’m not sure why updates didn’t add it. Now I can see the real IPv6 in the logs.

Default MC postfix main.cf

smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unlisted_sender,
    reject_unknown_sender_domain

Hi @luchris ,

Thanks for the reply.

I also have the same values in my main.cf :

I haven’t changed any config file.

Also I did a check on mxtoolbox.com and it says :

I see that some emails are received from public IPs, but some are coming from the same internal (I believe) IPv6 : fd4d:6169:6c63:6f77::1, which is the origin IP for both legit emails and the relayed ones

Maybe you have an authenticated user who is sending/relaying these mails?

    Thanks for your reply esackbauer

    I did further tests: I SSHed into another server that is hosted by the same provider (could that explain it?), then I used telnet to connect directly using the SMTP port, and was able to send an email to myself from the admin@ user without having to authenticate. How is that possible?!

      So in the end I found out that ipv6nat-mailcow was missing from my docker-compose file, I’m not sure why updates didn’t add it. Now I can see the real IPv6 in the logs.

      cygbr I mean, isn’t that how email works? A mail server connects to your server to deliver mail. Other mail servers also don’t authenticate. This is where your spam filter comes into play. It should reject the mail as spoofed.

      If you want to test an open relay, you have to send mail to other servers, not your own server.

        Hi D4niel

        The mail server connecting in this case is pretending to be my mail server !
        I would have expected the emails to be rejected without reaching the spam filtering process.

        Now that ipv6nat-mailcow is up, trying to reproduce the issue I get 554 5.7.1 This message does not meet our delivery requirements as expected.
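
Added example, not part of the thread: while ipv6nat-mailcow was missing, both legitimate and relayed mail showed the same origin address, fd4d:6169:6c63:6f77::1, so a check like the one below over Postfix smtpd logs flags messages accepted from that address without a SASL login. The log lines are constructed, and treating that address as the Docker-side address that hides the real client is an assumption.

```python
import ipaddress
import re

# Assumption: this is the Docker-side address that external IPv6 clients appear
# to come from when ipv6nat-mailcow is not running (value quoted in the thread).
MASKED_SOURCE = ipaddress.ip_address("fd4d:6169:6c63:6f77::1")

# Postfix smtpd logs "QUEUEID: client=host[ip]" and appends
# ", sasl_method=..., sasl_username=..." when the session authenticated.
CLIENT_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=[^\[]*\[(?P<ip>[^\]]+)\](?P<rest>.*)"
)

def unauthenticated_masked_clients(lines, masked=MASKED_SOURCE):
    """Return (queue_id, ip) for mail accepted from `masked` without SASL."""
    hits = []
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue  # not a "client=" line (connect/disconnect, etc.)
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # e.g. client=unknown[unknown]
        if ip == masked and "sasl_username=" not in m.group("rest"):
            hits.append((m.group("qid"), str(ip)))
    return hits

# Constructed sample log lines (hosts and queue IDs are made up).
SAMPLE_LOG = [
    "Jan 10 10:00:01 mail postfix/smtpd[201]: 4F1A2B3C4D: "
    "client=unknown[fd4d:6169:6c63:6f77::1]",
    "Jan 10 10:00:05 mail postfix/submission/smtpd[202]: 5A6B7C8D9E: "
    "client=unknown[fd4d:6169:6c63:6f77::1], sasl_method=PLAIN, "
    "sasl_username=user@example.org",
    "Jan 10 10:00:09 mail postfix/smtpd[203]: 6B7C8D9E0F: "
    "client=mx.example.net[2001:db8::25]",
    "Jan 10 10:00:12 mail postfix/smtpd[204]: connect from unknown[unknown]",
]

if __name__ == "__main__":
    for qid, ip in unauthenticated_masked_clients(SAMPLE_LOG):
        print(f"{qid}: accepted from {ip} without SASL; real client IP is hidden")
```

Any hit means Postfix is judging the sender by a shared internal address instead of the real client IP, which is the condition cygbr describes before ipv6nat-mailcow was restored.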
