I’m noticing the same behavior. Random sender addresses on my domain sending to random @qq.com addresses from 172.22.1.1. I just disabled IPv6 on my host and will monitor if it stops. This is a pretty huge security issue. Mailcow should assume IPv6 is enabled on the host and authenticate traffic from the network stack or block it altogether instead of just allowing open relay.

I had the same problem. Disabling IPv6 on ports 25, 587 and 465 at the incoming firewall did the trick. I assume that the postfix container needs additional configuration. It maps all ports 587 to tcp:587, the IPv6 ports also. Afterwards it is listening at that port on :::587, although extra.cf has defined inet_protocols = ipv4.

    chris65 I went and also blocked IPv6 on my hosting configuration’s firewall rules.

    Perhaps you can block it for the three ports only. Then you can still use IPv6 for other purposes on your server . . . I did not find a parameter to make postfix block the IPv6 port.

    Yep, that's possible. The real issue is why postfix is allowing unauthenticated relaying on IPv6. It should be treated like IPv4, requiring authentication or policy to allow it.

    If you guys suspect that postfix is acting as an open relay on IPv6, I highly recommend filing a bug report with all the evidence.
    At least on my end I can’t reproduce it.

     telnet 2...................::1 25
    Trying 2...................::1
    Connected to 2...................::1
    Escape character is '^]'.
    220 mydomain.xyz ESMTP Postcow
    ehlo vlah.com
    250-mydomain.xyz
    250-PIPELINING
    250-SIZE 104857600
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    mail from: nlah.com
    250 2.1.0 Ok
    rcpt to: something.xyz
    554 5.7.1 <something.xyz>: **Relay access denied**

      piperino recommend file a Bugreport with all the evidence.

      That was already discussed here:
      mailcow/mailcow-dockerized#5242

      Seems it's not a mailcow problem, but a Docker problem with the userland proxy and/or an unsupported OS that mailcow is running on.

        May be a Docker problem. The fact is that some Chinese people can relay through our server on Rocky Linux when the firewall is open, and they can’t when firewall ports 25, 465 and 587 are closed. The postfix container seems to route it to local 587, which is open as trusted. All steps to work without IPv6 are done as instructed in the manual. Where should we post it? Also, postfix is configured via extra.cf to use the IPv4 protocol only.

          chris65 Where should we post it?

          Open an issue on github referencing the one above.

          I am not familiar with readable postings, so could you please do it for me in better words? Thank you!

          esackbauer Looks like this is correct. I still have IPv6 disabled at my OS and firewall level, and since it is unnecessary for my purposes, I will leave it that way. IPv6 continues to be the center of more problems than a solution to them in my experience thus far.
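
Added example, not part of any post in this thread: a log check for the symptom reported above, mail accepted from 172.22.1.1 without a SASL login and then delivered to outside domains. The log lines are constructed in standard Postfix syslog format; `LOCAL_DOMAINS` and the function name are assumptions for illustration.

```python
import re
from collections import defaultdict

GATEWAY = "172.22.1.1"           # source address reported in this thread
LOCAL_DOMAINS = {"example.org"}  # assumption: the domains this server hosts

# Constructed sample lines (standard Postfix syslog format, not real logs).
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/smtpd[101]: 4A1B2C3D4E: client=unknown[172.22.1.1]
Mar  1 10:00:01 mx postfix/qmgr[55]: 4A1B2C3D4E: from=<kq81@example.org>, size=2048, nrcpt=1 (queue active)
Mar  1 10:00:02 mx postfix/smtp[120]: 4A1B2C3D4E: to=<a1@qq.com>, relay=mx.example.com[203.0.113.5]:25, delay=1, status=sent (250 Ok)
Mar  1 10:05:00 mx postfix/submission/smtpd[102]: 5B2C3D4E5F: client=host[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.org
Mar  1 10:05:01 mx postfix/smtp[121]: 5B2C3D4E5F: to=<carol@example.net>, relay=mx.example.net[203.0.113.9]:25, delay=1, status=sent (250 Ok)
Mar  1 10:06:00 mx postfix/smtpd[103]: 6C3D4E5F6A: client=unknown[172.22.1.1]
Mar  1 10:06:01 mx postfix/lmtp[130]: 6C3D4E5F6A: to=<bob@example.org>, relay=dovecot[172.22.1.250]:24, delay=1, status=sent (250 Ok)
"""

# daemon name (with optional service prefix), queue ID, remainder of the line
LINE = re.compile(r"postfix/(?:\w+/)?(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)")
CLIENT = re.compile(r"client=\S*\[([0-9A-Fa-f.:]+)\]")
RCPT = re.compile(r"to=<[^>]*@([^>]+)>")

def find_unauthenticated_relay(log_text, gateway=GATEWAY, local=LOCAL_DOMAINS):
    """Return {queue_id: [external recipient domains]} for mail that arrived
    from `gateway` with no SASL login and was sent to non-local domains."""
    suspect = set()               # queue IDs accepted from the gateway, no auth
    external = defaultdict(set)   # queue ID -> non-local recipient domains
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd":
            c = CLIENT.search(rest)
            if c and c.group(1) == gateway and "sasl_username=" not in rest:
                suspect.add(qid)
        else:
            r = RCPT.search(rest)
            if r and r.group(1).lower() not in local:
                external[qid].add(r.group(1).lower())
    return {q: sorted(external[q]) for q in sorted(suspect) if external.get(q)}

if __name__ == "__main__":
    print(find_unauthenticated_relay(SAMPLE_LOG))
```

Inbound mail to local mailboxes from the same address is not flagged; only queue IDs that combine the gateway source, no authentication and an external recipient are returned.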
