I keep getting random “Undelivered Mail Returned to Sender” emails that look like this:

I didn’t send any emails to qq.com but it keeps appearing randomly every 3-10 days.
In the mailcow logs for rspamd I keep seeing this being spammed full from the IP “172.22.1.1”; when I send an email myself (for example using K9-Mail) it shows my own IP.

And on Postfix logs it looks like this:

I already disabled ipv6 by doing enable_ipv6: false and commenting out the ipv6 subnet inside of docker-compose.yml and by setting the ipv6nat in docker-compose.override.yml like on docs.mailcow.email (Disable IPv6 - mailcow: dockerized documentation)


I looked up some stuff and it seemed like an “Open Relay” but when I looked on mxtoolbox it didn’t say so.

Can someone help me fix/remove this issue?


I do not want to be the harbinger of bad news, but from what you wrote I would guess you have been hacked. IP 172.22.1.1 belongs to the inner Mailcow network. So if someone is sending from this IP, it is probably from inside of Docker. Are you regularly upgrading the system?

Well, what to do? You can try to diff the files inside the container against a fresh install; not sure if this will be helpful.


Well, the thread suggests you can be an open relay over IPv6. Sadly, I believe mxtoolbox does not test IPv6 for open relay, so you will need to test it by yourself, something like this using telnet:

+telnet -6 ipv6_address_of_your_server 25
-Trying ...
-Connected to ...
-Escape character is '^]'.
-220-mail.name ESMTP Postcow
-220 mail.name ESMTP Postcow
+HELO im.test.com
-250 mail.name
+mail from:<test@test.com>
-250 2.1.0 Ok
+rcpt to:<recive@test.com>
-554 5.7.1 <recive@test.com>: Relay access denied
+QUIT
-221 2.0.0 Bye
-Connection closed by foreign host.

Do not copy the + and - from the start of the lines: + is what is supposed to be written by you, - is what is supposed to be the response from the server.

    ETNyx It doesn’t say “Relay access denied”, it just says “250 2.1.5 Ok” at “RCPT TO” when I try connecting to the ipv6 address.

    Also something I noticed (probably unrelated) is that when I try connecting to the ipv6 address it says
    “220 mail.playlook.de ESMTP Postcow”
    but when I try connecting to the ipv4 address of my server it says something about my local ISP:
    “220 some domains relating to the ISP Swisscom AG ESMTP server ready” and even here it accepts the RCPT TO

      chocolateimage is already the latest (v2.27.1) if you are meaning that reply.

      No, I meant the whole thread. Maybe it's an issue with IPv6.

      chocolateimage but when I try connecting to the ipv4 address of my server it says something about my local ISP:

      That is strange and I can only imagine that this is due to a transparent NAT rule of your ISP forwarding any packet to your IPv4 Address instead to their own mail service.

        Yes on IPv4 your ISP is most likely hijacking your traffic, pretty common in my region, but nasty,..

        Well, most likely you did not disable IPv6 in the proper way. Is there a reason to disable IPv6? I'm running Mailcow with IPv6 just fine,… Anyway, review your steps and find what's wrong, or, I do not know, put a proper firewall in front that will drop all IPv6 if you can't do it any other way; just be careful, UFW and other firewall tools do not play nicely with Mailcow, or rather with Docker,… or disable IPv6 on your host interface if you must, better than being an open relay,…

          ETNyx For me ipv6 caused emails not sending properly to some providers like gmail (emails bounced) so I disabled it then email sending worked

          [unknown] I tried actually sending an email with telnet over ipv6 and it seems like I got an email in my inbox without any authorization. In the logs it says: connect from unknown[172.22.1.1] so somehow it allowed the ipv6 connection to Postfix even though I disabled it.


          also sorry for the weird formatting in the message above, seems like the forum bugged out there.

          Ok, so you can try to solve why it bounced,

          or double check you did all the necessary steps to disable ipv6 in the mailcow stack, I found the docs a little bit confusing,.. docs.mailcow.email (Disable IPv6 - mailcow: dockerized documentation)

          If this does not work you can try to disable ipv6 on your host itself. This comes from my memory, double check it on the internet and against your distro,…
          sudo nano /etc/sysctl.conf

          net.ipv6.conf.all.disable_ipv6 = 1
          net.ipv6.conf.default.disable_ipv6 = 1

          then restart

            ETNyx I am using ipv6 for other things in my server, seems like enabling ipv6 by reverting the changes fixed the issues!

            I’m noticing the same behavior. Random sender addresses on my domain sending to random @qq.com addresses from 172.22.1.1. I just disabled IPv6 on my host and will monitor if it stops. This is a pretty huge security issue. Mailcow should assume IPv6 is enabled on the host and authenticate traffic from the network stack or block it all together instead of just allowing open relay.

            I had the same problem. Disabling IPv6 on ports 25, 587 and 465 at the incoming firewall did the trick. I assume that the postfix-container needs additional configuration. He maps all ports 587 to tcp:587, the IPv6-Ports also. Afterwards he is listening at that port on :::587, although extra.cf has defined inet_protocols = ipv4.

              chris65 I went and also blocked IPv6 on my hosting configuration’s firewall rules.

              Perhaps you can block it for the three ports only. Then you still can use IPv6 for other purposes on your server . . . I did not find a parameter to make postfix block the ipv6-port

              Yep, that's possible. The real issue is why postfix is allowing unauthenticated relaying on IPv6. It should be treated as IPv4 requiring authentication or policy to allow it.

              If you guys suspect that postfix is acting as an Open-Relay on ipv6, I highly recommend filing a bug report with all the evidence.
              At least on my end I can’t reproduce.

               telnet 2...................::1 25
              Trying 2...................::1
              Connected to 2...................::1
              Escape character is '^]'.
              220 mydomain.xyz ESMTP Postcow
              ehlo vlah.com
              250-mydomain.xyz
              250-PIPELINING
              250-SIZE 104857600
              250-ETRN
              250-STARTTLS
              250-ENHANCEDSTATUSCODES
              250-8BITMIME
              250 DSN
              mail from: nlah.com
              250 2.1.0 Ok
              rcpt to: something.xyz
              554 5.7.1 <something.xyz>: **Relay access denied**

                piperino recommend file a Bugreport with all the evidence.

                That was already discussed here:
                mailcow/mailcow-dockerized#5242

                Seems it's not a mailcow problem, but a docker problem with userland proxy and/or unsupported OS running mailcow on.

                  May be a docker problem. Fact is that some Chinese people can relay with our server on Rocky Linux when the firewall is open, and they can’t when firewall ports 25, 465 and 587 are closed. The postfix-container seems to route it to local 587, which is open as trusted. All steps to work without ipv6 are done as instructed in the manual. Where should we post it? Also, postfix is configured via extra.cf to use ipv4-protocol only.
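
A log check for the pattern this thread describes, as an added example that is not part of any post: it lists the queue IDs Postfix accepted from the Docker gateway address without SASL authentication and then sent to non-local domains. The log lines are constructed samples in standard Postfix syslog format; `LOCAL_DOMAINS` and the function name are assumptions.

```python
import re
from collections import defaultdict

DOCKER_GATEWAY = "172.22.1.1"      # gateway address seen in the thread's logs
LOCAL_DOMAINS = {"example.org"}    # assumption: domains hosted on this server

# Constructed sample log lines (standard Postfix format, documentation IPs).
SAMPLE_LOG = """\
Jan 10 03:12:01 mail postfix/smtpd[311]: connect from unknown[172.22.1.1]
Jan 10 03:12:02 mail postfix/smtpd[311]: 4A1B2C3D4E: client=unknown[172.22.1.1]
Jan 10 03:12:02 mail postfix/qmgr[120]: 4A1B2C3D4E: from=<rand1@example.org>, size=2210, nrcpt=1 (queue active)
Jan 10 03:12:04 mail postfix/smtp[402]: 4A1B2C3D4E: to=<123456@qq.com>, relay=mx.qq.com[192.0.2.10]:25, status=bounced (unknown user)
Jan 10 09:30:11 mail postfix/submission/smtpd[350]: 5F6A7B8C9D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=me@example.org
Jan 10 09:30:12 mail postfix/smtp[403]: 5F6A7B8C9D: to=<friend@example.net>, relay=mx.example.net[192.0.2.20]:25, status=sent (250 ok)
Jan 10 11:00:05 mail postfix/smtpd[377]: 6E7F8A9B0C: client=unknown[172.22.1.1]
Jan 10 11:00:06 mail postfix/lmtp[410]: 6E7F8A9B0C: to=<me@example.org>, relay=dovecot[172.22.1.250]:24, status=sent (250 ok)
"""

# smtpd "client=" line: queue ID, client IP, trailing SASL fields (if any).
CLIENT_RE = re.compile(r"postfix/\S*smtpd\[\d+\]: (\w+): client=[^\[]+\[([^\]]+)\](.*)")
# Delivery line: queue ID and recipient domain.
TO_RE = re.compile(r"postfix/\S+\[\d+\]: (\w+): to=<[^>]*@([^>]+)>")

def find_unauthenticated_relay(log_text, gateway=DOCKER_GATEWAY, local=LOCAL_DOMAINS):
    """Return {queue_id: [external recipient domains]} for mail that came in
    from the Docker gateway without SASL auth and left for a non-local domain."""
    via_gateway = set()
    rcpt_domains = defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, ip, rest = m.groups()
            if ip == gateway and "sasl_username=" not in rest:
                via_gateway.add(qid)
            continue
        m = TO_RE.search(line)
        if m:
            rcpt_domains[m.group(1)].add(m.group(2).lower())
    # Inbound mail for local domains also arrives via the gateway when the
    # connection is proxied, so only external recipients count as relaying.
    return {q: sorted(d - local) for q, d in rcpt_domains.items()
            if q in via_gateway and d - local}

if __name__ == "__main__":
    for qid, domains in find_unauthenticated_relay(SAMPLE_LOG).items():
        print(f"{qid}: relayed without auth to {', '.join(domains)}")
```
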