Mailcow relaying spam, even though open relay is disabled

kolaente

In my mailcow, I have started receiving bounces from other servers for mails I never sent.

They usually look like this:


This is the mail system at host mail.domain.tld.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<younes.ar@sfr.fr>: host smtp-in.sfr.fr[93.17.128.123] said: 550 5.7.1 Email
    4cJP5p5ms0z1LQKcv rejected per SPAM policy (in reply to end of DATA
    command)


Reporting-MTA: dns; mail.domain.tld
X-Postcow-Queue-ID: DE0454421F
X-Postcow-Sender: rfc822; hello@domain.tld
Arrival-Date: Fri,  5 Sep 2025 19:49:26 +0200 (CEST)

Final-Recipient: rfc822; younes.ar@sfr.fr
Original-Recipient: rfc822;younes.ar@sfr.fr
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp-in.sfr.fr
Diagnostic-Code: smtp; 550 5.7.1 Email 4cJP5p5ms0z1LQKcv rejected per SPAM
    policy


Votre compte SOCGN temporairement suspendu - Action requise.eml
Subject: 
Votre compte SOCGN temporairement suspendu - Action requise
From: 
hello@domain.tld
Date: 
05/09/2025, 19:50
To: 
younes.ar@sfr.fr

Here’s what that looks like in rspamd (through mailcow UI):

The IP address is the one that’s configured in my mailcow.conf. I did not change anything there regarding the IP config.

Other threads here (one, two) seem to indicate I’m not the only one this is happening to.

Everything seems to point to my mailcow being configured as Open Relay, but I never configured this. As far as I understand the config, it is not enabled:

$ cat data/conf/postfix/extra.cf
myhostname = mail.domain.tld

$ grep mynetworks data/conf/postfix/*.cf
data/conf/postfix/main.cf:smtpd_relay_restrictions = permit_mynetworks,
data/conf/postfix/main.cf:mynetworks_style = subnet
data/conf/postfix/main.cf:postscreen_access_list = permit_mynetworks,
data/conf/postfix/main.cf:  $mynetworks,
data/conf/postfix/main.cf:  permit_mynetworks,
data/conf/postfix/main.cf:  permit_mynetworks,
data/conf/postfix/main.cf:parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients
data/conf/postfix/master.cf:  -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain
data/conf/postfix/master.cf:  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
data/conf/postfix/master.cf:  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
data/conf/postfix/master.cf:  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
data/conf/postfix/master.cf:  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
data/conf/postfix/master.cf:  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
data/conf/postfix/master.cf:  -o smtpd_sender_restrictions=check_sasl_access,regexp:/opt/postfix/conf/allow_mailcow_local.regexp,reject_authenticated_sender_login_mismatch,permit_mynetworks,permit_sasl_authenticated,reject_unlisted_sender,reject_unknown_sender_domain
data/conf/postfix/master.cf:  -o smtpd_client_restrictions=permit_mynetworks,reject
data/conf/postfix/master.cf:  -o smtpd_client_restrictions=permit_mynetworks,reject
data/conf/postfix/master.cf:  -o smtpd_client_restrictions=permit_mynetworks,reject

Is it possible that someone is forging their IP address so that the mailcow thinks the mail is coming from an allowed network?

Why does the mailcow even allow sending mail as unauthenticated sender?

ETNyx

Well, we can at least partially check your setup, but you must give us your domain,…

Other than that it’s just guessing,.. if I read it right your own Rspamd is think your LTD is “fishy” 🤣 so what do you expect from third-party server? 🙄

kolaente Is it possible that someone is forging their IP address so that the mailcow thinks the mail is coming from an allowed network?

Well in theory, but unlikely, attacker would have be men in the middle in close proximity (like your ISP and more considering encryption,…) or on compromised system,…

kolaente Why does the mailcow even allow sending mail as unauthenticated sender?

That’s depend on point of view, but random entity on internet is not allowed sending without auth in default MC configuration,…

But as i wrote, give us your mail and we can run some test for you,…

kolaente

ETNyx Thanks for the reply.

The mailcow domain is mail.kolaente.de - do you need the mail domain as well?

ETNyx

Yes, please, what is the “fishy” LTD

and good news, this server is not open relay

Connecting to 159.69.89.190

220-mail.kolaente.de ESMTP Postcow
220 mail.kolaente.de ESMTP Postcow [3516 ms]
EHLO keeper-us-east-1d.mxtoolbox.com
250-mail.kolaente.de
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [219 ms]
MAIL FROM:<supertool@mxtoolboxsmtpdiag.com>
250 2.1.0 Ok [219 ms]
RCPT TO:<test@mxtoolboxsmtpdiag.com>
454 4.7.1 <test@mxtoolboxsmtpdiag.com>: Relay access denied [297 ms]


- LookupServer [smtp:mail.kolaente.de] 5108ms

kolaente

ETNyx The TLD is vikunja.cloud - I am sending mails from that domain without problems.

As far as I understand it, the issue is not rspamd here, it just allows me to become aware of the issue.

ETNyx

Ok sorry bad news you are open relay but only on IPv6, you need to fix this.

Quick fix is to disable IPv6, other than that check first mynetworks, relayhost and smtpd_relay_restrictions

post here what print those docker exec -it mailcowdockerized-postfix-mailcow-1 postconf mynetworks check your real container name,…

kolaente

ETNyx

Here are the values:

$ grep relayhost data/conf/postfix/*.cf
data/conf/postfix/main.cf:relayhost =

$ grep smtpd_relay_restrictions data/conf/postfix/*.cf -A 5
data/conf/postfix/main.cf:smtpd_relay_restrictions = permit_mynetworks,
data/conf/postfix/main.cf-  permit_sasl_authenticated,
data/conf/postfix/main.cf-  defer_unauth_destination

$ docker exec -it mailcowdockerized-postfix-mailcow-1 postconf mynetworks
mynetworks = 127.0.0.0/8 172.22.1.0/24 [::1]/128 [fd4d:6169:6c63:6f77::]/64 [fe80::]/64

DocFraggle

Are you running a supported OS? I found this GitHub issue regarding Arch Linux which seems to cause this problem as well

mailcow/mailcow-dockerized5242

kolaente

DocFraggle I’ve been running this on the same Debian server since 7 years.

DocFraggle

kolaente I’ve been running this on the same Debian server since 7 years.

So which Debian version is this? 9? And your mailcow, is it up to date?

ETNyx

What docker version are you on?

And those config lines seems to be good

DocFraggle

Also check your “Forwarding Hosts” in the mailcow UI, maybe you added the IPv6 address there accidentially?

kolaente

Docker version:

Client: Docker Engine - Community
 Version:           26.1.4
 API version:       1.45
 Go version:        go1.21.11
 Git commit:        5650f9b
 Built:             Wed Jun  5 11:29:15 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.1.4
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.11
  Git commit:       de5c9cf
  Built:            Wed Jun  5 11:29:15 2024
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.6.33
  GitCommit:        d2d58213f83a351ca8f528a95fbd145f5654e957
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

DocFraggle Also check your “Forwarding Hosts” in the mailcow UI, maybe you added the IPv6 address there accidentially?

Is that this config? I don’t have anything configured there.

The IP address is set up in the mailcow.conf, but I guess that was done during the installation?

DocFraggle

kolaente The IP address is set up in the mailcow.conf

Where is it set there? My public IP isn’t in the mailcow.conf file, only the local IPv6 docker network

kolaente

DocFraggle It is set like this:

# Internal IPv6 subnet in fc00::/7
IPV6_NETWORK=fd4d:6169:6c63:6f77::/64

The IP is the one used by the br-mailcow network interface. I assume this is similar to local networks (like 10.0.0.0 or 192.168.0.0)? I can’t remember configuring this explicitly, I assume this was done during the mailcow setup.

[unknown] If I disable ipv6, does that mean other servers won’t be able to talk to my mailcow using ipv6? Or is that separate and should work as long as my server has a public ipv6 address (which it does)?

stefan21

@kolaente

I suppose, you have a static business ipv4.

If your installation/configuration is o.k., you may follow this: https://community.mailcow.email/d/5310-rspamd-error-httpfuzzymailcowemailbad-subject-regextxt/8

Ignore the fuzzy things - just disable ipv6.

Should solve your problem.

DocFraggle

kolaente Yes, ths is just the local IPv6 etwork, not your public IPv6 address. The public IPv6 address is also configured on your host, right? No reverse proxy / NAT stuff or something like this?

kolaente

DocFraggle it is configured on the host (I see it for the eth0 interface when running ip a).

kolaente

DocFraggle It is running on Debian 12, mailcow 2025-07. I guess that’s up to date.

DocFraggle

Ah ok, I thought it’s an older version because you wrote something about 7 years 🙂

But that’s exactly what I’m running, too. Very strange… you could try to check for potential diffs by running

git diff refs/tags/2025-07 data/

in your mailcow-dockerized dir. There will be legit diffs there, but you can check if there’s something else which you may have done in the past

kolaente

DocFraggle It seems like the only modifications are autogenerated config, nothing related to ipv6 or relay functionality:

diff --git a/data/assets/ejabberd/sqlite/sqlite.db b/data/assets/ejabberd/sqlite/sqlite.db
new file mode 100644
index 00000000..981ba6b9
Binary files /dev/null and b/data/assets/ejabberd/sqlite/sqlite.db differ
diff --git a/data/conf/ejabberd/autogen/ejabberd_acl.yml b/data/conf/ejabberd/autogen/ejabberd_acl.yml
new file mode 100644
index 00000000..21db66a4
--- /dev/null
+++ b/data/conf/ejabberd/autogen/ejabberd_acl.yml
@@ -0,0 +1 @@
+# Autogenerated by mailcow
diff --git a/data/conf/ejabberd/autogen/ejabberd_api.yml b/data/conf/ejabberd/autogen/ejabberd_api.yml
new file mode 100644
index 00000000..58c0ffd7
--- /dev/null
+++ b/data/conf/ejabberd/autogen/ejabberd_api.yml
@@ -0,0 +1,16 @@
+# Autogenerated by mailcow
+api_permissions:
+  "Reload by mailcow":
+    who:
+      - ip: "172.22.1.0/24"
+    what:
+      - "reload_config"
+      - "restart"
+      - "list_certificates"
+      - "list_cluster"
+      - "join_cluster"
+      - "leave_cluster"
+      - "backup"
+      - "status"
+      - "stats"
+      - "muc_online_rooms"
diff --git a/data/conf/ejabberd/autogen/ejabberd_hosts.yml b/data/conf/ejabberd/autogen/ejabberd_hosts.yml
new file mode 100644
index 00000000..21db66a4
--- /dev/null
+++ b/data/conf/ejabberd/autogen/ejabberd_hosts.yml
@@ -0,0 +1 @@
+# Autogenerated by mailcow
diff --git a/data/conf/ejabberd/autogen/ejabberd_macros.yml b/data/conf/ejabberd/autogen/ejabberd_macros.yml
new file mode 100644
index 00000000..59bcdf7f
--- /dev/null
+++ b/data/conf/ejabberd/autogen/ejabberd_macros.yml
@@ -0,0 +1,4 @@
+# Autogenerated by mailcow
+define_macro:
+  'MAILCOW_HOSTNAME': "mail.kolaente.de"
+  'EJABBERD_HTTPS': 5443
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 07065f04..44d33142 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -174,3 +174,35 @@ lmtp_destination_recipient_limit=1

 # DO NOT EDIT ANYTHING BELOW #
 # Overrides #
+
+postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+  hostkarma.junkemailfilter.com=127.0.0.1*-2
+  list.dnswl.org=127.0.[0..255].0*-2
+  list.dnswl.org=127.0.[0..255].1*-4
+  list.dnswl.org=127.0.[0..255].2*-6
+  list.dnswl.org=127.0.[0..255].3*-8
+  bl.spamcop.net*2
+  bl.suomispam.net*2
+  hostkarma.junkemailfilter.com=127.0.0.2*3
+  hostkarma.junkemailfilter.com=127.0.0.4*2
+  hostkarma.junkemailfilter.com=127.0.1.2*1
+  backscatter.spameatingmonkey.net*2
+  bl.ipv6.spameatingmonkey.net*2
+  bl.spameatingmonkey.net*2
+  b.barracudacentral.org=127.0.0.2*7
+  bl.mailspike.net=127.0.0.2*5
+  bl.mailspike.net=127.0.0.[10;11;12]*4
+  dnsbl.sorbs.net=127.0.0.10*8
+  dnsbl.sorbs.net=127.0.0.5*6
+  dnsbl.sorbs.net=127.0.0.7*3
+  dnsbl.sorbs.net=127.0.0.8*2
+  dnsbl.sorbs.net=127.0.0.6*2
+  dnsbl.sorbs.net=127.0.0.9*2
+  zen.spamhaus.org=127.0.0.[10;11]*8
+  zen.spamhaus.org=127.0.0.[4..7]*6
+  zen.spamhaus.org=127.0.0.3*4
+  zen.spamhaus.org=127.0.0.2*3
+
+# User Overrides
+myhostname = mail.kolaente.de
+
diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf
index 2c8d80a1..6fa6834d 100644
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@@ -5,7 +5,7 @@
         PrivateDAndTViewer
     );

-    WOWorkersCount = "20";
+    WOWorkersCount = "7";
     SOGoACLsSendEMailNotifications = YES;
     SOGoAppointmentSendEMailNotifications = YES;
     SOGoDraftsFolderName = "Drafts";
diff --git a/data/web/.well-known/mta-sts.txt b/data/web/.well-known/mta-sts.txt
new file mode 100644
index 00000000..3ae76dd8
--- /dev/null
+++ b/data/web/.well-known/mta-sts.txt
@@ -0,0 +1,4 @@
+version: STSv1
+mode: enforce
+max_age: 15552000
+mx: mail.kolaente.de