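Docker and inconsistent IP addresses from the host

I am trying to set up some containers to manage personal email on my VPS.

I set up TLS encryption for the Postfix server. While setting up SPF to detect forged emails, I found that the reported IP is not the same, depending on whether encryption is used.

When receiving an email from some senders: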

Received: from zproxy.mydomain.com (zproxy110.mydomain.com [137.**.**.**]) by localhost (Postfix) with ESMTP id 5250459F 

When receiving an email from my GMail account (TLS enabled):

 Received: from mail-lf0-x241.google.com (dockerhost [172.18.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by localhost (Postfix) with ESMTPS id 2EDEF59F 

When receiving an email from other networks:

 Received: from cabale.usenet-fr.net (dockerhost [172.18.0.1]) by localhost (Postfix) with ESMTP id 834F8520 

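It looks like the reported IP is, on a random basis, the IP of the Docker host, using the IP 172.18.0.1. Besides being a problem in itself, it also affects SPF, because emails from Google are marked as SoftFail since the IP is not allowed.

I have been unable to understand why some servers (always) report the dockerhost IP and some do not. This is not related to TLS encryption, as that is what I did first.

Here is my master.cnf file: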

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file = /etc/ssl/certs/postfix-cert.pem
    smtpd_tls_key_file = /etc/ssl/private/postfix-cert.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination check_policy_service unix:private/policy-spf
    myhostname = localhost
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    mydestination = /etc/mailname, 11687faae091, localhost.localdomain, localhost
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    virtual_gid_maps = static:5000
    virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
    virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
    virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
    virtual_transport = dovecot
    dovecot_destination_recipient_limit = 1
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
    smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
    smtpd_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4
    smtpd_tls_mandatory_ciphers = high
    smtp_tls_security_level = may
    smtp_tls_loglevel = 1
    smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
    smtp_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
    smtp_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4
    policy-spf_time_limit = 3600s

And my main.cnf file:

    smtp inet n - n - - smtpd
    pickup unix n - n 60 1 pickup
    cleanup unix n - n - 0 cleanup
    qmgr unix n - n 300 1 qmgr
    tlsmgr unix - - n 1000? 1 tlsmgr
    rewrite unix - - n - - trivial-rewrite
    bounce unix - - n - 0 bounce
    defer unix - - n - 0 bounce
    trace unix - - n - 0 bounce
    verify unix - - n - 1 verify
    flush unix n - n 1000? 0 flush
    proxymap unix - - n - - proxymap
    proxywrite unix - - n - 1 proxymap
    smtp unix - - n - - smtp
    relay unix - - n - - smtp
    showq unix n - n - - showq
    error unix - - n - - error
    retry unix - - n - - error
    discard unix - - n - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - n - - lmtp
    anvil unix - - n - 1 anvil
    scache unix - - n - 1 scache
    maildrop unix - n n - - pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp unix - n n - - pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail unix - n n - - pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp unix - n n - - pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n n - 2 pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman unix - n n - - pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
    dovecot unix - n n - - pipe
      flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -a ${recipient}
    submission inet n - - - - smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    policy-spf unix - n n - - spawn
      user=nobody argv=/usr/bin/policyd-spf

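Where does this behavior come from, and how can I fix it so that the reported IP is the actual one?

Edit: OK, I just tested from another provider, and it looks like encryption may have nothing to do with it: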

 Received: from o1.30e.fshared.sendgrid.net (o1.30e.fshared.sendgrid.net [167.89.55.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) 

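This is a known bug in the current (2016-10-10) Docker version: a userland proxy is used to bind container ports to host ports, but it has the inconsistency problem you are running into. I have the same issue myself.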

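A way to spot the affected messages, as an added example that is not part of the original question or answer: the script below parses the Postfix Received headers quoted above and flags those whose recorded client address is an internal one (such as the Docker bridge 172.18.0.1), meaning the SPF policy service saw the proxy's address instead of the sender's. The function names and verdict labels are hypothetical, and the sample headers are the question's own, shortened to the part that carries the client information.

```python
import ipaddress
import re

# Postfix format: "Received: from <HELO name> (<reverse DNS name> [<client IP>]) ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
)

# Sample input: the Received headers quoted in the question (TLS details trimmed).
SAMPLE_HEADERS = [
    "Received: from zproxy.mydomain.com (zproxy110.mydomain.com [137.**.**.**]) by localhost (Postfix) with ESMTP id 5250459F",
    "Received: from mail-lf0-x241.google.com (dockerhost [172.18.0.1]) by localhost (Postfix) with ESMTPS id 2EDEF59F",
    "Received: from cabale.usenet-fr.net (dockerhost [172.18.0.1]) by localhost (Postfix) with ESMTP id 834F8520",
    "Received: from o1.30e.fshared.sendgrid.net (o1.30e.fshared.sendgrid.net [167.89.55.41])",
]


def classify(header):
    """Return (helo_name, client_ip_text, verdict) for one Received header."""
    match = RECEIVED_RE.search(header)
    if match is None:
        return None, None, "no-client"  # e.g. locally submitted mail
    helo, ip_text = match.group("helo"), match.group("ip")
    if ip_text.lower().startswith("ipv6:"):  # Postfix prefixes IPv6 clients
        ip_text = ip_text[5:]
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return helo, ip_text, "unparsable"  # redacted or malformed address
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        # SPF was evaluated against an address the sender's domain never lists.
        return helo, str(ip), "internal"
    return helo, str(ip), "public"


def internal_sources(headers):
    """HELO names of messages whose client IP was replaced by an internal one."""
    return [helo for helo, _, verdict in map(classify, headers) if verdict == "internal"]


if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        print(classify(line))
```
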