Docker 和主机的 IP 地址不一致
Docker and inconsistent IP addresses from host
我正在尝试设置一些容器来管理我 VPS 上的个人电子邮件。
我已经为 postfix 服务器设置了 TLS 加密。在设置 SPF 以检测伪造的电子邮件时,我发现 报告的 IP 因是否使用加密而不同:
当收到来自某些发件人的电子邮件时:
Received: from zproxy.mydomain.com (zproxy110.mydomain.com [137.**.**.**])
by localhost (Postfix) with ESMTP id 5250459F
从我的 GMail 帐户(启用 TLS)接收电子邮件时:
Received: from mail-lf0-x241.google.com (dockerhost [172.18.0.1])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by localhost (Postfix) with ESMTPS id 2EDEF59F
从其他网络接收电子邮件时:
Received: from cabale.usenet-fr.net (dockerhost [172.18.0.1])
by localhost (Postfix) with ESMTP id 834F8520
看起来报告的 IP 是 Docker 主机的 IP,基于...随机,使用 IP 172.18.0.1。除了本身是一个问题外,它还会影响 SPF,因为来自 Google 的电子邮件被标记为 SoftFail,因为 IP 是不允许的。
我一直无法理解为什么有些服务器(总是)报告 dockerhost IP,而有些则不。这与我最初认为的 TLS 加密无关。
这是我的 master.cnf 文件:
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/postfix-cert.pem
smtpd_tls_key_file = /etc/ssl/private/postfix-cert.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination check_policy_service unix:private/policy-spf
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = /etc/mailname, 11687faae091, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtpd_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4
smtpd_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtp_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtp_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4
policy-spf_time_limit = 3600s
还有我的 main.cnf 文件:
smtp inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
${user}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -a ${recipient}
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
policy-spf unix - n n - - spawn
user=nobody argv=/usr/bin/policyd-spf
这种行为从何而来?我该如何修补它,以便报告的 IP 是真实 IP?
编辑:好的,我刚刚从另一家供应商那里测试过,看起来加密可能与它无关:
Received: from o1.30e.fshared.sendgrid.net (o1.30e.fshared.sendgrid.net [167.89.55.41])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
这是当前 (2016-10-10) Docker 版本中的已知错误:
userland 代理用于将容器端口绑定到主机端口,但存在您遇到的不一致问题。我自己也有同样的问题。
参考文献:
- https://github.com/docker/docker/issues/15086 - 关于基本问题
问题,建议的最佳解决方案是禁用 userland 代理
并改用 iptables 来路由端口
- https://github.com/docker/docker/issues/14856 - 努力做到
默认情况下禁用 userland 代理,但目前已被阻止,见下文
- 使用“--userland-proxy=false”会导致主机网络出现严重问题,因此目前不推荐使用,请参阅docker issue #5618
我正在尝试设置一些容器来管理我 VPS 上的个人电子邮件。
我已经为 postfix 服务器设置了 TLS 加密。在设置 SPF 以检测伪造的电子邮件时,我发现 报告的 IP 因是否使用加密而不同:
当收到来自某些发件人的电子邮件时:
Received: from zproxy.mydomain.com (zproxy110.mydomain.com [137.**.**.**])
by localhost (Postfix) with ESMTP id 5250459F
从我的 GMail 帐户(启用 TLS)接收电子邮件时:
Received: from mail-lf0-x241.google.com (dockerhost [172.18.0.1])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by localhost (Postfix) with ESMTPS id 2EDEF59F
从其他网络接收电子邮件时:
Received: from cabale.usenet-fr.net (dockerhost [172.18.0.1])
by localhost (Postfix) with ESMTP id 834F8520
看起来报告的 IP 是 Docker 主机的 IP,基于...随机,使用 IP 172.18.0.1。除了本身是一个问题外,它还会影响 SPF,因为来自 Google 的电子邮件被标记为 SoftFail,因为 IP 是不允许的。
我一直无法理解为什么有些服务器(总是)报告 dockerhost IP,而有些则不。这与我最初认为的 TLS 加密无关。
这是我的 master.cnf 文件:
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/postfix-cert.pem
smtpd_tls_key_file = /etc/ssl/private/postfix-cert.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination check_policy_service unix:private/policy-spf
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = /etc/mailname, 11687faae091, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtpd_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4
smtpd_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtp_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2
smtp_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4
policy-spf_time_limit = 3600s
还有我的 main.cnf 文件:
smtp inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
${user}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -a ${recipient}
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
policy-spf unix - n n - - spawn
user=nobody argv=/usr/bin/policyd-spf
这种行为从何而来?我该如何修补它,以便报告的 IP 是真实 IP?
编辑:好的,我刚刚从另一家供应商那里测试过,看起来加密可能与它无关:
Received: from o1.30e.fshared.sendgrid.net (o1.30e.fshared.sendgrid.net [167.89.55.41])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
这是当前 (2016-10-10) Docker 版本中的已知错误: userland 代理用于将容器端口绑定到主机端口,但存在您遇到的不一致问题。我自己也有同样的问题。
参考文献:
- https://github.com/docker/docker/issues/15086 - 关于基本问题 问题,建议的最佳解决方案是禁用 userland 代理 并改用 iptables 来路由端口
- https://github.com/docker/docker/issues/14856 - 努力做到 默认情况下禁用 userland 代理,但目前已被阻止,见下文
- 使用“--userland-proxy=false”会导致主机网络出现严重问题,因此目前不推荐使用,请参阅docker issue #5618