Sas*_*cha 11 ubuntu postfix-mta ports dovecot docker
This is driving me crazy, but for some reason I cannot reach certain ports from outside. I have checked almost every possible setting, but I have no idea why this doesn't work. I don't know where to look for the problem (Ubuntu firewall vs. Docker vs. Dovecot vs. Postfix), and I really hope you guys can help me.
FYI: mycooldomain.com is just a placeholder for my domain name, which I don't want to share at the moment.
I'll buy a beer for whoever helps me solve this! :)
Introduction
On my root server I'm running the following docker mail server container (https://github.com/tomav/docker-mailserver/), which exposes several ports (143, 25, 587, 993). The container runs dovecot (IMAP) and postfix (SMTP).
TL;DR
I have the above mail server (dovecot, postfix) running in a docker container and can only connect to one port (143 - IMAP). The other ports 25, 587 and 993 cannot be reached from outside - only directly from the host. Docker exposes them correctly and they are listed correctly in iptables. The logs in the container (dovecot, postfix) show no reaction when requests come in (no rejected requests or anything like that), so I guess they never reach the services in the container. Other docker container ports (e.g. my web server: 80, 443) work.
Here are the details:
I can connect to every port directly from the host (let's test the IMAP secure port):
mastix@localhost:~$ telnet mail.mycooldomain.com 993
Trying xxx.xxx.xxx.xxx…
Connected to mail.mycooldomain.com.
Escape character is '^]'.
220 mail.mycooldomain.com ESMTP Postfix (Ubuntu)
But not from my local machine:
mastixmc$ telnet mail.mycooldomain.com 993
Trying xxx.xxx.xxx.xxx…
telnet: connect to address xxx.xxx.xxx.xxx: Operation timed out
telnet: Unable to connect to remote host
docker-compose ps tells me they are exposed and bound correctly:
110/tcp,
0.0.0.0:143->143/tcp,
0.0.0.0:25->25/tcp, 4190/tcp,
0.0.0.0:587->587/tcp,
0.0.0.0:993->993/tcp, 995/tcp
netstat -ntlp tells me the same:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::587 :::* LISTEN -
tcp6 0 0 :::143 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::25 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN -
tcp6 0 0 :::2332 :::* LISTEN -
tcp6 0 0 :::993 :::* LISTEN -
I can reach my web server (80/443) and insecure IMAP (143) - which I won't allow in the future. But all other ports are unreachable.
I even set up UFW (although it isn't needed) to make sure Ubuntu isn't blocking anything:
Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 25/tcp
ufw allow 587/tcp
ufw allow 143/tcp
ufw allow 993/tcp
Looking at the logs (Dovecot, Postfix) I can't see anything, so it looks like the requests never reach the services.
I have not touched the following Docker/UFW settings:
/etc/default/ufw
DEFAULT_FORWARD_POLICY="DROP"
and I DID NOT change iptables=false in the docker engine.
Here is the iptables -L output; you can clearly see that the DOCKER chain added the rules correctly (my ufw rules are in there too):
Chain INPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:http
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:imaps
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:submission
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:imap2
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:smtp
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
[...]
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT udp -- anywhere anywhere udp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:2332
ACCEPT udp -- anywhere anywhere udp dpt:2332
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT udp -- anywhere anywhere udp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT udp -- anywhere anywhere udp dpt:imap2
So everything looks correct to me.
Update #1:
nmap from the docker host (against mycooldomain.com):
PORT STATE SERVICE
25/tcp filtered smtp
80/tcp filtered http
143/tcp filtered imap
443/tcp filtered https
587/tcp filtered submission
993/tcp filtered imaps
nmap from my local machine (against mycooldomain.com):
PORT STATE SERVICE
80/tcp open http
143/tcp open imap
443/tcp open https
As you can see, the ports are not open, so I can't connect to ports 25, 587 and 993 remotely.
Update #2:
So I stopped all containers and started a simple python HTTP server:
sudo python -m SimpleHTTPServer 993
This port is not reachable either. So I started the same server on port 8080 => success.
It looks like Ubuntu or my host is blocking port 993! I'm currently in contact with the provider of the root server.
I have also opened an issue in the project (https://github.com/tomav/docker-mailserver/issues/602), but they couldn't help me either.
Thank you very much in advance,
Greetz,
Sascha
I fixed it... or at least my host fixed it. There was another hardware firewall blocking certain ports. They had to enable a specific "mail server" firewall rule set that allows running a mail server.
Thanks for your help and hints!!!
Regards,
Sascha
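The poster's reading of the iptables -L output (Docker's rules are there, and ufw's forward chains cannot be what blocks the published ports) can be checked mechanically rather than by eye. The script below is an added example written for this page, not code from the post or from docker-mailserver; it parses the plain `iptables -L` listing (no `-n`, so service names such as imap2 and submission appear), lists the TCP ports the DOCKER chain ACCEPTs, and reports whether any ufw-* chain is consulted before DOCKER in FORWARD. The embedded SAMPLE is a constructed, abbreviated copy of the listing in the post; the SERVICE_PORTS table is an assumption used so the script resolves names offline without /etc/services.

```python
import re
import socket

# Assumed name->port table so the parser works without /etc/services
# (imap2 is the Debian/Ubuntu services name for IMAP on 143).
SERVICE_PORTS = {"smtp": 25, "http": 80, "imap2": 143, "imap": 143,
                 "https": 443, "submission": 587, "imaps": 993}

# Constructed sample: an abbreviated copy of the iptables -L output in the post.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ufw-before-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-before-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:imaps
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:submission
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:imap2
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:smtp
"""


def parse_chains(text):
    """Return {chain_name: [(target, proto, extra_match_text), ...]} from
    `iptables -L` output, preserving rule order within each chain."""
    chains, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Chain (\S+) \((?:policy \w+|\d+ references)\)", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target ") or current is None:
            continue
        # columns: target prot opt source destination [match text...]
        parts = line.split(None, 5)
        extra = parts[5] if len(parts) > 5 else ""
        chains[current].append((parts[0], parts[1], extra))
    return chains


def port_number(name):
    """Resolve a dpt: value (number or service name) to an integer port."""
    if name.isdigit():
        return int(name)
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    return socket.getservbyname(name)  # fall back to the OS services database


def accepted_dports(chains, chain="DOCKER", proto="tcp"):
    """Sorted destination ports that `chain` ACCEPTs for `proto`; for DOCKER
    these are exactly the ports Docker has published from containers."""
    ports = set()
    for target, prot, extra in chains.get(chain, []):
        m = re.search(r"dpt:(\S+)", extra)
        if target == "ACCEPT" and prot == proto and m:
            ports.add(port_number(m.group(1)))
    return sorted(ports)


def forward_order(chains):
    """Jump targets of the FORWARD chain in traversal order."""
    return [target for target, _, _ in chains.get("FORWARD", [])]


def ufw_sees_forwarded_traffic_first(chains):
    """True only if some ufw-* chain is consulted before DOCKER in FORWARD.
    When DOCKER comes first, a published port is ACCEPTed there and ufw's
    forward rules (and DEFAULT_FORWARD_POLICY) never get to see the packet."""
    order = forward_order(chains)
    docker_pos = order.index("DOCKER") if "DOCKER" in order else len(order)
    ufw_pos = [i for i, t in enumerate(order) if t.startswith("ufw-")]
    return bool(ufw_pos) and min(ufw_pos) < docker_pos


if __name__ == "__main__":
    chains = parse_chains(SAMPLE)
    print("FORWARD traversal:", " -> ".join(forward_order(chains)))
    print("ports ACCEPTed by DOCKER chain:", accepted_dports(chains))
    print("ufw consulted before DOCKER in FORWARD:",
          ufw_sees_forwarded_traffic_first(chains))
```

Run against the post's listing this prints the five published mail/web ports and "False" for the last line: with DOCKER jumped to before any ufw-* chain in FORWARD, neither the ufw forward rules nor `DEFAULT_FORWARD_POLICY="DROP"` can be what is dropping the mail ports, which is why the host firewall was correctly ruled out. The same ordering is also the well-known reason ufw cannot be relied on to restrict Docker-published ports; to inspect a live host, feed it `iptables -L` output instead of SAMPLE.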
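The outcome the poster reached (open from the host, "Operation timed out" / nmap "filtered" from outside, fixed by the provider's upstream firewall) follows from comparing the three possible TCP connect results at two vantage points. The script below is an added example for this page, not code from the post or from docker-mailserver: `probe()` classifies a connect attempt the way nmap would (open, closed, filtered, unreachable), `start_dummy_listener()` reproduces the Update #2 trick of binding a throwaway listener so the container and its services are out of the picture, and `diagnose()` turns a host-side and a remote-side result into the next place to look. Running it on loopback, as the `__main__` block does, only exercises the open and closed cases; the timeout threshold and the wording in `diagnose()` are assumptions of this example.

```python
import socket
import threading

# Result labels, chosen to match nmap's port states.
OPEN, CLOSED, FILTERED, UNREACHABLE = "open", "closed", "filtered", "unreachable"


def probe(host, port, timeout=3.0):
    """One TCP connect to host:port, classified by what came back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN                     # SYN/ACK: something accepted it
    except socket.timeout:
        return FILTERED                 # nothing at all: a DROP somewhere on the path
    except ConnectionRefusedError:
        return CLOSED                   # RST: host reached, nothing accepting the port
    except OSError:
        return UNREACHABLE              # no route, DNS failure, etc.
    finally:
        s.close()


def start_dummy_listener(port=0, host="127.0.0.1"):
    """Bind a throwaway TCP listener (the SimpleHTTPServer trick from Update #2,
    minus HTTP) and return (server_socket, bound_port). port=0 picks a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:             # listener was closed: stop
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port(host="127.0.0.1"):
    """Return a port that is currently free (bound and released), so a probe of it
    gets a RST. Used to demonstrate the CLOSED outcome locally."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def diagnose(from_host, from_remote):
    """Map (result seen on the host itself, result seen from a remote client)
    for the same port to the next thing worth checking."""
    if from_host != OPEN:
        return "host: nothing accepts the port locally; check the listener (ss -ntlp) and the DOCKER chain"
    if from_remote == OPEN:
        return "ok: reachable end to end"
    if from_remote == CLOSED:
        return "host: packets arrive but are refused; look for a REJECT rule (ufw) or a listener bound to 127.0.0.1 only"
    if from_remote == FILTERED:
        return "path: SYNs are silently dropped before the host; a DROP on the host or a firewall between the client and the host (e.g. the provider's)"
    return "path: no route from the client to the host"


if __name__ == "__main__":
    srv, port = start_dummy_listener()
    print(f"listener on 127.0.0.1:{port}: host-side probe ->", probe("127.0.0.1", port))
    srv.close()
    print(f"released port {port}: probe ->", probe("127.0.0.1", port))
    # The post's situation: fine from the host, timed out from outside.
    print(diagnose(OPEN, FILTERED))
```

In the post, the host-side telnet connected while the remote telnet timed out and nmap reported "filtered", i.e. (OPEN, FILTERED); that combination points at the path, not at Dovecot, Postfix or the DOCKER chain, which is exactly where the provider's hardware firewall turned out to be. A CLOSED from outside would instead have pointed back at the host (a ufw REJECT, or a listener bound only to loopback).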