I used this for my Yunohost, and there’s an issue with this.
I’ve been getting outside spam sent through my server, and I couldn’t figure out why. There are no compromised accounts, nor any malformed PHP scripts. Blocking port 25 took care of the problem, but looking at the postfix configuration files, I believe that Yunohost is configured to accept any emails coming from localhost/127.0.0.1 as automatically valid.
The problem being, because of how the proxy works, a quick `netstat` shows all connections as coming from `127.0.0.1`. Observe:
```
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:389 127.0.0.1:59096 ESTABLISHED 427/slapd
tcp 0 0 127.0.0.1:55064 127.0.0.1:389 TIME_WAIT -
tcp 0 0 127.0.0.1:59092 127.0.0.1:389 ESTABLISHED 895/nginx: worker p
tcp 0 0 127.0.0.1:389 127.0.0.1:58064 ESTABLISHED 427/slapd
tcp 0 0 127.0.0.1:58984 127.0.0.1:389 ESTABLISHED 713/nslcd
tcp 0 0 127.0.0.1:59096 127.0.0.1:389 ESTABLISHED 895/nginx: worker p
tcp 0 0 127.0.0.1:58046 127.0.0.1:389 ESTABLISHED 713/nslcd
tcp 0 0 127.0.0.1:58064 127.0.0.1:389 ESTABLISHED 713/nslcd
tcp 0 0 127.0.0.1:389 127.0.0.1:59092 ESTABLISHED 427/slapd
tcp 0 0 127.0.0.1:389 127.0.0.1:58068 ESTABLISHED 427/slapd
tcp 0 0 127.0.0.1:389 127.0.0.1:58046 ESTABLISHED 427/slapd
tcp 0 0 127.0.0.1:51928 127.0.0.1:3306 ESTABLISHED 341/node
tcp 0 0 127.0.0.1:58068 127.0.0.1:389 ESTABLISHED 713/nslcd
tcp 0 0 127.0.0.1:53920 127.0.0.1:57300 ESTABLISHED -
tcp 0 0 127.0.0.1:389 127.0.0.1:59654 ESTABLISHED 427/slapd
tcp 0 0 127.0.0.1:57300 127.0.0.1:53920 ESTABLISHED 1159/sshd: admin [p
tcp 0 0 127.0.0.1:59654 127.0.0.1:389 ESTABLISHED 713/nslcd
tcp 0 0 127.0.0.1:389 127.0.0.1:58984 ESTABLISHED 427/slapd
tcp6 0 0 127.0.0.1:3306 127.0.0.1:51928 ESTABLISHED 460/mysqld
udp 0 0 127.0.0.1:54948 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:44202 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:54957 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:47278 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:44206 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:55492 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:42693 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:34502 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:44240 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:49368 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:60648 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:54003 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:55543 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:40705 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:51971 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:44300 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:41741 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:42805 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:41273 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:52029 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:45394 127.0.1.1:53 ESTABLISHED 895/nginx: worker p
udp 0 0 127.0.0.1:42335 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:37728 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:56164 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:52075 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:54635 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:58235 127.0.0.1:53 ESTABLISHED 895/nginx: worker p
udp 0 0 127.0.0.1:35232 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:60323 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:47556 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:40902 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:53220 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:56805 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:39415 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:37891 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:54796 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:46113 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:54315 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:51256 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:39992 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:37438 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:52326 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:56423 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:50798 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:47239 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:47751 127.0.0.1:53 ESTABLISHED 881/rspamd: normal
udp 0 0 127.0.0.1:48779 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:42128 127.0.0.1:53 ESTABLISHED 880/rspamd: control
udp 0 0 127.0.0.1:47250 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp 0 0 127.0.0.1:36504 127.0.0.1:53 ESTABLISHED 879/rspamd: rspamd_
udp6 0 0 ::1:47282 ::1:47282 ESTABLISHED 542/postgres
```
Apparently poorly configured load balancers have a similar problem. (It still won’t let me connect as root, though I suspect that’s simply because I never gave it a key for root login.)
So this may not be tenable for general users without some reconfiguration. If I’m reading this correctly, a quick fix would be to send the host machine’s IP instead of `127.0.0.1` to the proxy `connect`, so that it doesn’t think the requests are coming from `localhost`.
However, a more robust fix would be to also give your container a static IP, and add `nat=true` to the proxy device so the actual originating IP of the request is passed. But the command line for this is a bit different. Assuming an IP of `192.0.2.0` for the host and `192.0.2.1` for the container, this should work…

```
$ lxc config device add mycontainer myport80 proxy listen=tcp:192.0.2.0:80 connect=tcp:192.0.2.1:80 nat=true
```
This didn’t actually work for me, but my NAT configuration is probably slightly funky; that said, it still functions like the first option, so it’s not going to do any harm (as far as I know). NAT seems to make it run faster too, but that might just be because it’s not choked full of spam.
It’s a really simple and useful command; just make sure it doesn’t turn outside traffic into `localhost` traffic, or postfix will send every single email it’s asked to.
tl;dr: Don’t proxy to 127.0.0.1 or postfix will send spam constantly!
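The risk described in this post can be checked for before it bites: an added audit script (example code, not from the post or from LXD/Yunohost) that flags proxy devices whose `connect` target is a loopback address without `nat=true`, and cross-checks whether Postfix inside the container trusts loopback through `mynetworks`. The device names and both samples are constructed, and the `connect` parser assumes the `tcp:IPv4:port` form used above.

```python
# Added audit helper, not code from the original post: flag LXD proxy devices
# that deliver traffic to a container as loopback, then check whether Postfix
# inside the container trusts loopback via mynetworks. Names are hypothetical.
import ipaddress
# Constructed sample of `lxc config device show <container>` output.
SAMPLE_DEVICES = """\
myport25:
  connect: tcp:127.0.0.1:25
  type: proxy
myport80:
  connect: tcp:192.0.2.1:80
  nat: "true"
  type: proxy
"""
SAMPLE_MYNETWORKS = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"  # constructed `postconf -h mynetworks`


def parse_devices(text):
    """Parse the 'name:' / '  key: value' layout into {name: {key: value}}."""
    devices, current = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            current = line.rstrip(":").strip()
            devices[current] = {}
        elif line.strip() and current is not None:
            key, _, value = line.strip().partition(":")
            devices[current][key.strip()] = value.strip().strip('"')
    return devices


def loopback_proxy_devices(devices):
    """Proxy devices without nat=true whose connect target is loopback: the container sees every client as localhost."""
    flagged = []
    for name, dev in devices.items():
        if dev.get("type") != "proxy" or dev.get("nat") == "true":
            continue
        parts = dev.get("connect", "").split(":")  # assumes tcp:IPv4:port
        if len(parts) == 3 and ipaddress.ip_address(parts[1]).is_loopback:
            flagged.append(name)
    return flagged


def postfix_trusts_loopback(mynetworks):
    """True if any mynetworks entry covers 127.0.0.1 or ::1."""
    loopbacks = (ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1"))
    for entry in mynetworks.split():
        net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        if any(lb in net for lb in loopbacks):
            return True
    return False


def open_relay_risk(devices, mynetworks):
    """Relay risk: a loopback proxy feeding a Postfix that trusts loopback."""
    return bool(loopback_proxy_devices(devices)) and postfix_trusts_loopback(mynetworks)
```

Run it against real `lxc config device show` and `postconf -h mynetworks` output; a flagged device plus a trusting `mynetworks` is exactly the open-relay condition the post describes.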