Deploying using docker compose from example results in an open relay config

[feisuzhu]

Support guidelines

• I've read the support guidelines

I've found a bug and checked that ...

• ... the documentation does not mention anything about my problem
• ... there are no open or closed issues that are related to my problem

Description

See title.

Expected behaviour

Deny relaying mail.

Actual behaviour

Allow relaying for any domain.

Steps to reproduce

1. Setup an anonaddy instance using docker compose

Docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
  scan: Docker Scan (Docker Inc.)
    Version:  v0.23.0
    Path:     /usr/libexec/docker/cli-plugins/docker-scan

Server:
 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 19
 Server Version: 24.0.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
 Kernel Version: 5.4.0-147-generic
 Operating System: Ubuntu 20.04.6 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.771GiB
 Name: thbattle.net
 ID: ZORI:BSXV:PKIM:M23M:YGI5:5WDB:ENUK:SAYG:DDSI:4TCN:KRKA:DSTM
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Docker Compose config

Unmodified from examples

Logs

May 31 15:32:52 mail postfix/smtp[986]: connect to renjuoffline-com.mail.protection.outlook.com[2a01:111:f403:c801::1]:25: Network unreachable
May 31 15:32:52 mail postfix/smtp[995]: connect to mx3.qq.com[240d:c040:1:40::133]:25: Network unreachable
May 31 15:32:52 mail postfix/smtp[1034]: connect to mx3.qq.com[240d:c040:1:40::133]:25: Network unreachable
May 31 15:32:52 mail postfix/smtp[1002]: 2E5C742880: to=<11bnvrjh@portaventuraworld.com>, relay=mxa-008d1f01.gslb.pphosted.com[66.159.232.228]:25, delay=1310, delays=1308/0.01/1.8/0, dsn=4.0.0, status=deferred (host mxa-008d1f01.gslb.pphosted.com[66.159.232.228] refused to talk to me: 554 Blocked - see https://ipcheck.proofpoint.com/?ip=172.104.68.55)
May 31 15:32:52 mail postfix/smtp[992]: connect to renjuoffline-com.mail.protection.outlook.com[2a01:111:f403:f907::1]:25: Network unreachable
May 31 15:32:52 mail postfix/smtp[1002]: connect to renjuoffline-com.mail.protection.outlook.com[2a01:111:f403:f907::1]:25: Network unreachable
May 31 15:32:52 mail postfix/smtp[983]: 5255542782: to=<82yqtajccowa@jurgenallewijn.nl>, relay=mailsec.protonmail.ch[185.205.70.129]:25, delay=1141, delays=1139/1.2/0.67/0.26, dsn=5.1.1, status=bounced (host mailsec.protonmail.ch[185.205.70.129] said: 550 5.1.1 <82yqtajccowa@jurgenallewijn.nl>: Recipient address rejected: Address does not exist (in reply to RCPT TO command))
May 31 15:32:52 mail postfix/smtp[1020]: DD33C428D3: host renjuoffline-com.mail.protection.outlook.com[52.101.41.6] said: 451 4.4.4 Mail received as unauthenticated, incoming to a recipient domain configured in a hosted tenant which has no mail-enabled subscriptions. ATTR5 [SJ1PEPF00001CE9.namprd03.prod.outlook.com 2025-05-31T07:32:52.287Z 08DD9FF1B34EB0F7] (in reply to RCPT TO command)
May 31 15:32:52 mail postfix/smtp[991]: E53D6427C6: to=<82uisef@jurgenallewijn.nl>, relay=mailsec.protonmail.ch[185.70.42.129]:25, delay=1138, delays=1135/1.3/0.67/0.26, dsn=5.1.1, status=bounced (host mailsec.protonmail.ch[185.70.42.129] said: 550 5.1.1 <82uisef@jurgenallewijn.nl>: Recipient address rejected: Address does not exist (in reply to RCPT TO command))
May 31 15:32:52 mail postfix/smtp[988]: DFD554289F: host renjuoffline-com.mail.protection.outlook.com[52.101.40.2] said: 451 4.4.4 Mail received as unauthenticated, incoming to a recipient domain configured in a hosted tenant which has no mail-enabled subscriptions. ATTR5 [CY4PEPF0000E9DB.namprd05.prod.outlook.com 2025-05-31T07:32:52.343Z 08DD9FAD6BF621FF] (in reply to RCPT TO command)
May 31 15:32:52 mail postfix/smtp[1015]: 3283142874: to=<82fmhshgye@jurgenallewijn.nl>, relay=mailsec.protonmail.ch[176.119.200.129]:25, delay=1134, delays=1132/1.2/0.77/0.27, dsn=5.1.1, status=bounced (host mailsec.protonmail.ch[176.119.200.129] said: 550 5.1.1 <82fmhshgye@jurgenallewijn.nl>: Recipient address rejected: Address does not exist (in reply to RCPT TO command))
May 31 15:32:52 mail postfix/smtp[1016]: D73BD42835: to=<82qzpzpqgl@jurgenallewijn.nl>, relay=mailsec.protonmail.ch[185.70.42.129]:25, delay=1311, delays=1308/1.3/0.68/0.26, dsn=5.1.1, status=bounced (host mailsec.protonmail.ch[185.70.42.129] said: 550 5.1.1 <82qzpzpqgl@jurgenallewijn.nl>: Recipient address rejected: Address does not exist (in reply to RCPT TO command))
May 31 15:32:52 mail postfix/smtp[1020]: connect to renjuoffline-com.mail.protection.outlook.com[2a01:111:f403:c946::5]:25: Network unreachable
May 31 15:32:52 mail postfix/smtp[1020]: connect to renjuoffline-com.mail.protection.outlook.com[2a01:111:f403:f907::1]:25: Network unreachable
May 31 15:32:52 mail postfix/smtp[1005]: 10DC242724: to=<215304081@qq.com>, relay=mx3.qq.com[203.205.219.57]:25, conn_use=2, delay=3104, delays=3101/1.5/0.07/0.58, dsn=2.0.0, status=sent (250 OK: queued as.)
May 31 15:32:52 mail postfix/qmgr[980]: 10DC242724: removed
May 31 15:32:52 mail postfix/smtp[984]: 1DD1B4271E: to=<969723909@qq.com>, relay=mx3.qq.com[203.205.219.57]:25, conn_use=2, delay=3106, delays=3103/1.6/0.08/0.54, dsn=2.0.0, status=sent (250 OK: queued as.)
May 31 15:32:52 mail postfix/qmgr[980]: 1DD1B4271E: removed
May 31 15:32:52 mail postfix/smtp[987]: 46AB8428A2: to=<82aqldpancm@jurgenallewijn.nl>, relay=mailsec.protonmail.ch[185.70.42.129]:25, delay=1134, delays=1132/1.3/0.68/0.26, dsn=5.1.1, status=bounced (host mailsec.protonmail.ch[185.70.42.129] said: 550 5.1.1 <82aqldpancm@jurgenallewijn.nl>: Recipient address rejected: Address does not exist (in reply to RCPT TO command))
May 31 15:32:52 mail postfix/smtp[993]: 81306427A4: host renjuoffline-com.mail.protection.outlook.com[52.101.41.6] said: 451 4.4.4 Mail received as unauthenticated, incoming to a recipient domain configured in a hosted tenant which has no mail-enabled subscriptions. ATTR5 [SJ1PEPF00001CE9.namprd03.prod.outlook.com 2025-05-31T07:32:52.446Z 08DD9FF1B34EB112] (in reply to RCPT TO command)
May 31 15:32:52 mail postfix/qmgr[980]: 5255542782: removed
May 31 15:32:52 mail postfix/smtp[988]: connect to renjuoffline-com.mail.protection.outlook.com[2a01:111:f403:c902::3]:25: Network unreachable

Additional info

It was caused by the bridge & docker-proxy, they hided the source ip, and postfix will always treat them as 'requests from local net', allowing relaying.

See https://github.com/anonaddy/docker/blob/master/rootfs/etc/cont-init.d/15-config-postfix.sh#L72,
and for my setup, source ip is always 172.19.0.1.

I have switched to host network to workaround this.

[RichyHBM]

Could this be related/the same as #290 ?