How to get spooler to authenticate to smtp?


  • I cannot seem to find ANYTHING about getting it to do that… Like, at all. All the guides seem to suggest and require that spooler and smtp are on the same network and configure the smtp to accept everything in that network without auth. But, that doesn’t work at all in any network with a source-NATed inbound connection, such as many Kubernetes and all Docker Swarm setups, as well as many other setups, because in such setups, ALL traffic is seen as being from within the local network.

  • Kopano

    Hi @EtherMan,

    You cannot find any documentation for this, as this is simply not possible at the moment. Spooler expects to make unauthenticated connections to a local MTA, which could then relay the messages to a server needing authentication.

    In postfix you can use the mynetworks setting to control which network segments (or single IPs) can send without authentication.


  • @fbartels

    You didn’t read it, it seems. Setting mynetworks in postfix to the local subnet would permit EVERYTHING, because the reverse proxy, something both Kubernetes and Swarm rely on, is normally seen as the source. The only way to avoid it for those is to use an external load balancer which is a single entrypoint. I tried looking at ways around that, but it seems postfix, even though it supports the Proxy protocol and thus can log the real IP, doesn’t actually resolve that prior to determining if the client is an allowed client for relaying or not. Setting a single IP is also not an option in such environments, since IPs change constantly. Every single update that happens on the spooler pod changes its IP and thus would require a change to the postfix config as well, and mail could not be sent in the meantime. Not really an acceptable solution… Why ever would spooler in this day and age not support something as basic as authentication to the smtp? Seems like a huge oversight.

  • Kopano

    You don’t need to know the exact IP of the pod, but you can have an internal network for this. In a first thought kopano-server, kopano-spooler and your MTA need to be part of this network. Then you can allow services from this network to send mails without authentication, so no need to allow EVERYTHING. And not everything that can be considered basic or easy is really necessary, which is the main reason why spooler does not know how to authenticate itself towards an MTA. If you feel this is a must-have feature then you are welcome to submit a patch for it. If you don’t feel that you could create such a feature yourself then you are also welcome to pay someone (e.g. Kopano b.v.) to implement such a feature for you. And now I am wondering what else I could still write to demonstrate how difficult it is to read posts that do not use line breaks or paragraphs, but I cannot really think of something else… ;-)


  • @fbartels

    I’m sorry, but you’re not reading… That internal network is something that already exists. It is in fact the one and only way k8s works. You MUST have that internal network. But, even on an internal network, the various services have an IP… That is NOT fixed. And that range does include the ingress services, as in, the reverse proxy that directs traffic to all resources within k8s, be it through the use of nodePort or a reverse proxy. All connections, as far as postfix sees them, are from that same internal range. There’s no way around that.

    The ONLY way around that is by completely disabling inter-node routing and having an external load balancer that directs the traffic only to the node that has the service. That load balancer then becomes a single point of failure.

    While a patch could certainly be developed for it… You not even understanding the problem leaves little confidence that such a patch would be accepted even if made.

    And your own paragraph is no shorter than mine, so complaining about a long paragraph is ridiculous when you’re doing the exact same thing, nor is it in ANY way difficult to read a paragraph that is not even 6 lines. Just look up any basic writing course on paragraphs and you’ll find many, MANY examples of using much longer paragraphs. I’m not proclaiming to be some expert on writing style, but paragraph length is certainly not one of the faults.

  • Kopano

    In docker-compose (and therefore most likely usable in swarm) you can define additional networks. This is what I was talking about.

    • Don’t disable the default network (even if that would be possible)
    • do not allow all services in your internal network to send
    • but define a new network that consists of your MTA and kopano-spooler
      • (kopano-server, on second thought, does not need to be part of this network)
    • and allow all services in this network to send mail.

    @EtherMan said in How to get spooler to authenticate to smtp?:

    You not even understanding the problem

    I am just trying to explain to you ways around this problem.

    @EtherMan said in How to get spooler to authenticate to smtp?:

    And your own paragraph is no shorter than mine so complaining about a long paragraph is ridiculous when you’re doing the exact same thing

    Yes, I did it on purpose to drive my point across.

    Sure, there may be valid reasons to write page-long paragraphs, but using more frequent line breaks helps with readability, especially when you are touching multiple topics. You know, make it as easy as possible for strangers on the internet to provide the help you are asking for. Especially if you do not directly compensate them monetarily.
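    The arrangement described in the list above (a dedicated network holding only the MTA and kopano-spooler, with postfix trusting exactly that subnet), written out as an added docker-compose illustration that is not from this thread or from Kopano’s own documentation. Image names, the 10.89.0.0/24 subnet and the environment variable names are placeholders to adapt; the spooler.cfg keys smtp_server and smtp_port are the settings they stand for, and for Swarm the network driver would be overlay instead of bridge.

```yaml
# docker-compose.yml (added illustration; placeholder names throughout)
version: "3.7"

networks:
  default:                  # the normal application network is left untouched
  mailrelay:                # dedicated network: only the MTA and the spooler join it
    driver: bridge          # use "overlay" for a Swarm stack
    ipam:
      config:
        - subnet: 10.89.0.0/24   # constructed; choose a range that overlaps nothing else

services:
  kopano-server:
    image: example/kopano-server     # placeholder image
    networks:
      - default                      # deliberately NOT on mailrelay

  kopano-spooler:
    image: example/kopano-spooler    # placeholder image
    environment:
      # placeholder variables standing in for smtp_server / smtp_port in spooler.cfg;
      # the MTA is reached by its compose service name on the mailrelay network
      SMTP_SERVER: postfix
      SMTP_PORT: "25"
    networks:
      - default
      - mailrelay

  postfix:
    image: example/postfix           # placeholder image
    networks:
      - mailrelay                    # not on default: ingress/proxy traffic never reaches it
    volumes:
      - ./main.cf:/etc/postfix/main.cf:ro

# Matching lines in ./main.cf (mounted above). Only the mailrelay subnet is
# trusted, so a source address from the default network cannot relay:
#
#   mynetworks = 127.0.0.0/8 [::1]/128 10.89.0.0/24
#   smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
#   relayhost = [upstream.example.net]:587      # the MTA, not spooler, authenticates upstream
```

    A quick check after `docker-compose up` is `docker network inspect <project>_mailrelay`, which should list only the postfix and kopano-spooler containers; anything else attached to that network would also be allowed to relay.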


  • @fbartels

    Doesn’t

    work

    like

    that

    in

    neither

    Swarm

    nor

    kubernetes

    no.

    Sorry.

    Is this line breaking preferable to you? Did that become easier to read? And I didn’t touch on multiple points. It really was a single point I was discussing, and as far as I’m aware, in the English language a change of paragraph is for when you change the subject, timeframe or similar. In no way do you drive your point across about somehow “unreadable paragraph lengths” by you yourself using a perfectly readable and short paragraph.

  • Kopano

    If you think this is a good way to communicate, then I no longer have an interest in helping you. Goodbye.

    /unsubscribe


  • @fbartels Personal? Wherever did I get personal?

    And since you edited: Good way to communicate? You were complaining about my formatting, a formatting that is acceptable English everywhere else, a style that is used throughout your own manuals… I have absolutely no idea how to change it in order to make it conform to your standard, because you have not GIVEN any other standard to adhere to. All you’ve said is that paragraphs are too long, OK, so I shortened it. That wasn’t good enough and you wanted them even shorter… And now you somehow took offense because I shortened it too much?

    It’s like you’re trying to deflect the problem in Spooler to try and point to something, ANYTHING else in order to avoid answering. I seriously hope that’s not the case, but it certainly is looking more and more like that is what this is currently about…