2016-09-15 35 views

I want to set up some containers to manage my personal email on my VPS. Docker and inconsistent IP addresses from the host

I set up TLS encryption for the Postfix server. While setting up SPF to identify forged email, I found that the reported IP is not the same depending on whether encryption is used:

When receiving email from some senders:

Received: from zproxy.mydomain.com (zproxy110.mydomain.com [137.**.**.**]) 
    by localhost (Postfix) with ESMTP id 5250459F 

When receiving email from my Gmail account (TLS enabled):

Received: from mail-lf0-x241.google.com (dockerhost [172.18.0.1]) 
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) 
    (No client certificate requested) 
    by localhost (Postfix) with ESMTPS id 2EDEF59F 

When receiving email from another network:

Received: from cabale.usenet-fr.net (dockerhost [172.18.0.1]) 
    by localhost (Postfix) with ESMTP id 834F8520 

It looks like the reported IP is the Docker host's IP ... on a random basis, using IP 172.18.0.1. Besides being a problem in itself, it also affects SPF, because email from Google gets marked as SoftFail since the IP is not permitted.

I haven't been able to understand why some servers (always) report the dockerhost IP and some don't. It is unrelated to TLS encryption, which is what I considered first.

This is my master.cnf file:

# appending .domain is the MUA's job. 
append_dot_mydomain = no 

# Uncomment the next line to generate "delayed mail" warnings 
#delay_warning_time = 4h 

readme_directory = no 

# TLS parameters 
smtpd_tls_cert_file = /etc/ssl/certs/postfix-cert.pem 
smtpd_tls_key_file = /etc/ssl/private/postfix-cert.key 
smtpd_use_tls=yes 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache 

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for 
# information on enabling SSL in the smtp client. 

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination check_policy_service unix:private/policy-spf 
myhostname = localhost 
alias_maps = hash:/etc/aliases 
alias_database = hash:/etc/aliases 
mydestination = /etc/mailname, 11687faae091, localhost.localdomain, localhost 
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 
mailbox_size_limit = 0 
recipient_delimiter = + 
inet_interfaces = all 
inet_protocols = all 
virtual_gid_maps = static:5000 
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf 
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf 
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf 
virtual_transport = dovecot 
dovecot_destination_recipient_limit = 1 
smtpd_tls_loglevel = 1 
smtpd_tls_received_header = yes 
smtpd_tls_security_level = may 
smtpd_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2 
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2 
smtpd_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4 
smtpd_tls_mandatory_ciphers = high 
smtp_tls_security_level = may 
smtp_tls_loglevel = 1 
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2 
smtp_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2 
smtp_tls_mandatory_exclude_ciphers = aNULL,MD5,RC4 
policy-spf_time_limit = 3600s 

And my main.cnf file:

smtp  inet n  -  n  -  -  smtpd 
pickup  unix n  -  n  60  1  pickup 
cleanup unix n  -  n  -  0  cleanup 
qmgr  unix n  -  n  300  1  qmgr 
tlsmgr  unix -  -  n  1000? 1  tlsmgr 
rewrite unix -  -  n  -  -  trivial-rewrite 
bounce  unix -  -  n  -  0  bounce 
defer  unix -  -  n  -  0  bounce 
trace  unix -  -  n  -  0  bounce 
verify  unix -  -  n  -  1  verify 
flush  unix n  -  n  1000? 0  flush 
proxymap unix -  -  n  -  -  proxymap 
proxywrite unix -  -  n  -  1  proxymap 
smtp  unix -  -  n  -  -  smtp 
relay  unix -  -  n  -  -  smtp 
showq  unix n  -  n  -  -  showq 
error  unix -  -  n  -  -  error 
retry  unix -  -  n  -  -  error 
discard unix -  -  n  -  -  discard 
local  unix -  n  n  -  -  local 
virtual unix -  n  n  -  -  virtual 
lmtp  unix -  -  n  -  -  lmtp 
anvil  unix -  -  n  -  1  anvil 
scache  unix -  -  n  -  1  scache 
maildrop unix -  n  n  -  -  pipe flags=DRhu 
    user=vmail argv=/usr/bin/maildrop -d ${recipient} 
uucp  unix -  n  n  -  -  pipe flags=Fqhu 
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) 
ifmail  unix -  n  n  -  -  pipe flags=F user=ftn 
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) 
bsmtp  unix -  n  n  -  -  pipe flags=Fq. 
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient 
scalemail-backend unix - n  n  -  2  pipe flags=R 
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} 
    ${user} ${extension} 

mailman unix -  n  n  -  -  pipe flags=FR 
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} 
    ${user} 
dovecot unix -  n  n  -  -  pipe 
    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -a ${recipient} 
submission inet n  -  -  -  -  smtpd 
    -o smtpd_tls_security_level=encrypt 
    -o smtpd_sasl_auth_enable=yes 
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject 
policy-spf unix -  n  n  -  -  spawn 
    user=nobody argv=/usr/bin/policyd-spf 

Where does this behavior come from, and how can I fix it so that the reported IP is the actual one?

EDIT: OK, I just tested from another provider, and it looks like encryption may have nothing to do with it:

Received: from o1.30e.fshared.sendgrid.net (o1.30e.fshared.sendgrid.net [167.89.55.41]) 
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) 
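An added example (not from the original post) that audits Received: headers like the ones quoted above: it parses the peer address Postfix recorded and flags messages whose peer is a Docker bridge address, since an SPF verdict computed from that address says nothing about the real sender. The sample headers are constructed from the question, with a documentation address standing in for the masked 137.x.x.x one.

```python
import ipaddress
import re

# Constructed sample Received: headers modelled on the ones quoted in the question;
# 198.51.100.10 is a documentation address standing in for the masked real IP.
SAMPLE_HEADERS = [
    "Received: from zproxy.mydomain.com (zproxy110.mydomain.com [198.51.100.10])\n"
    "    by localhost (Postfix) with ESMTP id 5250459F",
    "Received: from mail-lf0-x241.google.com (dockerhost [172.18.0.1])\n"
    "    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n"
    "    by localhost (Postfix) with ESMTPS id 2EDEF59F",
    "Received: from cabale.usenet-fr.net (dockerhost [172.18.0.1])\n"
    "    by localhost (Postfix) with ESMTP id 834F8520",
]

# Private ranges Docker uses for bridge networks (172.18.0.1 in the question is
# the host's address on such a bridge). A peer inside them is the Docker proxy,
# not the remote MTA, so any SPF result derived from it is meaningless.
PRIVATE_NETS = [
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Postfix writes "from HELO (rDNS [IP])"; only the first line is needed.
RECEIVED_RE = re.compile(r"^Received: from (\S+) \(([^\s\[]+) \[([^\]]+)\]\)")


def audit_received(header: str) -> dict:
    """Parse one Received: header and report whether the recorded peer IP is
    a Docker-bridge address (origin masked) instead of the real sender."""
    m = RECEIVED_RE.match(header)
    if not m:
        raise ValueError("not a Postfix-style Received header")
    helo, rdns, ip_text = m.groups()
    if ip_text.startswith("IPv6:"):      # Postfix prefixes IPv6 literals this way
        ip_text = ip_text[len("IPv6:"):]
    ip = ipaddress.ip_address(ip_text)
    masked = any(ip in net for net in PRIVATE_NETS)
    return {"helo": helo, "rdns": rdns, "ip": ip_text, "masked": masked}


def masked_origin_headers(headers) -> list:
    """Return (HELO name, peer IP) for every header whose real origin was lost."""
    return [(r["helo"], r["ip"]) for r in map(audit_received, headers) if r["masked"]]


if __name__ == "__main__":
    for helo, ip in masked_origin_headers(SAMPLE_HEADERS):
        print(f"{helo}: peer {ip} is a bridge address, SPF result is unreliable")
```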

Answer

This is a known bug in current (2016-10-10) Docker versions: a userland proxy is used to bind container ports to host ports, but it has the inconsistency you are running into. I have had the same problem myself.

References:

  • https://github.com/docker/docker/issues/15086 - the base issue about the problem; the best suggested workaround is to disable the userland proxy and route the port(s) with iptables instead
  • https://github.com/docker/docker/issues/14856 - an effort to disable the userland proxy by default, but it is currently blocked, see below
  • Using "--userland-proxy=false" causes serious problems with host networking, so it is currently not recommended; see Docker issue #5618

Thanks for your answer! I couldn't determine the source of the bug, and now I know what is happening :)