I don't understand why it works to send emails to your domain without authentication and from a non-existent user.

[ivanff]

I am running docker-mailserver in the default configuration

services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    container_name: mailserver
    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
    hostname: mail.****
    env_file: mailserver.env
    # More information about the mail-server ports:
    # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
    ports:
      - "25:25"    # SMTP  (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
      - "143:143"  # IMAP4 (explicit TLS => STARTTLS)
      - "465:465"  # ESMTP (implicit TLS)
      - "587:587"  # ESMTP (explicit TLS => STARTTLS)
      - "993:993"  # IMAP4 (implicit TLS)
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - ./docker-data/dms/custom-certs/:/tmp/dms/custom-certs/:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always
    stop_grace_period: 1m
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0

swaks --ehlo mail.**** --to test@**** --from fake@**** --server mail.****:25
=== Trying mail.****:25...
=== Connected to mail.****.
<-  220 mail.**** ESMTP
 -> EHLO mail.****
<-  250-mail.****
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-ETRN
<-  250-STARTTLS
<-  250-AUTH PLAIN LOGIN
<-  250-AUTH=PLAIN LOGIN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 CHUNKING
 -> MAIL FROM:<fake@****>
<-  250 2.1.0 Ok
 -> RCPT TO:<test@****>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Wed, 22 Oct 2025 15:40:36 +0300
 -> To: test@****
 -> From: fake@****
 -> Subject: test Wed, 22 Oct 2025 15:40:36 +0300
 -> Message-Id: <20251022154036.853155@ivan-office>
 -> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 -> 
 -> This is a test mailing
 -> 
 -> 
 -> .
<-  250 2.0.0 Ok: queued as 02D0FE34
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

users:

test@**** - exists

fake@**** - not exists

it turns out that anyone can connect to SMTP and try to send any number of emails across domains without any authentication.

[audioscavenger]

how about this

# Configures the handling of creating mails with forged sender addresses.
#
# **0** => (not recommended) Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address (see also https://en.wikipedia.org/wiki/Email_spoofing).
# 1 => Mail spoofing denied. Each user may only send with their own or their alias addresses. Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
SPOOF_PROTECTION=0

[ivanff]

Thank you for responding, and for trying to help. I've enabled this environment variable, but absolutely nothing has changed. emails from non-existent addresses continue to be accepted by any existing address in my domain.

here is the container's log.

2025-10-23T08:41:07.795656+03:00 mail dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=172.19.0.2, lip=172.19.0.3, mpid=1292, TLS, session=<Q6s14cxB0t+sEwAC>
2025-10-23T08:41:07.807856+03:00 mail dovecot: imap([email protected])<1292><Q6s14cxB0t+sEwAC>: Disconnected: Logged out in=156 out=1137 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
2025-10-23T08:41:08.159514+03:00 mail postfix/postscreen[1026]: CONNECT from [172.19.0.1]:44612 to [172.19.0.3]:25
2025-10-23T08:41:08.159548+03:00 mail postfix/postscreen[1026]: PASS OLD [172.19.0.1]:44612
2025-10-23T08:41:08.181878+03:00 mail postfix/smtpd[1027]: connect from my-hostname-infra[172.19.0.1]
2025-10-23T08:41:08.351985+03:00 mail policyd-spf[1036]: : prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=172.19.0.1; helo=mail.example.com; [email protected]; receiver=example.com 
2025-10-23T08:41:08.352666+03:00 mail postfix/smtpd[1027]: 5614062: client=my-hostname-infra[172.19.0.1]
2025-10-23T08:41:08.398123+03:00 mail postfix/cleanup[1037]: 5614062: message-id=<20251023084108.906440@ivan-office>
2025-10-23T08:41:08.416570+03:00 mail opendkim[868]: 5614062: my-hostname-infra [172.19.0.1] not internal
2025-10-23T08:41:08.416580+03:00 mail opendkim[868]: 5614062: not authenticated
2025-10-23T08:41:08.418184+03:00 mail opendkim[868]: 5614062: no signature data
2025-10-23T08:41:08.445832+03:00 mail opendmarc[876]: 5614062: example.com fail
2025-10-23T08:41:08.547195+03:00 mail postfix/qmgr[968]: 5614062: from=<[email protected]>, size=666, nrcpt=1 (queue active)
2025-10-23T08:41:08.570093+03:00 mail postfix/smtpd[1027]: disconnect from my-hostname-infra[172.19.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2025-10-23T08:41:08.590138+03:00 mail postfix/smtp-amavis/smtp[1038]: 5614062: prepend: header Message-Id: <20251023084108.906440@ivan-office>: X-MS-Reactions: disallow
2025-10-23T08:41:08.609380+03:00 mail postfix/smtpd-amavis/smtpd[1060]: 94BF7BF6E: client=localhost[127.0.0.1]
2025-10-23T08:41:08.610335+03:00 mail postfix/cleanup[1037]: 94BF7BF6E: message-id=<20251023084108.906440@ivan-office>
2025-10-23T08:41:08.614004+03:00 mail postfix/smtpd-amavis/smtpd[1060]: disconnect from localhost[127.0.0.1] ehlo=1 mail=2 rcpt=2 data=2 noop=1 quit=1 commands=9
2025-10-23T08:41:08.614084+03:00 mail postfix/qmgr[968]: 94BF7BF6E: from=<[email protected]>, size=918, nrcpt=1 (queue active)
2025-10-23T08:41:08.615119+03:00 mail dovecot: lmtp(1042): Connect from local
2025-10-23T08:41:08.618385+03:00 mail amavis[1019]: (01019-02) Passed CLEAN {RelayedInbound}, [172.19.0.1]:44612 <[email protected]> -> <[email protected]>, Queue-ID: 5614062, Message-ID: <20251023084108.906440@ivan-office>, mail_id: f8IGZMg6bKip, Hits: -, size: 707, queued_as: 94BF7BF6E, 70 ms
2025-10-23T08:41:08.619348+03:00 mail postfix/smtp-amavis/smtp[1038]: 5614062: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.39, delays=0.32/0/0/0.07, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 94BF7BF6E)
2025-10-23T08:41:08.619500+03:00 mail postfix/qmgr[968]: 5614062: removed
2025-10-23T08:41:08.628226+03:00 mail postfix/lmtp[1041]: 94BF7BF6E: to=<[email protected]>, relay=mail.example.com[/var/run/dovecot/lmtp], delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> 4JOjJPS/+WgSBAAAGWd5GQ Saved)
2025-10-23T08:41:08.628315+03:00 mail dovecot: lmtp([email protected])<1042><4JOjJPS/+WgSBAAAGWd5GQ>: sieve: msgid=<20251023084108.906440@ivan-office>: stored mail into mailbox 'INBOX'

[polarathene]

it turns out that anyone can connect to SMTP and try to send any number of emails across domains without any authentication.

Have you only attempted this via swaks in the container? Security is relaxed by default if you have software running within the DMS container.

From another container or external connection, DMS should refuse to act as an OpenRelay (where anyone can submit mail to have the MTA send outbound). When DNS records like SPF are setup, those will be respected too, verifying that the connected client is authorized to send mail on behalf of that sender address domain.

If you login with credentials to port 587 or 465, you are authorized by default to use any sender address you like, regardless of if you own the domain (sending mail outbound when you do not have the authorization by that domains DNS will likely get flagged and could get your server IP blacklisted though as it'll appear to be spam / untrustworthy should that happen enough times).

The SPOOF_PROTECTION ENV feature will prevent this and restrict what your authenticated account can send mail as, should you need to enforce that for your users.

It should not be possible to submit mail through port 25 from any connecting client outside of the DMS container.

---

As for accepting mail into DMS:

• The sender address isn't checked even if it's from a mail domain you have DMS manage, only the domain has relevant security checks, unless you've added config to allow/reject sender address patterns.
• The recipient address is checked when it belongs to your managed mail domains.
  • Postfix will query the account via Dovecot and that will inform it if the account exists or not for delivery. If there is no account mailbox to store mail it'll be rejected.
  • Alternatively, you have an alias address and that may resolve to an external mail domain like Gmail. That would get relayed, so long as you've got an alias that is accepted, otherwise the recipient address will be rejected as DMS won't accept mail for relaying to another MTA without authentication.
  • Wildcard / catch-all alias addresses will result in accepting mail to any non-existent address, since that would be resolved to an internal mailbox or external MTA for delivery, Postfix will just accept that.
    • If you want a catch-all that only resolves for valid account/alias addresses, you would need to implement this yourself (doesn't make much sense though as that would largely conflict with the mail account / alias configured addresses, you'd be better off with a regexp alias instead or multiple explicit aliases).

[ivanff]

but this is a potential threat, anyone can sort through the delivery addresses in the domain served by docker-mailserver without any restrictions., and find out the real addresses.

[polarathene]

and find out the real addresses

Can you show how that is a problem? Normally when you send mail an MTA will let you know via a bounce mail if delivery failed, otherwise you might send a mail to the wrong address with a typo and be unaware?