SMTP config to use localhost or 172.17.0.1 is not working, how to debug

Continuing the discussion from How to set SMTP config to use localhost?:

I’m trying to connect to Protonmail Bridge running on the host machine, and it fails with connection refused. My settings are:

  DISCOURSE_SMTP_ADDRESS: 172.17.0.1
  DISCOURSE_SMTP_PORT: 1025

Now, nmap tests:

nmap 127.0.0.1 on the host machine outputs:

Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
1025/tcp open  NFS-or-IIS
1042/tcp open  afrog

nmap 172.17.0.1 in the Docker container does not list port 1025.

I also tried in my app.yml file, in expose section:

172.17.0.1:1025:1025

But then the Docker container failed to start, with the error “the port is already in use”.

Finally, if I try to connect using openssl from localhost:

openssl s_client -connect 127.0.0.1:1025 -starttls smtp

it works fine, but not when I try from the Docker container:

openssl s_client -connect 172.17.0.1:1025 -starttls smtp

Checking with ss on host machine:

ss -plnt
State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN   0      4096       127.0.0.1:1025      0.0.0.0:*    users:(("proton-bridge",pid=953,fd=12))

What am I doing wrong?


One thing I found in this Stack Overflow answer says:

  • you will only be able to access host services that are either (a) listening on INADDR_ANY (aka 0.0.0.0) or that are explicitly listening on the docker0 interface.

Firstly, I checked iptables --list, which I believe gives default output:

iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Now, I’m wondering if the Protonmail Bridge service that’s listening on 127.0.0.1:1025 is not accepting connections from the Docker container because they are not from 127.0.0.1 exactly?

Turns out the traffic needs to be redirected, read more here:

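Added example, not part of the original thread: a shell helper that reads `ss -plnt` output and reports how a listener on a given port is bound, which is the check that separates "listening on 127.0.0.1 only" from "reachable at the docker0 address". The name `classify_listener` is hypothetical, and every sample line except the proton-bridge one is constructed.

```shell
#!/bin/sh
# Added example: classify how a TCP listener is bound, from `ss -plnt` output.
# Usage: ss -plnt | classify_listener PORT BRIDGE_IP
# classify_listener is a hypothetical helper name, not part of any tool.
classify_listener() {
    awk -v port="$1" -v bridge="$2" '
        $1 == "LISTEN" {
            # Column 4 is Local Address:Port; split on the last colon so
            # bracketed IPv6 addresses such as [::]:25 are handled.
            if (!match($4, /:[0-9]+$/)) next
            addr = substr($4, 1, RSTART - 1)
            if (substr($4, RSTART + 1) != port) next
            gsub(/^\[|\]$/, "", addr)   # [::1] -> ::1
            sub(/%.*$/, "", addr)       # 127.0.0.53%lo -> 127.0.0.53
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") any = 1
            else if (addr == bridge) br = 1
            else if (addr ~ /^127\./ || addr == "::1") lo = 1
            else other = 1
        }
        END {
            if (any)        print "all-interfaces"  # reachable at any host address
            else if (br)    print "bridge-only"     # reachable at the docker0 address
            else if (lo)    print "loopback-only"   # reachable only via loopback on the host
            else if (other) print "other-address"
            else            print "not-listening"
        }'
}

# Constructed sample: the first LISTEN line is the one quoted in the thread,
# the remaining lines are made up to show the other cases.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:1025     0.0.0.0:*         users:(("proton-bridge",pid=953,fd=12))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
LISTEN 0      4096   172.17.0.1:2525    0.0.0.0:*         users:(("relay",pid=990,fd=5))
LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=800,fd=6))'

# Print the classification for each port of interest, using 172.17.0.1 as docker0.
for p in 1025 22 2525 631 8080; do
    printf '%s\t%s\n' "$p" "$(printf '%s\n' "$SAMPLE" | classify_listener "$p" 172.17.0.1)"
done
```

A `loopback-only` result for port 1025 matches the connection refused seen from the container. Binding the service to the docker0 address (`bridge-only`) exposes it to fewer networks than binding to 0.0.0.0.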