
Docker-proxy IPv6-to-IPv4 routing causes IPv6 remotes to be treated like local connections

High
t-lo published GHSA-x8pr-fr4h-qh7p Jun 1, 2024

Package

mailserver

Affected versions

<1.2.2

Patched versions

1.2.2

Description

Impact

If you're using Mailserver on a host that has a routable IPv6 address, you should update.

Docker-proxy handles ports published with -p / --publish. Published ports accept connections from both IPv4 and IPv6 remotes on the host by default. IPv4 connections are routed into the container with their original remote source address. IPv6 connections, however, are translated to IPv4 and arrive with the Docker host's IP as their source address, so the connection looks as if it originates from within the mailserver container's private network.

In other words, all external hosts connecting via IPv6 will be treated like local connections.

Since local networks have a different (often elevated) trust relationship with the mailserver, this potentially has security implications, depending on the respective local set-up.

Patches

mailserver-1.2.2 works around this issue by explicitly binding all published ports to IPv4 (0.0.0.0).
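A defender-side configuration check, added here as an example; it is not part of the advisory or of the mailserver project. It parses the HostConfig.PortBindings object that `docker inspect` prints (a constructed sample is embedded) and flags published ports that are not explicitly bound to an IPv4 address, which is the condition this advisory describes and the 1.2.2 workaround removes. The rule that an empty or IPv6 HostIp lets docker-proxy accept IPv6 remotes is an assumption stated in the code.

```python
import ipaddress
import json

# Constructed sample of a HostConfig.PortBindings object in the shape
# `docker inspect` prints it; not data from the mailserver project.
SAMPLE_PORT_BINDINGS = json.dumps({
    "25/tcp":   [{"HostIp": "", "HostPort": "25"}],           # Docker default: IPv4 + IPv6
    "587/tcp":  [{"HostIp": "0.0.0.0", "HostPort": "587"}],   # explicit IPv4 (the 1.2.2 fix)
    "993/tcp":  [{"HostIp": "::", "HostPort": "993"}],        # IPv6 wildcard
    "143/tcp":  [{"HostIp": "203.0.113.5", "HostPort": "143"}],  # one specific IPv4 address
    "4190/tcp": None,                                         # EXPOSEd but never published
})


def binding_reaches_ipv6(host_ip: str) -> bool:
    """True if docker-proxy may accept IPv6 remotes on this host binding.

    Assumption used as the heuristic: an empty HostIp (Docker's default) or an
    IPv6 HostIp creates an IPv6 listener, so IPv6 remotes are proxied into the
    container with the host's bridge IP as source; an explicit IPv4 HostIp
    binds IPv4 only, which is what the 1.2.2 workaround relies on.
    """
    if host_ip == "":
        return True
    try:
        return ipaddress.ip_address(host_ip).version == 6
    except ValueError:
        return True  # unrecognised form: treat as reachable over IPv6


def audit_port_bindings(port_bindings_json: str) -> list[str]:
    """Return the container ports whose publish rule lets IPv6 remotes in via
    docker-proxy, i.e. remotes that the mailserver would see as local."""
    bindings = json.loads(port_bindings_json)
    flagged = []
    for container_port, host_entries in bindings.items():
        for entry in host_entries or []:  # None means the port is not published
            if binding_reaches_ipv6(entry.get("HostIp", "")):
                flagged.append(container_port)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for port in audit_port_bindings(SAMPLE_PORT_BINDINGS):
        print(f"{port}: no explicit IPv4 bind; IPv6 remotes will appear as local connections")
```

On a live host, feed it the output of `docker inspect -f '{{json .HostConfig.PortBindings}}' <container>`.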

Workarounds

If you don't want to upgrade please consider cherry-picking e3ae638 to your start_mailserver.sh.

References

Mailserver 1.2.2 release notes https://github.com/t-lo/mailserver/releases/tag/mailserver-v1.2.2

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs