How to send emails via a TCP socket listening on localhost on the host? (rootless)

[eriksjolund]

Scenario: An SMTP server is listening on localhost port 25 (TCP) on the host. I would like to send emails from
a container. The container is running rootless (started via Podman as my non-root user).

Do you have any recommendations of how to do this? (Preferably giving as little permissions to the container as possible).

Alternative A: podman run --net host ...

Quote from podman-run.1.md
host: use the Podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure;

Alternative B: podman run --network slirp4netns:allow_host_loopback=true ...

Mentioned here:
#6912 (comment)

Quote from podman-run.1.md

• allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (10.0.2.2, which is added to /etc/hosts as host.containers.internal for your convenience). Default is false.

Alternative C: somehow forward the traffic via a Unix Domain socket

Just a speculation:
/usr/bin/nc or /usr/bin/socat might be able to listen on a Unix Domain socket and forward the traffic to a listening TCP socket.
The Unix Domain socket would then be bind-mounted into the container (command-line options --volume or --mount given to podman run).

---

Do you have any recommendations of how to send emails via a TCP socket listening on localhost on the host? (rootless)
I'm looking for the most secure way to do this. (Preferably giving as little permissions to the container as possible).
Do you have other ideas how to do this (e.g. a sidecar container)?

[Luap99]

Does the mail server listen only on localhost(127.0.0.1) or also on your eth0 interface. The container can connect to the eth0 interface ip. Only access to 127.0.0.1 via 10.0.2.2 is blocked by default.

[eriksjolund]

It only listens on localhost.

$ ss -tlnp | grep 25
LISTEN 0      100        127.0.0.1:25         0.0.0.0:*          
LISTEN 0      100            [::1]:25            [::]:*          
$ 

Unfortunately I don't have root permissions on the host. Changing this configuration will not be so easy because the host computer is maintained by another group. Thanks, for the idea, though. I'll remember the suggestion as an alternative solution.

[Luap99]

I would not recommend using --net=host unless you really need it.
I think using allow_host_loopback=true is the easiest solution. Security wise, it depends on whether you have something running on 127.0.0.1 that the container should not be allowed to connect to.
Using a UDS might be the most secure since you could limit this to one port but I am not sure how complicated this setup is, SELinux could also cause problems in this case.

[proletarius101]

Also, if you want to expose your service to the external network (i.e., not via the loopback device lo), you will also want to set --network slirp4netns:mtu=1500, rather than the default 65536. Otherwise, it will drastically degrade network performance.

The recommended MTU value depends on your egress network device.