Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: unbound container failing to resolve mailcow.email and other domains #5884

Closed
5 tasks done
patrickstump opened this issue May 23, 2024 · 2 comments
Closed
5 tasks done

bug: unbound container failing to resolve mailcow.email and other domains #5884

patrickstump opened this issue May 23, 2024 · 2 comments
Labels
bug

Comments

@patrickstump
Copy link

patrickstump commented May 23, 2024
edited

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

After running update on a previously working installation, unbound failed to start. It stated that it was unhealthy. This resulted in the message:

dependency failed to start: container mailcowdockerized-unbound-mailcow-1 is unhealthy

Which also cause postfix not to start.

After finding the health checks and setting SKIP_UNBOUND_HEALTHCHECK=y in the .env file, I was able to get my installation back up and running.

Exec'ing a bash shell in the unbound container and running the checks found in data/Dockerfiles/unbound/healthcheck.sh, I was able to find that mailcow.email was not resolving inside the shell, thus failing the health check.

307038f79db1:/etc/unbound# host mailcow.email 127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out

DNS working outside of container and other DNS

I have confirmed that my host OS can lookup mailcow.email. Also, inside the container can lookup mailcow.email when using another server like 1.1.1.1.

This seems like an unbound issue as I don't think I can find anything that has changed.
I am trying to see if something has changed with the mailcow.email domain that the root servers would not respond, but everything works for me outside of the docker container.

Git Commit

user@mail:/opt/mailcow-dockerized# git log
commit 36b5cccd186090d726de62b6b00d1e842e67aacd (HEAD, tag: 2024-04, origin/master, origin/HEAD)
Merge: 8d4ef147 9decfa9c
Author: Patrick Schult <[email protected]>
Date:   Thu Apr 4 08:50:58 2024 +0200

    Merge pull request #5819 from mailcow/staging
    
    2024-04

Firewall

I have confirmed no external firewall is blocking packets, and I confirmed the hosts's firewall was not blocking any packets.

Workaround

Edit .env config file and turn off unbound checks

`SKIP_UNBOUND_HEALTHCHECK=y
`
Then `docker-compose down` and `docker-compose up -d`.

Logs:

## Logs from startup of container:


docker logs mailcowdockerized-unbound-mailcow-1
Setting console permissions...
Receiving anchor key...
Receiving root hints...
######################################################################## 100.0%
setup in directory /etc/unbound
Certificate request self-signature ok
subject=CN = unbound-control
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use
[1716490919] unbound[1:0] notice: init module 0: validator
[1716490919] unbound[1:0] notice: init module 1: iterator
[1716490919] unbound[1:0] info: start of service (unbound 1.17.1).
[1716490931] unbound[1:0] info: generate keytag query _ta-4f66. NULL IN


## Manually running health check commands from 

```bash
307038f79db1:/etc/unbound# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=54 time=1.235 ms
^C
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.235/1.235/1.235 ms
307038f79db1:/etc/unbound# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=54 time=1.230 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.230/1.230/1.230 ms

307038f79db1:/etc/unbound# ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9): 56 data bytes
64 bytes from 9.9.9.9: seq=0 ttl=55 time=1.028 ms
^C
--- 9.9.9.9 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.028/1.028/1.028 ms

307038f79db1:/etc/unbound# host hub.docker.com 127.0.0.1

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

hub.docker.com is an alias for elb-default.us-east-1.aws.dckr.io.
elb-default.us-east-1.aws.dckr.io is an alias for prodextdefblue-be9epwf86ra-011431b53d8e1adf.elb.us-east-1.amazonaws.com.
prodextdefblue-be9epwf86ra-011431b53d8e1adf.elb.us-east-1.amazonaws.com has address 54.156.140.159
prodextdefblue-be9epwf86ra-011431b53d8e1adf.elb.us-east-1.amazonaws.com has address 52.44.227.212
prodextdefblue-be9epwf86ra-011431b53d8e1adf.elb.us-east-1.amazonaws.com has address 44.221.37.199
prodextdefblue-be9epwf86ra-011431b53d8e1adf.elb.us-east-1.amazonaws.com has IPv6 address 2600:1f18:2148:bc02:a090:6a5b:b2ff:3152
prodextdefblue-be9epwf86ra-011431b53d8e1adf.elb.us-east-1.amazonaws.com has IPv6 address 2600:1f18:2148:bc01:1983:8fd2:2dfc:a04c
prodextdefblue-be9epwf86ra-011431b53d8e1adf.elb.us-east-1.amazonaws.com has IPv6 address 2600:1f18:2148:bc00:a81:7e44:4669:3426
307038f79db1:/etc/unbound# 

307038f79db1:/etc/unbound# host mailcow.email 127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; no servers could be reached

307038f79db1:/etc/unbound#

Logs from host syslog

May 24 13:48:11 mail dockerd[117555]: time="2024-05-24T13:48:11.378112103Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:172.22.1.7:56369" dns-server="udp:172.22.1.254:53" error="read udp 172.22.1.7:56369->172.22.1.254:53: i/o timeout" question=";ip6.mailcow.email.\tIN\t AAAA" spanID=cafd172930b69486 traceID=96b76067cbd47022279bef1d5d6ed2cd
May 24 13:48:13 mail dockerd[117555]: time="2024-05-24T13:48:13.881059076Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:172.22.1.7:56959" dns-server="udp:172.22.1.254:53" error="read udp 172.22.1.7:56959->172.22.1.254:53: i/o timeout" question=";ip6.mailcow.email.\tIN\t AAAA" spanID=64685929bbf86a5e traceID=150850768d58b67d78d007ce80e7e31c
May 24 13:53:30 mail dockerd[117555]: time="2024-05-24T13:53:30.561638859Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:172.22.1.250:48390" dns-server="udp:172.22.1.254:53" error="read udp 172.22.1.250:48390->172.22.1.254:53: i/o timeout" question=";mailcow.email.\tIN\t A" spanID=b0590e4f04e796aa traceID=893e1e13af1e96c046c598e11ede0ccd

Steps to reproduce:

1. Run `update --force`
2. `docker-compose down`
3. `docker-compose up -d`

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Ubuntu 22.04 LTS amd64

Server/VM specifications:

8GB, 8 cores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

Proxmox/KVM

Docker version:

25.0.3

docker-compose version or docker compose version:

2.11.1

mailcow version:

2024-04

Reverse proxy:

nginx

Logs of git diff:

NA

Logs of iptables -L -vn:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8086 1604K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 243K  990M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 243K  990M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  647 65320 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  540 31904 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  540 31904 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  540 31904 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
24163 7260K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
24163 7260K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
24163 7260K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
17499 6205K ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2346  158K DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
 4318  897K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 1885  130K ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 231K  197M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 231K  197M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  888 57802 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  888 57802 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  888 57802 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  888 57802 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:8983
   46  2800 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:443
   19  1140 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
   33  1980 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
   14   832 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    6   360 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
   16   960 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    8   480 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    5   300 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4318  897K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
 171K   57M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
29144 7155K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 171K   57M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            multiport dports 3306,6379,8983,12345

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    1    44 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    4   192 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
   95 31160 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
19182 3880K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 213K  952M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   15   780 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   15   780 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
  973 43543 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
 1248 94435 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
 1248 94435 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
19195 3881K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 207K  192M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  749 45894 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-caps-testgt7oogq7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-caps-testo1k9athw (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-caps-testwsw1iayw (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1153 63275 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
   95 31160 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
  100 31396 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  628 37680 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
  100  7254 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
       

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of ip6tables -L -vn:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  258 15360 MAILCOW    all      *      *       ::/0                 ::/0                
 1484 89147 ufw6-before-logging-input  all      *      *       ::/0                 ::/0                
 1484 89147 ufw6-before-input  all      *      *       ::/0                 ::/0                
    1    64 ufw6-after-input  all      *      *       ::/0                 ::/0                
    1    64 ufw6-after-logging-input  all      *      *       ::/0                 ::/0                
    1    64 ufw6-reject-input  all      *      *       ::/0                 ::/0                
    1    64 ufw6-track-input  all      *      *       ::/0                 ::/0                

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4224 4414K DOCKER-USER  all      *      *       ::/0                 ::/0                
 8979 7143K MAILCOW    all      *      *       ::/0                 ::/0                
 8983 7143K DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0                
 4420 6827K ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 4563  316K DOCKER     all      *      br-mailcow  ::/0                 ::/0                
    0     0 ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0                
 4563  316K ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0                
    0     0 ACCEPT     all      *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      docker0  ::/0                 ::/0                
    0     0 ACCEPT     all      docker0 !docker0  ::/0                 ::/0                
    0     0 ACCEPT     all      docker0 docker0  ::/0                 ::/0                
    0     0 ufw6-before-logging-forward  all      *      *       ::/0                 ::/0                
    0     0 ufw6-before-forward  all      *      *       ::/0                 ::/0                
    0     0 ufw6-after-forward  all      *      *       ::/0                 ::/0                
    0     0 ufw6-after-logging-forward  all      *      *       ::/0                 ::/0                
    0     0 ufw6-reject-forward  all      *      *       ::/0                 ::/0                
    0     0 ufw6-track-forward  all      *      *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5281  677K ufw6-before-logging-output  all      *      *       ::/0                 ::/0                
 5281  677K ufw6-before-output  all      *      *       ::/0                 ::/0                
  280 27776 ufw6-after-output  all      *      *       ::/0                 ::/0                
  280 27776 ufw6-after-logging-output  all      *      *       ::/0                 ::/0                
  280 27776 ufw6-reject-output  all      *      *       ::/0                 ::/0                
  280 27776 ufw6-track-output  all      *      *       ::/0                 ::/0                

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::c  tcp dpt:443
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::c  tcp dpt:80
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:587
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:465
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all      docker0 !docker0  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0                
 4224 4414K RETURN     all      *      *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      docker0  ::/0                 ::/0                
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0                
    0     0 RETURN     all      *      *       ::/0                 ::/0                

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
50073   46M RETURN     all      *      *       ::/0                 ::/0                

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw6-skip-to-policy-input  udp      *      *       ::/0                 ::/0                 udp dpt:137
    0     0 ufw6-skip-to-policy-input  udp      *      *       ::/0                 ::/0                 udp dpt:138
    0     0 ufw6-skip-to-policy-input  tcp      *      *       ::/0                 ::/0                 tcp dpt:139
    0     0 ufw6-skip-to-policy-input  tcp      *      *       ::/0                 ::/0                 tcp dpt:445
    0     0 ufw6-skip-to-policy-input  udp      *      *       ::/0                 ::/0                 udp dpt:546
    0     0 ufw6-skip-to-policy-input  udp      *      *       ::/0                 ::/0                 udp dpt:547

Chain ufw6-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw6-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw6-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 ufw6-user-forward  all      *      *       ::/0                 ::/0                

Chain ufw6-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    98 ACCEPT     all      lo     *       ::/0                 ::/0                
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 ufw6-logging-deny  all      *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 DROP       all      *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
  856 47936 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134 HL match HL == 255
  238 17136 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135 HL match HL == 255
  231 14784 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 141 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 142 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 130
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 131
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 132
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 143
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 148 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 149 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 151 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 152 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 153 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 144
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 145
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 146
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 147
    0     0 ACCEPT     udp      *      *       fe80::/10            fe80::/10            udp spt:547 dpt:546
    0     0 ACCEPT     udp      *      *       ::/0                 ff02::fb             udp dpt:5353
    0     0 ACCEPT     udp      *      *       ::/0                 ff02::f              udp dpt:1900
    0     0 ufw6-user-input  all      *      *       ::/0                 ::/0                

Chain ufw6-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    98 ACCEPT     all      *      lo      ::/0                 ::/0                
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
 3260  471K ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    4   224 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133 HL match HL == 255
  237 15224 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136 HL match HL == 255
  360 25920 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 141 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 142 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 130
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 131
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 132
  470 46640 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 143
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 148 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 149 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 151 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 152 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 153 HL match HL == 1
  238 23588 ufw6-user-output  all      *      *       ::/0                 ::/0                

Chain ufw6-caps-testtt71mxzs (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all      *      *       ::/0                 ::/0                 ctstate NEW recent: SET name: DEFAULT side: source mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    0     0            all      *      *       ::/0                 ::/0                 ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Chain ufw6-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw6-logging-deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all      *      *       ::/0                 ::/0                 ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw6-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      *       ::/0                 ::/0                

Chain ufw6-skip-to-policy-input (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      *       ::/0                 ::/0                

Chain ufw6-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain ufw6-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 ctstate NEW
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 ctstate NEW

Chain ufw6-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable

Chain ufw6-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain ufw6-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 569 packets, 39154 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6550  368K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 12 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 136 packets, 26631 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11   660 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 576 packets, 54741 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2984  229K MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.5           172.22.1.5           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.6           172.22.1.6           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.5:8983
   53  3220 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.8:443
   23  1380 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.8:80
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.6:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
   23  1380 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
   58  3480 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
   27  1620 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
   23  1360 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
   13   780 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    2   120 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 88 packets, 7644 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all      *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all      *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 46 packets, 3680 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all      *      br-mailcow  ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL
    0     0 MASQUERADE  all      *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0                
    0     0 MASQUERADE  all      *      docker0  ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL
    0     0 MASQUERADE  all      *      !docker0  fd00:dead:beef:c0::/80  ::/0                
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::c  fd4d:6169:6c63:6f77::c  tcp dpt:443
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::c  fd4d:6169:6c63:6f77::c  tcp dpt:80
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:25

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all      docker0 *       ::/0                 ::/0                
    0     0 RETURN     all      br-mailcow *       ::/0                 ::/0                
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::c]:443
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::c]:80
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::b]:4190
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::b]:995
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::b]:993
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::b]:143
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::b]:110
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::f]:587
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::f]:465
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::f]:25

DNS check:

104.18.32.7
172.64.155.249
@patrickstump
Copy link
Author

There seems to be a number of hosts unbound is not resolving. I found

Logs for the dovecot container showed that www.spamassassin.heinlein-support.de was not being resolved.

mail:~#docker exec -it mailcowdockerized-unbound-mailcow-1 bash
18b739925f75:/# host www.spamassassin.heinlein-support.de 127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; no servers could be reached

18b739925f75:/# host www.spamassassin.heinlein-support.de 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases: 

www.spamassassin.heinlein-support.de has address 185.97.174.62
18b739925f75:/# host www.spamassassin.heinlein-support.de 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

www.spamassassin.heinlein-support.de has address 185.97.174.62

@patrickstump patrickstump changed the title bug: unbound container failing to resolve mailcow.email bug: unbound container failing to resolve mailcow.email and other domains May 24, 2024
@patrickstump
Copy link
Author

SOLVED!

Our upstream provider was blocking IPS from www.ipdeny.com. This was causing unbound to not be able to hit root dns servers and for dovecot to not be able to connect to www.spamassassin.heinlein-support.de which causes it to not start properly.

This caused mailcow to reset the 993 connection attempt, which is what lead me down this road originally.

Long story short, if you are getting dovecot container reseting connection attempts to its ports (993,995,110,143) and/or unbound is not resolving random hostnames, check that your ip connections are not being blocked up stream.

They removed the blocks and evrything is working perfectly now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@patrickstump