Watchdog webhook doesn't include body #6153

Open
5 tasks done
Jniklas2 opened this issue Nov 11, 2024 · 0 comments

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

It seems like the watchdog webhook doesn't include information about the issue but only the path to a temporary file in the body.

Logs:

Can't produce them currently, but I will submit them later

Steps to reproduce:

1. Configure a webhook for the watchdog (in my case Discord)
My config:

WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/redacted
WATCHDOG_NOTIFY_WEBHOOK_BODY='{"content":null,"embeds":[{"title":"${SUBJECT}","description":"${BODY}","color":5814783}],"username":"mailcow Watchdog","avatar_url":"https://docs.mailcow.email/assets/images/favicon.png","attachments":[]}'

2. Trigger any kind of notification (for example an IP ban), except the monitoring started message
3. See the message from the bot

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Debian 12

Server/VM specifications:

ETH-Services GIANFAR: 4 vCores, 8GB RAM, 80GB SSD

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

kvm

Docker version:

27.3.1

docker-compose version or docker compose version:

v2.29.7

mailcow version:

2024-11

Reverse proxy:

No

Logs of git diff:

diff --git a/data/assets/nextcloud/nextcloud.conf b/data/assets/nextcloud/nextcloud.conf
deleted file mode 100644
index 81567d39..00000000
--- a/data/assets/nextcloud/nextcloud.conf
+++ /dev/null
@@ -1,130 +0,0 @@
-map $http_x_forwarded_proto $client_req_scheme_nc {
-     default $scheme;
-     https https;
-}
-
-server {
-  include /etc/nginx/conf.d/listen_ssl.active;
-  include /etc/nginx/conf.d/listen_plain.active;
-  include /etc/nginx/mime.types;
-  charset utf-8;
-  override_charset on;
-
-  ssl_certificate /etc/ssl/mail/cert.pem;
-  ssl_certificate_key /etc/ssl/mail/key.pem;
-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_prefer_server_ciphers on;
-  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
-  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
-  ssl_session_cache shared:SSL:50m;
-  ssl_session_timeout 1d;
-  ssl_session_tickets off;
-  add_header Referrer-Policy "no-referrer" always;
-  add_header X-Content-Type-Options "nosniff" always;
-  add_header X-Download-Options "noopen" always;
-  add_header X-Frame-Options "SAMEORIGIN" always;
-  add_header X-Permitted-Cross-Domain-Policies "none" always;
-  add_header X-Robots-Tag "noindex, nofollow" always;
-  add_header X-XSS-Protection "1; mode=block" always;
-
-  fastcgi_hide_header X-Powered-By;
-
-  server_name NC_SUBD;
-
-  root /web/nextcloud/;
-
-  location = /robots.txt {
-    allow all;
-    log_not_found off;
-    access_log off;
-  }
-
-  location = /.well-known/carddav {
-    return 301 $client_req_scheme_nc://$host/remote.php/dav;
-  }
-
-  location = /.well-known/caldav {
-    return 301 $client_req_scheme_nc://$host/remote.php/dav;
-  }
-
-  location = /.well-known/webfinger {
-    return 301 $client_req_scheme_nc://$host/index.php/.well-known/webfinger;
-  }
-
-  location = /.well-known/nodeinfo {
-    return 301 $client_req_scheme_nc://$host/index.php/.well-known/nodeinfo;
-  }
-
-  location ^~ /.well-known/acme-challenge/ {
-    default_type "text/plain";
-    root /web;
-  }
-
-  fastcgi_buffers 64 4K;
-
-  gzip on;
-  gzip_vary on;
-  gzip_comp_level 4;
-  gzip_min_length 256;
-  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-  set_real_ip_from fc00::/7;
-  set_real_ip_from 10.0.0.0/8;
-  set_real_ip_from 172.16.0.0/12;
-  set_real_ip_from 192.168.0.0/16;
-  real_ip_header X-Forwarded-For;
-  real_ip_recursive on;
-
-  location / {
-    rewrite ^ /index.php$uri;
-  }
-
-  location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-    deny all;
-  }
-  location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-    deny all;
-  }
-
-  location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+)\.php(?:$|\/) {
-    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
-    set $path_info $fastcgi_path_info;
-    try_files $fastcgi_script_name =404;
-    include fastcgi_params;
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    fastcgi_param PATH_INFO $path_info;
-    fastcgi_param HTTPS on;
-    # Avoid sending the security headers twice
-    fastcgi_param modHeadersAvailable true;
-    # Enable pretty urls
-    fastcgi_param front_controller_active true;
-    fastcgi_pass phpfpm:9002;
-    fastcgi_intercept_errors on;
-    fastcgi_request_buffering off;
-    client_max_body_size 0;
-    fastcgi_read_timeout 1200;
-  }
-
-  location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
-    try_files $uri/ =404;
-    index index.php;
-  }
-
-  location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
-    try_files $uri /index.php$request_uri;
-    add_header Cache-Control "public, max-age=15778463";
-    add_header Referrer-Policy "no-referrer" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Download-Options "noopen" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Permitted-Cross-Domain-Policies "none" always;
-    add_header X-Robots-Tag "none" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    access_log off;
-  }
-
-  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
-    try_files $uri /index.php$request_uri;
-    access_log off;
-  }
-}
diff --git a/data/assets/nextcloud/occ b/data/assets/nextcloud/occ
deleted file mode 100755
index 5113ac01..00000000
--- a/data/assets/nextcloud/occ
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) php /web/nextcloud/occ ${@}
diff --git a/data/assets/ssl-example/cert.pem b/data/assets/ssl-example/cert.pem
index 96d16bec..ce51ced3 100644
--- a/data/assets/ssl-example/cert.pem
+++ b/data/assets/ssl-example/cert.pem
@@ -1,19 +1,33 @@
 -----BEGIN CERTIFICATE-----
-MIIDBDCCAe6gAwIBAgIQeJMoL/3dxhxhT9EwuRTL/DALBgkqhkiG9w0BAQswEjEQ
-MA4GA1UEChMHbWFpbGNvdzAeFw0xNjEyMTMxMDExMDBaFw0xOTExMjgxMDExMDBa
-MC0xEDAOBgNVBAoTB21haWxjb3cxGTAXBgNVBAMTEG1haWwuZXhhbXBsZS5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRg0xT3At9DSb3H5OMp3K1
-MpXAgYyotSK6TS61fC0QEHy2fMXiws7Agcye6Ln7CG63Fe1eN2jkdlefy9xJivS8
-y5w0M8i168v5znzC8fnylL2iOiSYfK/B/oEqfU7YH4RcegO53oDDIUZmi4Frgnu7
-39VVOU1ZyHEVqGJ2H2aAIkoZRjGzumD9Ym4LWGidtKJzBgFt/qmhUeWXipM8w281
-XkQnJU79+x2ywnJSvEZ3r/ZVJC7kbjiVw+/k15k9Cxk6Ik8wmJ0X/+xWxoZomHQI
-1LM0VKAS/iaU95dn2bplvL6jTiiyWAbrMjSKs4XbPt/fIbOicNkj6+CFy0MVfyyH
-AgMBAAGjPzA9MA4GA1UdDwEB/wQEAwIAqDAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
-KwYBBQUHAwEwDAYDVR0TAQH/BAIwADALBgkqhkiG9w0BAQsDggEBAI/jBJa1P8nB
-eHUN5muQmjBVDVOYyWAAEapOe2HYsBcpjaB2H8Iw3DQzJtz6peYeYSCmHRVqFLCm
-VPrq36l9mPUotyPDPlQQAxCj9R2+WbGaJO+N/E1F8FQ94dr3jqwUyfjVPoqEjmIH
-NFkvbA0RJOeBm9oYGdhM0wjOBV9c9MTHFG82nQ/zQeTuPb7GXuKIOXYCxoLNOZMw
-UJ02Cqjv5ImrgOhcstAKX3Ip0urSvZUGvtPla4CGh+M6yDFJ08GzX6OiMIH207RW
-jAbUXXERSUv/7hysdDjGo5HZjCeMzVu9KAxoZXqnmvkk8g2swKWtWBRcoeU1VGx0
-Bx4Q4KMjuYQ=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 -----END CERTIFICATE-----
diff --git a/data/assets/ssl-example/key.pem b/data/assets/ssl-example/key.pem
index cedf35a0..8e58384f 100644
--- a/data/assets/ssl-example/key.pem
+++ b/data/assets/ssl-example/key.pem
@@ -1,27 +1,52 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0YNMU9wLfQ0m9x+TjKdytTKVwIGMqLUiuk0utXwtEBB8tnzF
-4sLOwIHMnui5+whutxXtXjdo5HZXn8vcSYr0vMucNDPItevL+c58wvH58pS9ojok
-mHyvwf6BKn1O2B+EXHoDud6AwyFGZouBa4J7u9/VVTlNWchxFahidh9mgCJKGUYx
-s7pg/WJuC1honbSicwYBbf6poVHll4qTPMNvNV5EJyVO/fsdssJyUrxGd6/2VSQu
-5G44lcPv5NeZPQsZOiJPMJidF//sVsaGaJh0CNSzNFSgEv4mlPeXZ9m6Zby+o04o
-slgG6zI0irOF2z7f3yGzonDZI+vghctDFX8shwIDAQABAoIBAQC9kiLnIgxXGyZt
-pmmYdA6re1jatZ2zLSp+DcY8ul3/0hs195IKCyCOOSQPiR520Pt0t+duP46uYZIJ
-aakp9gxaI5Vz+oMacH/AyaBDuDTj1Mf9WMSyIOfbDVCMRJOppGLcVh62+Gfjp2EO
-+h2hTJBuvypFkbK2kVIZOaHVpbXWKw1oYuEcTftk9XfxxvfSMw1HQ12/P2CAcbaa
-jPmVbisunv6kpXtewSBTcaLSYWJf1MYD5Hi8fzkD2FJSXYbfQd8RKvT2rj6FA7ux
-CDMzbYhdnd7lc63OARCIjfCRNtDT1cZ3gR1CQHD98lWxmPQIZukv+w7s/bSrFgnQ
-ROZ0ghBJAoGBAOmE/3d5FDmp0aJNxXynKcRGdpEEM4O40RIdqa2eR6Pa7aTRosao
-z0qVgdFuJrqjlB3jgedxXEX1M0abCUzzM9Q5F7JLl+KsjwRwpkIOkPiyUncLp7LK
-QbY3tvYBIdpjlF1USOMGRL4j11hqr4vQC/yPBF7jj81kCZDTbmZhp82jAoGBAOWu
-ql5QFUOlmqkuWIAFkiLEZhOu+ptqkE+zG50CCGMJIX0dJ2PHXFyNGInomAeT0nbI
-pbnK3x7KeEKiGrAqZFNCTHhApTwkrIj0L/RQbMDZ7u7j1AEUVNFEhIm62kg84FtG
-xtfxVxredE+NQc/tyV3hXegdNZxegALirlcMKIvNAoGAWFwIxk48Ru1o8z72QQqH
-lUsMRicOzwK5qV8r+xPvC6MlVL42F3F8rj4QFwzU/r4yp3SUjNyqC5aSRl8Xj9Re
-gijwPHi6Cf09SHLPliMo29GtvnnchJxfbPF7+23GP3p6gy4HPk/65u9s5nnH3uFk
-B7ad8sGsgg0eSXyXQ4okEn0CgYEAnogPuedGthlxBgMiPMMbmfm7hyyId4t3Ljuu
-/JExnsHnpobf8EPjoVIWNOIhRWGnrCtUEEhR9tvDZCKljyDDfKBPTdU496lMmX8K
-NnToi7gg7iy84T3aSVMktDgPgDrclMPmbZh8CeSvnVUfrtgu3Ci4+4Rlw5eKffNe
-aGDQ/6UCgYAbUq9mRT2WOXIo+Dchi9VzDWgtfOw5VEyqkSpb7hPiIYx5jNaENnVK
-cAi3iqbBgPJBuMlTrKmmaxdmssGOEZNJLuuXLDbCU+f5cpu5PQ4crC6UtRI5rlhp
-8Yc+oiv3HWbSw3sVRpMFB6NP4DnvgFW3B2Wdfb/lNzPCKWqBsX7gWw==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/data/conf/clamav/clamd.conf b/data/conf/clamav/clamd.conf
index df1aa1e1..b6847983 100644
--- a/data/conf/clamav/clamd.conf
+++ b/data/conf/clamav/clamd.conf
@@ -17,7 +17,7 @@ IdleTimeout 20
 SelfCheck 3600
 User clamav
 Foreground yes
-DetectPUA yes
+#DetectPUA yes
 # See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md
 #ExcludePUA NetTool
 #ExcludePUA PWTool
@@ -37,11 +37,25 @@ PhishingScanURLs no
 HeuristicScanPrecedence yes
 ScanHTML yes
 ScanArchive yes
-MaxScanSize 50M
-MaxFileSize 25M
-MaxRecursion 5
+#MaxScanSize 50M
+#MaxFileSize 25M
+#MaxRecursion 5
 MaxFiles 200
 Bytecode yes
 BytecodeSecurity TrustSigned
 BytecodeTimeout 1000
 ConcurrentDatabaseReload no
+
+DetectPUA yes
+ExcludePUA PUA.Win.Packer
+ExcludePUA PUA.Win.Trojan.Packed
+ExcludePUA PUA.Win.Trojan.Molebox
+ExcludePUA PUA.Win.Packer.Upx
+ExcludePUA PUA.Doc.Packed
+MaxScanSize 150M
+MaxFileSize 100M
+MaxRecursion 40
+MaxEmbeddedPE 100M
+MaxHTMLNormalize 50M
+MaxScriptNormalize 50M
+MaxZipTypeRcg 50M
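Review bot: the limits re-added at the end of this hunk (MaxScanSize 150M, MaxFileSize 100M, MaxRecursion 40) raise how much work a single message can make clamd do, while the rspamd antivirus.conf context later in this diff still shows max_size = 20971520, so messages above 20 MiB are not handed to clamd by that path anyway. Keep MaxRecursion close to the previous 5 unless deeply nested archives are a known need, and add a comment recording why each limit was raised. The commented-out originals (#MaxScanSize 50M and the two lines after it) can be deleted rather than left next to the new values.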
diff --git a/data/conf/clamav/freshclam.conf b/data/conf/clamav/freshclam.conf
index cfb497e9..5d79135d 100644
--- a/data/conf/clamav/freshclam.conf
+++ b/data/conf/clamav/freshclam.conf
@@ -3,6 +3,7 @@ LogTime yes
 PidFile /run/clamav/freshclam.pid
 DatabaseOwner clamav
 DNSDatabaseInfo current.cvd.clamav.net
+DatabaseMirror db.de.clamav.net
 DatabaseMirror db.uk.clamav.net
 DatabaseMirror db.nl.clamav.net
 DatabaseMirror db.fr.clamav.net
@@ -13,7 +14,23 @@ Checks 6
 NotifyClamd /etc/clamav/clamd.conf
 Foreground yes
 ConnectTimeout 20
-ReceiveTimeout 20
+ReceiveTimeout 90
 TestDatabases yes
 Bytecode yes

+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/redacted/securiteinfo.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/redacted/securiteinfo.ign2
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/redacted/javascript.ndb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/redacted/spam_marketing.ndb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/redacted/securiteinfohtml.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/redacted/securiteinfoascii.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/redacted/securiteinfoandroid.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/redacted/securiteinfoold.hdb
+DatabaseCustomURL https://www.securiteinfo.com/get/signatures/redacted/securiteinfopdf.hdb
+
+DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb
+DatabaseCustomURL http://sigs.interserver.net/interservertopline.db
+DatabaseCustomURL http://sigs.interserver.net/shell.ldb
+DatabaseCustomURL http://sigs.interserver.net/whitelist.fp
+
+DatabaseCustomURL https://urlhaus.abuse.ch/downloads/urlhaus.ndb
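Review bot: the four sigs.interserver.net DatabaseCustomURL lines use plain http, so those signature files have no transport integrity, and one of them is whitelist.fp, a false-positive list that suppresses detections. Switch them to https if the mirror offers it, or drop whitelist.fp. The securiteinfo URLs carry a redacted path component, presumably a per-account value, so this file should stay out of shared logs unredacted.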
diff --git a/data/conf/ejabberd/autogen/ejabberd_acl.yml b/data/conf/ejabberd/autogen/ejabberd_acl.yml
new file mode 100644
index 00000000..21db66a4
--- /dev/null
+++ b/data/conf/ejabberd/autogen/ejabberd_acl.yml
@@ -0,0 +1 @@
+# Autogenerated by mailcow
diff --git a/data/conf/ejabberd/autogen/ejabberd_api.yml b/data/conf/ejabberd/autogen/ejabberd_api.yml
new file mode 100644
index 00000000..58c0ffd7
--- /dev/null
+++ b/data/conf/ejabberd/autogen/ejabberd_api.yml
@@ -0,0 +1,16 @@
+# Autogenerated by mailcow
+api_permissions:
+  "Reload by mailcow":
+    who:
+      - ip: "172.22.1.0/24"
+    what:
+      - "reload_config"
+      - "restart"
+      - "list_certificates"
+      - "list_cluster"
+      - "join_cluster"
+      - "leave_cluster"
+      - "backup"
+      - "status"
+      - "stats"
+      - "muc_online_rooms"
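Review bot: under who, the rule trusts the whole 172.22.1.0/24 range by source IP alone, and the what list includes restart, join_cluster, leave_cluster and backup, so any container on that network can call them. Since the file is marked as autogenerated, the generator should emit the single address of the container that needs reload_config and leave out the cluster and backup commands unless mailcow itself calls them.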
diff --git a/data/conf/ejabberd/autogen/ejabberd_hosts.yml b/data/conf/ejabberd/autogen/ejabberd_hosts.yml
new file mode 100644
index 00000000..21db66a4
--- /dev/null
+++ b/data/conf/ejabberd/autogen/ejabberd_hosts.yml
@@ -0,0 +1 @@
+# Autogenerated by mailcow
diff --git a/data/conf/ejabberd/autogen/ejabberd_macros.yml b/data/conf/ejabberd/autogen/ejabberd_macros.yml
new file mode 100644
index 00000000..d6b0a58c
--- /dev/null
+++ b/data/conf/ejabberd/autogen/ejabberd_macros.yml
@@ -0,0 +1,4 @@
+# Autogenerated by mailcow
+define_macro:
+  'MAILCOW_HOSTNAME': "mail.redacted"
+  'EJABBERD_HTTPS': 5443
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 6721204c..2aaa932e 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -52,6 +52,8 @@ postscreen_pipelining_enable = no
 proxy_read_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf,
   proxy:mysql:/opt/postfix/conf/sql/mysql_mbr_access_maps.cf,
   proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
+#  proxy:mysql:/opt/postfix/conf/sql/mysql_local_senders.cf,
+#  proxy:mysql:/opt/postfix/conf/sql/mysql_non-local_srs.cf,
   $sender_dependent_default_transport_maps,
   $smtp_tls_policy_maps,
   $local_recipient_maps,
@@ -175,3 +177,54 @@ lmtp_destination_recipient_limit=1

 # DO NOT EDIT ANYTHING BELOW #
 # Overrides #
+
+postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+  hostkarma.junkemailfilter.com=127.0.0.1*-2
+  list.dnswl.org=127.0.[0..255].0*-2
+  list.dnswl.org=127.0.[0..255].1*-4
+  list.dnswl.org=127.0.[0..255].2*-6
+  list.dnswl.org=127.0.[0..255].3*-8
+  ix.dnsbl.manitu.net*2
+  bl.spamcop.net*2
+  bl.suomispam.net*2
+  hostkarma.junkemailfilter.com=127.0.0.2*3
+  hostkarma.junkemailfilter.com=127.0.0.4*2
+  hostkarma.junkemailfilter.com=127.0.1.2*1
+  backscatter.spameatingmonkey.net*2
+  bl.ipv6.spameatingmonkey.net*2
+  bl.spameatingmonkey.net*2
+  b.barracudacentral.org=127.0.0.2*7
+  bl.mailspike.net=127.0.0.2*5
+  bl.mailspike.net=127.0.0.[10;11;12]*4
+  dnsbl.sorbs.net=127.0.0.10*8
+  dnsbl.sorbs.net=127.0.0.5*6
+  dnsbl.sorbs.net=127.0.0.7*3
+  dnsbl.sorbs.net=127.0.0.8*2
+  dnsbl.sorbs.net=127.0.0.6*2
+  dnsbl.sorbs.net=127.0.0.9*2
+  redacted.zen.dq.spamhaus.net=127.0.0.[4..7]*6
+  redacted.zen.dq.spamhaus.net=127.0.0.[10;11]*8
+  redacted.zen.dq.spamhaus.net=127.0.0.3*4
+  redacted.zen.dq.spamhaus.net=127.0.0.2*3
+postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply.map
+
+# User Overrides
+myhostname = mail.redacted
+submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+# For postsrsd
+## In order to disable postsrsd, just comment out the following two blocks and restart postfix-mailcow!
+## There is also config in master.cf, but it shouldn't interfere without these config lines here
+
+## postsrsd's reverse service is listening on port 10002
+#sender_canonical_classes = envelope_sender
+#recipient_canonical_maps = socketmap:inet:172.30.1.42:10003:reverse, proxy:mysql:/opt/postfix/conf/sql/mysql_recipient_canonical_maps.cf
+#recipient_canonical_classes = envelope_recipient, header_recipient
+
+# Also for postsrsd, we override the default transport maps to use the smtpd on port 10029 for all non-local recipients
+#transport_maps = pcre:/opt/postfix/conf/custom_transport.pcre,
+#  pcre:/opt/postfix/conf/local_transport,
+#  proxy:mysql:/opt/postfix/conf/sql/mysql_relay_ne.cf,
+#  proxy:mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf,
+#  proxy:mysql:/opt/postfix/conf/sql/mysql_non-local_srs.cf
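Review bot: under "# User Overrides", submission_smtpd_tls_mandatory_protocols and smtps_smtpd_tls_mandatory_protocols exclude only SSLv2 and SSLv3, which does not rule out TLSv1 and TLSv1.1 on the authenticated ports, while the nginx config removed earlier in this diff was limited to TLSv1.2 and TLSv1.3. Suggest adding !TLSv1, !TLSv1.1 unless a legacy client requires them. Also, the postsrsd comment says the reverse service listens on port 10002 but the commented recipient_canonical_maps line points at 10003; correct whichever is stale.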
diff --git a/data/conf/postfix/master.cf b/data/conf/postfix/master.cf
index d5114df2..4b127a8b 100644
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@@ -144,3 +144,19 @@ watchdog_discard    unix  -       -       n       -       -       discard
    -o syslog_facility=local7
    -o syslog_name=watchdog
 # end watchdog-specific
+
+# SRS config
+cleanup-srs unix  n       -       -       -       0       cleanup
+  -o sender_canonical_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_local_senders.cf,socketmap:inet:172.30.1.42:10003:forward
+  -o sender_canonical_classes=envelope_sender
+  #-o recipient_canonical_maps=regexp:/opt/postfix/conf/regex_sender_canonical_srs
+  -o syslog_name=cleanup-srs
+
+# Only non-local recipients should end up here per our transport map in extra.cf
+127.0.0.1:10029 inet    n       -       -       -       -       smtpd
+  -o cleanup_service_name=cleanup-srs
+  -o smtpd_tls_security_level=none
+  -o content_filter=smtp:
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o smtpd_milters=
+  -o syslog_name=srs
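Review bot: the 127.0.0.1:10029 smtpd service runs with smtpd_milters= empty and accepts on permit_mynetworks, yet the transport_maps block in main.cf that would route mail to it is commented out in this same diff, so the listener is active with nothing feeding it. Either comment this block out together with the main.cf lines, or pin it with -o mynetworks=127.0.0.0/8 so the milter-free path does not widen if mynetworks changes.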
diff --git a/data/conf/rspamd/custom/global_smtp_from_whitelist.map b/data/conf/rspamd/custom/global_smtp_from_whitelist.map
index 3c872889..26187051 100644
--- a/data/conf/rspamd/custom/global_smtp_from_whitelist.map
+++ b/data/conf/rspamd/custom/global_smtp_from_whitelist.map
@@ -1 +1,2 @@
-# /.+example\.com/i
+# /.+example\.com/i
[email protected]
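Review bot: the added entry goes into a global whitelist keyed on the SMTP envelope sender, a value the sending side sets, so it needs a comment above it saying why it is trusted, and the narrowest match that works. The -/+ pair on "# /.+example\.com/i" differs only in whitespace or line ending and can be dropped from the change.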
diff --git a/data/conf/rspamd/local.d/antivirus.conf b/data/conf/rspamd/local.d/antivirus.conf
index c8d31d1e..1e5f0634 100644
--- a/data/conf/rspamd/local.d/antivirus.conf
+++ b/data/conf/rspamd/local.d/antivirus.conf
@@ -9,3 +9,12 @@ clamav {
   servers = "clamd:3310";
   max_size = 20971520;
 }
+
+patterns {
+  # Extra Signatures (Securite) Not shipped with mailcow.
+  CLAM_SECI_SPAM = "^SecuriteInfo\.com\.Spam.*";
+  CLAM_SECI_JPG = "^SecuriteInfo\.com\.JPG.*";
+  CLAM_SECI_PDF = "^SecuriteInfo\.com\.PDF.*";
+  CLAM_SECI_HTML = "^SecuriteInfo\.com\.HTML.*";
+  CLAM_SECI_JS = "^SecuriteInfo\.com\.JS.*";
+}
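Review bot: the patterns block is added after the brace that closes clamav { }, so it is a sibling section rather than part of the clamav scanner definition; rspamd expects patterns inside the scanner block. Move it inside clamav { }, before its closing brace, so the CLAM_SECI_* symbols are tied to ClamAV results.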
diff --git a/data/conf/rspamd/local.d/history_redis.conf b/data/conf/rspamd/local.d/history_redis.conf
index 68a59b0c..77e1ae3d 100644
--- a/data/conf/rspamd/local.d/history_redis.conf
+++ b/data/conf/rspamd/local.d/history_redis.conf
@@ -1 +1 @@
-nrows = 1000;
+nrows = 10000;
diff --git a/data/conf/sogo/custom-theme.js b/data/conf/sogo/custom-theme.js
index 0df50677..5d5a7f7c 100644
--- a/data/conf/sogo/custom-theme.js
+++ b/data/conf/sogo/custom-theme.js
@@ -33,4 +33,4 @@
     $mdThemingProvider.generateThemesOnDemand(false);
   }
 })();
- */
\ No newline at end of file
+*/
diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf
index d398eb05..ac85a255 100644
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@@ -24,7 +24,7 @@
       js/custom-sogo.js
     );

-    SOGoEnablePublicAccess = YES;
+    SOGoEnablePublicAccess = NO;

     // Multi-domain setup
     // Domains are isolated, you can define visibility options here.
@@ -35,11 +35,18 @@
     //  (domain3.tld, domain2.tld)
     // );

+    SOGoDomainsVisibility = (
+     (redacted, redacted, redacted)
+    );
+
+    SOGoSuperUsernames = (admin@redacted);
+
     // self-signed is not trusted anymore
     WOPort = "0.0.0.0:20000";
     SOGoMemcachedHost = "memcached";

-    SOGoLanguage = English;
+//    SOGoLanguage = English;
+    SOGoLanguage = German;
     SOGoMailAuxiliaryUserAccountsEnabled = YES;
     // SOGoCreateIdentitiesDisabled = NO;
     SOGoMailCustomFromEnabled = YES;
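Review bot: SOGoSuperUsernames = (admin@redacted) gives that account administrative access over every user's data in SOGo, and nothing in the hunk says why it is needed. Add a comment with the reason, or remove the line. The old SOGoLanguage line is left commented out directly above its replacement and can simply be deleted.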
@@ -68,6 +75,7 @@

     SOGoSieveFolderEncoding = "UTF-8";
     SOGoPasswordChangeEnabled = NO;
+//    SOGoTOTPEnabled = NO;
     SOGoSentFolderName = "Sent";
     SOGoMailShowSubscribedFoldersOnly = NO;
     NGImap4ConnectionStringSeparator = "/";
diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index 34e47a54..7d8128ac 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -59,6 +59,7 @@ if (isset($_POST["verify_tfa_login"])) {
     unset($_SESSION['pending_pw_reset_token']);
     unset($_SESSION['pending_pw_new_password']);
     unset($_SESSION['pending_mailcow_cc_username']);
+    unset($_SESSION["mailcow_cc_role"]);
     unset($_SESSION['pending_mailcow_cc_role']);
     unset($_SESSION['pending_tfa_methods']);
   }
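Review bot: the new unset($_SESSION["mailcow_cc_role"]) clears the active role key in a block that otherwise only clears pending_* keys, and it uses double quotes where the neighbouring lines use single quotes. Add a one-line comment on why the active role must be dropped here, and match the quoting.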
diff --git a/data/web/js/site/mailbox.js b/data/web/js/site/mailbox.js
index af2862a3..6f6c5919 100644
--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -945,6 +945,9 @@ jQuery(function($){
               if (ALLOW_ADMIN_EMAIL_LOGIN) {
                 item.action += '<a href="/sogo-auth.php?login=' + encodeURIComponent(item.username) + '" class="login_as btn btn-sm btn-xs-lg btn-xs-half btn-primary" target="_blank"><i class="bi bi-envelope-fill"></i> SOGo</a>';
               }
+              if (ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE) {
+                item.action += '<a href="/rc-auth.php?login=' + encodeURIComponent(item.username) + '" class="login_as btn btn-sm btn-xs-half btn-primary" target="_blank"><i class="bi bi-envelope-fill"></i> Roundcube</a>';
+              }
               item.action += '</div>';
             }
             else {
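Review bot: the ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE check only decides whether the button is drawn; /rc-auth.php is not part of this diff, so the admin check and the setting have to be enforced again there on the server. The new anchor uses target="_blank" without rel="noopener", same as the SOGo line above it; worth adding to both.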
diff --git a/data/web/mailbox.php b/data/web/mailbox.php
index 65c76f53..71e07298 100644
--- a/data/web/mailbox.php
+++ b/data/web/mailbox.php
@@ -42,6 +42,7 @@ $template_data = [
   'lang_mailbox' => json_encode($lang['mailbox']),
   'lang_rl' => json_encode($lang['ratelimit']),
   'lang_datatables' => json_encode($lang['datatables']),
+  'allow_admin_email_login_roundcube' => (preg_match("/^(yes|y)+$/i", $_ENV["ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE"])) ? 'true' : 'false',
 ];

 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/footer.inc.php';
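Review bot: $_ENV["ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE"] is read without a default, so when the variable is not set preg_match receives null and PHP raises a warning; append ?? '' to the lookup. The pattern /^(yes|y)+$/i also accepts repeated input such as "yyy"; /^(yes|y)$/i states the intent.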
diff --git a/data/web/templates/mailbox.twig b/data/web/templates/mailbox.twig
index b61896d7..a62e24c0 100644
--- a/data/web/templates/mailbox.twig
+++ b/data/web/templates/mailbox.twig
@@ -74,5 +74,6 @@
   var role = '{{ role }}';
   var is_dual = {{ is_dual }};
   var ALLOW_ADMIN_EMAIL_LOGIN = {{ allow_admin_email_login }};
+  var ALLOW_ADMIN_EMAIL_LOGIN_ROUNDCUBE = {{ allow_admin_email_login_roundcube }};
 </script>
 {% endblock %}
diff --git a/docker-compose.yml b/docker-compose.yml
index c462ba88..1a330f2c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -614,36 +614,6 @@ services:
           aliases:
             - ofelia

-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1700K 2267M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
1701K 2267M ts-input   0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 896K  636M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
 896K  636M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 896K  636M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
27834 3188K ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
55658 4091K ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
 292K  562M ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
41665 1709K DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
 478K   65M ACCEPT     0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ts-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:3306
  128  7580 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
  225 12896 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
   57  3356 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
39530 1584K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:80
 1576 92720 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:443
   11   620 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
   33  1880 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
   75  3856 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
   28  1580 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    2   120 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.3           tcp dpt:8983

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
55658 4091K DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
 478K   65M DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 896K  636M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
 534K   69M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 896K  636M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Chain ts-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       0    --  tailscale0 *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x40000/0xff0000
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000
    0     0 DROP       0    --  *      tailscale0  100.64.0.0/10        0.0.0.0/0           
    0     0 DROP       0    --  *      tailscale0  0.0.0.0/0            0.0.0.0/0            ! ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      tailscale0  0.0.0.0/0            0.0.0.0/0           

Chain ts-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  lo     *       100.80.17.104        0.0.0.0/0           
    0     0 RETURN     0    --  !tailscale0 *       100.115.92.0/23      0.0.0.0/0           
    0     0 DROP       0    --  !tailscale0 *       100.64.0.0/10        0.0.0.0/0           
 144K  121M ACCEPT     0    --  tailscale0 *       0.0.0.0/0            0.0.0.0/0           
44131   11M ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:41641

Logs of ip6tables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1202K  212M MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
1202K  212M ts-input   0    --  *      *       ::/0                 ::/0                

Chain FORWARD (policy DROP 10 packets, 676 bytes)
 pkts bytes target     prot opt in     out     source               destination         
97873   36M MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
97875   36M DOCKER-USER  0    --  *      *       ::/0                 ::/0                
97877   36M DOCKER-ISOLATION-STAGE-1  0    --  *      *       ::/0                 ::/0                
    0     0 ACCEPT     0    --  *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  ::/0                 ::/0                
    0     0 ACCEPT     0    --  docker0 !docker0  ::/0                 ::/0                
    0     0 ACCEPT     0    --  docker0 docker0  ::/0                 ::/0                
46472   11M ACCEPT     0    --  *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 2642  210K DOCKER     0    --  *      br-mailcow  ::/0                 ::/0                
48759   24M ACCEPT     0    --  br-mailcow !br-mailcow  ::/0                 ::/0                
    0     0 ACCEPT     0    --  br-mailcow br-mailcow  ::/0                 ::/0                
   10   676 ts-forward  0    --  *      *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   97  7596 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::6  tcp dpt:25
    8   608 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::6  tcp dpt:465
    4   304 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::6  tcp dpt:587
   26  1752 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:80
 2431  194K ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:443
   13   908 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:110
   11   748 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:143
   20  1496 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:993
   31  2372 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:995
    1    80 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:4190

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  ::/0                 ::/0                
48759   24M DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  ::/0                 ::/0                
97882   36M RETURN     0    --  *      *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      docker0  ::/0                 ::/0                
    0     0 DROP       0    --  *      br-mailcow  ::/0                 ::/0                
48759   24M RETURN     0    --  *      *       ::/0                 ::/0                

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
97875   36M RETURN     0    --  *      *       ::/0                 ::/0                

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ts-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       0    --  tailscale0 *       ::/0                 ::/0                 MARK xset 0x40000/0xff0000
    0     0 ACCEPT     0    --  *      *       ::/0                 ::/0                 mark match 0x40000/0xff0000
    0     0 DROP       0    --  *      tailscale0  ::/0                 ::/0                 ! ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      tailscale0  ::/0                 ::/0                

Chain ts-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  lo     *       fd7a:115c:a1e0:ab12:4843:cd96:6250:1168  ::/0                
    0     0 ACCEPT     0    --  tailscale0 *       ::/0                 ::/0                
 252K  148M ACCEPT     17   --  *      *       ::/0                 ::/0                 udp dpt:41641

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
71006 3293K DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1794  273K DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1797  273K MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0
95197 7336K MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
 118K 7407K ts-postrouting  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  6    --  *      *       172.22.1.5           172.22.1.5           tcp dpt:3306
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       172.22.1.10          172.22.1.10          tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       172.22.1.10          172.22.1.10          tcp dpt:443
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  6    --  *      *       172.22.1.3           172.22.1.3           tcp dpt:8983

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.5:3306
 3909  234K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
 1218 70476 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
  320 18568 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
40123 1617K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.10:80
 2372  138K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.10:443
   54  3004 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
  130  7376 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
  149  7932 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
  143  8208 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
   39  2324 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.3:8983

Chain ts-postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 593K   33M DOCKER     0    --  *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      !docker0  fd00:dead:beef:c0::/80  ::/0
19745 2005K MASQUERADE  0    --  *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0
20836 1683K ts-postrouting  0    --  *      *       ::/0                 ::/0
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::6  fd4d:6169:6c63:6f77::6  tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::6  fd4d:6169:6c63:6f77::6  tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::6  fd4d:6169:6c63:6f77::6  tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:443
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:110
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:4190

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  docker0 *       ::/0                 ::/0
   86  6880 RETURN     0    --  br-mailcow *       ::/0                 ::/0
   97  7596 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::6]:25
    8   608 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::6]:465
    4   304 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::6]:587
  191 14952 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::e]:80
 2647  211K DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::e]:443
   13   908 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::d]:110
   12   808 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::d]:143
   20  1496 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::d]:993
   35  2644 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::d]:995
    1    80 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::d]:4190

Chain ts-postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      *       ::/0                 ::/0                 mark match 0x40000/0xff0000

DNS check:

172.64.155.249
104.18.32.7

@Jniklas2 added the bug label Nov 11, 2024