Docker translates all incoming IPv6 connections to IPv4. Due to this, all incoming IPv6 connections appear to be IPv4 connections coming from 172.22.1.1 from the perspective of the services (Dovecot, Postfix).
This has a few security-relevant consequences:
- dovecot-anvil cannot slow down brute-force attempts coming in via IPv6.
- fail2ban cannot block brute-forcing IPv6 hosts/networks trying to access Postfix or Dovecot.
- I'm not sure whether the web interface or SOGo have any authentication failure penalty, but if they do, the same thing applies unless you are using a reverse proxy.
- Postfix postscreen and greylisting do not work for IPv6.

Another consequence is that Received: headers added to emails received via IPv6 contain 172.22.1.1 instead of the remote host's IPv6 address. Furthermore, Postfix cannot deliver outgoing emails via IPv6 because Docker's protocol translation only works for incoming connections.
This is not directly a problem of Mailcow (in fact, IPv6 worked on the standalone non-dockerized Mailcow), but rather a consequence of its Docker containers not being set up in an IPv6-aware fashion. It is not clear to me how this can be fixed (as far as I am aware, Docker doesn't do NAT for IPv6 like it does for IPv4, so that whole port-exposing mechanism doesn't exist), but as it is security-relevant, it should be fixed soon. Perhaps docker-ipv6nat could be integrated into Mailcow-dockerized.
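
Added example (not part of the original issue or of mailcow's code): a log check that measures how many authentication failures are attributed to 172.22.1.1, which is what a per-source limiter such as fail2ban would see. The log lines are constructed samples in the usual Postfix and Dovecot syslog shapes; the function names and the `maxretry` value are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Source address the issue reports for every translated IPv6 connection.
DOCKER_GATEWAY = ip_address("172.22.1.1")

# Constructed sample log: four failures arrive through the translation
# (in reality possibly four different IPv6 hosts), one arrives over IPv4.
SAMPLE_LOG = """\
Jan 10 10:00:01 mail postfix/smtpd[201]: connect from unknown[172.22.1.1]
Jan 10 10:00:02 mail postfix/smtpd[201]: warning: unknown[172.22.1.1]: SASL LOGIN authentication failed: authentication failure
Jan 10 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.org>, method=PLAIN, rip=172.22.1.1, lip=172.22.1.250, TLS
Jan 10 10:00:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=172.22.1.1, lip=172.22.1.250, TLS
Jan 10 10:00:11 mail postfix/smtpd[207]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jan 10 10:00:15 mail postfix/smtpd[209]: warning: unknown[172.22.1.1]: SASL LOGIN authentication failed: authentication failure
"""

POSTFIX_FAIL = re.compile(
    r"postfix/\S+\[\d+\]: warning: \S*\[([0-9a-fA-F:.]+)\]: SASL \S+ authentication failed")
DOVECOT_FAIL = re.compile(
    r"dovecot: \S+-login: .*auth failed.*\brip=([0-9a-fA-F:.]+)")

def failures_by_source(log_text):
    """Count authentication failures per client address as the service logged it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = POSTFIX_FAIL.search(line) or DOVECOT_FAIL.search(line)
        if m:
            counts[ip_address(m.group(1))] += 1
    return counts

def masked_share(counts):
    """Fraction of failures whose real source is hidden behind the gateway."""
    total = sum(counts.values())
    return counts[DOCKER_GATEWAY] / total if total else 0.0

def would_ban(counts, maxretry=3):
    """Addresses a per-source threshold would act on (maxretry is an assumed value)."""
    return sorted(str(ip) for ip, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    c = failures_by_source(SAMPLE_LOG)
    print("failures per logged source:", {str(k): v for k, v in c.items()})
    print("share attributed to the Docker gateway:", masked_share(c))
    # The only candidate is the gateway itself, i.e. all IPv6 clients at once.
    print("per-source threshold would act on:", would_ban(c))
```

A non-zero share for 172.22.1.1 in real logs indicates the deployment is affected by the translation described in this issue.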