andryyy
commented
4 years ago Ufw is not supported officially as you read in the docs.
Besides that, you need port 80 for acme to work. And furthermore filtering INPUT chains is useless for Docker, as packages go through the FORWARD chain. That's why we say "ufw is not supported". Firewalls do much more than filtering inbound ports. We don't want to struggle with that in issues on GitHub.
acme-mailcow will drop the certificate if a name cannot be validated anymore. It can only do so when acme-mailcow is running. If it is stopped, nothing will happen. It should not be stopped anyway. But it would also not change anything with your certificates, if it was stopped.
That's a lot of changes that break the function of acme-mailcow and mailcow in general. Even running it on 2G is not a good idea.
If you don't have acme listening on port 80 and play with your own firewall, as well as stopping acme while this is not how it should be used, I cannot see how this is a bug. That's actually expected to fail. :)
Please use the community channels for support questions or the ticket system at Servercow.
Am 23.06.2020 um 09:27 schrieb Warwick Bruce Chapman notifications@github.com:
Prior to placing the issue, please check following: (fill out each checkbox with an X once done)
I understand, that not following or deleting the below instructions, will result in immediate closing and deletion of my issue. I have understood that answers are voluntary and community-driven, and not commercial support. I have verified that my issue has not been already answered in the past. I also checked previous issues. Description of the bug:
I initially setup mailcow-dockerized on MAILCOW_HOSTNAME mail.x.com serving mail for x.com.
Then, I added y.com and all was good the world.
We were serving mail for addresses at x.com and y.com and I did one or two ./update.sh runs during the working period.
Then, a couple of weeks ago, we got an SSL error from an expired certificate that (I believe) resulted from ufw being enabled on the host and causing acme-mailcow to not function properly.
Because there are (I apologise) two other services running on this box, I added a cronjob to disable the firewall, restart acme-mailcow and re-enable the firewall because that's the process I used two weeks ago to renew the cert.
However, in the last few days, we are getting an error NET::ERR_CERT_COMMON_NAME_INVALID that the the system is now using a cert autodiscover.y.com which does not match mail.x.com that the system was originally configured for.
Docker container logs of affected containers:
It would appear that by running docker-compose down && docker-compose up -d as part of the process described below, I have destroyed these logs. I am happy to help dig for them if they can be found.
Reproduction of said bug:
I searched and tried a few things like:
adding mail.* to ADDITIONAL_SAN and running docker-compose down && docker-compose up -d
setting ENABLE_SSL_SNI to y and running docker-compose down && docker-compose up -d
running ./update.sh
I am reporting here because it seems bug-like that a certificate for a secondary domain and hostname != MAILCOW_HOSTNAME is being used for SSL - even if there is a (unsupported) firewall issue causing / conflating the problem.
The resolution, though I am not sure this will work every time, is to stop ufw perform an ./update.sh and then start ufw again.
System information:
Question Answer My operating system Ubuntu 18.04.4 LTS Is Apparmor, SELinux or similar active? Yes, see below Virtualization technlogy (KVM, VMware, Xen, etc - LXC and OpenVZ are not supported Hetzner Cloud Instance Server/VM specifications (Memory, CPU Cores) 2G Memory, 1 core Docker Version (docker version) Docker version 19.03.10, build 9424aeaee9 Docker-Compose Version (docker-compose version) docker-compose version 1.26.0, build d4451659 Reverse proxy (custom solution) Only running on port 8080 for other services - should have no impact on mailcow Output of git diff origin/master, any other changes to the code? If so, please post them. root@host:/opt/mailcow-dockerized# git diff origin/master root@host:/opt/mailcow-dockerized# All third-party firewalls and custom iptables rules are unsupported. Please check the Docker docs about how to use Docker with your own ruleset. Nevertheless, iptabels output can help us to help you: iptables -L -vn, ip6tables -L -vn, iptables -L -vn -t nat and ip6tables -L -vn -t nat. ufw status
root@orch:/opt/mailcow-dockerized# ufw status Status: active
To Action From
22/tcp ALLOW Anywhere 8080 ALLOW Anywhere 6273 ALLOW Anywhere 110 ALLOW Anywhere 143 ALLOW Anywhere 25 ALLOW Anywhere 4190 ALLOW Anywhere 443 ALLOW Anywhere 465 ALLOW Anywhere 587 ALLOW Anywhere 993 ALLOW Anywhere 995 ALLOW Anywhere 22/tcp (v6) ALLOW Anywhere (v6) 8080 (v6) ALLOW Anywhere (v6) 6273 (v6) ALLOW Anywhere (v6) 110 (v6) ALLOW Anywhere (v6) 143 (v6) ALLOW Anywhere (v6) 25 (v6) ALLOW Anywhere (v6) 4190 (v6) ALLOW Anywhere (v6) 443 (v6) ALLOW Anywhere (v6) 465 (v6) ALLOW Anywhere (v6) 587 (v6) ALLOW Anywhere (v6) 993 (v6) ALLOW Anywhere (v6) 995 (v6) ALLOW Anywhere (v6) iptables -L -vn
iptables -L -vn
Chain INPUT (policy DROP 122 packets, 5536 bytes) pkts bytes target prot opt in out source destination 159K 63M MAILCOW all -- 0.0.0.0/0 0.0.0.0/0 183M 78G ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0 183M 78G ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0 319K 878M ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0 282K 876M ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0 282K 876M ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0 282K 876M ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 20268 14M MAILCOW all -- 0.0.0.0/0 0.0.0.0/0 20559 15M DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0 20559 15M DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0 16516 14M ACCEPT all -- br-mailcow 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 1221 79016 DOCKER all -- br-mailcow 0.0.0.0/0 0.0.0.0/0 2822 1021K ACCEPT all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0 1187 77048 ACCEPT all -- br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 0 0 ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0 0 0 ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0 0 0 ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0 0 0 ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0 0 0 ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0 0 0 ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 17 packets, 1076 bytes) pkts bytes target prot opt in out source destination 154M 64G ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0 154M 64G ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0 677K 66M ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0 677K 66M ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0 677K 66M ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0 677K 66M ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.2 tcp dpt:8983 0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.249 tcp dpt:6379 0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.9 tcp dpt:3306 10 608 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.10 tcp dpt:443 3 120 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.10 tcp dpt:80 0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:12345 0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:4190 2 100 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:995 0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:993 0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:143 0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:110 2 120 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.11 tcp dpt:587 13 780 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.11 tcp dpt:465 4 240 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.11 tcp dpt:25
Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination 2822 1021K DOCKER-ISOLATION-STAGE-2 all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 23M 19G RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- br-mailcow 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- docker0 0.0.0.0/0 0.0.0.0/0 2687K 676M RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination 23M 19G RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain MAILCOW (2 references) pkts bytes target prot opt in out source destination
Chain ufw-after-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references) pkts bytes target prot opt in out source destination 0 0 ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 0 0 ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 0 0 ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 38 1968 ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 0 0 ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67 0 0 ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 0 0 ufw-skip-to-policy-input all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references) pkts bytes target prot opt in out source destination 74 3590 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references) pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references) pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11 0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12 0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 0 0 ufw-user-forward all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references) pkts bytes target prot opt in out source destination 86465 41M ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0 19676 8022K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 211 83205 ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 211 83205 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11 0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12 0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 23309 1969K ufw-not-local all -- 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 0 0 ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 23309 1969K ufw-user-input all -- * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references) pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references) pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references) pkts bytes target prot opt in out source destination 86465 41M ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0 23647 3437K ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 343 22662 ufw-user-output all -- * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references) pkts bytes target prot opt in out source destination 74 27936 RETURN all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10 67 37932 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references) pkts bytes target prot opt in out source destination 23309 1969K RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL 0 0 RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST 0 0 RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST 0 0 ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 0 0 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references) pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references) pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references) pkts bytes target prot opt in out source destination 38 1968 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references) pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references) pkts bytes target prot opt in out source destination 198 11880 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW 128 9706 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references) pkts bytes target prot opt in out source destination 188 11280 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 939 56220 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8080 88 5280 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6273 21934 1888K ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6273 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:110 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:143 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:25 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4190 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:443 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:465 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:587 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:993 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 0 0 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:995
Chain ufw-user-limit (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] " 0 0 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references) pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references) pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references) pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references) pkts bytes target prot opt in out source destination ip6tables -L -vn
ip6tables -L -vn
Chain INPUT (policy DROP 1 packets, 64 bytes) pkts bytes target prot opt in out source destination 293 23664 MAILCOW all ::/0 ::/0 224K 207M ufw6-before-logging-input all ::/0 ::/0 224K 207M ufw6-before-input all ::/0 ::/0 5575 424K ufw6-after-input all ::/0 ::/0 5573 424K ufw6-after-logging-input all ::/0 ::/0 5573 424K ufw6-reject-input all ::/0 ::/0 5573 424K ufw6-track-input all ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 11445 20M DOCKER-USER all ::/0 ::/0 11603 20M MAILCOW all ::/0 ::/0 8671K 17G DOCKER all br-mailcow ::/0 ::/0 7497K 17G ACCEPT all br-mailcow ::/0 ::/0 ctstate RELATED,ESTABLISHED 445K 77M ACCEPT all br-mailcow !br-mailcow ::/0 ::/0 1162K 83M ACCEPT all br-mailcow br-mailcow ::/0 ::/0 1253 96973 DOCKER-ISOLATION-STAGE-1 all ::/0 ::/0 1253 96973 ufw6-before-logging-forward all ::/0 ::/0 1253 96973 ufw6-before-forward all ::/0 ::/0 1253 96973 ufw6-after-forward all ::/0 ::/0 1253 96973 ufw6-after-logging-forward all ::/0 ::/0 1253 96973 ufw6-reject-forward all ::/0 ::/0 1253 96973 ufw6-track-forward all ::/0 ::/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 212K 16M ufw6-before-logging-output all ::/0 ::/0 212K 16M ufw6-before-output all ::/0 ::/0 2052 201K ufw6-after-output all ::/0 ::/0 2052 201K ufw6-after-logging-output all ::/0 ::/0 2052 201K ufw6-reject-output all ::/0 ::/0 2052 201K ufw6-track-output all ::/0 ::/0
Chain DOCKER (1 references) pkts bytes target prot opt in out source destination 40 5845 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::d tcp dpt:443 0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::d tcp dpt:80 0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:143 0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:4190 0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:993 0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:995 0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:110 0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:25 0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:465 0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:587
Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination 0 0 DOCKER-ISOLATION-STAGE-2 all br-mailcow !br-mailcow ::/0 ::/0 0 0 RETURN all ::/0 ::/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all br-mailcow ::/0 ::/0 0 0 RETURN all * ::/0 ::/0
Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination 9118K 17G RETURN all ::/0 ::/0
Chain MAILCOW (2 references) pkts bytes target prot opt in out source destination
Chain ufw6-after-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-after-input (1 references) pkts bytes target prot opt in out source destination 0 0 ufw6-skip-to-policy-input udp ::/0 ::/0 udp dpt:137 0 0 ufw6-skip-to-policy-input udp ::/0 ::/0 udp dpt:138 0 0 ufw6-skip-to-policy-input tcp ::/0 ::/0 tcp dpt:139 0 0 ufw6-skip-to-policy-input tcp ::/0 ::/0 tcp dpt:445 0 0 ufw6-skip-to-policy-input udp ::/0 ::/0 udp dpt:546 0 0 ufw6-skip-to-policy-input udp ::/0 ::/0 udp dpt:547
Chain ufw6-after-logging-forward (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-logging-input (1 references) pkts bytes target prot opt in out source destination 1 64 LOG all ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-logging-output (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-after-output (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-before-forward (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all ::/0 ::/0 rt type:0 0 0 ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 1 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 2 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 3 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 4 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 129 0 0 ufw6-user-forward all ::/0 ::/0
Chain ufw6-before-input (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all lo ::/0 ::/0 0 0 DROP all ::/0 ::/0 rt type:0 8 4214 ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 129 0 0 ufw6-logging-deny all ::/0 ::/0 ctstate INVALID 0 0 DROP all ::/0 ::/0 ctstate INVALID 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 1 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 2 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 3 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 4 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 42 2352 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255 25 1800 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255 34 2176 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 130 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 131 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 132 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 143 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 144 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 145 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 146 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 147 0 0 ACCEPT udp fe80::/10 fe80::/10 udp spt:547 dpt:546 0 0 ACCEPT udp ::/0 ff02::fb udp dpt:5353 0 0 ACCEPT udp ::/0 ff02::f udp dpt:1900 1 64 ufw6-user-input all * ::/0 ::/0
Chain ufw6-before-logging-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-before-logging-input (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-before-logging-output (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-before-output (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all lo ::/0 ::/0 0 0 DROP all ::/0 ::/0 rt type:0 10 1615 ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 1 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 2 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 3 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 4 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 129 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255 25 1600 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255 34 2448 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 130 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 131 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 132 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 143 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255 0 0 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1 0 0 ACCEPT icmpv6 fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1 1 80 ufw6-user-output all * ::/0 ::/0
Chain ufw6-logging-allow (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw6-logging-deny (1 references) pkts bytes target prot opt in out source destination 0 0 RETURN all ::/0 ::/0 ctstate INVALID limit: avg 3/min burst 10 0 0 LOG all ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-reject-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-reject-input (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-reject-output (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-skip-to-policy-forward (0 references) pkts bytes target prot opt in out source destination 0 0 DROP all ::/0 ::/0
Chain ufw6-skip-to-policy-input (6 references) pkts bytes target prot opt in out source destination 0 0 DROP all ::/0 ::/0
Chain ufw6-skip-to-policy-output (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all ::/0 ::/0
Chain ufw6-track-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-track-input (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-track-output (1 references) pkts bytes target prot opt in out source destination 1 80 ACCEPT tcp ::/0 ::/0 ctstate NEW 0 0 ACCEPT udp ::/0 ::/0 ctstate NEW
Chain ufw6-user-forward (1 references) pkts bytes target prot opt in out source destination
Chain ufw6-user-input (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:22 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:8080 0 0 ACCEPT udp ::/0 ::/0 udp dpt:8080 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:6273 0 0 ACCEPT udp ::/0 ::/0 udp dpt:6273 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:110 0 0 ACCEPT udp ::/0 ::/0 udp dpt:110 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:143 0 0 ACCEPT udp ::/0 ::/0 udp dpt:143 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:25 0 0 ACCEPT udp ::/0 ::/0 udp dpt:25 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:4190 0 0 ACCEPT udp ::/0 ::/0 udp dpt:4190 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:443 0 0 ACCEPT udp ::/0 ::/0 udp dpt:443 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:465 0 0 ACCEPT udp ::/0 ::/0 udp dpt:465 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:587 0 0 ACCEPT udp ::/0 ::/0 udp dpt:587 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:993 0 0 ACCEPT udp ::/0 ::/0 udp dpt:993 0 0 ACCEPT tcp ::/0 ::/0 tcp dpt:995 0 0 ACCEPT udp ::/0 ::/0 udp dpt:995
Chain ufw6-user-limit (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] " 0 0 REJECT all ::/0 ::/0 reject-with icmp6-port-unreachable
Chain ufw6-user-limit-accept (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all ::/0 ::/0
Chain ufw6-user-logging-forward (0 references) pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-input (0 references) pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-output (0 references) pkts bytes target prot opt in out source destination
Chain ufw6-user-output (1 references) pkts bytes target prot opt in out source destination iptables -L -vn -t nat
iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 32953 packets, 2752K bytes) pkts bytes target prot opt in out source destination 34M 2903M DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 30295 packets, 2565K bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4172 packets, 256K bytes) pkts bytes target prot opt in out source destination 16 960 DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 5231 packets, 324K bytes) pkts bytes target prot opt in out source destination 1599 123K MASQUERADE all -- !br-mailcow 172.22.1.0/24 0.0.0.0/0 0 0 MASQUERADE all -- !docker0 172.17.0.0/16 0.0.0.0/0 0 0 MASQUERADE tcp -- 172.22.1.2 172.22.1.2 tcp dpt:8983 0 0 MASQUERADE tcp -- 172.22.1.249 172.22.1.249 tcp dpt:6379 0 0 MASQUERADE tcp -- 172.22.1.9 172.22.1.9 tcp dpt:3306 0 0 MASQUERADE tcp -- 172.22.1.10 172.22.1.10 tcp dpt:443 0 0 MASQUERADE tcp -- 172.22.1.10 172.22.1.10 tcp dpt:80 0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:12345 0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:4190 0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:995 0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:993 0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:143 0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:110 0 0 MASQUERADE tcp -- 172.22.1.11 172.22.1.11 tcp dpt:587 0 0 MASQUERADE tcp -- 172.22.1.11 172.22.1.11 tcp dpt:465 0 0 MASQUERADE tcp -- 172.22.1.11 172.22.1.11 tcp dpt:25
Chain DOCKER (2 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- br-mailcow 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- docker0 0.0.0.0/0 0.0.0.0/0 0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 127.0.0.1 tcp dpt:18983 to:172.22.1.2:8983 0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 127.0.0.1 tcp dpt:7654 to:172.22.1.249:6379 0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 127.0.0.1 tcp dpt:13306 to:172.22.1.9:3306 10 608 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.22.1.10:443 3 120 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.22.1.10:80 0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 127.0.0.1 tcp dpt:19991 to:172.22.1.250:12345 0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 to:172.22.1.250:4190 2 100 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 to:172.22.1.250:995 0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 to:172.22.1.250:993 0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 to:172.22.1.250:143 0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 to:172.22.1.250:110 2 120 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 to:172.22.1.11:587 13 780 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 to:172.22.1.11:465 4 240 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:172.22.1.11:25 ip6tables -L -vn -t nat
ip6tables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 1123 packets, 104K bytes) pkts bytes target prot opt in out source destination 6233 468K DOCKER all ::/0 ::/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 5 packets, 400 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 80 bytes) pkts bytes target prot opt in out source destination 2628 210K DOCKER all ::/0 !::1 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 415 packets, 33223 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all br-mailcow ::/0 ::/0 ADDRTYPE match dst-type LOCAL 396K 40M MASQUERADE all !br-mailcow fd4d:6169:6c63:6f77::/64 ::/0 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:443 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:80 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:110 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:443 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:80 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:143 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:4190 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:25 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:465 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:587 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:993 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:995 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:110 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:443 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:80 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:110 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:143 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:25 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:465 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:587 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:4190 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:993 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:995 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:25 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:465 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:587 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:143 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:4190 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:993 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:995 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::b fd4d:6169:6c63:6f77::b tcp dpt:25 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::b fd4d:6169:6c63:6f77::b tcp dpt:465 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::b fd4d:6169:6c63:6f77::b tcp dpt:587 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::7 fd4d:6169:6c63:6f77::7 tcp dpt:110 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::7 fd4d:6169:6c63:6f77::7 tcp dpt:143 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::7 fd4d:6169:6c63:6f77::7 tcp dpt:4190 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::7 fd4d:6169:6c63:6f77::7 tcp dpt:993 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::7 fd4d:6169:6c63:6f77::7 tcp dpt:995 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::8 fd4d:6169:6c63:6f77::8 tcp dpt:443 0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::8 fd4d:6169:6c63:6f77::8 tcp dpt:80
Chain DOCKER (2 references) pkts bytes target prot opt in out source destination 10 800 RETURN all br-mailcow ::/0 ::/0 5 400 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:443 to:[fd4d:6169:6c63:6f77::d]:443 0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:80 to:[fd4d:6169:6c63:6f77::d]:80 0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:143 to:[fd4d:6169:6c63:6f77::e]:143 0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::e]:4190 0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:993 to:[fd4d:6169:6c63:6f77::e]:993 0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:995 to:[fd4d:6169:6c63:6f77::e]:995 0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:110 to:[fd4d:6169:6c63:6f77::e]:110 0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:25 to:[fd4d:6169:6c63:6f77::f]:25 0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:465 to:[fd4d:6169:6c63:6f77::f]:465 0 0 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:587 to:[fd4d:6169:6c63:6f77::f]:587 DNS problems? Please run docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254 (set the IP accordingly, if you changed the internal mailcow network) and post the output. root@host:/opt/mailcow-dockerized# docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254 151.101.65.69 151.101.193.69 151.101.129.69 151.101.1.69 AppArmor details:
aa-status
apparmor module is loaded. 18 profiles are loaded. 18 profiles are in enforce mode. /sbin/dhclient /usr/bin/lxc-start /usr/bin/man /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/NetworkManager/nm-dhcp-helper /usr/lib/connman/scripts/dhclient-script /usr/lib/snapd/snap-confine /usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/sbin/mysqld /usr/sbin/ntpd /usr/sbin/tcpdump docker-default lxc-container-default lxc-container-default-cgns lxc-container-default-with-mounting lxc-container-default-with-nesting man_filter man_groff 0 profiles are in complain mode. 89 processes have profiles defined. 89 processes are in enforce mode. /sbin/dhclient (812) /usr/sbin/mysqld (1186) docker-default (15158) docker-default (15280) docker-default (15300) docker-default (15356) docker-default (15373) docker-default (15388) docker-default (15395) docker-default (15409) docker-default (15418) docker-default (15738) docker-default (15742) docker-default (15869) docker-default (16063) docker-default (16157) docker-default (16622) docker-default (16623) docker-default (16652) docker-default (16665) docker-default (17358) docker-default (17875) docker-default (17880) docker-default (17913) docker-default (17921) docker-default (17957) docker-default (17991) docker-default (18024) docker-default (18066) docker-default (18072) docker-default (18083) docker-default (18106) docker-default (18155) docker-default (18167) docker-default (18210) docker-default (18216) docker-default (18217) docker-default (18218) docker-default (18219) docker-default (18220) docker-default (18221) docker-default (18295) docker-default (18296) docker-default (18320) docker-default (18507) docker-default (18510) docker-default (18582) docker-default (18839) docker-default (18841) docker-default (18842) docker-default (18843) docker-default (18844) docker-default (18861) docker-default (19111) docker-default (19207) docker-default (19208) docker-default (19456) docker-default (19841) docker-default (19940) docker-default (19941) docker-default (19942) docker-default (19943) docker-default (19950) docker-default (19951) docker-default (19952) docker-default (19953) docker-default (19954) docker-default (19955) docker-default (19956) docker-default (19959) docker-default (19961) docker-default (19962) docker-default (19963) docker-default (20329) docker-default (20330) docker-default (20331) docker-default (20332) docker-default (20333) docker-default (20477) docker-default (20802) docker-default (20868) docker-default (21252) docker-default (21688) docker-default (21820) docker-default (21992) docker-default (21996) docker-default (21999) docker-default (22041) docker-default (22173) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.
warwickchapman
WernerCoder
shiz0
Prior to placing the issue, please check following: (fill out each checkbox with an
Xonce done)Description of the bug:
I initially setup mailcow-dockerized on
MAILCOW_HOSTNAMEmail.x.com serving mail for x.com.Then, I added y.com and all was good the world.
We were serving mail for addresses at x.com and y.com and I did one or two
./update.shruns during the working period.Then, a couple of weeks ago, we got an SSL error from an expired certificate that (I believe) resulted from
ufwbeing enabled on the host and causingacme-mailcowto not function properly.Because there are (I apologise) two other services running on this box, I added a cronjob to disable the firewall, restart
acme-mailcowand re-enable the firewall because that's the process I used two weeks ago to renew the cert.However, in the last few days, we are getting an error
NET::ERR_CERT_COMMON_NAME_INVALIDthat the the system is now using a certautodiscover.y.comwhich does not matchmail.x.comthat the system was originally configured for.Docker container logs of affected containers:
It would appear that by running
docker-compose down && docker-compose up -das part of the process described below, I have destroyed these logs. I am happy to help dig for them if they can be found.Reproduction of said bug:
I searched and tried a few things like:
adding
mail.*toADDITIONAL_SANand runningdocker-compose down && docker-compose up -dsetting
ENABLE_SSL_SNItoyand runningdocker-compose down && docker-compose up -drunning
./update.shI am reporting here because it seems bug-like that a certificate for a secondary domain and hostname
!=MAILCOW_HOSTNAMEis being used for SSL - even if there is a (unsupported) firewall issue causing / conflating the problem.The resolution, though I am not sure this will work every time, is to stop
ufwperform an./update.shand then startufwagain.System information:
docker version)Docker version 19.03.10, build 9424aeaee9docker-compose version)docker-compose version 1.26.0, build d4451659git diff origin/master, any other changes to the code? If so, please post them.iptables -L -vn,ip6tables -L -vn,iptables -L -vn -t natandip6tables -L -vn -t nat.ufw statusiptables -L -vnip6tables -L -vniptables -L -vn -t natip6tables -L -vn -t natdocker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254(set the IP accordingly, if you changed the internal mailcow network) and post the output.