mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Enabling XMPP results in incorrect behavior from loading NGINX configuration #4064

Closed maxileith closed 3 years ago

maxileith commented 3 years ago


Summary

Hello,

I have found a bug that causes the ssl_* settings of the configuration file data/conf/nginx/includes/site-defaults.conf to be ignored.

I came across this bug because I was wondering why TLSv1.3 is not available over HTTPS, even though I enabled the setting in said file ssl_protocols: TLSv1.2 TLSv1.3;.

The bug occurs exactly when XMPP is enabled for at least one domain. This results in errors appearing in the NGINX logs when loading the site-defaults.conf configuration file. See below.

Logs

docker-compose logs -f --tail=200 nginx-mailcow

nginx-mailcow_1      | 2021/04/18 14:58:32 [emerg] 21#21: host not found in upstream "rspamd" in /etc/nginx/conf.d/includes/site-defaults.conf:104
nginx-mailcow_1      | nginx: [emerg] host not found in upstream "rspamd" in /etc/nginx/conf.d/includes/site-defaults.conf:104
nginx-mailcow_1      | nginx: configuration file /etc/nginx/nginx.conf test failed
nginx-mailcow_1      | 172.22.1.13 - - [18/Apr/2021:14:58:36 +0200] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.74.0"
nginx-mailcow_1      | 2021/04/18 14:58:37 [error] 25#25: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 1.2.3.4, server: mail.example.org, request: "GET / HTTP/2.0", upstream: "fastcgi://172.22.1.9:9002", host: "mail.example.org"
nginx-mailcow_1      | 2021/04/18 14:58:37 [error] 25#25: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 1.2.3.4, server: mail.example.org, request: "GET / HTTP/2.0", upstream: "fastcgi://[fd4d:6169:6c63:6f77::c]:9002", host: "mail.example.org"
nginx-mailcow_1      | 1.2.3.4 - - [18/Apr/2021:14:58:37 +0200] "GET / HTTP/2.0" 502 1076 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
nginx-mailcow_1      | 2021/04/18 14:58:37 [error] 25#25: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 172.22.1.13, server: im.example.org, request: "GET / HTTP/1.1", upstream: "http://172.22.1.8:5281/", host: "nginx"
nginx-mailcow_1      | 2021/04/18 14:58:37 [warn] 25#25: *5 upstream server temporarily disabled while connecting to upstream, client: 172.22.1.13, server: im.example.org, request: "GET / HTTP/1.1", upstream: "http://172.22.1.8:5281/", host: "nginx"
nginx-mailcow_1      | 2021/04/18 14:58:37 [error] 25#25: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 172.22.1.13, server: im.example.org, request: "GET / HTTP/1.1", upstream: "http://[fd4d:6169:6c63:6f77::b]:5281/", host: "nginx"
nginx-mailcow_1      | 2021/04/18 14:58:37 [warn] 25#25: *5 upstream server temporarily disabled while connecting to upstream, client: 172.22.1.13, server: im.example.org, request: "GET / HTTP/1.1", upstream: "http://[fd4d:6169:6c63:6f77::b]:5281/", host: "nginx"
nginx-mailcow_1      | 172.22.1.13 - - [18/Apr/2021:14:58:37 +0200] "GET / HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 1.2.3.4 - - [18/Apr/2021:14:58:38 +0200] "GET /bower_components/bootstrap/dist/css/bootstrap.min.css HTTP/2.0" 404 146 "https://mail.example.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
nginx-mailcow_1      | 1.2.3.4 - - [18/Apr/2021:14:58:38 +0200] "GET /favicon.ico HTTP/2.0" 404 146 "https://mail.example.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
nginx-mailcow_1      | 2021/04/18 14:58:39 [error] 25#25: *8 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/102472615215298 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/102472615215298", host: "smtp.domain2.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:39 +0200] "GET /.well-known/acme-challenge/102472615215298 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:39 [error] 25#25: *9 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/2069866630629 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/2069866630629", host: "imap.domain2.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:39 +0200] "GET /.well-known/acme-challenge/2069866630629 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:39 [error] 25#25: *10 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/10862291576498 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/10862291576498", host: "pop.domain2.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:39 +0200] "GET /.well-known/acme-challenge/10862291576498 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:40 +0200] "GET /.well-known/acme-challenge/59162341722626 HTTP/1.1" 200 15 "-" "curl/7.74.0"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:40 +0200] "GET /.well-known/acme-challenge/9659861623163 HTTP/1.1" 200 14 "-" "curl/7.74.0"
nginx-mailcow_1      | 2021/04/18 14:58:40 [error] 25#25: *13 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/283991918413145 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/283991918413145", host: "smtp.cloud.example.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:40 +0200] "GET /.well-known/acme-challenge/283991918413145 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:40 [error] 25#25: *14 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/32198465228232 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/32198465228232", host: "imap.cloud.example.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:40 +0200] "GET /.well-known/acme-challenge/32198465228232 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:40 [error] 25#25: *15 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/24658236972251 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/24658236972251", host: "pop.cloud.example.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:40 +0200] "GET /.well-known/acme-challenge/24658236972251 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:40 +0200] "GET /.well-known/acme-challenge/294612835620092 HTTP/1.1" 200 16 "-" "curl/7.74.0"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:41 +0200] "GET /.well-known/acme-challenge/166611843630677 HTTP/1.1" 200 16 "-" "curl/7.74.0"
nginx-mailcow_1      | 2021/04/18 14:58:41 [error] 25#25: *18 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/95605814366 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/95605814366", host: "smtp.domain3.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:41 +0200] "GET /.well-known/acme-challenge/95605814366 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:41 [error] 25#25: *19 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/313172300010597 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/313172300010597", host: "imap.domain3.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:41 +0200] "GET /.well-known/acme-challenge/313172300010597 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:41 [error] 25#25: *20 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/170081988211230 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/170081988211230", host: "pop.domain3.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:41 +0200] "GET /.well-known/acme-challenge/170081988211230 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:41 +0200] "GET /.well-known/acme-challenge/30384963615285 HTTP/1.1" 200 15 "-" "curl/7.74.0"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:42 +0200] "GET /.well-known/acme-challenge/137032221611752 HTTP/1.1" 200 16 "-" "curl/7.74.0"
nginx-mailcow_1      | 2021/04/18 14:58:42 [error] 25#25: *23 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/212032373115520 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/212032373115520", host: "smtp.anotherdomain.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:42 +0200] "GET /.well-known/acme-challenge/212032373115520 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:42 [error] 25#25: *24 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/300942093431564 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/300942093431564", host: "imap.anotherdomain.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:42 +0200] "GET /.well-known/acme-challenge/300942093431564 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:43 [error] 25#25: *25 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/142711022424005 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/142711022424005", host: "pop.anotherdomain.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:43 +0200] "GET /.well-known/acme-challenge/142711022424005 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:43 +0200] "GET /.well-known/acme-challenge/135851638926536 HTTP/1.1" 200 16 "-" "curl/7.74.0"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:43 +0200] "GET /.well-known/acme-challenge/230571735122734 HTTP/1.1" 200 16 "-" "curl/7.74.0"
nginx-mailcow_1      | 2021/04/18 14:58:43 [error] 25#25: *28 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/149922837611819 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/149922837611819", host: "smtp.yetanotherdomain.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:43 +0200] "GET /.well-known/acme-challenge/149922837611819 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:43 [error] 25#25: *29 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/107922716330515 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/107922716330515", host: "imap.yetanotherdomain.org"
nginx-mailcow_1      | fd4d:6169:6c63:6f77::1 - - [18/Apr/2021:14:58:43 +0200] "GET /.well-known/acme-challenge/107922716330515 HTTP/1.1" 502 150 "-" "curl/7.74.0" "-"
nginx-mailcow_1      | 2021/04/18 14:58:43 [error] 25#25: *30 no live upstreams while connecting to upstream, client: fd4d:6169:6c63:6f77::1, server: im.example.org, request: "GET /.well-known/acme-challenge/31755322909 HTTP/1.1", upstream: "http://ejabberd/.well-known/acme-challenge/31755322909", host: "pop.yetanotherdomain.org"

Reproduction

At this point, XMPP is disabled for all domains. TLSv1.3 works:

openssl s_client -showcerts -connect localhost:443 -servername example.org

Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    ...

Now enable XMPP for at least one domain and execute the following commands:

docker-compose down
docker-compose up -d

TLSv1.3 does not work now.

openssl s_client -showcerts -connect localhost:443 -servername example.org

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
...

System information

| Question | Answer |
|---|---|
| My operating system | Debian 10 |
| Is Apparmor, SELinux or similar active? | Linux example.org 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux |
| Virtualization technology (KVM, VMware, Xen, etc - LXC and OpenVZ are not supported) | KVM |
| Server/VM specifications (Memory, CPU Cores) | 8GB, 4 Cores |
| Docker Version (docker version) | Docker version 20.10.6, build 370c289 |
| Docker-Compose Version (docker-compose version) | docker-compose version 1.29.1, build c34c88b2 |
| Reverse proxy (custom solution) | No |

Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
80931 265M DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
50978 20M DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
26460 16M ACCEPT all -- br-mailcow 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2389 151K DOCKER all -- br-mailcow 0.0.0.0/0 0.0.0.0/0
22129 3481K ACCEPT all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
2389 151K ACCEPT all -- br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1623K packets, 416M bytes) pkts bytes target prot opt in out source destination

Chain FILTERS (2 references) pkts bytes target prot opt in out source destination
4426K 4841M ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
11509 486K DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
13 728 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:57462
3551 199K ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
8494 495K ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
3764 200K ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
4532 271K ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
788 46432 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
4344 260K ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
14800 907K ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
3565 213K ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
3857 231K ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
18 1024 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:4190
3161 190K ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:63733
70 3696 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5222
38 2068 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5269
57 3268 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5443
1338K 448M DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination
3250K 3802M FILTERS all -- eth0 0.0.0.0/0 0.0.0.0/0
23M 12G RETURN all -- * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (2 references) pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.249 tcp dpt:6379
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.6 tcp dpt:8983
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.7 tcp dpt:5443
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.7 tcp dpt:5269
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.7 tcp dpt:5222
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.9 tcp dpt:3306
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:12345
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:4190
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.11 tcp dpt:587
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:995
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.11 tcp dpt:465
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:993
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.11 tcp dpt:25
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:143
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:110
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.12 tcp dpt:443
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.12 tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination
22129 3481K DOCKER-ISOLATION-STAGE-2 all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
9534K 4749M RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references) pkts bytes target prot opt in out source destination
0 0 DROP all -- br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- docker0 0.0.0.0/0 0.0.0.0/0
1343K 581M RETURN all -- 0.0.0.0/0 0.0.0.0/0

Warning: iptables-legacy tables present, use iptables-legacy to see them

`ip6tables -L -vn`
root@vmd47018:/opt/mailcow-dockerized# ip6tables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
240 270K ACCEPT all lo ::/0 ::/0
77537 5158K ACCEPT icmpv6 ::/0 ::/0
16M 1525M FILTERS all * ::/0 ::/0

Chain FORWARD (policy DROP 723 packets, 60826 bytes) pkts bytes target prot opt in out source destination
4542 8518K DOCKER-USER all ::/0 ::/0
4650K 9636M DOCKER-ISOLATION-STAGE-1 all ::/0 ::/0
4409K 9606M DOCKER all br-mailcow ::/0 ::/0
3815K 9564M ACCEPT all br-mailcow ::/0 ::/0 ctstate RELATED,ESTABLISHED
240K 29M ACCEPT all br-mailcow !br-mailcow ::/0 ::/0
594K 42M ACCEPT all br-mailcow br-mailcow ::/0 ::/0

Chain OUTPUT (policy ACCEPT 8188K packets, 113G bytes) pkts bytes target prot opt in out source destination

Chain FILTERS (2 references) pkts bytes target prot opt in out source destination
17M 1601M ACCEPT all ::/0 ::/0 state RELATED,ESTABLISHED
59 4332 DROP all ::/0 ::/0 state INVALID
0 0 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:57462
1112 88960 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:80
1235 98800 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:443
19 1520 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:25
3 244 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:465
42 3364 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:587
46 3708 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:143
250 21000 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:993
0 0 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:110
0 0 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:995
0 0 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:4190
0 0 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:63733
0 0 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:5222
0 0 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:5269
0 0 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:5443
21 1795 DROP all ::/0 ::/0

Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination
237K 76M FILTERS all eth0 ::/0 ::/0
4650K 9636M RETURN all * ::/0 ::/0

Chain DOCKER (1 references) pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:110
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:143
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:4190
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:993
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:995
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:25
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:465
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:587
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::a tcp dpt:5222
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::a tcp dpt:5269
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::a tcp dpt:5443

Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination
283 52436 DOCKER-ISOLATION-STAGE-2 all br-mailcow !br-mailcow ::/0 ::/0
4275 8463K RETURN all ::/0 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references) pkts bytes target prot opt in out source destination
0 0 DROP all br-mailcow ::/0 ::/0
283 52436 RETURN all * ::/0 ::/0

Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them

`iptables -L -vn -t nat`

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
63704 3756K DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
1438 109K MASQUERADE all -- !br-mailcow 172.22.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- 172.22.1.249 172.22.1.249 tcp dpt:6379
0 0 MASQUERADE tcp -- 172.22.1.6 172.22.1.6 tcp dpt:8983
0 0 MASQUERADE tcp -- 172.22.1.7 172.22.1.7 tcp dpt:5443
0 0 MASQUERADE tcp -- 172.22.1.7 172.22.1.7 tcp dpt:5269
0 0 MASQUERADE tcp -- 172.22.1.7 172.22.1.7 tcp dpt:5222
0 0 MASQUERADE tcp -- 172.22.1.9 172.22.1.9 tcp dpt:3306
0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:12345
0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:4190
0 0 MASQUERADE tcp -- 172.22.1.11 172.22.1.11 tcp dpt:587
0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:995
0 0 MASQUERADE tcp -- 172.22.1.11 172.22.1.11 tcp dpt:465
0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:993
0 0 MASQUERADE tcp -- 172.22.1.11 172.22.1.11 tcp dpt:25
0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:143
0 0 MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:110
0 0 MASQUERADE tcp -- 172.22.1.12 172.22.1.12 tcp dpt:443
0 0 MASQUERADE tcp -- 172.22.1.12 172.22.1.12 tcp dpt:80

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
4 240 DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references) pkts bytes target prot opt in out source destination
1 60 RETURN all -- br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- docker0 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 127.0.0.1 tcp dpt:7654 to:172.22.1.249:6379
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 127.0.0.1 tcp dpt:18983 to:172.22.1.6:8983
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:5443 to:172.22.1.7:5443
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:5269 to:172.22.1.7:5269
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 to:172.22.1.7:5222
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 127.0.0.1 tcp dpt:13306 to:172.22.1.9:3306
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 127.0.0.1 tcp dpt:19991 to:172.22.1.250:12345
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 to:172.22.1.250:4190
4 240 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 to:172.22.1.11:587
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 to:172.22.1.250:995
1 60 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 to:172.22.1.11:465
15 924 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 to:172.22.1.250:993
7 388 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:172.22.1.11:25
7 420 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 to:172.22.1.250:143
0 0 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 to:172.22.1.250:110
4 208 DNAT tcp -- !br-mailcow 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.22.1.12:443
6 308 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.22.1.12:80

Warning: iptables-legacy tables present, use iptables-legacy to see them

`ip6tables -L -vn -t nat`

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
2755 222K DOCKER all ::/0 ::/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
0 0 MASQUERADE all br-mailcow ::/0 ::/0 ADDRTYPE match dst-type LOCAL
172K 16M MASQUERADE all !br-mailcow fd4d:6169:6c63:6f77::/64 ::/0
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:110
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:143
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:4190
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:993
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:995
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::4 fd4d:6169:6c63:6f77::4 tcp dpt:110
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::4 fd4d:6169:6c63:6f77::4 tcp dpt:143
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::4 fd4d:6169:6c63:6f77::4 tcp dpt:4190
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::a fd4d:6169:6c63:6f77::a tcp dpt:5222
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::a fd4d:6169:6c63:6f77::a tcp dpt:5269
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::a fd4d:6169:6c63:6f77::a tcp dpt:5443
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:143
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:4190
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:993
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:995
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:110
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::b fd4d:6169:6c63:6f77::b tcp dpt:5222
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::b fd4d:6169:6c63:6f77::b tcp dpt:5269
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::b fd4d:6169:6c63:6f77::b tcp dpt:5443
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:25
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:465
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:587
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::4 fd4d:6169:6c63:6f77::4 tcp dpt:993
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::4 fd4d:6169:6c63:6f77::4 tcp dpt:995
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::8 fd4d:6169:6c63:6f77::8 tcp dpt:25
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::8 fd4d:6169:6c63:6f77::8 tcp dpt:465
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::8 fd4d:6169:6c63:6f77::8 tcp dpt:587
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:5222
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:5269
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:5443
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::10 fd4d:6169:6c63:6f77::10 tcp dpt:110
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::10 fd4d:6169:6c63:6f77::10 tcp dpt:143
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::10 fd4d:6169:6c63:6f77::10 tcp dpt:4190
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::10 fd4d:6169:6c63:6f77::10 tcp dpt:993
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::10 fd4d:6169:6c63:6f77::10 tcp dpt:995
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:25
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:465
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:587
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:5222
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:5269
0 0 MASQUERADE tcp fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:5443

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
20 1600 DOCKER all ::/0 !::1 ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references) pkts bytes target prot opt in out source destination
0 0 RETURN all br-mailcow ::/0 ::/0
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:110 to:[fd4d:6169:6c63:6f77::e]:110
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:143 to:[fd4d:6169:6c63:6f77::e]:143
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::e]:4190
5 420 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:993 to:[fd4d:6169:6c63:6f77::e]:993
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:995 to:[fd4d:6169:6c63:6f77::e]:995
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:25 to:[fd4d:6169:6c63:6f77::f]:25
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:465 to:[fd4d:6169:6c63:6f77::f]:465
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:587 to:[fd4d:6169:6c63:6f77::f]:587
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:5222 to:[fd4d:6169:6c63:6f77::a]:5222
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:5269 to:[fd4d:6169:6c63:6f77::a]:5269
0 0 DNAT tcp !br-mailcow ::/0 ::/0 tcp dpt:5443 to:[fd4d:6169:6c63:6f77::a]:5443

Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them

- DNS problems? Please run `docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254` (set the IP accordingly, if you changed the internal mailcow network) and post the output.
`docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254`

151.101.65.69
151.101.193.69
151.101.1.69
151.101.129.69

andryyy commented 3 years ago

Hi Max,

That's a good catch!

I will fix it ASAP.

André

pgit commented 3 years ago

Had a similar problem, not with XMPP, but with custom sites: It turns out NGINX needs TLSv1.3 to be enabled on the default server section as well. It is not enough to just enable it in your virtual hosting sections (the ones containing a "server_name" directive). I guess this makes sense because SNI (and thus virtual hosting) is exchanged after TLSv1.3 is negotiated.
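The check the report above runs by hand with `openssl s_client`, as an added example that is not part of this thread and not code from the mailcow project: a small POSIX shell script that extracts the negotiated protocol from `s_client` output and reports it for every SNI name it is given, so a TLSv1.3 regression like the one described in the report, and the default-server cause pgit points at, shows up as a failing name rather than a surprise. `TLS_CHECK_HOST`, `TLS_CHECK_PORT` and the sample name `mail.example.org` are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailcow project or this thread.
# TLS_CHECK_HOST / TLS_CHECK_PORT and mail.example.org are placeholders.

# Pull the negotiated protocol out of `openssl s_client` output read from stdin.
# Handles both transcripts shown in the report above: the TLSv1.3 one
# ("Protocol  : TLSv1.3" under SSL-Session) and the TLSv1.2 one.
negotiated_protocol() {
    proto=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$proto" ]; then
        echo unknown        # no SSL-Session block: handshake failed or output truncated
    else
        echo "$proto"
    fi
}

# Live check: connect to TLS_CHECK_HOST:TLS_CHECK_PORT with SNI name $1 and
# print "<name><tab><protocol>". No -tls1_3 flag on purpose: we want the version
# the server actually picks from its ssl_protocols, which is what the report
# compares before and after enabling XMPP.
check_sni() {
    sni=$1
    proto=$(openssl s_client -connect "${TLS_CHECK_HOST}:${TLS_CHECK_PORT:-443}" \
                -servername "$sni" </dev/null 2>/dev/null | negotiated_protocol)
    printf '%s\t%s\n' "$sni" "$proto"
}

# Check every name given; return 1 if any of them negotiated less than TLSv1.3.
# Run it with a name served by the default server block and with each virtual
# host: if the default server lacks TLSv1.3 in ssl_protocols, every name on
# that listen socket fails together, which is the behaviour pgit describes.
expect_tls13() {
    rc=0
    for sni in "$@"; do
        result=$(check_sni "$sni")
        proto=$(printf '%s\n' "$result" | cut -f2)
        if [ "$proto" != "TLSv1.3" ]; then
            echo "FAIL: $sni negotiated $proto (expected TLSv1.3)" >&2
            rc=1
        else
            echo "ok:   $sni negotiated $proto"
        fi
    done
    return $rc
}

# Only touch the network when TLS_CHECK_HOST is set, so the parser can be
# sourced and used on saved s_client output as well.
if [ -n "${TLS_CHECK_HOST:-}" ]; then
    [ $# -gt 0 ] || set -- mail.example.org
    expect_tls13 "$@"
fi
```

Usage: `TLS_CHECK_HOST=localhost sh tls13-check.sh mail.example.org im.example.org` prints one line per name and exits non-zero if any name negotiated below TLSv1.3; running it before and after enabling XMPP reproduces the comparison in the report without reading through the full `s_client` output each time.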