Webauthn login on android chrome does not work

Contribution guidelines

[X] I've read the contribution guidelines and wholeheartedly agree

I've found a bug and checked that ...

[X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
[X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
[X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
[X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

Try to authenticate with an Fido2 security key (Nitrokey 3A) on Android with mobile Chrome does not work and result in following error message:

Validation failed: Use of an empty àllowCredetianls list is not supported on this device.

Authentication on Windows with Firefox or Chrome works fine. Google Pixel 4a 5G with Android 13 and mobile Chrome 106.

mailcow

Logs

mailcow-nginx-mailcow-1      | 172.25.0.2 - - [15/Oct/2022:18:29:37 +0200] "GET /?lang=en HTTP/2.0" 200 6217 "https://mail.xxxx.xxx/" "Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36"
mailcow-php-fpm-mailcow-1    | fd4d:6169:6c63:6f77::6 -  15/Oct/2022:18:29:37 +0200 "GET /json_api.php" 200
mailcow-nginx-mailcow-1      | 172.25.0.2 - - [15/Oct/2022:18:29:37 +0200] "GET /api/v1/get/passwordpolicy/html HTTP/2.0" 200 20 "https://mail.xxxx.xxx/" "Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36"
mailcow-php-fpm-mailcow-1    | 172.22.1.4 -  15/Oct/2022:18:29:40 +0200 "GET /index.php" 200
mailcow-nginx-mailcow-1      | 172.25.0.2 - - [15/Oct/2022:18:29:40 +0200] "GET /?lang=en HTTP/2.0" 200 6217 "https://mail.xxxx.xxx/" "Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36"
mailcow-php-fpm-mailcow-1    | fd4d:6169:6c63:6f77::6 -  15/Oct/2022:18:29:40 +0200 "GET /json_api.php" 200
mailcow-nginx-mailcow-1      | 172.25.0.2 - - [15/Oct/2022:18:29:40 +0200] "GET /api/v1/get/passwordpolicy/html HTTP/2.0" 200 20 "https://mail.xxxx.xxx/" "Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36"
mailcow-watchdog-mailcow-1   | Sat Oct 15 18:29:42 CEST 2022 ACME health level: 100% (1/1), health trend: 0
mailcow-php-fpm-mailcow-1    | 172.22.1.4 -  15/Oct/2022:18:29:42 +0200 "GET /json_api.php" 200
mailcow-nginx-mailcow-1      | 172.25.0.2 - - [15/Oct/2022:18:29:42 +0200] "GET /api/v1/get/fido2-get-args HTTP/2.0" 200 162 "https://mail.xxxx.xxx/" "Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36"
mailcow-watchdog-mailcow-1   | Sat Oct 15 18:29:44 CEST 2022 Redis health level: 100% (5/5), health trend: 0
mailcow-nginx-mailcow-1      | 172.22.1.3 - - [15/Oct/2022:18:29:45 +0200] "GET / HTTP/1.1" 200 15 "-" "check_http/v (nagios-plugins 2.3.3)"

Steps to reproduce

Add an Fido2 security key for administrator (used Win/Firefox for this!)
Go to the mailcow login page on Android device with mobile Chrome.
Select Fido2/Webauthn for login
Get the error message and not the android system dialog to use the security key.

System information

Question	Answer
My operating system	Debian 11
Is Apparmor, SELinux or similar active?	No
Virtualization technology (KVM, VMware, Xen, etc - LXC and OpenVZ are not supported	KVM
Server/VM specifications (Memory, CPU Cores)	24 GB RAM 8 Cores
Docker version (`docker version`)	20.10.18
docker-compose version (`docker-compose version`)	v2.10.1
mailcow version (git describe --tags `git rev-list --tags --max-count=1`)	2022-09a
Reverse proxy (custom solution)	traefik2

Output of git diff origin/master, any other changes to the code? If so, please post them:

diff --git a/docker-compose.yml b/docker-compose.yml
index cb9402da..3553c2c0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -376,9 +376,9 @@ services:
         - ./data/conf/nginx/:/etc/nginx/conf.d/:z
         - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
         - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
-      ports:
-        - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
-        - "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
+      #ports:
+      #  - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
+      #  - "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
       restart: always
       networks:
         mailcow-network:
@@ -580,36 +580,6 @@ services:
           aliases:
             - ofelia
-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-

All third-party firewalls and custom iptables rules are unsupported. Please check the Docker docs about how to use Docker with your own ruleset. Nevertheless, iptabels output can help us to help you: iptables -L -vn:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  18M 6590M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  18M 6590M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
 3470 2095K ACCEPT     all  --  *      br-90678195243e  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-90678195243e  0.0.0.0/0            0.0.0.0/0
 4151  628K ACCEPT     all  --  br-90678195243e !br-90678195243e  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-90678195243e br-90678195243e  0.0.0.0/0            0.0.0.0/0
1226K  349M ACCEPT     all  --  *      br-227fb1a701b7  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
10044  603K DOCKER     all  --  *      br-227fb1a701b7  0.0.0.0/0            0.0.0.0/0
 5156  293K ACCEPT     all  --  br-227fb1a701b7 !br-227fb1a701b7  0.0.0.0/0            0.0.0.0/0
10044  603K ACCEPT     all  --  br-227fb1a701b7 br-227fb1a701b7  0.0.0.0/0            0.0.0.0/0
  410 30528 ACCEPT     all  --  *      br-18ba96acf8f7  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  370 25990 DOCKER     all  --  *      br-18ba96acf8f7  0.0.0.0/0            0.0.0.0/0
  701  212K ACCEPT     all  --  br-18ba96acf8f7 !br-18ba96acf8f7  0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     all  --  br-18ba96acf8f7 br-18ba96acf8f7  0.0.0.0/0            0.0.0.0/0
 485K   72M ACCEPT     all  --  *      br-6bd074432e79  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  988 59280 DOCKER     all  --  *      br-6bd074432e79  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-6bd074432e79 !br-6bd074432e79  0.0.0.0/0            0.0.0.0/0
  988 59280 ACCEPT     all  --  br-6bd074432e79 br-6bd074432e79  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-04bebda2d4d0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-04bebda2d4d0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-04bebda2d4d0 !br-04bebda2d4d0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-04bebda2d4d0 br-04bebda2d4d0  0.0.0.0/0            0.0.0.0/0
   23 74276 ACCEPT     all  --  *      br-0184dacf97f3  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    60 DOCKER     all  --  *      br-0184dacf97f3  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-0184dacf97f3 !br-0184dacf97f3  0.0.0.0/0            0.0.0.0/0
    1    60 ACCEPT     all  --  br-0184dacf97f3 br-0184dacf97f3  0.0.0.0/0            0.0.0.0/0
  13M 5422M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
1304K   81M DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
1198K  182M ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
1286K   80M ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0
 436K  414M ACCEPT     all  --  *      br-f25b95d45fd8  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
20863 1203K DOCKER     all  --  *      br-f25b95d45fd8  0.0.0.0/0            0.0.0.0/0
 116K   57M ACCEPT     all  --  br-f25b95d45fd8 !br-f25b95d45fd8  0.0.0.0/0            0.0.0.0/0
 6985  419K ACCEPT     all  --  br-f25b95d45fd8 br-f25b95d45fd8  0.0.0.0/0            0.0.0.0/0
36807 7317K ACCEPT     all  --  *      br-d26f3c3ab46d  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1291 77460 DOCKER     all  --  *      br-d26f3c3ab46d  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-d26f3c3ab46d !br-d26f3c3ab46d  0.0.0.0/0            0.0.0.0/0
 1291 77460 ACCEPT     all  --  br-d26f3c3ab46d br-d26f3c3ab46d  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (10 references)
 pkts bytes target     prot opt in     out     source               destination
   14   840 ACCEPT     tcp  --  !br-18ba96acf8f7 br-18ba96acf8f7  0.0.0.0/0            172.23.0.2           tcp dpt:53
  354 25030 ACCEPT     udp  --  !br-18ba96acf8f7 br-18ba96acf8f7  0.0.0.0/0            172.23.0.2           udp dpt:53
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:8983
12605  657K ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:3306
  947 53536 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
   48  2660 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
 1290 69404 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
  518 30100 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
 1143 67676 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
  507 29364 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
  512 29512 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
 7226  410K ACCEPT     tcp  --  !br-f25b95d45fd8 br-f25b95d45fd8  0.0.0.0/0            172.25.0.2           tcp dpt:443
 5822  329K ACCEPT     tcp  --  !br-f25b95d45fd8 br-f25b95d45fd8  0.0.0.0/0            172.25.0.2           tcp dpt:80
    0     0 ACCEPT     udp  --  !br-f25b95d45fd8 br-f25b95d45fd8  0.0.0.0/0            172.25.0.5           udp dpt:8443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 4151  628K DOCKER-ISOLATION-STAGE-2  all  --  br-90678195243e !br-90678195243e  0.0.0.0/0            0.0.0.0/0

 5156  293K DOCKER-ISOLATION-STAGE-2  all  --  br-227fb1a701b7 !br-227fb1a701b7  0.0.0.0/0            0.0.0.0/0

  701  212K DOCKER-ISOLATION-STAGE-2  all  --  br-18ba96acf8f7 !br-18ba96acf8f7  0.0.0.0/0            0.0.0.0/0

    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-6bd074432e79 !br-6bd074432e79  0.0.0.0/0            0.0.0.0/0

    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-04bebda2d4d0 !br-04bebda2d4d0  0.0.0.0/0            0.0.0.0/0

    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-0184dacf97f3 !br-0184dacf97f3  0.0.0.0/0            0.0.0.0/0

1198K  182M DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
 116K   57M DOCKER-ISOLATION-STAGE-2  all  --  br-f25b95d45fd8 !br-f25b95d45fd8  0.0.0.0/0            0.0.0.0/0

    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-d26f3c3ab46d !br-d26f3c3ab46d  0.0.0.0/0            0.0.0.0/0

  18M 6590M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-90678195243e  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-227fb1a701b7  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-18ba96acf8f7  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-6bd074432e79  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-04bebda2d4d0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-0184dacf97f3  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-f25b95d45fd8  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-d26f3c3ab46d  0.0.0.0/0            0.0.0.0/0
1324K  240M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  18M 6590M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

ip6tables -L -vn:

# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
3788K 4565M DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0
    0     0 ACCEPT     all      docker0 !docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 docker0  ::/0                 ::/0
    0     0 ACCEPT     all      *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      docker0  ::/0                 ::/0
2796K 4184M ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 506K   36M DOCKER     all      *      br-mailcow  ::/0                 ::/0
 101K   10M ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0
 506K   36M ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0
 178K   74M ACCEPT     all      *      br-f25b95d45fd8  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
23398 1403K DOCKER     all      *      br-f25b95d45fd8  ::/0                 ::/0
 184K  259M ACCEPT     all      br-f25b95d45fd8 !br-f25b95d45fd8  ::/0                 ::/0
21845 1282K ACCEPT     all      br-f25b95d45fd8 br-f25b95d45fd8  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source               destination
    5   380 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:587
   50  3964 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:465
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::12  tcp dpt:4190
   35  2508 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:25
   65  5164 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::12  tcp dpt:995
   42  3340 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::12  tcp dpt:993
    3   224 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::12  tcp dpt:143
    4   284 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::12  tcp dpt:110
 1309  102K ACCEPT     tcp      !br-f25b95d45fd8 br-f25b95d45fd8  ::/0                 2001:db8:1::2        tcp dpt:443
  106  8008 ACCEPT     tcp      !br-f25b95d45fd8 br-f25b95d45fd8  ::/0                 2001:db8:1::2        tcp dpt:80
    0     0 ACCEPT     udp      !br-f25b95d45fd8 br-f25b95d45fd8  ::/0                 2001:db8:1::5        udp dpt:8443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all      docker0 !docker0  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-90678195243e !br-90678195243e  ::/0                 ::/0

    0     0 DOCKER-ISOLATION-STAGE-2  all      br-227fb1a701b7 !br-227fb1a701b7  ::/0                 ::/0

    0     0 DOCKER-ISOLATION-STAGE-2  all      br-18ba96acf8f7 !br-18ba96acf8f7  ::/0                 ::/0

    0     0 DOCKER-ISOLATION-STAGE-2  all      br-6bd074432e79 !br-6bd074432e79  ::/0                 ::/0

    0     0 DOCKER-ISOLATION-STAGE-2  all      br-04bebda2d4d0 !br-04bebda2d4d0  ::/0                 ::/0

    0     0 DOCKER-ISOLATION-STAGE-2  all      br-0184dacf97f3 !br-0184dacf97f3  ::/0                 ::/0

 101K   10M DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0
 184K  259M DOCKER-ISOLATION-STAGE-2  all      br-f25b95d45fd8 !br-f25b95d45fd8  ::/0                 ::/0

    0     0 DOCKER-ISOLATION-STAGE-2  all      br-d26f3c3ab46d !br-d26f3c3ab46d  ::/0                 ::/0

3788K 4565M RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      docker0  ::/0                 ::/0
    0     0 DROP       all      *      br-90678195243e  ::/0                 ::/0
    0     0 DROP       all      *      br-227fb1a701b7  ::/0                 ::/0
    0     0 DROP       all      *      br-18ba96acf8f7  ::/0                 ::/0
    0     0 DROP       all      *      br-6bd074432e79  ::/0                 ::/0
    0     0 DROP       all      *      br-04bebda2d4d0  ::/0                 ::/0
    0     0 DROP       all      *      br-0184dacf97f3  ::/0                 ::/0
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0
    0     0 DROP       all      *      br-f25b95d45fd8  ::/0                 ::/0
    0     0 DROP       all      *      br-d26f3c3ab46d  ::/0                 ::/0
 285K  270M RETURN     all      *      *       ::/0                 ::/0

iptables -L -vn -t nat:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 146K 7592K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
  235 14100 MASQUERADE  all  --  *      !br-90678195243e  172.21.0.0/16        0.0.0.0/0
   32  1920 MASQUERADE  all  --  *      !br-227fb1a701b7  172.18.0.0/16        0.0.0.0/0
    2   126 MASQUERADE  all  --  *      !br-18ba96acf8f7  172.23.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !br-6bd074432e79  172.26.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !br-04bebda2d4d0  172.20.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !br-0184dacf97f3  172.24.0.0/16        0.0.0.0/0
 438K   33M MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
  333 19932 MASQUERADE  all  --  *      !br-f25b95d45fd8  172.25.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !br-d26f3c3ab46d  172.19.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.23.0.2           172.23.0.2           tcp dpt:53
    0     0 MASQUERADE  udp  --  *      *       172.23.0.2           172.23.0.2           udp dpt:53
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.10          172.22.1.10          tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.12          172.22.1.12          tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.25.0.2           172.25.0.2           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.25.0.2           172.25.0.2           tcp dpt:80
    0     0 MASQUERADE  udp  --  *      *       172.25.0.5           172.25.0.5           udp dpt:8443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    7   420 RETURN     all  --  br-90678195243e *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-227fb1a701b7 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-18ba96acf8f7 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-6bd074432e79 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-04bebda2d4d0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-0184dacf97f3 *       0.0.0.0/0            0.0.0.0/0
 4991  299K RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    2   120 RETURN     all  --  br-f25b95d45fd8 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-d26f3c3ab46d *       0.0.0.0/0            0.0.0.0/0
   14   840 DNAT       tcp  --  !br-18ba96acf8f7 *       0.0.0.0/0            10.0.0.1             tcp dpt:53 to:172.23.0.2:53
  280 19620 DNAT       udp  --  !br-18ba96acf8f7 *       0.0.0.0/0            10.0.0.1             udp dpt:53 to:172.23.0.2:53
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.10:8983
12606  657K DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.12:3306
11120  664K DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
   48  2660 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
 1290 69404 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
  518 30100 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
 1143 67676 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
  507 29364 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
  512 29512 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
 7226  410K DNAT       tcp  --  !br-f25b95d45fd8 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.25.0.2:443
 5823  329K DNAT       tcp  --  !br-f25b95d45fd8 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.25.0.2:80
    0     0 DNAT       udp  --  !br-f25b95d45fd8 *       0.0.0.0/0            0.0.0.0/0            udp dpt:8443 to:172.25.0.5:8443

ip6tables -L -vn -t nat:

# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2767  204K DOCKER     all      *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all      *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all      *      !docker0  fd00::/80            ::/0
80202 7516K MASQUERADE  all      *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0
  177 14364 MASQUERADE  all      *      !br-f25b95d45fd8  2001:db8:1::/64      ::/0
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::12  fd4d:6169:6c63:6f77::12  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::12  fd4d:6169:6c63:6f77::12  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::12  fd4d:6169:6c63:6f77::12  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::12  fd4d:6169:6c63:6f77::12  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::12  fd4d:6169:6c63:6f77::12  tcp dpt:110
    0     0 MASQUERADE  tcp      *      *       2001:db8:1::2        2001:db8:1::2        tcp dpt:443
    0     0 MASQUERADE  tcp      *      *       2001:db8:1::2        2001:db8:1::2        tcp dpt:80
    0     0 MASQUERADE  udp      *      *       2001:db8:1::5        2001:db8:1::5        udp dpt:8443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all      docker0 *       ::/0                 ::/0
   54  4320 RETURN     all      br-mailcow *       ::/0                 ::/0
   15  1200 RETURN     all      br-f25b95d45fd8 *       ::/0                 ::/0
    5   380 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::e]:587
   50  3964 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::e]:465
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::12]:4190
   35  2508 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::e]:25
   65  5164 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::12]:995
   42  3340 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::12]:993
    3   224 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::12]:143
    4   284 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::12]:110
 1309  102K DNAT       tcp      !br-f25b95d45fd8 *       ::/0                 ::/0                 tcp dpt:443 to:[2001:db8:1::2]:443
  106  8008 DNAT       tcp      !br-f25b95d45fd8 *       ::/0                 ::/0                 tcp dpt:80 to:[2001:db8:1::2]:80
    0     0 DNAT       udp      !br-f25b95d45fd8 *       ::/0                 ::/0                 udp dpt:8443 to:[2001:db8:1::5]:8443

DNS problems? Please run docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254 (set the IP accordingly, if you changed the internal mailcow network) and post the output:

151.101.129.69
151.101.193.69
151.101.65.69
151.101.1.69

mailcow / mailcow-dockerized