mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

For IPv6, the user UI no longer shows the real IPs, only internal IPs #5091

Closed denschub closed 1 year ago

denschub commented 1 year ago

Contribution guidelines

I've found a bug and checked that ...

Description

I had to rotate an app-specific password just now, and logging into the mailcow UI, I noticed that I don't see the client's real IPv6 address, but the login instead is shown as "Web/EAS/Internal (fd4d:6169:6c63:6f77::1)".

This used to work just fine a while ago, although I'm not sure when exactly this broke, since I don't look at the data too often :/

Also, it's worth noting that this isn't affecting all services. rspamd, for example, is showing real IPv6 addresses in its UI for inbound email.

I'm not using the old IPv6 NAT setup, I've enabled native IPv6 as soon as that was available. My network config in `docker-compose.yml` is unchanged from the default, but the `ipv6nat-mailcow` is removed, obviously.

Logs:

n/a

Steps to reproduce:

1. Log into the UI, or IMAP, or SMTP with an IPv6 connection
2. Inspect the "Seen successful connections" section

Which branch are you using?

master

Operating System:

Arch

Server/VM specifications:

n/a

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

23.0.1

docker-compose version or docker compose version:

2.16.0

mailcow version:

2023-02a

Reverse proxy:

nginx, as defined in the default docker-compose

Logs of git diff:

diff --git a/data/assets/ssl-example/cert.pem b/data/assets/ssl-example/cert.pem
index 96d16bec..0aee9c02 100644
--- a/data/assets/ssl-example/cert.pem
+++ b/data/assets/ssl-example/cert.pem
@@ -1,19 +1,33 @@
[snip]
diff --git a/data/assets/ssl-example/key.pem b/data/assets/ssl-example/key.pem
index cedf35a0..133affd3 100644
--- a/data/assets/ssl-example/key.pem
+++ b/data/assets/ssl-example/key.pem
@@ -1,27 +1,52 @@
[snip]
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index a445b60c..a9065c40 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -198,3 +198,6 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks

 # DO NOT EDIT ANYTHING BELOW #
 # User overrides #
+
+myhostname = alpha.0b101010.email
+postscreen_dnsbl_sites =
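Review bot: `postscreen_dnsbl_sites =` at the end of this hunk is set to an empty value with no comment saying why, and both added settings sit below the `# DO NOT EDIT ANYTHING BELOW #` marker. If the empty list is deliberate, for example because the RBL lookups are meant to happen in the rspamd `rbl.conf` changes further down, say so in a comment next to the setting, and confirm that this section is where user overrides are expected to be written.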
diff --git a/data/conf/rspamd/local.d/rbl.conf b/data/conf/rspamd/local.d/rbl.conf
index f132b4d6..f826a613 100644
--- a/data/conf/rspamd/local.d/rbl.conf
+++ b/data/conf/rspamd/local.d/rbl.conf
@@ -1,24 +1,26 @@
 rbls {
   sorbs {
-    symbol = "RBL_SORBS";
-    rbl = "dnsbl.sorbs.net";
-    returncodes {
+    symbol = "RBL_SORBS";
+    rbl = "dnsbl.sorbs.net";
+    checks = ["from"]
+    returncodes {
       # http:// www.sorbs.net/general/using.shtml
-      RBL_SORBS_HTTP = "127.0.0.2";
-      RBL_SORBS_SOCKS = "127.0.0.3";
-      RBL_SORBS_MISC = "127.0.0.4";
-      RBL_SORBS_SMTP = "127.0.0.5";
-      RBL_SORBS_RECENT = "127.0.0.6";
-      RBL_SORBS_WEB = "127.0.0.7";
-      RBL_SORBS_DUL = "127.0.0.10";
-      RBL_SORBS_BLOCK = "127.0.0.8";
-      RBL_SORBS_ZOMBIE = "127.0.0.9";
+      RBL_SORBS_HTTP = "127.0.0.2";
+      RBL_SORBS_SOCKS = "127.0.0.3";
+      RBL_SORBS_MISC = "127.0.0.4";
+      RBL_SORBS_SMTP = "127.0.0.5";
+      RBL_SORBS_RECENT = "127.0.0.6";
+      RBL_SORBS_WEB = "127.0.0.7";
+      RBL_SORBS_DUL = "127.0.0.10";
+      RBL_SORBS_BLOCK = "127.0.0.8";
+      RBL_SORBS_ZOMBIE = "127.0.0.9";
     }
   }
   interserver_ip {
     symbol = "RBL_INTERSERVER_IP";
     rbl = "rbl.interserver.net";
     ipv6 = false;
+    checks = ["from", "received"]
     returncodes {
       RBL_INTERSERVER_BAD_IP = "127.0.0.2";
     }
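Review bot: the added `checks = ["from"]` and `checks = ["from", "received"]` lines in the `sorbs` and `interserver_ip` blocks have no trailing `;`, unlike every other assignment shown in this file; add it for consistency. The remaining `-`/`+` pairs in the `sorbs` block read identically, so they look like whitespace or line-ending changes only, and reverting them would reduce this hunk to the two `checks` lines.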
@@ -35,4 +37,31 @@ rbls {
       RBL_INTERSERVER_BAD_URI = "127.0.0.2";
     }
   }
+
+  # Custom
+
+  barracudacentral {
+    symbol = "RBL_BARRACUDA";
+    rbl = "b.barracudacentral.org";
+    checks = ["from", "received"]
+    returncodes {
+      RBL_BARRACUDA_LISTED = "127.0.0.2";
+    }
+  }
+  spamcop {
+    symbol = "RBL_SPAMCOP";
+    rbl = "bl.spamcop.net";
+    checks = ["from", "received"]
+    returncodes {
+      RBL_SPAMCOP_LISTED = "127.0.0.2";
+    }
+  }
+  junkemailfilter {
+    symbol = "RBL_JUNKEMAIL";
+    rbl = "hostkarma.junkemailfilter.com";
+    checks = ["from", "received"]
+    returncodes {
+      RBL_JUNKEMAIL_LISTED = "127.0.0.2";
+    }
+  }
 }
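Review bot: each of the three added lists maps only `127.0.0.2` in `returncodes`, and the parent symbols are scored 0.0 in `rbl_group.conf`, so any other answer from these zones contributes no score. Check each list's documented return codes and map the ones that should count. The three `checks = [...]` lines also lack the trailing `;` used by the neighbouring assignments.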
diff --git a/data/conf/rspamd/local.d/rbl_group.conf b/data/conf/rspamd/local.d/rbl_group.conf
index 4e3dce71..4f4bdee2 100644
--- a/data/conf/rspamd/local.d/rbl_group.conf
+++ b/data/conf/rspamd/local.d/rbl_group.conf
@@ -57,4 +57,31 @@ symbols = {
     score = 4.0;
     description = "Listed on Interserver RBL";
   }
+
+  # Custom
+
+  "RBL_BARRACUDA" {
+    score = 0.0;
+    description = "Unrecognised result from BarracudaCentral RBL.";
+  }
+  "RBL_BARRACUDA_LISTED" {
+    score = 2.0;
+    description = "Blocklisted in BarracudaCentral.";
+  }
+  "RBL_SPAMCOP" {
+    score = 0.0;
+    description = "Unrecognised result from SpamCop RBL.";
+  }
+  "RBL_SPAMCOP_LISTED" {
+    score = 2.0;
+    description = "Blocklisted in SpamCop.";
+  }
+  "RBL_JUNKEMAIL" {
+    score = 0.0;
+    description = "Unrecognised result from Junke Mail Filter RBL.";
+  }
+  "RBL_JUNKEMAIL_LISTED" {
+    score = 2.0;
+    description = "Blocklisted in Junke Mail Filter.";
+  }
 }
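Review bot: the descriptions for `RBL_JUNKEMAIL` and `RBL_JUNKEMAIL_LISTED` say "Junke Mail Filter", which looks like a typo given the `hostkarma.junkemailfilter.com` zone configured in `rbl.conf`; "Junk Email Filter" would match it.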
diff --git a/docker-compose.yml b/docker-compose.yml
index 7c6c5d6a..4468b5c4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -81,11 +81,12 @@ services:
       depends_on:
         - dovecot-mailcow
       environment:
-        - TZ=${TZ}
         - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
         - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
+        - MASTER=${MASTER:-y}
         - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
         - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
+        - TZ=${TZ}
       volumes:
         - ./data/hooks/rspamd:/hooks:Z
         - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
@@ -96,6 +97,10 @@ services:
         - ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local:Z
         - ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override:Z
         - rspamd-vol-1:/var/lib/rspamd
+      labels:
+        ofelia.enabled: "true"
+        ofelia.job-exec.rspamd_dmarc_reporting.schedule: "@midnight"
+        ofelia.job-exec.rspamd_dmarc_reporting.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/bin/rspamadm dmarc_report > /var/lib/rspamd/dmarc_reports_last_log 2>&1 || exit 0\""
       restart: always
       hostname: rspamd
       dns:
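Review bot: in the `ofelia.job-exec.rspamd_dmarc_reporting.command` label, the trailing `|| exit 0` applies to the whole `[[ $${MASTER} == y ]] && /usr/bin/rspamadm dmarc_report ...` chain, so a failing `rspamadm dmarc_report` also exits 0 and the scheduled job looks successful. If the intent is only to skip quietly when `MASTER` is not `y`, test that case first (`[[ $${MASTER} != y ]] && exit 0;`) and let the report command's own exit status through.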
@@ -569,8 +574,9 @@ services:
       environment:
         - TZ=${TZ}
       depends_on:
-        - sogo-mailcow
         - dovecot-mailcow
+        - rspamd-mailcow
+        - sogo-mailcow
       labels:
         ofelia.enabled: "true"
       security_opt:
@@ -582,36 +588,6 @@ services:
           aliases:
             - ofelia

-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge
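Review bot: the removal of `ipv6nat-mailcow` is not paired with any change under `networks:` in this diff, and the first `docker-compose.yml` hunk still shows the `IPV6_NETWORK` default of `fd4d:6169:6c63:6f77::/64`. Record alongside the change where IPv6 forwarding and NAT for `mailcow-network` are configured now that this container is gone, so the source-address handling for IPv6 clients can be checked.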

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 1714 packets, 528K bytes)
 pkts bytes target     prot opt in     out     source               destination
1644K  813M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  19M 5386M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0
  19M 5386M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
  19M 5386M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
  15M 4886M ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
1406K   89M DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
2602K  410M ACCEPT     0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
1333K   85M ACCEPT     0    --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1841 packets, 279K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.3           tcp dpt:3306
10028  521K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
 3281  195K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
   21  1088 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
 8614  513K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:443
32950 1882K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.13          tcp dpt:8983
  546 32528 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
 1737 89697 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:80
 6588  413K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
 8783  526K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
  362 21028 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2602K  410M DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
  19M 5386M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
2602K  410M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  19M 5386M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination
   28  1580 REJECT     0    --  *      *       141.98.10.76         0.0.0.0/0            reject-with icmp-port-unreachable

Logs of ip6tables -L -vn:

Chain INPUT (policy ACCEPT 992K packets, 114M bytes)
 pkts bytes target     prot opt in     out     source               destination
 992K  114M MAILCOW    0    --  *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
4344K 3220M MAILCOW    0    --  *      *       ::/0                 ::/0
4346K 3220M DOCKER-USER  0    --  *      *       ::/0                 ::/0
4346K 3220M DOCKER-ISOLATION-STAGE-1  0    --  *      *       ::/0                 ::/0
    0     0 ACCEPT     0    --  *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  ::/0                 ::/0
    0     0 ACCEPT     0    --  docker0 !docker0  ::/0                 ::/0
    0     0 ACCEPT     0    --  docker0 docker0  ::/0                 ::/0
3550K 3146M ACCEPT     0    --  *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 499K   36M DOCKER     0    --  *      br-mailcow  ::/0                 ::/0
 297K   38M ACCEPT     0    --  br-mailcow !br-mailcow  ::/0                 ::/0
 498K   36M ACCEPT     0    --  br-mailcow br-mailcow  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 1136K packets, 249M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1152 92144 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:587
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:25
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:995

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  ::/0                 ::/0
 297K   38M DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  ::/0                 ::/0
4346K 3220M RETURN     0    --  *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  ::/0                 ::/0
    0     0 DROP       0    --  *      br-mailcow  ::/0                 ::/0
 297K   38M RETURN     0    --  *      *       ::/0                 ::/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
4346K 3220M RETURN     0    --  *      *       ::/0                 ::/0

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 2313K packets, 159M bytes)
 pkts bytes target     prot opt in     out     source               destination
 126K 6401K DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 44845 packets, 1741K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1257 packets, 93913 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1407K packets, 89M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0
 936K   72M MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  6    --  *      *       172.22.1.3           172.22.1.3           tcp dpt:3306
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  6    --  *      *       172.22.1.11          172.22.1.11          tcp dpt:443
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       172.22.1.13          172.22.1.13          tcp dpt:8983
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       172.22.1.11          172.22.1.11          tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0
   16   960 RETURN     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.3:3306
10359  538K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
10642  636K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
   21  1088 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
 8614  513K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.11:443
33052 1887K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.13:8983
  546 32528 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
 1737 89697 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.11:80
 6585  413K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
 8784  526K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
  362 21028 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 493K packets, 43M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5290  425K DOCKER     0    --  *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 4138 packets, 333K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7574 packets, 606K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 243K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      !docker0  fd00:dead:beef:c0::/80  ::/0
 255K   24M MASQUERADE  0    --  *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  docker0 *       ::/0                 ::/0
   12   960 RETURN     0    --  br-mailcow *       ::/0                 ::/0
 1152 92144 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::b]:587

DNS check:

151.101.1.69
151.101.65.69
151.101.129.69
151.101.193.69
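The two nat-table dumps above can be compared mechanically. The following is an added example, not part of the issue or of mailcow: it lists TCP/UDP ports that have a wildcard IPv4 DNAT rule in the `DOCKER` chain but no IPv6 counterpart. The sample input is a constructed subset of the lines from those dumps, and the function names are hypothetical. Connections to such a port are not rewritten by an ip6tables DNAT rule, which is one place to look when a service logs a bridge address instead of the client's.

```python
"""Compare IPv4 and IPv6 DNAT coverage in `iptables -L -vn -t nat` dumps."""
import re

# Constructed sample: a subset of the DOCKER-chain lines from the dumps above.
IPV4_NAT = """\
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
   16   960 RETURN     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.3:3306
10359  538K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
 8614  513K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.11:443
 6585  413K DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
"""
IPV6_NAT = """\
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
   12   960 RETURN     0    --  br-mailcow *       ::/0                 ::/0
 1152 92144 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::b]:587
"""

WILDCARD = {"0.0.0.0/0", "::/0"}          # "any destination" in each family
RULE = re.compile(r"\b(tcp|udp) dpt:(\d+) to:(\S+)")


def dnat_rules(dump, chain="DOCKER"):
    """Return {(proto, port): target} for wildcard-destination DNAT rules in `chain`."""
    rules, current = {}, None
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":           # "Chain DOCKER (2 references)"
            current = fields[1]
            continue
        # Columns: pkts bytes target prot opt in out source destination ...
        if current != chain or len(fields) < 9 or fields[2] != "DNAT":
            continue
        if fields[8] not in WILDCARD:      # e.g. published on 127.0.0.1 only
            continue
        match = RULE.search(line)
        if match:
            proto, port, target = match.groups()
            rules[(proto, int(port))] = target
    return rules


def missing_v6_dnat(v4_dump, v6_dump):
    """Ports with an IPv4 DNAT rule but no IPv6 DNAT rule, sorted."""
    return sorted(set(dnat_rules(v4_dump)) - set(dnat_rules(v6_dump)))


if __name__ == "__main__":
    for proto, port in missing_v6_dnat(IPV4_NAT, IPV6_NAT):
        print(f"{proto}/{port}: DNAT rule in iptables, none in ip6tables")
```

On a live host, feed it the full output of `iptables -L -vn -t nat` and `ip6tables -L -vn -t nat` instead of the embedded samples.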
denschub commented 1 year ago

Okay, well, I now manually set IPv4 and IPv6 bindings directly to the public IPs as per this doc, and that appears to resolve this issue. I now see my server's IPv6 in the logins again!

This might be a "setup issue" then, but given this worked at some point, I'll leave this open. Feel free to close, though, if you feel like this isn't a valid issue. I have no idea why exactly that broke (maybe even a Docker upgrade?!), so closing is fine, too.

denschub commented 1 year ago

My last message might not have been entirely true. I still see IMAP logins from local addresses, even though dovecot has public-IPv6-bindings now.

milkmaker commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

denschub commented 1 year ago

Still an issue.

juliushaertl commented 1 year ago

I had a similar problem that I could solve by dropping any other firewall service on the instance I have, based on the hints in https://github.com/mailcow/mailcow-dockerized/issues/4220#issuecomment-895778997

The ip6tables rules looked sane at first sight, but it turned out that I had firewalld still installed on this system, and removing that and restarting docker fixed it for me.

milkmaker commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

denschub commented 1 year ago

Still an issue - but this will be the last time I bump this issue, because quite frankly, I can't be bothered.

milkmaker commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.