SSL / TLS is broken for postfix and imap - URGENT

[laymonk]

Contribution guidelines

• [X] I've read the contribution guidelines and wholeheartedly agree

I've found a bug and checked that ...

• [X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
• [X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
• [X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
• [X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

A server that was previously running OK, suddenly stopped accepting user outbound emails.  ON closer investigation I encountered the error message below in postfix logs:

fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify at least one working instance of: reject_unauth_destination, defer_unauth_destination, reject, defer, defer_if_permit or check_relay_domains

I then tried a few things to resolve this:

1. created a mynetworks entry in data/conf/postfix/extra.cf
2. Checked in the web UI and ensured that routing for the domain was ok: Relay this domain was set and Relay all recipients was set.

None of these helped until I ran the following command - (see this):

docker compose exec postfix-mailcow postconf -e compatibility_level=2

That problem was fixed (error message went away), but then mail delivery to users was failing on account of Relay access denied. Also, users could no longer send emails, as it was failing to smtp authentication error. Both seemed TLS related.

I looked at the /etc/postfix/main.cf in the postfix container and discovered that it had:

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

So, essentially, TLS was broken and that meant external senders couldn't auth via sasl, and relay failed.

So, my focus shifted to looking at SSL.

The mailcow version was from early last year, so I decided to update to the latest first. But after the updates, the issues remained ...

Things I have since tried ... but none helped

1. I follewed the guide to force acme to renew SSL certs (after checking that acme did have valid ssl certs). No Change
2. Then I followed the guide here to start over with TLS certs but that hasn't helped either.
3. I even tried enabling unsafe older TLS versions

Need to figure out how to ensure postfix sees the certs being obtained by acme

• Even a temporary solution is ok for now

Logs:

The issues reported by ACME and Postfix and openssl tests

• Acme renews the certs successfully or detects certs don't need renewal, but throws up a few repeated errors in it's logs

  mailcowdockerized-acme-mailcow-1  | Thu Mar 30 01:54:51 WAT 2023 - Waiting for containers to settle...
  mailcowdockerized-acme-mailcow-1  | Could not read certificate from <stdin>
  mailcowdockerized-acme-mailcow-1  | Unable to load certificate
  mailcowdockerized-acme-mailcow-1  | Thu Mar 30 01:55:01 WAT 2023 - Some services do return old end dates, something went wrong!
  mailcowdockerized-acme-mailcow-1  | OK
  mailcowdockerized-acme-mailcow-1  | Thu Mar 30 01:55:01 WAT 2023 - Certificates successfully requested and renewed where required, sleeping one day

• Openssl tests of all the mailports fail with the same library errors

  
  root@mail:~/mailcow-dockerized# openssl s_client -starttls smtp -connect mail.example.net:587 | openssl x509 -noout -text
  139971535791424:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
  unable to load certificate
  140187009013056:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

root@mail:~/mailcow-dockerized# openssl s_client -showcerts -connect mail.example.net:587 -starttls smtp CONNECTED(00000003) 139983341598016:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 268 bytes and written 346 bytes Verification: OK

New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)

* Running expiry-dates.sh says 

root@mail:~/mailcow-dockerized# bash helper-scripts/expiry-dates.sh unable to load certificate 139828192908608:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE TLS expiry dates: Postfix: Dovecot: Jun 27 21:11:36 2023 GMT Nginx: Jun 27 21:11:36 2023 GMT

* Finally in postfix logs, we see TLS related errors like the following

postfix/submission/smtpd[411]: warning: No server certs available. TLS won't be enabled ... postfix/smtps/smtpd[379]: warning: Wrapper-mode request dropped from unknown[46.148.40.197] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.

### Steps to reproduce:

```plain text
1. Docer compose up -d 
2. Try to use email ... or run openssl tests on mail ports
3. Watch postfix and acme logs

Which branch are you using?

master

Operating System:

Ubuntu 20.04

Server/VM specifications:

16GB; 2 Core x Xeon X5550 @ 2.67 GHz

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

None

Docker version:

23.0.2

docker-compose version or docker compose version:

v2.17.2

mailcow version:

2023-03

Reverse proxy:

Nginx

Logs of git diff:

diff --git a/data/assets/ssl-example/cert.pem b/data/assets/ssl-example/cert.pem
index 96d16bec..9997c146 100644
--- a/data/assets/ssl-example/cert.pem
+++ b/data/assets/ssl-example/cert.pem
@@ -1,19 +1,33 @@
 -----BEGIN CERTIFICATE-----
-MIIDBDCCAe6gAwIBAgIQeJMoL/3dxhxhT9EwuRTL/DALBgkqhkiG9w0BAQswEjEQ
-MA4GA1UEChMHbWFpbGNvdzAeFw0xNjEyMTMxMDExMDBaFw0xOTExMjgxMDExMDBa
-MC0xEDAOBgNVBAoTB21haWxjb3cxGTAXBgNVBAMTEG1haWwuZXhhbXBsZS5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRg0xT3At9DSb3H5OMp3K1
-MpXAgYyotSK6TS61fC0QEHy2fMXiws7Agcye6Ln7CG63Fe1eN2jkdlefy9xJivS8
-y5w0M8i168v5znzC8fnylL2iOiSYfK/B/oEqfU7YH4RcegO53oDDIUZmi4Frgnu7
-39VVOU1ZyHEVqGJ2H2aAIkoZRjGzumD9Ym4LWGidtKJzBgFt/qmhUeWXipM8w281
-XkQnJU79+x2ywnJSvEZ3r/ZVJC7kbjiVw+/k15k9Cxk6Ik8wmJ0X/+xWxoZomHQI
-1LM0VKAS/iaU95dn2bplvL6jTiiyWAbrMjSKs4XbPt/fIbOicNkj6+CFy0MVfyyH
-AgMBAAGjPzA9MA4GA1UdDwEB/wQEAwIAqDAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
-KwYBBQUHAwEwDAYDVR0TAQH/BAIwADALBgkqhkiG9w0BAQsDggEBAI/jBJa1P8nB
-eHUN5muQmjBVDVOYyWAAEapOe2HYsBcpjaB2H8Iw3DQzJtz6peYeYSCmHRVqFLCm
-VPrq36l9mPUotyPDPlQQAxCj9R2+WbGaJO+N/E1F8FQ94dr3jqwUyfjVPoqEjmIH
-NFkvbA0RJOeBm9oYGdhM0wjOBV9c9MTHFG82nQ/zQeTuPb7GXuKIOXYCxoLNOZMw
-UJ02Cqjv5ImrgOhcstAKX3Ip0urSvZUGvtPla4CGh+M6yDFJ08GzX6OiMIH207RW
-jAbUXXERSUv/7hysdDjGo5HZjCeMzVu9KAxoZXqnmvkk8g2swKWtWBRcoeU1VGx0
-Bx4Q4KMjuYQ=
+MIIFwzCCA6ugAwIBAgIUF3LO9Gw8tvoqUcDC0lPeUDRsEjQwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCREUxDDAKBgNVBAgMA05SVzEQMA4GA1UEBwwHV2lsbGlj
+aDEQMA4GA1UECgwHbWFpbGNvdzEQMA4GA1UECwwHbWFpbGNvdzEeMBwGA1UEAwwV
+bWFpbC52b2l4bmV0d29ya3MubmV0MB4XDTIzMDMyOTIyMDU0NFoXDTI0MDMyODIy
+MDU0NFowcTELMAkGA1UEBhMCREUxDDAKBgNVBAgMA05SVzEQMA4GA1UEBwwHV2ls
+bGljaDEQMA4GA1UECgwHbWFpbGNvdzEQMA4GA1UECwwHbWFpbGNvdzEeMBwGA1UE
+AwwVbWFpbC52b2l4bmV0d29ya3MubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEA21W9s3oTVJRYl0EBgDC5vTvJg05PenQ6yhTWFtCrBJxYJfaQ2Tse
+6nKJnD24HoK5PItvMjP/gtJYStPwlkLmT3oeuhAwUHlNPDLzwJi57eiCDjuPB7Vd
+0vaeeWx34y7YkdsRZ44vS1eKnxck9j4oOhpExDaaenDDgJ8fXGg4AwVcCLhgQwEC
+Qh/0coGQ9wJATEep69sUG54d5b7Y/IYdgJWUTfs805a6wH+SIPEX7ZUSDPt1OhVw
+pzcDWMhtklnY8C5Iut/nIfvCZBjfUoP1rqKbDwFC6ol3dT/mKVg1DyMN43vhuHxS
+Y8t2wOkh0APTJmGGGH2aqPkAW3zzVq3pszoXw7vP//WdkR3AzinLQiCYTVbaz/7U
+cfj3EFyb+gvBSgdaExg8/gcEookghHlXQ0Yi8CigufpCF5YpbcBni0/G/yMh82vi
+VsjgbldRxZ6+ybxnzfej3n8rjCxDBtE5GqO1k1jZFi/edqsecJa3IUMYljNOwQD6
+zr8N6jtgtmmTsx5etaL+okgkJ5eAai3moSjVZ1lycPUF9thg4LJrBwD3S7Wb+fxN
+pytWg3qv80YJ6vItONM0aY0oI2xnnaTX9D7J0JM9/u4H4T8ZCihTBMkoznoLrzZE
+THkEG1xNu9OG/sj49Ecs7SUNODIF6V2AfATtukOpTzb9q74ZJsQzY+ECAwEAAaNT
+MFEwHQYDVR0OBBYEFAfXS4CDb2yZCnnwcQSL7MwTTKZaMB8GA1UdIwQYMBaAFAfX
+S4CDb2yZCnnwcQSL7MwTTKZaMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBADIsVUP+pWRM7FfpIeoOGnuhQrBFZs/ypWImjiZ+Oc5bU5BBh6C3OPBo
+X1Yqlr4nvQXt3LcLO3+b5iMoRhHBfRUlmrvOKjalg8Qe6UmErxYjN3v+P4JbLnxH
+XSt2IUDPsNmPF6BYtiLXR50lA7b5hl7cHiGaavPqzMNQTHaH67FpJpkwNKZfk0TP
+MDucQriDFmUhB6PQG0fIUm/qb8BE+Qc9CeoYg908F3KN2bgQ8N0HaL6puz7zJfoL
+Fb/1k4s+29WSMkIcOkQEzIb3yvVOosEZET3jBotmnE9ofZLOcdMnKXvbLOxrHM6p
+nfIelwkX9gVgoQyFUDnpnRQgsGbN/7pOXW2vOpC86A6JfnNs3BIVBRha8B1wYcGB
+eahq86++XzOQiMcSQlk0rdbA50Lx9m9hGnGboSpBtQejAS48LXyVMd+3Qi50BmjG
+zL8V5cznwBmLmcv1zrx9hsoNxOxp0nKrvrV+hp7sJi+ClUdFvynvRIMv8Z3eSOZ5
+Q03FehLPN6KJiVQcEe/eNB60Tujl2hd+Z0b0IHfoO5elY13Hs1DPnNkN4mSJIpn1
+5boNgfojR/o7huPlrqZ+V8D0iAGBx4WHpJPjeC30aAubqH/ute3RnOmrbDtJIPq/
+OGZNhRtFPEDIfPnEF+bmrKV7FBpnqWDZb8B//rPLT7ah088RzgA5
 -----END CERTIFICATE-----
diff --git a/data/assets/ssl-example/key.pem b/data/assets/ssl-example/key.pem
index cedf35a0..12827b94 100644
--- a/data/assets/ssl-example/key.pem
+++ b/data/assets/ssl-example/key.pem
@@ -1,27 +1,52 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0YNMU9wLfQ0m9x+TjKdytTKVwIGMqLUiuk0utXwtEBB8tnzF
-4sLOwIHMnui5+whutxXtXjdo5HZXn8vcSYr0vMucNDPItevL+c58wvH58pS9ojok
-mHyvwf6BKn1O2B+EXHoDud6AwyFGZouBa4J7u9/VVTlNWchxFahidh9mgCJKGUYx
-s7pg/WJuC1honbSicwYBbf6poVHll4qTPMNvNV5EJyVO/fsdssJyUrxGd6/2VSQu
-5G44lcPv5NeZPQsZOiJPMJidF//sVsaGaJh0CNSzNFSgEv4mlPeXZ9m6Zby+o04o
-slgG6zI0irOF2z7f3yGzonDZI+vghctDFX8shwIDAQABAoIBAQC9kiLnIgxXGyZt
-pmmYdA6re1jatZ2zLSp+DcY8ul3/0hs195IKCyCOOSQPiR520Pt0t+duP46uYZIJ
-aakp9gxaI5Vz+oMacH/AyaBDuDTj1Mf9WMSyIOfbDVCMRJOppGLcVh62+Gfjp2EO
-+h2hTJBuvypFkbK2kVIZOaHVpbXWKw1oYuEcTftk9XfxxvfSMw1HQ12/P2CAcbaa
-jPmVbisunv6kpXtewSBTcaLSYWJf1MYD5Hi8fzkD2FJSXYbfQd8RKvT2rj6FA7ux
-CDMzbYhdnd7lc63OARCIjfCRNtDT1cZ3gR1CQHD98lWxmPQIZukv+w7s/bSrFgnQ
-ROZ0ghBJAoGBAOmE/3d5FDmp0aJNxXynKcRGdpEEM4O40RIdqa2eR6Pa7aTRosao
-z0qVgdFuJrqjlB3jgedxXEX1M0abCUzzM9Q5F7JLl+KsjwRwpkIOkPiyUncLp7LK
-QbY3tvYBIdpjlF1USOMGRL4j11hqr4vQC/yPBF7jj81kCZDTbmZhp82jAoGBAOWu
-ql5QFUOlmqkuWIAFkiLEZhOu+ptqkE+zG50CCGMJIX0dJ2PHXFyNGInomAeT0nbI
-pbnK3x7KeEKiGrAqZFNCTHhApTwkrIj0L/RQbMDZ7u7j1AEUVNFEhIm62kg84FtG
-xtfxVxredE+NQc/tyV3hXegdNZxegALirlcMKIvNAoGAWFwIxk48Ru1o8z72QQqH
-lUsMRicOzwK5qV8r+xPvC6MlVL42F3F8rj4QFwzU/r4yp3SUjNyqC5aSRl8Xj9Re
-gijwPHi6Cf09SHLPliMo29GtvnnchJxfbPF7+23GP3p6gy4HPk/65u9s5nnH3uFk
-B7ad8sGsgg0eSXyXQ4okEn0CgYEAnogPuedGthlxBgMiPMMbmfm7hyyId4t3Ljuu
-/JExnsHnpobf8EPjoVIWNOIhRWGnrCtUEEhR9tvDZCKljyDDfKBPTdU496lMmX8K
-NnToi7gg7iy84T3aSVMktDgPgDrclMPmbZh8CeSvnVUfrtgu3Ci4+4Rlw5eKffNe
-aGDQ/6UCgYAbUq9mRT2WOXIo+Dchi9VzDWgtfOw5VEyqkSpb7hPiIYx5jNaENnVK
-cAi3iqbBgPJBuMlTrKmmaxdmssGOEZNJLuuXLDbCU+f5cpu5PQ4crC6UtRI5rlhp
-8Yc+oiv3HWbSw3sVRpMFB6NP4DnvgFW3B2Wdfb/lNzPCKWqBsX7gWw==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDbVb2zehNUlFiX
+QQGAMLm9O8mDTk96dDrKFNYW0KsEnFgl9pDZOx7qcomcPbgegrk8i28yM/+C0lhK
+0/CWQuZPeh66EDBQeU08MvPAmLnt6IIOO48HtV3S9p55bHfjLtiR2xFnji9LV4qf
+FyT2Pig6GkTENpp6cMOAnx9caDgDBVwIuGBDAQJCH/RygZD3AkBMR6nr2xQbnh3l
+vtj8hh2AlZRN+zzTlrrAf5Ig8RftlRIM+3U6FXCnNwNYyG2SWdjwLki63+ch+8Jk
+GN9Sg/WuopsPAULqiXd1P+YpWDUPIw3je+G4fFJjy3bA6SHQA9MmYYYYfZqo+QBb
+fPNWremzOhfDu8//9Z2RHcDOKctCIJhNVtrP/tRx+PcQXJv6C8FKB1oTGDz+BwSi
+iSCEeVdDRiLwKKC5+kIXliltwGeLT8b/IyHza+JWyOBuV1HFnr7JvGfN96PefyuM
+LEMG0Tkao7WTWNkWL952qx5wlrchQxiWM07BAPrOvw3qO2C2aZOzHl61ov6iSCQn
+l4BqLeahKNVnWXJw9QX22GDgsmsHAPdLtZv5/E2nK1aDeq/zRgnq8i040zRpjSgj
+bGedpNf0PsnQkz3+7gfhPxkKKFMEySjOeguvNkRMeQQbXE2704b+yPj0RyztJQ04
+MgXpXYB8BO26Q6lPNv2rvhkmxDNj4QIDAQABAoICAQC1pN10/L1zh2OS6AgZJME+
+IXxynPEfZZCmePkQbgGj0OMDlZ5B+T9SREcIuOh5hCNqK8OMHRoXOqJaXglaN89K
+tMUrrGqGyt6W40+RCiq5B5xlsxdx99ba9tkpkBX9dHdw268fRtaOG9K2jFFVCQcB
+j22x3dKzYh3WsHElcz4n6lFc+2zlMLmxD4u/JORsXFXpllP3+zg84wa5lQNYpq1a
+JwZqSo4GYUcKUtwvIduCK7mGPN3Jm6XvJZVE+sAbuwL5bitXcESXlUtY4GxahuR5
+mzq1A4NqfywKU0AGr4FJputCoP6/bV5CPWd8vdX90p0UpSGLuMHT/Fs6aVGRUHhA
+J1iAAOReXsGLXybXrwdi+AVwzHJESL8ipl5Q/a1mhxFZ0Gl7QWzMBU/9IpHUiPQb
+cS5WdT9WKodA31ooGYj9REaBX7A0AOWAdkVMfoxOB+RE7vc2FqueboC3HAZya48S
+QDdMHbizjd4heCYJqnyNcbnE+14X5ieOq+NgT+9C9NuX4swO1VuuczyPBwW/3D+G
+YUbdqWWHH09BytkpWwDYQvwL0mOeeRB2owY5BGwFrbHa+S6hYezBrxVeOR65ymW2
+gUhnhZjewn4pttpu8hNc0w5abrQ/XaoaJ908oJDbBKTYRu3z5hJPxILoOTwQfQpb
+NGEmqP4onD7lPgoAXF4ZvQKCAQEA/5sD9xDRHy0nuZoPmMMKB7BeuqKlBd29Ned7
+JLjJlVn01P1NEOTQNdKMDonc8eXAWViMv+NBosS5jW5DWsKG+aJj5xOyrvhVc2iT
+WtQ2PLI+1aKWCDGKMsLOdiCVcYDnkse/LjxOh/wCcbvB+tTrb+zqDQBCtvALqp88
+chYQZVENNu3gfIFS8iyE2kPQyndKL3Q0DAmvs61464LXHFTtZqSZjGbL/3YmzvDD
+3Y8EtoX/VhYR68N3wGhb6gd9my7rQ0PQlmQR1fblWcAOwpPQ8ZlOeKCxw65bYhJr
+hQ4OmOkQXPsl+zDP5wSV6QMFbjNT5Nza1urKyLL5XzQ1F0arCwKCAQEA26xlUGvZ
+9uLFzq6je9W3m3B1WT3d7yt4Xd+LzcOdV1D54dPlWSCeXfYfPWms3pKFmkqdM0qM
+yhSY/rZxKdh4+tBwK4aLe7xuOaLNYRgnD/ebG2OyAS7PF8698Z1OfmUPCdi9Htch
+EDJDl+zOsIhLtYs62UEAksRaBa7UfEsLk5WxHSZ64ATuQH8sk/FgodNs80U3ZS9v
+U5tl6XUVsX1RyNQUyk4kJAFJyneuZ3YsBojWNH+85KXyutDgQW+YrnIrsCtm8IZO
+cztCSvktTEZvokjLSLx7AJ0G8T3SZX0UtiJi+4UoXMtSDTLGPEGD/JulgtZKeFa5
+GIetS7lzBAHgQwKCAQEAitiZ/suTzWup+JhHgKPx/ts/mgJfwiABeBaWPgxi9E45
+QLmX82VX9OS6T+tzqbM0GVSQoGvCa7iRUtJipBqnV1NvEUcR+RnM0TQtV1mPXMk2
+eLYo6ap/d7N6k5B/nXh4UrNOlr8LqbKrYTys0qR2gAYh3Y4Wr2kV7UkyfIafwWmV
+1BDDsN5PQF4OjMHp2RGTqtNksmVQnDnPRZ99WlaH3wnqnun4RnzX9/Gxc9kMplmD
+qi+y7G7xzgLiau5GvNVv1sovtIIHbkL/sxEw82F4TsUIa15fMfy0h0GaRlyscUOp
+L9j9eMW7KbLD/B84A/S9zcRq2/QO05bk/2JMtKgeoQKCAQA/ZdeviBDVwcjYx2oD
+OUDOKXyUjthYSDFq1jNg5Q2pv4L+e8r7GADcmUWW0cLEUYEhcFtCDEfpolwtVrX+
+H616pWFaDnB++3jMRYIEfZX4c7teAj3DPaEi+9Wxv3aB3+ShMN4T4n52UCtV01Ar
+foprEI2hWbMyqFxau4Qzgu0KYO9GvG5F7OZd0tYotEbxLTWKV/WOzEvS00xsPhBO
+sx5BWYPOhxLDGWQUfMnmriIymJdJe3wmeQY+iD3QZMapweV96GjDDd/iPb36KUO7
+ebCKI3wXt92/5ZG1WeQ4ygqKLg5nDJ0DeuJpULgJd9cBtmHkCrhfVpgAzldjPVhG
+VcxFAoIBAQDNjQlcbDm0KAo42g+uqaDbbCYegeKzfhG0kern14gFGZCLihIU9qsr
+8KZhfzfMjN7IsL0l3udMbTJMGUTyl0mx1Cdf7e50VyZguAzKdD1fvHCNdW9LdtI7
+vBGRnKHJK8EDEYBawMrCOowGqZzg7KlPXCm8Tw0VeU4AgoFUuAV3Aq7aOwweFAy4
+zIahaw3mIDDAucnlXnvgg+NsrQXr8Cu0fHmpDyLclX/JybTAci2biIL1y/fwU5fh
+c9hSXFv+WeeVQV9Z56pUNUvSM4Dv2qQ/XZ62xzYIbufXHquGMsymQAWyuWdliSaO
+jhNxl6UKzO8bV89Wt0Y74SR8Ch95FMkQ
+-----END PRIVATE KEY-----
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index a445b60c..bc293d1a 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -1,200 +1,291 @@
-# --------------------------------------------------------------------------
-# Please create a file "extra.cf" for persistent overrides to main.cf
-# --------------------------------------------------------------------------
-biff = no
-append_dot_mydomain = no
-smtpd_tls_cert_file = /etc/ssl/mail/cert.pem
-smtpd_tls_key_file = /etc/ssl/mail/key.pem
-tls_server_sni_maps = hash:/opt/postfix/conf/sni.map
-smtpd_tls_received_header = yes
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtpd_relay_restrictions = permit_mynetworks,
-  permit_sasl_authenticated,
-  defer_unauth_destination
-# alias maps are auto-generated in postfix.sh on startup
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
-relayhost =
-mynetworks_style = subnet
-mailbox_size_limit = 0
-recipient_delimiter = +
-inet_interfaces = all
-inet_protocols = all
-bounce_queue_lifetime = 1d
-broken_sasl_auth_clients = yes
-disable_vrfy_command = yes
-maximal_backoff_time = 1800s
-maximal_queue_lifetime = 5d
-delay_warning_time = 4h
-message_size_limit = 104857600
-milter_default_action = tempfail
-milter_protocol = 6
-minimal_backoff_time = 300s
-plaintext_reject_code = 550
-postscreen_access_list = permit_mynetworks,
-  cidr:/opt/postfix/conf/custom_postscreen_whitelist.cidr,
-  cidr:/opt/postfix/conf/postscreen_access.cidr,
-  tcp:127.0.0.1:10027
-postscreen_bare_newline_enable = no
-postscreen_blacklist_action = drop
-postscreen_cache_cleanup_interval = 24h
-postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
-postscreen_dnsbl_action = enforce
-postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
-  hostkarma.junkemailfilter.com=127.0.0.1*-2
-  list.dnswl.org=127.0.[0..255].0*-2
-  list.dnswl.org=127.0.[0..255].1*-4
-  list.dnswl.org=127.0.[0..255].2*-6
-  list.dnswl.org=127.0.[0..255].3*-8
-  ix.dnsbl.manitu.net*2
-  bl.spamcop.net*2
-  bl.suomispam.net*2
-  hostkarma.junkemailfilter.com=127.0.0.2*3
-  hostkarma.junkemailfilter.com=127.0.0.4*2
-  hostkarma.junkemailfilter.com=127.0.1.2*1
-  backscatter.spameatingmonkey.net*2
-  bl.ipv6.spameatingmonkey.net*2
-  bl.spameatingmonkey.net*2
-  b.barracudacentral.org=127.0.0.2*7
-  bl.mailspike.net=127.0.0.2*5
-  bl.mailspike.net=127.0.0.[10;11;12]*4
-  dnsbl.sorbs.net=127.0.0.10*8
-  dnsbl.sorbs.net=127.0.0.5*6
-  dnsbl.sorbs.net=127.0.0.7*3
-  dnsbl.sorbs.net=127.0.0.8*2
-  dnsbl.sorbs.net=127.0.0.6*2
-  dnsbl.sorbs.net=127.0.0.9*2
-  zen.spamhaus.org=127.0.0.[10;11]*8
-  zen.spamhaus.org=127.0.0.[4..7]*6
-  zen.spamhaus.org=127.0.0.3*4
-  zen.spamhaus.org=127.0.0.2*3
-postscreen_dnsbl_threshold = 6
-postscreen_dnsbl_ttl = 5m
-postscreen_greet_action = enforce
-postscreen_greet_banner = $smtpd_banner
-postscreen_greet_ttl = 2d
-postscreen_greet_wait = 3s
-postscreen_non_smtp_command_enable = no
-postscreen_pipelining_enable = no
-proxy_read_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf,
-  proxy:mysql:/opt/postfix/conf/sql/mysql_mbr_access_maps.cf,
-  proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
-  $sender_dependent_default_transport_maps,
-  $smtp_tls_policy_maps,
-  $local_recipient_maps,
-  $mydestination,
-  $virtual_alias_maps,
-  $virtual_alias_domains,
-  $virtual_mailbox_maps,
-  $virtual_mailbox_domains,
-  $relay_recipient_maps,
-  $relay_domains,
-  $canonical_maps,
-  $sender_canonical_maps,
-  $sender_bcc_maps,
-  $recipient_bcc_maps,
-  $recipient_canonical_maps,
-  $relocated_maps,
-  $transport_maps,
-  $mynetworks,
-  $smtpd_sender_login_maps,
-  $smtp_sasl_password_maps
-queue_run_delay = 300s
-relay_domains = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf
-relay_recipient_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
-sender_dependent_default_transport_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtp_tls_cert_file = /etc/ssl/mail/cert.pem
-smtp_tls_key_file = /etc/ssl/mail/key.pem
-smtp_tls_loglevel = 1
-smtp_dns_support_level = dnssec
-smtp_tls_security_level = dane
-smtpd_data_restrictions = reject_unauth_pipelining, permit
-smtpd_delay_reject = yes
-smtpd_error_sleep_time = 10s
-smtpd_hard_error_limit = ${stress?1}${stress:5}
-smtpd_helo_required = yes
-smtpd_proxy_timeout = 600s
-smtpd_recipient_restrictions = check_recipient_mx_access proxy:mysql:/opt/postfix/conf/sql/mysql_mbr_access_maps.cf,
-  permit_sasl_authenticated,
-  permit_mynetworks,
-  check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
-  reject_invalid_helo_hostname,
-  reject_unauth_destination
-smtpd_sasl_auth_enable = yes
-smtpd_sasl_authenticated_header = yes
-smtpd_sasl_path = inet:dovecot:10001
-smtpd_sasl_type = dovecot
-smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
-smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
-  permit_mynetworks,
-  permit_sasl_authenticated,
-  reject_unlisted_sender,
-  reject_unknown_sender_domain
-smtpd_soft_error_limit = 3
-smtpd_tls_auth_only = yes
-smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
-smtpd_tls_eecdh_grade = auto
-smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
-smtpd_tls_loglevel = 1
-
-# Mandatory protocols and ciphers are used when a connections is enforced to use TLS
-# Does _not_ apply to enforced incoming TLS settings per mailbox
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_mandatory_ciphers = high
-
-smtp_tls_protocols = !SSLv2, !SSLv3
-lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_protocols = !SSLv2, !SSLv3
-
-smtpd_tls_security_level = may
-tls_preempt_cipherlist = yes
-tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
-virtual_alias_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_alias_maps.cf,
-  proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_resource_maps.cf,
-  proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_spamalias_maps.cf,
-  proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_alias_domain_maps.cf
-virtual_gid_maps = static:5000
-virtual_mailbox_base = /var/vmail/
-virtual_mailbox_domains = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_domains_maps.cf
-# -- moved to rspamd on 2021-06-01
-#recipient_bcc_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_recipient_bcc_maps.cf
-#sender_bcc_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sender_bcc_maps.cf
-recipient_canonical_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_recipient_canonical_maps.cf
-recipient_canonical_classes = envelope_recipient
-virtual_mailbox_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf
-virtual_minimum_uid = 104
-virtual_transport = lmtp:inet:dovecot:24
-virtual_uid_maps = static:5000
-smtpd_milters = inet:rspamd:9900
-non_smtpd_milters = inet:rspamd:9900
-milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
-mydestination = localhost.localdomain, localhost
-smtp_address_preference = any
-smtp_sender_dependent_authentication = yes
-smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
-smtp_sasl_security_options =
-smtp_sasl_mechanism_filter = plain, login
-smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
-smtp_header_checks = pcre:/opt/postfix/conf/anonymize_headers.pcre
-mail_name = Postcow
-# local_transport map catches local destinations and prevents routing local dests when the next map would route "*"
-# Use custom_transport.pcre for custom transports
-transport_maps = pcre:/opt/postfix/conf/custom_transport.pcre,
-  pcre:/opt/postfix/conf/local_transport,
-  proxy:mysql:/opt/postfix/conf/sql/mysql_relay_ne.cf,
-  proxy:mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf
-smtp_sasl_auth_soft_bounce = no
-postscreen_discard_ehlo_keywords = silent-discard, dsn
+myhostname = mail.example.net
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64  192.168.64.0/24
+
+myhostname = mail.example.net
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64  192.168.64.0/24
 compatibility_level = 2
-smtputf8_enable = no
-# Define protocols for SMTPS and submission service
-submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients
-
-# DO NOT EDIT ANYTHING BELOW #
-# User overrides #
+
+myhostname = mail.example.net
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64  192.168.64.0/24
diff --git a/data/conf/unbound/unbound.conf b/data/conf/unbound/unbound.conf
index 27110c04..dd39d13e 100644
--- a/data/conf/unbound/unbound.conf
+++ b/data/conf/unbound/unbound.conf
@@ -4,7 +4,8 @@ server:
   interface: ::0
   logfile: /dev/console
   do-ip4: yes
-  do-ip6: yes
+  #do-ip6: yes
+  do-ip6: no
   do-udp: yes
   do-tcp: yes
   do-daemonize: no
diff --git a/docker-compose.yml b/docker-compose.yml
index 40d22ce0..bf57aac1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -617,7 +617,8 @@ networks:
     driver: bridge
     driver_opts:
       com.docker.network.bridge.name: br-mailcow
-    enable_ipv6: true
+    #enable_ipv6: true
+    enable_ipv6: false
     ipam:
       driver: default
       config:

Logs of iptables -L -vn:

root@mail:~/mailcow-dockerized# iptables -L -vn
Chain INPUT (policy ACCEPT 279 packets, 91862 bytes)
 pkts bytes target     prot opt in     out     source               destination
42313   10M MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 180K   29M MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 180K   29M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 180K   29M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 151K   26M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
13943  870K DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
15377 2255K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
13126  822K ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 314 packets, 19671 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:3306
   47  2724 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:443
   15   748 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    1    52 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    4   232 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    2   104 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    3   180 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    1    52 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
15377 2255K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 608K  350M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
75242   19M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 608K  350M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of ip6tables -L -vn:

root@mail:~/mailcow-dockerized# ip6tables -L -vn
Chain INPUT (policy ACCEPT 2 packets, 98 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    98 MAILCOW    all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MAILCOW    all      *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 341 packets, 20618 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

root@mail:~/mailcow-dockerized# iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 525 packets, 29330 bytes)
 pkts bytes target     prot opt in     out     source               destination
46484 2101K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 251 packets, 11848 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  388 30525 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 253 packets, 15675 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  1060 MASQUERADE  all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL
 2948  223K MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.6           172.22.1.6           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.10          172.22.1.10          tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.10          172.22.1.10          tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.6:8983
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.8:3306
   48  2784 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.10:443
   16   808 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.10:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    5   292 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
   10   600 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25

Logs of ip6tables -L -vn -t nat:

root@mail:~/mailcow-dockerized# ip6tables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

DNS check:

root@mail:~/mailcow-dockerized# docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254
151.101.65.69
151.101.193.69
151.101.129.69
151.101.1.69

[MAGICCC]

We don't provide support here on GitHub Either ask in our telegram channel or in our forum

[laymonk]

I think it's wrong to consider this a support issue. This is vleat;y a bug on TLS usage in postfix that is not dependent on user configuration.

[laymonk]

This is resolved now, thankls to MAGIC from the forum ... not sure how I ended up having data/conf/postfix/main.cf replaced by contents of extra.cf ...

Stopping postfix-mailcow, and recreateing data/conf/postfix/main.cf and then restarting postfix-mailcow has fixed it.

[SimonBiggs]

@laymonk, your private key is posted above. You should re-create your private key.

[laymonk]

Yeah, I recreated it immediately after posting that ...

Thanks for the heads up.

On Mon, 3 Apr 2023 at 05:25, Simon Biggs @.***> wrote:

@laymonk https://github.com/laymonk, your private key is posted above. You should re-create your private key.

— Reply to this email directly, view it on GitHub https://github.com/mailcow/mailcow-dockerized/issues/5156#issuecomment-1493644268, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAPEMHOYK6OUOBOBCRAKGMDW7JGMRANCNFSM6AAAAAAWMSK3M4 . You are receiving this because you were mentioned.Message ID: @.***>