mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

postfix: DANE TLSA lookup problem: DANE is enforced for a domain #5247

Closed rpasing closed 1 year ago

rpasing commented 1 year ago

Contribution guidelines

I've found a bug and checked that ...

Description

I have trouble sending a mail to the @rwth-aachen.de domain. Apparently, postfix thinks this domain should have DANE and checks for a TLSA record, while this domain doesn't actually support it. It looks like that in the postfix logs: https://paste.xinu.at/5ik/

This appears to only affect the @rwth-aachen.de receiving domain for my mailcow instance. It looks like I can send to all other non-DANE domains without problems. And also sending to DANE-supporting domains is not an issue. It seems likely that for some reason I have some exceptional dane-only configuration for only this domain. But the thing is... I don't.

I already was in contact with guys in the #mailcow Libera IRC channel and we dug through some different causes for this (especially thanks to FingerlessGloves), but couldn't really find the cause why postfix is trying to enforce DANE for that domain. I will list the things we checked now:

I have no outgoing TLS policy map overrides: https://paste.xinu.at/mCWQzB/

I have no encryption policy on my sending mailbox: https://paste.xinu.at/aFCYH/

The postfix config doesn't contain anything 'policy'-related, and the db table is also empty (like shown in the UI): https://paste.xinu.at/nsGN/

I have no "dane-only" configuration anywhere: https://paste.xinu.at/TOfR6/

Resolving mx1.rz.rwth-aachen.de works for unbound: https://paste.xinu.at/yoQ/

The TLSA record query answer from unbound also looks fine (empty): https://paste.xinu.at/CfSHoU/

I already restarted the postfix container, the whole mailcow stack, and even the host machine.

If I manually add a "may" TLS policy map override in the Mailcow UI, then the mails that were stuck in the queue will be sent out! If I remove this override again, it will fall back to failing to send them out (as it's again requiring DANE).

Output of docker compose exec postfix-mailcow postconf smtp_tls_security_level: smtp_tls_security_level = dane (not dane-only).

smtp_tls_security_level is on the default mailcow values (as you also see further down for the git diff with origin/master): https://paste.xinu.at/eOKfI/

I still think this might be an issue on my end, but as we ran out of ideas in IRC, we thought I should create a bug report here. Any help would really be appreciated. Thank you very much in advance!

Logs:

mailcow-postfix-mailcow-1    | May 24 03:34:36 f00f27c85c77 postfix/qmgr[377]: 7053A70F0F00: from=<rene@pasing.net>, size=856, nrcpt=1 (queue active)
mailcow-postfix-mailcow-1    | May 24 03:34:36 f00f27c85c77 postfix/smtp[408]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mx1.rz.rwth-aachen.de type=TLSA: Host not found, try again
mailcow-postfix-mailcow-1    | May 24 03:34:36 f00f27c85c77 postfix/smtp[409]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mx1.rz.rwth-aachen.de type=TLSA: Host not found, try again
mailcow-postfix-mailcow-1    | May 24 03:34:36 f00f27c85c77 postfix/smtp[408]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mx1.rz.rwth-aachen.de type=TLSA: Host not found, try again
mailcow-postfix-mailcow-1    | May 24 03:34:36 f00f27c85c77 postfix/smtp[408]: warning: TLS policy lookup for rwth-aachen.de/mx1.rz.rwth-aachen.de: TLSA lookup error for mx1.rz.rwth-aachen.de:25
mailcow-postfix-mailcow-1    | May 24 03:34:36 f00f27c85c77 postfix/smtp[409]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mx1.rz.rwth-aachen.de type=TLSA: Host not found, try again
mailcow-postfix-mailcow-1    | May 24 03:34:36 f00f27c85c77 postfix/smtp[409]: warning: TLS policy lookup for rwth-aachen.de/mx1.rz.rwth-aachen.de: TLSA lookup error for mx1.rz.rwth-aachen.de:25
mailcow-postfix-mailcow-1    | May 24 03:34:36 f00f27c85c77 postfix/smtp[408]: 4188F70F3950: to=<rene.pasing@rwth-aachen.de>, relay=none, delay=517, delays=517/0.08/0.07/0, dsn=4.7.5, status=deferred (TLSA lookup error for mx1.rz.rwth-aachen.de:25)
mailcow-postfix-mailcow-1    | May 24 03:34:36 f00f27c85c77 postfix/smtp[409]: 7053A70F0F00: to=<rene.pasing@rwth-aachen.de>, relay=none, delay=1506, delays=1506/0.11/0.04/0, dsn=4.7.5, status=deferred (TLSA lookup error for mx1.rz.rwth-aachen.de:25)

Steps to reproduce:

  1. Observe postfix logs
  2. Send a test email to @rwth-aachen.de
  3. See a DANE TLSA lookup problem in the mailcow logs
  4. Mail has not been sent out

Which branch are you using?

master

Operating System:

Arch Linux

Server/VM specifications:

16 GiB memory, 4 core Intel Xeon

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

Docker :)

Docker version:

24.0.0

docker-compose version or docker compose version:

2.18.1

mailcow version:

2023-04b

Reverse proxy:

Nginx

Logs of git diff:

diff --git a/data/conf/nginx/templates/listen_plain.template b/data/conf/nginx/templates/listen_plain.template
index a044b22f..35b556b2 100644
--- a/data/conf/nginx/templates/listen_plain.template
+++ b/data/conf/nginx/templates/listen_plain.template
@@ -1,2 +1,3 @@
 listen ${HTTP_PORT};
 listen [::]:${HTTP_PORT};
+listen unix:/run/nginx/nginx.sock;
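Review bot: the added `listen unix:/run/nginx/nginx.sock;` line is undocumented in the hunk; nothing here shows /run/nginx being created or mounted for the nginx container, and if that directory is missing nginx fails to bind the socket and does not start at all, rather than falling back to the TCP listeners above it. Add a comment naming the reverse-proxy setup it serves and keep the line in a local override so it is not lost on the next template update.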
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index a445b60c..31bf02c5 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -198,3 +198,6 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks

 # DO NOT EDIT ANYTHING BELOW #
 # User overrides #
+
+myhostname = mail.renepasing.de
+
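Review bot: `myhostname = mail.renepasing.de` is added below the `# DO NOT EDIT ANYTHING BELOW #` and `# User overrides #` markers. mailcow's postfix container regenerates everything after that marker from data/conf/postfix/extra.cf on each start, so this diff is expected when the value lives in extra.cf, but a hand edit of main.cf at this spot would be overwritten. Confirm the override is kept in extra.cf rather than edited here.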
diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf
index 2c042c30..e3017019 100644
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@@ -26,10 +26,10 @@
     // Domains are isolated, you can define visibility options here.
     // Example:

-    // SOGoDomainsVisibility = (
-    //  (domain1.tld, domain5.tld),
-    //  (domain3.tld, domain2.tld)
-    // );
+    SOGoDomainsVisibility = (
+      (XXX1, YYY1, ZZZ1), // replaced with XXX due to privacy
+      (XXX2, YYY2, ZZZ2) // replaced with XXX due to privacy
+    );

     // self-signed is not trusted anymore
     WOPort = "0.0.0.0:20000";
@@ -45,7 +45,7 @@

     SOGoMaximumPingInterval = 3540;

-    SOGoInternalSyncInterval = 45;
+    SOGoInternalSyncInterval = 60;
     SOGoMaximumSyncInterval = 3540;

     // 100 seems to break some Android clients
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index 5e6d72e7..798a63a3 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -39,7 +39,7 @@ $autodiscover_config = array(
   'autodiscoverType' => 'activesync',
   // If autodiscoverType => activesync, also use ActiveSync (EAS) for Outlook desktop clients (>= Outlook 2013 on Windows)
   // Outlook for Mac does not support ActiveSync
-  'useEASforOutlook' => 'no',
+  'useEASforOutlook' => 'yes',
   // Please don't use STARTTLS-enabled service ports in the "port" variable.
   // The autodiscover service will always point to SMTPS and IMAPS (TLS-wrapped services).
   // The autoconfig service will additionally announce the STARTTLS-enabled ports, specified in the "tlsport" variable.
diff --git a/docker-compose.yml b/docker-compose.yml
index 23bd308f..d42778d4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -582,36 +582,6 @@ services:
           aliases:
             - ofelia

-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge
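Review bot: the `ipv6nat-mailcow` service is removed from docker-compose.yml outright, with no comment in the hunk explaining why. That container (robbertkl/ipv6nat, running privileged in host network mode) provided NAT for the IPv6 side of the mailcow bridge network; without it, outbound IPv6 from unbound-mailcow and postfix-mailcow only works if the host forwards a routed prefix for them. Since unbound performs the DNSSEC-validated TLSA lookups this issue is about, verify that the resolver can still reach IPv6-only authoritative name servers after this change, or disable IPv6 for the stack through mailcow's documented configuration instead of deleting the service.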

Logs of iptables -L -vn:


Logs of ip6tables -L -vn:


Logs of iptables -L -vn -t nat:


Logs of ip6tables -L -vn -t nat:

DNS check:

151.101.129.69
151.101.65.69
151.101.1.69
151.101.193.69

FreddleSpl0it commented 1 year ago

Please update Docker: https://github.com/mailcow/mailcow-dockerized/issues/5239