mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Fail2Ban not working on Rspamd UI #5252

Closed bundyland closed 1 year ago

bundyland commented 1 year ago


Description

Fail2ban doesn't seem to work on the Rspamd UI. Unsuccessful login attempts are not logged in the netfilter protocol and the attacking IP address is not blocked. I tried this on two different instances.
A reset of the netfilter entries in the UI hasn't fixed the problem.

I don't know if it's related, but in the logs I see:

 redis.exceptions.ConnectionError: Error 111 connecting to 172.22.1.249:6379. Connection refused.

Can the problem be related to this?

Logs:

mailcowdockerized-netfilter-mailcow-1  |     response = self._execute(conn, try_read)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/client.py", line 1507, in _execute
mailcowdockerized-netfilter-mailcow-1  |     return conn.retry.call_with_retry(
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/retry.py", line 49, in call_with_retry
mailcowdockerized-netfilter-mailcow-1  |     fail(error)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/client.py", line 1509, in <lambda>
mailcowdockerized-netfilter-mailcow-1  |     lambda error: self._disconnect_raise_connect(conn, error),
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/client.py", line 1496, in _disconnect_raise_connect
mailcowdockerized-netfilter-mailcow-1  |     raise error
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/retry.py", line 46, in call_with_retry
mailcowdockerized-netfilter-mailcow-1  |     return do()
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/client.py", line 1508, in <lambda>
mailcowdockerized-netfilter-mailcow-1  |     lambda: command(*args, **kwargs),
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/client.py", line 1529, in try_read
mailcowdockerized-netfilter-mailcow-1  |     return conn.read_response()
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 865, in read_response
mailcowdockerized-netfilter-mailcow-1  |     response = self._parser.read_response(disable_decoding=disable_decoding)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 346, in read_response
mailcowdockerized-netfilter-mailcow-1  |     result = self._read_response(disable_decoding=disable_decoding)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 356, in _read_response
mailcowdockerized-netfilter-mailcow-1  |     raw = self._buffer.readline()
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 259, in readline
mailcowdockerized-netfilter-mailcow-1  |     self._read_from_socket()
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 212, in _read_from_socket
mailcowdockerized-netfilter-mailcow-1  |     raise ConnectionError(SERVER_CLOSED_CONNECTION_ERROR)
mailcowdockerized-netfilter-mailcow-1  | redis.exceptions.ConnectionError: Connection closed by server.
mailcowdockerized-netfilter-mailcow-1  |
mailcowdockerized-netfilter-mailcow-1  | During handling of the above exception, another exception occurred:
mailcowdockerized-netfilter-mailcow-1  |
mailcowdockerized-netfilter-mailcow-1  | Traceback (most recent call last):
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 1448, in get_connection
mailcowdockerized-netfilter-mailcow-1  |     if connection.can_read():
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 854, in can_read
mailcowdockerized-netfilter-mailcow-1  |     return self._parser.can_read(timeout)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 341, in can_read
mailcowdockerized-netfilter-mailcow-1  |     return self._buffer and self._buffer.can_read(timeout)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 239, in can_read
mailcowdockerized-netfilter-mailcow-1  |     return bool(self.unread_bytes()) or self._read_from_socket(
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 212, in _read_from_socket
mailcowdockerized-netfilter-mailcow-1  |     raise ConnectionError(SERVER_CLOSED_CONNECTION_ERROR)
mailcowdockerized-netfilter-mailcow-1  | redis.exceptions.ConnectionError: Connection closed by server.
mailcowdockerized-netfilter-mailcow-1  |
mailcowdockerized-netfilter-mailcow-1  | During handling of the above exception, another exception occurred:
mailcowdockerized-netfilter-mailcow-1  |
mailcowdockerized-netfilter-mailcow-1  | Traceback (most recent call last):
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 698, in connect
mailcowdockerized-netfilter-mailcow-1  |     sock = self.retry.call_with_retry(
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/retry.py", line 46, in call_with_retry
mailcowdockerized-netfilter-mailcow-1  |     return do()
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 699, in <lambda>
mailcowdockerized-netfilter-mailcow-1  |     lambda: self._connect(), lambda error: self.disconnect(error)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 987, in _connect
mailcowdockerized-netfilter-mailcow-1  |     raise err
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 975, in _connect
mailcowdockerized-netfilter-mailcow-1  |     sock.connect(socket_address)
mailcowdockerized-netfilter-mailcow-1  | ConnectionRefusedError: [Errno 111] Connection refused
mailcowdockerized-netfilter-mailcow-1  |
mailcowdockerized-netfilter-mailcow-1  | During handling of the above exception, another exception occurred:
mailcowdockerized-netfilter-mailcow-1  |
mailcowdockerized-netfilter-mailcow-1  | Traceback (most recent call last):
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
mailcowdockerized-netfilter-mailcow-1  |     self.run()
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/threading.py", line 953, in run
mailcowdockerized-netfilter-mailcow-1  |     self._target(*self._args, **self._kwargs)
mailcowdockerized-netfilter-mailcow-1  |   File "/server.py", line 345, in watch
mailcowdockerized-netfilter-mailcow-1  |     logWarn('Error reading log line from pubsub: %s' % ex)
mailcowdockerized-netfilter-mailcow-1  |   File "/server.py", line 55, in logWarn
mailcowdockerized-netfilter-mailcow-1  |     log('warn', message)
mailcowdockerized-netfilter-mailcow-1  |   File "/server.py", line 51, in log
mailcowdockerized-netfilter-mailcow-1  |     r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/commands/core.py", line 2695, in lpush
mailcowdockerized-netfilter-mailcow-1  |     return self.execute_command("LPUSH", name, *values)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/client.py", line 1255, in execute_command
mailcowdockerized-netfilter-mailcow-1  |     conn = self.connection or pool.get_connection(command_name, **options)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 1452, in get_connection
mailcowdockerized-netfilter-mailcow-1  |     connection.connect()
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 704, in connect
mailcowdockerized-netfilter-mailcow-1  |     raise ConnectionError(self._error_message(e))
mailcowdockerized-netfilter-mailcow-1  | redis.exceptions.ConnectionError: Error 111 connecting to 172.22.1.249:6379. Connection refused.
mailcowdockerized-netfilter-mailcow-1  | Exception ignored in atexit callback: <function clear at 0x7ff1d3c46320>
mailcowdockerized-netfilter-mailcow-1  | Traceback (most recent call last):
mailcowdockerized-netfilter-mailcow-1  |   File "/server.py", line 292, in clear
mailcowdockerized-netfilter-mailcow-1  |     logInfo('Clearing all bans')
mailcowdockerized-netfilter-mailcow-1  |   File "/server.py", line 61, in logInfo
mailcowdockerized-netfilter-mailcow-1  |     log('info', message)
mailcowdockerized-netfilter-mailcow-1  |   File "/server.py", line 51, in log
mailcowdockerized-netfilter-mailcow-1  |     r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/commands/core.py", line 2695, in lpush
mailcowdockerized-netfilter-mailcow-1  |     return self.execute_command("LPUSH", name, *values)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/client.py", line 1255, in execute_command
mailcowdockerized-netfilter-mailcow-1  |     conn = self.connection or pool.get_connection(command_name, **options)
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 1442, in get_connection
mailcowdockerized-netfilter-mailcow-1  |     connection.connect()
mailcowdockerized-netfilter-mailcow-1  |   File "/usr/lib/python3.10/site-packages/redis/connection.py", line 704, in connect
mailcowdockerized-netfilter-mailcow-1  |     raise ConnectionError(self._error_message(e))
mailcowdockerized-netfilter-mailcow-1  | redis.exceptions.ConnectionError: Error 111 connecting to 172.22.1.249:6379. Connection refused.
mailcowdockerized-netfilter-mailcow-1  | Clearing all bans
mailcowdockerized-netfilter-mailcow-1  | Initializing mailcow netfilter chain
mailcowdockerized-netfilter-mailcow-1  | Watching Redis channel F2B_CHANNEL
mailcowdockerized-netfilter-mailcow-1  | Whitelist was changed, it has 1 entries

Steps to reproduce:

1. open mailcow.host.tld/rspamd
2. enter wrong password several times
3. check netfilter logs and see that nothing happens

Which branch are you using?

master

Operating System:

Debian 11

Server/VM specifications:

Intel(R) Xeon(R) Gold 6240 CPU @ 2.60GHz / 8GB RAM

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

24.0.2

docker-compose version or docker compose version:

v2.18.1

mailcow version:

2023-05

Reverse proxy:

no

Logs of git diff:

nothing worth mentioning

Logs of iptables -L -vn:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
1166K  443M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1165K  443M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
  16M 4849M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
1055K   66M DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
2685K 1080M ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
 971K   60M ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    3   180 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.4           tcp dpt:3306
    2   100 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
  449 26904 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:8983
    2   100 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
 3210  192K ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:443
    3   192 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
  427 22732 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
   14   804 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.86          tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.88          tcp dpt:443
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.85          tcp dpt:5000

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 170K   63M DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
1165K  443M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
 170K   63M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1847  256K DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries src
 1748 88656 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set blocked src
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:63588 ! match-set ssh-allowed src

Logs of ip6tables -L -vn:

# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 161K  158M DOCKER-USER  all      *      *       ::/0                 ::/0
 161K  157M DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0
    0     0 ACCEPT     all      *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 !docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 docker0  ::/0                 ::/0
1897K 1910M ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 273K   20M DOCKER     all      *      br-mailcow  ::/0                 ::/0
 110K   29M ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0
 272K   19M ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:587
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:465
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:4190
   19  1520 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:25
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:995
   82  6724 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::13  tcp dpt:443
    1    72 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:993
    4   320 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::13  tcp dpt:80
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:143
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::a  tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all      docker0 !docker0  ::/0                 ::/0
 8624 1664K DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0
 161K  157M RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      docker0  ::/0                 ::/0
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0
 8624 1664K RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1173  283K DROP       all      eth0   *       ::/0                 ::/0                 match-set countries6 src
    8   640 DROP       all      eth0   *       ::/0                 ::/0                 match-set blocked6 src
2280K 1958M RETURN     all      *      *       ::/0                 ::/0

Logs of iptables -L -vn -t nat:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8908  483K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
 361K   28M MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.4           172.22.1.4           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.9           172.22.1.9           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.12          172.22.1.12          tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.12          172.22.1.12          tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.86          172.22.1.86          tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.88          172.22.1.88          tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.85          172.22.1.85          tcp dpt:5000

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
   10   600 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    4   224 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.4:3306
    3   144 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
  543 31660 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.9:8983
    3   144 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
 3311  197K DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.12:443
    5   280 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
  481 25524 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.12:80
    1    60 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
   15   848 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8555 to:172.22.1.86:80
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8443 to:172.22.1.88:443
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:5000 to:172.22.1.85:5000

Logs of ip6tables -L -vn -t nat:

# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  205 15276 DOCKER     all      *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all      *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all      *      !docker0  fd00:dead:beef:c0::/80  ::/0
77046 7467K MASQUERADE  all      *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::4  fd4d:6169:6c63:6f77::4  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::4  fd4d:6169:6c63:6f77::4  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::a  fd4d:6169:6c63:6f77::a  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::4  fd4d:6169:6c63:6f77::4  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::a  fd4d:6169:6c63:6f77::a  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::13  fd4d:6169:6c63:6f77::13  tcp dpt:443
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::a  fd4d:6169:6c63:6f77::a  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::13  fd4d:6169:6c63:6f77::13  tcp dpt:80
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::a  fd4d:6169:6c63:6f77::a  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::a  fd4d:6169:6c63:6f77::a  tcp dpt:110

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all      docker0 *       ::/0                 ::/0
   30  2400 RETURN     all      br-mailcow *       ::/0                 ::/0
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::4]:587
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::4]:465
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::a]:4190
   19  1520 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::4]:25
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::a]:995
   83  6792 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::13]:443
    1    72 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::a]:993
    4   320 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::13]:80
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::a]:143
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::a]:110

DNS check:

151.101.193.69
151.101.129.69
151.101.65.69
151.101.1.69

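
The traceback above shows the mechanism behind the missing bans, not just a symptom: the watch thread's read from the Redis pubsub channel failed because Redis was unreachable, the handler reported that failure by pushing a NETFILTER_LOG entry into the same Redis (watch -> logWarn -> log -> r.lpush), that push raised as well, and the second exception escaped the thread. Once the watcher is gone, no failed login from any service is scored until the container restarts. The following is an added illustration, not mailcow's server.py and not rspamd's code: a toy watcher with a fake Redis client (the FakeRedis/OUTAGE API and the "rspamd ui: invalid password from" line wording are assumptions for the example, not mailcow's or rspamd's real interfaces or log format), showing that fragile pattern next to a version whose logging path cannot take the loop down, with a Fail2Ban-style sliding-window counter behind it.

```python
import json, re, sys, time
from collections import defaultdict, deque

OUTAGE = object()  # marker in the constructed feed: Redis drops out here

class RedisDown(Exception): pass  # stands in for redis.exceptions.ConnectionError

class FakeRedis:
    """Assumed stand-in for the redis client (not the real library); at OUTAGE the read and the next command both fail."""

    def __init__(self, feed):
        self._feed, self.lists, self.failing_calls = list(feed), defaultdict(list), 0

    def _check(self):
        if self.failing_calls > 0:
            self.failing_calls -= 1
            raise RedisDown("Error 111 connecting to redis:6379. Connection refused.")

    def lpush(self, name, value):
        self._check()
        self.lists[name].insert(0, value)

    def get_message(self):
        if self._feed and self._feed[0] is OUTAGE:
            self._feed.pop(0)
            self.failing_calls = 2  # the read, plus the log write that reports it
        self._check()
        return self._feed.pop(0) if self._feed else None

# Assumed wording for a failed Rspamd UI login; not rspamd's real log format.
FAILED_LOGIN = re.compile(r"rspamd ui: invalid password from (?P<ip>[0-9a-fA-F.:]+)")

class BanTracker:
    """Fail2Ban-style sliding window: ban after `limit` failures within `window` seconds."""

    def __init__(self, limit=5, window=600):
        self.limit, self.window = limit, window
        self.failures, self.banned = defaultdict(deque), set()

    def score(self, line):
        m = FAILED_LOGIN.search(line)
        if not m:
            return
        ip, q = m.group("ip"), self.failures[m.group("ip")]
        q.append(time.time())
        while q[-1] - q[0] > self.window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.banned.add(ip)  # real code would add an iptables/nft rule here

def watch_fragile(r, tracker):
    """Same call chain as the traceback: a pubsub read error is reported via r.lpush. With
    Redis itself down that lpush raises inside the except block and the watcher thread dies."""
    while True:
        try:
            msg = r.get_message()
        except RedisDown as ex:
            r.lpush("NETFILTER_LOG", json.dumps({"priority": "warn", "message": "Error reading log line from pubsub: %s" % ex}))
            continue
        if msg is None:
            return
        tracker.score(msg)

def safe_log(r, level, message):
    """Logging must never take the watcher down: fall back to stderr when Redis is away."""
    try:
        r.lpush("NETFILTER_LOG", json.dumps({"priority": level, "message": message}))
    except RedisDown as ex:
        print("[%s] %s (redis unavailable: %s)" % (level, message, ex), file=sys.stderr)

def watch_hardened(r, tracker, max_consecutive_errors=10):
    """Logs the outage without raising and keeps reading; gives up only after repeated
    consecutive failures so a supervisor restarts the process visibly instead of it spinning."""
    errors = 0
    while True:
        try:
            msg = r.get_message()
        except RedisDown as ex:
            errors += 1
            safe_log(r, "warn", "Error reading log line from pubsub: %s" % ex)
            if errors >= max_consecutive_errors:
                raise
            continue
        errors = 0
        if msg is None:
            return
        tracker.score(msg)

def run(watch):
    # Constructed feed: five bad logins from one documentation-range address, Redis dropping out after the first.
    line = "rspamd ui: invalid password from 203.0.113.7"
    r, tracker = FakeRedis([line, OUTAGE, line, line, line, line]), BanTracker(limit=5)
    try:
        watch(r, tracker)
        survived = True
    except RedisDown:
        survived = False
    return {"survived": survived, "banned": sorted(tracker.banned), "failures": len(tracker.failures["203.0.113.7"])}
```

Calling run(watch_fragile) and run(watch_hardened) shows the difference: the fragile watcher dies at the outage with one recorded failure and no ban, while the hardened one writes the warning to stderr, keeps reading, and bans the address on the fifth failure. The same check applies after any fix: fail the Rspamd UI login repeatedly and confirm the address shows up in the netfilter log rather than assuming the watcher is still alive.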
bundyland commented 1 year ago

Addition: This is what I see if I enter a wrong password in the Rspamd UI:

Screenshot 2023-05-27 130008

MAGICCC commented 1 year ago

Indeed, but I couldn't find any hints where a possible log could be written to.

MAGICCC commented 1 year ago

@jrust-ES can you try to use https://github.com/mailcow/mailcow-dockerized/pull/5262?

https://patch-diff.githubusercontent.com/raw/mailcow/mailcow-dockerized/pull/5262.patch

bundyland commented 1 year ago

@MAGICCC

Hi Peter, thank you very much. The netfilter for Rspamd UI works again with your patch.

There are still the "undefined" and "Request failed" error messages if you enter a wrong password on the Rspamd UI, but that may just be a cosmetic issue. Thanks again!!!


MAGICCC commented 1 year ago

I guess that's an rspamd thing... All should have the same

MAGICCC commented 1 year ago

Fixed in https://github.com/rspamd/rspamd/pull/4504 then :)