mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

netfilter Address family not supported by protocol #5899

Open VladoPortos opened 3 weeks ago

VladoPortos commented 3 weeks ago


Description

The netfilter docker container is not working / restarting all the time, trying to do something with IPv6 despite IPv6 being removed and not used at all.

Logs:

Using IPTables backend
Clearing all bans
Traceback (most recent call last):
  File "/app/main.py", line 417, in <module>
    clear()
  File "/app/main.py", line 220, in clear
    tables.clearIPv6Table()
  File "/app/modules/IPTables.py", line 72, in clearIPv6Table
    self.clearTable(iptc.Table6(iptc.Table6.FILTER))
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/iptc/ip6tc.py", line 589, in __new__
    obj._init(name, autocommit)
  File "/usr/lib/python3.11/site-packages/iptc/ip6tc.py", line 606, in _init
    self.refresh()
  File "/usr/lib/python3.11/site-packages/iptc/ip4tc.py", line 1634, in refresh
    raise IPTCError("can't initialize %s: %s" % (self.name,
iptc.ip4tc.IPTCError: can't initialize filter: b'Address family not supported by protocol'

Steps to reproduce:

1. Follow guide to install
2. Follow guide to disable ipv6

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Ubuntu 22.04.4 LTS

Server/VM specifications:

12

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

NO

Docker version:

26.1.4, build 5650f9b

docker-compose version or docker compose version:

v2.27.1

mailcow version:

2024-04

Reverse proxy:

Traefik

Logs of git diff:

diff --git a/data/assets/ssl-example/cert.pem b/data/assets/ssl-example/cert.pem
index 96d16bec..5e98d615 100644
--- a/data/assets/ssl-example/cert.pem
+++ b/data/assets/ssl-example/cert.pem
@@ -1,19 +1,33 @@
 -----BEGIN CERTIFICATE-----
diff --git a/data/assets/ssl-example/key.pem b/data/assets/ssl-example/key.pem
index cedf35a0..07c84cc9 100644
--- a/data/assets/ssl-example/key.pem
+++ b/data/assets/ssl-example/key.pem
@@ -1,27 +1,52 @@
------BEGIN RSA PRIVATE KEY-----
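Review bot: the cert.pem hunk above and this key.pem hunk are unrelated to the IPv6 problem and paste private key material from data/assets/ssl-example into a public issue; exclude regenerated example assets from a diagnostic diff (for example `git diff -- . ':!data/assets/ssl-example'`) so only the configuration changes under review remain.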
diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index 729686fb..6b7b2fa6 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -164,7 +164,7 @@ service lmtp {
   }
   user = vmail
 }
-listen = *,[::]
+listen = *
 ssl_cert = </etc/ssl/mail/cert.pem
 ssl_key = </etc/ssl/mail/key.pem
 userdb {
diff --git a/data/conf/nginx/dynmaps.conf b/data/conf/nginx/dynmaps.conf
index 99c0c6aa..91ecba07 100644
--- a/data/conf/nginx/dynmaps.conf
+++ b/data/conf/nginx/dynmaps.conf
@@ -1,6 +1,5 @@
 server {
   listen 8081;
-  listen [::]:8081;
   index index.php index.html;
   server_name _;
   error_log  /var/log/nginx/error.log;
diff --git a/data/conf/nginx/templates/listen_plain.template b/data/conf/nginx/templates/listen_plain.template
index a044b22f..68133480 100644
--- a/data/conf/nginx/templates/listen_plain.template
+++ b/data/conf/nginx/templates/listen_plain.template
@@ -1,2 +1 @@
 listen ${HTTP_PORT};
-listen [::]:${HTTP_PORT};
diff --git a/data/conf/nginx/templates/listen_ssl.template b/data/conf/nginx/templates/listen_ssl.template
index 40c402d0..413b20db 100644
--- a/data/conf/nginx/templates/listen_ssl.template
+++ b/data/conf/nginx/templates/listen_ssl.template
@@ -1,3 +1,2 @@
 listen ${HTTPS_PORT} ssl;
-listen [::]:${HTTPS_PORT} ssl;
 http2 on;
diff --git a/data/conf/phpfpm/php-fpm.d/pools.conf b/data/conf/phpfpm/php-fpm.d/pools.conf
index 605e686c..d6df1243 100644
--- a/data/conf/phpfpm/php-fpm.d/pools.conf
+++ b/data/conf/phpfpm/php-fpm.d/pools.conf
@@ -6,7 +6,7 @@ pm.max_children = 15
 pm.start_servers = 2
 pm.min_spare_servers = 2
 pm.max_spare_servers = 4
-listen = [::]:9001
+listen = 9001
 access.log = /proc/self/fd/2
 clear_env = no
 catch_workers_output = yes
@@ -21,7 +21,7 @@ pm.max_children = 50
 pm.start_servers = 10
 pm.min_spare_servers = 10
 pm.max_spare_servers = 15
-listen = [::]:9002
+listen = 9002
 access.log = /proc/self/fd/2
 clear_env = no
 catch_workers_output = yes
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 572300db..933af98d 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -173,3 +173,37 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks

 # DO NOT EDIT ANYTHING BELOW #
 # Overrides #
+
+postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+  hostkarma.junkemailfilter.com=127.0.0.1*-2
+  list.dnswl.org=127.0.[0..255].0*-2
+  list.dnswl.org=127.0.[0..255].1*-4
+  list.dnswl.org=127.0.[0..255].2*-6
+  list.dnswl.org=127.0.[0..255].3*-8
+  ix.dnsbl.manitu.net*2
+  bl.spamcop.net*2
+  bl.suomispam.net*2
+  hostkarma.junkemailfilter.com=127.0.0.2*3
+  hostkarma.junkemailfilter.com=127.0.0.4*2
+  hostkarma.junkemailfilter.com=127.0.1.2*1
+  backscatter.spameatingmonkey.net*2
+  bl.ipv6.spameatingmonkey.net*2
+  bl.spameatingmonkey.net*2
+  b.barracudacentral.org=127.0.0.2*7
+  bl.mailspike.net=127.0.0.2*5
+  bl.mailspike.net=127.0.0.[10;11;12]*4
+  dnsbl.sorbs.net=127.0.0.10*8
+  dnsbl.sorbs.net=127.0.0.5*6
+  dnsbl.sorbs.net=127.0.0.7*3
+  dnsbl.sorbs.net=127.0.0.8*2
+  dnsbl.sorbs.net=127.0.0.6*2
+  dnsbl.sorbs.net=127.0.0.9*2
+  zen.spamhaus.org=127.0.0.[10;11]*8
+  zen.spamhaus.org=127.0.0.[4..7]*6
+  zen.spamhaus.org=127.0.0.3*4
+  zen.spamhaus.org=127.0.0.2*3
+
+# User Overrides
+myhostname = mail.postbox.sk
+smtp_address_preference = ipv4
+inet_protocols = ipv4
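Review bot: this whole hunk sits below the '# DO NOT EDIT ANYTHING BELOW #' marker, so it is content the container regenerates at start rather than a hand edit, and the long postscreen_dnsbl_sites list is noise for this report; the lines that matter are the two under '# User Overrides', `inet_protocols = ipv4` and `smtp_address_preference = ipv4`, which are the right Postfix settings for an IPv4-only host and should be kept in data/conf/postfix/extra.cf (the file mailcow appends into that section) rather than edited into main.cf. The hunk also publishes the real `myhostname`, which a trimmed diff would avoid.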
diff --git a/data/conf/unbound/unbound.conf b/data/conf/unbound/unbound.conf
index 27110c04..341a5592 100644
--- a/data/conf/unbound/unbound.conf
+++ b/data/conf/unbound/unbound.conf
@@ -1,10 +1,10 @@
 server:
   verbosity: 1
   interface: 0.0.0.0
-  interface: ::0
+#  interface: ::0
   logfile: /dev/console
   do-ip4: yes
-  do-ip6: yes
+  do-ip6: no
   do-udp: yes
   do-tcp: yes
   do-daemonize: no
@@ -12,8 +12,8 @@ server:
   access-control: 10.0.0.0/8 allow
   access-control: 172.16.0.0/12 allow
   access-control: 192.168.0.0/16 allow
-  access-control: fc00::/7 allow
-  access-control: fe80::/10 allow
+#  access-control: fc00::/7 allow
+#  access-control: fe80::/10 allow
   #access-control: ::0/0 allow
   directory: "/etc/unbound"
   username: unbound
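Review bot: with `do-ip6: no` in the previous hunk unbound neither listens on nor resolves over IPv6, so commenting out the fc00::/7 and fe80::/10 access-control entries is consistent but no longer necessary; keeping `interface: 0.0.0.0` with only the RFC 1918 allow list leaves the resolver reachable from the container networks alone, which is the intended scope.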
diff --git a/docker-compose.yml b/docker-compose.yml
index 3efd6a42..1f561706 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,4 @@
-version: '2.1'
 services:
-
     unbound-mailcow:
       image: mailcow/unbound:1.21
       environment:
@@ -13,12 +11,18 @@ services:
       tty: true
       networks:
         mailcow-network:
-          ipv4_address: ${IPV4_NETWORK:-172.22.1}.254
+          ipv4_address: ${IPV4_NETWORK:-172.30.1}.254
           aliases:
             - unbound

     mysql-mailcow:
       image: mariadb:10.5
+      environment:
+        - TZ=${TZ}
+        - MYSQL_ROOT_PASSWORD=${DBROOT}
+        - MYSQL_DATABASE=${DBNAME}
+        - MYSQL_USER=${DBUSER}
+        - MYSQL_PASSWORD=${DBPASS}
       depends_on:
         - unbound-mailcow
         - netfilter-mailcow
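Review bot: changing the compose default from `${IPV4_NETWORK:-172.22.1}` to `${IPV4_NETWORK:-172.30.1}` (here and in every later hunk) edits a tracked file for something the IPV4_NETWORK variable already controls; set IPV4_NETWORK=172.30.1 in mailcow.conf instead and leave docker-compose.yml untouched, otherwise the next update will conflict with these local edits. The environment block inserted here is only half of a move; see the next hunk.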
@@ -27,13 +31,6 @@ services:
         - mysql-vol-1:/var/lib/mysql/
         - mysql-socket-vol-1:/var/run/mysqld/
         - ./data/conf/mysql/:/etc/mysql/conf.d/:ro,Z
-      environment:
-        - TZ=${TZ}
-        - MYSQL_ROOT_PASSWORD=${DBROOT}
-        - MYSQL_DATABASE=${DBNAME}
-        - MYSQL_USER=${DBUSER}
-        - MYSQL_PASSWORD=${DBPASS}
-        - MYSQL_INITDB_SKIP_TZINFO=1
       restart: always
       ports:
         - "${SQL_PORT:-127.0.0.1:13306}:3306"
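Review bot: the other half of the environment move silently drops `MYSQL_INITDB_SKIP_TZINFO=1`, which has nothing to do with IPv6; unless that was intentional, add it back to the relocated block so MariaDB initialisation behaves as before.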
@@ -57,7 +54,7 @@ services:
         - net.core.somaxconn=4096
       networks:
         mailcow-network:
-          ipv4_address: ${IPV4_NETWORK:-172.22.1}.249
+          ipv4_address: ${IPV4_NETWORK:-172.30.1}.249
           aliases:
             - redis

@@ -68,7 +65,7 @@ services:
         unbound-mailcow:
           condition: service_healthy
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - ${IPV4_NETWORK:-172.30.1}.254
       environment:
         - TZ=${TZ}
         - SKIP_CLAMD=${SKIP_CLAMD:-n}
@@ -87,8 +84,8 @@ services:
         - dovecot-mailcow
       environment:
         - TZ=${TZ}
-        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
-        - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
+        - IPV4_NETWORK=${IPV4_NETWORK:-172.30.1}
+       #- IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
         - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
         - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
       volumes:
@@ -104,7 +101,7 @@ services:
       restart: always
       hostname: rspamd
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - 8.8.8.8
       networks:
         mailcow-network:
           aliases:
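Review bot: replacing the internal resolver `${IPV4_NETWORK:-172.22.1}.254` (unbound) with 8.8.8.8 for rspamd is the riskiest change in this diff: DNSBL and URIBL providers such as Spamhaus refuse or rate-limit queries that arrive via public resolvers, so rspamd's blocklist lookups degrade silently. The unbound hunk above already makes the resolver IPv4-only (`do-ip6: no`), so the `dns:` entry should stay on unbound; the same applies to the other 8.8.8.8 substitutions below.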
@@ -134,7 +131,7 @@ services:
         - ./data/assets/templates:/tpls:z
         - ./data/conf/nginx/:/etc/nginx/conf.d/:z
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - 8.8.8.8
       environment:
         - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
         - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
@@ -150,8 +147,7 @@ services:
         - POP_PORT=${POP_PORT:-110}
         - POPS_PORT=${POPS_PORT:-995}
         - SIEVE_PORT=${SIEVE_PORT:-4190}
-        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
-        - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
+        - IPV4_NETWORK=${IPV4_NETWORK:-172.30.1}
         - SUBMISSION_PORT=${SUBMISSION_PORT:-587}
         - SMTPS_PORT=${SMTPS_PORT:-465}
         - SMTP_PORT=${SMTP_PORT:-25}
@@ -186,14 +182,14 @@ services:
         - MAILCOW_PASS_SCHEME=${MAILCOW_PASS_SCHEME:-BLF-CRYPT}
         - ACL_ANYONE=${ACL_ANYONE:-disallow}
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
-        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
+        - IPV4_NETWORK=${IPV4_NETWORK:-172.30.1}
         - SOGO_EXPIRE_SESSION=${SOGO_EXPIRE_SESSION:-480}
         - SKIP_SOGO=${SKIP_SOGO:-n}
         - MASTER=${MASTER:-y}
         - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
         - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - 8.8.8.8
       volumes:
         - ./data/hooks/sogo:/hooks:Z
         - ./data/conf/sogo/:/etc/sogo/:z
@@ -217,7 +213,7 @@ services:
       restart: always
       networks:
         mailcow-network:
-          ipv4_address: ${IPV4_NETWORK:-172.22.1}.248
+          ipv4_address: ${IPV4_NETWORK:-172.30.1}.248
           aliases:
             - sogo

@@ -227,7 +223,7 @@ services:
         - mysql-mailcow
         - netfilter-mailcow
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - 8.8.8.8
       cap_add:
         - NET_BIND_SERVICE
       volumes:
@@ -255,7 +251,7 @@ services:
         - TZ=${TZ}
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
         - MAILCOW_PASS_SCHEME=${MAILCOW_PASS_SCHEME:-BLF-CRYPT}
-        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
+        - IPV4_NETWORK=${IPV4_NETWORK:-172.30.1}
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
         - MAILDIR_GC_TIME=${MAILDIR_GC_TIME:-7200}
         - ACL_ANYONE=${ACL_ANYONE:-disallow}
@@ -300,7 +296,7 @@ services:
           hard: 40000
       networks:
         mailcow-network:
-          ipv4_address: ${IPV4_NETWORK:-172.22.1}.250
+          ipv4_address: ${IPV4_NETWORK:-172.30.1}.250
           aliases:
             - dovecot

@@ -337,10 +333,10 @@ services:
         - "${SUBMISSION_PORT:-587}:587"
       restart: always
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - 8.8.8.8
       networks:
         mailcow-network:
-          ipv4_address: ${IPV4_NETWORK:-172.22.1}.253
+          ipv4_address: ${IPV4_NETWORK:-172.30.1}.253
           aliases:
             - postfix
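Review bot: for postfix the switch to 8.8.8.8 matters even more than for rspamd: the `postscreen_dnsbl_sites` list in the main.cf hunk is queried through this resolver (several of those lists refuse public resolvers), and DANE verification of outbound TLS only works with a trusted validating resolver such as the bundled unbound, because an AD bit received from a remote public resolver is not trustworthy. Keep `${IPV4_NETWORK:-172.30.1}.254` here, as the watchdog hunk below still does.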

@@ -361,7 +357,7 @@ services:
         - redis-mailcow
       image: nginx:mainline-alpine
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - 8.8.8.8
       command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
         envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
         envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
@@ -378,7 +374,7 @@ services:
         - HTTPS_PORT=${HTTPS_PORT:-443}
         - HTTP_PORT=${HTTP_PORT:-80}
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
-        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
+        - IPV4_NETWORK=${IPV4_NETWORK:-172.30.1}
         - TZ=${TZ}
         - SKIP_SOGO=${SKIP_SOGO:-n}
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
@@ -407,7 +403,7 @@ services:
           condition: service_healthy
       image: mailcow/acme:1.87
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - 8.8.8.8
       environment:
         - LOG_LINES=${LOG_LINES:-9999}
         - ACME_CONTACT=${ACME_CONTACT:-}
@@ -444,13 +440,13 @@ services:
       image: mailcow/netfilter:1.58
       stop_grace_period: 30s
       restart: always
+      dns:
+        - 8.8.8.8
       privileged: true
       environment:
         - TZ=${TZ}
-        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
-        - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
+        - IPV4_NETWORK=${IPV4_NETWORK:-172.30.1}
         - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
-        - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
         - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
         - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
         - MAILCOW_REPLICA_IP=${MAILCOW_REPLICA_IP:-}
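Review bot: removing IPV6_NETWORK and SNAT6_TO_SOURCE from the netfilter environment cannot resolve the traceback in the report: as the follow-up comments show, main.py calls initChainIPv6() and clearIPv6Table() unconditionally, without consulting these variables, so an explicit opt-out in the code (the DISABLE_IPV6 variable proposed later in the thread) is needed; the added `dns: 8.8.8.8` carries the same resolver concern raised for rspamd and postfix.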
@@ -462,7 +458,7 @@ services:
     watchdog-mailcow:
       image: mailcow/watchdog:2.02
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - ${IPV4_NETWORK:-172.30.1}.254
       tmpfs:
         - /tmp
       volumes:
@@ -479,7 +475,6 @@ services:
         - redis-mailcow

       environment:
-        - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
         - LOG_LINES=${LOG_LINES:-9999}
         - TZ=${TZ}
         - DBNAME=${DBNAME}
@@ -498,7 +493,7 @@ services:
         - WATCHDOG_VERBOSE=${WATCHDOG_VERBOSE:-n}
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
         - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
-        - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
+        - IPV4_NETWORK=${IPV4_NETWORK:-172.30.1}
         - IP_BY_DOCKER_API=${IP_BY_DOCKER_API:-0}
         - CHECK_UNBOUND=${CHECK_UNBOUND:-1}
         - SKIP_CLAMD=${SKIP_CLAMD:-n}
@@ -537,7 +532,7 @@ services:
         - label=disable
       restart: always
       dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
+        - 8.8.8.8
       environment:
         - DBROOT=${DBROOT}
         - TZ=${TZ}
@@ -550,7 +545,7 @@ services:
           aliases:
             - dockerapi

-    
+
     ##### Will be removed soon #####
     solr-mailcow:
       image: mailcow/solr:1.8.2
@@ -644,12 +639,11 @@ networks:
     driver: bridge
     driver_opts:
       com.docker.network.bridge.name: br-mailcow
-    enable_ipv6: true
+    enable_ipv6: false
     ipam:
       driver: default
       config:
-        - subnet: ${IPV4_NETWORK:-172.22.1}.0/24
-        - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
+        - subnet: ${IPV4_NETWORK:-172.30.1}.0/24

 volumes:
   vmail-vol-1:
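Review bot: `enable_ipv6: false` together with dropping the fd4d:... subnet is the change that actually removes IPv6 from br-mailcow; it only takes effect once the network is recreated (`docker compose down` then `up -d`), which the iptables output further down confirms (MASQUERADE for 172.30.1.0/24, empty ip6tables chains). Prefer carrying this and the other compose edits in docker-compose.override.yml rather than in the tracked docker-compose.yml.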

Logs of iptables -L -vn:

root@forge /home/vladoportos/mailcow-dockerized # iptables -L -vn
Chain INPUT (policy ACCEPT 8806 packets, 1108K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 137K  369M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 137K  369M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
62415  269M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1248 75063 DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
42692 3171K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 1248 75063 ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-7fc9d34b15b9  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-7fc9d34b15b9  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-7fc9d34b15b9 !br-7fc9d34b15b9  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-7fc9d34b15b9 br-7fc9d34b15b9  0.0.0.0/0            0.0.0.0/0           
50341  154M ACCEPT     all  --  *      br-cee82eb3092d  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  489 29104 DOCKER     all  --  *      br-cee82eb3092d  0.0.0.0/0            0.0.0.0/0           
 6023   13M ACCEPT     all  --  br-cee82eb3092d !br-cee82eb3092d  0.0.0.0/0            0.0.0.0/0           
  344 20640 ACCEPT     all  --  br-cee82eb3092d br-cee82eb3092d  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 10349 packets, 8842K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination         
  112  6588 ACCEPT     tcp  --  !br-cee82eb3092d br-cee82eb3092d  0.0.0.0/0            172.22.0.4           tcp dpt:443
   32  1816 ACCEPT     tcp  --  !br-cee82eb3092d br-cee82eb3092d  0.0.0.0/0            172.22.0.4           tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.5           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.6           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.250         tcp dpt:4190
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.250         tcp dpt:995
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.250         tcp dpt:993
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.250         tcp dpt:143
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.250         tcp dpt:110
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.8           tcp dpt:8443
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.8           tcp dpt:8080
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.253         tcp dpt:587
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.253         tcp dpt:465
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.30.1.253         tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
42692 3171K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-7fc9d34b15b9 !br-7fc9d34b15b9  0.0.0.0/0            0.0.0.0/0           
 6023   13M DOCKER-ISOLATION-STAGE-2  all  --  br-cee82eb3092d !br-cee82eb3092d  0.0.0.0/0            0.0.0.0/0           
 170K  440M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-7fc9d34b15b9  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-cee82eb3092d  0.0.0.0/0            0.0.0.0/0           
49476   16M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 170K  440M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Logs of ip6tables -L -vn:

root@forge /home/vladoportos/mailcow-dockerized # ip6tables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

root@forge /home/vladoportos/mailcow-dockerized # iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 1861 packets, 115K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  410 22342 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 180 packets, 9009 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 86 packets, 6532 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1506 packets, 91647 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  515 37516 MASQUERADE  all  --  *      !br-mailcow  172.30.1.0/24        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-7fc9d34b15b9  172.18.0.0/16        0.0.0.0/0           
    3   180 MASQUERADE  all  --  *      !br-cee82eb3092d  172.22.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.22.0.4           172.22.0.4           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.0.4           172.22.0.4           tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.5           172.30.1.5           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.249         172.30.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.6           172.30.1.6           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.250         172.30.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.250         172.30.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.250         172.30.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.250         172.30.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.250         172.30.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.250         172.30.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.8           172.30.1.8           tcp dpt:8443
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.8           172.30.1.8           tcp dpt:8080
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.253         172.30.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.253         172.30.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.30.1.253         172.30.1.253         tcp dpt:25

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-7fc9d34b15b9 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-cee82eb3092d *       0.0.0.0/0            0.0.0.0/0           
  114  6700 DNAT       tcp  --  !br-cee82eb3092d *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.0.4:443
   32  1816 DNAT       tcp  --  !br-cee82eb3092d *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.0.4:80
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.30.1.5:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.30.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.30.1.6:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.30.1.250:12345
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.30.1.250:4190
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.30.1.250:995
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.30.1.250:993
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.30.1.250:143
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.30.1.250:110
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8443 to:172.30.1.8:8443
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 to:172.30.1.8:8080
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.30.1.253:587
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.30.1.253:465
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.30.1.253:25

Logs of ip6tables -L -vn -t nat:

root@forge /home/vladoportos/mailcow-dockerized # ip6tables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

DNS check:

root@forge /home/vladoportos/mailcow-dockerized # docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @8.8.8.8
104.18.32.7
172.64.155.249

VladoPortos commented 3 weeks ago

After a bit of digging:

In netfilter/main.py:

  # Reinit MAILCOW chain
  # Is called before threads start, no locking
  logger.logInfo("Initializing mailcow netfilter chain")
  tables.initChainIPv4()
  tables.initChainIPv6()

There is no check whether IPv6 is even there; it goes straight to initialising IPv6 with tables.initChainIPv6():

  def initChainIPv6(self):
    if not iptc.Chain(iptc.Table6(iptc.Table6.FILTER), self.chain_name) in iptc.Table6(iptc.Table6.FILTER).chains:
      iptc.Table6(iptc.Table6.FILTER).create_chain(self.chain_name)
    for c in ['FORWARD', 'INPUT']:
      chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), c)
      rule = iptc.Rule6()
      rule.src = '::/0'
      rule.dst = '::/0'
      target = iptc.Target(rule, self.chain_name)
      rule.target = target
      if rule not in chain.rules:
        chain.insert_rule(rule)

The above part will fail if there is no IPv6.
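
A guarded form of that init sequence, added here as an example (not mailcow's own code) and covering both this comment and the DISABLE_IPV6 opt-out used in the quick-and-dirty fix later in the thread: it probes the kernel for IPv6 before touching ip6tables and treats the 'Address family not supported by protocol' failure from the traceback as "skip IPv6" instead of a crash. RecordingTables is a constructed stand-in for the IPTables backend; DISABLE_IPV6 is the name from the fix in this thread, every other name is this example's own.

```python
import errno
import os
import socket

# Substring of the libc message seen in the issue's traceback
# (iptc.IPTCError wraps it as b'Address family not supported by protocol').
EAFNOSUPPORT_TEXT = "Address family not supported by protocol"


def ipv6_available() -> bool:
    """Probe the kernel for IPv6 by opening an AF_INET6 socket.

    A kernel booted with ipv6.disable=1 (or a netns without the IPv6 module)
    refuses the socket with EAFNOSUPPORT, the same failure ip6tables hits.
    Caveat: sysctl net.ipv6.conf.*.disable_ipv6=1 alone still lets the socket
    open, so init_chains() additionally catches a late failure.
    """
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError as exc:
        if exc.errno == errno.EAFNOSUPPORT:
            return False
        raise
    sock.close()
    return True


def ipv6_disabled_by_env(env=None) -> bool:
    """Operator opt-out, same DISABLE_IPV6=y/yes convention as the quick fix in this thread."""
    env = os.environ if env is None else env
    return env.get("DISABLE_IPV6", "no").strip().lower() in ("y", "yes")


def should_manage_ipv6(env=None, probe=ipv6_available) -> bool:
    """Manage ip6tables only if the operator did not opt out AND the kernel has IPv6."""
    return not ipv6_disabled_by_env(env) and probe()


def is_eafnosupport(exc: BaseException) -> bool:
    """True for the 'address family not supported' failure, whether it arrives as an
    OSError with errno or as a library error carrying the libc text (e.g. IPTCError)."""
    if isinstance(exc, OSError) and exc.errno == errno.EAFNOSUPPORT:
        return True
    return EAFNOSUPPORT_TEXT in str(exc)


def init_chains(tables, env=None, probe=ipv6_available, log=print) -> dict:
    """Guarded replacement for the unconditional
    tables.initChainIPv4(); tables.initChainIPv6() sequence quoted above.

    IPv4 is always set up. IPv6 is set up only when wanted and possible, and if
    ip6tables still fails with EAFNOSUPPORT the error is logged and IPv6 skipped
    instead of crashing the container into a restart loop.
    Returns which address families ended up managed.
    """
    managed = {"ipv4": False, "ipv6": False}
    tables.initChainIPv4()
    managed["ipv4"] = True
    if not should_manage_ipv6(env, probe):
        log("IPv6 disabled or unsupported, skipping ip6tables chain")
        return managed
    try:
        tables.initChainIPv6()
        managed["ipv6"] = True
    except Exception as exc:
        if not is_eafnosupport(exc):
            raise  # anything else is a real error and should still surface
        log("ip6tables unavailable (%s), continuing IPv4-only" % exc)
    return managed


class RecordingTables:
    """Constructed stand-in for the IPTables/NFTables backend: records calls and
    can be told to fail the IPv6 step with a given exception."""

    def __init__(self, ipv6_error=None):
        self.calls = []
        self.ipv6_error = ipv6_error

    def initChainIPv4(self):
        self.calls.append("v4")

    def initChainIPv6(self):
        if self.ipv6_error is not None:
            raise self.ipv6_error
        self.calls.append("v6")


if __name__ == "__main__":
    # 1) operator opt-out via the environment
    t = RecordingTables()
    print(init_chains(t, env={"DISABLE_IPV6": "yes"}, probe=lambda: True), t.calls)
    # 2) kernel without IPv6, surfacing as the exact error text from the traceback
    err = RuntimeError("can't initialize filter: b'Address family not supported by protocol'")
    t = RecordingTables(ipv6_error=err)
    print(init_chains(t, env={}, probe=lambda: True), t.calls)
    # 3) what the live probe says on this host
    print("kernel IPv6:", ipv6_available())
```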

VladoPortos commented 3 weeks ago

Going further over the code, the IPv6 stuff is hardcoded left and right :(

VladoPortos commented 3 weeks ago

Quick and dirty fix. Edit data/Dockerfiles/netfilter/main.py and replace it with:

#!/usr/bin/env python3

import re
import os
import sys
import time
import atexit
import signal
import ipaddress
from collections import Counter
from random import randint
from threading import Thread
from threading import Lock
import redis
import json
import dns.resolver
import dns.exception
import uuid
from modules.Logger import Logger
from modules.IPTables import IPTables
from modules.NFTables import NFTables

# globals
WHITELIST = []
BLACKLIST= []
bans = {}
quit_now = False
exit_code = 0
lock = Lock()
chain_name = "MAILCOW"
r = None
pubsub = None
clear_before_quit = False
# Check if IPv6 should be disabled
disable_ipv6 = os.getenv('DISABLE_IPV6', 'no').lower() in ('y', 'yes')

def refreshF2boptions():
  global f2boptions
  global quit_now
  global exit_code

  f2boptions = {}

  if not r.get('F2B_OPTIONS'):
    f2boptions['ban_time'] = r.get('F2B_BAN_TIME')
    f2boptions['max_ban_time'] = r.get('F2B_MAX_BAN_TIME')
    f2boptions['ban_time_increment'] = r.get('F2B_BAN_TIME_INCREMENT')
    f2boptions['max_attempts'] = r.get('F2B_MAX_ATTEMPTS')
    f2boptions['retry_window'] = r.get('F2B_RETRY_WINDOW')
    f2boptions['netban_ipv4'] = r.get('F2B_NETBAN_IPV4')
    f2boptions['netban_ipv6'] = r.get('F2B_NETBAN_IPV6')
  else:
    try:
      f2boptions = json.loads(r.get('F2B_OPTIONS'))
    except ValueError:
      logger.logCrit('Error loading F2B options: F2B_OPTIONS is not json')
      quit_now = True
      exit_code = 2

  verifyF2boptions(f2boptions)
  r.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))

def verifyF2boptions(f2boptions):
  verifyF2boption(f2boptions,'ban_time', 1800)
  verifyF2boption(f2boptions,'max_ban_time', 10000)
  verifyF2boption(f2boptions,'ban_time_increment', True)
  verifyF2boption(f2boptions,'max_attempts', 10)
  verifyF2boption(f2boptions,'retry_window', 600)
  verifyF2boption(f2boptions,'netban_ipv4', 32)
  verifyF2boption(f2boptions,'netban_ipv6', 128)
  verifyF2boption(f2boptions,'banlist_id', str(uuid.uuid4()))
  verifyF2boption(f2boptions,'manage_external', 0)

def verifyF2boption(f2boptions, f2boption, f2bdefault):
  f2boptions[f2boption] = f2boptions[f2boption] if f2boption in f2boptions and f2boptions[f2boption] is not None else f2bdefault

def refreshF2bregex():
  global f2bregex
  global quit_now
  global exit_code
  if not r.get('F2B_REGEX'):
    f2bregex = {}
    f2bregex[1] = 'mailcow UI: Invalid password for .+ by ([0-9a-f\.:]+)'
    f2bregex[2] = 'Rspamd UI: Invalid password by ([0-9a-f\.:]+)'
    f2bregex[3] = 'warning: .*\[([0-9a-f\.:]+)\]: SASL .+ authentication failed: (?!.*Connection lost to authentication server).+'
    f2bregex[4] = 'warning: non-SMTP command from .*\[([0-9a-f\.:]+)]:.+'
    f2bregex[5] = 'NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)].+Protocol error.+'
    f2bregex[6] = '-login: Disconnected.+ \(auth failed, .+\): user=.*, method=.+, rip=([0-9a-f\.:]+),'
    f2bregex[7] = '-login: Aborted login.+ \(auth failed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
    f2bregex[8] = '-login: Aborted login.+ \(tried to use disallowed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
    f2bregex[9] = 'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
    f2bregex[10] = '([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
    r.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
  else:
    try:
      f2bregex = {}
      f2bregex = json.loads(r.get('F2B_REGEX'))
    except ValueError:
      logger.logCrit('Error loading F2B options: F2B_REGEX is not json')
      quit_now = True
      exit_code = 2

def get_ip(address):
  ip = ipaddress.ip_address(address)
  if type(ip) is ipaddress.IPv6Address and ip.ipv4_mapped:
    ip = ip.ipv4_mapped
  if ip.is_private or ip.is_loopback:
    return False

  return ip

def ban(address):
  global f2boptions
  global lock

  refreshF2boptions()
  MAX_ATTEMPTS = int(f2boptions['max_attempts'])
  RETRY_WINDOW = int(f2boptions['retry_window'])
  NETBAN_IPV4 = '/' + str(f2boptions['netban_ipv4'])
  NETBAN_IPV6 = '/' + str(f2boptions['netban_ipv6'])

  ip = get_ip(address)
  if not ip: return
  address = str(ip)
  self_network = ipaddress.ip_network(address)

  with lock:
    temp_whitelist = set(WHITELIST)
  if temp_whitelist:
    for wl_key in temp_whitelist:
      wl_net = ipaddress.ip_network(wl_key, False)
      if wl_net.overlaps(self_network):
        logger.logInfo('Address %s is whitelisted by rule %s' % (self_network, wl_net))
        return

  net = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)
  net = str(net)

  if not net in bans:
    bans[net] = {'attempts': 0, 'last_attempt': 0, 'ban_counter': 0}

  current_attempt = time.time()
  if current_attempt - bans[net]['last_attempt'] > RETRY_WINDOW:
    bans[net]['attempts'] = 0

  bans[net]['attempts'] += 1
  bans[net]['last_attempt'] = current_attempt

  if bans[net]['attempts'] >= MAX_ATTEMPTS:
    cur_time = int(round(time.time()))
    NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])
    logger.logCrit('Banning %s for %d minutes' % (net, NET_BAN_TIME / 60 ))
    if type(ip) is ipaddress.IPv4Address and int(f2boptions['manage_external']) != 1:
      with lock:
        tables.banIPv4(net)
    elif not disable_ipv6 and int(f2boptions['manage_external']) != 1:
      with lock:
        tables.banIPv6(net)

    r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
  else:
    logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))

def unban(net):
  global lock

  if not net in bans:
    logger.logInfo('%s is not banned, skipping unban and deleting from queue (if any)' % net)
    r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
    return

  logger.logInfo('Unbanning %s' % net)
  if type(ipaddress.ip_network(net)) is ipaddress.IPv4Network:
    with lock:
      tables.unbanIPv4(net)
  elif not disable_ipv6:
    # Only touch ip6tables when IPv6 is enabled; Table6 cannot be opened otherwise
    with lock:
      tables.unbanIPv6(net)

  r.hdel('F2B_ACTIVE_BANS', '%s' % net)
  r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
  if net in bans:
    bans[net]['attempts'] = 0
    bans[net]['ban_counter'] += 1

def permBan(net, unban=False):
  global f2boptions
  global lock

  is_unbanned = False
  is_banned = False
  if type(ipaddress.ip_network(net, strict=False)) is ipaddress.IPv4Network:
    with lock:
      if unban:
        is_unbanned = tables.unbanIPv4(net)
      elif int(f2boptions['manage_external']) != 1:
        is_banned = tables.banIPv4(net)
  elif not disable_ipv6:
    # Skip ip6tables for IPv6 blacklist entries when IPv6 is disabled
    with lock:
      if unban:
        is_unbanned = tables.unbanIPv6(net)
      elif int(f2boptions['manage_external']) != 1:
        is_banned = tables.banIPv6(net)

  if is_unbanned:
    r.hdel('F2B_PERM_BANS', '%s' % net)
    logger.logCrit('Removed host/network %s from blacklist' % net)
  elif is_banned:
    r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
    logger.logCrit('Added host/network %s to blacklist' % net)

def clear():
  global lock
  logger.logInfo('Clearing all bans')
  for net in bans.copy():
    unban(net)
  with lock:
    tables.clearIPv4Table()
    if not disable_ipv6:
      tables.clearIPv6Table()
    try:
      if r is not None:
        r.delete('F2B_ACTIVE_BANS')
        r.delete('F2B_PERM_BANS')
    except Exception as ex:
      logger.logWarn('Error clearing redis keys F2B_ACTIVE_BANS and F2B_PERM_BANS: %s' % ex)

def watch():
  global pubsub
  global quit_now
  global exit_code

  logger.logInfo('Watching Redis channel F2B_CHANNEL')
  pubsub.subscribe('F2B_CHANNEL')

  while not quit_now:
    try:
      for item in pubsub.listen():
        refreshF2bregex()
        for rule_id, rule_regex in f2bregex.items():
          if item['data'] and item['type'] == 'message':
            try:
              result = re.search(rule_regex, item['data'])
            except re.error:
              result = False
            if result:
              addr = result.group(1)
              ip = ipaddress.ip_address(addr)
              if ip.is_private or ip.is_loopback:
                continue
              logger.logWarn('%s matched rule id %s (%s)' % (addr, rule_id, item['data']))
              ban(addr)
    except Exception as ex:
      logger.logWarn('Error reading log line from pubsub: %s' % ex)
      pubsub = None
      quit_now = True
      exit_code = 2

def snat4(snat_target):
  global lock
  global quit_now

  while not quit_now:
    time.sleep(10)
    with lock:
      tables.snat4(snat_target, os.getenv('IPV4_NETWORK', '172.22.1') + '.0/24')

def snat6(snat_target):
  global lock
  global quit_now

  while not quit_now:
    time.sleep(10)
    with lock:
      tables.snat6(snat_target, os.getenv('IPV6_NETWORK', 'fd4d:6169:6c63:6f77::/64'))

def autopurge():
  global f2boptions

  while not quit_now:
    time.sleep(10)
    refreshF2boptions()
    MAX_ATTEMPTS = int(f2boptions['max_attempts'])
    QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')
    if QUEUE_UNBAN:
      for net in QUEUE_UNBAN:
        unban(str(net))
    for net in bans.copy():
      if bans[net]['attempts'] >= MAX_ATTEMPTS:
        NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])
        TIME_SINCE_LAST_ATTEMPT = time.time() - bans[net]['last_attempt']
        if TIME_SINCE_LAST_ATTEMPT > NET_BAN_TIME:
          unban(net)

def mailcowChainOrder():
  global lock
  global quit_now
  global exit_code
  while not quit_now:
    time.sleep(10)
    with lock:
      quit_now, exit_code = tables.checkIPv4ChainOrder()
      if quit_now: return
      if not disable_ipv6:
        quit_now, exit_code = tables.checkIPv6ChainOrder()

def calcNetBanTime(ban_counter):
  global f2boptions

  BAN_TIME = int(f2boptions['ban_time'])
  MAX_BAN_TIME = int(f2boptions['max_ban_time'])
  BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
  NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** ban_counter
  NET_BAN_TIME = max([BAN_TIME, min([NET_BAN_TIME, MAX_BAN_TIME])])
  return NET_BAN_TIME

def isIpNetwork(address):
  try:
    ipaddress.ip_network(address, False)
  except ValueError:
    return False
  return True

def genNetworkList(list):
  resolver = dns.resolver.Resolver()
  hostnames = []
  networks = []
  for key in list:
    if isIpNetwork(key):
      networks.append(key)
    else:
      hostnames.append(key)
  for hostname in hostnames:
    hostname_ips = []
    for rdtype in ['A', 'AAAA']:
      try:
        answer = resolver.resolve(qname=hostname, rdtype=rdtype, lifetime=3)
      except dns.exception.Timeout:
        logger.logInfo('Hostname %s timedout on resolve' % hostname)
        break
      except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        continue
      except dns.exception.DNSException as dnsexception:
        logger.logInfo('%s' % dnsexception)
        continue
      for rdata in answer:
        hostname_ips.append(rdata.to_text())
    networks.extend(hostname_ips)
  return set(networks)

def whitelistUpdate():
  global lock
  global quit_now
  global WHITELIST
  while not quit_now:
    start_time = time.time()
    list = r.hgetall('F2B_WHITELIST')
    new_whitelist = []
    if list:
      new_whitelist = genNetworkList(list)
    with lock:
      if Counter(new_whitelist) != Counter(WHITELIST):
        WHITELIST = new_whitelist
        logger.logInfo('Whitelist was changed, it has %s entries' % len(WHITELIST))
    time.sleep(60.0 - ((time.time() - start_time) % 60.0))

def blacklistUpdate():
  global quit_now
  global BLACKLIST
  while not quit_now:
    start_time = time.time()
    list = r.hgetall('F2B_BLACKLIST')
    new_blacklist = []
    if list:
      new_blacklist = genNetworkList(list)
    if Counter(new_blacklist) != Counter(BLACKLIST):
      addban = set(new_blacklist).difference(BLACKLIST)
      delban = set(BLACKLIST).difference(new_blacklist)
      BLACKLIST = new_blacklist
      logger.logInfo('Blacklist was changed, it has %s entries' % len(BLACKLIST))
      if addban:
        for net in addban:
          permBan(net=net)
      if delban:
        for net in delban:
          permBan(net=net, unban=True)
    time.sleep(60.0 - ((time.time() - start_time) % 60.0))

def sigterm_quit(signum, frame):
  global clear_before_quit
  clear_before_quit = True
  sys.exit(exit_code)

def berfore_quit():
  if clear_before_quit:
    clear()
  if pubsub is not None:
    pubsub.unsubscribe()

if __name__ == '__main__':
  atexit.register(berfore_quit)
  signal.signal(signal.SIGTERM, sigterm_quit)

  # init Logger
  logger = Logger()

  # init backend
  backend = sys.argv[1]
  if backend == "nftables":
    logger.logInfo('Using NFTables backend')
    tables = NFTables(chain_name, logger)
  else:
    logger.logInfo('Using IPTables backend')
    tables = IPTables(chain_name, logger)

  # In case a previous session was killed without cleanup
  clear()

  # Reinit MAILCOW chain
  # Is called before threads start, no locking
  logger.logInfo("Initializing mailcow netfilter chain")
  tables.initChainIPv4()

  if not disable_ipv6:
    tables.initChainIPv6()

  if os.getenv("DISABLE_NETFILTER_ISOLATION_RULE").lower() in ("y", "yes"):
    logger.logInfo(f"Skipping {chain_name} isolation")
  else:
    logger.logInfo(f"Setting {chain_name} isolation")
    tables.create_mailcow_isolation_rule("br-mailcow", [3306, 6379, 8983, 12345], os.getenv("MAILCOW_REPLICA_IP"))

  # connect to redis
  while True:
    try:
      redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
      redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
      if "".__eq__(redis_slaveof_ip):
        r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0)
      else:
        r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0)
      r.ping()
      pubsub = r.pubsub()
    except Exception as ex:
      print('%s - trying again in 3 seconds'  % (ex))
      time.sleep(3)
    else:
      break
  logger.set_redis(r)

  # rename fail2ban to netfilter
  if r.exists('F2B_LOG'):
    r.rename('F2B_LOG', 'NETFILTER_LOG')
  # clear bans in redis
  r.delete('F2B_ACTIVE_BANS')
  r.delete('F2B_PERM_BANS')

  refreshF2boptions()

  watch_thread = Thread(target=watch)
  watch_thread.daemon = True
  watch_thread.start()

  if os.getenv('SNAT_TO_SOURCE') and os.getenv('SNAT_TO_SOURCE') != 'n':
    try:
      snat_ip = os.getenv('SNAT_TO_SOURCE')
      snat_ipo = ipaddress.ip_address(snat_ip)
      if type(snat_ipo) is ipaddress.IPv4Address:
        snat4_thread = Thread(target=snat4,args=(snat_ip,))
        snat4_thread.daemon = True
        snat4_thread.start()
    except ValueError:
      print(os.getenv('SNAT_TO_SOURCE') + ' is not a valid IPv4 address')

  if not disable_ipv6:
    if os.getenv('SNAT6_TO_SOURCE') and os.getenv('SNAT6_TO_SOURCE') != 'n':
      try:
        snat_ip = os.getenv('SNAT6_TO_SOURCE')
        snat_ipo = ipaddress.ip_address(snat_ip)
        if type(snat_ipo) is ipaddress.IPv6Address:
          snat6_thread = Thread(target=snat6,args=(snat_ip,))
          snat6_thread.daemon = True
          snat6_thread.start()
      except ValueError:
        print(os.getenv('SNAT6_TO_SOURCE') + ' is not a valid IPv6 address')

  autopurge_thread = Thread(target=autopurge)
  autopurge_thread.daemon = True
  autopurge_thread.start()

  mailcowchainwatch_thread = Thread(target=mailcowChainOrder)
  mailcowchainwatch_thread.daemon = True
  mailcowchainwatch_thread.start()

  blacklistupdate_thread = Thread(target=blacklistUpdate)
  blacklistupdate_thread.daemon = True
  blacklistupdate_thread.start()

  whitelistupdate_thread = Thread(target=whitelistUpdate)
  whitelistupdate_thread.daemon = True
  whitelistupdate_thread.start()

  while not quit_now:
    time.sleep(0.5)

  sys.exit(exit_code)

In docker-compose.yml, change the netfilter-mailcow part a little to:

   netfilter-mailcow:
      #image: mailcow/netfilter:1.58
      build: ./data/Dockerfiles/netfilter
      stop_grace_period: 30s
      restart: always
      dns:
        - 8.8.8.8
      privileged: true
      environment:
        - TZ=${TZ}
        - DISABLE_IPV6=y
        - IPV4_NETWORK=${IPV4_NETWORK:-172.30.1}
        - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
        - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
        - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
        - MAILCOW_REPLICA_IP=${MAILCOW_REPLICA_IP:-}
        - DISABLE_NETFILTER_ISOLATION_RULE=${DISABLE_NETFILTER_ISOLATION_RULE:-n}
      network_mode: "host"
      volumes:
        - /lib/modules:/lib/modules:ro

docker compose up --build --force-recreate
docker compose up -d

kovacs-andras commented 3 weeks ago

I did the same and the netfilter container is up for 4 weeks. Did you double-check this? https://docs.mailcow.email/post_installation/firststeps-disable_ipv6/

VladoPortos commented 3 weeks ago

@kovacs-andras yes, I have disabled everything as mentioned in https://docs.mailcow.email/post_installation/firststeps-disable_ipv6/

But also, yes, I have no IPv6 on the server (on purpose); it is disabled in grub, there is no need for IPv6 for me.

VladoPortos commented 3 weeks ago

Oh man, this is hardcoded in the backup script as well....

For anybody who is reading this, remove "--sysctl net.ipv6.conf.all.disable_ipv6=1" from this part of the backup script:

    mysql|all)
      SQLIMAGE=$(grep -iEo '(mysql|mariadb)\:.+' ${COMPOSE_FILE})
      if [[ -z "${SQLIMAGE}" ]]; then
        echo "Could not determine SQL image version, skipping backup..."
        shift
        continue
      else
        echo "Using SQL image ${SQLIMAGE}, starting..."
        docker run --name mailcow-backup --rm \
          --network $(docker network ls -qf name=^${CMPS_PRJ}_mailcow-network$) \
          -v $(docker volume ls -qf name=^${CMPS_PRJ}_mysql-vol-1$):/var/lib/mysql/:ro,z \
          -t --entrypoint= \
          --sysctl net.ipv6.conf.all.disable_ipv6=1 \
          -v ${BACKUP_LOCATION}/mailcow-${DATE}:/backup:z \
          ${SQLIMAGE} /bin/sh -c "mariabackup --host mysql --user root --password ${DBROOT} --backup --rsync --target-dir=/backup_mariadb ; \
          mariabackup --prepare --target-dir=/backup_mariadb ; \
          chown -R 999:999 /backup_mariadb ; \
          /bin/tar --warning='no-file-ignored' --use-compress-program='gzip --rsyncable' -Pcvpf /backup/backup_mariadb.tar.gz /backup_mariadb ;"
      fi