mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0
8.71k stars 1.17k forks

Mailcow on Home Server while using a vps and vpn to proxy email and gui ports #5982

Closed awptechnologies closed 1 month ago

awptechnologies commented 1 month ago

Contribution guidelines

I've found a bug and checked that ...

Description

I have mailcow set up on a host at my home. My ISP doesn't allow me to open port 25. Because of this, I use a VPS to have a static public IP and open port 25. I use HAProxy to proxy the incoming ports to my email server through a WireGuard VPN. The HAProxy on my VPS has HTTPS support since I use it for my business website, which uses the same domain. The website is set up the same way. My domain points to the VPS IP and then HAProxy proxies through my VPN to my home server that is hosting my WordPress. My problem after setting up mailcow is the nginx proxy. No matter what, I get 403 Forbidden with my IP from my VPS VPN interface. How do I force nginx to accept connections from this address? I know it's because it's not contacting the server through the domain, but I know there is a way to allow it.

Logs:

The logs I had were deleted after I shut down the mailcow containers and removed it out of frustration. I can redo it all and get logs, but as stated above, the nginx container had the error of 403 Forbidden. All other containers in the mailcow stack were good, no errors.

Steps to reproduce:

Cloned mailcow-dockerized
Ran generate config
Used my domain for my VPS server
Corrected ports to correspond to my TCP proxy on the VPS
After going to the domain, I never get a chance to log into the GUI, as I get 403 Forbidden.

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Debian 12

Server/VM specifications:

15GB 14 cores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

Proxmox

Docker version:

Docker version 27.1.1, build 6312585

docker-compose version or docker compose version:

Docker Compose version v2.29.1

mailcow version:

2024-07

Reverse proxy:

Haproxy

Logs of git diff:

Nothing

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                                                                                                                                                                                                       

Chain FORWARD (policy DROP 0 packets, 0 bytes)                                                                                                                                                                                                                                                                                                        
 pkts bytes target     prot opt in     out     source               destination                                                                                                                                                                                                                                                                       
70225   64M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                                       
70225   64M DOCKER-INGRESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                                    
  274 17440 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                          
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED                                                                                                                                                                                                                                 
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                                        
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                                      
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                                       
   80  5636 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED                                                                                                                                                                                                                         
   68  4080 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                                
  126  7724 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                      
    0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                       

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)                                                                                                                                                                                                                                                                                                       
 pkts bytes target     prot opt in     out     source               destination                                                                                                                                                                                                                                                                       

Chain DOCKER (2 references)                                                                                                                                                                                                                                                                                                                           
 pkts bytes target     prot opt in     out     source               destination                                                                                                                                                                                                                                                                       
    0     0 ACCEPT     tcp  --  !docker_gwbridge docker_gwbridge  0.0.0.0/0            172.18.0.3           tcp dpt:80                                                                                                                                                                                                                                
   68  4080 ACCEPT     tcp  --  !docker_gwbridge docker_gwbridge  0.0.0.0/0            172.18.0.4           tcp dpt:80                                                                                                                                                                                                                                
    0     0 ACCEPT     tcp  --  !docker_gwbridge docker_gwbridge  0.0.0.0/0            172.18.0.5           tcp dpt:80

Logs of ip6tables -L -vn:

ipv6 disabled

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 34489 packets, 6089K bytes)                                                                                                                                                                                                                                                                                           
 pkts bytes target     prot opt in     out     source               destination                                                                                                                                                                                                                                                                       
10353  869K DOCKER-INGRESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL                                                                                                                                                                                                                           
10355  870K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL                                                                                                                                                                                                                                

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)                                                                                                                                                                                                                                                                                                        
 pkts bytes target     prot opt in     out     source               destination                                                                                                                                                                                                                                                                       

Chain OUTPUT (policy ACCEPT 8568 packets, 747K bytes)                                                                                                                                                                                                                                                                                                 
 pkts bytes target     prot opt in     out     source               destination                                                                                                                                                                                                                                                                       
   63  3780 DOCKER-INGRESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL                                                                                                                                                                                                                           
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL                                                                                                                                                                                                                                

Chain POSTROUTING (policy ACCEPT 9323 packets, 793K bytes)                                                                                                                                                                                                                                                                                            
 pkts bytes target     prot opt in     out     source               destination                                                                                                                                                                                                                                                                       
    0     0 MASQUERADE  all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL                                                                                                                                                                                                                      
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0                                                                                                                                                                                                                                                                      
   84  5204 MASQUERADE  all  --  *      !docker_gwbridge  172.18.0.0/16        0.0.0.0/0                                                                                                                                                                                                                                                              
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.3           172.18.0.3           tcp dpt:80                                                                                                                                                                                                                                                  
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.4           172.18.0.4           tcp dpt:80                                                                                                                                                                                                                                                  
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.5           172.18.0.5           tcp dpt:80                                                                                                                                                                                                                                                  

Chain DOCKER (2 references)                                                                                                                                                                                                                                                                                                                           
 pkts bytes target     prot opt in     out     source               destination                                                                                                                                                                                                                                                                       
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                                        
    0     0 RETURN     all  --  docker_gwbridge *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                                                                                                                                
  468 28080 DNAT       tcp  --  !docker_gwbridge *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8050 to:172.18.0.3:80                                                                                                                                                                                                                      
  276 16560 DNAT       tcp  --  !docker_gwbridge *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8060 to:172.18.0.4:80                                                                                                                                                                                                                      
    0     0 DNAT       tcp  --  !docker_gwbridge *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8055 to:172.18.0.5:80

Logs of ip6tables -L -vn -t nat:

ipv6 disabled

DNS check:

Not running containers until I find out if my config is possible

milkmaker commented 1 month ago

THIS IS AN AUTOMATED MESSAGE!

It seems your issue is not a bug. Therefore we highly advise you to get support!

You can get support either by:

This issue will be closed. If you think your reported issue is not a support case, feel free to comment above, and if so the issue will be reopened.