mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Postfix: bad numerical configuration after 2024-11 (or earlier) #6143

Closed cyberdust2k closed 19 hours ago

cyberdust2k commented 23 hours ago

Description

After upgrading to Mailcow 2024-11 and trying to send a mail reminder, postfix seems to crash indefinitely. This is persistent after a restart of the full container stack.

Logs:

postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/postscreen[361]: CONNECT from [172.22.1.8]:51228 to [172.22.1.253]:25
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/postscreen[361]: ALLOWLISTED [172.22.1.8]:51228
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: connect from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: warning: connect to Milter service inet:rspamd:9900: Connection refused
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: NOQUEUE: milter-reject: CONNECT from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: NOQUEUE: milter-reject: EHLO from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<mail.example.com>
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: warning: non-SMTP command from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]: \026\003\001\001&\001\000\001"\003\003\320\357k$\306\005\006u\302G\267\344A\b\254\023\260f\345oc\334
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: disconnect from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8] ehlo=1 starttls=0/1 unknown=0/1 commands=1/3
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/postscreen[361]: CONNECT from [172.22.1.8]:51234 to [172.22.1.253]:25
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/postscreen[361]: ALLOWLISTED [172.22.1.8]:51234
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: connect from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: warning: connect to Milter service inet:rspamd:9900: Connection refused
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: NOQUEUE: milter-reject: CONNECT from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: NOQUEUE: milter-reject: EHLO from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<mail.example.com>
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: warning: non-SMTP command from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]: \026\003\001\001&\001\000\001"\003\003h\3430\307+\027@\027\264\323\177\314\366\037\v\225u\373\300\23
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: disconnect from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8] ehlo=1 starttls=0/1 unknown=0/1 commands=1/3
postfix-mailcow-1  | Nov  7 12:29:41 a321679273f8 postfix/sogo/smtpd[379]: connect from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248]
postfix-mailcow-1  | Nov  7 12:29:41 a321679273f8 postfix/sogo/smtpd[379]: 6BEFEE4983: client=mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248], sasl_method=PLAIN, sasl_username=rzjzlf8k2hls1szd@mailcow.local
postfix-mailcow-1  | Nov  7 12:29:41 a321679273f8 postfix/cleanup[381]: 6BEFEE4983: replace: header Received: from 5460ba3f6fc0 (mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network [172.22.1.248])??(Authenticated sender: rzjzlf8k2hls1szd@mailcow.local)??by mail.cyberdust-net.de (Postc from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248]; from=<dustinstratmann@cyberdust-net.de> to=<dustinstratmann@cyberdust-net.de> proto=ESMTP helo=<5460ba3f6fc0>: Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPA id 6BEFEE4983??for <dustinstratmann@cyberdust-net.de>; Thu,  7 Nov 2024 12:29:41 +0100 (CET)
postfix-mailcow-1  | Nov  7 12:29:41 a321679273f8 postfix/cleanup[381]: 6BEFEE4983: message-id=<a7-672ca4a5-1-610ca07a@189699689>
postfix-mailcow-1  | Nov  7 12:29:42 a321679273f8 postfix/qmgr[357]: 6BEFEE4983: from=<dustinstratmann@cyberdust-net.de>, size=2050, nrcpt=1 (queue active)
postfix-mailcow-1  | Nov  7 12:29:42 a321679273f8 postfix/sogo/smtpd[379]: disconnect from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
postfix-mailcow-1  | Nov  7 12:29:42 a321679273f8 postfix/qmgr[357]: fatal: bad numerical configuration: lmtp_destination_recipient_limit = 1    postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2      hostkarma.junkemailfilter.com=127.0.0.1*-2      list.dnswl.org=127.0.[0..255].0*-2      list.dnswl.org=127.0.[0..255].1*-4      list.dnswl.org=127.0.[0..255].2*-6      list.dnswl.org=127.0.[0..255].3*-8      ix.dnsbl.manitu.net*2      bl.spamcop.net*2      bl.suomispam.net*2      hostkarma.junkemailfilter.com=127.0.0.2*3      hostkarma.junkemailfilter.com=127.0.0.4*2      hostkarma.junkemailfilter.com=127.0.1.2*1      backscatter.spameatingmonkey.net*2      bl.ipv6.spameatingmonkey.net*2      bl.spameatingmonkey.net*2      b.barracudacentral.org=127.0.0.2*7      bl.mailspike.net=127.0.0.2*5      bl.mailspike.net=127.0.0.[10;11;12]*4      dnsbl.sorbs.net=127.0.0.10*8      dnsbl.sorbs.net=127.0.0.5*6      dnsbl.sorbs.net=127.0.0.7*3      dnsbl.sorbs.net=127.0.0.8*2      dnsbl.sorbs.net=127.0.0.6*2      dnsbl.sorbs.net=127.0.0.9*2      zen.spamhaus.org=127.0.0.[10;11]*8      zen.spamhaus.org=127.0.0.[4..7]*6      zen.spamhaus.org=127.0.0.3*4      zen.spamhaus.org=127.0.0.2*3  zen.spamhaus.org=127.0.0.[10;11]*8  zen.spamhaus.org=127.0.0.[4..7]*6  zen.spamhaus.org=127.0.0.3*4  zen.spamhaus.org=127.0.0.2*3
postfix-mailcow-1  | Nov  7 12:29:43 a321679273f8 postfix/master[355]: warning: process /usr/lib/postfix/sbin/qmgr pid 357 exit status 1
postfix-mailcow-1  | Nov  7 12:30:43 a321679273f8 postfix/qmgr[386]: 6BEFEE4983: from=<dustinstratmann@cyberdust-net.de>, size=2050, nrcpt=1 (queue active)
postfix-mailcow-1  | Nov  7 12:30:43 a321679273f8 postfix/qmgr[386]: fatal: bad numerical configuration: lmtp_destination_recipient_limit = 1    postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2      hostkarma.junkemailfilter.com=127.0.0.1*-2      list.dnswl.org=127.0.[0..255].0*-2      list.dnswl.org=127.0.[0..255].1*-4      list.dnswl.org=127.0.[0..255].2*-6      list.dnswl.org=127.0.[0..255].3*-8      ix.dnsbl.manitu.net*2      bl.spamcop.net*2      bl.suomispam.net*2      hostkarma.junkemailfilter.com=127.0.0.2*3      hostkarma.junkemailfilter.com=127.0.0.4*2      hostkarma.junkemailfilter.com=127.0.1.2*1      backscatter.spameatingmonkey.net*2      bl.ipv6.spameatingmonkey.net*2      bl.spameatingmonkey.net*2      b.barracudacentral.org=127.0.0.2*7      bl.mailspike.net=127.0.0.2*5      bl.mailspike.net=127.0.0.[10;11;12]*4      dnsbl.sorbs.net=127.0.0.10*8      dnsbl.sorbs.net=127.0.0.5*6      dnsbl.sorbs.net=127.0.0.7*3      dnsbl.sorbs.net=127.0.0.8*2      dnsbl.sorbs.net=127.0.0.6*2      dnsbl.sorbs.net=127.0.0.9*2      zen.spamhaus.org=127.0.0.[10;11]*8      zen.spamhaus.org=127.0.0.[4..7]*6      zen.spamhaus.org=127.0.0.3*4      zen.spamhaus.org=127.0.0.2*3  zen.spamhaus.org=127.0.0.[10;11]*8  zen.spamhaus.org=127.0.0.[4..7]*6  zen.spamhaus.org=127.0.0.3*4  zen.spamhaus.org=127.0.0.2*3
postfix-mailcow-1  | Nov  7 12:30:44 a321679273f8 postfix/master[355]: warning: process /usr/lib/postfix/sbin/qmgr pid 386 exit status 1
postfix-mailcow-1  | Nov  7 12:30:44 a321679273f8 postfix/master[355]: warning: /usr/lib/postfix/sbin/qmgr: bad command startup -- throttling

Steps to reproduce:

1. Set an appointment in the calendar with SOGo.
2. Set a reminder for any amount of time, and select "Send as Mail".
3. Wait for the reminder window to arrive.

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Ubuntu 22.04 LTS

Server/VM specifications:

8GB RAM 4 vCores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

27.3.1

docker-compose version or docker compose version:

2.29.7

mailcow version:

2024-11

Reverse proxy:

not applicable

Logs of git diff:

diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 6721204c..398f0b7a 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -175,3 +175,41 @@ lmtp_destination_recipient_limit=1

 # DO NOT EDIT ANYTHING BELOW #
 # Overrides #
+
+    # Autogenerated by mailcow
+    postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+      hostkarma.junkemailfilter.com=127.0.0.1*-2
+      list.dnswl.org=127.0.[0..255].0*-2
+      list.dnswl.org=127.0.[0..255].1*-4
+      list.dnswl.org=127.0.[0..255].2*-6
+      list.dnswl.org=127.0.[0..255].3*-8
+      ix.dnsbl.manitu.net*2
+      bl.spamcop.net*2
+      bl.suomispam.net*2
+      hostkarma.junkemailfilter.com=127.0.0.2*3
+      hostkarma.junkemailfilter.com=127.0.0.4*2
+      hostkarma.junkemailfilter.com=127.0.1.2*1
+      backscatter.spameatingmonkey.net*2
+      bl.ipv6.spameatingmonkey.net*2
+      bl.spameatingmonkey.net*2
+      b.barracudacentral.org=127.0.0.2*7
+      bl.mailspike.net=127.0.0.2*5
+      bl.mailspike.net=127.0.0.[10;11;12]*4
+      dnsbl.sorbs.net=127.0.0.10*8
+      dnsbl.sorbs.net=127.0.0.5*6
+      dnsbl.sorbs.net=127.0.0.7*3
+      dnsbl.sorbs.net=127.0.0.8*2
+      dnsbl.sorbs.net=127.0.0.6*2
+      dnsbl.sorbs.net=127.0.0.9*2
+      zen.spamhaus.org=127.0.0.[10;11]*8
+      zen.spamhaus.org=127.0.0.[4..7]*6
+      zen.spamhaus.org=127.0.0.3*4
+      zen.spamhaus.org=127.0.0.2*3
+  zen.spamhaus.org=127.0.0.[10;11]*8
+  zen.spamhaus.org=127.0.0.[4..7]*6
+  zen.spamhaus.org=127.0.0.3*4
+  zen.spamhaus.org=127.0.0.2*3
+
+# User Overrides
+myhostname = mail.cyberdust-net.de
+
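
Review bot: The added `postscreen_dnsbl_sites = ...` line under `# Overrides #` begins with four spaces, and Postfix reads any main.cf line that starts with whitespace as a continuation of the previous logical line, skipping the comment and blank lines in between. The whole list is therefore appended to `lmtp_destination_recipient_limit=1` (the setting shown in the hunk header), which is exactly the value qmgr rejects in the log above: `bad numerical configuration: lmtp_destination_recipient_limit = 1    postscreen_dnsbl_sites = ...`. Write `# Autogenerated by mailcow` and `postscreen_dnsbl_sites =` starting in column 1 and indent only the continuation entries. The four `zen.spamhaus.org` entries also appear a second time with two-space indentation, which looks like a second append; the generator should replace the existing block instead of adding to it.
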
diff --git a/data/web/robots.txt b/data/web/robots.txt
index 1f53798b..75fc1a14 100644
--- a/data/web/robots.txt
+++ b/data/web/robots.txt
@@ -1,2 +1,3 @@
-User-agent: *
+user-agent: *
+Allow: /$
 Disallow: /
diff --git a/docker-compose.yml b/docker-compose.yml
index c462ba88..1a330f2c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -614,36 +614,6 @@ services:
           aliases:
             - ofelia

-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge
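
Review bot: Removing `ipv6nat-mailcow` leaves nothing in this hunk that takes over the IPv6 NAT the `robbertkl/ipv6nat` image provided, so the change should say what handles IPv6 for the mailcow network now. The removed service ran with `privileged: true`, `network_mode: "host"` and a mount of `/var/run/docker.sock`, so the upgrade should also make sure no container from the old definition keeps running, for example with `docker compose up -d --remove-orphans`.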

Logs of iptables -L -vn:

Chain INPUT (policy DROP 215K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
 4815  860K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
10005  646K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 208
4175K 1996M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4175K 1996M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 217K   11M ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 215K   11M ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 215K   11M ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 215K   11M ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2576 1225K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
 2576 1225K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2576 1225K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1154 1050K ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   39  1708 DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
 1383  173K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 80 packets, 3944 bytes)
 pkts bytes target     prot opt in     out     source               destination
3874K   16G ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3874K   16G ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 6327  500K ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 6327  500K ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 6327  500K ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 6327  500K ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    5   292 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    3   156 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
   30  1200 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.13          tcp dpt:80
    1    60 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.13          tcp dpt:443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1383  173K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  11M 5470M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
6004K 1259M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  11M 5470M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  148 11544 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    4   112 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
  213  9312 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
 1656 83924 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    6   168 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    4   112 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
   21  2982 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 111K 5565K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3934K 1983M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2790  137K ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 2790  137K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
20730 1289K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
 217K   11M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
 217K   11M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
3868K   16G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 6327  500K ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2677  132K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
   58  2492 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
 217K   11M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
   21  2982 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
 2052  108K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  195 11700 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 6052  485K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   37  6408 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
   36  2572 ACCEPT     tcp  --  *      *       10.69.69.2           0.0.0.0/0            tcp dpt:208
    0     0 ACCEPT     udp  --  *      *       10.69.69.2           0.0.0.0/0            udp dpt:208
    4   220 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,80,443,465,993,995,4190

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of ip6tables -L -vn:

Chain INPUT (policy DROP 7695 packets, 512K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2236  403K MAILCOW    all      *      *       ::/0                 ::/0                 /* mailcow */
9301K 1936M ufw6-before-logging-input  all      *      *       ::/0                 ::/0
9301K 1936M ufw6-before-input  all      *      *       ::/0                 ::/0
 7744  515K ufw6-after-input  all      *      *       ::/0                 ::/0
 7695  512K ufw6-after-logging-input  all      *      *       ::/0                 ::/0
 7695  512K ufw6-reject-input  all      *      *       ::/0                 ::/0
 7695  512K ufw6-track-input  all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  420  118K MAILCOW    all      *      *       ::/0                 ::/0                 /* mailcow */
  420  118K DOCKER-USER  all      *      *       ::/0                 ::/0
  420  118K DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0
  205 97875 ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      br-mailcow  ::/0                 ::/0
  215 20489 ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0
    0     0 ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0
    0     0 ACCEPT     all      *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 !docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 docker0  ::/0                 ::/0
    0     0 ufw6-before-logging-forward  all      *      *       ::/0                 ::/0
    0     0 ufw6-before-forward  all      *      *       ::/0                 ::/0
    0     0 ufw6-after-forward  all      *      *       ::/0                 ::/0
    0     0 ufw6-after-logging-forward  all      *      *       ::/0                 ::/0
    0     0 ufw6-reject-forward  all      *      *       ::/0                 ::/0
    0     0 ufw6-track-forward  all      *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 429 packets, 41824 bytes)
 pkts bytes target     prot opt in     out     source               destination
6526K  387M ufw6-before-logging-output  all      *      *       ::/0                 ::/0
6526K  387M ufw6-before-output  all      *      *       ::/0                 ::/0
 3687  311K ufw6-after-output  all      *      *       ::/0                 ::/0
 3687  311K ufw6-after-logging-output  all      *      *       ::/0                 ::/0
 3687  311K ufw6-reject-output  all      *      *       ::/0                 ::/0
 3687  311K ufw6-track-output  all      *      *       ::/0                 ::/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:25
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:465
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:587
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::12  tcp dpt:80
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::12  tcp dpt:443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  215 20489 DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  all      docker0 !docker0  ::/0                 ::/0
 754K  297M RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0
    0     0 DROP       all      *      docker0  ::/0                 ::/0
 390K  211M RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 754K  297M RETURN     all      *      *       ::/0                 ::/0

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       240b:4005:18:3b00::/64  ::/0
    0     0 DROP       all      *      *       2a06:4880::/32       ::/0

Chain ufw6-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   392 ufw6-skip-to-policy-input  udp      *      *       ::/0                 ::/0                 udp dpt:137
    0     0 ufw6-skip-to-policy-input  udp      *      *       ::/0                 ::/0                 udp dpt:138
    8   520 ufw6-skip-to-policy-input  tcp      *      *       ::/0                 ::/0                 tcp dpt:139
   37  2320 ufw6-skip-to-policy-input  tcp      *      *       ::/0                 ::/0                 tcp dpt:445
    0     0 ufw6-skip-to-policy-input  udp      *      *       ::/0                 ::/0                 udp dpt:546
    0     0 ufw6-skip-to-policy-input  udp      *      *       ::/0                 ::/0                 udp dpt:547

Chain ufw6-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw6-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4913  342K LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw6-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 ufw6-user-forward  all      *      *       ::/0                 ::/0

Chain ufw6-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
1279K 1434M ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
   61  4169 ufw6-logging-deny  all      *      *       ::/0                 ::/0                 ctstate INVALID
   61  4169 DROP       all      *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
5086K  285M ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
11091  621K ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133 HL match HL == 255
 108K   14M ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134 HL match HL == 255
2700K  194M ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135 HL match HL == 255
 109K 7177K ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 141 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 142 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 130
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 131
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 132
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 143
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 148 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 149 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 151 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 152 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 153 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 144
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 145
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 146
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 147
    0     0 ACCEPT     udp      *      *       fe80::/10            fe80::/10            udp spt:547 dpt:546
    0     0 ACCEPT     udp      *      *       ::/0                 ff02::fb             udp dpt:5353
    0     0 ACCEPT     udp      *      *       ::/0                 ff02::f              udp dpt:1900
 7919  529K ufw6-user-input  all      *      *       ::/0                 ::/0

Chain ufw6-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
6251K  368M ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    5   714 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133 HL match HL == 255
82730 5296K ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136 HL match HL == 255
 188K   14M ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 141 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 142 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 130
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 131
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 132
  777 88652 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 143
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 148 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 149 HL match HL == 255
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 151 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 152 HL match HL == 1
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 153 HL match HL == 1
 3687  311K ufw6-user-output  all      *      *       ::/0                 ::/0

Chain ufw6-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw6-logging-deny (1 references)
 pkts bytes target     prot opt in     out     source               destination
   36  2569 RETURN     all      *      *       ::/0                 ::/0                 ctstate INVALID limit: avg 3/min burst 10
   10   640 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw6-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain ufw6-skip-to-policy-input (6 references)
 pkts bytes target     prot opt in     out     source               destination
   49  3232 DROP       all      *      *       ::/0                 ::/0

Chain ufw6-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0

Chain ufw6-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2757  221K ACCEPT     tcp      *      *       ::/0                 ::/0                 ctstate NEW
  501 48824 ACCEPT     udp      *      *       ::/0                 ::/0                 ctstate NEW

Chain ufw6-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:51820
  175 14000 ACCEPT     tcp      *      *       ::/0                 ::/0                 multiport dports 25,80,443,465,993,995,4190

Chain ufw6-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable

Chain ufw6-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0

Chain ufw6-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw6-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

There was an error creating your issue: body is too long (maximum is 65536 characters).

Logs of ip6tables -L -vn -t nat:

There was an error creating your issue: body is too long (maximum is 65536 characters).

DNS check:

172.64.155.249
104.18.32.7

cyberdust2k commented 23 hours ago

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 657K   32M DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  524 38432 MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
 5657  434K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.5           172.22.1.5           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.6           172.22.1.6           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.13          172.22.1.13          tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.13          172.22.1.13          tcp dpt:443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.5:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.6:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    5   292 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    3   156 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
   30  1200 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.13:80
    3   164 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.13:443

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
5104K  286M DOCKER     all      *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all      *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  208 19034 MASQUERADE  all      *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0
    0     0 MASQUERADE  all      *      !docker0  fd00:dead:beef:c0::/80  ::/0
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::12  fd4d:6169:6c63:6f77::12  tcp dpt:80
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::12  fd4d:6169:6c63:6f77::12  tcp dpt:443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    6   480 RETURN     all      br-mailcow *       ::/0                 ::/0
    0     0 RETURN     all      docker0 *       ::/0                 ::/0
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::b]:110
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::b]:143
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::b]:993
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::b]:995
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::b]:4190
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::d]:25
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::d]:465
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::d]:587
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::12]:80
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::12]:443

cyberdust2k commented 23 hours ago

Update: This is happening with every mail, even after manually clearing the queue with postsuper -d ALL, not just calendar notifications as suspected first.

1castro commented 22 hours ago

I have the same error after the 2024-11 update! Had to restore backup because Mailcow couldn't be used.

chriscroome commented 22 hours ago

I've done the update on two servers and haven't had this issue. Could you paste your data/conf/postfix/main.cf file and the data/conf/postfix/extra.cf file, if that exists, here?

FreddleSpl0it commented 22 hours ago

In your setup, postfix can't connect to rspamd, as it seems.

postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: warning: connect to Milter service inet:rspamd:9900: Connection refused
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: NOQUEUE: milter-reject: CONNECT from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
postfix-mailcow-1  | Nov  7 12:25:47 a321679273f8 postfix/smtpd[363]: NOQUEUE: milter-reject: EHLO from mailcowdockerized-acme-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.8]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<mail.example.com>

Is rspamd running?

cyberdust2k commented 22 hours ago

Yes, rspamd is running and correctly scanning the email.

These are main.cf and extra.cf respectively after the update:

# --------------------------------------------------------------------------
# Please create a file "extra.cf" for persistent overrides to main.cf
# --------------------------------------------------------------------------
biff = no
append_dot_mydomain = no
smtpd_tls_cert_file = /etc/ssl/mail/cert.pem
smtpd_tls_key_file = /etc/ssl/mail/key.pem
tls_server_sni_maps = hash:/opt/postfix/conf/sni.map
smtpd_tls_received_header = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  defer_unauth_destination
smtpd_forbid_bare_newline = yes
# alias maps are auto-generated in postfix.sh on startup
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost =
mynetworks_style = subnet
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
disable_vrfy_command = yes
maximal_backoff_time = 1800s
maximal_queue_lifetime = 5d
delay_warning_time = 4h
message_size_limit = 104857600
milter_default_action = tempfail
milter_protocol = 6
minimal_backoff_time = 300s
plaintext_reject_code = 550
postscreen_access_list = permit_mynetworks,
  cidr:/opt/postfix/conf/custom_postscreen_whitelist.cidr,
  cidr:/opt/postfix/conf/postscreen_access.cidr,
  tcp:127.0.0.1:10027
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 24h
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 6
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 2d
postscreen_greet_wait = 3s
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
proxy_read_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_mbr_access_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
  $sender_dependent_default_transport_maps,
  $smtp_tls_policy_maps,
  $local_recipient_maps,
  $mydestination,
  $virtual_alias_maps,
  $virtual_alias_domains,
  $virtual_mailbox_maps,
  $virtual_mailbox_domains,
  $relay_recipient_maps,
  $relay_domains,
  $canonical_maps,
  $sender_canonical_maps,
  $sender_bcc_maps,
  $recipient_bcc_maps,
  $recipient_canonical_maps,
  $relocated_maps,
  $transport_maps,
  $mynetworks,
  $smtpd_sender_login_maps,
  $smtp_sasl_password_maps
queue_run_delay = 300s
relay_domains = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf
relay_recipient_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
sender_dependent_default_transport_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/ssl/mail/cert.pem
smtp_tls_key_file = /etc/ssl/mail/key.pem
smtp_tls_loglevel = 1
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10s
smtpd_forbid_bare_newline = yes
smtpd_hard_error_limit = ${stress?1}${stress:5}
smtpd_helo_required = yes
smtpd_proxy_timeout = 600s
smtpd_recipient_restrictions = check_recipient_mx_access proxy:mysql:/opt/postfix/conf/sql/mysql_mbr_access_maps.cf,
  permit_sasl_authenticated,
  permit_mynetworks,
  check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
  reject_invalid_helo_hostname,
  reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = inet:dovecot:10001
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unlisted_sender,
  reject_unknown_sender_domain
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = yes
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
smtpd_tls_loglevel = 1

# Mandatory protocols and ciphers are used when a connections is enforced to use TLS
# Does _not_ apply to enforced incoming TLS settings per mailbox
smtp_tls_mandatory_protocols = >=TLSv1.2
lmtp_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = high

smtp_tls_protocols = >=TLSv1.2
lmtp_tls_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2

smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
virtual_alias_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_alias_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_resource_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_spamalias_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_alias_domain_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_domains_maps.cf
# -- moved to rspamd on 2021-06-01
#recipient_bcc_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_recipient_bcc_maps.cf
#sender_bcc_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sender_bcc_maps.cf
recipient_canonical_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_recipient_canonical_maps.cf
recipient_canonical_classes = envelope_recipient
virtual_mailbox_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:inet:dovecot:24
virtual_uid_maps = static:5000
smtpd_milters = inet:rspamd:9900
non_smtpd_milters = inet:rspamd:9900
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
mydestination = localhost.localdomain, localhost
smtp_address_preference = any
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = plain, login
smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
smtp_header_checks = pcre:/opt/postfix/conf/anonymize_headers.pcre
mail_name = Postcow
# local_transport map catches local destinations and prevents routing local dests when the next map would route "*"
# Use custom_transport.pcre for custom transports
transport_maps = pcre:/opt/postfix/conf/custom_transport.pcre,
  pcre:/opt/postfix/conf/local_transport,
  proxy:mysql:/opt/postfix/conf/sql/mysql_relay_ne.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf
smtp_sasl_auth_soft_bounce = no
postscreen_discard_ehlo_keywords = silent-discard, dsn, chunking
smtpd_discard_ehlo_keywords = chunking, silent-discard
compatibility_level = 3.7
smtputf8_enable = no
# Define protocols for SMTPS and submission service
submission_smtpd_tls_mandatory_protocols = >=TLSv1.2
smtps_smtpd_tls_mandatory_protocols = >=TLSv1.2
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients
# This Option is added to correctly set the X-Original-To Header when mails are send to lmtp (dovecot)
lmtp_destination_recipient_limit=1

# DO NOT EDIT ANYTHING BELOW #
# Overrides #

    # Autogenerated by mailcow
    postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
      hostkarma.junkemailfilter.com=127.0.0.1*-2
      list.dnswl.org=127.0.[0..255].0*-2
      list.dnswl.org=127.0.[0..255].1*-4
      list.dnswl.org=127.0.[0..255].2*-6
      list.dnswl.org=127.0.[0..255].3*-8
      ix.dnsbl.manitu.net*2
      bl.spamcop.net*2
      bl.suomispam.net*2
      hostkarma.junkemailfilter.com=127.0.0.2*3
      hostkarma.junkemailfilter.com=127.0.0.4*2
      hostkarma.junkemailfilter.com=127.0.1.2*1
      backscatter.spameatingmonkey.net*2
      bl.ipv6.spameatingmonkey.net*2
      bl.spameatingmonkey.net*2
      b.barracudacentral.org=127.0.0.2*7
      bl.mailspike.net=127.0.0.2*5
      bl.mailspike.net=127.0.0.[10;11;12]*4
      dnsbl.sorbs.net=127.0.0.10*8
      dnsbl.sorbs.net=127.0.0.5*6
      dnsbl.sorbs.net=127.0.0.7*3
      dnsbl.sorbs.net=127.0.0.8*2
      dnsbl.sorbs.net=127.0.0.6*2
      dnsbl.sorbs.net=127.0.0.9*2
      zen.spamhaus.org=127.0.0.[10;11]*8
      zen.spamhaus.org=127.0.0.[4..7]*6
      zen.spamhaus.org=127.0.0.3*4
      zen.spamhaus.org=127.0.0.2*3
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3

# User Overrides
myhostname = mail.cyberdust-net.de

myhostname = mail.cyberdust-net.de
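
Postfix reads any main.cf line that starts with whitespace as a continuation of the previous logical line and skips blank and comment lines in between, so the indented postscreen_dnsbl_sites block in the main.cf as posted above is folded into lmtp_destination_recipient_limit, which fits the "bad numerical configuration" error in the issue title. The linter below is an added example, not part of the thread or of mailcow; its function names, the INT_PARAMS subset and the indented-assignment heuristic are assumptions, and the sample is abridged from the posted file.

```python
import re

# Integer-valued parameters that appear in the posted main.cf; a subset picked
# for this example (assumption), not Postfix's complete list.
INT_PARAMS = {
    "lmtp_destination_recipient_limit", "message_size_limit",
    "mailbox_size_limit", "postscreen_dnsbl_threshold",
    "smtpd_soft_error_limit", "virtual_minimum_uid",
}
# Heuristic (assumption): an indented "name = ..." is a swallowed assignment.
ASSIGN = re.compile(r"^\s+([A-Za-z0-9_]+)\s*=")

# Constructed sample, abridged from the main.cf in the comment above.
SAMPLE = """\
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains
# This Option is added to correctly set the X-Original-To Header
lmtp_destination_recipient_limit=1

# DO NOT EDIT ANYTHING BELOW #
# Overrides #

    # Autogenerated by mailcow
    postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
      hostkarma.junkemailfilter.com=127.0.0.1*-2
      zen.spamhaus.org=127.0.0.2*3
  zen.spamhaus.org=127.0.0.[10;11]*8

# User Overrides
myhostname = mail.example.com
"""
# Same file with the assignment moved back to column 0.
FIXED = SAMPLE.replace("    postscreen_dnsbl_sites", "postscreen_dnsbl_sites")


def logical_lines(text):
    """Fold physical lines into logical lines the way Postfix reads main.cf."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue  # blank and comment lines never end a logical line
        if raw[0].isspace():
            if out:  # continuation: append to the previous logical line
                out[-1]["value"] += " " + body
                m = ASSIGN.match(raw)
                if m:
                    out[-1]["swallowed"].append((no, m.group(1)))
            continue
        name, _, value = raw.partition("=")
        out.append({"line": no, "name": name.strip(),
                    "value": value.strip(), "swallowed": []})
    return out


def lint(text):
    """Return (line, kind, parameter, detail) tuples for suspicious entries."""
    findings = []
    for ll in logical_lines(text):
        for no, inner in ll["swallowed"]:
            findings.append((no, "swallowed", inner, ll["name"]))
        value = ll["value"]
        if (ll["name"] in INT_PARAMS and "$" not in value
                and not re.fullmatch(r"-?\d+", value)):
            findings.append((ll["line"], "non-numeric", ll["name"], value[:40]))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```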

DerLinkman commented 22 hours ago

There is something broken with your postfix config. Any own settings?

cyberdust2k commented 22 hours ago

I updated my comment accordingly with the respective postfix configs.

DerLinkman commented 22 hours ago

What does your master.cf look like? @cyberdust2k

FreddleSpl0it commented 22 hours ago

Did you edit the file data/postfix/conf/dns_blocklists.cf? If not, please delete it and restart postfix.

cyberdust2k commented 22 hours ago

Did you edit the file data/postfix/conf/dns_blocklists.cf? If not, please delete it and restart postfix.

This seems to have done the trick, which is confusing because I am very positive I didn't touch anything postfix related.

FreddleSpl0it commented 21 hours ago

From what version did you upgrade to 2024-11?

cyberdust2k commented 21 hours ago

From what version did you upgrade to 2024-11?

Initially it was from 2024-10a, but I rolled back to a snapshot which had 2024-08 on it, and both behaved the same after upgrading. Since I've been running this server since December 2022 and migrating hosters once, I cannot rule out the possibility that maybe something broke along the way.

However, it would be interesting to see @1castro's part of the story.

cyberdust2k commented 21 hours ago

What does your master.cf look like? @cyberdust2k

# inter-mx with postscreen on 25/tcp
smtp       inet  n       -       n       -       1       postscreen
10025      inet  n       -       n       -       1       postscreen
  -o postscreen_upstream_proxy_protocol=haproxy
  -o syslog_name=haproxy
smtpd      pass  -       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain

# smtpd tls-wrapped (smtps) on 465/tcp
# TLS protocol can be modified by setting smtps_smtpd_tls_mandatory_protocols in extra.cf
smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/smtps
10465    inet  n       -       n       -       -       smtpd
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/smtps-haproxy

# smtpd with starttls on 587/tcp
# TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf
submission inet n       -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/submission
10587      inet n       -       n       -       -       smtpd
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/submission-haproxy

# used by SOGo
# smtpd_sender_restrictions should match main.cf, but with check_sasl_access prepended for login-as-mailbox-user function
588 inet n      -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_auth_only=no
  -o smtpd_sender_restrictions=check_sasl_access,regexp:/opt/postfix/conf/allow_mailcow_local.regexp,reject_authenticated_sender_login_mismatch,permit_mynetworks,permit_sasl_authenticated,reject_unlisted_sender,reject_unknown_sender_domain
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/sogo

# used to reinject quarantine mails
590 inet n      -       n       -       -       smtpd
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_auth_only=no
  -o smtpd_milters=
  -o non_smtpd_milters=
  -o syslog_name=postfix/quarantine

# used to send bcc mails
591 inet n      -       n       -       -       smtpd
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_auth_only=no
  -o smtpd_milters=
  -o non_smtpd_milters=
  -o syslog_name=postfix/bcc

# enforced smtp connector
smtp_enforced_tls      unix  -       -       n       -       -       smtp
  -o smtp_tls_security_level=encrypt
  -o syslog_name=enforced-tls-smtp
  -o smtp_delivery_status_filter=pcre:/opt/postfix/conf/smtp_dsn_filter

# smtp connector used, when a transport map matched
# this helps to have different sasl maps than we have with sender dependent transport maps
smtp_via_transport_maps      unix  -       -       n       -       -       smtp
  -o smtp_sasl_password_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf

tlsproxy   unix  -       -       n       -       0       tlsproxy
dnsblog    unix  -       -       n       -       0       dnsblog
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp flags=O
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}

# used to anonymize sender IP
smtp_sender_cleanup unix n - y - 0 cleanup
  -o header_checks=$smtp_header_checks

# start whitelist_fwd
127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh
# end whitelist_fwd

# start watchdog-specific
# logs to local7 (hidden)
589 inet n      -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o syslog_name=watchdog
  -o syslog_facility=local7
  -o smtpd_milters=
  -o cleanup_service_name=watchdog_cleanup
  -o non_smtpd_milters=
watchdog_cleanup unix  n       -       n       -       0       cleanup
  -o syslog_name=watchdog
  -o syslog_facility=local7
  -o queue_service_name=watchdog_qmgr
watchdog_qmgr fifo  n       -       n       300     1       qmgr
  -o syslog_facility=local7
  -o syslog_name=watchdog
  -o rewrite_service_name=watchdog_rewrite
watchdog_rewrite    unix  -       -       n       -       -       trivial-rewrite
   -o syslog_facility=local7
   -o syslog_name=watchdog
   -o local_transport=watchdog_discard
watchdog_discard    unix  -       -       n       -       -       discard
   -o syslog_facility=local7
   -o syslog_name=watchdog
# end watchdog-specific

1castro commented 21 hours ago

From what version did you upgrade to 2024-11?

Initially it was from 2024-10a, but I rolled back to a snapshot which had 2024-08 on it, and both behaved the same after upgrading. Since I've been running this server since December 2022 and migrating hosters once, I cannot rule out the possibility that maybe something broke along the way.

However, it would be interesting to see @1castro's part of the story.

long story short

I upgraded from version 2024-8a. Since I immediately reverted to 2024-8a (server snapshot) after upgrading to 2024-11 and encountering the error, I am now having difficulty pulling the logs.

I'll recall my memories

cyberdust2k commented 21 hours ago

Double-checking the tags, I realized there was no 2024-10a; that explains why my snapshot from yesterday was still on that version. So disregard what I said about a "2024-10a"; it was 2024-08a for both tries.

mdiavm commented 21 hours ago

I have the same error after the 2024-11 update!

FreddleSpl0it commented 21 hours ago

I have the same error after the 2024-11 update!

Did you edit the file data/postfix/conf/dns_blocklists.cf? If not, please delete it and restart postfix.

mdiavm commented 21 hours ago

I have the same error after the 2024-11 update!

Did you edit the file data/postfix/conf/dns_blocklists.cf? If not, please delete it and restart postfix.

Worked for me ;)

DerLinkman commented 19 hours ago

Not a bug per se

DerLinkman commented 19 hours ago

For solution see comment: https://github.com/mailcow/mailcow-dockerized/issues/6143#issuecomment-2462230942