I’ve just executed the ./update.sh helper and got asked the “question” Native IPv6 implementation available. After proceeding with enabling this experimental feature, I’ve noticed broken IPv6 connectivity when trying to connect to the containers from the outside.
IPv6 connectivity was fine prior to this operation.
Command output:
./update.sh
Checking internet connection... OK
Checking for newer update script...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 6 (delta 4), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (6/6), 1.43 KiB | 366.00 KiB/s, done.
From https://github.com/mailcow/mailcow-dockerized
6ef8b90c..b0679b1c staging -> origin/staging
Updated 0 paths from 746631df
Are you sure you want to update mailcow: dockerized? All containers will be stopped. [y/N] y
Native IPv6 implementation available.
This will enable experimental features in the Docker daemon and configure Docker to do the IPv6 NATing instead of ipv6nat-mailcow.
!!! This step is recommended !!!
mailcow will try to roll back the changes if starting Docker fails after modifying the daemon.json configuration file.
Should we try to enable the native IPv6 implementation in Docker now (recommended)? [y/N] y
Working on IPv6 NAT, please wait...
Great! Native IPv6 NAT is active.
Validating docker-compose stack configuration...
Checking for conflicting bridges...
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Saving diff to update_diffs/diff_before_update_2022-01-16-12-27-04...
Prefetching images...
Stopping mailcow...
Stopping mailcowdockerized_acme-mailcow_1 ... done
Stopping mailcowdockerized_nginx-mailcow_1 ... done
Stopping mailcowdockerized_ofelia-mailcow_1 ... done
Stopping mailcowdockerized_sogo-mailcow_1 ... done
Stopping mailcowdockerized_rspamd-mailcow_1 ... done
Stopping mailcowdockerized_dovecot-mailcow_1 ... done
Stopping mailcowdockerized_postfix-mailcow_1 ... done
Stopping mailcowdockerized_mysql-mailcow_1 ... done
Stopping mailcowdockerized_php-fpm-mailcow_1 ... done
Stopping mailcowdockerized_watchdog-mailcow_1 ... done
Stopping mailcowdockerized_unbound-mailcow_1 ... done
Stopping mailcowdockerized_netfilter-mailcow_1 ... done
Stopping mailcowdockerized_redis-mailcow_1 ... done
Stopping mailcowdockerized_solr-mailcow_1 ... done
Stopping mailcowdockerized_clamd-mailcow_1 ... done
Stopping mailcowdockerized_memcached-mailcow_1 ... done
Stopping mailcowdockerized_olefy-mailcow_1 ... done
Stopping mailcowdockerized_dockerapi-mailcow_1 ... done
WARNING: Found orphan containers (mailcowdockerized_ipv6nat-mailcow_1) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Removing mailcowdockerized_acme-mailcow_1 ... done
Removing mailcowdockerized_nginx-mailcow_1 ... done
Removing mailcowdockerized_ofelia-mailcow_1 ... done
Removing mailcowdockerized_sogo-mailcow_1 ... done
Removing mailcowdockerized_rspamd-mailcow_1 ... done
Removing mailcowdockerized_dovecot-mailcow_1 ... done
Removing mailcowdockerized_postfix-mailcow_1 ... done
Removing mailcowdockerized_mysql-mailcow_1 ... done
Removing mailcowdockerized_php-fpm-mailcow_1 ... done
Removing mailcowdockerized_watchdog-mailcow_1 ... done
Removing mailcowdockerized_unbound-mailcow_1 ... done
Removing mailcowdockerized_netfilter-mailcow_1 ... done
Removing mailcowdockerized_redis-mailcow_1 ... done
Removing mailcowdockerized_solr-mailcow_1 ... done
Removing mailcowdockerized_clamd-mailcow_1 ... done
Removing mailcowdockerized_memcached-mailcow_1 ... done
Removing mailcowdockerized_olefy-mailcow_1 ... done
Removing mailcowdockerized_dockerapi-mailcow_1 ... done
Removing network mailcowdockerized_mailcow-network
Checking for remaining containers...
Committing current status...
Fetching updated code from remote...
Merging local with remote code (recursive, strategy: "theirs", options: "patience"...
Already up to date.
Fetching new docker-compose version...
Trying to determine GLIBC version...
Fetching new images, if any...
Pulling watchdog-mailcow ... done
Pulling clamd-mailcow ... done
Pulling unbound-mailcow ... done
Pulling mysql-mailcow ... done
Pulling dovecot-mailcow ... done
Pulling rspamd-mailcow ... done
Pulling olefy-mailcow ... done
Pulling solr-mailcow ... done
Pulling dockerapi-mailcow ... done
Pulling sogo-mailcow ... done
Pulling ofelia-mailcow ... done
Pulling memcached-mailcow ... done
Pulling postfix-mailcow ... done
Pulling redis-mailcow ... done
Pulling php-fpm-mailcow ... done
Pulling nginx-mailcow ... done
Pulling acme-mailcow ... done
Pulling netfilter-mailcow ... done
Checking IPv6 settings...
Starting mailcow...
Creating network "mailcowdockerized_mailcow-network" with driver "bridge"
Removing orphan container "mailcowdockerized_ipv6nat-mailcow_1"
Creating mailcowdockerized_sogo-mailcow_1 ... done
Creating mailcowdockerized_olefy-mailcow_1 ... done
Creating mailcowdockerized_dockerapi-mailcow_1 ... done
Creating mailcowdockerized_unbound-mailcow_1 ... done
Creating mailcowdockerized_watchdog-mailcow_1 ... done
Creating mailcowdockerized_redis-mailcow_1 ... done
Creating mailcowdockerized_clamd-mailcow_1 ... done
Creating mailcowdockerized_solr-mailcow_1 ... done
Creating mailcowdockerized_memcached-mailcow_1 ... done
Creating mailcowdockerized_mysql-mailcow_1 ... done
Creating mailcowdockerized_php-fpm-mailcow_1 ... done
Creating mailcowdockerized_postfix-mailcow_1 ... done
Creating mailcowdockerized_dovecot-mailcow_1 ... done
Creating mailcowdockerized_nginx-mailcow_1 ... done
Creating mailcowdockerized_netfilter-mailcow_1 ... done
Creating mailcowdockerized_rspamd-mailcow_1 ... done
Creating mailcowdockerized_acme-mailcow_1 ... done
Creating mailcowdockerized_ofelia-mailcow_1 ... done
Collecting garbage...
I’ve tried to troubleshoot this a bit further but I am a little lost on how to remedy my situation here. I guess it is a problem with the firewall (iptables) but I can’t make out the error …
So, any help would be greatly appreciated.
Checking IPv6 Connectivity
ip6tables
# ip6tables --list
# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-ISOLATION-STAGE-1 all anywhere anywhere
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
DOCKER-USER all anywhere anywhere
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::e tcp dpt:submission
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::e tcp dpt:submissions
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:sieve
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::e tcp dpt:smtp
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:pop3s
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:imaps
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:imap2
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:pop3
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all anywhere anywhere
RETURN all anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all anywhere anywhere
DROP all anywhere anywhere
RETURN all anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all anywhere anywhere
Netstat
netstat -tulpn | grep tcp6
tcp6 0 0 :::25 :::* LISTEN 3691250/docker-prox
tcp6 0 0 :::443 :::* LISTEN 3188390/nginx: mast
tcp6 0 0 :::4190 :::* LISTEN 3691216/docker-prox
tcp6 0 0 :::993 :::* LISTEN 3691328/docker-prox
tcp6 0 0 :::995 :::* LISTEN 3691273/docker-prox
tcp6 0 0 :::587 :::* LISTEN 3691113/docker-prox
tcp6 0 0 :::110 :::* LISTEN 3691418/docker-prox
tcp6 0 0 :::143 :::* LISTEN 3691388/docker-prox
tcp6 0 0 :::80 :::* LISTEN 3188390/nginx: mast
tcp6 0 0 :::465 :::* LISTEN 3691153/docker-prox
Ping From Host
$ ping6 ipv6.google.com
PING ipv6.google.com(prg03s11-in-x0e.1e100.net (2a00:1450:4014:80b::200e)) 56 data bytes
64 bytes from prg03s11-in-x0e.1e100.net (2a00:1450:4014:80b::200e): icmp_seq=1 ttl=117 time=7.70 ms
$ ping6 fd4d:6169:6c63:6f77::e # IPv6 of postfix-mailcow docker container
PING fd4d:6169:6c63:6f77::e(fd4d:6169:6c63:6f77::e) 56 data bytes
64 bytes from fd4d:6169:6c63:6f77::e: icmp_seq=1 ttl=64 time=0.764 ms
Checking From Remote
$ ping6 $MAILCOW_HOSTNAME
PING {$MAILCOW_HOSTNAME}({$MAILCOW_HOSTNAME_PTR} (2a00:xxxx:yyyy:zzzz::)) 56 data bytes
64 bytes from {$MAILCOW_HOSTNAME_PTR} (2a00:xxxx:yyyy:zzzz::): icmp_seq=1 ttl=57 time=38.70 ms
$ nmap -6 -p 465 $MAILCOW_HOSTNAME # Trying to connect to Postfix container
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-16 15:02 Mitteleuropäische Zeit
Nmap scan report for {$MAILCOW_HOSTNAME} (2a00:xxxx:yyyy:zzzz::)
Host is up (0.033s latency).
PORT STATE SERVICE
465/tcp filtered smtps
Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds
$ nmap -6 -p 443 $MAILCOW_HOSTNAME # Trying to connect to Nginx proxy (outside Docker)
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-16 15:02 Mitteleuropäische Zeit
Nmap scan report for {$MAILCOW_HOSTNAME} (2a00:xxxx:yyyy:zzzz::)
Host is up (0.061s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 13.20 seconds
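A cross-check of the two listings above, as an added example that is not part of the original post: it compares the ports docker-proxy listens on (netstat) with the ports the ip6tables DOCKER chain accepts. The sample text is abridged from the post's output; the function names and the SERVICES name-to-port table are assumptions of this example.

```python
import re

# Service names as ip6tables prints them without -n (assumed mapping, taken
# from the usual /etc/services entries; with -n the ports are numeric).
SERVICES = {"smtp": 25, "pop3": 110, "imap2": 143, "submissions": 465,
            "submission": 587, "imaps": 993, "pop3s": 995, "sieve": 4190}

# Sample input, abridged from the output shown in the post.
IP6TABLES = """\
Chain DOCKER (2 references)
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::e tcp dpt:submission
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::e tcp dpt:submissions
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:sieve
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::e tcp dpt:smtp
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:pop3s
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:imaps
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:imap2
ACCEPT tcp anywhere fd4d:6169:6c63:6f77::f tcp dpt:pop3
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
"""
NETSTAT = """\
tcp6 0 0 :::25 :::* LISTEN 3691250/docker-prox
tcp6 0 0 :::443 :::* LISTEN 3188390/nginx: mast
tcp6 0 0 :::4190 :::* LISTEN 3691216/docker-prox
tcp6 0 0 :::993 :::* LISTEN 3691328/docker-prox
tcp6 0 0 :::995 :::* LISTEN 3691273/docker-prox
tcp6 0 0 :::587 :::* LISTEN 3691113/docker-prox
tcp6 0 0 :::110 :::* LISTEN 3691418/docker-prox
tcp6 0 0 :::143 :::* LISTEN 3691388/docker-prox
tcp6 0 0 :::465 :::* LISTEN 3691153/docker-prox
"""

def published_ports(netstat):
    """Ports held by docker-proxy; host services such as nginx are skipped."""
    pat = r":::(\d+)\s+\S+\s+LISTEN\s+\d+/docker-prox"
    return {int(m.group(1)) for m in re.finditer(pat, netstat)}

def accepted_ports(listing, chain="DOCKER"):
    """Destination ports of ACCEPT rules inside the named chain only."""
    ports, inside = set(), False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            inside = line.split()[1] == chain
        elif inside and line.startswith("ACCEPT"):
            m = re.search(r"dpt:(\S+)", line)
            port = m and (int(m[1]) if m[1].isdigit() else SERVICES.get(m[1]))
            if port:
                ports.add(port)
    return ports

def unaccepted(netstat, listing):
    """Published ports with no matching ACCEPT rule (unknown names count)."""
    return sorted(published_ports(netstat) - accepted_ports(listing))
```

For the post's output the result is empty: every docker-proxy port has an ACCEPT rule in the DOCKER chain. `ip6tables --list` prints only the filter table, so NAT rules and the legacy tables named in the warning line are not covered by this check.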