Hello @all,
I am currently trying to get my Mailcow instance up and running. So far everything is working, but I am struggling with SNAT. Mailcow is using the wrong IP address to send emails. This causes the SPF record test to fail. The wrong IPs are also shown in the new Mailcow UI, and likewise in the DNS settings of the domains. IPv6 seems to be working, but it feels more like luck than the result of applying the SNAT6 rules. If I remove the SNAT6 parameter from mailcow.conf, then Mailcow also uses the right IPv6 address and not the primary one.

I have already tried the following steps:

  • In mailcow.conf, set the SNAT and SNAT6 items with the IP address.
  • I have tested both the Docker Compose as a plugin and as a standalone variant.
  • Checked that all IP addresses are in the /etc/hosts of the host with their FQDN.
  • Docker, docker-compose and mailcow are on the latest version.

mailcow.conf: (Pastebin.com link)

iptables -L -vn -t nat @ host

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  420 42137 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1036 76512 MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.7           172.22.1.7           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.11          172.22.1.11          tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.11          172.22.1.11          tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.7:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.8:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:4190 to:172.22.1.250:4190
    7   420 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:587 to:172.22.1.253:587
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:995 to:172.22.1.250:995
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:25 to:172.22.1.253:25
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:993 to:172.22.1.250:993
    2   120 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:110 to:172.22.1.250:110
    6   304 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:443 to:172.22.1.11:443
    2    92 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            1.2.3.4        tcp dpt:80 to:172.22.1.11:80

@ mailcow-netfilter-mailcow-1

Chain PREROUTING (policy ACCEPT 80590 packets, 5765K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 2942 packets, 150K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 32 packets, 2001 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 77644 packets, 5615K bytes)
 pkts bytes target     prot opt in     out     source               destination   


docker compose logs --tail=200 netfilter-mailcow

mailcow-netfilter-mailcow-1 | Clearing all bans
mailcow-netfilter-mailcow-1 | Initializing mailcow netfilter chain
mailcow-netfilter-mailcow-1 | Watching Redis channel F2B_CHANNEL
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | 4 more attempts in the next 3600 seconds until <IPv6>/128 is banned
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | 3 more attempts in the next 3600 seconds until <IPv6>/128 is banned
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | 2 more attempts in the next 3600 seconds until <IPv6>/128 is banned
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | 1 more attempts in the next 3600 seconds until <IPv6>/128 is banned
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | Banning <IPv6>/128 for 120 minutes
mailcow-netfilter-mailcow-1 | <IPv4> matched rule id 3 (warning: XX.com[<IPv4>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)



Host Information:

uname -a:
Linux docker-host 10 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64 GNU/Linux

docker version:
Client: Docker Engine - Community
Version: 20.10.22
API version: 1.41
Go version: go1.18.9
Git commit: 3a2c30b
Built: Thu Dec 15 22:28:22 2022
OS/Arch: linux/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.22
API version: 1.41 (minimum version 1.12)
Go version: go1.18.9
Git commit: 42c8b31
Built: Thu Dec 15 22:26:14 2022
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: 1.6.14
GitCommit: 9ba4b250366a5ddde94bb7c9d1def331423aa323
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0

docker-compose version:
Docker Compose version v2.14.2

docker compose version:
Docker Compose version v2.14.1
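
A check for the situation in the host listing above, added here as an example (not part of the original post and not mailcow's own code): it reads `iptables -t nat -L -vn` output and reports which SNAT or MASQUERADE rule in POSTROUTING matches the container subnet first. The function names, the constructed SNAT row and the placeholder address 192.0.2.10 are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example. Reads `iptables -t nat -L -vn` output on stdin and prints the
# first SNAT/MASQUERADE rule in POSTROUTING whose source is the given subnet.
first_nat_for_subnet() {
  awk -v subnet="$1" '
    /^Chain /          { in_post = ($2 == "POSTROUTING"); next }
    !in_post || NF < 9 { next }            # other chains, blank lines
    $1 == "pkts"       { next }            # column header
    # fields: pkts bytes target prot opt in out source destination [options]
    $8 == subnet && ($3 == "SNAT" || $3 == "MASQUERADE") {
      extra = ""
      for (i = 10; i <= NF; i++) extra = extra (extra ? " " : "") $i
      print $3 (extra ? " " extra : "") " pkts=" $1
      found = 1
      exit
    }
    END { if (!found) print "none" }
  '
}

# Rules are evaluated top to bottom, so the first match decides the source IP.
verdict() {
  case "$(first_nat_for_subnet "$1")" in
    SNAT*)       echo "SNAT matches first for $1" ;;
    MASQUERADE*) echo "MASQUERADE matches first for $1: outgoing interface address is used" ;;
    *)           echo "no SNAT/MASQUERADE rule with source $1" ;;
  esac
}

# First POSTROUTING rows copied from the host listing above.
SAMPLE_PAGE='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1036 76512 MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0'
# Constructed: the same chain with a SNAT row on top; 192.0.2.10 is a placeholder.
SAMPLE_WITH_SNAT='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       172.22.1.0/24       !172.22.1.0/24        to:192.0.2.10
 1036 76512 MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0'

printf '%s\n' "$SAMPLE_PAGE" | verdict 172.22.1.0/24
printf '%s\n' "$SAMPLE_WITH_SNAT" | verdict 172.22.1.0/24
# Live use on the host, as root; repeat with iptables-legacy, since the listing
# above warns that legacy tables are present:
#   iptables -t nat -L -vn | verdict 172.22.1.0/24
```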

It’s not possible to edit this posting again. 🙄
And the tags are not working properly as no markdown support is available. It’s hard to write a good-looking ticket…

After the docker-compose.override.yml file was changed as follows, Mailcow no longer starts. Unfortunately, I don’t know if I should look for the problem with Docker or with Mailcow.

Error response from daemon: user specified IP address is supported only when connecting to networks with user configured subnets

networks:
  mailcow-network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_ip_masquerade: 'false'
