Hello @all,
I am currently trying to get my Mailcow instance up and running. So far everything is working, but I am currently struggling with SNAT. Mailcow is using the wrong IP address to send emails. This causes the SPF record test to fail. The new Mailcow UI also shows the wrong IPs, as do the DNS settings for the domains. IPv6 seems to be working, but it feels more like luck than the result of applying the SNAT6 rules. If I remove the SNAT6 parameter from mailcow.conf, then mailcow also uses the right IPv6 address and not the primary one.
I have already tried the following steps:
- in mailcow.conf, set the SNAT and SNAT6 items with the IP address.
- I have tested both the Docker Compose as a plugin and as a standalone variant.
- Checked that all IP addresses are in the /etc/hosts of the host with their FQDN.
- Docker, docker-compose and mailcow are on the latest version.
mailcow.conf: https://pastebin.com/i3Ff5eL9
iptables -L -vn -t nat @ host
```
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
420 42137 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1036 76512 MASQUERADE all -- * !br-mailcow 172.22.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.22.1.249 172.22.1.249 tcp dpt:6379
0 0 MASQUERADE tcp -- * * 172.22.1.7 172.22.1.7 tcp dpt:8983
0 0 MASQUERADE tcp -- * * 172.22.1.8 172.22.1.8 tcp dpt:3306
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:12345
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:4190
0 0 MASQUERADE tcp -- * * 172.22.1.253 172.22.1.253 tcp dpt:587
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:995
0 0 MASQUERADE tcp -- * * 172.22.1.253 172.22.1.253 tcp dpt:465
0 0 MASQUERADE tcp -- * * 172.22.1.253 172.22.1.253 tcp dpt:25
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:993
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:143
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:110
0 0 MASQUERADE tcp -- * * 172.22.1.11 172.22.1.11 tcp dpt:443
0 0 MASQUERADE tcp -- * * 172.22.1.11 172.22.1.11 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- br-mailcow * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:7654 to:172.22.1.249:6379
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:18983 to:172.22.1.7:8983
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:13306 to:172.22.1.8:3306
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:19991 to:172.22.1.250:12345
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:4190 to:172.22.1.250:4190
7 420 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:587 to:172.22.1.253:587
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:995 to:172.22.1.250:995
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:465 to:172.22.1.253:465
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:25 to:172.22.1.253:25
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:993 to:172.22.1.250:993
2 120 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:143 to:172.22.1.250:143
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:110 to:172.22.1.250:110
6 304 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:443 to:172.22.1.11:443
2 92 DNAT tcp -- !br-mailcow * 0.0.0.0/0 1.2.3.4 tcp dpt:80 to:172.22.1.11:80
```
@ mailcow-netfilter-mailcow-1
```
Chain PREROUTING (policy ACCEPT 80590 packets, 5765K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2942 packets, 150K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 32 packets, 2001 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 77644 packets, 5615K bytes)
pkts bytes target prot opt in out source destination
```
docker compose logs --tail=200 netfilter-mailcow
```
mailcow-netfilter-mailcow-1 | Clearing all bans
mailcow-netfilter-mailcow-1 | Initializing mailcow netfilter chain
mailcow-netfilter-mailcow-1 | Watching Redis channel F2B_CHANNEL
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | 4 more attempts in the next 3600 seconds until <IPv6>/128 is banned
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | 3 more attempts in the next 3600 seconds until <IPv6>/128 is banned
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | 2 more attempts in the next 3600 seconds until <IPv6>/128 is banned
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | 1 more attempts in the next 3600 seconds until <IPv6>/128 is banned
mailcow-netfilter-mailcow-1 | <IPv6> matched rule id 3 (warning: unknown[<IPv6>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
mailcow-netfilter-mailcow-1 | Banning <IPv6>/128 for 120 minutes
mailcow-netfilter-mailcow-1 | <IPv4> matched rule id 3 (warning: XX.com[<IPv4>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6)
…
```
Host Information:

uname -a:
```
Linux docker-host 10 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64 GNU/Linux
```
docker version:
```
Client: Docker Engine - Community
Version: 20.10.22
API version: 1.41
Go version: go1.18.9
Git commit: 3a2c30b
Built: Thu Dec 15 22:28:22 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.22
API version: 1.41 (minimum version 1.12)
Go version: go1.18.9
Git commit: 42c8b31
Built: Thu Dec 15 22:26:14 2022
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: 1.6.14
GitCommit: 9ba4b250366a5ddde94bb7c9d1def331423aa323
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0
```
docker-compose version:
```
Docker Compose version v2.14.2
```
docker compose version:
```
Docker Compose version v2.14.1
```
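
An added example, not part of the original post and not mailcow's own code: netfilter applies the first matching rule in the nat POSTROUTING chain, so an SNAT rule only changes the outgoing address if it sits ahead of the MASQUERADE rule for the same subnet. The functions below read an `iptables -L -vn -t nat` listing and report which rule wins for a given source subnet; the function names and the 192.0.2.10 address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which nat POSTROUTING rule wins for a container subnet?
# Listing (`iptables -L -vn -t nat`) on stdin; $1 = source subnet.
first_postrouting_match() {
    awk -v subnet="$1" '
        $1 == "Chain" { in_chain = ($2 == "POSTROUTING"); next }
        !in_chain || $1 == "pkts" { next }
        # Columns: pkts bytes target prot opt in out source destination [extra]
        $8 == subnet {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            printf "%s pkts=%s out=%s%s\n", $3, $1, $7, extra
            exit
        }
    '
}

# Succeeds only if the first matching rule is SNAT to the expected address.
snat_effective() {   # $1 = subnet, $2 = expected source IP, listing on stdin
    rule=$(first_postrouting_match "$1")
    case "$rule" in
        "SNAT "*" to:$2") return 0 ;;
        "") echo "no POSTROUTING rule for $1" >&2; return 2 ;;
        *)  echo "first match is: $rule" >&2; return 1 ;;
    esac
}

# POSTROUTING excerpt copied from the host listing in the post.
POSTED='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1036 76512 MASQUERADE all -- * !br-mailcow 172.22.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0'

# Constructed listing: an SNAT rule ahead of MASQUERADE (192.0.2.10 is a placeholder).
CONSTRUCTED='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * !br-mailcow 172.22.1.0/24 0.0.0.0/0 to:192.0.2.10
1036 76512 MASQUERADE all -- * !br-mailcow 172.22.1.0/24 0.0.0.0/0'

printf '%s\n' "$POSTED"      | first_postrouting_match 172.22.1.0/24
printf '%s\n' "$CONSTRUCTED" | first_postrouting_match 172.22.1.0/24
```

On a live host the listing would be piped in directly, once per backend (`iptables` and `iptables-legacy`), since the warning in the posted output says rules exist in both.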