Dear Community, recently I have ran the update.sh and got this error. No other errors have been reported during the update process. Of course mailcow doesn't work. I reverted to the previous snapshot of the system and have the 2023-09 mailcow running without issues. I have also pfsense as local resolver. Mailcow is configured to use the pfsense as resolver and it worked for more than a year without issues. I use the docker-compose command. My mailcow VM has 20 GB RAM and 4 cores from Xeon v2699v4. I would appreciate any help. [upl-image-preview url=https://community.mailcow.email/assets/files/2023-10-16/1697451844-346418-bildschirmfoto-2023-10-16-um-111535.png] [upl-image-preview url=https://community.mailcow.email/assets/files/2023-10-16/1697451844-491755-bildschirmfoto-2023-10-16-um-111554.png]

Solved. I had to additionally add: forward-zone: name: "." forward-addr: 192.168.3.1 to my unbound.conf The official documentation is inconsistent. It offers either Method A and Method B. Instead it both A and B have to be done to use an external DNS. https://docs.mailcow.email/manual-guides/Unbound/u_e-unbound-fwd/

You don't have any unbound logs? or docker (compose) logs?

@"esackbauer"#p10969 docker compose logs are: root@mailcow:/opt/mailcow-dockerized# docker logs mailcowdockerized-unbound-mailcow-1 Setting console permissions... Receiving anchor key... Receiving root hints... ######################################################################## 100.0% setup in directory /etc/unbound Certificate request self-signature ok subject=CN = unbound-control removing artifacts Setup success. Certificates created. Enable in unbound.conf file to use [1697404471] unbound[1:0] notice: init module 0: validator [1697404471] unbound[1:0] notice: init module 1: iterator [1697404471] unbound[1:0] info: start of service (unbound 1.17.1). root@mailcow:/opt/mailcow-dockerized# I don't have the unbound logs. I reverted to the previous version but I can start over again. How can I get the unbound logs?

Timestamps? is that from the failed try? And btw that is not the docker compose log. I guess you need to check there for the reason why dependency is not met and then search from there. e.g. why is unbound unhealthy? It is somewhere in the logs.

@"esackbauer"#p10971 Done it again. Hope the logs can help: mailcowdockerized-unbound-mailcow-1 | Setting console permissions... mailcowdockerized-unbound-mailcow-1 | Receiving anchor key... mailcowdockerized-unbound-mailcow-1 | Receiving root hints... ######################################################################## 100.0% mailcowdockerized-unbound-mailcow-1 | setup in directory /etc/unbound mailcowdockerized-unbound-mailcow-1 | Certificate request self-signature ok mailcowdockerized-unbound-mailcow-1 | subject=CN = unbound-control mailcowdockerized-unbound-mailcow-1 | removing artifacts mailcowdockerized-unbound-mailcow-1 | Setup success. Certificates created. Enable in unbound.conf file to use mailcowdockerized-unbound-mailcow-1 | [1697462461] unbound[1:0] notice: init module 0: validator mailcowdockerized-unbound-mailcow-1 | [1697462461] unbound[1:0] notice: init module 1: iterator mailcowdockerized-unbound-mailcow-1 | [1697462461] unbound[1:0] info: start of service (unbound 1.17.1).

That is again not the docker compose log... Its the log from within the docker cointainer. And by the way, there is a reason why unbound should NOT use any forwarders: https://docs.mailcow.email/manual-guides/u_e-why_unbound/ https://docs.mailcow.email/manual-guides/Unbound/u_e-unbound-fwd/ Read the boxes.

@"esackbauer"#p10974 I have pfBlockerNG running on Pfsense with DNSBL. It should filter spammy IPs and hosts or am I missing something? I am getting the above output by using "docker-compose logs". Sorry for nooby questions and thank you for your help!

> @"vigorio"#p10976 I have pfBlockerNG running on Pfsense with DNSBL. It should filter spammy IPs and hosts or am I missing something? Oh dear. A mailserver is not a browser. Remove the DNS forwarders and let unbound and netfilter do its job. Don't tweak settings you do not fully understand.

@"esackbauer"#p10978 Settings have been reverted to default and the rules in pfsense regarding DNS were disabled too. My system is configured to use strictly pfsense as DNS resolver for all clients inside the network. Still getting the same error with the 2023-10a. BTW it seems like unbound is starting version 1.17.1 instead of updated 18 could this be the clue? > @"esackbauer"#p10978 Don’t tweak settings you do not fully understand. This is a bit confusing since I was not able to install mailcow in my network due to strict firewall rules for DNS. > @"esackbauer"#p10978 Don’t tweak settings you do not fully understand. This is a bit confusing since I was not able to install mailcow in my network due to strict firewall rules for DNS.

Then its a better idea to run the mail server in a DMZ... > @"vigorio"#p10979 BTW it seems like unbound is starting version 1.17.1 instead of updated 18 could this be the clue? Maybe thats from the last start (before the upgrade)

> @"esackbauer"#p10983 Then its a better idea to run the mail server in a DMZ… I don't want to buy a 10Gb switch with the VLAN functionality and to pay extra for the electricity. It is expensive in Austria where I am from. I think we are missing the point. If there is a command I can execute to get the desired logs please paste it. Thank you for your help! > @"esackbauer"#p10983 Maybe thats from the last start (before the upgrade) No, I have deleted the images and the containers of unbound manually after the upgrade and pulled them back by docker-compose up -d. I get the 1.17.1 in logs instead of 18. For me it starts to seem like rather a bug in mailcow than a misconfig on my side because I have updated over the year without any problems and didn't touch the docker-compose.override.yml from the very beginning of using the mailcow a year ago.

ontainer mailcowdockerized-unbound-mailcow-1 Error

esackbauer

You are still using local resolver 127.0.0.53….
Try nslookup community.mailcow.email 8.8.8.8

crahier

It works

`xtophe@mail:~$ nslookup community.mailcow.email 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
community.mailcow.email canonical name = web01.kernstock.net.
Name: web01.kernstock.net
Address: 5.1.87.87`

but I don’t know how to change it in my server.

esackbauer

Great, so nothing is blocking DNS requests.
Then you should be good installing mailcow according to the official documentation.

crahier

I followed the documentation bu I still have this issue 😭

I’ll become crazy …

esackbauer

Check the other threads to this topic:
https://community.mailcow.email/?q=unbound%20is%20unhealthy

Sub-7

Allow ICMP protocol in the firewall helped me, server tried to ping 1.1.1.1 which didn’t work before.
I didn’t make any changes in the “unbound.conf”.

pozzo-balbi

Hi, I ran into the same problem. This is the solution I found: https://community.mailcow.email/d/2977-container-unbound-unhealthy/18

DocFraggle

They added an ICMP check to the healthcheck.sh script for the unbound container which unfortunately wasn’t announced clearly. So if you allow ICMP to external addresses through your firewall it should work again

pozzo-balbi

Further investigation showed that ipv6nat is constantly restarting. I disabled it and ipv6 is working fine inside the containers. I don’t really know what is causing the problems, but maybe it is something related to ipv6nat restarting, unbound not able to switch to healthy status during boot, postfix not seeing unbound healthy and refusing to start…
My setup involves podman instead of docker and mailcow running in a KVM behind NAT and NAT6. I’m no expert in docker/podman, so I don’t quiet understand what is going on at boot time but. The healthcheck script is never executed inside unbound. If I run it manually a logfile is created inside unbound-mailcow is saying that “ALL CHECKS WERE SUCCESSFUL”.

DocFraggle

pozzo-balbi Well, since Podman isn’t officially supported and mailcow is developed and tested with Docker only I guess this can lead to problems…

pozzo-balbi I’m no expert in docker/podman

So why do you use podman in the first place if I may ask? I guess nearly all of the users in this forum are running their mailcow with Docker and won’t be able to assist you with podman…

pozzo-balbi

So why do you use podman in the first place if I may ask?

I started my Linux adventure with Fedora and switched - due to missing stability - to Scientific Linux 6 (first available Red Hat 6 clone at that time). Since then I use primary Red Hat clones (now mostly Rocky Linux 9). Over the years I started to like the “Red Hat” way in the sense that their solutions are secure and stable. Downside, you don’t have a variety as with eg. Debian. Hence, I try to find solutions that use as much “Red Hat” as possible and “Red Hat” uses podman instead of docker. So I follow their way… Yes, I know, things got worse after the takeover from IBM…

On the upside, ipv6 seems to work well with podman so that I had to disable ipv6nat.

I guess nearly all of the users in this forum are running their mailcow with Docker and won’t be able to assist you with podman…

The same could be said about any custom setup. Would you forgo harden your system so that you have the same setup as 90% of all mailcow users?

DocFraggle

pozzo-balbi I’m using Rocky 8 myself for my mailcow, but I installed Docker CE.
In my company we started with Openshift 8 years ago, but when they switched from Docker to Podman we ran into a lot of problems and stopped using it, just saying…

I don’t know how many users in this forum have a running Podman setup with mailcow, but maybe someone can help you.

pozzo-balbi

Thanks for the advice. My setup had other problems like KVM, NAT and NAT6, firewalled ports, etc. The learning curve was a little bit steeper but I managed to get it all working and I shared my experience for others. Nice piece of software, if I may add.

« Previous Page