Mailcow seems to be blocking incoming port 25 from external network

pollywinters

Hello Mailcow community. I am trying to set up a Mailcow system on a home server, but incoming connections on port 25 from the external network appear to be being blocked within the Mailcow itself.

I am quite sure that it is not my ISP blocking the port as I have used wireshark running on my server to inspect the network traffic and can observe a SYN packet arriving into the system on port 25 when I send an email to my Mailcow domain from gmail:

The wireshark trace shows the SYN arriving from 209.85.219.173, no ACK is returned, the SYN is retransmitted nine times by the external email server, all with no ACK being sent from the Mailcow server.

If I try making an incoming telnet connection on port 25 from an external network, I see a similar behaviour - see wireshark trace:

Making the telnet connection from a device on the local network I do get a connection - see trace:
Hence it appears that the block is not caused by external filtering of port 25 by my ISP, but internal filtering dependent upon the originating IP address after the port 25 SYN has been received at my server ethernet interface.

For clarity, using SoGo (running locally either on my server, or on any other device on my local network) to send emails from my Mailcow server seems to work fine - I can send from my Mailcow domain to my gmail account with no problem, but sending replies back from gmail results in the behaviour of SYN’s arriving via my ISP on port 25, but no ACK’s being generated by the Mailcow server, as described above.

I am not aware of any origin-dependent block of port 25 being caused by my firewall.
Here is the listing of my iptables settings:
`root@horizon1:/opt/mailcow-dockerized# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ufw-before-logging-forward all – anywhere anywhere
ufw-before-forward all – anywhere anywhere
ufw-after-forward all – anywhere anywhere
ufw-after-logging-forward all – anywhere anywhere
ufw-reject-forward all – anywhere anywhere
ufw-track-forward all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all – anywhere anywhere
ufw-before-output all – anywhere anywhere
ufw-after-output all – anywhere anywhere
ufw-after-logging-output all – anywhere anywhere
ufw-reject-output all – anywhere anywhere
ufw-track-output all – anywhere anywhere

Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.18.0.2 tcp dpt:8000
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:smtp
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submissions
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submission
ACCEPT tcp – anywhere 172.22.1.13 tcp dpt:45443
ACCEPT tcp – anywhere 172.22.1.13 tcp dpt:45480

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
ufw-user-forward all – anywhere anywhere
RETURN all – 10.0.0.0/8 anywhere
RETURN all – 172.16.0.0/12 anywhere
RETURN all – 192.168.0.0/16 anywhere
RETURN udp – anywhere anywhere udp spt:domain dpts:1024:65535
ufw-docker-logging-deny tcp – anywhere 192.168.0.0/16 tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny tcp – anywhere 10.0.0.0/8 tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny tcp – anywhere 172.16.0.0/12 tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny udp – anywhere 192.168.0.0/16 udp dpts:0:32767
ufw-docker-logging-deny udp – anywhere 10.0.0.0/8 udp dpts:0:32767
ufw-docker-logging-deny udp – anywhere 172.16.0.0/12 udp dpts:0:32767
RETURN all – anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP tcp – anywhere anywhere /* mailcow isolation */

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp – anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp – anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp – anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp – anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp – anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp – anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all – anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all – anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix “[UFW BLOCK] ”

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all – anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix “[UFW BLOCK] ”

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp – anywhere anywhere icmp destination-unreachable
ACCEPT icmp – anywhere anywhere icmp time-exceeded
ACCEPT icmp – anywhere anywhere icmp parameter-problem
ACCEPT icmp – anywhere anywhere icmp echo-request
ufw-user-forward all – anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all – anywhere anywhere ctstate INVALID
DROP all – anywhere anywhere ctstate INVALID
ACCEPT icmp – anywhere anywhere icmp destination-unreachable
ACCEPT icmp – anywhere anywhere icmp time-exceeded
ACCEPT icmp – anywhere anywhere icmp parameter-problem
ACCEPT icmp – anywhere anywhere icmp echo-request
ACCEPT udp – anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all – anywhere anywhere
ACCEPT udp – anywhere mdns.mcast.net udp dpt:mdns
ACCEPT udp – anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all – anywhere anywhere

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all – anywhere anywhere

Chain ufw-docker-logging-deny (6 references)
target prot opt source destination
LOG all – anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix “[UFW DOCKER BLOCK] ”
DROP all – anywhere anywhere

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all – anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix “[UFW ALLOW] ”

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all – anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all – anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix “[UFW BLOCK] ”

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all – anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all – anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all – anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all – anywhere anywhere limit: avg 3/min burst 10
DROP all – anywhere anywhere

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all – anywhere anywhere

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all – anywhere anywhere

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all – anywhere anywhere

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp – anywhere anywhere ctstate NEW
ACCEPT udp – anywhere anywhere ctstate NEW

Chain ufw-user-forward (2 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp – anywhere anywhere tcp dpt:45300
DROP tcp – anywhere anywhere tcp dpt:45200
ACCEPT tcp – anywhere anywhere tcp dpt:5900
ACCEPT udp – anywhere anywhere udp dpt:5900
ACCEPT tcp – anywhere anywhere tcp dpt:smtp
ACCEPT tcp – anywhere anywhere tcp dpt:pop3
ACCEPT tcp – anywhere anywhere tcp dpt:imap2
ACCEPT tcp – anywhere anywhere tcp dpt:submissions
ACCEPT tcp – anywhere anywhere tcp dpt:submission
ACCEPT tcp – anywhere anywhere tcp dpt:imaps
ACCEPT tcp – anywhere anywhere tcp dpt:pop3s
ACCEPT tcp – anywhere anywhere tcp dpt:sieve
ACCEPT udp – anywhere anywhere udp dpt:4190
ACCEPT tcp – anywhere anywhere multiport dports http,https
ACCEPT udp – anywhere anywhere multiport dports netbios-ns,netbios-dgm
ACCEPT tcp – anywhere anywhere multiport dports netbios-ssn,microsoft-ds
ACCEPT tcp – anywhere anywhere tcp dpt:ssh

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all – anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix “[UFW LIMIT BLOCK] ”
REJECT all – anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all – anywhere anywhere

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination
ACCEPT tcp – anywhere anywhere tcp dpt:smtp
ACCEPT tcp – anywhere anywhere tcp dpt:pop3
ACCEPT tcp – anywhere anywhere tcp dpt:imap2
ACCEPT tcp – anywhere anywhere tcp dpt:submissions
ACCEPT tcp – anywhere anywhere tcp dpt:submission
ACCEPT tcp – anywhere anywhere tcp dpt:imaps
ACCEPT tcp – anywhere anywhere tcp dpt:pop3s
ACCEPT tcp – anywhere anywhere multiport dports http,https
ACCEPT udp – anywhere anywhere multiport dports netbios-ns,netbios-dgm
ACCEPT tcp – anywhere anywhere multiport dports netbios-ssn,microsoft-ds
root@horizon1:/opt/mailcow-dockerized#
`
I don’t recognise anything there that should be blocking the port 25 connection.
Also within the “Forwarding Hosts” table in the Mailcow UI, I have explicitly included the IP addresses of the gmail server and the external network telnet client, so these should not be subject to any blacklisting.

Is there some additional firewalling or IP blacklisting mechanism within Mailcow that I am not aware of?
Is there any mechanism for temporarily disabling all firewalling mechanisms within the Mailcow docker containers, and disabling all the address blacklisting features, so that I can try to diagnose where the fault is occuring?
I am aware of many other community postings here regarding port 25 being blocked, but they all seem to be a case of the external ISP doing the blocking. Where here my wireshark traces seem to show that the ISP is passing through the SYN request to open the port 25 connection, and the blockage is within my system, dependent upon the originating network IP.
Hoping that somebody can help please.

DocFraggle

What’s the output of

netstat -tulpen

Check if a local sendmail/postfix service is running on port 25! If so, you have to stop and disable it

pollywinters

Hi DocFraggle. Output of netstat -tulpen:

root@horizon1:/opt/mailcow-dockerized# Active Internet connections Proto Recv-Q Send-Q Local Address tcp 0 0 127.0.0.1:18983 tcp 0 0 127.0.0.1:3306 tcp 0 0 127.0.0.1:19991 tcp 0 0 127.0.0.1:631 tcp 0 0 127.0.0.53:53 tcp 0 0 127.0.0.1:7654 tcp 0 0 0.0.0.0:45102 tcp 0 0 0.0.0.0:45103 tcp 0 0 0.0.0.0:45100 tcp 0 0 0.0.0.0:45101 tcp 0 0 0.0.0.0:45300 tcp 0 0 127.0.0.1:27017 tcp 0 0 0.0.0.0:465 tcp 0 0 0.0.0.0:443 tcp 0 0 0.0.0.0:445 tcp 0 0 0.0.0.0:80 tcp 0 0 0.0.0.0:110 tcp 0 0 0.0.0.0:25 tcp 0 0 0.0.0.0:139 tcp 0 0 0.0.0.0:143 tcp 0 0 0.0.0.0:995 tcp 0 0 0.0.0.0:993 tcp 0 0 0.0.0.0:587 tcp 0 0 127.0.0.1:45443 tcp 0 0 127.0.0.1:45480 tcp 0 0 0.0.0.0:5900 tcp 0 0 127.0.0.1:13306 tcp 0 0 0.0.0.0:4190 tcp6 0 0 :::45000 tcp6 0 0 ::1:631 tcp6 0 0 :::45300 tcp6 0 0 :::45200 tcp6 0 0 :::1716 tcp6 0 0 :::465 tcp6 0 0 :::443 tcp6 0 0 :::445 tcp6 0 0 :::110 tcp6 0 0 :::25 tcp6 0 0 :::139 tcp6 0 0 :::143 tcp6 0 0 :::995 tcp6 0 0 :::993 tcp6 0 0 :::587 tcp6 0 0 :::5900 tcp6 0 0 :::4190 udp 0 0 127.0.0.53:53 udp 0 0 172.22.1.255:137 udp 0 0 172.22.1.1:137 udp 0 0 172.18.255.255:137 udp 0 0 172.18.0.1:137 udp 0 0 172.17.255.255:137 udp 0 0 172.17.0.1:137 udp 0 0 192.168.1.255:137 udp 0 0 192.168.1.177:137 udp 0 0 0.0.0.0:137 udp 0 0 172.22.1.255:138 udp 0 0 172.22.1.1:138 udp 0 0 172.18.255.255:138 udp 0 0 172.18.0.1:138 udp 0 0 172.17.255.255:138 udp 0 0 172.17.0.1:138 udp 0 0 192.168.1.255:138 udp 0 0 192.168.1.177:138 udp 0 0 0.0.0.0:138 udp 0 0 0.0.0.0:5353 udp 0 0 0.0.0.0:57525 udp6 0 0 :::1716 udp6 0 0 :::5353 udp6 0 0 :::59394 root@horizon1:/opt/mailcow-docker Shows that port 25 is open for LISTEN by I then down’ed the Mailcow root@horizon1:/opt/mailcow-dockerized# Active Internet connections Proto Recv-Q Send-Q Local Address tcp 0 0 127.0.0.1:3306 tcp 0 0 127.0.0.1:631 tcp 0 0 127.0.0.53:53 tcp 0 0 0.0.0.0:45102 tcp 0 0 0.0.0.0:45103 tcp 0 0 0.0.0.0:45100 tcp 0 0 0.0.0.0:45101 tcp 0 0 0.0.0.0:45300 tcp 0 0 127.0.0.1:27017 tcp 0 0 0.0.0.0:443 tcp 0 0 0.0.0.0:445 tcp 0 0 0.0.0.0:80 tcp 0 0 0.0.0.0:139 tcp 0 0 0.0.0.0:5900 tcp6 0 0 :::45000 tcp6 0 0 ::1:631 tcp6 0 0 :::45300 tcp6 0 0 :::45200 tcp6 0 0 :::1716 tcp6 0 0 :::443 tcp6 0 0 :::445 tcp6 0 0 :::139 tcp6 0 0 :::5900 udp 0 0 127.0.0.53:53 udp 0 0 172.18.255.255:137 udp 0 0 172.18.0.1:137 udp 0 0 172.17.255.255:137 udp 0 0 172.17.0.1:137 udp 0 0 192.168.1.255:137 udp 0 0 192.168.1.177:137 udp 0 0 0.0.0.0:137 udp 0 0 172.18.255.255:138 udp 0 0 172.18.0.1:138 udp 0 0 172.17.255.255:138 udp 0 0 172.17.0.1:138 udp 0 0 192.168.1.255:138 udp 0 0 192.168.1.177:138 udp 0 0 0.0.0.0:138 udp 0 0 0.0.0.0:5353 udp 0 0 0.0.0.0:57525 udp6 0 0 :::1716 udp6 0 0 :::5353 udp6 0 0 :::59394 root@horizon1:/opt/mailcow-docker So it does seem that it With the Mailcow docker pauline@colossus:~$ Trying 192.168.1.177... Connected to 192.168.1.177. Escape character is '^]'. 220 mailcow.thehorizonsedge.co.uk 220 mailcow.thehorizonsedge.co.uk So the connection is being Telnet to my server from $ telnet mailcow.thehorizonsedge.co.uk Trying 94.196.140.206... Connected to mailcow.thehorizonse Escape character is '^]'. and then after a couple (94.196.140.206 is the correct netstat -tulpen (only servers) Foreign Address State User Inode PID/Program name 0.0.0.0:* LISTEN 0 18288821 521192/docker-proxy 0.0.0.0:* LISTEN 129 12954 1475/mariadbd 0.0.0.0:* LISTEN 0 18282481 521733/docker-proxy 0.0.0.0:* LISTEN 0 17336380 308986/cupsd 0.0.0.0:* LISTEN 101 8914 911/systemd-resolve 0.0.0.0:* LISTEN 0 18292058 521124/docker-proxy 0.0.0.0:* LISTEN 1000 18646 1417/./node/bin/nod 0.0.0.0:* LISTEN 1000 8059 1416/./node/bin/nod 0.0.0.0:* LISTEN 1000 15197 1415/./node/bin/nod 0.0.0.0:* LISTEN 1000 17643 1414/./node/bin/nod 0.0.0.0:* LISTEN 0 20789 2651/docker-proxy 0.0.0.0:* LISTEN 128 8081 2267/mongod 0.0.0.0:* LISTEN 0 18335187 525044/docker-proxy 0.0.0.0:* LISTEN 0 17889395 443151/nginx: maste 0.0.0.0:* LISTEN 0 20678 2302/smbd 0.0.0.0:* LISTEN 0 17889394 443151/nginx: maste 0.0.0.0:* LISTEN 0 18284233 521645/docker-proxy 0.0.0.0:* LISTEN 0 18344987 525029/docker-proxy 0.0.0.0:* LISTEN 0 20679 2302/smbd 0.0.0.0:* LISTEN 0 18284238 521660/docker-proxy 0.0.0.0:* LISTEN 0 18295857 521700/docker-proxy 0.0.0.0:* LISTEN 0 18294105 521676/docker-proxy 0.0.0.0:* LISTEN 0 18339808 525057/docker-proxy 0.0.0.0:* LISTEN 0 18340741 525653/docker-proxy 0.0.0.0:* LISTEN 0 18349295 525660/docker-proxy 0.0.0.0:* LISTEN 0 23270 3084/x11vnc 0.0.0.0:* LISTEN 0 18283272 521404/docker-proxy 0.0.0.0:* LISTEN 0 18293469 521715/docker-proxy :::* LISTEN 0 15067 1534/apache2 :::* LISTEN 0 17336379 308986/cupsd :::* LISTEN 0 6111 2660/docker-proxy :::* LISTEN 1000 26652 2870/node /home/pol :::* LISTEN 1000 21916 3795/kdeconnectd :::* LISTEN 0 18336410 525050/docker-proxy :::* LISTEN 0 17889396 443151/nginx: maste :::* LISTEN 0 20676 2302/smbd :::* LISTEN 0 18294096 521651/docker-proxy :::* LISTEN 0 18344992 525036/docker-proxy :::* LISTEN 0 20677 2302/smbd :::* LISTEN 0 18293464 521668/docker-proxy :::* LISTEN 0 18294110 521709/docker-proxy :::* LISTEN 0 18295182 521692/docker-proxy :::* LISTEN 0 18343077 525067/docker-proxy :::* LISTEN 0 23271 3084/x11vnc :::* LISTEN 0 18287390 521724/docker-proxy 0.0.0.0:* 101 8913 911/systemd-resolve 0.0.0.0:* 0 18170544 2268/nmbd 0.0.0.0:* 0 18170543 2268/nmbd 0.0.0.0:* 0 40968 2268/nmbd 0.0.0.0:* 0 40967 2268/nmbd 0.0.0.0:* 0 40964 2268/nmbd 0.0.0.0:* 0 40963 2268/nmbd 0.0.0.0:* 0 18695 2268/nmbd 0.0.0.0:* 0 18694 2268/nmbd 0.0.0.0:* 0 18682 2268/nmbd 0.0.0.0:* 0 18170546 2268/nmbd 0.0.0.0:* 0 18170545 2268/nmbd 0.0.0.0:* 0 40970 2268/nmbd 0.0.0.0:* 0 40969 2268/nmbd 0.0.0.0:* 0 40966 2268/nmbd 0.0.0.0:* 0 40965 2268/nmbd 0.0.0.0:* 0 18697 2268/nmbd 0.0.0.0:* 0 18696 2268/nmbd 0.0.0.0:* 0 18683 2268/nmbd 0.0.0.0:* 114 16386 1002/avahi-daemon: 0.0.0.0:* 114 16388 1002/avahi-daemon: :::* 1000 21915 3795/kdeconnectd :::* 114 16387 1002/avahi-daemon: :::* 114 16389 1002/avahi-daemon: ized# 525029/docker-proxy. docker and repeated the netstat, getting the output: netstat -tulpen (only servers) Foreign Address State User Inode PID/Program name 0.0.0.0:* LISTEN 129 12954 1475/mariadbd 0.0.0.0:* LISTEN 0 17336380 308986/cupsd 0.0.0.0:* LISTEN 101 8914 911/systemd-resolve 0.0.0.0:* LISTEN 1000 18646 1417/./node/bin/nod 0.0.0.0:* LISTEN 1000 8059 1416/./node/bin/nod 0.0.0.0:* LISTEN 1000 15197 1415/./node/bin/nod 0.0.0.0:* LISTEN 1000 17643 1414/./node/bin/nod 0.0.0.0:* LISTEN 0 20789 2651/docker-proxy 0.0.0.0:* LISTEN 128 8081 2267/mongod 0.0.0.0:* LISTEN 0 17889395 443151/nginx: maste 0.0.0.0:* LISTEN 0 20678 2302/smbd 0.0.0.0:* LISTEN 0 17889394 443151/nginx: maste 0.0.0.0:* LISTEN 0 20679 2302/smbd 0.0.0.0:* LISTEN 0 23270 3084/x11vnc :::* LISTEN 0 15067 1534/apache2 :::* LISTEN 0 17336379 308986/cupsd :::* LISTEN 0 6111 2660/docker-proxy :::* LISTEN 1000 26652 2870/node /home/pol :::* LISTEN 1000 21916 3795/kdeconnectd :::* LISTEN 0 17889396 443151/nginx: maste :::* LISTEN 0 20676 2302/smbd :::* LISTEN 0 20677 2302/smbd :::* LISTEN 0 23271 3084/x11vnc 0.0.0.0:* 101 8913 911/systemd-resolve 0.0.0.0:* 0 40968 2268/nmbd 0.0.0.0:* 0 40967 2268/nmbd 0.0.0.0:* 0 40964 2268/nmbd 0.0.0.0:* 0 40963 2268/nmbd 0.0.0.0:* 0 18695 2268/nmbd 0.0.0.0:* 0 18694 2268/nmbd 0.0.0.0:* 0 18682 2268/nmbd 0.0.0.0:* 0 40970 2268/nmbd 0.0.0.0:* 0 40969 2268/nmbd 0.0.0.0:* 0 40966 2268/nmbd 0.0.0.0:* 0 40965 2268/nmbd 0.0.0.0:* 0 18697 2268/nmbd 0.0.0.0:* 0 18696 2268/nmbd 0.0.0.0:* 0 18683 2268/nmbd 0.0.0.0:* 114 16386 1002/avahi-daemon: 0.0.0.0:* 114 16388 1002/avahi-daemon: :::* 1000 21915 3795/kdeconnectd :::* 114 16387 1002/avahi-daemon: :::* 114 16389 1002/avahi-daemon: ized# is only the Mailcow that is using port 25. back up, when I telnet into port 25 from another device on my local network, the output I get is: telnet 192.168.1.177 25 ESMTP Postcow ESMTP Postcow
made with my Mailcow instance.
an external device gives:
25
dge.co.uk.
of minutes with nothing else, says “Connection closed by foreign host.”
external IP for my router, which is configured to forward all the ports required for email to my server on 192.168.1.177 internally). As previously established, telnet from the external device does send the opening SYN for port 25 to my server, but it seems to be filtered internally and no ACK is returned.

DocFraggle

I can’t reach any of your mail services (25, 465, 587, 143)… I suggest checking the port forwarding of your router, as this seems to be no mailcow problem.

root@mailserver:/opt/mailcow-dockerized# telnet mailcow.thehorizonsedge.co.uk 25
Trying 94.196.140.206...
^C
root@mailserver:/opt/mailcow-dockerized# telnet mailcow.thehorizonsedge.co.uk 143
Trying 94.196.140.206...
^C
root@mailserver:/opt/mailcow-dockerized# telnet mailcow.thehorizonsedge.co.uk 587
Trying 94.196.140.206...
^C
root@mailserver:/opt/mailcow-dockerized# telnet mailcow.thehorizonsedge.co.uk 465
Trying 94.196.140.206...
^C

pollywinters

Hi DocFraggle,
The problem seems to be something to do with the proxy that forwards packets received from the enp1s0 ethernet interface of my server to the br-mailcow virtual interface. I have run a pair of wireshark sessions side by side, showing the activity on the pair of interfaces. In the following screenshots, the left hand WS session shows the receive/transmit for port 25 on the external enp1s0 interface, the right hand WS session shows the resulting traffic of the packets through the br-mailcow bridge interface.
First image here shows activity when making a telnet connection to port 25 from a device on the local network:

As you can see the activity commences at time 0.000000000 with a [SYN] received on enp1s0, source 192.168.1.85:40642, destination 192.168.1.177:25. This packet is forwarded to the br-mailcow bridge as source 192.168.1.85:40642, destination 172.22.1.253:25. At time 0.000033675 on the mailcow-br we see the reply packet [SYN, ACK] 172.22.1.253:25 back to 192.168.1.85:48642. This then reaches the enp1s0 interface at time 0.000089945 as source 192.168.1.177:25 to destination 192.168.1.85:40642. Subsequent packets then follow going to and from the interfaces exactly as one would expect, resulting in an active connection and the text line “mailcow.thehorizonsedge.co.uk ESMTP Postcow” being sent back to the telnet client on the remote device.
The image below now shows the activity captured making the telnet connection using the same device, but moved out of the local network:

What we now see is the same reception of a [SYN] on the enp1s0 network at time 0.000000000, but this is now source 82.132.247.40:57782 going to 192.168.1.177:25. There is no forwarding of the packet onto the mailcow-br bridge interface, hence no possibility of any reply. The remote device just retransmits the [SYN] at intervals.
The issue is clearly nothing to do with the external ISP or configuration of port forwarding on my router, as the [SYN] for destination 192.168.1.177:25 is received into my server PC from the ethernet interface the same way in both instances. However the packet is only forwarded to the mailcow-br bridge when the source IP is within the local network.
Your tests of all the Mailcow related ports of my server seem to show that the same effect is occurring for all these ports - packets only being forwarded from the enp1s0 external interface to the mailcow-br interface if the source IP in on the local network.
So, is there some configuration file that I can inspect that controls the packet forwarding from the external ethernet interface to the mailcow-br bridge? My “iptables - L” output is in the messages above, is there any other useful info that I can collect relating to packet forwarding/firewalling within my server?
Best regards, Polly

DocFraggle

Please disable ufw, restart the stack and try again. As the docs state, you shouldn’t use ufw as it can cause severe problems, and I have a feeling that this may be the problem here

pollywinters

Hi DocFraggle, yes that seems to have fixed it, emails are now flowing correctly, telnet connections to port 25 from outside the local network are working correctly. It does seem that the interaction of the rules added into iptables by ufw, docker and mailcow causes some contradiction that is not immediately obvious just from inspection of the iptables saved rules.
I now need to do a permanent disable of ufw on my server, then figure out some safe set of iptables rules to use in order to provide safe firewalling for the other services of my server. The mailcow docs link that you provided gives me somewhere to start, but I can see the need to do some deep diving into iptables operation and command syntax in the near future. Possibly I should write up an article if I manage to figure it all out!
Thank you for your help. Best regards, Polly.