Hello Mailcow community. I am trying to set up a Mailcow system on a home server, but incoming connections on port 25 from the external network appear to be blocked within Mailcow itself.

I am quite sure that it is not my ISP blocking the port, as I have used Wireshark running on my server to inspect the network traffic and can observe a SYN packet arriving into the system on port 25 when I send an email to my Mailcow domain from Gmail:

The Wireshark trace shows the SYN arriving from 209.85.219.173. No ACK is returned, and the SYN is retransmitted nine times by the external email server, all with no ACK being sent from the Mailcow server.

If I try making an incoming telnet connection on port 25 from an external network, I see a similar behaviour - see Wireshark trace:

Making the telnet connection from a device on the local network I do get a connection - see trace:

Hence it appears that the block is not caused by external filtering of port 25 by my ISP, but internal filtering dependent upon the originating IP address after the port 25 SYN has been received at my server ethernet interface.

For clarity, using SOGo (running locally either on my server, or on any other device on my local network) to send emails from my Mailcow server seems to work fine - I can send from my Mailcow domain to my Gmail account with no problem, but sending replies back from Gmail results in the behaviour of SYNs arriving via my ISP on port 25, but no ACKs being generated by the Mailcow server, as described above.

I am not aware of any origin-dependent block of port 25 being caused by my firewall.
Here is the listing of my iptables settings:
```
root@horizon1:/opt/mailcow-dockerized# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:8000
ACCEPT tcp -- anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp -- anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp -- anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:12345
ACCEPT tcp -- anywhere 172.22.1.253 tcp dpt:smtp
ACCEPT tcp -- anywhere 172.22.1.253 tcp dpt:submissions
ACCEPT tcp -- anywhere 172.22.1.253 tcp dpt:submission
ACCEPT tcp -- anywhere 172.22.1.13 tcp dpt:45443
ACCEPT tcp -- anywhere 172.22.1.13 tcp dpt:45480

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
RETURN all -- 10.0.0.0/8 anywhere
RETURN all -- 172.16.0.0/12 anywhere
RETURN all -- 192.168.0.0/16 anywhere
RETURN udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ufw-docker-logging-deny tcp -- anywhere 192.168.0.0/16 tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny tcp -- anywhere 10.0.0.0/8 tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny tcp -- anywhere 172.16.0.0/12 tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny udp -- anywhere 192.168.0.0/16 udp dpts:0:32767
ufw-docker-logging-deny udp -- anywhere 10.0.0.0/8 udp dpts:0:32767
ufw-docker-logging-deny udp -- anywhere 172.16.0.0/12 udp dpts:0:32767
RETURN all -- anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere /* mailcow isolation */

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere mdns.mcast.net udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere

Chain ufw-docker-logging-deny (6 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW DOCKER BLOCK] "
DROP all -- anywhere anywhere

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW

Chain ufw-user-forward (2 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:45300
DROP tcp -- anywhere anywhere tcp dpt:45200
ACCEPT tcp -- anywhere anywhere tcp dpt:5900
ACCEPT udp -- anywhere anywhere udp dpt:5900
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:submissions
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:sieve
ACCEPT udp -- anywhere anywhere udp dpt:4190
ACCEPT tcp -- anywhere anywhere multiport dports http,https
ACCEPT udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm
ACCEPT tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:submissions
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere multiport dports http,https
ACCEPT udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm
ACCEPT tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds
root@horizon1:/opt/mailcow-dockerized#
```
I don’t recognise anything there that should be blocking the port 25 connection.
Also within the “Forwarding Hosts” table in the Mailcow UI, I have explicitly included the IP addresses of the gmail server and the external network telnet client, so these should not be subject to any blacklisting.

Is there some additional firewalling or IP blacklisting mechanism within Mailcow that I am not aware of?
Is there any mechanism for temporarily disabling all firewalling mechanisms within the Mailcow Docker containers, and disabling all the address blacklisting features, so that I can try to diagnose where the fault is occurring?
I am aware of many other community postings here regarding port 25 being blocked, but they all seem to be a case of the external ISP doing the blocking, whereas here my Wireshark traces seem to show that the ISP is passing through the SYN request to open the port 25 connection, and the blockage is within my system, dependent upon the originating network IP.
Hoping that somebody can help please.

  • Please disable ufw, restart the stack and try again. As the docs state, you shouldn’t use ufw as it can cause severe problems, and I have a feeling that this may be the problem here.

What’s the output of

netstat -tulpen

Check if a local sendmail/postfix service is running on port 25! If so, you have to stop and disable it


Hi DocFraggle. Output of netstat -tulpen:

```
root@horizon1:/opt/mailcow-dockerized# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:18983 0.0.0.0:* LISTEN 0 18288821 521192/docker-proxy
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 129 12954 1475/mariadbd
tcp 0 0 127.0.0.1:19991 0.0.0.0:* LISTEN 0 18282481 521733/docker-proxy
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 17336380 308986/cupsd
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 8914 911/systemd-resolve
tcp 0 0 127.0.0.1:7654 0.0.0.0:* LISTEN 0 18292058 521124/docker-proxy
tcp 0 0 0.0.0.0:45102 0.0.0.0:* LISTEN 1000 18646 1417/./node/bin/nod
tcp 0 0 0.0.0.0:45103 0.0.0.0:* LISTEN 1000 8059 1416/./node/bin/nod
tcp 0 0 0.0.0.0:45100 0.0.0.0:* LISTEN 1000 15197 1415/./node/bin/nod
tcp 0 0 0.0.0.0:45101 0.0.0.0:* LISTEN 1000 17643 1414/./node/bin/nod
tcp 0 0 0.0.0.0:45300 0.0.0.0:* LISTEN 0 20789 2651/docker-proxy
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 128 8081 2267/mongod
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 0 18335187 525044/docker-proxy
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 17889395 443151/nginx: maste
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 0 20678 2302/smbd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 17889394 443151/nginx: maste
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 0 18284233 521645/docker-proxy
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 18344987 525029/docker-proxy
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 0 20679 2302/smbd
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 0 18284238 521660/docker-proxy
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 0 18295857 521700/docker-proxy
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 0 18294105 521676/docker-proxy
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 0 18339808 525057/docker-proxy
tcp 0 0 127.0.0.1:45443 0.0.0.0:* LISTEN 0 18340741 525653/docker-proxy
tcp 0 0 127.0.0.1:45480 0.0.0.0:* LISTEN 0 18349295 525660/docker-proxy
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 0 23270 3084/x11vnc
tcp 0 0 127.0.0.1:13306 0.0.0.0:* LISTEN 0 18283272 521404/docker-proxy
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 0 18293469 521715/docker-proxy
tcp6 0 0 :::45000 :::* LISTEN 0 15067 1534/apache2
tcp6 0 0 ::1:631 :::* LISTEN 0 17336379 308986/cupsd
tcp6 0 0 :::45300 :::* LISTEN 0 6111 2660/docker-proxy
tcp6 0 0 :::45200 :::* LISTEN 1000 26652 2870/node /home/pol
tcp6 0 0 :::1716 :::* LISTEN 1000 21916 3795/kdeconnectd
tcp6 0 0 :::465 :::* LISTEN 0 18336410 525050/docker-proxy
tcp6 0 0 :::443 :::* LISTEN 0 17889396 443151/nginx: maste
tcp6 0 0 :::445 :::* LISTEN 0 20676 2302/smbd
tcp6 0 0 :::110 :::* LISTEN 0 18294096 521651/docker-proxy
tcp6 0 0 :::25 :::* LISTEN 0 18344992 525036/docker-proxy
tcp6 0 0 :::139 :::* LISTEN 0 20677 2302/smbd
tcp6 0 0 :::143 :::* LISTEN 0 18293464 521668/docker-proxy
tcp6 0 0 :::995 :::* LISTEN 0 18294110 521709/docker-proxy
tcp6 0 0 :::993 :::* LISTEN 0 18295182 521692/docker-proxy
tcp6 0 0 :::587 :::* LISTEN 0 18343077 525067/docker-proxy
tcp6 0 0 :::5900 :::* LISTEN 0 23271 3084/x11vnc
tcp6 0 0 :::4190 :::* LISTEN 0 18287390 521724/docker-proxy
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 8913 911/systemd-resolve
udp 0 0 172.22.1.255:137 0.0.0.0:* 0 18170544 2268/nmbd
udp 0 0 172.22.1.1:137 0.0.0.0:* 0 18170543 2268/nmbd
udp 0 0 172.18.255.255:137 0.0.0.0:* 0 40968 2268/nmbd
udp 0 0 172.18.0.1:137 0.0.0.0:* 0 40967 2268/nmbd
udp 0 0 172.17.255.255:137 0.0.0.0:* 0 40964 2268/nmbd
udp 0 0 172.17.0.1:137 0.0.0.0:* 0 40963 2268/nmbd
udp 0 0 192.168.1.255:137 0.0.0.0:* 0 18695 2268/nmbd
udp 0 0 192.168.1.177:137 0.0.0.0:* 0 18694 2268/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 0 18682 2268/nmbd
udp 0 0 172.22.1.255:138 0.0.0.0:* 0 18170546 2268/nmbd
udp 0 0 172.22.1.1:138 0.0.0.0:* 0 18170545 2268/nmbd
udp 0 0 172.18.255.255:138 0.0.0.0:* 0 40970 2268/nmbd
udp 0 0 172.18.0.1:138 0.0.0.0:* 0 40969 2268/nmbd
udp 0 0 172.17.255.255:138 0.0.0.0:* 0 40966 2268/nmbd
udp 0 0 172.17.0.1:138 0.0.0.0:* 0 40965 2268/nmbd
udp 0 0 192.168.1.255:138 0.0.0.0:* 0 18697 2268/nmbd
udp 0 0 192.168.1.177:138 0.0.0.0:* 0 18696 2268/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 0 18683 2268/nmbd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 114 16386 1002/avahi-daemon:
udp 0 0 0.0.0.0:57525 0.0.0.0:* 114 16388 1002/avahi-daemon:
udp6 0 0 :::1716 :::* 1000 21915 3795/kdeconnectd
udp6 0 0 :::5353 :::* 114 16387 1002/avahi-daemon:
udp6 0 0 :::59394 :::* 114 16389 1002/avahi-daemon:
root@horizon1:/opt/mailcow-dockerized#
```

This shows that port 25 is open for LISTEN by 525029/docker-proxy.
I then downed the Mailcow Docker stack and repeated the netstat, getting the output:
```
root@horizon1:/opt/mailcow-dockerized# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 129 12954 1475/mariadbd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 17336380 308986/cupsd
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101 8914 911/systemd-resolve
tcp 0 0 0.0.0.0:45102 0.0.0.0:* LISTEN 1000 18646 1417/./node/bin/nod
tcp 0 0 0.0.0.0:45103 0.0.0.0:* LISTEN 1000 8059 1416/./node/bin/nod
tcp 0 0 0.0.0.0:45100 0.0.0.0:* LISTEN 1000 15197 1415/./node/bin/nod
tcp 0 0 0.0.0.0:45101 0.0.0.0:* LISTEN 1000 17643 1414/./node/bin/nod
tcp 0 0 0.0.0.0:45300 0.0.0.0:* LISTEN 0 20789 2651/docker-proxy
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 128 8081 2267/mongod
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 17889395 443151/nginx: maste
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 0 20678 2302/smbd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 17889394 443151/nginx: maste
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 0 20679 2302/smbd
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 0 23270 3084/x11vnc
tcp6 0 0 :::45000 :::* LISTEN 0 15067 1534/apache2
tcp6 0 0 ::1:631 :::* LISTEN 0 17336379 308986/cupsd
tcp6 0 0 :::45300 :::* LISTEN 0 6111 2660/docker-proxy
tcp6 0 0 :::45200 :::* LISTEN 1000 26652 2870/node /home/pol
tcp6 0 0 :::1716 :::* LISTEN 1000 21916 3795/kdeconnectd
tcp6 0 0 :::443 :::* LISTEN 0 17889396 443151/nginx: maste
tcp6 0 0 :::445 :::* LISTEN 0 20676 2302/smbd
tcp6 0 0 :::139 :::* LISTEN 0 20677 2302/smbd
tcp6 0 0 :::5900 :::* LISTEN 0 23271 3084/x11vnc
udp 0 0 127.0.0.53:53 0.0.0.0:* 101 8913 911/systemd-resolve
udp 0 0 172.18.255.255:137 0.0.0.0:* 0 40968 2268/nmbd
udp 0 0 172.18.0.1:137 0.0.0.0:* 0 40967 2268/nmbd
udp 0 0 172.17.255.255:137 0.0.0.0:* 0 40964 2268/nmbd
udp 0 0 172.17.0.1:137 0.0.0.0:* 0 40963 2268/nmbd
udp 0 0 192.168.1.255:137 0.0.0.0:* 0 18695 2268/nmbd
udp 0 0 192.168.1.177:137 0.0.0.0:* 0 18694 2268/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 0 18682 2268/nmbd
udp 0 0 172.18.255.255:138 0.0.0.0:* 0 40970 2268/nmbd
udp 0 0 172.18.0.1:138 0.0.0.0:* 0 40969 2268/nmbd
udp 0 0 172.17.255.255:138 0.0.0.0:* 0 40966 2268/nmbd
udp 0 0 172.17.0.1:138 0.0.0.0:* 0 40965 2268/nmbd
udp 0 0 192.168.1.255:138 0.0.0.0:* 0 18697 2268/nmbd
udp 0 0 192.168.1.177:138 0.0.0.0:* 0 18696 2268/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 0 18683 2268/nmbd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 114 16386 1002/avahi-daemon:
udp 0 0 0.0.0.0:57525 0.0.0.0:* 114 16388 1002/avahi-daemon:
udp6 0 0 :::1716 :::* 1000 21915 3795/kdeconnectd
udp6 0 0 :::5353 :::* 114 16387 1002/avahi-daemon:
udp6 0 0 :::59394 :::* 114 16389 1002/avahi-daemon:
root@horizon1:/opt/mailcow-dockerized#
```

So it does seem that it is only Mailcow that is using port 25.
With the Mailcow Docker stack back up, when I telnet into port 25 from another device on my local network, the output I get is:
```
pauline@colossus:~$ telnet 192.168.1.177 25
Trying 192.168.1.177...
Connected to 192.168.1.177.
Escape character is '^]'.
220 mailcow.thehorizonsedge.co.uk ESMTP Postcow
220 mailcow.thehorizonsedge.co.uk ESMTP Postcow
```

So the connection is being made with my Mailcow instance.
Telnet to my server from an external device gives:
```
$ telnet mailcow.thehorizonsedge.co.uk 25
Trying 94.196.140.206...
Connected to mailcow.thehorizonsedge.co.uk.
Escape character is '^]'.
```

and then after a couple of minutes with nothing else, says “Connection closed by foreign host.”
(94.196.140.206 is the correct external IP for my router, which is configured to forward all the ports required for email to my server on 192.168.1.177 internally). As previously established, telnet from the external device does send the opening SYN for port 25 to my server, but it seems to be filtered internally and no ACK is returned.

I can’t reach any of your mail services (25, 465, 587, 143)… I suggest checking the port forwarding of your router, as this does not seem to be a mailcow problem.

```
root@mailserver:/opt/mailcow-dockerized# telnet mailcow.thehorizonsedge.co.uk 25
Trying 94.196.140.206...
^C
root@mailserver:/opt/mailcow-dockerized# telnet mailcow.thehorizonsedge.co.uk 143
Trying 94.196.140.206...
^C
root@mailserver:/opt/mailcow-dockerized# telnet mailcow.thehorizonsedge.co.uk 587
Trying 94.196.140.206...
^C
root@mailserver:/opt/mailcow-dockerized# telnet mailcow.thehorizonsedge.co.uk 465
Trying 94.196.140.206...
^C
```

Hi DocFraggle,
The problem seems to be something to do with the proxy that forwards packets received from the enp1s0 ethernet interface of my server to the br-mailcow virtual interface. I have run a pair of Wireshark sessions side by side, showing the activity on the pair of interfaces. In the following screenshots, the left hand WS session shows the receive/transmit for port 25 on the external enp1s0 interface, and the right hand WS session shows the resulting traffic of the packets through the br-mailcow bridge interface.
First image here shows activity when making a telnet connection to port 25 from a device on the local network:

As you can see the activity commences at time 0.000000000 with a [SYN] received on enp1s0, source 192.168.1.85:40642, destination 192.168.1.177:25. This packet is forwarded to the br-mailcow bridge as source 192.168.1.85:40642, destination 172.22.1.253:25. At time 0.000033675 on the mailcow-br we see the reply packet [SYN, ACK] 172.22.1.253:25 back to 192.168.1.85:48642. This then reaches the enp1s0 interface at time 0.000089945 as source 192.168.1.177:25 to destination 192.168.1.85:40642. Subsequent packets then follow going to and from the interfaces exactly as one would expect, resulting in an active connection and the text line “mailcow.thehorizonsedge.co.uk ESMTP Postcow” being sent back to the telnet client on the remote device.
The image below now shows the activity captured making the telnet connection using the same device, but moved out of the local network:

What we now see is the same reception of a [SYN] on the enp1s0 network at time 0.000000000, but this is now source 82.132.247.40:57782 going to 192.168.1.177:25. There is no forwarding of the packet onto the mailcow-br bridge interface, hence no possibility of any reply. The remote device just retransmits the [SYN] at intervals.
The issue is clearly nothing to do with the external ISP or configuration of port forwarding on my router, as the [SYN] for destination 192.168.1.177:25 is received into my server PC from the ethernet interface the same way in both instances. However the packet is only forwarded to the mailcow-br bridge when the source IP is within the local network.
Your tests of all the Mailcow related ports of my server seem to show that the same effect is occurring for all these ports - packets only being forwarded from the enp1s0 external interface to the mailcow-br interface if the source IP is on the local network.
So, is there some configuration file that I can inspect that controls the packet forwarding from the external ethernet interface to the mailcow-br bridge? My `iptables -L` output is in the messages above; is there any other useful info that I can collect relating to packet forwarding/firewalling within my server?
Best regards, Polly
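The source-dependent drop that the two captures show can be reproduced by walking the DOCKER-USER chain from the `iptables -L` listing earlier in the thread: private sources hit an early RETURN, while any other source sending a bare SYN to a private (post-DNAT container) destination hits `ufw-docker-logging-deny`. This is an added example, not code from the thread or from mailcow, ufw or ufw-docker; the rule table is transcribed from the listing, the two packets are the captured SYNs with the container destination 172.22.1.253:25, and the evaluator is a simplified model that ignores interface matches and conntrack state.

```python
"""Walk the DOCKER-USER chain from the thread's `iptables -L` listing for the
two captured port-25 SYNs and report which rule terminates for each.

Added example, not code from the thread or from mailcow/ufw/ufw-docker.  The
FORWARD chain (and so DOCKER-USER) runs after PREROUTING DNAT, which is why the
destination here is the container address seen on br-mailcow, not 192.168.1.177.
Simplified model: `iptables -L` without -v hides interface matches, and conntrack
state is not modelled; both are left out here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp" or "udp"
    dport: int               # shown for the reader; DOCKER-USER does not match on it
    syn_only: bool = False   # TCP flags FIN,SYN,RST,ACK/SYN: SYN set, others clear


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    syn_only: bool = False   # the listing's "tcp flags:FIN,SYN,RST,ACK/SYN"

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "all" or self.proto == p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (not self.syn_only or p.syn_only)
        )


# DOCKER-USER as listed in the thread.  ufw-user-forward is empty, and the two
# UDP rules are omitted because neither captured packet is UDP.
DOCKER_USER = [
    Rule("RETURN", src="10.0.0.0/8"),
    Rule("RETURN", src="172.16.0.0/12"),
    Rule("RETURN", src="192.168.0.0/16"),
    Rule("ufw-docker-logging-deny", "tcp", dst="192.168.0.0/16", syn_only=True),
    Rule("ufw-docker-logging-deny", "tcp", dst="10.0.0.0/8", syn_only=True),
    Rule("ufw-docker-logging-deny", "tcp", dst="172.16.0.0/12", syn_only=True),
    Rule("RETURN"),
]


def walk_docker_user(p: Packet) -> tuple[str, int]:
    """Return (verdict, 1-based index of the terminating rule).

    RETURN hands the packet back to FORWARD, where the listing's DOCKER chain
    ACCEPTs tcp dpt:smtp to 172.22.1.253, so the SYN reaches br-mailcow.
    ufw-docker-logging-deny LOGs with prefix "[UFW DOCKER BLOCK]" and DROPs,
    which is the silent, ACK-less behaviour seen on enp1s0.
    """
    for i, rule in enumerate(DOCKER_USER, 1):
        if rule.matches(p):
            return ("DROPPED" if rule.target == "ufw-docker-logging-deny"
                    else "FORWARDED"), i
    return "FORWARDED", len(DOCKER_USER)   # end of chain: back to FORWARD


# Constructed from the two captures described in the post above.
LOCAL_SYN = Packet("192.168.1.85", "172.22.1.253", "tcp", 25, syn_only=True)
EXTERNAL_SYN = Packet("82.132.247.40", "172.22.1.253", "tcp", 25, syn_only=True)

if __name__ == "__main__":
    for name, pkt in (("LAN client", LOCAL_SYN), ("Internet client", EXTERNAL_SYN)):
        verdict, idx = walk_docker_user(pkt)
        print(f"{name:16} {pkt.src:>15} -> {pkt.dst}:{pkt.dport}"
              f"  {verdict} at DOCKER-USER rule {idx}")
```

When the drop fires on a live host it is also visible as a `[UFW DOCKER BLOCK]` kernel log line (rate-limited to 3/min by the LOG rule), which is a quicker check than two side-by-side captures.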

Hi DocFraggle, yes, that seems to have fixed it. Emails are now flowing correctly, and telnet connections to port 25 from outside the local network are working correctly. It does seem that the interaction of the rules added into iptables by ufw, Docker and mailcow causes some contradiction that is not immediately obvious just from inspection of the iptables saved rules.
I now need to do a permanent disable of ufw on my server, then figure out some safe set of iptables rules to use in order to provide safe firewalling for the other services of my server. The mailcow docs link that you provided gives me somewhere to start, but I can see the need to do some deep diving into iptables operation and command syntax in the near future. Possibly I should write up an article if I manage to figure it all out!
Thank you for your help. Best regards, Polly.
