Mailcow Unbound unhealthy

cnc24

Hi guys,

I’m hosting a mailcow instance on netcup VPS Rootserver. Everything is running fine until mailcow version 2024-11b. At this popint i can’t update anymore, because mailcow unbound is Unhealthy. It seems to be that the ping-check fails, but the dig command works. It doesn’t matter if on the host system ufw is enabled or diabled.

Now I’m really unhappy about this fact, that i can’t update to a working mailcow dockerized instance, maybe you could help me out:

Thats what i tried inside the cointainer:
`bash
root@mail:/opt/mailcow-dockerized# docker compose exec unbound-mailcow /bin/bash
99d2b1464fd4:/# ping google.de
PING google.de (216.58.206.67): 56 data bytes
^C
— google.de ping statistics —
4 packets transmitted, 0 packets received, 100% packet loss
99d2b1464fd4:/# dig google.de

; <<>> DiG 9.18.27 <<>> google.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.de. IN A

;; ANSWER SECTION:
google.de. 280 IN A 216.58.206.67

;; Query time: 15 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sat Jan 04 12:23:21 CET 2025
;; MSG SIZE rcvd: 54

99d2b1464fd4:/# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.11:43893 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN -
tcp 0 0 :::53 :::* LISTEN -
udp 0 0 127.0.0.11:48254 0.0.0.0:* -
udp 0 0 0.0.0.0:53 0.0.0.0:* -
udp 0 0 :::53 :::* -
99d2b1464fd4:/# exit
exit
`

Please give me some advise what else i could looking for, to find any solution.

Greetings

DocFraggle

Can you ping from the host system?

cnc24

yes i could ping an dig from the host system without problems

DocFraggle

Must be a firewall issue. Did you try to disable ufw and restart the stack?

docker compose down
docker compose up -d

cnc24

yes, the mailcow unbound stays unhealthy and the behaviour is the same as decribed above.

esackbauer

What OS is your root server running on? Was it updated lately?
Looks like its not forwarding ICMP packets.
Have you tried updating docker versions manually?

cnc24

I’m running Debian 11 Bullseye. down here the uname -a and dpkg -l Outputs:

root@mail:~# uname -a Linux mail.senditout.de 5.10.0-33-amd64 root@mail:~# dpkg -l | grep linux- ii binutils-x86-64-linux-gnu 2.35.2-2 ii firmware-linux-free 20200122-1 ii linux-base 4.6 rc linux-image-5.10.0-10-amd64 5.10.84-1 rc linux-image-5.10.0-11-amd64 5.10.92-2 rc linux-image-5.10.0-12-amd64 5.10.103-1 rc linux-image-5.10.0-13-amd64 5.10.106-1 rc linux-image-5.10.0-14-amd64 5.10.113-1 rc linux-image-5.10.0-15-amd64 5.10.120-1 rc linux-image-5.10.0-16-amd64 5.10.127-2 rc linux-image-5.10.0-17-amd64 5.10.136-1 rc linux-image-5.10.0-18-amd64 5.10.140-1 rc linux-image-5.10.0-19-amd64 5.10.149-2 rc linux-image-5.10.0-20-amd64 5.10.158-2 rc linux-image-5.10.0-21-amd64 5.10.162-1 rc linux-image-5.10.0-22-amd64 5.10.178-3 rc linux-image-5.10.0-23-amd64 5.10.179-3 rc linux-image-5.10.0-24-amd64 5.10.179-5 rc linux-image-5.10.0-25-amd64 5.10.191-1 rc linux-image-5.10.0-26-amd64 5.10.197-1 rc linux-image-5.10.0-27-amd64 5.10.205-2 rc linux-image-5.10.0-28-amd64 5.10.209-2 rc linux-image-5.10.0-29-amd64 5.10.216-1 ii linux-image-5.10.0-32-amd64 5.10.223-1 ii linux-image-5.10.0-33-amd64 5.10.226-1 rc linux-image-5.10.0-8-amd64 5.10.46-5 rc linux-image-5.10.0-9-amd64 5.10.70-1 ii linux-image-amd64 5.10.226-1 ii util-linux-locales 2.36.1-8+deb11u2 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux amd64 GNU binary utilities, for x86-64-linux-gnu target all Binary firmware for various drivers in the Linux kernel all Linux image base package amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux for 64-bit PCs (meta-package) all locales files for util-linux

Last Update was at October i think.

cnc24

The docker versions are:

docker compose version Docker Compose version v2.32.1

docker --version Docker version 27.4.1, build b9d17ea

esackbauer

Are you using firewalld, UFW, or SELinux? if yes, disable them.

cnc24

I use ufw but i get the same issue without ufw enabled

DocFraggle

With ufw disabled and after restarting the stack, please post the output of

iptables -L
iptables -t nat -L

cnc24

Here the output:
`root@mail:/opt/mailcow-dockerized# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ufw-before-logging-forward all – anywhere anywhere
ufw-before-forward all – anywhere anywhere
ufw-after-forward all – anywhere anywhere
ufw-after-logging-forward all – anywhere anywhere
ufw-reject-forward all – anywhere anywhere
ufw-track-forward all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all – anywhere anywhere
ufw-before-output all – anywhere anywhere
ufw-after-output all – anywhere anywhere
ufw-after-logging-output all – anywhere anywhere
ufw-reject-output all – anywhere anywhere
ufw-track-output all – anywhere anywhere

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP all – 212.70.149.71 anywhere
DROP tcp – anywhere anywhere /* mailcow isolation */

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination

Chain ufw-after-logging-forward (1 references)
target prot opt source destination

Chain ufw-after-logging-input (1 references)
target prot opt source destination

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination

Chain ufw-before-input (1 references)
target prot opt source destination

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination `

and the output of the other comand

`root@mail:/opt/mailcow-dockerized# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all – 172.17.0.0/16 anywhere
MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345

Chain DOCKER (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere
DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345`

DocFraggle

ufw is still enabled…

cnc24

strange here again the output with ufw status command before
root@mail:~# ufw status
Status: inactive
root@mail:~# ^C
root@mail:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere