Mailcow Unbound unhealthy

cnc24 · 4 Jan

Hi guys,

I’m hosting a mailcow instance on netcup VPS Rootserver. Everything is running fine until mailcow version 2024-11b. At this popint i can’t update anymore, because mailcow unbound is Unhealthy. It seems to be that the ping-check fails, but the dig command works. It doesn’t matter if on the host system ufw is enabled or diabled.

Now I’m really unhappy about this fact, that i can’t update to a working mailcow dockerized instance, maybe you could help me out:

Thats what i tried inside the cointainer:
`bash
root@mail:/opt/mailcow-dockerized# docker compose exec unbound-mailcow /bin/bash
99d2b1464fd4:/# ping google.de
PING google.de (216.58.206.67): 56 data bytes
^C
— google.de ping statistics —
4 packets transmitted, 0 packets received, 100% packet loss
99d2b1464fd4:/# dig google.de

; <<>> DiG 9.18.27 <<>> google.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.de. IN A

;; ANSWER SECTION:
google.de. 280 IN A 216.58.206.67

;; Query time: 15 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sat Jan 04 12:23:21 CET 2025
;; MSG SIZE rcvd: 54

99d2b1464fd4:/# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.11:43893 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN -
tcp 0 0 :::53 :::* LISTEN -
udp 0 0 127.0.0.11:48254 0.0.0.0:* -
udp 0 0 0.0.0.0:53 0.0.0.0:* -
udp 0 0 :::53 :::* -
99d2b1464fd4:/# exit
exit
`

Please give me some advise what else i could looking for, to find any solution.

Greetings

DocFraggle · 4 Jan

Can you ping from the host system?

cnc24 · 4 Jan

yes i could ping an dig from the host system without problems

DocFraggle · 4 Jan

Must be a firewall issue. Did you try to disable ufw and restart the stack?

docker compose down
docker compose up -d

cnc24 · 4 Jan

yes, the mailcow unbound stays unhealthy and the behaviour is the same as decribed above.

esackbauer · 4 Jan

What OS is your root server running on? Was it updated lately?
Looks like its not forwarding ICMP packets.
Have you tried updating docker versions manually?

cnc24 · 4 Jan

I’m running Debian 11 Bullseye. down here the uname -a and dpkg -l Outputs:

root@mail:~# uname -a Linux mail.senditout.de 5.10.0-33-amd64 root@mail:~# dpkg -l | grep linux- ii binutils-x86-64-linux-gnu 2.35.2-2 ii firmware-linux-free 20200122-1 ii linux-base 4.6 rc linux-image-5.10.0-10-amd64 5.10.84-1 rc linux-image-5.10.0-11-amd64 5.10.92-2 rc linux-image-5.10.0-12-amd64 5.10.103-1 rc linux-image-5.10.0-13-amd64 5.10.106-1 rc linux-image-5.10.0-14-amd64 5.10.113-1 rc linux-image-5.10.0-15-amd64 5.10.120-1 rc linux-image-5.10.0-16-amd64 5.10.127-2 rc linux-image-5.10.0-17-amd64 5.10.136-1 rc linux-image-5.10.0-18-amd64 5.10.140-1 rc linux-image-5.10.0-19-amd64 5.10.149-2 rc linux-image-5.10.0-20-amd64 5.10.158-2 rc linux-image-5.10.0-21-amd64 5.10.162-1 rc linux-image-5.10.0-22-amd64 5.10.178-3 rc linux-image-5.10.0-23-amd64 5.10.179-3 rc linux-image-5.10.0-24-amd64 5.10.179-5 rc linux-image-5.10.0-25-amd64 5.10.191-1 rc linux-image-5.10.0-26-amd64 5.10.197-1 rc linux-image-5.10.0-27-amd64 5.10.205-2 rc linux-image-5.10.0-28-amd64 5.10.209-2 rc linux-image-5.10.0-29-amd64 5.10.216-1 ii linux-image-5.10.0-32-amd64 5.10.223-1 ii linux-image-5.10.0-33-amd64 5.10.226-1 rc linux-image-5.10.0-8-amd64 5.10.46-5 rc linux-image-5.10.0-9-amd64 5.10.70-1 ii linux-image-amd64 5.10.226-1 ii util-linux-locales 2.36.1-8+deb11u2 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux amd64 GNU binary utilities, for x86-64-linux-gnu target all Binary firmware for various drivers in the Linux kernel all Linux image base package amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux for 64-bit PCs (meta-package) all locales files for util-linux

Last Update was at October i think.

cnc24 · 4 Jan

The docker versions are:

docker compose version Docker Compose version v2.32.1

docker --version Docker version 27.4.1, build b9d17ea

esackbauer · 4 Jan

Are you using firewalld, UFW, or SELinux? if yes, disable them.

cnc24 · 4 Jan

I use ufw but i get the same issue without ufw enabled

DocFraggle · 4 Jan

With ufw disabled and after restarting the stack, please post the output of

iptables -L
iptables -t nat -L

cnc24 · 4 Jan

Here the output:
`root@mail:/opt/mailcow-dockerized# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ufw-before-logging-forward all – anywhere anywhere
ufw-before-forward all – anywhere anywhere
ufw-after-forward all – anywhere anywhere
ufw-after-logging-forward all – anywhere anywhere
ufw-reject-forward all – anywhere anywhere
ufw-track-forward all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all – anywhere anywhere
ufw-before-output all – anywhere anywhere
ufw-after-output all – anywhere anywhere
ufw-after-logging-output all – anywhere anywhere
ufw-reject-output all – anywhere anywhere
ufw-track-output all – anywhere anywhere

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP all – 212.70.149.71 anywhere
DROP tcp – anywhere anywhere /* mailcow isolation */

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination

Chain ufw-after-logging-forward (1 references)
target prot opt source destination

Chain ufw-after-logging-input (1 references)
target prot opt source destination

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination

Chain ufw-before-input (1 references)
target prot opt source destination

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination `

and the output of the other comand

`root@mail:/opt/mailcow-dockerized# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all – 172.17.0.0/16 anywhere
MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345

Chain DOCKER (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere
DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345`

DocFraggle · 4 Jan

ufw is still enabled…

cnc24 · 4 Jan

strange here again the output with ufw status command before
root@mail:~# ufw status
Status: inactive
root@mail:~# ^C
root@mail:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere