• cnc24

      Moolevel 1

    Hi guys,

    I’m hosting a mailcow instance on a netcup VPS Rootserver. Everything was running fine until mailcow version 2024-11b. At this point I can’t update anymore, because mailcow unbound is unhealthy. It seems that the ping check fails, but the dig command works. It doesn’t matter whether ufw is enabled or disabled on the host system.

    Now I’m really unhappy about the fact that I can’t update to a working mailcow dockerized instance, maybe you could help me out:

    That’s what I tried inside the container:
    ```bash
    root@mail:/opt/mailcow-dockerized# docker compose exec unbound-mailcow /bin/bash
    99d2b1464fd4:/# ping google.de
    PING google.de (216.58.206.67): 56 data bytes
    ^C
    --- google.de ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss
    99d2b1464fd4:/# dig google.de

    ; <<>> DiG 9.18.27 <<>> google.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5000
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;google.de. IN A

    ;; ANSWER SECTION:
    google.de. 280 IN A 216.58.206.67

    ;; Query time: 15 msec
    ;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
    ;; WHEN: Sat Jan 04 12:23:21 CET 2025
    ;; MSG SIZE rcvd: 54

    99d2b1464fd4:/# netstat -tulpn
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN -
    tcp 0 0 127.0.0.11:43893 0.0.0.0:* LISTEN -
    tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN -
    tcp 0 0 :::53 :::* LISTEN -
    udp 0 0 127.0.0.11:48254 0.0.0.0:* -
    udp 0 0 0.0.0.0:53 0.0.0.0:* -
    udp 0 0 :::53 :::* -
    99d2b1464fd4:/# exit
    exit
    ```

    Please give me some advice on what else I could look for to find a solution.

    Greetings

    • DocFraggle

      • Community Hero
      Moolevel 245

    Can you ping from the host system?


    • cnc24

        Moolevel 1

      Yes, I could ping and dig from the host system without problems.

      • DocFraggle

        • Community Hero
        Moolevel 245

      Must be a firewall issue. Did you try to disable ufw and restart the stack?

      docker compose down
      docker compose up -d
      • cnc24

          Moolevel 1

        Yes, mailcow unbound stays unhealthy and the behaviour is the same as described above.

        • esackbauer

          • Community Hero
          Moolevel 347
        • Edited

        What OS is your root server running on? Was it updated lately?
        Looks like it’s not forwarding ICMP packets.
        Have you tried updating the docker versions manually?

        • cnc24

            Moolevel 1
          • Edited

          I’m running Debian 11 Bullseye. Here are the uname -a and dpkg -l outputs:

          ```
          root@mail:~# uname -a
          Linux mail.senditout.de 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux
          root@mail:~# dpkg -l | grep linux-
          ii binutils-x86-64-linux-gnu 2.35.2-2 amd64 GNU binary utilities, for x86-64-linux-gnu target
          ii firmware-linux-free 20200122-1 all Binary firmware for various drivers in the Linux kernel
          ii linux-base 4.6 all Linux image base package
          rc linux-image-5.10.0-10-amd64 5.10.84-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-11-amd64 5.10.92-2 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-12-amd64 5.10.103-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-13-amd64 5.10.106-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-14-amd64 5.10.113-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-15-amd64 5.10.120-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-16-amd64 5.10.127-2 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-17-amd64 5.10.136-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-18-amd64 5.10.140-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-19-amd64 5.10.149-2 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-20-amd64 5.10.158-2 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-21-amd64 5.10.162-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-22-amd64 5.10.178-3 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-23-amd64 5.10.179-3 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-24-amd64 5.10.179-5 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-25-amd64 5.10.191-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-26-amd64 5.10.197-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-27-amd64 5.10.205-2 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-28-amd64 5.10.209-2 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-29-amd64 5.10.216-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          ii linux-image-5.10.0-32-amd64 5.10.223-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          ii linux-image-5.10.0-33-amd64 5.10.226-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-8-amd64 5.10.46-5 amd64 Linux 5.10 for 64-bit PCs (signed)
          rc linux-image-5.10.0-9-amd64 5.10.70-1 amd64 Linux 5.10 for 64-bit PCs (signed)
          ii linux-image-amd64 5.10.226-1 amd64 Linux for 64-bit PCs (meta-package)
          ii util-linux-locales 2.36.1-8+deb11u2 all locales files for util-linux
          ```

          The last update was in October, I think.

          • cnc24

              Moolevel 1

            The docker versions are:

            docker compose version
            Docker Compose version v2.32.1

            docker --version
            Docker version 27.4.1, build b9d17ea

            • esackbauer

              • Community Hero
              Moolevel 347
            • Edited

            Are you using firewalld, UFW, or SELinux? if yes, disable them.

            • cnc24

                Moolevel 1

              I use ufw, but I get the same issue without ufw enabled.

              • DocFraggle

                • Community Hero
                Moolevel 245

              With ufw disabled and after restarting the stack, please post the output of

              iptables -L
              iptables -t nat -L
              • cnc24

                  Moolevel 1

                Here is the output:
                ```
                root@mail:/opt/mailcow-dockerized# iptables -L
                Chain INPUT (policy ACCEPT)
                target prot opt source destination
                MAILCOW all -- anywhere anywhere /* mailcow */
                ufw-before-logging-input all -- anywhere anywhere
                ufw-before-input all -- anywhere anywhere
                ufw-after-input all -- anywhere anywhere
                ufw-after-logging-input all -- anywhere anywhere
                ufw-reject-input all -- anywhere anywhere
                ufw-track-input all -- anywhere anywhere

                Chain FORWARD (policy ACCEPT)
                target prot opt source destination
                MAILCOW all -- anywhere anywhere /* mailcow */
                DOCKER-USER all -- anywhere anywhere
                DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
                DOCKER all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
                DOCKER all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere
                ufw-before-logging-forward all -- anywhere anywhere
                ufw-before-forward all -- anywhere anywhere
                ufw-after-forward all -- anywhere anywhere
                ufw-after-logging-forward all -- anywhere anywhere
                ufw-reject-forward all -- anywhere anywhere
                ufw-track-forward all -- anywhere anywhere

                Chain OUTPUT (policy ACCEPT)
                target prot opt source destination
                ufw-before-logging-output all -- anywhere anywhere
                ufw-before-output all -- anywhere anywhere
                ufw-after-output all -- anywhere anywhere
                ufw-after-logging-output all -- anywhere anywhere
                ufw-reject-output all -- anywhere anywhere
                ufw-track-output all -- anywhere anywhere

                Chain DOCKER (2 references)
                target prot opt source destination
                ACCEPT tcp -- anywhere 172.22.1.5 tcp dpt:8983
                ACCEPT tcp -- anywhere 172.22.1.249 tcp dpt:redis
                ACCEPT tcp -- anywhere 172.22.1.6 tcp dpt:mysql
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imap2
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imaps
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3s
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:sieve
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:12345

                Chain DOCKER-ISOLATION-STAGE-1 (1 references)
                target prot opt source destination
                DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
                DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
                RETURN all -- anywhere anywhere

                Chain DOCKER-ISOLATION-STAGE-2 (2 references)
                target prot opt source destination
                DROP all -- anywhere anywhere
                DROP all -- anywhere anywhere
                RETURN all -- anywhere anywhere

                Chain DOCKER-USER (1 references)
                target prot opt source destination
                RETURN all -- anywhere anywhere

                Chain MAILCOW (2 references)
                target prot opt source destination
                DROP all -- 212.70.149.71 anywhere
                DROP tcp -- anywhere anywhere /* mailcow isolation */

                Chain ufw-after-forward (1 references)
                target prot opt source destination

                Chain ufw-after-input (1 references)
                target prot opt source destination

                Chain ufw-after-logging-forward (1 references)
                target prot opt source destination

                Chain ufw-after-logging-input (1 references)
                target prot opt source destination

                Chain ufw-after-logging-output (1 references)
                target prot opt source destination

                Chain ufw-after-output (1 references)
                target prot opt source destination

                Chain ufw-before-forward (1 references)
                target prot opt source destination

                Chain ufw-before-input (1 references)
                target prot opt source destination

                Chain ufw-before-logging-forward (1 references)
                target prot opt source destination

                Chain ufw-before-logging-input (1 references)
                target prot opt source destination

                Chain ufw-before-logging-output (1 references)
                target prot opt source destination

                Chain ufw-before-output (1 references)
                target prot opt source destination

                Chain ufw-reject-forward (1 references)
                target prot opt source destination

                Chain ufw-reject-input (1 references)
                target prot opt source destination

                Chain ufw-reject-output (1 references)
                target prot opt source destination

                Chain ufw-track-forward (1 references)
                target prot opt source destination

                Chain ufw-track-input (1 references)
                target prot opt source destination

                Chain ufw-track-output (1 references)
                target prot opt source destination
                ```

                and the output of the other command:

                ```
                root@mail:/opt/mailcow-dockerized# iptables -t nat -L
                Chain PREROUTING (policy ACCEPT)
                target prot opt source destination
                DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

                Chain INPUT (policy ACCEPT)
                target prot opt source destination

                Chain OUTPUT (policy ACCEPT)
                target prot opt source destination
                DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

                Chain POSTROUTING (policy ACCEPT)
                target prot opt source destination
                MASQUERADE all -- 172.17.0.0/16 anywhere
                MASQUERADE tcp -- 172.22.1.5 172.22.1.5 tcp dpt:8983
                MASQUERADE tcp -- 172.22.1.249 172.22.1.249 tcp dpt:redis
                MASQUERADE tcp -- 172.22.1.6 172.22.1.6 tcp dpt:mysql
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imap2
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imaps
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3s
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:sieve
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:12345

                Chain DOCKER (2 references)
                target prot opt source destination
                RETURN all -- anywhere anywhere
                RETURN all -- anywhere anywhere
                DNAT tcp -- anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
                DNAT tcp -- anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
                DNAT tcp -- anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
                DNAT tcp -- anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
                DNAT tcp -- anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
                DNAT tcp -- anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
                DNAT tcp -- anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
                DNAT tcp -- anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
                DNAT tcp -- anywhere localhost tcp dpt:19991 to:172.22.1.250:12345
                ```

                • DocFraggle

                  • Community Hero
                  Moolevel 245

                ufw is still enabled…

                • cnc24

                    Moolevel 1
                  • Edited

                  Strange. Here is the output again, with the ufw status command before it:
                  ```
                  root@mail:~# ufw status
                  Status: inactive
                  root@mail:~# ^C
                  root@mail:~# iptables -L
                  Chain INPUT (policy ACCEPT)
                  target prot opt source destination
                  MAILCOW all -- anywhere anywhere /* mailcow */
                  ufw-before-logging-input all -- anywhere anywhere
                  ufw-before-input all -- anywhere anywhere
                  ufw-after-input all -- anywhere anywhere
                  ufw-after-logging-input all -- anywhere anywhere
                  ufw-reject-input all -- anywhere anywhere
                  ufw-track-input all -- anywhere anywhere

                  Chain FORWARD (policy ACCEPT)
                  target prot opt source destination
                  MAILCOW all -- anywhere anywhere /* mailcow */
                  DOCKER-USER all -- anywhere anywhere
                  DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
                  ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
                  DOCKER all -- anywhere anywhere
                  ACCEPT all -- anywhere anywhere
                  ACCEPT all -- anywhere anywhere
                  ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
                  DOCKER all -- anywhere anywhere
                  ACCEPT all -- anywhere anywhere
                  ACCEPT all -- anywhere anywhere
                  ufw-before-logging-forward all -- anywhere anywhere
                  ufw-before-forward all -- anywhere anywhere
                  ufw-after-forward all -- anywhere anywhere
                  ufw-after-logging-forward all -- anywhere anywhere
                  ufw-reject-forward all -- anywhere anywhere
                  ufw-track-forward all -- anywhere anywhere

                  Chain OUTPUT (policy ACCEPT)
                  target prot opt source destination
                  ufw-before-logging-output all -- anywhere anywhere
                  ufw-before-output all -- anywhere anywhere
                  ufw-after-output all -- anywhere anywhere
                  ufw-after-logging-output all -- anywhere anywhere
                  ufw-reject-output all -- anywhere anywhere
                  ufw-track-output all -- anywhere anywhere

                  Chain DOCKER (2 references)
                  target prot opt source destination
                  ACCEPT tcp -- anywhere 172.22.1.5 tcp dpt:8983
                  ACCEPT tcp -- anywhere 172.22.1.249 tcp dpt:redis
                  ACCEPT tcp -- anywhere 172.22.1.6 tcp dpt:mysql
                  ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3
                  ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imap2
                  ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imaps
                  ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3s
                  ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:sieve
                  ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:12345

                  Chain DOCKER-ISOLATION-STAGE-1 (1 references)
                  target prot opt source destination
                  DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
                  DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
                  RETURN all -- anywhere anywhere

                  Chain DOCKER-ISOLATION-STAGE-2 (2 references)
                  target prot opt source destination
                  DROP all -- anywhere anywhere
                  DROP all -- anywhere anywhere
                  RETURN all -- anywhere anywhere

                  Chain DOCKER-USER (1 references)
                  target prot opt source destination
                  RETURN all -- anywhere anywhere

                  Chain MAILCOW (2 references)
                  target prot opt source destination
                  DROP all -- 212.70.149.71 anywhere
                  DROP tcp -- anywhere anywhere /* mailcow isolation */

                  Chain ufw-after-forward (1 references)
                  target prot opt source destination

                  Chain ufw-after-input (1 references)
                  target prot opt source destination

                  Chain ufw-after-logging-forward (1 references)
                  target prot opt source destination

                  Chain ufw-after-logging-input (1 references)
                  target prot opt source destination

                  Chain ufw-after-logging-output (1 references)
                  target prot opt source destination

                  Chain ufw-after-output (1 references)
                  target prot opt source destination

                  Chain ufw-before-forward (1 references)
                  target prot opt source destination

                  Chain ufw-before-input (1 references)
                  target prot opt source destination

                  Chain ufw-before-logging-forward (1 references)
                  target prot opt source destination

                  Chain ufw-before-logging-input (1 references)
                  target prot opt source destination

                  Chain ufw-before-logging-output (1 references)
                  target prot opt source destination

                  Chain ufw-before-output (1 references)
                  target prot opt source destination

                  Chain ufw-reject-forward (1 references)
                  target prot opt source destination

                  Chain ufw-reject-input (1 references)
                  target prot opt source destination

                  Chain ufw-reject-output (1 references)
                  target prot opt source destination

                  Chain ufw-track-forward (1 references)
                  target prot opt source destination

                  Chain ufw-track-input (1 references)
                  target prot opt source destination

                  Chain ufw-track-output (1 references)
                  target prot opt source destination
                  root@mail:~# iptables -t nat -L
                  Chain PREROUTING (policy ACCEPT)
                  target prot opt source destination
                  DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

                  Chain INPUT (policy ACCEPT)
                  target prot opt source destination

                  Chain OUTPUT (policy ACCEPT)
                  target prot opt source destination
                  DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

                  Chain POSTROUTING (policy ACCEPT)
                  target prot opt source destination
                  MASQUERADE all -- 172.17.0.0/16 anywhere
                  MASQUERADE tcp -- 172.22.1.5 172.22.1.5 tcp dpt:8983
                  MASQUERADE tcp -- 172.22.1.249 172.22.1.249 tcp dpt:redis
                  MASQUERADE tcp -- 172.22.1.6 172.22.1.6 tcp dpt:mysql
                  MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3
                  MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imap2
                  MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imaps
                  MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3s
                  MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:sieve
                  MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:12345

                  Chain DOCKER (2 references)
                  target prot opt source destination
                  RETURN all -- anywhere anywhere
                  RETURN all -- anywhere anywhere
                  DNAT tcp -- anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
                  DNAT tcp -- anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
                  DNAT tcp -- anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
                  DNAT tcp -- anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
                  DNAT tcp -- anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
                  DNAT tcp -- anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
                  DNAT tcp -- anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
                  DNAT tcp -- anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
                  DNAT tcp -- anywhere localhost tcp dpt:19991 to:172.22.1.250:12345
                  root@mail:~#
                  ```

                  I don’t know what happened exactly, but suddenly, after 9 minutes, the unbound container started to get healthy 😃

                  Now I’m getting emails again! 🙂

                  I’ll try to activate ufw again now, or what would you prefer?

                  • DocFraggle

                    • Community Hero
                    Moolevel 245

                  You should disable it completely, see the docs.

                  systemctl disable ufw

                  And reboot afterwards

                  • cnc24

                      Moolevel 1

                    But then my server would be open to the internet, because there is no other security feature?
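As an added check, not code from the thread or from the mailcow project: the script below parses `iptables -L` and `iptables -t nat -L` text of the shape posted above and reports three things. First, whether `ufw-*` jump targets are still hooked into INPUT, FORWARD and OUTPUT, which is what the "ufw is still enabled" remark points at, even while `ufw status` prints inactive. Second, whether DOCKER-USER, the chain Docker reserves for the administrator's own rules on forwarded container traffic, holds anything besides the default RETURN; that chain is where host-side filtering of container traffic belongs once ufw is out of the picture, and in the posted output it is RETURN only. Third, which source networks have a blanket MASQUERADE in nat POSTROUTING; in the posted output only 172.17.0.0/16 has one, while the 172.22.1.x addresses appear only in per-port hairpin rules. The two dumps embedded in the script are constructed, trimmed to that shape, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from mailcow). Read-only checks over
# "iptables -L" / "iptables -t nat -L" text. The dumps below are constructed,
# modelled on the output posted above; on a real host use instead:
#   FILTER_DUMP=$(iptables -L) ; NAT_DUMP=$(iptables -t nat -L)

FILTER_DUMP='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
MAILCOW    all  --  anywhere             anywhere             /* mailcow */
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
MAILCOW    all  --  anywhere             anywhere             /* mailcow */
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-before-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-output  all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain MAILCOW (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             /* mailcow isolation */
'

NAT_DUMP='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  tcp  --  172.22.1.250         172.22.1.250         tcp dpt:imaps

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:imaps to:172.22.1.250:993
'

# Number of ufw-* jump targets in the three built-in filter chains.
# Anything above 0 means ufw's rule skeleton is loaded, whatever "ufw status" says.
ufw_hook_count() {
  printf '%s\n' "$1" | awk '
    /^Chain / { chain = $2; next }
    (chain == "INPUT" || chain == "FORWARD" || chain == "OUTPUT") && $1 ~ /^ufw-/ { n++ }
    END { print n + 0 }'
}

# Targets of the rules in DOCKER-USER, one per line, header skipped.
docker_user_rules() {
  printf '%s\n' "$1" | awk '
    /^Chain / { inchain = ($2 == "DOCKER-USER"); next }
    inchain && NF && $1 != "target" { print $1 }'
}

# True when DOCKER-USER holds nothing but Docker's default RETURN, i.e. no
# administrator rule filters forwarded container traffic.
docker_user_is_passthrough() {
  [ "$(docker_user_rules "$1")" = "RETURN" ]
}

# Source networks with a protocol-wide MASQUERADE in nat POSTROUTING. Per-port
# MASQUERADE rules (hairpin for published ports) are ignored on purpose.
masquerade_sources() {
  printf '%s\n' "$1" | awk '
    /^Chain / { inchain = ($2 == "POSTROUTING"); next }
    inchain && $1 == "MASQUERADE" && $2 == "all" { print $4 }'
}

# Usage: subnet_is_masqueraded 172.22.1.0/24 "$NAT_DUMP"
subnet_is_masqueraded() {
  masquerade_sources "$2" | grep -qxF "$1"
}

report() {
  echo "ufw hooks in built-in chains: $(ufw_hook_count "$1")"
  if docker_user_is_passthrough "$1"; then
    echo "DOCKER-USER: RETURN only (no host-side filtering of container traffic)"
  else
    echo "DOCKER-USER: custom rules present"
  fi
  echo "networks with blanket MASQUERADE:"
  masquerade_sources "$2" | sed 's/^/  /'
}

report "$FILTER_DUMP" "$NAT_DUMP"
```

Run against live output the script only reads the rulesets; it changes nothing. The interesting lines to compare with the thread are the hook count (non-zero while `ufw status` says inactive) and the MASQUERADE list, where a container network that is missing sends packets out with a private source address and never sees the replies.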
