• DocFraggle

    • Community Hero
    Moolevel 245

Can you ping from the host system?


  • cnc24

      Moolevel 1

    Yes, I could ping and dig from the host system without problems.

    • DocFraggle

      • Community Hero
      Moolevel 245

    Must be a firewall issue. Did you try to disable ufw and restart the stack?

    docker compose down
    docker compose up -d
    • cnc24

        Moolevel 1

      Yes, the mailcow unbound stays unhealthy and the behaviour is the same as described above.

      • esackbauer

        • Community Hero
        Moolevel 347
      • Edited

      What OS is your root server running on? Was it updated lately?
      Looks like it's not forwarding ICMP packets.
      Have you tried updating docker versions manually?

      • cnc24

          Moolevel 1
        • Edited

        I’m running Debian 11 Bullseye. Below are the uname -a and dpkg -l outputs:

        root@mail:~# uname -a
        Linux mail.senditout.de 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux
        root@mail:~# dpkg -l | grep linux-
        ii binutils-x86-64-linux-gnu 2.35.2-2 amd64 GNU binary utilities, for x86-64-linux-gnu target
        ii firmware-linux-free 20200122-1 all Binary firmware for various drivers in the Linux kernel
        ii linux-base 4.6 all Linux image base package
        rc linux-image-5.10.0-10-amd64 5.10.84-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-11-amd64 5.10.92-2 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-12-amd64 5.10.103-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-13-amd64 5.10.106-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-14-amd64 5.10.113-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-15-amd64 5.10.120-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-16-amd64 5.10.127-2 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-17-amd64 5.10.136-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-18-amd64 5.10.140-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-19-amd64 5.10.149-2 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-20-amd64 5.10.158-2 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-21-amd64 5.10.162-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-22-amd64 5.10.178-3 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-23-amd64 5.10.179-3 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-24-amd64 5.10.179-5 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-25-amd64 5.10.191-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-26-amd64 5.10.197-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-27-amd64 5.10.205-2 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-28-amd64 5.10.209-2 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-29-amd64 5.10.216-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        ii linux-image-5.10.0-32-amd64 5.10.223-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        ii linux-image-5.10.0-33-amd64 5.10.226-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-8-amd64 5.10.46-5 amd64 Linux 5.10 for 64-bit PCs (signed)
        rc linux-image-5.10.0-9-amd64 5.10.70-1 amd64 Linux 5.10 for 64-bit PCs (signed)
        ii linux-image-amd64 5.10.226-1 amd64 Linux for 64-bit PCs (meta-package)
        ii util-linux-locales 2.36.1-8+deb11u2 all locales files for util-linux

        The last update was in October, I think.

        • cnc24

            Moolevel 1

          The docker versions are:

          docker compose version
          Docker Compose version v2.32.1

          docker --version
          Docker version 27.4.1, build b9d17ea

          • esackbauer

            • Community Hero
            Moolevel 347
          • Edited

          Are you using firewalld, UFW, or SELinux? If yes, disable them.

          • cnc24

              Moolevel 1

            I use ufw, but I get the same issue without ufw enabled.

            • DocFraggle

              • Community Hero
              Moolevel 245

            With ufw disabled and after restarting the stack, please post the output of

            iptables -L
            iptables -t nat -L
            • cnc24

                Moolevel 1

              Here the output:
              `root@mail:/opt/mailcow-dockerized# iptables -L
              Chain INPUT (policy ACCEPT)
              target prot opt source destination
              MAILCOW all -- anywhere anywhere /* mailcow */
              ufw-before-logging-input all -- anywhere anywhere
              ufw-before-input all -- anywhere anywhere
              ufw-after-input all -- anywhere anywhere
              ufw-after-logging-input all -- anywhere anywhere
              ufw-reject-input all -- anywhere anywhere
              ufw-track-input all -- anywhere anywhere

              Chain FORWARD (policy ACCEPT)
              target prot opt source destination
              MAILCOW all -- anywhere anywhere /* mailcow */
              DOCKER-USER all -- anywhere anywhere
              DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
              ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
              DOCKER all -- anywhere anywhere
              ACCEPT all -- anywhere anywhere
              ACCEPT all -- anywhere anywhere
              ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
              DOCKER all -- anywhere anywhere
              ACCEPT all -- anywhere anywhere
              ACCEPT all -- anywhere anywhere
              ufw-before-logging-forward all -- anywhere anywhere
              ufw-before-forward all -- anywhere anywhere
              ufw-after-forward all -- anywhere anywhere
              ufw-after-logging-forward all -- anywhere anywhere
              ufw-reject-forward all -- anywhere anywhere
              ufw-track-forward all -- anywhere anywhere

              Chain OUTPUT (policy ACCEPT)
              target prot opt source destination
              ufw-before-logging-output all -- anywhere anywhere
              ufw-before-output all -- anywhere anywhere
              ufw-after-output all -- anywhere anywhere
              ufw-after-logging-output all -- anywhere anywhere
              ufw-reject-output all -- anywhere anywhere
              ufw-track-output all -- anywhere anywhere

              Chain DOCKER (2 references)
              target prot opt source destination
              ACCEPT tcp -- anywhere 172.22.1.5 tcp dpt:8983
              ACCEPT tcp -- anywhere 172.22.1.249 tcp dpt:redis
              ACCEPT tcp -- anywhere 172.22.1.6 tcp dpt:mysql
              ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3
              ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imap2
              ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imaps
              ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3s
              ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:sieve
              ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:12345

              Chain DOCKER-ISOLATION-STAGE-1 (1 references)
              target prot opt source destination
              DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
              DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
              RETURN all -- anywhere anywhere

              Chain DOCKER-ISOLATION-STAGE-2 (2 references)
              target prot opt source destination
              DROP all -- anywhere anywhere
              DROP all -- anywhere anywhere
              RETURN all -- anywhere anywhere

              Chain DOCKER-USER (1 references)
              target prot opt source destination
              RETURN all -- anywhere anywhere

              Chain MAILCOW (2 references)
              target prot opt source destination
              DROP all -- 212.70.149.71 anywhere
              DROP tcp -- anywhere anywhere /* mailcow isolation */

              Chain ufw-after-forward (1 references)
              target prot opt source destination

              Chain ufw-after-input (1 references)
              target prot opt source destination

              Chain ufw-after-logging-forward (1 references)
              target prot opt source destination

              Chain ufw-after-logging-input (1 references)
              target prot opt source destination

              Chain ufw-after-logging-output (1 references)
              target prot opt source destination

              Chain ufw-after-output (1 references)
              target prot opt source destination

              Chain ufw-before-forward (1 references)
              target prot opt source destination

              Chain ufw-before-input (1 references)
              target prot opt source destination

              Chain ufw-before-logging-forward (1 references)
              target prot opt source destination

              Chain ufw-before-logging-input (1 references)
              target prot opt source destination

              Chain ufw-before-logging-output (1 references)
              target prot opt source destination

              Chain ufw-before-output (1 references)
              target prot opt source destination

              Chain ufw-reject-forward (1 references)
              target prot opt source destination

              Chain ufw-reject-input (1 references)
              target prot opt source destination

              Chain ufw-reject-output (1 references)
              target prot opt source destination

              Chain ufw-track-forward (1 references)
              target prot opt source destination

              Chain ufw-track-input (1 references)
              target prot opt source destination

              Chain ufw-track-output (1 references)
              target prot opt source destination `

              And the output of the other command:

              `root@mail:/opt/mailcow-dockerized# iptables -t nat -L
              Chain PREROUTING (policy ACCEPT)
              target prot opt source destination
              DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

              Chain INPUT (policy ACCEPT)
              target prot opt source destination

              Chain OUTPUT (policy ACCEPT)
              target prot opt source destination
              DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

              Chain POSTROUTING (policy ACCEPT)
              target prot opt source destination
              MASQUERADE all -- 172.17.0.0/16 anywhere
              MASQUERADE tcp -- 172.22.1.5 172.22.1.5 tcp dpt:8983
              MASQUERADE tcp -- 172.22.1.249 172.22.1.249 tcp dpt:redis
              MASQUERADE tcp -- 172.22.1.6 172.22.1.6 tcp dpt:mysql
              MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3
              MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imap2
              MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imaps
              MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3s
              MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:sieve
              MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:12345

              Chain DOCKER (2 references)
              target prot opt source destination
              RETURN all -- anywhere anywhere
              RETURN all -- anywhere anywhere
              DNAT tcp -- anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
              DNAT tcp -- anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
              DNAT tcp -- anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
              DNAT tcp -- anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
              DNAT tcp -- anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
              DNAT tcp -- anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
              DNAT tcp -- anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
              DNAT tcp -- anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
              DNAT tcp -- anywhere localhost tcp dpt:19991 to:172.22.1.250:12345`

              • DocFraggle

                • Community Hero
                Moolevel 245

              ufw is still enabled…

              • cnc24

                  Moolevel 1
                • Edited

                Strange. Here is the output again, with the ufw status command before it:
                root@mail:~# ufw status
                Status: inactive
                root@mail:~# C
                root@mail:~# iptables -L
                Chain INPUT (policy ACCEPT)
                target prot opt source destination
                MAILCOW all -- anywhere anywhere /* mailcow */
                ufw-before-logging-input all -- anywhere anywhere
                ufw-before-input all -- anywhere anywhere
                ufw-after-input all -- anywhere anywhere
                ufw-after-logging-input all -- anywhere anywhere
                ufw-reject-input all -- anywhere anywhere
                ufw-track-input all -- anywhere anywhere

                Chain FORWARD (policy ACCEPT)
                target prot opt source destination
                MAILCOW all -- anywhere anywhere /* mailcow */
                DOCKER-USER all -- anywhere anywhere
                DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
                DOCKER all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
                DOCKER all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere
                ACCEPT all -- anywhere anywhere
                ufw-before-logging-forward all -- anywhere anywhere
                ufw-before-forward all -- anywhere anywhere
                ufw-after-forward all -- anywhere anywhere
                ufw-after-logging-forward all -- anywhere anywhere
                ufw-reject-forward all -- anywhere anywhere
                ufw-track-forward all -- anywhere anywhere

                Chain OUTPUT (policy ACCEPT)
                target prot opt source destination
                ufw-before-logging-output all -- anywhere anywhere
                ufw-before-output all -- anywhere anywhere
                ufw-after-output all -- anywhere anywhere
                ufw-after-logging-output all -- anywhere anywhere
                ufw-reject-output all -- anywhere anywhere
                ufw-track-output all -- anywhere anywhere

                Chain DOCKER (2 references)
                target prot opt source destination
                ACCEPT tcp -- anywhere 172.22.1.5 tcp dpt:8983
                ACCEPT tcp -- anywhere 172.22.1.249 tcp dpt:redis
                ACCEPT tcp -- anywhere 172.22.1.6 tcp dpt:mysql
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imap2
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imaps
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3s
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:sieve
                ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:12345

                Chain DOCKER-ISOLATION-STAGE-1 (1 references)
                target prot opt source destination
                DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
                DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
                RETURN all -- anywhere anywhere

                Chain DOCKER-ISOLATION-STAGE-2 (2 references)
                target prot opt source destination
                DROP all -- anywhere anywhere
                DROP all -- anywhere anywhere
                RETURN all -- anywhere anywhere

                Chain DOCKER-USER (1 references)
                target prot opt source destination
                RETURN all -- anywhere anywhere

                Chain MAILCOW (2 references)
                target prot opt source destination
                DROP all -- 212.70.149.71 anywhere
                DROP tcp -- anywhere anywhere /* mailcow isolation */

                Chain ufw-after-forward (1 references)
                target prot opt source destination

                Chain ufw-after-input (1 references)
                target prot opt source destination

                Chain ufw-after-logging-forward (1 references)
                target prot opt source destination

                Chain ufw-after-logging-input (1 references)
                target prot opt source destination

                Chain ufw-after-logging-output (1 references)
                target prot opt source destination

                Chain ufw-after-output (1 references)
                target prot opt source destination

                Chain ufw-before-forward (1 references)
                target prot opt source destination

                Chain ufw-before-input (1 references)
                target prot opt source destination

                Chain ufw-before-logging-forward (1 references)
                target prot opt source destination

                Chain ufw-before-logging-input (1 references)
                target prot opt source destination

                Chain ufw-before-logging-output (1 references)
                target prot opt source destination

                Chain ufw-before-output (1 references)
                target prot opt source destination

                Chain ufw-reject-forward (1 references)
                target prot opt source destination

                Chain ufw-reject-input (1 references)
                target prot opt source destination

                Chain ufw-reject-output (1 references)
                target prot opt source destination

                Chain ufw-track-forward (1 references)
                target prot opt source destination

                Chain ufw-track-input (1 references)
                target prot opt source destination

                Chain ufw-track-output (1 references)
                target prot opt source destination
                root@mail:~# iptables -t nat -L
                Chain PREROUTING (policy ACCEPT)
                target prot opt source destination
                DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

                Chain INPUT (policy ACCEPT)
                target prot opt source destination

                Chain OUTPUT (policy ACCEPT)
                target prot opt source destination
                DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

                Chain POSTROUTING (policy ACCEPT)
                target prot opt source destination
                MASQUERADE all -- 172.17.0.0/16 anywhere
                MASQUERADE tcp -- 172.22.1.5 172.22.1.5 tcp dpt:8983
                MASQUERADE tcp -- 172.22.1.249 172.22.1.249 tcp dpt:redis
                MASQUERADE tcp -- 172.22.1.6 172.22.1.6 tcp dpt:mysql
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imap2
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imaps
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3s
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:sieve
                MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:12345

                Chain DOCKER (2 references)
                target prot opt source destination
                RETURN all -- anywhere anywhere
                RETURN all -- anywhere anywhere
                DNAT tcp -- anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
                DNAT tcp -- anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
                DNAT tcp -- anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
                DNAT tcp -- anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
                DNAT tcp -- anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
                DNAT tcp -- anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
                DNAT tcp -- anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
                DNAT tcp -- anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
                DNAT tcp -- anywhere localhost tcp dpt:19991 to:172.22.1.250:12345
                root@mail:~#

                I don’t know what happened exactly, but suddenly after 9 minutes the unbound container started to get healthy 😃

                Now I’m getting emails again! 🙂

                I'll try to activate ufw again now, or what do you prefer?
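
The listings posted above show `ufw-*` chains that are still referenced from INPUT, FORWARD and OUTPUT but hold no rules. As an added example (not part of the thread and not mailcow or ufw code), this shell helper classifies that state from `iptables -L` text; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify ufw's footprint in `iptables -L` output.
# On a real host (as root): iptables -L -n | ufw_state

# Print "<number of ufw-* chains> <rules inside them>" for a listing on stdin.
# Fields are compared instead of line starts, so indented pastes also work.
ufw_counts() {
    awk '
        $1 == "Chain"  { in_ufw = ($2 ~ /^ufw-/); if (in_ufw) chains++; next }
        $1 == "target" || NF == 0 { next }   # column header or blank line
        in_ufw         { rules++ }           # a rule inside a ufw-* chain
        END            { printf "%d %d\n", chains, rules }
    '
}

# absent: no ufw-* chains exist
# empty:  ufw-* chains exist but contain no rules (the state shown in the thread)
# loaded: ufw-* chains contain rules, so ufw is filtering traffic
ufw_state() {
    set -- $(ufw_counts)
    if [ "$1" -eq 0 ]; then echo absent
    elif [ "$2" -eq 0 ]; then echo empty
    else echo loaded
    fi
}

# Constructed sample, abbreviated to the shape of the listing in the thread.
sample_empty() { cat <<'EOF'
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */
ufw-before-input all -- anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere /* mailcow isolation */

Chain ufw-before-input (1 references)
target prot opt source destination
EOF
}

# Constructed sample in which a ufw chain does hold a rule.
sample_loaded() { cat <<'EOF'
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
EOF
}

sample_empty | ufw_state
```

Rules in other chains, such as MAILCOW or DOCKER, are deliberately not counted; only chains whose name starts with `ufw-` are inspected.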

                • DocFraggle

                  • Community Hero
                  Moolevel 245

                You should disable it completely, see the docs.

                systemctl disable ufw

                And reboot afterwards

                • cnc24

                    Moolevel 1

                  But then would my server be open to the internet, because there is no other security feature?
