Mailcow Unbound unhealthy

DocFraggle · 4 Jan

Must be a firewall issue. Did you try to disable ufw and restart the stack?

docker compose down
docker compose up -d

cnc24 · 4 Jan

yes, the mailcow unbound stays unhealthy and the behaviour is the same as decribed above.

esackbauer · 4 Jan

What OS is your root server running on? Was it updated lately?
Looks like its not forwarding ICMP packets.
Have you tried updating docker versions manually?

cnc24 · 4 Jan

I’m running Debian 11 Bullseye. down here the uname -a and dpkg -l Outputs:

root@mail:~# uname -a Linux mail.senditout.de 5.10.0-33-amd64 root@mail:~# dpkg -l | grep linux- ii binutils-x86-64-linux-gnu 2.35.2-2 ii firmware-linux-free 20200122-1 ii linux-base 4.6 rc linux-image-5.10.0-10-amd64 5.10.84-1 rc linux-image-5.10.0-11-amd64 5.10.92-2 rc linux-image-5.10.0-12-amd64 5.10.103-1 rc linux-image-5.10.0-13-amd64 5.10.106-1 rc linux-image-5.10.0-14-amd64 5.10.113-1 rc linux-image-5.10.0-15-amd64 5.10.120-1 rc linux-image-5.10.0-16-amd64 5.10.127-2 rc linux-image-5.10.0-17-amd64 5.10.136-1 rc linux-image-5.10.0-18-amd64 5.10.140-1 rc linux-image-5.10.0-19-amd64 5.10.149-2 rc linux-image-5.10.0-20-amd64 5.10.158-2 rc linux-image-5.10.0-21-amd64 5.10.162-1 rc linux-image-5.10.0-22-amd64 5.10.178-3 rc linux-image-5.10.0-23-amd64 5.10.179-3 rc linux-image-5.10.0-24-amd64 5.10.179-5 rc linux-image-5.10.0-25-amd64 5.10.191-1 rc linux-image-5.10.0-26-amd64 5.10.197-1 rc linux-image-5.10.0-27-amd64 5.10.205-2 rc linux-image-5.10.0-28-amd64 5.10.209-2 rc linux-image-5.10.0-29-amd64 5.10.216-1 ii linux-image-5.10.0-32-amd64 5.10.223-1 ii linux-image-5.10.0-33-amd64 5.10.226-1 rc linux-image-5.10.0-8-amd64 5.10.46-5 rc linux-image-5.10.0-9-amd64 5.10.70-1 ii linux-image-amd64 5.10.226-1 ii util-linux-locales 2.36.1-8+deb11u2 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux amd64 GNU binary utilities, for x86-64-linux-gnu target all Binary firmware for various drivers in the Linux kernel all Linux image base package amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux 5.10 for 64-bit PCs (signed) amd64 Linux for 64-bit PCs (meta-package) all locales files for util-linux

Last Update was at October i think.

cnc24 · 4 Jan

The docker versions are:

docker compose version Docker Compose version v2.32.1

docker --version Docker version 27.4.1, build b9d17ea

esackbauer · 4 Jan

Are you using firewalld, UFW, or SELinux? if yes, disable them.

cnc24 · 4 Jan

I use ufw but i get the same issue without ufw enabled

DocFraggle · 4 Jan

With ufw disabled and after restarting the stack, please post the output of

iptables -L
iptables -t nat -L

cnc24 · 4 Jan

Here the output:
`root@mail:/opt/mailcow-dockerized# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ufw-before-logging-forward all – anywhere anywhere
ufw-before-forward all – anywhere anywhere
ufw-after-forward all – anywhere anywhere
ufw-after-logging-forward all – anywhere anywhere
ufw-reject-forward all – anywhere anywhere
ufw-track-forward all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all – anywhere anywhere
ufw-before-output all – anywhere anywhere
ufw-after-output all – anywhere anywhere
ufw-after-logging-output all – anywhere anywhere
ufw-reject-output all – anywhere anywhere
ufw-track-output all – anywhere anywhere

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP all – 212.70.149.71 anywhere
DROP tcp – anywhere anywhere /* mailcow isolation */

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination

Chain ufw-after-logging-forward (1 references)
target prot opt source destination

Chain ufw-after-logging-input (1 references)
target prot opt source destination

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination

Chain ufw-before-input (1 references)
target prot opt source destination

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination `

and the output of the other comand

`root@mail:/opt/mailcow-dockerized# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all – 172.17.0.0/16 anywhere
MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345

Chain DOCKER (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere
DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345`

DocFraggle · 4 Jan

ufw is still enabled…

cnc24 · 4 Jan

strange here again the output with ufw status command before
root@mail:~# ufw status
Status: inactive
root@mail:~# ^C
root@mail:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere