• DocFraggle

    • Community Hero
    Moolevel 245

Must be a firewall issue. Did you try to disable ufw and restart the stack?

docker compose down
docker compose up -d

  • cnc24

      Moolevel 1

    Yes, the mailcow unbound stays unhealthy and the behaviour is the same as described above.

    • esackbauer

      • Community Hero
      Moolevel 347
    • Edited

    What OS is your root server running on? Was it updated lately?
    Looks like it's not forwarding ICMP packets.
    Have you tried updating docker versions manually?

    • cnc24

        Moolevel 1
      • Edited

      I’m running Debian 11 Bullseye. Below are the uname -a and dpkg -l outputs:

      root@mail:~# uname -a
      Linux mail.senditout.de 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux
      root@mail:~# dpkg -l | grep linux-
      ii binutils-x86-64-linux-gnu 2.35.2-2 amd64 GNU binary utilities, for x86-64-linux-gnu target
      ii firmware-linux-free 20200122-1 all Binary firmware for various drivers in the Linux kernel
      ii linux-base 4.6 all Linux image base package
      rc linux-image-5.10.0-10-amd64 5.10.84-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-11-amd64 5.10.92-2 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-12-amd64 5.10.103-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-13-amd64 5.10.106-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-14-amd64 5.10.113-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-15-amd64 5.10.120-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-16-amd64 5.10.127-2 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-17-amd64 5.10.136-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-18-amd64 5.10.140-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-19-amd64 5.10.149-2 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-20-amd64 5.10.158-2 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-21-amd64 5.10.162-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-22-amd64 5.10.178-3 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-23-amd64 5.10.179-3 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-24-amd64 5.10.179-5 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-25-amd64 5.10.191-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-26-amd64 5.10.197-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-27-amd64 5.10.205-2 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-28-amd64 5.10.209-2 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-29-amd64 5.10.216-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      ii linux-image-5.10.0-32-amd64 5.10.223-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      ii linux-image-5.10.0-33-amd64 5.10.226-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-8-amd64 5.10.46-5 amd64 Linux 5.10 for 64-bit PCs (signed)
      rc linux-image-5.10.0-9-amd64 5.10.70-1 amd64 Linux 5.10 for 64-bit PCs (signed)
      ii linux-image-amd64 5.10.226-1 amd64 Linux for 64-bit PCs (meta-package)
      ii util-linux-locales 2.36.1-8+deb11u2 all locales files for util-linux

      The last update was in October, I think.

      • cnc24

          Moolevel 1

        The docker versions are:

        docker compose version
        Docker Compose version v2.32.1

        docker --version
        Docker version 27.4.1, build b9d17ea

        • esackbauer

          • Community Hero
          Moolevel 347
        • Edited

        Are you using firewalld, UFW, or SELinux? If yes, disable them.

        • cnc24

            Moolevel 1

          I use ufw, but I get the same issue without ufw enabled.

          • DocFraggle

            • Community Hero
            Moolevel 245

          With ufw disabled and after restarting the stack, please post the output of

          iptables -L
          iptables -t nat -L

          • cnc24

              Moolevel 1

            Here the output:
            `root@mail:/opt/mailcow-dockerized# iptables -L
            Chain INPUT (policy ACCEPT)
            target prot opt source destination
            MAILCOW all – anywhere anywhere /* mailcow */
            ufw-before-logging-input all – anywhere anywhere
            ufw-before-input all – anywhere anywhere
            ufw-after-input all – anywhere anywhere
            ufw-after-logging-input all – anywhere anywhere
            ufw-reject-input all – anywhere anywhere
            ufw-track-input all – anywhere anywhere

            Chain FORWARD (policy ACCEPT)
            target prot opt source destination
            MAILCOW all – anywhere anywhere /* mailcow */
            DOCKER-USER all – anywhere anywhere
            DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
            ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
            DOCKER all – anywhere anywhere
            ACCEPT all – anywhere anywhere
            ACCEPT all – anywhere anywhere
            ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
            DOCKER all – anywhere anywhere
            ACCEPT all – anywhere anywhere
            ACCEPT all – anywhere anywhere
            ufw-before-logging-forward all – anywhere anywhere
            ufw-before-forward all – anywhere anywhere
            ufw-after-forward all – anywhere anywhere
            ufw-after-logging-forward all – anywhere anywhere
            ufw-reject-forward all – anywhere anywhere
            ufw-track-forward all – anywhere anywhere

            Chain OUTPUT (policy ACCEPT)
            target prot opt source destination
            ufw-before-logging-output all – anywhere anywhere
            ufw-before-output all – anywhere anywhere
            ufw-after-output all – anywhere anywhere
            ufw-after-logging-output all – anywhere anywhere
            ufw-reject-output all – anywhere anywhere
            ufw-track-output all – anywhere anywhere

            Chain DOCKER (2 references)
            target prot opt source destination
            ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
            ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
            ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345

            Chain DOCKER-ISOLATION-STAGE-1 (1 references)
            target prot opt source destination
            DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
            DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
            RETURN all – anywhere anywhere

            Chain DOCKER-ISOLATION-STAGE-2 (2 references)
            target prot opt source destination
            DROP all – anywhere anywhere
            DROP all – anywhere anywhere
            RETURN all – anywhere anywhere

            Chain DOCKER-USER (1 references)
            target prot opt source destination
            RETURN all – anywhere anywhere

            Chain MAILCOW (2 references)
            target prot opt source destination
            DROP all – 212.70.149.71 anywhere
            DROP tcp – anywhere anywhere /* mailcow isolation */

            Chain ufw-after-forward (1 references)
            target prot opt source destination

            Chain ufw-after-input (1 references)
            target prot opt source destination

            Chain ufw-after-logging-forward (1 references)
            target prot opt source destination

            Chain ufw-after-logging-input (1 references)
            target prot opt source destination

            Chain ufw-after-logging-output (1 references)
            target prot opt source destination

            Chain ufw-after-output (1 references)
            target prot opt source destination

            Chain ufw-before-forward (1 references)
            target prot opt source destination

            Chain ufw-before-input (1 references)
            target prot opt source destination

            Chain ufw-before-logging-forward (1 references)
            target prot opt source destination

            Chain ufw-before-logging-input (1 references)
            target prot opt source destination

            Chain ufw-before-logging-output (1 references)
            target prot opt source destination

            Chain ufw-before-output (1 references)
            target prot opt source destination

            Chain ufw-reject-forward (1 references)
            target prot opt source destination

            Chain ufw-reject-input (1 references)
            target prot opt source destination

            Chain ufw-reject-output (1 references)
            target prot opt source destination

            Chain ufw-track-forward (1 references)
            target prot opt source destination

            Chain ufw-track-input (1 references)
            target prot opt source destination

            Chain ufw-track-output (1 references)
            target prot opt source destination `

            And the output of the other command:

            `root@mail:/opt/mailcow-dockerized# iptables -t nat -L
            Chain PREROUTING (policy ACCEPT)
            target prot opt source destination
            DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL

            Chain INPUT (policy ACCEPT)
            target prot opt source destination

            Chain OUTPUT (policy ACCEPT)
            target prot opt source destination
            DOCKER all – anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

            Chain POSTROUTING (policy ACCEPT)
            target prot opt source destination
            MASQUERADE all – 172.17.0.0/16 anywhere
            MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
            MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
            MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345

            Chain DOCKER (2 references)
            target prot opt source destination
            RETURN all – anywhere anywhere
            RETURN all – anywhere anywhere
            DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
            DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
            DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
            DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
            DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
            DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
            DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
            DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
            DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345`

            • DocFraggle

              • Community Hero
              Moolevel 245

            ufw is still enabled…

            • cnc24

                Moolevel 1
              • Edited

              Strange. Here is the output again, with the ufw status command before it:
              root@mail:~# ufw status
              Status: inactive
              root@mail:~# C
              root@mail:~# iptables -L
              Chain INPUT (policy ACCEPT)
              target prot opt source destination
              MAILCOW all – anywhere anywhere /* mailcow */
              ufw-before-logging-input all – anywhere anywhere
              ufw-before-input all – anywhere anywhere
              ufw-after-input all – anywhere anywhere
              ufw-after-logging-input all – anywhere anywhere
              ufw-reject-input all – anywhere anywhere
              ufw-track-input all – anywhere anywhere

              Chain FORWARD (policy ACCEPT)
              target prot opt source destination
              MAILCOW all – anywhere anywhere /* mailcow */
              DOCKER-USER all – anywhere anywhere
              DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
              ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
              DOCKER all – anywhere anywhere
              ACCEPT all – anywhere anywhere
              ACCEPT all – anywhere anywhere
              ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
              DOCKER all – anywhere anywhere
              ACCEPT all – anywhere anywhere
              ACCEPT all – anywhere anywhere
              ufw-before-logging-forward all – anywhere anywhere
              ufw-before-forward all – anywhere anywhere
              ufw-after-forward all – anywhere anywhere
              ufw-after-logging-forward all – anywhere anywhere
              ufw-reject-forward all – anywhere anywhere
              ufw-track-forward all – anywhere anywhere

              Chain OUTPUT (policy ACCEPT)
              target prot opt source destination
              ufw-before-logging-output all – anywhere anywhere
              ufw-before-output all – anywhere anywhere
              ufw-after-output all – anywhere anywhere
              ufw-after-logging-output all – anywhere anywhere
              ufw-reject-output all – anywhere anywhere
              ufw-track-output all – anywhere anywhere

              Chain DOCKER (2 references)
              target prot opt source destination
              ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
              ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
              ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
              ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
              ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
              ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
              ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
              ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
              ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345

              Chain DOCKER-ISOLATION-STAGE-1 (1 references)
              target prot opt source destination
              DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
              DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
              RETURN all – anywhere anywhere

              Chain DOCKER-ISOLATION-STAGE-2 (2 references)
              target prot opt source destination
              DROP all – anywhere anywhere
              DROP all – anywhere anywhere
              RETURN all – anywhere anywhere

              Chain DOCKER-USER (1 references)
              target prot opt source destination
              RETURN all – anywhere anywhere

              Chain MAILCOW (2 references)
              target prot opt source destination
              DROP all – 212.70.149.71 anywhere
              DROP tcp – anywhere anywhere /* mailcow isolation */

              Chain ufw-after-forward (1 references)
              target prot opt source destination

              Chain ufw-after-input (1 references)
              target prot opt source destination

              Chain ufw-after-logging-forward (1 references)
              target prot opt source destination

              Chain ufw-after-logging-input (1 references)
              target prot opt source destination

              Chain ufw-after-logging-output (1 references)
              target prot opt source destination

              Chain ufw-after-output (1 references)
              target prot opt source destination

              Chain ufw-before-forward (1 references)
              target prot opt source destination

              Chain ufw-before-input (1 references)
              target prot opt source destination

              Chain ufw-before-logging-forward (1 references)
              target prot opt source destination

              Chain ufw-before-logging-input (1 references)
              target prot opt source destination

              Chain ufw-before-logging-output (1 references)
              target prot opt source destination

              Chain ufw-before-output (1 references)
              target prot opt source destination

              Chain ufw-reject-forward (1 references)
              target prot opt source destination

              Chain ufw-reject-input (1 references)
              target prot opt source destination

              Chain ufw-reject-output (1 references)
              target prot opt source destination

              Chain ufw-track-forward (1 references)
              target prot opt source destination

              Chain ufw-track-input (1 references)
              target prot opt source destination

              Chain ufw-track-output (1 references)
              target prot opt source destination
              root@mail:~# iptables -t nat -L
              Chain PREROUTING (policy ACCEPT)
              target prot opt source destination
              DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL

              Chain INPUT (policy ACCEPT)
              target prot opt source destination

              Chain OUTPUT (policy ACCEPT)
              target prot opt source destination
              DOCKER all – anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

              Chain POSTROUTING (policy ACCEPT)
              target prot opt source destination
              MASQUERADE all – 172.17.0.0/16 anywhere
              MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
              MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
              MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
              MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
              MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
              MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
              MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
              MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
              MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345

              Chain DOCKER (2 references)
              target prot opt source destination
              RETURN all – anywhere anywhere
              RETURN all – anywhere anywhere
              DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
              DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
              DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
              DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
              DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
              DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
              DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
              DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
              DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345
              root@mail:~#

              I don’t know what happened exactly, but suddenly after 9 minutes the unbound container started to get healthy 😃

              Now I’m getting emails again! 🙂

              I will try to activate ufw again now, or what do you prefer?

              • DocFraggle

                • Community Hero
                Moolevel 245

              You should disable it completely, see the docs.

              systemctl disable ufw

              And reboot afterwards

              • cnc24

                  Moolevel 1

                But then would my server be open to the internet, because there is no other security feature?
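
Added example (not part of any post in this thread): a shell helper that reads `iptables -L` and `iptables -t nat -L` listings like the ones posted above, counts the rules held by each ufw-* chain, and lists which Docker DNAT rules match any destination address versus only localhost. The function names are hypothetical, and the sample listings are abbreviated from the thread or constructed where labelled.

```shell
#!/bin/sh
# Added example: audit `iptables -L` and `iptables -t nat -L` listings.

# Print each ufw-* chain with the number of rules it holds. A chain with
# 0 rules filters nothing, even though it still shows up in the listing.
ufw_chain_rule_counts() {
  awk '
    $1 == "Chain" { chain = $2; if (chain ~ /^ufw-/) count[chain] = 0; next }
    NF == 0 || $1 == "target" { next }   # blank line or column header
    chain ~ /^ufw-/ { count[chain]++ }
    END { for (c in count) print c, count[c] }
  ' | sort
}

# Print every DNAT (published port) rule as "<scope> <proto>/<port> -> <target>".
# scope is "public" when the destination column matches any address and
# "local" when the rule is bound to a specific address such as localhost.
published_ports() {
  awk '
    $1 == "DNAT" {
      scope = ($5 == "anywhere" || $5 == "0.0.0.0/0") ? "public" : "local"
      port = ""; to = ""
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^dpt:/) port = substr($i, 5)
        if ($i ~ /^to:/)  to = substr($i, 4)
      }
      print scope, $2 "/" port, "->", to
    }'
}

# Abbreviated from the filter listing posted in this thread.
SAMPLE_FILTER='Chain INPUT (policy ACCEPT)
target     prot opt source     destination
MAILCOW    all  --  anywhere   anywhere   /* mailcow */
ufw-before-input  all  --  anywhere  anywhere

Chain ufw-before-input (1 references)
target     prot opt source     destination

Chain ufw-reject-input (1 references)
target     prot opt source     destination'

# Constructed for contrast: the same chain holding one rule.
SAMPLE_ACTIVE='Chain ufw-before-input (1 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere   ctstate RELATED,ESTABLISHED'

# Abbreviated from the nat listing posted in this thread.
SAMPLE_NAT='Chain DOCKER (2 references)
target     prot opt source     destination
RETURN     all  --  anywhere   anywhere
DNAT       tcp  --  anywhere   localhost  tcp dpt:13306 to:172.22.1.6:3306
DNAT       tcp  --  anywhere   anywhere   tcp dpt:imaps to:172.22.1.250:993'

printf '%s\n' "$SAMPLE_FILTER" | ufw_chain_rule_counts
printf '%s\n' "$SAMPLE_ACTIVE" | ufw_chain_rule_counts
printf '%s\n' "$SAMPLE_NAT" | published_ports
```

On a live host, pipe `iptables -L` or `iptables -t nat -L` into the functions; adding `-n` prints numeric addresses and ports instead of resolved names.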
