Container mailcowdockerized-unbound-mailcow-1 is unhealthy

horst_16

Hi,

I reinstalled my mailserver today on Debian 12 using the normal mail cow docs but this happened:

root@mail:/opt/mailcow-dockerized# docker-compose up -d [+] Running 13/13 ✔ Container mailcowdockerized-dockerapi-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-olefy-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-memcached-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-netfilter-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-sogo-mailcow-1 Running 0.0s ✘ Container mailcowdockerized-unbound-mailcow-1 Error 0.5s ✔ Container mailcowdockerized-redis-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-solr-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-mysql-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-php-fpm-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-dovecot-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-ofelia-mailcow-1 Running 0.0s ✔ Container mailcowdockerized-nginx-mailcow-1 Started 0.0s dependency failed to start: container mailcowdockerized-unbound-mailcow-1 is unhealthy root@mail:/opt/mailcow-dockerized#

Logs:
root@mail:/opt/mailcow-dockerized# docker logs mailcowdockerized-unbound-mailcow-1 Setting console permissions... Receiving anchor key... Receiving root hints... ######################################################################## 100.0% setup in directory /etc/unbound Certificate request self-signature ok subject=CN=unbound-control removing artifacts Setup success. Certificates created. Enable in unbound.conf file to use 2025-01-09 14:47:05,010 INFO Set uid to user 0 succeeded 2025-01-09 14:47:05,014 INFO supervisord started with pid 1 2025-01-09 14:47:06,017 INFO spawned: 'processes' with pid 23 2025-01-09 14:47:06,020 INFO spawned: 'syslog-ng' with pid 24 2025-01-09 14:47:06,022 INFO spawned: 'unbound' with pid 25 2025-01-09 14:47:06,025 INFO spawned: 'unbound-healthcheck' with pid 26 [1736430426] unbound[25:0] notice: init module 0: validator [1736430426] unbound[25:0] notice: init module 1: iterator Jan 9 14:47:06 c48a6b503c39 syslog-ng[24]: syslog-ng starting up; version='4.7.1' [1736430426] unbound[25:0] info: start of service (unbound 1.20.0). 2025-01-09 14:47:07,051 INFO success: processes entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2025-01-09 14:47:07,051 INFO success: syslog-ng entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2025-01-09 14:47:07,051 INFO success: unbound entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2025-01-09 14:47:07,051 INFO success: unbound-healthcheck entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) [1736430430] unbound[25:0] info: generate keytag query _ta-4f66. NULL IN 2025-01-09 14:47:14: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2025-01-09 14:47:16: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2025-01-09 14:47:18: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2025-01-09 14:47:18: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2025-01-09 14:47:20: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2025-01-09 14:47:22: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2025-01-09 14:47:24: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2025-01-09 14:47:24: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2025-01-09 14:47:26: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2025-01-09 14:47:28: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2025-01-09 14:47:30: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2025-01-09 14:47:30: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2025-01-09 14:47:30: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy...

for info i use a normal server and right now i don’t use a firewall can someone help me?

esackbauer

horst_16 for info i use a normal server and right now i don’t use a firewall can someone help me?

Please give us more details. What is a “normal server”? Where is it hosted? Hetzner for example has a firewall in front.
Have you firewalld, UFW or SELinux enabled? then please disable it, and restart everything using docker compose.
Does DNS resolution work from Debian 12?

horst_16

esackbauer
By normal server in this case I mean a server (no virtual machine on my pc) hosted by a server hoster called (dashserv), where normally there is no firewall in front of the server and no local firewall running.

Edit: I have never dealt with the DNS resolution, how can I check this?

DocFraggle

horst_16 I have never dealt with the DNS resolution, how can I check this?

Run

dig fuzzy.mailcow.email +short
dig github.com +short
dig hub.docker.com +short

on your host system.

Do you have selinux enabled? And please use “docker compose” instead of “docker-compose”. The command “docker-compose” is the standalone version and may not be compatible with your docker version

horst_16

DocFraggle

Output:
root@mail:/opt/mailcow-dockerized# dig fuzzy.mailcow.email +short 95.217.129.125 root@mail:/opt/mailcow-dockerized# dig github.com +short 140.82.121.3 root@mail:/opt/mailcow-dockerized# dig hub.docker.com +short elb-default.us-east-1.aws.dckr.io. 54.156.140.159 52.44.227.212 44.221.37.199

And unbound stills unhealthy with “docker compose” command

DocFraggle

DocFraggle Do you have selinux enabled?

👆️

Please paste the output of

iptables -L
iptables -t nat -L

horst_16

DocFraggle

iptables -L
Output:
`root@mail:/opt/mailcow-dockerized# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:smtp
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submissions
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submission

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain MAILCOW (1 references)
target prot opt source destination
DROP tcp – anywhere anywhere /* mailcow isolation */
root@mail:/opt/mailcow-dockerized#`

iptables -t nat -L
Output:
`root@mail:/opt/mailcow-dockerized# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all – 172.22.1.0/24 anywhere
MASQUERADE all – 172.17.0.0/16 anywhere
MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345
MASQUERADE tcp – 172.22.1.253 172.22.1.253 tcp dpt:smtp
MASQUERADE tcp – 172.22.1.253 172.22.1.253 tcp dpt:submissions
MASQUERADE tcp – 172.22.1.253 172.22.1.253 tcp dpt:submission

Chain DOCKER (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere
DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345
DNAT tcp – anywhere anywhere tcp dpt:smtp to:172.22.1.253:25
DNAT tcp – anywhere anywhere tcp dpt:submissions to:172.22.1.253:465
DNAT tcp – anywhere anywhere tcp dpt:submission to:172.22.1.253:587
root@mail:/opt/mailcow-dockerized#`

DocFraggle

Hm, that looks okay. But why do you ignore my question for selinux? 😃

Do you have selinux enabled? If yes, please disable it.

Maybe try to shutdown the stack, reboot the system and fire it up again

docker compose down

reboot

docker compose up -d

horst_16

DocFraggle

Sorry I don’t have selinux enabled and after rebooting mailcow and the server it still doesn’t work

DocFraggle

OK… please post the output of

docker exec mailcowdockerized-unbound-mailcow-1 dig fuzzy.mailcow.email +trace

to show whats going on from inside the container

horst_16

DocFraggle
Output:
`root@mail:/opt/mailcow-dockerized# docker exec mailcowdockerized-unbound-mailcow-1 dig fuzzy.mailcow.email +trace

; <<>> DiG 9.18.27 <<>> fuzzy.mailcow.email +trace
;; global options: +cmd
. 512987 IN NS a.root-servers.net.
. 512987 IN NS b.root-servers.net.
. 512987 IN NS c.root-servers.net.
. 512987 IN NS d.root-servers.net.
. 512987 IN NS e.root-servers.net.
. 512987 IN NS f.root-servers.net.
. 512987 IN NS g.root-servers.net.
. 512987 IN NS h.root-servers.net.
. 512987 IN NS i.root-servers.net.
. 512987 IN NS j.root-servers.net.
. 512987 IN NS k.root-servers.net.
. 512987 IN NS l.root-servers.net.
. 512987 IN NS m.root-servers.net.
. 512987 IN RRSIG NS 8 0 518400 20250122050000 20250109040000 26470 . fCi0bd1Nz+rH7oLSkpyNLACAIuBAd7oWCYPIrX0cCj0UYtT1Ly/YMmH2 ItjyRjXRXi/OHG401734HkGsis9+zLxf0cVG7+xg+e9xHGEMHGOOEPDn 9i6DwedWAp6OJE2Lq6wfZDHwdnDJBz8DplCF3lv2za/ATDpXZvTEJF2v OXu4DJwGXAxE+cOGt9Y91zokrCkCHGci89fOU+sXNhnjK//3MnDL/+/0 WQjCZu7mofpbW4JKXMmqlHw1VX0udz2JDJntglwW0fQT5tP+K5rGFOys ZdLXGxl7N4JT0PHW3FbARVXD0pA4HZ/KL7jdGmUSMXp2GHtznMEH2Jwd EVDrXA==
;; Received 525 bytes from 127.0.0.11#53(127.0.0.11) in 4 ms

;; UDP setup with 2001:500:9f::42#53(2001:500:9f::42) for fuzzy.mailcow.email failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2001:500:9f::42#53(2001:500:9f::42) for fuzzy.mailcow.email failed: network unreachable.
;; UDP setup with 2801:1b8:10::b#53(2801:1b8:10::b) for fuzzy.mailcow.email failed: network unreachable.
;; communications error to 192.112.36.4#53: timed out
;; UDP setup with 2001:500:2d::d#53(2001:500:2d::d) for fuzzy.mailcow.email failed: network unreachable.
;; communications error to 192.58.128.30#53: timed out
;; UDP setup with 2001:500:2::c#53(2001:500:2::c) for fuzzy.mailcow.email failed: network unreachable.
;; communications error to 192.36.148.17#53: timed out
;; UDP setup with 2001:500:1::53#53(2001:500:1::53) for fuzzy.mailcow.email failed: network unreachable.
;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for fuzzy.mailcow.email failed: network unreachable.
;; communications error to 198.41.0.4#53: timed out
;; UDP setup with 2001:7fd::1#53(2001:7fd::1) for fuzzy.mailcow.email failed: network unreachable.
email. 172800 IN NS v0n0.nic.email.
email. 172800 IN NS v0n1.nic.email.
email. 172800 IN NS v0n2.nic.email.
email. 172800 IN NS v0n3.nic.email.
email. 172800 IN NS v2n0.nic.email.
email. 172800 IN NS v2n1.nic.email.
email. 86400 IN DS 62422 8 2 92A9DA686674B9BC30EE72224130A7C761D5B01902DA9A5A62038C79 6A16BD33
email. 86400 IN RRSIG DS 8 1 86400 20250122050000 20250109040000 26470 . LfRI1vK3lQfS0MXFH8j09yXXPk38g2shVIDzCpg6meStf+HgzQhcNQw9 3lEF5ubkQ0ycYO2BNAzrrCCzn9MNp33tuN2Pr3O1p+bN1f2E7Gt23uUo D/S3XMjyNOoFjaLuaJfSNIj7XeEypXOQ9LvS60FUMk9eHKdL/ejw6aMZ gGsbL4R2N6ZXBP5iqhOaGsMY0stf7qzw1ZtOtqsLxTl6/ahUxHGPjjFd sC95y4LNH2LHEARjkbyMfEVW5iDbxKehoSM6DE/6wf4JvWcvKk5QRpY3 ZvdFYRChAAE8yBVA1qjp/m6hgizGrmzt0o1pJMjE6HWhD1URzvx5W64u bQfE4g==
;; Received 765 bytes from 192.5.5.241#53(f.root-servers.net) in 0 ms

;; communications error to 65.22.26.35#53: timed out
;; UDP setup with 2a01:8840:f6::35#53(2a01:8840:f6::35) for fuzzy.mailcow.email failed: network unreachable.
;; UDP setup with 2a01:8840:1c::35#53(2a01:8840:1c::35) for fuzzy.mailcow.email failed: network unreachable.
;; UDP setup with 2a01:8840:1a::35#53(2a01:8840:1a::35) for fuzzy.mailcow.email failed: network unreachable.
;; UDP setup with 2a01:8840:1d::35#53(2a01:8840:1d::35) for fuzzy.mailcow.email failed: network unreachable.
;; UDP setup with 2a01:8840:f7::35#53(2a01:8840:f7::35) for fuzzy.mailcow.email failed: network unreachable.
;; UDP setup with 2a01:8840:1b::35#53(2a01:8840:1b::35) for fuzzy.mailcow.email failed: network unreachable.
;; communications error to 161.232.13.35#53: timed out
;; communications error to 161.232.12.35#53: timed out
;; communications error to 65.22.24.35#53: timed out
;; communications error to 65.22.25.35#53: timed out
;; communications error to 65.22.27.35#53: timed out
;; no servers could be reached`

DocFraggle

OK… I have to admit I have no idea what’s wrong with your setup… my mailcow is running on Debian 12 as well without problems.
Is this a plain installation of Debian and mailcow or did you setup any specials?
Any docker overrides?

horst_16

DocFraggle

I dont’t have any docker overrides or specials it is the normal installation from Mailcow Docs.

esackbauer

horst_16
I am using Debian 12 as well with no problems. Something must be wrong on your side or you are maybe using a predefined image from your hoster which has some features enabled like UFW, firewalld or SELinux.

A typical error is that both docker-compose (standalone) and docker compose (plugin, native) are installed and you keep using both of them. You shall always use only one of the two, and never use the other one.
Which one is referenced in your mailcow.conf?

horst_16

esackbauer

mailcow.conf refers to native (compose plugin) and there is no UFW, firewalld or SELinux installed.

DocFraggle

Please post the output of these commands:

docker network inspect bridge
docker network inspect mailcowdockerized_mailcow-network 
ip a s
ip r s

And please try this:

docker exec mailcowdockerized-unbound-mailcow-1 dig @8.8.8.8 fuzzy.mailcow.email

ETNyx

Hello try to disable IPv6 .