I love the product and the excellent community, many thanks, especially @DocFraggle for diagnostus profundus :-) Unfortunately it looks like I have run into a no-go, and I am not sure there is any way to do the job, which is to set up an authenticated SMTP relay going to a Microsoft 365 tenant. I have to have Mailcow sit on a machine behind a non-reporting NAT, which means that all inbound connections to Mailcow appear (to Mailcow) to be coming from the router/firewall. There is no passthrough DMZ capability in the router/firewall (WatchGuard). Probably as a result, I am seeing the following:
The closest I've come to getting it to function is using TLS/465 rather than STARTTLS/587, with Unbound forwarders to 9.9.9.9 (not recommended, and I get that, but Quad9 does have its own blacklist setup). Sometimes it has worked, and sometimes it has connected and then frozen, with the TCP port disconnected.
The next best result has been a weird behavior where it freezes or fails the first time, and then works well repeatedly after that. Then if I try it again in half an hour or so, the same behavior recurs. This happens for both TLS and STARTTLS. It is my primary reason for thinking this is NAT-related.
Oddly, Unbound fails its automatic tests. 'dig' does not fail the tests, either from the host or within the container. Quite the stumper, that.
Have a great day everyone.
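To pin down the "fails once, then works, then fails again after idling" pattern described above, it helps to probe the two submission ports repeatedly with a hard timeout and classify the outcomes, so a slow freeze (timeout) is distinguished from a fast rejection (for example a certificate or handshake error). The following probe is an added example and is not code from the original post or from the Mailcow project; `mail.example.com` is a placeholder for the Mailcow host behind the NAT, and the attempt counts, pause and timeout are assumed values to adjust for your own testing.

```python
"""Timed SMTP submission probe: implicit TLS on 465 and STARTTLS on 587.

Added example (not from the original post or from Mailcow). Each attempt is
bounded by a socket timeout, so a NAT/state-table "freeze" shows up as a slow
failure with a timeout error, while a TLS/cert problem shows up as a fast one.
"""
import smtplib
import socket
import ssl
import sys
import time


def probe_once(host, port, starttls, timeout=10.0):
    """One timed connection attempt. Returns (ok, seconds, detail)."""
    t0 = time.monotonic()
    ctx = ssl.create_default_context()  # verifies the server certificate
    try:
        if starttls:
            # 587: plaintext EHLO, then upgrade with STARTTLS, then EHLO again.
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.ehlo()
            conn.starttls(context=ctx)
            conn.ehlo()
        else:
            # 465: TLS handshake immediately on connect (implicit TLS).
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
            conn.ehlo()
        conn.quit()
        return True, time.monotonic() - t0, "ok"
    except (OSError, smtplib.SMTPException, ssl.SSLError) as exc:
        # socket.timeout is an OSError subclass; its name in `detail` marks a freeze.
        return False, time.monotonic() - t0, f"{type(exc).__name__}: {exc}"


def probe_series(host, port, starttls, attempts=5, pause=2.0, timeout=10.0):
    """Run several attempts back to back and return the list of outcomes."""
    outcomes = []
    mode = "STARTTLS" if starttls else "TLS"
    for i in range(attempts):
        ok, secs, detail = probe_once(host, port, starttls, timeout)
        print(f"{host}:{port} {mode} attempt {i + 1}: "
              f"{'OK' if ok else 'FAIL'} {secs:.2f}s {detail}")
        outcomes.append(ok)
        time.sleep(pause)
    return outcomes


def classify(outcomes):
    """Name the pattern in an ordered list of True/False outcomes.

    "cold-start" is the pattern from the post: one or more failures first,
    then every later attempt succeeds. Anything else mixed is "intermittent".
    """
    if not outcomes:
        return "no-data"
    if all(outcomes):
        return "all-ok"
    if not any(outcomes):
        return "all-fail"
    first_ok = outcomes.index(True)
    if first_ok > 0 and all(outcomes[first_ok:]):
        return "cold-start"
    return "intermittent"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    for port, use_starttls in ((465, False), (587, True)):
        result = probe_series(target, port, use_starttls)
        print(f"port {port}: {classify(result)}")
```

Run it once, leave the host idle for the half hour mentioned above, and run it again; if the first attempt of each run reports a `timeout` in `detail` and the rest report `ok`, the classification is `cold-start` on both ports, which is the signature you would expect from a NAT state entry expiring rather than from a TLS or STARTTLS configuration problem. A failure with a fast `SSLCertVerificationError` instead points at the certificate presented by Mailcow, not at the NAT.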