Connection to postfix using ipv6 not working

pierreyves258

I’m having trouble reaching postfix using ipv6.

IPV6 on host is properly configured, no issue reaching and be reached via IPV6, if I listen a port on host I can send data throug it via ipv6 only. (tested via netcat)

Seen not to be a firewall issue as with UFW disabled & netfilter container stopped the issue is still there.

IPV6 on mailcow seem properly configured, sending emails to ipv6 only servers is working fine (9/10 on https://www.email-security-scans.org/, the only issue is MTA-STS)

But with Mailcow, if a try a telnet via ipv6 on port 465, the connection times out.
If I telnet port 465 on client site and tcpdump on host I have this

host# tcpdump -vvv -i bond0 ip6 and port 465 tcpdump: listening on bond0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 10:56:12.351985 IP6 (flowlabel 0x99bb5, hlim 251, next-header TCP (6) payload length: 40) [client].40506 > [host].submissions: Flags [S], cksum 0x1d28 (correct), seq 1902229173, win 64800, options [mss 1432,sackOK,TS val 1238195374 ecr 0,nop,wscale 7], length 0 10:56:13.353711 IP6 (flowlabel 0x0e4f0, hlim 251, next-header TCP (6) payload length: 40) [client].40506 > [host].submissions: Flags [S], cksum 0x193e (correct), seq 1902229173, win 64800, options [mss 1432,sackOK,TS val 1238196376 ecr 0,nop,wscale 7], length 0 10:56:14.378433 IP6 (flowlabel 0x3c214, hlim 251, next-header TCP (6) payload length: 40) [client].40506 > [host].submissions: Flags [S], cksum 0x153e (correct), seq 1902229173, win 64800, options [mss 1432,sackOK,TS val 1238197400 ecr 0,nop,wscale 7], length 0

so connection reach the host but nothing on docker side

docker# tcpdump -vvv -i any ip6 and port 465 tcpdump: data link type LINUX_SLL2 tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

I can reach the port from host using local ipv6 address of the container
telnet fd4d:6169:6c63:6f77::d 465 Trying fd4d:6169:6c63:6f77::d... Connected to fd4d:6169:6c63:6f77::d. Escape character is '^]'.

Seem to be a docker / iptables issue but there is no entry in ufw.log or syslog while trying to connect I don’t know where to look.
I’m using ufw and ufw-docker chaifeng/ufw-docker and chaifeng/ufw-docker8
Here are my iptables

iptables.txt

31kB

and ufw status
`
465 (v6) ALLOW Anywhere (v6)

172.22.1.250 110/tcp ALLOW FWD Anywhere # allow mailcowdockerized-dovecot-mailcow-1 110/tcp mailcowdockerized_mailcow-network
172.22.1.250 12345/tcp ALLOW FWD Anywhere # allow mailcowdockerized-dovecot-mailcow-1 12345/tcp mailcowdockerized_mailcow-network
172.22.1.250 143/tcp ALLOW FWD Anywhere # allow mailcowdockerized-dovecot-mailcow-1 143/tcp mailcowdockerized_mailcow-network
172.22.1.250 4190/tcp ALLOW FWD Anywhere # allow mailcowdockerized-dovecot-mailcow-1 4190/tcp mailcowdockerized_mailcow-network
172.22.1.250 993/tcp ALLOW FWD Anywhere # allow mailcowdockerized-dovecot-mailcow-1 993/tcp mailcowdockerized_mailcow-network
172.22.1.250 995/tcp ALLOW FWD Anywhere # allow mailcowdockerized-dovecot-mailcow-1 995/tcp mailcowdockerized_mailcow-network
172.22.1.253 25/tcp ALLOW FWD Anywhere # allow mailcowdockerized-postfix-mailcow-1 25/tcp mailcowdockerized_mailcow-network
172.22.1.253 465/tcp ALLOW FWD Anywhere # allow mailcowdockerized-postfix-mailcow-1 465/tcp mailcowdockerized_mailcow-network
172.22.1.253 587/tcp ALLOW FWD Anywhere # allow mailcowdockerized-postfix-mailcow-1 587/tcp mailcowdockerized_mailcow-network
`

And comparaison between a working ipv6 container and postfix
`
host# iptables-save | grep 465
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp –dport 465 -j MASQUERADE
-A DOCKER ! -i br-mailcow -p tcp -m tcp –dport 465 -j DNAT –to-destination 172.22.1.253:465
-A DOCKER -p tcp -m tcp –dport 465 -j DNAT –to-destination 172.22.1.253:465
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp –dport 465 -j ACCEPT
-A ufw-user-forward -d 172.22.1.253/32 -p tcp -m tcp –dport 465 -j ACCEPT
-A ufw-user-input -p tcp -m tcp –dport 465 -j ACCEPT
-A ufw-user-input -p tcp -m tcp –dport 465 -j ACCEPT
-A ufw-user-input -p udp -m udp –dport 465 -j ACCEPT
=> this is not working

host# iptables-save | grep 25565
-A POSTROUTING -s 172.26.0.3/32 -d 172.26.0.3/32 -p tcp -m tcp –dport 25565 -j MASQUERADE
-A DOCKER ! -i br-2a8175cd2ac3 -p tcp -m tcp –dport 25565 -j DNAT –to-destination 172.26.0.3:25565
-A DOCKER -d 172.26.0.3/32 ! -i br-2a8175cd2ac3 -o br-2a8175cd2ac3 -p tcp -m tcp –dport 25565 -j ACCEPT
-A ufw-user-forward -d 172.26.0.3/32 -p tcp -m tcp –dpo
=> this is working
`

Can you help ?

Thanks in advance

DocFraggle

pierreyves258 Seen not to be a firewall issue as with UFW disabled & netfilter container stopped the issue is still there.

Don’t stop the netfilter container, disable ufw and restart the stack

docker compose down
docker compose up -d

Check if it’s working afterwards

pierreyves258

DocFraggle with ufw disable, then restart containers it not working anymore on ipv4 (and still not work on ipv6) but it seem ufw disable does not disable everything
I tried removing the added in /etc/ufw/after.rules & afterv6.rules but same result, firewall disabled = not working in ipv4 & v6

with the following in logs
[7436675.932973] [UFW DOCKER BLOCK] IN=bond0 OUT=br-mailcow MAC=00:1b:21:db:1f:cd:44:4c:a8:a5:32:b9:08:00 SRC=[client] DST=172.22.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=53652 DF PROTO=TCP SPT=40508 DPT=465 WINDOW=64240 RES=0x00 SYN URGP=0

So ufw after.rules seem to stay active after a disable

However this lead me to try this
ufw route allow 465

And now it’s working ! So my issue seem related to chaifeng/ufw-docker !
as the original rule was
ufw-docker allow mailcowdockerized-postfix-mailcow-1 and it allow (forward) only ipv4 but not ipv6

I now have
465 ALLOW FWD Anywhere 465 (v6) ALLOW FWD Anywhere (v6)
in ufw status instead of just
172.22.1.253 465/tcp ALLOW FWD Anywhere # allow mailcowdockerized-postfix-mailcow-1 465/tcp mailcowdockerized_mailcow-network