EnglishHello,
As I can remember on the first versions of mailcow docs there was ufw tutorial persistent.
Since the start of the server 2-3 years ago I have ufw installed on the server and only opened the ports needed by mailcow (list in the docs) and never had any troubles with that.
Because of that I’m wondering why ufw now is better to disable 
Have something to say?
Join the community by quickly registering to participate in this discussion. We'd like to see you joining our great moo-community!
If you open the ports in the wrong chain or with wrong settings you can create an open relay.
There is a proper way though: Docker iptables filtering fixed in Docker 17.06
donnex.net
You can check if you created an open relay with this website: Email Server Test - Online SMTP diagnostics tool - MxToolbox
mxtoolbox.com
Thanks for your reply.
I have only opened the ports required by mailcow. Nothing else is running on this server, until now never has problems over the years.
I have just tested by the tester:
OK - Not an open relay
So no open relay.
I think I’m good with that.
Here some more informations on my setup.
Open Relay Test:
Connecting to 127.0.0.1
220-mx.domain.tld ESMTP Postcow
220 mx.domain.tld ESMTP Postcow [3643 ms]
EHLO keeper-us-east-1c.mxtoolbox.com
250-mx.domain.tld
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING [236 ms]
MAIL FROM:<supertool@mxtoolboxsmtpdiag.com>
250 2.1.0 Ok [251 ms]
RCPT TO:<test@mxtoolboxsmtpdiag.com>
554 5.7.1 <test@mxtoolboxsmtpdiag.com>: Relay access denied [266 ms]
LookupServer 5445msUFW status (active rules for IPv6 and IPv6):
ufw status
Status: active
To Action From
-- ------ ----
2218 ALLOW Anywhere
25 ALLOW Anywhere
80 ALLOW Anywhere
110 ALLOW Anywhere
143 ALLOW Anywhere
443 ALLOW Anywhere
465 ALLOW Anywhere
587 ALLOW Anywhere
993 ALLOW Anywhere
995 ALLOW Anywhere
4190 ALLOW Anywhere
2218 (v6) ALLOW Anywhere (v6)
25 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
110 (v6) ALLOW Anywhere (v6)
143 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
465 (v6) ALLOW Anywhere (v6)
587 (v6) ALLOW Anywhere (v6)
993 (v6) ALLOW Anywhere (v6)
995 (v6) ALLOW Anywhere (v6)
4190 (v6) ALLOW Anywhere (v6) IPtables -L (i have removed IPs):
Chain INPUT (policy DROP)
target prot opt source destination
MAILCOW all -- anywhere anywhere
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW all -- anywhere anywhere
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:12345
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:sieve
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:8983
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:pop3s
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:mysql
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:imaps
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:imap2
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:pop3
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:https
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:http
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:submission
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:6379
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:submissions
ACCEPT tcp -- anywhere IP_REPLACED tcp dpt:smtp
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain MAILCOW (2 references)
target prot opt source destination
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere IP_REPLACED udp dpt:mdns
ACCEPT udp -- anywhere IP_REPLACED udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:2218
ACCEPT udp -- anywhere anywhere udp dpt:2218
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT udp -- anywhere anywhere udp dpt:25
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:80
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT udp -- anywhere anywhere udp dpt:110
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT udp -- anywhere anywhere udp dpt:143
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:443
ACCEPT tcp -- anywhere anywhere tcp dpt:submissions
ACCEPT udp -- anywhere anywhere udp dpt:465
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT udp -- anywhere anywhere udp dpt:587
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT udp -- anywhere anywhere udp dpt:993
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT udp -- anywhere anywhere udp dpt:995
ACCEPT tcp -- anywhere anywhere tcp dpt:sieve
ACCEPT udp -- anywhere anywhere udp dpt:4190
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination Something bad here? 
As you see i don’t have created an open relay.