I try to deploy mailcow on my home server and I have some error with the UNBOUND container. I previosly bypassed it to correct others problème, using SWAG reverse proxy and setting SMTP2GO. But now I need to correct it. When it start, the container stuck with this loop of message in logs: 2026-01-07 09:00:08: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2026-01-07 09:00:08: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2026-01-07 09:00:09: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2026-01-07 09:00:09: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2026-01-07 09:00:09: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2026-01-07 09:00:09: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2026-01-07 09:00:09: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2026-01-07 09:00:09: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2026-01-07 09:00:09: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2026-01-07 09:00:09: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2026-01-07 09:00:09: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2026-01-07 09:00:09: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2026-01-07 09:00:09: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy... I tried to define a foward-zone like mentioned in documentation but this don't resolve the problème. I suspect SWAG create another problème but I don't know why. I also disabled IPv6. I also added UNBOUND_DNS=1.1.1.1,8.8.8.8 Because UNBOUND cannot resolve DNS, others container, like nginx cannot start.

Currently I bypass Healthcheck because I have another problem to set smtp relay.

Now I can send email but not recevie them. I saw they were rejected because postfix cannot resolve DNS. But it use Unbound and unbound are not able to résolve DNS. Someone can help me? Thanks NOQUEUE: reject: RCPT from unknown[52.103.20.95]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=

Sorry with that little information about your setup we cannot help (which hoster, which firewall, which OS, IPv4 or also IPv6 etc). Check the logs of the unbound container. Check if you meet all prerequisites (DNS port 53 outgoing open for TCP **and** UDP, check with your hosting provider). Check if you can `dig` from within your unbound container. Use forum search to find other threads that explain things to try and narrow down the error.

I validate fierwall also I disabled IPv6 but I see somthing strange in logs. After disabled Healthcheck I see in logs the container or the application seems reboot with this logs: Setting console permissions... Receiving anchor key... Receiving root hints... ######################################################################## 100.0% setup in directory /etc/unbound removing artifacts Setup success. Certificates created. Enable in unbound.conf file to use 2026-01-14 14:47:05,892 INFO Set uid to user 0 succeeded 2026-01-14 14:47:05,895 INFO supervisord started with pid 1 2026-01-14 14:47:06,898 INFO spawned: 'processes' with pid 17 2026-01-14 14:47:06,901 INFO spawned: 'syslog-ng' with pid 18 2026-01-14 14:47:06,903 INFO spawned: 'unbound' with pid 19 2026-01-14 14:47:06,905 INFO spawned: 'unbound-healthcheck' with pid 20 2026-01-14 14:47:06: Healthcheck: ALL CHECKS WERE SKIPPED! Unbound is healthy! [1768420026] unbound[19:0] notice: init module 0: subnetcache [1768420026] unbound[19:0] notice: init module 1: validator [1768420026] unbound[19:0] notice: init module 2: iterator Jan 14 14:47:06 7f49191ceb3b syslog-ng[18]: syslog-ng starting up; version='4.8.1' [1768420026] unbound[19:0] info: start of service (unbound 1.22.0). 2026-01-14 14:47:07,928 INFO success: processes entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2026-01-14 14:47:07,928 INFO success: syslog-ng entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2026-01-14 14:47:07,928 INFO success: unbound entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2026-01-14 14:47:07,928 INFO success: unbound-healthcheck entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2026-01-14 14:53:33,402 WARN received SIGTERM indicating exit request 2026-01-14 14:53:33,402 INFO waiting for processes, syslog-ng, unbound, unbound-healthcheck to die 2026-01-14 14:53:34,404 WARN stopped: unbound-healthcheck (terminated by SIGTERM) [1768420414] unbound[19:0] info: service stopped (unbound 1.22.0). [1768420414] unbound[19:0] info: server stats for thread 0: 132 queries, 32 answers from cache, 100 recursions, 0 prefetch, 0 rejected by ip ratelimiting [1768420414] unbound[19:0] info: server stats for thread 0: requestlist max 20 avg 8.79 exceeded 24 jostled 0 [1768420414] unbound[19:0] info: average recursion processing time 0.000000 sec [1768420414] unbound[19:0] info: histogram of recursion processing times [1768420414] unbound[19:0] info: [25%]=2.5e-07 median[50%]=5e-07 [75%]=7.5e-07 [1768420414] unbound[19:0] info: lower(secs) upper(secs) recursions [1768420414] unbound[19:0] info: 0.000000 0.000001 76 2026-01-14 14:53:34,417 INFO stopped: unbound (exit status 0) 2026-01-14 14:53:34,417 WARN received SIGQUIT indicating exit request Jan 14 14:53:34 7f49191ceb3b syslog-ng[18]: syslog-ng shutting down; version='4.8.1' 2026-01-14 14:53:34,528 INFO stopped: syslog-ng (exit status 0) 2026-01-14 14:53:34,529 WARN stopped: processes (terminated by SIGTERM)

> @"BisonOpiniatre"#p30003 2026-01-14 14:53:33,402 WARN received SIGTERM indicating exit request You need to find out why the unbound container gets the SIGTERM signal (request to shutdown). Look at other logs, e.g. form healthcheck container and correlate what happens at that time.

@"esackbauer"#p30016 I will investigate, I will come back with what I will find. Thanks

Sorry I didn't have a lot of time this week but easily I found who reboot my container, it's the watchdog and is because Unbound cannot resolve any DNS. So All comeback to this problem. I suspect it's a problem with IPV6. Maybe the domains who try to reach dont have IPv6 address or, it's more probable, a routing problem between my host and the container network. When I will have time I will continue to investigate.

Ok I disabled IPv6 on mailcow.conf and unbound.conf. Also I removed all DBNS definition on docker-compose.override.yml and others confs (sugested by AI). I juste define default dns in daemon.json of docker config. In watchdog console I saw DNSSEC Failed log and a message about Unbound container who reach error limit. So I decided to reactivate Healthcheck on startup because is clear I have a problèm of DNS résolution. So on startup I see these errors: 2026-01-21 08:10:06: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2026-01-21 08:10:08: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2026-01-21 08:10:10: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2026-01-21 08:10:10: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2026-01-21 08:10:12: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2026-01-21 08:10:14: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2026-01-21 08:10:16: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2026-01-21 08:10:16: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2026-01-21 08:10:18: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2026-01-21 08:10:20: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2026-01-21 08:10:22: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2026-01-21 08:10:22: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2026-01-21 08:10:22: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy... So like sugested by esackbauer, I use dig to resolve DNS for these three domains. dig fuzzy.mailcow.email ; DiG 9.18.34 fuzzy.mailcow.email ;; global options: +cmd ;; Got answer: ;; ->>HEADERHEADERHEADER

@"DocFraggle"#p30221 dig +trace fuzzy.mailcow.email ; DiG 9.18.34 +trace fuzzy.mailcow.email ;; global options: +cmd ;; Received 17 bytes from 127.0.0.11#53(127.0.0.11) in 4000 ms I dont know if is good.

UNBOUND_MAILCOW Healthcheck problème

DocFraggle

BisonOpiniatre So my router have rules to forward port, (53 is define to reach my server)

Why? Do you have a DNS server running on your host?

BisonOpiniatre

DocFraggle
Removed now.

BisonOpiniatre

I’m not quite sure how work iptables but I see the drop rules for MAILCOW. I supposed that I needed to add rules to permit 53 trafic.

BisonOpiniatre

I don’t understand why I can ping google.com from Unbound container but dig return timeout.
Also I dont understand why dig try to connect to 127.0.0.11 when it have only 2 interface, 127.0.0.1 and 172.22.1.254.
Also I can try dig @127.0.0.1 of dig @172.22.1.254 but timeout occured everytime.

Also, I can dig google.com from my host but dig +trace don’t work.

BisonOpiniatre

BisonOpiniatre
I think is a problem in my unbound.conf

server:
  verbosity: 1
  #interface: 0.0.0.0
  interface: 127.0.0.11
  #interface: ::0
  logfile: /dev/console
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: yes
  do-daemonize: no
  do-not-query-localhost: no
  val-permissive-mode: yes
  #auto-trust-anchor-file: "/etc/unbound/root.key"
  access-control: 0.0.0.0/0 allow
  access-control: 127.0.0.0/8 allow
  access-control: 172.22.1.0/24 allow
  access-control: 10.0.0.0/8 allow
  access-control: 172.16.0.0/12 allow
  access-control: 192.168.0.0/16 allow
  #access-control: fc00::/7 allow
  #access-control: fe80::/10 allow
  #access-control: ::0/0 allow
  directory: "/etc/unbound"
  username: unbound
  auto-trust-anchor-file: trusted-key.key
  #private-address: 10.0.0.0/8
  #private-address: 172.16.0.0/12
  #private-address: 192.168.0.0/16
  #private-address: 169.254.0.0/16
  #private-address: fc00::/7
  #private-address: fe80::/10
  # cache-min-ttl needs to be less or equal to cache-max-negative-ttl
  cache-min-ttl: 5
  cache-max-negative-ttl: 60
  root-hints: "/etc/unbound/root.hints"
  hide-identity: yes
  hide-version: yes
  max-udp-size: 4096
  msg-buffer-size: 65552
  unwanted-reply-threshold: 10000
  ipsecmod-enabled: no

remote-control:
  control-enable: yes
  control-interface: 127.0.0.1
  control-port: 8953
  server-key-file: "/etc/unbound/unbound_server.key"
  server-cert-file: "/etc/unbound/unbound_server.pem"
  control-key-file: "/etc/unbound/unbound_control.key"
  control-cert-file: "/etc/unbound/unbound_control.pem"

BisonOpiniatre

I just see now that my host il listening on port 53 with syatemd-resolved and avahi-daemon. I don’t know why I dont see it before with the tlpn CMD. So It’s posible that bloc the trafic from Unbound container?
I supposed that Docker flag an error when a port isn’t available.

BisonOpiniatre

It’s clear I have some conflict between my host and the Docker image. So I decided to make a fresh install of MailCow and retry to run Unbound, but it seems to have conflict again.
I decided to change of linux OS. It was planned for later but I think I will do it now.
But I planned to use Fedora uCore OS (immutable OS), but it comes with a preloaded Docker engine, the Moby Engine. I know Mailcow cannot run over any kind of Docker installation, but can I install it on Moby Engine?

esackbauer

I would strongly suggest you try it on a Debian install, without ufw.

BisonOpiniatre

esackbauer
Minimal Install?

DocFraggle

BisonOpiniatre I’m running the normal Debian 13 version, I guess you can use the minimal installation as well

esackbauer

I always use the “netinst” variant which only installs very basic features. The only optional feature I select in the installer is typically only “SSH Server”.

BisonOpiniatre

So I completed I new instalation. Now I run on debian with basic installation. No desktop, no firewall.
So I had some problème to start all previous container (swag and other services) because it seems an Alpine linux only use port 53/udp for some application, like curl. and my swag needed to update a mod to be able to install my certbot version. I resolved this issue with a custon swag build BUT the real problem is my ISP bloc 53/udp, not TCP.
I validate that with dig cmd on my host and on the undound container. dig +tcp work fine, not dig (+udp).

UDP:

# dig fuzzy.mailcow.email
;; communications error to 127.0.0.11#53: timed out
;; communications error to 127.0.0.11#53: timed out
;; communications error to 127.0.0.11#53: timed out

; <<>> DiG 9.18.34 <<>> fuzzy.mailcow.email
;; global options: +cmd
;; no servers could be reached

TCP:

/ # dig +tcp fuzzy.mailcow.email

; <<>> DiG 9.18.34 <<>> +tcp fuzzy.mailcow.email
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31744
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fuzzy.mailcow.email.           IN      A

;; ANSWER SECTION:
fuzzy.mailcow.email.    62077   IN      A       178.156.167.240

;; Query time: 11 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (TCP)
;; WHEN: Fri Feb 06 10:20:58 EST 2026
;; MSG SIZE  rcvd: 64

I tried with other DNS server (1.1.1.1, 8.8.8.8, etc) same behaviour.
I added Options use-vc on the resolv.conf. It`s work for my host but not in container.

/ # cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.11
options use-vc ndots:0

# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [1.1.1.1 8.8.8.8 9.9.9.9]
# Overrides: [nameservers options]
# Option ndots from: internal

On unbound.conf I saw do-udp: yes and I tried to put it to no but no effect.

So if you have any idea I will listen them.

BisonOpiniatre

I tried to user forward-zone to forward request to Quad9 port 9953. dig work with this command but it’s seems health check don’t use the forward zone.

My last idea is to use stubby to forward DNS request throw DoT or dnsmasq to forward DNS request to port 9953 of Quad9.

So can I have stubby of dnsmasq on my host without conflit with unbound container. I suppose unbound don’t map port 53 on host because all container use same Docker network.

I ask to AIs but I don’t trust them answer.

On docker-compose.yml to port is mapped for on unbound service.

No power semme to be mapped on port 53 with unbound service

BisonOpiniatre

I installed stubby on my host and use it as dns server/relay. Now dig work fin with dig google.com or fuzzy.mailcow.emal. but the health check doesn’t work anymore. I try with dig +dnssec and dig +trace. At this moment I saw something.
During trace it try a direct access to many DSN server using 53. So at this moment stubby is not in use. Stubby cannot resolve this need.
If Unbound does the same thing to trace DNS, it’s sure that it will not work with port UDP 53 blocked.
So I have 2 solutions: ISP unblocks my port, and I use VPN.

DocFraggle

BisonOpiniatre If Unbound does the same thing to trace DNS

That’s exactly what I told you:

DocFraggle Unbound resolves DNS recursively beginning with the root hints. If you just use dig it will query a DNS server directly, you have to use dig +trace to simulate this behavior.

BisonOpiniatre

DocFraggle That the reason why test that. Because you told me. But I understood this just now.
😩

BisonOpiniatre

Forward-zone can be a solution? My ISP confirm that they will not unblock the port. Maybe I can use the the DNS of my domain provider.

BisonOpiniatre

So I decided to use a VPN. I used Gluetun container because it is maintained and supports a lot of VPN providers. I also decided to use ProtonVPN because it is possible to have a free account, perfect for my test.
I created a new service named gluten on docker-compose.override.yml like that:

services:
  gluetun:
    image: qmcgaw/gluetun
    #networks:
    #  - mailcow-network
    network_mode: "service:unbound-mailcow"
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=openvpn
      - OPENVPN_MSSFIX=1360
      - OPENVPN_FRAGMENT=1360
      - OPENVPN_USER=<OpenVPN user generated by Proton>
      - OPENVPN_PASSWORD=<OpenVPN password generated by Proton>
      - SERVER_COUNTRIES=canada
      - DNS_SERVER=off
      - FREE_ONLY=on

I was planning to use network_mode in the unbound-mailcow service to map on the Gluten container but it’s not possible to redefine network mode in the override file. So it’s Gluetun who uses the unbound mailbox net stack. On startup, Unbound will have some health check failures until Gluetun sets the VPN.

Now all DNS requests work fine, not unbound reboot because the watchdog sees too many failures. And now all mail services work fine.

Thanks for support.

« Previous Page