Too many SPAM false positives

tyarmas

I am having a tough time getting rspamd-mailcow to not flag good mail as spam and putting it in the junk folder.
I have many emails going to junk when they should not. Even when I move those messages to my inbox, future emails still get flagged as spam. I even have white listed those senders and yet the emails still get rejected or put into the junk folder.
Some of these emails are from my bank, for instance, so they really should not be labeled as junk.

Here is a log snippet from one example of an email where I have whitelisted the sender but still it is flagged:
Score
[ 27.66 / 40 ]
Symbols
DMARC_POLICY_REJECT (16) [sliceglobal.com : No valid SPF, reject]
R_SPF_FAIL (8) [-all]
R_DKIM_REJECT (8) [sliceglobal.com:s=s1]
FORGED_W_BAD_POLICY (3)
URIBL_GREY (2.5) [sendgrid.net:url]
SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE (1)
MID_RHS_NOT_FQDN (0.5)
MV_CASE (0.5)
MIME_HTML_ONLY (0.2)
BAYES_HAM (-5.178923) [99.25%]
LOCAL_FUZZY_WHITE (-4.719406) [13:30f6169004:0.90:txt]
IP_REPUTATION_HAM (-1.033108) [asn: 398019(-0.39), country: US(-0.01), ip: 72.51.58.38(-0.64)]
I had this email sent again and the second time it did not reject it but did but it in the junk folder. In the log it lsted the Action as “Add header” instead of “Reject”

Not sure what to look for to resolve these types of false positives. I thought moving said emails to the inbox or whitelisting them would prevent these actions.

Any insight is appreciated.

DocFraggle

tyarmas DMARC_POLICY_REJECT (16) [sliceglobal.com : No valid SPF, reject]
R_SPF_FAIL (8) [-all]
R_DKIM_REJECT (8) [sliceglobal.com:s=s1]
FORGED_W_BAD_POLICY (3)
URIBL_GREY (2.5) [sendgrid.net:url]

This looks like the sender really f*cked up their mailserver config… do you really trust them?

Then go to System -> Configuration -> Global filter maps

Check the box at “I will be careful!” and head over to “Header-From: Allowlist”

Add the domain like

/.+sliceglobal\.com/i

Click “Validate” and then “Save changes”

tyarmas

DocFraggle

Still having issues with rspamd flagging emails it should not. I am not sure why things are going this way and am wondering why I would need to edit the Global filter maps. Why is whitelisting the domains or he sender enough?

[unknown]

And for that matter, I thought moving messages from the junk folder to the inbox would allow rspamd to learn and no longer mark those as spam. Am I wrong?

tyarmas

Thanks very much for the reply. Yes I do trust them, but do not have a way to make them change their config 😉 Ironically, this is their way of doing 2FA and they do not have other options.

I did see a post about doing ht you suggest, but I am wondering why the white listing and/or moving to the inbox does not change behavior. Am I missing something? Bug?

tyarmas

I looked into it a bit more and according to mxtoolbox.com and a dns query, this domain has a valid SPF record. So not sure why RSPAMD is not seeing it.

DocFraggle

Are you running mailcow at home with some kind of reverse proxy?

tyarmas

no, it is hosted at a cloud provider

tyarmas

seeing this on too many domains. Symbols
R_SPF_FAIL (8) [-all]
R_DKIM_REJECT (8) [alignedortho.com:s=selector-1653576630, aro365532573.onmicrosoft.com:s=selector2-aro365532573-onmicrosoft-com]
DMARC_POLICY_QUARANTINE (8) [alignedortho.com : No valid SPF, quarantine]
EMPTY_SUBJECT (1)
FROM_NAME_EXCESS_SPACE (1)
ARC_REJECT (0.1) [signature check failed: fail, {[1] = sig:microsoft.com:reject}]
BAYES_HAM (-1.707842) [86.39%]

But that domain does have valid SPF records.

and again, mxtoolbox.com shows no errors or warnings for mail server

DocFraggle

Ok, there’s definitely something off with your mailcow setup… anything special? Is unbound working at all? Errors in the logs anywhere?

tyarmas

unbound is working, but I do see some errors in the log.
sudo docker logs -f mailcowdockerized-unbound-mailcow-1
Setting console permissions…
Receiving anchor key…
Receiving root hints…
######################################################################## 100.0%
setup in directory /etc/unbound
Certificate request self-signature ok
subject=CN=unbound-control
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use
2026-03-06 17:58:36,920 INFO Set uid to user 0 succeeded
2026-03-06 17:58:36,928 INFO supervisord started with pid 1
2026-03-06 17:58:37,934 INFO spawned: ‘processes’ with pid 23
2026-03-06 17:58:37,946 INFO spawned: ‘syslog-ng’ with pid 24
2026-03-06 17:58:37,958 INFO spawned: ‘unbound’ with pid 25
2026-03-06 17:58:37,986 INFO spawned: ‘unbound-healthcheck’ with pid 26
[1772837918] unbound[25:0] notice: init module 0: subnetcache
[1772837918] unbound[25:0] notice: init module 1: validator
[1772837918] unbound[25:0] notice: init module 2: iterator
Mar 6 17:58:38 e0b783a88285 syslog-ng[24]: syslog-ng starting up; version=‘4.8.1’
[1772837918] unbound[25:0] info: start of service (unbound 1.22.0).
2026-03-06 17:58:39,101 INFO success: processes entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2026-03-06 17:58:39,102 INFO success: syslog-ng entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2026-03-06 17:58:39,102 INFO success: unbound entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2026-03-06 17:58:39,102 INFO success: unbound-healthcheck entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
[1772837919] unbound[25:0] info: generate keytag query _ta-4f66-9728. NULL IN
2026-03-06 18:37:36: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again…
2026-03-06 18:47:20: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again…
2026-03-06 18:58:56: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again…
[1772878076] unbound[25:0] info: generate keytag query _ta-4f66-9728. NULL IN
2026-03-07 09:05:07: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again…
2026-03-07 10:01:01: Healthcheck: Failed to ping 9.9.9.9 on attempt 1. Trying again…

However when I attach to th container and try ping or dig on those, I do not get errors

DocFraggle

Which is your VPS provider? Any other firewall than the mailcow firewall in place?

tyarmas

dynu.com is VOS provider. No other firewalls as far as I know

playing around with dig and ping commands in rspamd vs unbound containers, I see some ping and dig failures in rspamd but not unbound. seems intermittent

tyarmas

well, I will continue to watch this but am confused.
got an email from sliceglobal.com and rspamd did a soft reject:
Score
[ 27.40 / 40 ]
Symbols
DMARC_POLICY_REJECT (16) [sliceglobal.com : No valid SPF, reject]
R_SPF_FAIL (8) [-all]
R_DKIM_REJECT (8) [sliceglobal.com:s=s1]
FORGED_W_BAD_POLICY (3)
URIBL_GREY (2.5) [sendgrid.net:url]
SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE (1)
MV_CASE (0.5)
MID_RHS_NOT_FQDN (0.5)
MIME_HTML_ONLY (0.2)
BAYES_HAM (-5.341788) [99.63%]
LOCAL_FUZZY_WHITE (-4.719406) [13:55ef3e5083:0.90:txt]
IP_REPUTATION_HAM (-1.12438) [asn: 398019(-0.39), country: US(-0.01), ip: 72.51.58.38(-0.73)]
RBL_SENDERSCORE_REPUT_9 (-1) [72.51.58.38:from]
MIME_GOOD (-0.1) [multipart/alternative]
MX_GOOD (-0.01) []
TO_DN_NONE (0)
FORGED_SENDER (0) [no-reply@sliceglobal.com, bounces@em7562.sliceglobal.com]
TO_MATCH_ENVRCPT_ALL (0)
RCVD_TLS_LAST (0)
MAILCOW_WHITE_EXCLUDE (0)
DKIM_TRACE (0) [sliceglobal.com:-]
ALIAS_RESOLVED (0)
TAGGED_FROM (0) [36365625-1a50-tom=yarmas.com]
GREYLIST (0) [greylisted, Mon, 09 Mar 2026 18:32:09 GMT, new record]
ASN (0) [asn:398019, ipnet:72.51.58.0/24, country:US]
MISSING_XM_UA (0)
FROM_HAS_DN (0)
REDIRECTOR_URL (0) [sendgrid.net]
FROM_NEQ_ENVFROM (0) [no-reply@sliceglobal.com, bounces@em7562.sliceglobal.com]
RCVD_COUNT_THREE (0) [3]
CLAM_VIRUS_FAIL (0) [failed to scan and retransmits exceed]
RCPT_MAILCOW_DOMAIN (0) [yarmas.com]
RCPT_COUNT_ONE (0) [1]
MIME_TRACE (0) [0:+, 1:~, 2:~]
ARC_NA (0)
ARC_SIGNED (0) [yarmas.com:s=dkim:i=1]

I also tried a dig command on that domain in the rspamd container and it reports a valid SPF record.
Then, as should be the case, the sender retried and rspamd has no issues with it and delivered it to my inbox. I will note that rspamd has never delivered an email from this domain to my inbox. It has always been put in the junk folder.
Score
[ 0.00 / 40 ]
Symbols
Msg size
18571
Scan Time
0.042
ID
acdQUU-wQnWAwd8IuazrQg@geopod-ismtpd-22
Authenticated user
unknown

Well, AI is teaching me something. I asked Perplexity and the analysis says it is not a mailcow problem, but the senders configuration:
DMARC failure, not SPF or unbound. Your symbols show DMARC_POLICY_REJECT (16) sliceglobal.com : No valid SPF, reject + R_SPF_FAIL (8) -all , meaning the sender failed both SPF alignment and sliceglobal.com’s DMARC policy demands rejection.
What happened
• SPF record exists and rspamadm dnstool parsed it fine (all “pass” networks).
• But the sender’s IP 72.51.58.38 was not in any of those SPF-allowed networks, so Rspamd scored R_SPF_FAIL .
• sliceglobal.com has DMARC p=reject , so DMARC check failed → DMARC_POLICY_REJECT (16 points) .
• Total score exceeded reject threshold → soft reject (temporary 4xx response).
• Sender retried → accepted second time (likely greylisted, as shown by GREYLIST (0) symbol).
Why second delivery worked
Soft reject + greylisting = standard MTA retry behavior. Legitimate senders automatically retry after ₅-30 minutes.
Root cause: sender misconfiguration
• no-reply@sliceglobal.com sent from IP 72.51.58.38 (ASN 398019).
• That IP isn’t authorized in sliceglobal.com’s SPF record.
• Their DKIM also failed ( R_DKIM_REJECT (8) sliceglobal.com:s=s1 ).
• This is their problem (wrong sending IP/server), not yours.

Thanks @[deleted] for your time.

DocFraggle

tyarmas No, I think your unbound problems are the issue here… Postfix and Rspamd try to query the records but don’t get an answer due to (maybe) firewall problems… does your VPS provider use a firewall? Hetzner is my provider, and I had to allow extra ports for unbound to work with the Hetzner firewall, maybe it’s the same case with your provider.

tyarmas

I don’t see anything like that at dynu.com and I am sure the ufw firewall in Ubuntu is disabled.

DocFraggle

What’s the output of

dig +trace google.com

from inside the unbound container?

tyarmas

sudo docker compose exec unbound-mailcow bash
e0b783a88285:/# dig +trace google.com

; <<>> DiG 9.18.34 <<>> +trace google.com
;; global options: +cmd
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; Received 239 bytes from 127.0.0.11#53(127.0.0.11) in 28 ms

com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 20260322170000 20260309160000 21831 . NeNFN09DAaC1BnFeC0jU0wBT8SYh2avfxlfz5pE705cDeEg/1f29Ml7V gK0AKPgoj6Btrll/SvbftaV5jG7i8WX0Xacma2XTq3e4U1NqiFFyNJfp Cf4clt/dTXZTXVjFrbST4Cxa3TetCPuVi7tupnwOpRsrgowypRgnFJX1 Ns+oiR+HC+wxo1I+YPGOHwYsrowi7cxjlIXvkgHlg756wvqoMYS/4ttl CkVMR2ppJ7d5×5hC8JBD9H1bTPAIibSwy9hSARsF1nEui1B6sqeqT62R sSkC9lLciDTnD3Dalt0S4eFtESikcnOyrtyAW1oqYHv/0Dez+L3fblTZ 8qmsrw==
;; Received 1198 bytes from 192.36.148.17#53(i.root-servers.net) in 66 ms

google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20260315002635 20260307231635 35511 com. nn8qpgMVJ4BbD5Q2kQpWZjZw7RY9CuVwvwIUQCJalgcRypa/CeLaUgPO 37clgMfFM3KBqLGlPty+e4dsQb1BEg==
S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN NSEC3 1 1 0 - S84BR9CIB2A20L3ETR1M2415ENPP99L8 NS DS RRSIG
S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN RRSIG NSEC3 13 2 900 20260316012358 20260309001358 35511 com. QbC+taeOzxStQwLDJJs87Fnbx+E8lk2QuSATDuVM6C6b45NGBFZqVTYL tIaMYemSVfaKg98RVuR2sm+geKttCA==
;; Received 644 bytes from 2001:500:856e::30#53(d.gtld-servers.net) in 55 ms

google.com. 300 IN A 142.251.181.138
google.com. 300 IN A 142.251.181.113
google.com. 300 IN A 142.251.181.101
google.com. 300 IN A 142.251.181.139
google.com. 300 IN A 142.251.181.100
google.com. 300 IN A 142.251.181.102
;; Received 135 bytes from 216.239.38.10#53(ns4.google.com) in 59 ms

And from rspamd container:
sudo docker compose exec rspamd-mailcow bash
root@rspamd:/# dig +trace google.com

; <<>> DiG 9.20.15-1_deb13u1-Debian <<>> +trace google.com
;; global options: +cmd
. 78621 IN NS a.root-servers.net.
. 78621 IN NS b.root-servers.net.
. 78621 IN NS c.root-servers.net.
. 78621 IN NS d.root-servers.net.
. 78621 IN NS e.root-servers.net.
. 78621 IN NS f.root-servers.net.
. 78621 IN NS g.root-servers.net.
. 78621 IN NS h.root-servers.net.
. 78621 IN NS i.root-servers.net.
. 78621 IN NS j.root-servers.net.
. 78621 IN NS k.root-servers.net.
. 78621 IN NS l.root-servers.net.
. 78621 IN NS m.root-servers.net.
. 78621 IN RRSIG NS 8 0 518400 20260322170000 20260309160000 21831 . LUN5+PYsGmm1re0RgKKFu22G3yC2zN56Bx2M7QPCW0rKhF3eHGygxy8f IgGxiYuQMr2A+4YgIPG92TCwB0SrQlHAIqszPoRBJknCWjyir44ZsQYs KjKsSjlbNikv3jQMtfxUnU+uUMqe/4toMzhwwNJsruXRZgoH8CgrRy1T eqlHjpvzXVw+8gPwazuMG66JCwZmT159dPc7v8yMqHu8GlQcrdv0RtSM 9tSi9bY2IMgdLhNNrqNQnHjUnd5Xm5pJOlQgwl9S+0H+y1b+y7VEiafh ojF0u2i8j0vaiwAPNPMOaQ2OARVFMkIH0GVm1P5LcQnQNhnwSH6cHK1C e4dalQ==
;; Received 525 bytes from 127.0.0.11#53(127.0.0.11) in 3 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 20260322170000 20260309160000 21831 . NeNFN09DAaC1BnFeC0jU0wBT8SYh2avfxlfz5pE705cDeEg/1f29Ml7V gK0AKPgoj6Btrll/SvbftaV5jG7i8WX0Xacma2XTq3e4U1NqiFFyNJfp Cf4clt/dTXZTXVjFrbST4Cxa3TetCPuVi7tupnwOpRsrgowypRgnFJX1 Ns+oiR+HC+wxo1I+YPGOHwYsrowi7cxjlIXvkgHlg756wvqoMYS/4ttl CkVMR2ppJ7d5×5hC8JBD9H1bTPAIibSwy9hSARsF1nEui1B6sqeqT62R sSkC9lLciDTnD3Dalt0S4eFtESikcnOyrtyAW1oqYHv/0Dez+L3fblTZ 8qmsrw==
;; Received 1170 bytes from 198.97.190.53#53(h.root-servers.net) in 61 ms

google.com. 300 IN A 142.251.181.138
google.com. 300 IN A 142.251.181.113
google.com. 300 IN A 142.251.181.100
google.com. 300 IN A 142.251.181.139
google.com. 300 IN A 142.251.181.102
google.com. 300 IN A 142.251.181.101
;; Received 135 bytes from 216.239.34.10#53(ns2.google.com) in 11 ms

DocFraggle

dig looks good so far

tyarmas sudo

May I ask if you are starting your stack with sudo, too? This could lead to problems as well. As stated in the docs, always control the mailcow stack directly as root user

tyarmas

yes, I use sudo.

DocFraggle

tyarmas OK, so stop and start the stack as root

sudo su -
cd /opt/mailcow-dockerized
docker compose down
docker compose up -d

and check if DNS resolution works.

Also, just to make sure, paste the output of these 4 commands:

  iptables -n -L
  iptables -n -L -t nat
  ip6tables -n -L
  ip6tables -n -L -t nat

tyarmas

iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW 0 – 0.0.0.0/0 0.0.0.0/0 /* mailcow */
DOCKER-USER 0 – 0.0.0.0/0 0.0.0.0/0
DOCKER-FORWARD 0 – 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT 6 – 0.0.0.0/0 172.22.1.12 tcp dpt:443
ACCEPT 6 – 0.0.0.0/0 172.22.1.12 tcp dpt:80
ACCEPT 6 – 0.0.0.0/0 172.22.1.253 tcp dpt:587
ACCEPT 6 – 0.0.0.0/0 172.22.1.253 tcp dpt:465
ACCEPT 6 – 0.0.0.0/0 172.22.1.253 tcp dpt:25
ACCEPT 6 – 0.0.0.0/0 172.22.1.250 tcp dpt:12345
ACCEPT 6 – 0.0.0.0/0 172.22.1.250 tcp dpt:4190
ACCEPT 6 – 0.0.0.0/0 172.22.1.250 tcp dpt:995
ACCEPT 6 – 0.0.0.0/0 172.22.1.250 tcp dpt:993
ACCEPT 6 – 0.0.0.0/0 172.22.1.250 tcp dpt:143
ACCEPT 6 – 0.0.0.0/0 172.22.1.250 tcp dpt:110
ACCEPT 6 – 0.0.0.0/0 172.22.1.6 tcp dpt:3306
ACCEPT 6 – 0.0.0.0/0 172.22.1.249 tcp dpt:6379
DROP 0 – 0.0.0.0/0 0.0.0.0/0
DROP 0 – 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-BRIDGE (1 references)
target prot opt source destination
DOCKER 0 – 0.0.0.0/0 0.0.0.0/0
DOCKER 0 – 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-CT (1 references)
target prot opt source destination
ACCEPT 0 – 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT 0 – 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target prot opt source destination
DOCKER-CT 0 – 0.0.0.0/0 0.0.0.0/0
DOCKER-INTERNAL 0 – 0.0.0.0/0 0.0.0.0/0
DOCKER-BRIDGE 0 – 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 – 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 – 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-INTERNAL (1 references)
target prot opt source destination

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN 0 – 0.0.0.0/0 0.0.0.0/0

Chain MAILCOW (1 references)
target prot opt source destination
DROP 0 – 87.120.93.10 0.0.0.0/0
DROP 0 – 87.120.93.11 0.0.0.0/0
DROP 6 – 0.0.0.0/0 0.0.0.0/0 /* mailcow isolation */
root@mailcow:~# iptables -n -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER 0 – 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER 0 – 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 – 172.22.1.0/24 0.0.0.0/0
MASQUERADE 0 – 172.17.0.0/16 0.0.0.0/0

Chain DOCKER (2 references)
target prot opt source destination
DNAT 6 – 0.0.0.0/0 127.0.0.1 tcp dpt:7654 to:172.22.1.249:6379
DNAT 6 – 0.0.0.0/0 127.0.0.1 tcp dpt:13306 to:172.22.1.6:3306
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 to:172.22.1.250:110
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 to:172.22.1.250:143
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 to:172.22.1.250:993
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 to:172.22.1.250:995
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 to:172.22.1.250:4190
DNAT 6 – 0.0.0.0/0 127.0.0.1 tcp dpt:19991 to:172.22.1.250:12345
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:172.22.1.253:25
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 to:172.22.1.253:465
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 to:172.22.1.253:587
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.22.1.12:80
DNAT 6 – 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.22.1.12:443
root@mailcow:~# ip6tables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW 0 – ::/0 ::/0 /* mailcow */
DOCKER-USER 0 – ::/0 ::/0
DOCKER-FORWARD 0 – ::/0 ::/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::11 tcp dpt:443
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::11 tcp dpt:80
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::10 tcp dpt:587
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::10 tcp dpt:465
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::10 tcp dpt:25
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::b tcp dpt:4190
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::b tcp dpt:995
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::b tcp dpt:993
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::b tcp dpt:143
ACCEPT 6 – ::/0 fd4d:6169:6c63:6f77::b tcp dpt:110
DROP 0 – ::/0 ::/0
DROP 0 – ::/0 ::/0

Chain DOCKER-BRIDGE (1 references)
target prot opt source destination
DOCKER 0 – ::/0 ::/0
DOCKER 0 – ::/0 ::/0

Chain DOCKER-CT (1 references)
target prot opt source destination
ACCEPT 0 – ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT 0 – ::/0 ::/0 ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target prot opt source destination
DOCKER-CT 0 – ::/0 ::/0
DOCKER-INTERNAL 0 – ::/0 ::/0
DOCKER-BRIDGE 0 – ::/0 ::/0
ACCEPT 0 – ::/0 ::/0
ACCEPT 0 – ::/0 ::/0

Chain DOCKER-INTERNAL (1 references)
target prot opt source destination

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN 0 – ::/0 ::/0

Chain MAILCOW (1 references)
target prot opt source destination
root@mailcow:~# ip6tables -n -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER 0 – ::/0 ::/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER 0 – ::/0 !::1 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 – fd4d:6169:6c63:6f77::/64 ::/0
MASQUERADE 0 – fd00:dead:beef:c0::/80 ::/0
MASQUERADE 0 – ::/0 ::/0 ADDRTYPE match dst-type LOCAL
MASQUERADE 0 – ::/0 ::/0 ADDRTYPE match dst-type LOCAL
MASQUERADE 6 – fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:110
MASQUERADE 6 – fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:25
MASQUERADE 6 – fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:143
MASQUERADE 6 – fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:80
MASQUERADE 6 – fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:465
MASQUERADE 6 – fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:993
MASQUERADE 6 – fd4d:6169:6c63:6f77::12 fd4d:6169:6c63:6f77::12 tcp dpt:443
MASQUERADE 6 – fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:587
MASQUERADE 6 – fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:995
MASQUERADE 6 – fd4d:6169:6c63:6f77::c fd4d:6169:6c63:6f77::c tcp dpt:4190

Chain DOCKER (2 references)
target prot opt source destination
DNAT 6 – !fe80::/10 ::/0 tcp dpt:110 to:[fd4d:6169:6c63:6f77::b]:110
DNAT 6 – !fe80::/10 ::/0 tcp dpt:143 to:[fd4d:6169:6c63:6f77::b]:143
DNAT 6 – !fe80::/10 ::/0 tcp dpt:993 to:[fd4d:6169:6c63:6f77::b]:993
DNAT 6 – !fe80::/10 ::/0 tcp dpt:995 to:[fd4d:6169:6c63:6f77::b]:995
DNAT 6 – !fe80::/10 ::/0 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::b]:4190
DNAT 6 – !fe80::/10 ::/0 tcp dpt:25 to:[fd4d:6169:6c63:6f77::10]:25
DNAT 6 – !fe80::/10 ::/0 tcp dpt:465 to:[fd4d:6169:6c63:6f77::10]:465
DNAT 6 – !fe80::/10 ::/0 tcp dpt:587 to:[fd4d:6169:6c63:6f77::10]:587
DNAT 6 – !fe80::/10 ::/0 tcp dpt:80 to:[fd4d:6169:6c63:6f77::11]:80
DNAT 6 – !fe80::/10 ::/0 tcp dpt:443 to:[fd4d:6169:6c63:6f77::11]:443