Postfix & RSPAMD latest Image possible issue with DNSBL resolver #5239

Closed
5 tasks done
itxworks opened this issue May 18, 2023 · 9 comments

@itxworks

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

Just recognized that all URI RBL checks have been failing for a couple of hours ...?
BAD_REP_POLICIES (2)
MIME_GOOD (-0.1) [text/plain]
BAYES_SPAM (0.073939) [59.83%]
IP_REPUTATION_HAM (-0.01) [asn: 34549(0.00), country: DE(-0.01), ip: 178.251.229.9(0.00)]
MX_GOOD (-0.01) []
FROM_EQ_ENVFROM (0)
SEM_URIBL_UNKNOWN_FAIL (0) [mailcow.email:server fail]
RCVD_COUNT_TWO (0) [2]
RCVD_IN_DNSWL_FAIL (0) [178.251.229.9:server fail]
RBL_VIRUSFREE_UNKNOWN_FAIL (0) [178.251.229.9:server fail]
TO_DN_NONE (0)
RBL_NIXSPAM_FAIL (0) [178.251.229.9:server fail]
PREVIOUSLY_DELIVERED (0) [abo@example.com]
RBL_SEM_FAIL (0) [178.251.229.9:server fail]
BLOCKLISTDE_FAIL (0) [178.251.229.9:server fail]
DWL_DNSWL_FAIL (0) [mailcow.email:server fail]
ASN (0) [asn:34549, ipnet:178.251.229.0/24, country:DE]
URIBL_MULTI_FAIL (0) [mailcow.email:server fail,mail.servercow.de:server fail]
MIME_TRACE (0) [0:+]
RSPAMD_URIBL_FAIL (0) [mailcow.email:server fail]
R_SPF_ALLOW (0) [+mx]
RBL_SENDERSCORE_FAIL (0) [178.251.229.9:server fail]
RBL_INTERSERVER_URI_FAIL (0) [mailcow.email:server fail]
SEM_URIBL_FRESH15_UNKNOWN_FAIL (0) [mailcow.email:server fail]
RCPT_MAILCOW_DOMAIN (0) [example.com]
ARC_SIGNED (0) [example.com:s=default:i=1]
RBL_INTERSERVER_IP_FAIL (0) [178.251.229.9:server fail]
MAILSPIKE_FAIL (0) [178.251.229.9:server fail]
R_DKIM_ALLOW (0) [mailcow.email:s=dkim]
BCC (0)
RCVD_TLS_ALL (0)
RBL_SORBS_FAIL (0) [178.251.229.9:server fail]
DMARC_DNSFAIL (0) [mailcow.email : server fail]
RCVD_VIA_SMTP_AUTH (0)
ARC_NA (0)
DKIM_TRACE (0) [mailcow.email:+]

Please check: https://community.mailcow.email/d/2480-rspam-rbl-checks-failing

Logs:

05/18/2023, 11:20:12 AM	warning	warning: dnsblog_query: lookup error for DNS query 165.65.75.106.ix.dnsbl.manitu.net: Host or domain name not found. Name service error for name=165.65.75.106.ix.dnsbl.manitu.net type=A: Host not found, try again
05/18/2023, 11:20:12 AM	warning	warning: dnsblog_query: lookup error for DNS query 165.65.75.106.hostkarma.junkemailfilter.com: Host or domain name not found. Name service error for name=165.65.75.106.hostkarma.junkemailfilter.com type=A: Host not found, try again
05/18/2023, 11:20:12 AM	warning	warning: dnsblog_query: lookup error for DNS query 165.65.75.106.backscatter.spameatingmonkey.net: Host or domain name not found. Name service error for name=165.65.75.106.backscatter.spameatingmonkey.net type=A: Host not found, try again
05/18/2023, 11:20:12 AM	warning	warning: dnsblog_query: lookup error for DNS query 165.65.75.106.bl.spameatingmonkey.net: Host or domain name not found. Name service error for name=165.65.75.106.bl.spameatingmonkey.net type=A: Host not found, try again

Steps to reproduce:

root@rspamd:/# dig 165.65.75.106.b.barracudacentral.org

; <<>> DiG 9.16.37-Debian <<>> 165.65.75.106.b.barracudacentral.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42910
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;165.65.75.106.b.barracudacentral.org. IN A

;; ANSWER SECTION:
165.65.75.106.b.barracudacentral.org. 679 IN A	127.0.0.2

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Thu May 18 11:23:52 CEST 2023
;; MSG SIZE  rcvd: 81

Which branch are you using?

nightly

Operating System:

Debian

Server/VM specifications:

8 GB / 4

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

Docker version 24.0.0, build 98fdcd7

docker-compose version or docker compose version:

v2.10.2

mailcow version:

2023-04b

Reverse proxy:

traefik

Logs of git diff:

diff --git a/data/conf/postfix/postscreen_access.cidr b/data/conf/postfix/postscreen_access.cidr
index 5509433b..f1cd9047 100644
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -86,7 +86,6 @@
 35.176.132.251 permit
 35.190.247.0/24        permit
 35.191.0.0/16  permit
-37.188.97.188  permit
 37.218.248.47  permit
 37.218.249.47  permit
 37.218.251.62  permit
@@ -628,7 +627,6 @@
 87.253.232.0/21        permit
 89.22.108.0/24 permit
 91.220.42.0/24 permit
-94.236.119.0/26        permit
 94.245.112.0/27        permit
 94.245.112.10/31       permit
 95.131.104.0/21        permit
@@ -1342,8 +1340,6 @@
 129.159.87.137 permit
 130.61.9.72    permit
 130.211.0.0/22 permit
-130.248.172.0/24       permit
-130.248.173.0/24       permit
 131.107.0.0/16 permit
 131.253.30.0/24        permit
 131.253.121.0/26       permit
@@ -1563,7 +1559,6 @@
 188.125.85.238 permit
 188.172.128.0/20       permit
 192.0.64.0/18  permit
-192.28.128.0/18        permit
 192.30.252.0/22        permit
 192.64.236.0/24        permit
 192.64.237.0/24        permit
@@ -1611,7 +1606,6 @@
 198.245.80.0/20        permit
 198.245.81.0/24        permit
 199.15.176.173 permit
-199.15.212.0/22        permit
 199.15.213.187 permit
 199.15.226.37  permit
 199.16.156.0/22        permit
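Review bot: In the last hunk, dropping `199.15.212.0/22` leaves only the single host `199.15.213.187` permitted from that range, since the host entry in the context lines sits inside the removed /22. If the aim was to stop allowlisting the whole block in postscreen, check whether the host entry should remain; if the /22 removal was not intended, restore it, because every other sender in 199.15.212.0 to 199.15.215.255 no longer matches a `permit` line in this file.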

Logs of iptables -L -vn:

iptables -L -vn
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 91263 packets, 3784K bytes)
 pkts bytes target     prot opt in     out     source               destination
18390 1467K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2852K  686M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1756  117K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
12392 1081K ACCEPT     all  --  *      *       10.0.1.0/24          0.0.0.0/0
    1    40 ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0
    8   460 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22 -m geoip --source-country AT,DE
  438 24987 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2    84 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6556

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
72321   22M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
67789   19M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
57220   14M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2398  153K DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
 3048 1120K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
 2306  148K ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
40736   12M ACCEPT     all  --  *      br-6680d7649422  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  236 14160 DOCKER     all  --  *      br-6680d7649422  0.0.0.0/0            0.0.0.0/0
  946 55250 ACCEPT     all  --  br-6680d7649422 !br-6680d7649422  0.0.0.0/0            0.0.0.0/0
  236 14160 ACCEPT     all  --  br-6680d7649422 br-6680d7649422  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-65f9b5601eb9  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-65f9b5601eb9  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-65f9b5601eb9 !br-65f9b5601eb9  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-65f9b5601eb9 br-65f9b5601eb9  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-105b626fcaca  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-105b626fcaca  0.0.0.0/0            0.0.0.0/0
  560 77728 ACCEPT     all  --  br-105b626fcaca !br-105b626fcaca  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-105b626fcaca br-105b626fcaca  0.0.0.0/0            0.0.0.0/0
 3331 1938K ACCEPT     all  --  *      br-9369e7a91959  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   32  1920 DOCKER     all  --  *      br-9369e7a91959  0.0.0.0/0            0.0.0.0/0
   52  6610 ACCEPT     all  --  br-9369e7a91959 !br-9369e7a91959  0.0.0.0/0            0.0.0.0/0
   32  1920 ACCEPT     all  --  br-9369e7a91959 br-9369e7a91959  0.0.0.0/0            0.0.0.0/0
2180K  603M ACCEPT     all  --  *      br-4a1d09c89252  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 195K   12M DOCKER     all  --  *      br-4a1d09c89252  0.0.0.0/0            0.0.0.0/0
1730K  735M ACCEPT     all  --  br-4a1d09c89252 !br-4a1d09c89252  0.0.0.0/0            0.0.0.0/0
 195K   12M ACCEPT     all  --  br-4a1d09c89252 br-4a1d09c89252  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3490K packets, 5045M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:8443
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:8080
   18  1080 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
   18  1080 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
   20  1200 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
   18  1080 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
   18  1080 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     tcp  --  !br-4a1d09c89252 br-4a1d09c89252  0.0.0.0/0            172.18.0.3           tcp dpt:443
    0     0 ACCEPT     tcp  --  !br-4a1d09c89252 br-4a1d09c89252  0.0.0.0/0            172.18.0.3           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3048 1120K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  946 55250 DOCKER-ISOLATION-STAGE-2  all  --  br-6680d7649422 !br-6680d7649422  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-65f9b5601eb9 !br-65f9b5601eb9  0.0.0.0/0            0.0.0.0/0
1730K  735M DOCKER-ISOLATION-STAGE-2  all  --  br-4a1d09c89252 !br-4a1d09c89252  0.0.0.0/0            0.0.0.0/0
  560 77728 DOCKER-ISOLATION-STAGE-2  all  --  br-105b626fcaca !br-105b626fcaca  0.0.0.0/0            0.0.0.0/0
   52  6610 DOCKER-ISOLATION-STAGE-2  all  --  br-9369e7a91959 !br-9369e7a91959  0.0.0.0/0            0.0.0.0/0
  19M 3412M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-6680d7649422  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-65f9b5601eb9  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-4a1d09c89252  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-105b626fcaca  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-9369e7a91959  0.0.0.0/0            0.0.0.0/0
1823K  746M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13   660 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 465,143,993,110,995,4190,80,443 -m geoip --source-country IR,EC,LT
1446K  297M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  717 37256 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL  LOG flags 0 level 4 prefix "[netfilter] "
  717 37256 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 -m geoip --source-country LT,IR  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 -m geoip --source-country LT,IR
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 -m geoip --source-country LT,IR  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 -m geoip --source-country LT,IR
    1    40 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL  LOG flags 0 level 4 prefix "[netfilter] "
    1    40 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 -m geoip --source-country LT,IR  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 -m geoip --source-country LT,IR
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 -m geoip --source-country LT,IR  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 -m geoip --source-country LT,IR
    1    40 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL  LOG flags 0 level 4 prefix "[netfilter] "
    1    40 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 -m geoip --source-country LT,IR  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 -m geoip --source-country LT,IR  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 -m geoip --source-country LT,IR
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 -m geoip --source-country RU,BR,CN,VN,IN,KR,PL
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 -m geoip --source-country LT,IR  LOG flags 0 level 4 prefix "[netfilter] "
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 -m geoip --source-country LT,IR
    0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4 prefix "[netfilter] "
 101K 6430K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
  275 15684 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
   66  3456 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 587,4190
   27  1336 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 110,995
  148  8452 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 143,993
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  19M 3412M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain L (0 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of ip6tables -L -vn:

ip6tables -L -vn
# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain INPUT (policy ACCEPT 2252K packets, 188M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
12720 9447K DOCKER-USER  all      *      *       ::/0                 ::/0
12720 9447K DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0
 7594 9077K ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 4454  304K DOCKER     all      *      br-mailcow  ::/0                 ::/0
  672 65825 ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0
 4454  304K ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0
    0     0 ACCEPT     all      *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 !docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 docker0  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 3341K packets, 12G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:587
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:4190
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:465
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:995
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::e  tcp dpt:25
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:993
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:143
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  672 65825 DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  all      docker0 !docker0  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-6680d7649422 !br-6680d7649422  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-65f9b5601eb9 !br-65f9b5601eb9  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-4a1d09c89252 !br-4a1d09c89252  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-105b626fcaca !br-105b626fcaca  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-9369e7a91959 !br-9369e7a91959  ::/0                 ::/0
1615K  909M RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0
    0     0 DROP       all      *      docker0  ::/0                 ::/0
    0     0 DROP       all      *      br-6680d7649422  ::/0                 ::/0
    0     0 DROP       all      *      br-65f9b5601eb9  ::/0                 ::/0
    0     0 DROP       all      *      br-4a1d09c89252  ::/0                 ::/0
    0     0 DROP       all      *      br-105b626fcaca  ::/0                 ::/0
    0     0 DROP       all      *      br-9369e7a91959  ::/0                 ::/0
 8264  892K RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
1615K  909M RETURN     all      *      *       ::/0                 ::/0

Logs of iptables -L -vn -t nat:

iptables -L -vn -t nat
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 785K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination
 130K 8491K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 21822 packets, 1639K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16027 packets, 1306K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 846K packets, 52M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2017  159K MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    5   300 MASQUERADE  all  --  *      !br-6680d7649422  172.28.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !br-65f9b5601eb9  172.29.0.0/16        0.0.0.0/0
   31  1860 MASQUERADE  all  --  *      !br-105b626fcaca  172.19.0.0/16        0.0.0.0/0
    4   240 MASQUERADE  all  --  *      !br-9369e7a91959  172.20.0.0/16        0.0.0.0/0
   19  1152 MASQUERADE  all  --  *      !br-4a1d09c89252  172.18.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.3           172.22.1.3           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.7           172.22.1.7           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.4           172.18.0.4           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.4           172.18.0.4           tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.10          172.22.1.10          tcp dpt:8443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.10          172.22.1.10          tcp dpt:8080
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.5           172.22.1.5           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.9           172.22.1.9           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.3           172.18.0.3           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.3           172.18.0.3           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-6680d7649422 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-65f9b5601eb9 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-4a1d09c89252 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-105b626fcaca *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-9369e7a91959 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.5:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.9:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8443 to:172.22.1.10:8443
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 to:172.22.1.10:8080
   22  1312 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
   21  1260 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
   11   612 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
   28  1672 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
   25  1516 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
   21  1260 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    4   176 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
   56  3464 DNAT       tcp  --  !br-4a1d09c89252 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.18.0.3:443
    0     0 DNAT       tcp  --  !br-4a1d09c89252 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.18.0.3:80

Logs of ip6tables -L -vn -t nat:

ip6tables -L -vn -t nat
# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain PREROUTING (policy ACCEPT 69023 packets, 5632K bytes)
 pkts bytes target     prot opt in     out     source               destination
  305 20178 DOCKER     all      *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 271 packets, 17562 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 37 packets, 3408 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all      *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 61225 packets, 4898K bytes)
 pkts bytes target     prot opt in     out     source               destination
  656 61731 MASQUERADE  all      *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0
    0     0 MASQUERADE  all      *      !docker0  fd00:dead:beef:c0::/80  ::/0
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:110
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:110

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all      br-mailcow *       ::/0                 ::/0
    0     0 RETURN     all      docker0 *       ::/0                 ::/0
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::e]:587
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::f]:4190
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::e]:465
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::f]:995
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::e]:25
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::f]:993
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::f]:143
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::f]:110

DNS check:

docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254
151.101.1.69
151.101.65.69
151.101.129.69
151.101.193.69
@itxworks itxworks added the bug label May 18, 2023
@itxworks
Author

Sorry, I cross-checked: it's the master, not the nightly branch.

@bundyland

This seems to be a problem related to the latest docker release 24.0.0.
A rollback to the previous docker version 23.0.6 has fixed all these RBL errors for me:

apt-cache policy docker-ce
apt-cache policy docker-ce-cli
apt-cache policy docker-ce-rootless-extras
apt install docker-ce=5:23.0.6-1 docker-ce-cli=5:23.0.6-1 docker-ce-rootless-extras=5:23.0.6-1

If you do automatic upgrades (like I do), you should run the following command as well to prevent the upgrade from happening again:

apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras

Good luck!

@itxworks
Author

In my opinion, a downgrade should only be a temp. fix ...

@MAGICCC
Member

MAGICCC commented May 19, 2023

I found some issues on the docker/moby side about some DNS issues indeed. So it seems to be an upstream issue.

@v0tti

v0tti commented May 19, 2023

I can also report DNS issues with docker 24.0.0. Downgrade to 23.0.6 seems to fix it.

@itxworks itxworks changed the title Postfix & RSPAMD latest Image possible issue mit DNSBL resolver Postfix & RSPAMD latest Image possible issue with DNSBL resolver May 19, 2023
@MAGICCC
Member

MAGICCC commented May 19, 2023

Seems to be moby/moby#45565, waiting for Docker 24.x then

@MAGICCC
Member

MAGICCC commented May 20, 2023

@itxworks, @jrust-ES, @v0tti Can you try to update your Docker via package manager and see if the issue has been resolved?

@ElectroLutz

ElectroLutz commented May 20, 2023

I've upgraded to 24.0.1, but the "server fail" persisted.

Edit: after testing it again (because @jrust-ES said it worked) it really worked.

@bundyland

> @itxworks, @jrust-ES, @v0tti Can you try to update your Docker via package manager and see if the issue has been resolved?

Hi Peter, it's looking good now. After upgrading no more error messages. Thanks a lot.
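
A way to confirm the same result from a saved symbol listing, added here as an example that is not part of the original thread: it scans rspamd symbols in the form pasted in the issue description and reports every RBL/URIBL lookup that ended in "server fail". The function names and the sample input are assumptions made for this example; the sample lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example, not mailcow or rspamd code. Input format as pasted in the
# issue description: NAME (score) [key:reason,key:reason]

# Constructed sample modelled on the report (documentation addresses only).
sample_symbols() {
cat <<'EOF'
MIME_GOOD (-0.1) [text/plain]
RCVD_IN_DNSWL_FAIL (0) [192.0.2.9:server fail]
RBL_SEM_FAIL (0) [192.0.2.9:server fail]
URIBL_MULTI_FAIL (0) [example.org:server fail,mail.example.net:server fail]
ASN (0) [asn:64500, ipnet:192.0.2.0/24, country:ZZ]
FROM_EQ_ENVFROM (0)
EOF
}

# Print "SYMBOL key" for every lookup whose reason is "server fail".
failed_lookups() {
  awk '
    $1 ~ /_FAIL$/ && match($0, /\[.*\]/) {
      # Options sit between the brackets, one "key:reason" per comma.
      opts = substr($0, RSTART + 1, RLENGTH - 2)
      n = split(opts, item, ",")
      for (i = 1; i <= n; i++) {
        if (item[i] ~ /:server fail$/) {
          key = item[i]
          # Strip only the trailing reason so IPv6 keys keep their colons.
          sub(/:server fail$/, "", key)
          print $1, key
        }
      }
    }'
}

# Summarise the failures; exit status 1 when any lookup failed, so the
# function can gate a monitoring check or a post-upgrade test.
rbl_health() {
  failed_lookups | awk '
    { n++; if (!($1 in seen)) { seen[$1] = 1; s++ } }
    END { printf "failed_lookups=%d symbols=%d\n", n, s; exit (n > 0) }'
}

# Stand-alone run on the constructed sample.
sample_symbols | rbl_health || echo "RBL lookups are failing: check the resolver"
```

Each `*_FAIL` symbol in the report carries a score of 0, so a resolver outage like this one does not reject mail; it only removes the blocklist signal, which is why it is worth alerting on explicitly.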
