
Default nextcloud mail config clashes with opportunistic TLS and certificates. #5298

Closed
5 tasks done
krono opened this issue Jun 26, 2023 · 3 comments

@krono

krono commented Jun 26, 2023

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

Using the default install, Nextcloud 26 can no longer use mailcow for internal mails.

Trying to send mail results in a TLS certificate error.

Details:

Nextcloud side:

  • Since version 26, Nextcloud uses symfony/mailer to deliver mail.

  • Symfony mailer seems to use STARTTLS opportunistically, whenever the server advertises it, regardless of what is chosen as encryption in the Nextcloud config UI.

  • Symfony mailer treats any TLS-error as fatal, so any certificate error will result in mails not sent.

Integration script side:

  • Since its inception, the nextcloud helper script uses the following mail settings to integrate with mailcow:
    • Mode smtp (as opposed to sendmail)
    • domain as ${MAILCOW_HOSTNAME}
    • smtphost as postfix
    • smtpport as 588

Postfix side:

  • Port 588 is apparently designated for SOGo and allows internal mails from within the mailcow docker setup.

Error indication:

Since Nextcloud tries to connect to `postfix`, but the cert presented does not have that bare name in its SANs, Symfony errors and mails cannot be sent:

Unable to connect with STARTTLS: stream_socket_enable_crypto(): Peer certificate CN=`[REDACTED HOSTNAME]' did not match expected CN=`postfix'

Possible workaround (not yet tried):

  • disable TLS altogether on 588 (does SOGo need it?)
  • use ${MAILCOW_HOSTNAME} instead of postfix (but this forfeits the usefulness of the internal network)
  • create a new postfix service with dedicated port and NO TLS for services like nextcloud

Logs:

{"reqId":"4oVRMJM8ndqQMsQ0tTil","level":0,"time":"2023-06-26T07:11:18+00:00","remoteAddr":"[REDACTED IP]","user":"admin","app":"no app in context","method":"POST","url":"/index.phpadmin/mailtest","message":"Email transport \"Symfony\\Component\\Mailer\\Transport\\Smtp\\SmtpTransport\" starting","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:109.0) Gecko/20100101 Firefox/114.0","version":"26.0.3.2","data":[]}
{"reqId":"4oVRMJM8ndqQMsQ0tTil","level":0,"time":"2023-06-26T07:11:18+00:00","remoteAddr":"[REDACTED IP]","user":"admin","app":"core","method":"POST","url":"/index.phpadmin/mailtest","message":"Sending mail to \"Array\n(\n    [tobias@netshed.de] => admin\n)\n\" with subject \"Test der E-Mail-Einstellungen\" failed","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:109.0) Gecko/20100101 Firefox/114.0","version":"26.0.3.2","exception":{"Exception":"Symfony\\Component\\Mailer\\Exception\\TransportException","Message":"Unable to connect with STARTTLS: stream_socket_enable_crypto(): Peer certificate CN=`[REDACTED HOSTNAME]' did not match expected CN=`postfix'","Code":0,"Trace":[{"function":"Symfony\\Component\\Mailer\\Transport\\Smtp\\Stream\\{closure}","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\Stream\\SocketStream","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/web/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/Stream/SocketStream.php","line":174,"function":"stream_socket_enable_crypto","args":[null,true]},{"file":"/web/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/EsmtpTransport.php","line":115,"function":"startTLS","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\Stream\\SocketStream","type":"->","args":[]},{"file":"/web/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/SmtpTransport.php","line":253,"function":"doHeloCommand","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\EsmtpTransport","type":"->","args":[]},{"file":"/web/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/SmtpTransport.php","line":194,"function":"start","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\SmtpTransport","type":"->","args":[]},{"file":"/web/nextcloud/3rdparty/symfony/mailer/Transport/AbstractTransport.php","line":72,"function":"doSend","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\SmtpTransport","type":"->","args":[["Symfony\\Component\\Mailer\\SentMessage"]]},{"file":"/web/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/SmtpTransport.php","line":136,"function":"send","class":"Symfony\\Component\\Mailer\\Transport\\AbstractTransport","type":"->","args":[["Symfony\\Component\\Mailer\\SentMessage"],["Symfony\\Component\\Mailer\\DelayedEnvelope"]]},{"file":"/web/nextcloud/3rdparty/symfony/mailer/Mailer.php","line":45,"function":"send","class":"Symfony\\Component\\Mailer\\Transport\\Smtp\\SmtpTransport","type":"->","args":[["Symfony\\Component\\Mime\\Email"],null]},{"file":"/web/nextcloud/lib/private/Mail/Mailer.php","line":217,"function":"send","class":"Symfony\\Component\\Mailer\\Mailer","type":"->","args":[["Symfony\\Component\\Mime\\Email"]]},{"file":"/web/nextcloud/apps/settings/lib/Controller/MailSettingsController.php","line":168,"function":"send","class":"OC\\Mail\\Mailer","type":"->","args":[["OC\\Mail\\Message"]]},{"file":"/web/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"sendTestMail","class":"OCA\\Settings\\Controller\\MailSettingsController","type":"->","args":[]},{"file":"/web/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Settings\\Controller\\MailSettingsController"],"sendTestMail"]},{"file":"/web/nextcloud/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\Settings\\Controller\\MailSettingsController"],"sendTestMail"]},{"file":"/web/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\Settings\\Controller\\MailSettingsController","sendTestMail",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["settings.MailSettings.sendTestMail"]]},{"file":"/web/nextcloud/lib/base.php","line":1060,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/settings/admin/mailtest"]},{"file":"/web/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/web/nextcloud/3rdparty/symfony/mailer/Transport/Smtp/Stream/SocketStream.php","Line":171,"message":"Sending mail to \"Array\n(\n    [tobias@netshed.de] => admin\n)\n\" with subject \"Test der E-Mail-Einstellungen\" failed","exception":{},"CustomMessage":"Sending mail to \"Array\n(\n    [[REDACTED EMAIL]] => admin\n)\n\" with subject \"Test der E-Mail-Einstellungen\" failed"}}

Steps to reproduce:

1. Install Nextcloud via the script with defaults.
2. Try to send a test email via the backend.
3. Receive an error akin to "Beim Senden der E-Mail ist ein Problem aufgetreten. Bitte überprüfe deine Einstellungen. (Fehler: E-Mail konnte nicht versandt werden. Prüfe dein E-Mail-Server-Protokoll)"

Which branch are you using?

master

Operating System:

Debian GNU/Linux 11 (bullseye)

Server/VM specifications:

12 GB RAM, 10 cores

Is Apparmor, SELinux or similar active?

yes, apparmor

Virtualization technology:

KVM

Docker version:

24.0.2

docker-compose version or docker compose version:

v2.18.1

mailcow version:

2023-05a

Reverse proxy:

mailcow default (nginx)

Logs of git diff:

diff --git a/data/conf/phpfpm/php-fpm.d/pools.conf b/data/conf/phpfpm/php-fpm.d/pools.conf
index 605e686c..71b4c88f 100644
--- a/data/conf/phpfpm/php-fpm.d/pools.conf
+++ b/data/conf/phpfpm/php-fpm.d/pools.conf
@@ -11,7 +11,8 @@ access.log = /proc/self/fd/2
 clear_env = no
 catch_workers_output = yes
 php_admin_value[memory_limit] = 256M
-php_admin_value[disable_functions] = show_source, highlight_file, apache_child_terminate, apache_get_modules, apache_note, apache_setenv, virtual, dl, disk_total_space, posix_getpwnam, posix_getpwuid, posix_mkfifo, posix_mknod, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_nice, openlog, syslog, pfsockopen, system, shell_exec, passthru, popen, proc_open, exec, ini_alter, pcntl_exec, proc_close, proc_get_status, proc_terminate, symlink
+;php_admin_value[disable_functions] = show_source, highlight_file, apache_child_terminate, apache_get_modules, apache_note, apache_setenv, virtual, dl, disk_total_space, posix_getpwnam, posix_getpwuid, posix_mkfifo, posix_mknod, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_nice, openlog, syslog, pfsockopen, system, shell_exec, passthru, popen, proc_open, exec, ini_alter, pcntl_exec, proc_close, proc_get_status, proc_terminate, symlink
+php_admin_value[disable_functions] = show_source, highlight_file, apache_child_terminate, apache_get_modules, apache_note, apache_setenv, virtual, dl, disk_total_space, posix_getpwnam, posix_getpwuid, posix_mkfifo, posix_mknod, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_nice, openlog, syslog, pfsockopen, system, passthru, popen, proc_open, ini_alter, pcntl_exec, proc_close, proc_get_status, proc_terminate, symlink

 [web-worker]
 user = www-data
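Review bot: the new `disable_functions` line for the [web] pool silently drops `shell_exec` and `exec` from the list, which re-enables process spawning for every script served by that pool, while `system`, `passthru`, `popen` and `proc_open` stay blocked, so the intent is unclear. If one component needs to run a command, scope the exception to it (a dedicated pool or a per-path `php_admin_value`) rather than relaxing the global list, and either delete the commented-out original line or replace it with a one-line comment stating why those two functions were re-enabled.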
@@ -26,4 +27,5 @@ access.log = /proc/self/fd/2
 clear_env = no
 catch_workers_output = yes
 php_admin_value[memory_limit] = 512M
-php_admin_value[disable_functions] = show_source, highlight_file, apache_child_terminate, apache_get_modules, apache_note, apache_setenv, virtual, dl, disk_total_space, posix_getpwnam, posix_getpwuid, posix_mkfifo, posix_mknod, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_nice, openlog, syslog, pfsockopen, system, shell_exec, passthru, popen, proc_open, exec, ini_alter, pcntl_exec, proc_close, proc_get_status, proc_terminate, symlink
+;php_admin_value[disable_functions] = show_source, highlight_file, apache_child_terminate, apache_get_modules, apache_note, apache_setenv, virtual, dl, disk_total_space, posix_getpwnam, posix_getpwuid, posix_mkfifo, posix_mknod, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_nice, openlog, syslog, pfsockopen, system, shell_exec, passthru, popen, proc_open, exec, ini_alter, pcntl_exec, proc_close, proc_get_status, proc_terminate, symlink
+php_admin_value[disable_functions] = show_source, highlight_file, apache_child_terminate, apache_get_modules, apache_note, apache_setenv, virtual, dl, disk_total_space, posix_getpwnam, posix_getpwuid, posix_mkfifo, posix_mknod, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_nice, openlog, syslog, pfsockopen, system, passthru, popen, proc_open, ini_alter, pcntl_exec, proc_close, proc_get_status, proc_terminate, symlink
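Review bot: the same edit is duplicated for the [web-worker] pool, so two near-identical 300-character lists plus their commented-out originals now have to be kept in sync by hand. If both pools really need `shell_exec`/`exec`, add one comment above the first pool explaining why and drop the commented-out copies; if only one pool needs them, restrict the change to that pool.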
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index a445b60c..6a0dd564 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -198,3 +198,19 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks

 # DO NOT EDIT ANYTHING BELOW #
 # User overrides #
+
+myhostname = [REDACTED HOSTNAME]
+
+sender_canonical_maps = tcp:172.22.1.230:10001
+sender_canonical_classes = envelope_sender
+recipient_canonical_maps = tcp:172.22.1.230:10002,
+  proxy:mysql:/opt/postfix/conf/sql/mysql_recipient_canonical_maps.cf
+recipient_canonical_classes = envelope_recipient, header_recipient
+
+# spread out email sending to tame gmail etc
+default_destination_rate_delay = 5s
+smtp_destination_rate_delay = 15s
+default_destination_concurrency_limit = 1
+smtp_destination_concurrency_limit = 1
+default_destination_recipient_limit = 2
+smtp_destination_recipient_limit = 2
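Review bot: `sender_canonical_maps` and `recipient_canonical_maps` point at a literal container address (`tcp:172.22.1.230:10001` and `:10002`) and nothing in the hunk says what service answers there; addresses on `br-mailcow` are not guaranteed to be stable across container recreation, so add a comment naming the lookup service and, where the resolver allows it, use a hostname instead of the address. The first line of `recipient_canonical_maps` ends in a comma before the indented continuation line; that is valid Postfix syntax (commas and whitespace both separate list items), but an explicit comment on the two-source lookup would help. The rate-limit block is fine as written thanks to its comment.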
diff --git a/docker-compose.yml b/docker-compose.yml
index a5a8f95b..3c429397 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -582,36 +582,6 @@ services:
           aliases:
             - ofelia

-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge
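Review bot: removing `ipv6nat-mailcow` also removes a container that ran with `privileged: true`, `network_mode: "host"` and the Docker socket mounted, which lowers host exposure, but the hunk records nothing about what now provides IPv6 NAT for the mailcow network. The `ip6tables -t nat` output further down this page shows Docker-managed MASQUERADE/DNAT rules for `fd4d:6169:6c63:6f77::/64`, so Docker's native ip6tables handling appears to be enabled in the daemon configuration; a comment at the removal site (or a companion change to the daemon config in the same diff) should say so, because without that setting the published ports silently stop being reachable over IPv6.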

Logs of iptables -L -vn:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
8084K 3546M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
8084K 3546M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6999K 3341M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 547K   34M DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
 538K  172M ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
 527K   33M ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.7           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
   16   888 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
   98  5336 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
 6804  358K ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:443
  274 15936 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
 3388  203K ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
 8753  448K ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:80
  277 16108 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
  735 38220 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
  199 11320 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
  148  8448 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 538K  172M DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  67M   27G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
4043K 2176M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  67M   27G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Logs of ip6tables -L -vn:

# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination
1583K 2418M DOCKER-USER  all      *      *       ::/0                 ::/0
1583K 2418M DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0
 155K  294M ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0
1240K 1964M ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 !docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 docker0  ::/0                 ::/0
 939K  392M ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
11456  892K DOCKER     all      *      br-mailcow  ::/0                 ::/0
    0     0 ACCEPT     all      *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      docker0  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    80 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:4190
   12   920 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:587
  171 13460 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::11  tcp dpt:443
   23  1824 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:995
   12   944 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:465
   24  1716 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::11  tcp dpt:80
  507 42532 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:993
   11   732 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:25
   19  1476 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:143
    2   144 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::f  tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 155K  294M DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  all      docker0 !docker0  ::/0                 ::/0
  12M   20G RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0
    0     0 DROP       all      *      docker0  ::/0                 ::/0
1007K 2508M RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  12M   20G RETURN     all      *      *       ::/0                 ::/0

Logs of iptables -L -vn -t nat:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 744K   40M DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   33  1980 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 198K   15M MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.7           172.22.1.7           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.9           172.22.1.9           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.11          172.22.1.11          tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.11          172.22.1.11          tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
  127  7620 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.7:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.9:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
   16   888 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
   98  5336 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
 6804  358K DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.11:443
  274 15936 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
34426 2065K DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
 8757  448K DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.11:80
  277 16108 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
  742 40090 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
  199 11320 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
  148  8448 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110

Logs of ip6tables -L -vn -t nat:

# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
14059 1149K DOCKER     all      *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all      *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
32937 3165K MASQUERADE  all      *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0
    0     0 MASQUERADE  all      *      !docker0  fd00:dead:beef:c0::/80  ::/0
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::11  fd4d:6169:6c63:6f77::11  tcp dpt:443
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::11  fd4d:6169:6c63:6f77::11  tcp dpt:80
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:110

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
   12   960 RETURN     all      br-mailcow *       ::/0                 ::/0
    0     0 RETURN     all      docker0 *       ::/0                 ::/0
    1    80 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::f]:4190
   12   920 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::10]:587
  171 13460 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::11]:443
   23  1824 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::f]:995
   12   944 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::10]:465
   24  1716 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::11]:80
  507 42532 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::f]:993
   11   732 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::10]:25
   19  1476 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::f]:143
    2   144 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::f]:110

DNS check:

151.101.65.69
151.101.1.69
151.101.193.69
151.101.129.69
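The failure above comes down to one decision inside the TLS handshake: the name the client dialled (`postfix`) has to appear in the server certificate's dNSName SANs, with the CN consulted only as a legacy fallback, and a public-CA certificate for the mailcow hostname cannot carry a bare single-label name. The following diagnostic is an added example, not code from this issue, from mailcow or from Nextcloud/symfony. It implements that matching rule on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and adds a network-only probe that performs EHLO and STARTTLS against an SMTP port, verifies the chain but not the name, and then reports separately whether the certificate would pass the name check for a given expected hostname. The sample certificates and the `example.test` names are constructed; the hostname and port in the usage comment are assumptions.

```python
"""Diagnose the STARTTLS hostname-mismatch failure seen in the Nextcloud log.

Added example; not part of the issue, of mailcow, or of Nextcloud/symfony.
Certificate dicts follow ssl.SSLSocket.getpeercert(); samples are constructed.
"""
import smtplib
import ssl


def _san_dns_names(cert):
    """dNSName entries of subjectAltName, e.g. (("DNS", "mail.example.test"), ...)."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_name(cert):
    """Subject CN or None; only used when the certificate has no dNSName SANs."""
    for rdn in cert.get("subject", ()):
        for (attr, value) in rdn:
            if attr == "commonName":
                return value
    return None


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single leftmost '*' label that stands
    for exactly one label ('*.example.test' never matches 'example.test')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return hostname.endswith("." + suffix) and hostname.count(".") == suffix.count(".") + 1
    return False


def match_hostname(cert, hostname):
    """Return (ok, reason): would `cert` verify for a client that dialled `hostname`?"""
    names = _san_dns_names(cert)
    source = "SAN"
    if not names:
        cn = _common_name(cert)
        if cn is None:
            return False, "certificate has neither dNSName SANs nor a CN"
        names, source = [cn], "CN"
    for name in names:
        if _name_matches(name, hostname):
            return True, f"'{hostname}' matched {source} '{name}'"
    return False, f"'{hostname}' is not in {source} names {names}"


def probe_starttls(host, port, expected_name, timeout=10):
    """Network-only (not run offline): EHLO, then STARTTLS with the chain verified
    against the system trust store but hostname checking disabled, so the
    presented certificate can be read and judged with match_hostname().
    This separates 'chain not trusted' from 'name mismatch', which the
    single Symfony error message in the issue blurs together."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED; name check is ours
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "ok": None, "reason": "server does not advertise STARTTLS"}
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            return {"starttls": True, "ok": False, "reason": f"chain not trusted: {exc}"}
        ok, reason = match_hostname(smtp.sock.getpeercert(), expected_name)
        return {"starttls": True, "ok": ok, "reason": reason}


# Constructed sample: a public-CA certificate for a mail host, as getpeercert()
# reports it. A bare container name such as 'postfix' can never appear here.
SAMPLE_MAIL_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("DNS", "mail.example.test"), ("DNS", "autoconfig.example.test")),
}

# Constructed sample: legacy certificate with no SANs, wildcard CN only.
SAMPLE_CN_ONLY_CERT = {"subject": ((("commonName", "*.internal.test"),),)}


if __name__ == "__main__":
    for dialled in ("postfix", "mail.example.test", "MAIL.EXAMPLE.TEST."):
        print(dialled, "->", match_hostname(SAMPLE_MAIL_CERT, dialled))
    # Live check against the setup in the issue (assumed host/port):
    # print(probe_starttls("postfix", 588, "postfix"))
```

Running `match_hostname(SAMPLE_MAIL_CERT, "postfix")` returns the negative result that corresponds to the `did not match expected CN=`postfix'` line in the log, while the same certificate passes for `mail.example.test`; that is the whole gap between the two workarounds listed above (dial the FQDN, or stop verifying on the internal network). The probe is what a defender would run from the Nextcloud container before changing configuration, since it tells you whether the server advertises STARTTLS at all, whether the chain is trusted, and whether only the name is wrong.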
@krono krono added the bug label Jun 26, 2023
@chriscroome
Contributor

I don't install Nextcloud on the same servers as Mailcow; however, I also had this issue and switched to using usr/sbin/sendmail. I expect this isn't a solution that will work in a Docker container, however.

@MAGICCC
Member

MAGICCC commented Jun 26, 2023

Hi @krono
We have #5283 open, and it can fix it. I am still thinking about merging it, since it's an internal network, no need to verify certs imho.

@krono
Author

krono commented Jun 26, 2023

I confirm that fixes it.
I don't know what kind of user information would help during 25.x -> 26.x updates though.

Feel free to close.
