Dovecot not starting anymore #6018

Closed
5 tasks done
Sysadminfromhell opened this issue Aug 16, 2024 · 15 comments · Fixed by #6025
Labels
investigating Still under investigation unconfirmed

Comments

@Sysadminfromhell

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

Hello everyone,

I noticed that after every update Dovecot won't start anymore. After digging into the issue I found the problem with the SA update script, which connects to a server which blocks my mail server without any information why. My IP is not on a blacklist or other ASN.
Is there a way to update the SA rules alternatively or remove the "blacklisting" on such an important service?

The problem is discussed here (partially in German):
https://community.mailcow.email/d/2213-dovecot-timeout-on-startup

A fix is documented here as well, but I think disabling the SA rules script isn't a real fix:
https://community.mailcow.email/d/2213-dovecot-timeout-on-startup/4

Kind regards,

Logs:

root@MailCow:/opt/mailcow-dockerized# docker logs mailcowdockerized-dovecot-mailcow-1
Waiting for database to come up...
Uptime: 1  Threads: 2  Questions: 2  Slow queries: 0  Opens: 17  Open tables: 10  Queries per second avg: 2.000
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0curl: (6) Could not resolve host: www.spamassassin.heinlein-support.de
Warning: Problem : timeout. Will retry in 1 seconds. 10 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0curl: (6) Could not resolve host: www.spamassassin.heinlein-support.de
Warning: Problem : timeout. Will retry in 2 seconds. 9 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) SSL connection timeout
Warning: Problem : timeout. Will retry in 4 seconds. 8 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) SSL connection timeout
Warning: Problem : timeout. Will retry in 8 seconds. 7 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) SSL connection timeout
Warning: Problem : timeout. Will retry in 16 seconds. 6 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) SSL connection timeout
Warning: Problem : timeout. Will retry in 32 seconds. 5 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) SSL connection timeout
Warning: Problem : timeout. Will retry in 64 seconds. 4 retries left.

Steps to reproduce:

1. Update to the latest Docker images via update.sh
2. FIN

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Debian 12

Server/VM specifications:

2 vCPU, 4 GB RAM

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

QEMU KVM VM

Docker version:

27.1.2

docker-compose version or docker compose version:

v2.13.0

mailcow version:

2024-08

Reverse proxy:

Nginx

Logs of git diff:

root@MailCow:/opt/mailcow-dockerized# git diff origin/master
diff --git a/data/conf/dovecot/global_sieve_after b/data/conf/dovecot/global_sieve_after
index cf12543a..7b58c131 100644
--- a/data/conf/dovecot/global_sieve_after
+++ b/data/conf/dovecot/global_sieve_after
@@ -12,6 +12,10 @@ if header :contains "X-Spam-Flag" "YES" {
   fileinto "Junk";
 }

+if header :contains "PMG-Spam-Flag" "YES" {
+  fileinto "Junk";
+}
+
 if allof (
   envelope :detail :matches "to" "*",
   header :contains "X-Moo-Tag" "YES"
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 6a87f2ec..65d40400 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -103,8 +103,8 @@ smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender
 smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
   permit_mynetworks,
   permit_sasl_authenticated,
-  reject_unlisted_sender,
-  reject_unknown_sender_domain
+  #reject_unlisted_sender,
+  #reject_unknown_sender_domain
 smtpd_soft_error_limit = 3
 smtpd_tls_auth_only = yes
 smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
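Review bot: Commenting out reject_unlisted_sender and reject_unknown_sender_domain in smtpd_sender_restrictions drops both sender checks for every client that falls through the three entries above them, and nothing in the change records why. If the checks were only failing for mail from one known source, scope the exception to that source instead of disabling them globally, and put the reason in a comment next to the two disabled lines.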
@@ -173,3 +173,48 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks

 # DO NOT EDIT ANYTHING BELOW #
 # Overrides #
+
+postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
+  hostkarma.junkemailfilter.com=127.0.0.1*-2
+  list.dnswl.org=127.0.[0..255].0*-2
+  list.dnswl.org=127.0.[0..255].1*-4
+  list.dnswl.org=127.0.[0..255].2*-6
+  list.dnswl.org=127.0.[0..255].3*-8
+  ix.dnsbl.manitu.net*2
+  bl.spamcop.net*2
+  bl.suomispam.net*2
+  hostkarma.junkemailfilter.com=127.0.0.2*3
+  hostkarma.junkemailfilter.com=127.0.0.4*2
+  hostkarma.junkemailfilter.com=127.0.1.2*1
+  backscatter.spameatingmonkey.net*2
+  bl.ipv6.spameatingmonkey.net*2
+  bl.spameatingmonkey.net*2
+  b.barracudacentral.org=127.0.0.2*7
+  bl.mailspike.net=127.0.0.2*5
+  bl.mailspike.net=127.0.0.[10;11;12]*4
+  dnsbl.sorbs.net=127.0.0.10*8
+  dnsbl.sorbs.net=127.0.0.5*6
+  dnsbl.sorbs.net=127.0.0.7*3
+  dnsbl.sorbs.net=127.0.0.8*2
+  dnsbl.sorbs.net=127.0.0.6*2
+  dnsbl.sorbs.net=127.0.0.9*2
+
+
+# User Overrides
+myhostname = mail.safh.de
+relayhost=10.0.1.3:26
+# Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+# Otherwise, allow bare <LF> and process it as if the client sent
+# <CR><LF>.
+#
+# This maintains compatibility with many legitimate SMTP client
+# applications that send a mix of standard and non-standard line
+# endings, but will fail to receive email from client implementations
+# that do not terminate DATA content with the standard End-of-DATA
+# sequence <CR><LF>.<CR><LF>.
+#
+# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+# The example below allowlists SMTP clients in trusted networks.
+#
+#smtpd_forbid_bare_newline = normalize
+#smtpd_forbid_bare_newline_exclusions = $mynetworks
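Review bot: Everything in this hunk is added below the "# DO NOT EDIT ANYTHING BELOW #" marker, so main.cf now differs from origin/master in exactly the region the file marks as not to be edited by hand; keep these settings in the override file instead (master.cf in this same diff points at extra.cf for that kind of setting). Two details in the added lines are worth a second look: relayhost=10.0.1.3:26 routes all outbound mail through a single internal hop, and both smtpd_forbid_bare_newline lines are commented out, so they set nothing and whatever the Postfix default is applies.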
diff --git a/data/conf/postfix/master.cf b/data/conf/postfix/master.cf
index df91a390..7e460cc0 100644
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@@ -5,7 +5,8 @@ smtp       inet  n       -       n       -       1       postscreen
   -o syslog_name=haproxy
 smtpd      pass  -       -       n       -       -       smtpd
   -o smtpd_sasl_auth_enable=no
-  -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain
+  -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender
+#,reject_unknown_sender_domain

 # smtpd tls-wrapped (smtps) on 465/tcp
 # TLS protocol can be modified by setting smtps_smtpd_tls_mandatory_protocols in extra.cf
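Review bot: The replacement -o line now ends at reject_unlisted_sender and the removed restriction is left behind as a stray "#,reject_unknown_sender_domain" comment line inside the smtpd service entry. Delete that line rather than commenting it out, and note that this entry keeps reject_unlisted_sender while the main.cf change in the same diff disables it, so the two files no longer apply the same sender policy.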
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index d3165b8a..532dcbc7 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -118,7 +118,7 @@ $AVAILABLE_LANGUAGES = array(
 $UI_THEME = "lumen";

 // Show DKIM private keys - false by default
-$SHOW_DKIM_PRIV_KEYS = false;
+$SHOW_DKIM_PRIV_KEYS = true;

 // mailcow Apps - buttons on login screen
 $MAILCOW_APPS = array(
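Review bot: $SHOW_DKIM_PRIV_KEYS is flipped to true directly in vars.inc.php although the comment above it reads "false by default", which turns on display of DKIM private keys in the web UI. Revert it unless the keys are actively being exported, and if it has to stay on, set it in a local override rather than in the tracked file so it does not persist unnoticed across updates.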
diff --git a/docker-compose.yml b/docker-compose.yml
index 59f41785..a6f5a661 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -613,42 +613,12 @@ services:
           aliases:
             - ofelia

-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge
     driver_opts:
       com.docker.network.bridge.name: br-mailcow
-    enable_ipv6: true
+    enable_ipv6: false
     ipam:
       driver: default
       config:

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
10336 5781K MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
10336 5781K DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
10336 5781K DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0
 8685 5640K ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  858 53670 DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
  793 86542 ACCEPT     0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
  853 53366 ACCEPT     0    --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:8983
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:3306
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:80
    1    64 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    4   240 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  793 86542 DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2535K 1264M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
 110K  113M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  65M   31G RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Logs of ip6tables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
    0     0 DOCKER-USER  0    --  *      *       ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       ::/0                 ::/0
    0     0 ACCEPT     0    --  *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  ::/0                 ::/0
    0     0 ACCEPT     0    --  docker0 !docker0  ::/0                 ::/0
    0     0 ACCEPT     0    --  docker0 docker0  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  ::/0                 ::/0
    0     0 RETURN     0    --  *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      br-mailcow  ::/0                 ::/0
    0     0 DROP       0    --  *      docker0  ::/0                 ::/0
    0     0 RETURN     0    --  *      *       ::/0                 ::/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  *      *       ::/0                 ::/0

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
11231  679K DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  588 43118 MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  6    --  *      *       172.22.1.5           172.22.1.5           tcp dpt:8983
    0     0 MASQUERADE  6    --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  6    --  *      *       172.22.1.6           172.22.1.6           tcp dpt:3306
    0     0 MASQUERADE  6    --  *      *       172.22.1.8           172.22.1.8           tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       172.22.1.8           172.22.1.8           tcp dpt:443
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.5:8983
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.6:3306
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.8:80
    1    64 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.8:443
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    5   300 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      !docker0  fd00:dead:beef:c0::/80  ::/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  docker0 *       ::/0                 ::/0

DNS check:

172.64.155.249
104.18.32.7
@h3ssan
Member

h3ssan commented Aug 16, 2024

Hello there,

Could you please try this command, and let me know if it is resolvable via the container's DNS.

docker exec -it mailcowdockerized-dovecot-mailcow-1 nslookup www.spamassassin.heinlein-support.de

Also, try this with -v or --verbose to show more info.

docker exec -it mailcowdockerized-dovecot-mailcow-1 curl -v https://www.spamassassin.heinlein-support.de

Also try them on your host server, not inside containers.

@DerLinkman DerLinkman added support please consider asking at https://community.mailcow.email/ or https://t.me/mailcow not-a-bug and removed bug labels Aug 16, 2024
@milkmaker
Collaborator

THIS IS AN AUTOMATED MESSAGE!

It seems your issue is not a bug.
Therefore we highly advise you to get support!

You can get support either by:

This issue will be closed. If you think your reported issue is not a support case, feel free to comment above and, if so, the issue will be reopened.

@milkmaker milkmaker closed this as not planned Won't fix, can't repro, duplicate, stale Aug 16, 2024
@Sysadminfromhell
Author

Sysadminfromhell commented Aug 16, 2024

@h3ssan here is the output:

docker exec -it mailcowdockerized-dovecot-mailcow-1 nslookup www.spamassassin.heinlein-support.de

Server:         127.0.0.11
Address:        127.0.0.11#53

Non-authoritative answer:
Name:   www.spamassassin.heinlein-support.de
Address: 185.97.174.62

docker exec -it mailcowdockerized-dovecot-mailcow-1 curl -v https://www.spamassassin.heinlein-support.de

* Host www.spamassassin.heinlein-support.de:443 was resolved.
* IPv6: (none)
* IPv4: 185.97.174.62
*   Trying 185.97.174.62:443...
* Connected to www.spamassassin.heinlein-support.de (185.97.174.62) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* Recv failure: Connection reset by peer
* OpenSSL SSL_connect: Connection reset by peer in connection to www.spamassassin.heinlein-support.de:443
* closing connection #0
curl: (35) Recv failure: Connection reset by peer

nslookup www.spamassassin.heinlein-support.de

Server:         10.0.1.2
Address:        10.0.1.2#53

Non-authoritative answer:
Name:   www.spamassassin.heinlein-support.de
Address: 185.97.174.62

curl -v https://www.spamassassin.heinlein-support.de

*   Trying 185.97.174.62:443...
* Connected to www.spamassassin.heinlein-support.de (185.97.174.62) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=spamassassin.heinlein-support.de
*  start date: Jul 23 06:29:20 2024 GMT
*  expire date: Oct 21 06:29:19 2024 GMT
*  subjectAltName: host "www.spamassassin.heinlein-support.de" matched cert's "www.spamassassin.heinlein-support.de"
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: www.spamassassin.heinlein-support.de
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 200 OK
< Date: Fri, 16 Aug 2024 12:35:57 GMT
< Server: Apache
< Last-Modified: Thu, 16 Jan 2014 22:20:04 GMT
< ETag: "2b-4f01dd3c87b53"
< Accept-Ranges: bytes
< Content-Length: 43
< Content-Type: text/html
<
Please see: http://www.heinlein-support.de
* Connection #0 to host www.spamassassin.heinlein-support.de left intact

So why can the host itself access the URL via curl but not the docker? I did not modify any of the settings.

@Sysadminfromhell
Author

@DerLinkman I disagree with the "not a bug" tag; the website mailcow uses blocks the connection via docker for whatever reason. I reinstalled the whole server and did not change any of the settings regarding docker / host and still got this behaviour. This should be looked into and is not a support case. It's a bug.

@h3ssan
Member

h3ssan commented Aug 16, 2024

Hi @DerLinkman, it looks like the problem is with the container itself, not the host server.
Since the server connects successfully to the host www.spamassassin.heinlein-support.de, but the container does not, it's a bug.

@DerLinkman
Member

DerLinkman commented Aug 16, 2024

It's not a bug... it's not working for him not all. We have these cases a few times... every case was something broken on their machines regarding docker networking.

@DerLinkman
Member

Yeah, we could discuss if the dovecot should not start if he can't download the stuff but... I don't know...

@h3ssan
Member

h3ssan commented Aug 16, 2024

> Yeah, we could discuss if the dovecot should not start if he can't download the stuff but... I don't know...

Okay @DerLinkman, as you wish.

Final tip for @Sysadminfromhell: try messing with OpenSSL; it might be handshake issues related to OpenSSL.

@DerLinkman
Member

Wait... let me correct my answer from above: It seems like a partial problem. 1st it was looking like a DNS issue, but if you carefully read the logs it said SSL error, so I presume heinlein was not online at the moment. That is indeed a problem...

To ease this up: I'll add a give-up section where he continues even if it has failed... but I think he is already doing it, no?

@DerLinkman DerLinkman added unconfirmed investigating Still under investigation and removed support please consider asking at https://community.mailcow.email/ or https://t.me/mailcow not-a-bug labels Aug 16, 2024
@DerLinkman DerLinkman reopened this Aug 16, 2024
@h3ssan
Member

h3ssan commented Aug 16, 2024

> To ease this up: I'll add a give-up section where he continues even if it has failed... but I think he is already doing it, no?

Yes @DerLinkman, it's already retrying 10 times, but all failed.

@Sysadminfromhell
Author

Sysadminfromhell commented Aug 19, 2024

Yea, I can confirm that the dovecot container is not starting. It just retries and then reboots after 10 retries. So the loop has no "end" condition.

@DerLinkman
Member

> Yea, I can confirm that the dovecot container is not starting. It just retries and then reboots after 10 retries. So the loop has no "end" condition.

That is not good... I mean that you cannot resolve this either, but also that it does not have an exit condition... let me adjust that

@alyxto

alyxto commented Dec 11, 2024

Unfortunately, the issue doesn't seem to be fully fixed.
I'm on version 2024-11b and have encountered the same issue again.

╰─➤  docker container logs mailcowdockerized-dovecot-mailcow-1 --tail 100 --follow                           
Warning: Problem : timeout. Will retry in 32 seconds. 5 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15003 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 64 seconds. 4 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 128 seconds. 3 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 256 seconds. 2 retries left.
Uptime: 812  Threads: 17  Questions: 3165  Slow queries: 0  Opens: 71  Open tables: 62  Queries per second avg: 3.897
grep: /etc/dovecot/extra.conf: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 1 seconds. 10 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 2 seconds. 9 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 4 seconds. 8 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 8 seconds. 7 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 16 seconds. 6 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 32 seconds. 5 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 64 seconds. 4 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 128 seconds. 3 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 256 seconds. 2 retries left.
Uptime: 1248  Threads: 18  Questions: 5125  Slow queries: 0  Opens: 76  Open tables: 67  Queries per second avg: 4.106
grep: /etc/dovecot/extra.conf: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 1 seconds. 10 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 2 seconds. 9 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 4 seconds. 8 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 8 seconds. 7 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 16 seconds. 6 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 32 seconds. 5 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 64 seconds. 4 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 128 seconds. 3 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15001 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 256 seconds. 2 retries left.
Uptime: 1652  Threads: 14  Questions: 7156  Slow queries: 0  Opens: 77  Open tables: 68  Queries per second avg: 4.331
grep: /etc/dovecot/extra.conf: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 1 seconds. 10 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 2 seconds. 9 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 4 seconds. 8 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 8 seconds. 7 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 16 seconds. 6 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 32 seconds. 5 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 64 seconds. 4 retries left.
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 15002 ms: Timeout was reached
Warning: Problem : timeout. Will retry in 128 seconds. 3 retries left.
╰─➤  docker exec -it mailcowdockerized-dovecot-mailcow-1 nslookup www.spamassassin.heinlein-support.de
Server:		127.0.0.11
Address:	127.0.0.11#53

Non-authoritative answer:
Name:	www.spamassassin.heinlein-support.de
Address: 185.97.174.62
╰─➤  docker exec -it mailcowdockerized-dovecot-mailcow-1 curl -v https://www.spamassassin.heinlein-support.de
* Host www.spamassassin.heinlein-support.de:443 was resolved.
* IPv6: (none)
* IPv4: 185.97.174.62
*   Trying 185.97.174.62:443...
* connect to 185.97.174.62 port 443 from 172.22.1.250 port 42716 failed: Operation timed out
* Failed to connect to www.spamassassin.heinlein-support.de port 443 after 130312 ms: Could not connect to server
* closing connection #0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 130312 ms: Could not connect to server
╰─➤  nslookup www.spamassassin.heinlein-support.de                                                                                                                                                                                       28 ↵
Server:		2a10:cc45:12a::1
Address:	2a10:cc45:12a::1#53

Non-authoritative answer:
Name:	www.spamassassin.heinlein-support.de
Address: 185.97.174.62
╰─➤  curl -v https://www.spamassassin.heinlein-support.de
*   Trying 185.97.174.62:443...
* connect to 185.97.174.62 port 443 failed: Connection timed out
* Failed to connect to www.spamassassin.heinlein-support.de port 443 after 129589 ms: Couldn't connect to server
* Closing connection 0
curl: (28) Failed to connect to www.spamassassin.heinlein-support.de port 443 after 129589 ms: Couldn't connect to server

EDIT: It seems like it never reaches the retry limit. Can't exactly tell why, the container is running and not restarting, but it goes down to 2 restarts left and then starts again at 10.

Edited my sa-rules.sh to only have a retry limit of 5 and then it starts successfully.

@ricardoalcantara

I am having the same issue and have no idea how to solve it. Now I cannot send any emails. Has anyone found a way to resolve this issue?

@alyxto

alyxto commented Dec 20, 2024

I've changed the retry limit from 10 to a more reasonable 5 in the file /opt/mailcow-dockerized/data/Dockerfiles/dovecot/sa-rules.sh

In this section:

# Deploy
if curl --connect-timeout 15 --retry 5 --max-time 30 https://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz; then
  if gzip -t /tmp/sa-rules-heinlein.tar.gz; then
    tar xfvz /tmp/sa-rules-heinlein.tar.gz -C /tmp/sa-rules-heinlein
    cat /tmp/sa-rules-heinlein/*cf > /etc/rspamd/custom/sa-rules
  fi
else
  echo "Failed to download SA rules. Exiting."
  exit 0 # Must be 0 otherwise dovecot would not start at all
fi

Then added an override for the file to the docker compose file with a volume mount

- /opt/mailcow-dockerized/data/Dockerfiles/dovecot/sa-rules.sh:/usr/local/bin/sa-rules.sh

Definitely a quick and dirty workaround, but better than a dead email server.
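
Added example (not mailcow's sa-rules.sh and not code from this thread): one way to make a startup-time rule download fail open, so a blocked or unreachable mirror leaves the previous rules in place instead of holding up the service. The function names, the status strings and the injectable fetch command are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-open rule update. Not mailcow's sa-rules.sh; the function
# names, status strings and the injectable fetch command are hypothetical.

# fetch_with_curl URL OUTFILE: --retry-max-time caps the whole retry loop, so
# the exponential back-off cannot stretch startup beyond a known bound.
fetch_with_curl() {
  curl --silent --show-error --fail --connect-timeout 15 --max-time 30 \
       --retry 5 --retry-max-time 120 --output "$2" "$1"
}

# update_rules FETCH_CMD URL RULES_FILE
# Prints "updated" or "kept-previous:<reason>" and always returns 0, so a
# blocked or unreachable mirror can never stop the service that calls it.
update_rules() {
  fetch_cmd=$1 url=$2 rules_file=$3
  work=$(mktemp -d) || { echo "kept-previous:mktemp"; return 0; }
  status=$(
    "$fetch_cmd" "$url" "$work/rules.tar.gz" >/dev/null ||
      { echo "kept-previous:download"; exit 0; }
    gzip -t "$work/rules.tar.gz" 2>/dev/null ||
      { echo "kept-previous:corrupt"; exit 0; }
    # Refuse archives with absolute member names or ".." path components.
    if tar -tzf "$work/rules.tar.gz" 2>/dev/null | grep -Eq '^/|(^|/)\.\.(/|$)'; then
      echo "kept-previous:unsafe-path"; exit 0
    fi
    mkdir "$work/x" && tar -xzf "$work/rules.tar.gz" -C "$work/x" 2>/dev/null ||
      { echo "kept-previous:extract"; exit 0; }
    ls "$work"/x/*.cf >/dev/null 2>&1 ||
      { echo "kept-previous:no-rules"; exit 0; }
    # Build the new file next to the old one, then rename: readers see either
    # the previous rules or the complete new set, never a partial write.
    cat "$work"/x/*.cf > "$rules_file.new" && mv "$rules_file.new" "$rules_file" ||
      { echo "kept-previous:write"; exit 0; }
    echo "updated"
  )
  rm -rf "$work"
  echo "$status"
  return 0
}
```

Logging the returned status at startup makes a long-running `kept-previous:download` visible, which is the signal that the rules are going stale even though the mail service is up.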
