Mailcow-dockerized: ACME resolves mailcow_hostname as internal IP

Created on 9 Dec 2020 · 22 Comments · Source: mailcow/mailcow-dockerized

Prior to placing the issue, please check following: (fill out each checkbox with an X once done)

  • [x] I understand that not following or deleting the below instructions will result in immediate closure and/or deletion of my issue.
  • [x] I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • [x] I have understood that answers are voluntary and community-driven, and not commercial support.
  • [x] I have verified that my issue has not been already answered in the past. I also checked previous issues.

Summary


Today my mailcow installation wants to renew the LE certificates, but the acme-mailcow container resolves the IP of the MAILCOW_HOSTNAME (main domain) as the docker internal IP instead of the "outer world" IP. I also tried to renew the certificates, and in that case the acme container ignores the MAILCOW_HOSTNAME and the newly generated certificate is wrong. The whole setup hasn't been changed in over a year (except daily updates via update-script).

Logs


Here is the log after touch data/assets/ssl/force_renew

acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Initializing, please wait...
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Detecting IP addresses...
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - OK: 116.203...., 2a01:4f8:...
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Found AAAA record for autodiscover.domain1.com: 2a01:4f8:... - skipping A record check
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Confirmed AAAA record with IP 2a01:04f8:...:0001
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Found AAAA record for autoconfig.domain1.com: 2a01:4f8:... - skipping A record check
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Confirmed AAAA record with IP 2a01:04f8:...:0001
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Found AAAA record for autodiscover.domain2.de: 2a01:4f8:...:1 - skipping A record check
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Confirmed AAAA record with IP 2a01:04f8:...:0001
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Found AAAA record for autoconfig.domain2.de: 2a01:4f8:... - skipping A record check
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Confirmed AAAA record with IP 2a01:04f8:...:0001
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Found AAAA record for MAILCOW_HOSTNAME: fd4d:6169:6c63:6f77::e - skipping A record check
acme-mailcow_1       | Wed Dec  9 06:29:57 CET 2020 - Cannot match your IP 2a01:04f8:....:0001 against hostname MAILCOW_HOSTNAME (DNS returned fd4d:6169:6c63:6f77:0000:0000:0000:000e)
acme-mailcow_1       | Wed Dec  9 06:29:58 CET 2020 - Found AAAA record for webmail.domain2.de: 2a01:4f8:...:1 - skipping A record check
acme-mailcow_1       | Wed Dec  9 06:29:58 CET 2020 - Confirmed AAAA record with IP 2a01:04f8:....0001
acme-mailcow_1       | Wed Dec  9 06:29:58 CET 2020 - Certificate /var/lib/acme/autoconfig.domain1.com/cert.pem doesn't exist yet or forced renewal - start obtaining
acme-mailcow_1       | Wed Dec  9 06:29:58 CET 2020 - Creating backups in /var/lib/acme/backups/autoconfig.domain1.com/2020-12-09_06_29_58 ...
acme-mailcow_1       | Wed Dec  9 06:29:58 CET 2020 - Checking resolver...
acme-mailcow_1       | Wed Dec  9 06:29:58 CET 2020 - Resolver OK

When I go into the container with docker-compose exec acme... bash and run host MAILCOW_HOSTNAME, it also resolves only to the fd4d.. IP. Inside the unbound-mailcow container it's the same via ping MAILCOW_HOSTNAME.

Reproduction


I'm not sure, but it looks to me as if something has changed in how the hostname is handled in docker-compose. Maybe there is a fix within docker or docker-compose. But I'm sure all other instances of mailcow that I run would have the same issue.

System information

| Question | Answer |
| --- | --- |
| My operating system | Debian Buster |
| Is Apparmor, SELinux or similar active? | No, default |
| Virtualization technology (KVM, VMware, Xen, etc - LXC and OpenVZ are not supported) | KVM |
| Server/VM specifications (Memory, CPU Cores) | 4GB, 2x CPU |
| Docker Version (docker version) | 20.10.0 |
| Docker-Compose Version (docker-compose version) | 1.27.4 |
| Reverse proxy (custom solution) | n/a |

  • Output of git diff origin/master, any other changes to the code? If so, please post them. No changes
  • All third-party firewalls and custom iptables rules are unsupported. Please check the Docker docs about how to use Docker with your own ruleset. Nevertheless, iptables output can help us to help you: iptables -L -vn, ip6tables -L -vn, iptables -L -vn -t nat and ip6tables -L -vn -t nat. None.
  • DNS problems? Please run docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254 (set the IP accordingly, if you changed the internal mailcow network) and post the output.
# docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254
151.101.1.69
151.101.65.69
151.101.193.69
151.101.129.69

bug
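
An added example (not part of the issue and not mailcow's own code): a small Python triage over acme-mailcow log output that separates a hostname check that failed because name resolution returned a container-internal address, as in the log above, from a mismatch against a public address. The sample lines, the example.org names and the 2001:db8:: addresses are constructed; only the message format and the fd4d:... address are taken from the log above.

```python
import ipaddress
import re

# Ranges treated as "internal" here. They are listed explicitly instead of
# relying on ipaddress.is_private, which also flags documentation ranges
# and has changed between Python versions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # ULA, link-local, loopback
)]

# Message format as it appears in the acme-mailcow log quoted in the issue.
MISMATCH_RE = re.compile(
    r"Cannot match your IP (?P<own>\S+) against hostname (?P<host>\S+) "
    r"\(DNS returned (?P<dns>[^)]+)\)"
)

# Constructed sample input (hostnames and 2001:db8:: addresses are placeholders).
SAMPLE_LOG = """\
acme-mailcow_1 | Wed Dec  9 06:29:57 CET 2020 - Found AAAA record for autoconfig.example.org: 2001:db8::1 - skipping A record check
acme-mailcow_1 | Wed Dec  9 06:29:57 CET 2020 - Confirmed AAAA record with IP 2001:0db8:0000:0000:0000:0000:0000:0001
acme-mailcow_1 | Wed Dec  9 06:29:57 CET 2020 - Cannot match your IP 2001:0db8:0000:0000:0000:0000:0000:0001 against hostname mail.example.org (DNS returned fd4d:6169:6c63:6f77:0000:0000:0000:000e)
acme-mailcow_1 | Wed Dec  9 06:29:58 CET 2020 - Cannot match your IP 2001:0db8:0000:0000:0000:0000:0000:0001 against hostname webmail.example.org (DNS returned 2001:0db8:ffff:0000:0000:0000:0000:0005)
acme-mailcow_1 | Wed Dec  9 06:29:58 CET 2020 - Cannot match your IP 2001:0db8:...:0001 against hostname imap.example.org (DNS returned fd4d:....:000e)
"""


def is_internal(addr):
    """True if addr (a string) lies in one of INTERNAL_NETS.

    Raises ValueError for text that is not a valid IP address, for example
    an address that was redacted with dots before the log was shared.
    """
    ip = ipaddress.ip_address(addr.strip())
    return any(ip in net for net in INTERNAL_NETS)


def classify_mismatches(log_text):
    """Return (hostname, returned_address, cause) for every failed check.

    cause is one of:
      internal-address  the lookup returned a private/ULA/loopback address,
                        so the answer did not come from public DNS
      dns-mismatch      the lookup returned a routable address that is not
                        the host's own address
      unparseable       the address in the log line is not a valid IP
    """
    findings = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        host, raw = m["host"], m["dns"].strip()
        try:
            cause = "internal-address" if is_internal(raw) else "dns-mismatch"
            shown = ipaddress.ip_address(raw).compressed
        except ValueError:
            cause, shown = "unparseable", raw
        findings.append((host, shown, cause))
    return findings


if __name__ == "__main__":
    for host, addr, cause in classify_mismatches(SAMPLE_LOG):
        print(f"{host:22} {addr:26} {cause}")
```

A hostname reported as internal-address failed its check because of name resolution inside the container rather than because of its public DNS records.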

All 22 comments

I found this issue https://github.com/mailcow/mailcow-dockerized/issues/3201 - and yes, the hostname of the docker host is the same as MAILCOW_HOSTNAME - but what would be the reason why this is a problem for correct DNS resolution inside the docker container?

Hi,

some information is missing. Please post all Information.

And is 20.10 stable? I think it's still on testing.

What information do you mean? Iptables - As I wrote at the end - there is no extra setup:

# iptables -L -vn
Chain INPUT (policy ACCEPT 2960K packets, 1451M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 74 packets, 4440 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 420K  257M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 420K  257M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
  11M 5012M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 468K   30M DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
3486K 2544M ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 344K   22M ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 3896K packets, 399M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.7           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    4   204 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.4           tcp dpt:443
   21  1140 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.4           tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    7   420 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
 2845  171K ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
   21  1244 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:587
    9   524 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:465
   26  1440 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
 114K   95M DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 420K  257M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  35M   19G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
 114K   95M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0     
# ip6tables -L -vn
Chain INPUT (policy ACCEPT 591K packets, 334M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
36373   75M DOCKER-USER  all      *      *       ::/0                 ::/0                
3047K 7116M DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0                
1067K 2718M DOCKER     all      *      br-mailcow  ::/0                 ::/0                
 906K 2594M ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 120K   35M ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0                
93776 6736K ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 619K packets, 2564M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
3047K 7116M RETURN     all      *      *       ::/0                 ::/0                

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::6  tcp dpt:443
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::6  tcp dpt:80
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:465
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:587
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:25
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:110
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:143
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:4190
  895  104K ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:993
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:995

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2330  560K DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0                
36373   75M RETURN     all      *      *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0                
 2330  560K RETURN     all      *      *       ::/0                 ::/0                



# iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 1398K packets, 99M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3722  236K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 38701 packets, 3236K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1253K packets, 80M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
 177K   15M MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.3           172.22.1.3           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.7           172.22.1.7           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.12          172.22.1.12          tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.4           172.22.1.4           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.4           172.22.1.4           tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.9           172.22.1.9           tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.9           172.22.1.9           tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.9           172.22.1.9           tcp dpt:25

Chain OUTPUT (policy ACCEPT 75087 packets, 4957K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   63  3780 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.7:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.12:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    4   204 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.4:443
   21  1140 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.4:80
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    7   420 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
 2948  177K DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
   21  1244 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.9:587
    9   524 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.9:465
   27  1492 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.9:25



# ip6tables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 229K packets, 21M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5747  559K DOCKER     all      *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 4111 packets, 428K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 134K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all      *      br-mailcow  ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL
48352 4705K MASQUERADE  all      *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0                
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::6  fd4d:6169:6c63:6f77::6  tcp dpt:443
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::6  fd4d:6169:6c63:6f77::6  tcp dpt:80
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::4  fd4d:6169:6c63:6f77::4  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::4  fd4d:6169:6c63:6f77::4  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::4  fd4d:6169:6c63:6f77::4  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::4  fd4d:6169:6c63:6f77::4  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::4  fd4d:6169:6c63:6f77::4  tcp dpt:110
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::4  fd4d:6169:6c63:6f77::4  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:110
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:443
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:80
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:80
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:443
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::f  fd4d:6169:6c63:6f77::f  tcp dpt:110
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:443
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::e  fd4d:6169:6c63:6f77::e  tcp dpt:80
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::a  fd4d:6169:6c63:6f77::a  tcp dpt:80
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:110
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:993

Chain OUTPUT (policy ACCEPT 34489 packets, 3023K bytes)
 pkts bytes target     prot opt in     out     source               destination         
17280 1382K DOCKER     all      *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all      br-mailcow *       ::/0                 ::/0                
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::6]:443
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::6]:80
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::b]:465
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::b]:587
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::b]:25
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::4]:110
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::4]:143
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::4]:4190
   94  7520 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::4]:993
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::4]:995

Docker-20.10 comes from

deb https://download.docker.com/linux/debian buster stable

And - accidentally - a second, different instance of mailcow now has the same issue.

And the second docker host has a completely different hostname than the hosted mailcow instance on that server. So it isn't the "same hostname" issue.

It's a 20.10 issue. Easy. I will first need to prepare the internal systems, fix mailcows in support and then come back here with a fix.

Ok, that's it - the workaround for now is: do not install docker-ce 20.10. If you installed Docker via Debian package, pin the 19. version

# more /etc/apt/preferences.d/docker 
Package: docker-ce
Pin: version 5:19.*
Pin-Priority: 1001

Package: docker-ce-cli
Pin: version 5:19.*
Pin-Priority: 1001

Sorry - but why did you close the issue?

Actually this is a fix in docker 20.10 (https://github.com/moby/moby/pull/39204) - not an issue - so the behaviour will always be that acme-mailcow cannot resolve the external IP of MAILCOW_HOSTNAME anymore.

Fix https://github.com/mailcow/mailcow-dockerized/commit/1311066089d523957e5906387b852fc12242b2b9 from @andryyy has not resolved the issue.

Forced to make a downgrade to 19 version:

yum downgrade docker-ce

I have a similar problem on my installation this morning, still get errors in the acme logs but no visible error on the panel. @andryyy I wrote you a mail about this this morning :)

EDIT: the last fix seems to work, because I don't get any errors in the acme log and the certs are renewed correctly without error.

Thanks.

It does fix the issue.

I was able to renew the certificates with the fix from https://github.com/mailcow/mailcow-dockerized/commit/1311066089d523957e5906387b852fc12242b2b9 and Docker 20.10 under Linux Debian

  • Stop Mailcow
  • Reinstall Docker 20.10
  • run update.sh of mailcow
  • touch data/assets/ssl/force_renew
  • Start Mailcow

Done.

It also takes a while to request the new certs. Run update.sh, open acme-mailcow logs and follow the party.

Is there also an impact on the EHLO? In a mailq on one server I have messages like this:

host ... refused to talk to me: 421 EHLO MXIN201 Your HELO/EHLO 24883ac15b0e.localdomain is not matching your DNS configuration

You can test this with telnet:

telnet mail.webarch.email 25
Trying 81.95.52.48...
Connected to mail.webarch.email.
Escape character is '^]'.
220 24883ac15b0e.localdomain ESMTP Postcow

QUIT

Please update or add myhostname = my.host.name (your MAILCOW_HOSTNAME) in data/conf/postfix/extra.cf and restart "postfix-mailcow" if you don't want to update right now.

@andryyy if there was some content in .../postfix/extra.cf, does this get overwritten by the update? Or does the new variable get set at the end?

Only existing myhostname values will be removed and the new myhostname put to the first. :)

> Only existing myhostname values will be removed and the new myhostname put to the first. :)

OK thank you, so I am not affected with my changes in this file, thank you :)

Feel free to report back. :)

> Feel free to report back. :)

Just checked and all is correct :)

Hi. I had the same problem and I just updated to the latest version and it's working fine now. Thank you. More about my issue here: https://community.mailcow.email/d/508-ssl-certificate-does-not-include-mailcow-hostname
