Sub-Addressing behind forwarding host no more working

### Contribution guidelines

- [x] I've read the [contribution guidelines](https://github.com/mailcow/mailcow-dockerized/blob/master/CONTRIBUTING.md) and wholeheartedly agree

### Checklist prior issue creation

- [x] I understand that failure to follow below instructions may cause this issue to be closed.
- [x] I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
- [x] I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
- [x] I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
- [x] I confirm that I have reviewed previous [issues](https://github.com/mailcow/mailcow-dockerized/issues) to ensure this matter has not already been addressed.
- [x] I confirm that my environment meets all [prerequisite requirements](https://docs.mailcow.email/getstarted/prerequisite-system/) as specified in the official documentation.

### Description

With the current version 2023-06b the sub-addressing behind a `Forwarding Hosts` (Proxmox Mail Gateway) with Spam filter disabled is no more working, similar to #7030.

With versions before `2026-*` it was working when the header `X-Moo-Tag: YES` was added on the forwarding host.



### Steps to reproduce:

1. Send a mail over a forwarding host to `info+test@example.com`
2. Check mails, is not delivered to sub folder.

### Logs:

```plain text
No relevant logs found
```

### Which branch are you using?

master (stable)

### Which architecture are you using?

x86_64

### Operating System:

Debian GNU/Linux 12 (bookworm)

### Server/VM specifications:

4 Cores, 16GB

### Is Apparmor, SELinux or similar active?

no

### Virtualization technology:

KVM (Proxmox VE 9.1.6)

### Docker version:

29.2.1

### docker-compose version or docker compose version:

v5.0.2

### mailcow version:

2026-03b

### Reverse proxy:

none

### Logs of git diff:

```plain text

```

### Logs of iptables -L -vn:

```plain text
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7386 4625K MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
4481K  940M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
4481K  940M DOCKER-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   22  1320 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:443
    4   216 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:80
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
   10   520 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    5   284 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    1    44 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:3306
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 DROP       0    --  !docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-BRIDGE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
   42  2384 DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-CT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 3785 4026K ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
4481K  940M DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3652K  298M DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3652K  298M DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
 3572  600K ACCEPT     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-INTERNAL (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */
```

### Logs of ip6tables -L -vn:

```plain text
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 109K  140M MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
4709K 1711M DOCKER-USER  0    --  *      *       ::/0                 ::/0                
4709K 1711M DOCKER-FORWARD  0    --  *      *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  327 26160 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::11  tcp dpt:443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::11  tcp dpt:80
  105  8400 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:587
  105  8400 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:25
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
  125 10000 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
  178 14240 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 DROP       0    --  !docker0 docker0  ::/0                 ::/0                
    0     0 DROP       0    --  !br-mailcow br-mailcow  ::/0                 ::/0                

Chain DOCKER-BRIDGE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      docker0  ::/0                 ::/0                
  840 67200 DOCKER     0    --  *      br-mailcow  ::/0                 ::/0                

Chain DOCKER-CT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
72661  128M ACCEPT     0    --  *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
4709K 1711M DOCKER-CT  0    --  *      *       ::/0                 ::/0                
2325K  849M DOCKER-INTERNAL  0    --  *      *       ::/0                 ::/0                
2325K  849M DOCKER-BRIDGE  0    --  *      *       ::/0                 ::/0                
    0     0 ACCEPT     0    --  docker0 *       ::/0                 ::/0                
35981   12M ACCEPT     0    --  br-mailcow *       ::/0                 ::/0                

Chain DOCKER-INTERNAL (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination
```

### Logs of iptables -L -vn -t nat:

```plain text
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 531K   29M DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1492  117K MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.6:3306
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    1    44 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    5   284 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
   10   520 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    4   216 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.12:80
   24  1448 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.12:443
```

### Logs of ip6tables -L -vn -t nat:

```plain text
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
85499 6876K DOCKER     0    --  *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   62  4960 DOCKER     0    --  *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  765 74694 MASQUERADE  0    --  *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0                
    0     0 MASQUERADE  0    --  *      !docker0  fd00:dead:beef:c0::/80  ::/0                

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::b]:110
  179 14320 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::b]:143
  127 10160 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::b]:993
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::b]:995
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::b]:4190
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::10]:25
  107  8560 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::10]:465
  106  8480 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::10]:587
    0     0 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::11]:80
  332 26560 DNAT       6    --  !br-mailcow *      !fe80::/10            ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::11]:443
```

### DNS check:

```plain text
docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254
198.252.206.1
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sub-Addressing behind forwarding host no more working #7179

Contribution guidelines

Checklist prior issue creation

Description

Steps to reproduce:

Logs:

Which branch are you using?

Which architecture are you using?

Operating System:

Server/VM specifications:

Is Apparmor, SELinux or similar active?

Virtualization technology:

Docker version:

docker-compose version or docker compose version:

mailcow version:

Reverse proxy:

Logs of git diff:

Logs of iptables -L -vn:

Logs of ip6tables -L -vn:

Logs of iptables -L -vn -t nat:

Logs of ip6tables -L -vn -t nat:

DNS check:

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Sub-Addressing behind forwarding host no more working #7179

Description

Contribution guidelines

Checklist prior issue creation

Description

Steps to reproduce:

Logs:

Which branch are you using?

Which architecture are you using?

Operating System:

Server/VM specifications:

Is Apparmor, SELinux or similar active?

Virtualization technology:

Docker version:

docker-compose version or docker compose version:

mailcow version:

Reverse proxy:

Logs of git diff:

Logs of iptables -L -vn:

Logs of ip6tables -L -vn:

Logs of iptables -L -vn -t nat:

Logs of ip6tables -L -vn -t nat:

DNS check:

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions