Contribution guidelines
Checklist prior issue creation
Description
With the current version 2023-06b the sub-addressing behind a Forwarding Hosts (Proxmox Mail Gateway) with Spam filter disabled is no more working, similar to #7030.
With versions before 2026-* it was working when the header X-Moo-Tag: YES was added on the forwarding host.
Steps to reproduce:
- Send a mail over a forwarding host to
info+test@example.com
- Check mails, is not delivered to sub folder.
Logs:
Which branch are you using?
master (stable)
Which architecture are you using?
x86_64
Operating System:
Debian GNU/Linux 12 (bookworm)
Server/VM specifications:
4 Cores, 16GB
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
KVM (Proxmox VE 9.1.6)
Docker version:
29.2.1
docker-compose version or docker compose version:
v5.0.2
mailcow version:
2026-03b
Reverse proxy:
none
Logs of git diff:
Logs of iptables -L -vn:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7386 4625K MAILCOW 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* mailcow */
4481K 940M DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
4481K 940M DOCKER-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
22 1320 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.12 tcp dpt:443
4 216 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.12 tcp dpt:80
0 0 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:587
10 520 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:465
5 284 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:25
0 0 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:12345
0 0 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:4190
0 0 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:995
0 0 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:993
1 44 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:143
0 0 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:110
0 0 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.6 tcp dpt:3306
0 0 ACCEPT 6 -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.249 tcp dpt:6379
0 0 DROP 0 -- !docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP 0 -- !br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-BRIDGE (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
42 2384 DOCKER 0 -- * br-mailcow 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-CT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3785 4026K ACCEPT 0 -- * br-mailcow 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain DOCKER-FORWARD (1 references)
pkts bytes target prot opt in out source destination
4481K 940M DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
3652K 298M DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0
3652K 298M DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
3572 600K ACCEPT 0 -- br-mailcow * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-INTERNAL (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
Chain MAILCOW (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 6 -- !br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0 /* mailcow isolation */
Logs of ip6tables -L -vn:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
109K 140M MAILCOW 0 -- * * ::/0 ::/0 /* mailcow */
4709K 1711M DOCKER-USER 0 -- * * ::/0 ::/0
4709K 1711M DOCKER-FORWARD 0 -- * * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
327 26160 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::11 tcp dpt:443
0 0 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::11 tcp dpt:80
105 8400 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::10 tcp dpt:587
105 8400 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::10 tcp dpt:465
0 0 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::10 tcp dpt:25
0 0 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:4190
0 0 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:995
125 10000 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:993
178 14240 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:143
0 0 ACCEPT 6 -- !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:110
0 0 DROP 0 -- !docker0 docker0 ::/0 ::/0
0 0 DROP 0 -- !br-mailcow br-mailcow ::/0 ::/0
Chain DOCKER-BRIDGE (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER 0 -- * docker0 ::/0 ::/0
840 67200 DOCKER 0 -- * br-mailcow ::/0 ::/0
Chain DOCKER-CT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * docker0 ::/0 ::/0 ctstate RELATED,ESTABLISHED
72661 128M ACCEPT 0 -- * br-mailcow ::/0 ::/0 ctstate RELATED,ESTABLISHED
Chain DOCKER-FORWARD (1 references)
pkts bytes target prot opt in out source destination
4709K 1711M DOCKER-CT 0 -- * * ::/0 ::/0
2325K 849M DOCKER-INTERNAL 0 -- * * ::/0 ::/0
2325K 849M DOCKER-BRIDGE 0 -- * * ::/0 ::/0
0 0 ACCEPT 0 -- docker0 * ::/0 ::/0
35981 12M ACCEPT 0 -- br-mailcow * ::/0 ::/0
Chain DOCKER-INTERNAL (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
Chain MAILCOW (1 references)
pkts bytes target prot opt in out source destination
Logs of iptables -L -vn -t nat:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
531K 29M DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER 0 -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1492 117K MASQUERADE 0 -- * !br-mailcow 172.22.1.0/24 0.0.0.0/0
0 0 MASQUERADE 0 -- * !docker0 172.17.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT 6 -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:7654 to:172.22.1.249:6379
0 0 DNAT 6 -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:13306 to:172.22.1.6:3306
0 0 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 to:172.22.1.250:110
1 44 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 to:172.22.1.250:143
0 0 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 to:172.22.1.250:993
0 0 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 to:172.22.1.250:995
0 0 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 to:172.22.1.250:4190
0 0 DNAT 6 -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:19991 to:172.22.1.250:12345
5 284 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:172.22.1.253:25
10 520 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 to:172.22.1.253:465
0 0 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 to:172.22.1.253:587
4 216 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.22.1.12:80
24 1448 DNAT 6 -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.22.1.12:443
Logs of ip6tables -L -vn -t nat:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
85499 6876K DOCKER 0 -- * * ::/0 ::/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
62 4960 DOCKER 0 -- * * ::/0 !::1 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
765 74694 MASQUERADE 0 -- * !br-mailcow fd4d:6169:6c63:6f77::/64 ::/0
0 0 MASQUERADE 0 -- * !docker0 fd00:dead:beef:c0::/80 ::/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:110 to:[fd4d:6169:6c63:6f77::b]:110
179 14320 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:143 to:[fd4d:6169:6c63:6f77::b]:143
127 10160 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:993 to:[fd4d:6169:6c63:6f77::b]:993
0 0 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:995 to:[fd4d:6169:6c63:6f77::b]:995
0 0 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::b]:4190
0 0 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:25 to:[fd4d:6169:6c63:6f77::10]:25
107 8560 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:465 to:[fd4d:6169:6c63:6f77::10]:465
106 8480 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:587 to:[fd4d:6169:6c63:6f77::10]:587
0 0 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:80 to:[fd4d:6169:6c63:6f77::11]:80
332 26560 DNAT 6 -- !br-mailcow * !fe80::/10 ::/0 tcp dpt:443 to:[fd4d:6169:6c63:6f77::11]:443
DNS check:
docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254
198.252.206.1
Contribution guidelines
Checklist prior issue creation
Description
With the current version 2023-06b the sub-addressing behind a
Forwarding Hosts(Proxmox Mail Gateway) with Spam filter disabled is no more working, similar to #7030.With versions before
2026-*it was working when the headerX-Moo-Tag: YESwas added on the forwarding host.Steps to reproduce:
info+test@example.comLogs:
Which branch are you using?
master (stable)
Which architecture are you using?
x86_64
Operating System:
Debian GNU/Linux 12 (bookworm)
Server/VM specifications:
4 Cores, 16GB
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
KVM (Proxmox VE 9.1.6)
Docker version:
29.2.1
docker-compose version or docker compose version:
v5.0.2
mailcow version:
2026-03b
Reverse proxy:
none
Logs of git diff:
Logs of iptables -L -vn:
Logs of ip6tables -L -vn:
Logs of iptables -L -vn -t nat:
Logs of ip6tables -L -vn -t nat:
DNS check: