Forbidden 403 NGINX

[Martinwiertz]

Guys,

I request your help. Yesterday my Zimbra server worked normally. Last night the daily backup cycle ran. No updates on Linux or Zimbra.
(Release 10.1.10.INTALIO.20250425.UBUNTU22_64 FOSS edition.)

Today error Forbidden 403 NGINX when starting the webmail. On my laptop browser (Chrome/IE) and also Android phone browser. Tested via wifi, LAN en 5G.
Also via laptop of my son not working and same error.
Via Imap all works OK.
Server several times rebooted.

Troubleshooted today via searching on the forum, google and logfiles. No solution yet.
Via admin webinterface and Show mail of the user I do get a normal webmail page. Mailflow is normal.
Fail2ban service stopped - no change

NGINX.log shows: (only log with an error)
2025/07/31 17:24:58 [error] 107114#0: *864 connect() to [2a02:xxxx:xxxxxxxx]:8443 failed (101: Network is unreachable) while connecting to upstream, client: ::ffff:<home IPv4>, server: www.my.domain, request: "GET / HTTP/2.0", upstream: "https://[2a02:xxxx:xxxxxx]:8443/", host: "www.my.domain"
2025/07/31 17:24:59 [error] 107114#0: *864 connect() to [2a02:xxxxxx]:8443 failed (101: Network is unreachable) while connecting to upstream, client: ::ffff:<home IPv4>, server: www.my.domain, request: "GET / HTTP/2.0", upstream: "https://[2a02:xxxxx]:8443/", host: "www.my.domain"
2025/07/31 17:24:59 [error] 107114#0: *864 connect() to [2a02:xxxxxx]:8443 failed (101: Network is unreachable) while connecting to upstream, client: ::ffff:<home IPv4>, server: www.my.domain, request: "GET /favicon.ico HTTP/2.0", upstream: "https://[2a02:xxxx]:8443/favicon.ico", host: "www.my.domain", referrer: "https://www.my.domain/"

On my host/server I can ping my domain name. All communication is in 1 box.

I am really lost at the moment.

[slacker1337]

It seems your domain is resolved to public IPv6 address (2a02:xxxx..), is this correct and expected? If yes, check the configuration of (IPv6) firewall and network settings, especially if you are able to ping specified IPv6 address.

[Martinwiertz]

Yes, all the right addresses are used. Ping or dig or nslookup works. But somewhere communications is blocked.

Mail.log:
line 1 - postfix/lmtp -- ipv6:7025 - network unreachable
line 2 - retry on ipv4:7025 and it works via relay

Disable firewall or fail2ban does not solve the problem. And the problem appeared last 24hrs. (no update of sort)
I'll keep searching and need a good night sleep.
Thanks for your reply!

[slacker1337]

Is your IPv6 address static or dynamic? Have you checked whether all IPv6 settings match the guidelines here: https://wiki.zimbra.com/wiki/Configuring_for_IP_V6?

I would also recommend checking for any errors in /var/log/zimbra.log and /opt/zimbra/log/mailbox.log during Zimbra startup. Additionally, verify that all Zimbra services are running by using the zmcontrol status command.

If you're unable to resolve the issue, I would temporarily try setting ZimbraIPMode to IPv4.

[Martinwiertz]

Thanks, I restored ipv4 mode 2 days ago. This resolved the webinterface issue.

After a few days searching it looks the internet provider changed something in their router. (consumer fiber connection) I use Zimbra for personal use.
I tried configuring on other machine Ubuntu desktop on IPv6 and this is not working also. internet.nl testsite shows the absence of IPv6. Before all was ok on server.

This article helped also.
https://wiki.zimbra.com/wiki/Configuring_for_IP_V6