
Docker exposing ports madness


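I have several docker containers up and running using docker-compose. Nginx connects to PHP via internal port forwarding on 9000/tcp. PHP connects to mysql via internal forwarding. Nginx is reachable on the public NIC!

Another container running postfix is based on the same base image and is configured/started exactly the same way as the Nginx container, but its ports are not reachable from the Internet.

Both nginx and postfix are exposed in the same manner, so why is postfix not reachable?

nginx (Dockerfile)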

...
EXPOSE 80/tcp 443/tcp
...

postfix (Dockerfile)

...
EXPOSE 25/tcp 465/tcp 587/tcp
...

docker-compose.yml

...nginx
ports:
  - "80:80/tcp"
  - "443:443/tcp"
...
and
...postfix
ports:
  - "25:25/tcp"
  - "465:465/tcp"
  - "587:587/tcp"
...

docker ps -a

CONTAINER ID    IMAGE     COMMAND                  CREATED          STATUS           PORTS                                                             NAMES
550cf81ccfc3    nginx     "nginx -g 'daemon ..."   17 minutes ago   Up 17 minutes    0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp                          nginx
5b1b823c8b75    postfix   "/run.sh"                17 minutes ago   Up 17 minutes    0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp    postfix
f7541058c973    php       "php5-fpm -F"            17 minutes ago   Up 17 minutes    9000/tcp                                                          php
ad1d1db33351    mysql     "/sbin/entrypoint...."   17 minutes ago   Up 17 minutes    3306/tcp                                                          mysql

netstat -a

Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      464/sshd        
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      461/rsyslogd    
tcp6       0      0 :::25                   :::*                    LISTEN      24924/docker-proxy
tcp6       0      0 :::443                  :::*                    LISTEN      24937/docker-proxy
tcp6       0      0 :::514                  :::*                    LISTEN      461/rsyslogd    
tcp6       0      0 :::587                  :::*                    LISTEN      24899/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      24975/docker-proxy
tcp6       0      0 :::465                  :::*                    LISTEN      24912/docker-proxy

iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT

Telnet to all IPs:ports works fine on the docker host.

nmap from outside to the public IP:

25: filtered
80: open
110: filtered (although there is no service running, ~* weird *~)
443: open
465: filtered
587: filtered

uname -a

Linux h2127057 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux

Does anyone know the solution?

1 Answer

  • 0

    A simple server reboot fixed it! So silly. :-(
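
A consistency check that can be run on the outputs quoted in the question, as an added example that is not part of the original post or answer: it compares the ports `docker ps` reports as published with the ACCEPT rules in the DOCKER chain and flags ports with no rule, or one container whose rules point at different addresses (as the quoted rules do for postfix: 587 goes to 172.17.0.4, 25 and 465 to 172.17.0.6). The function names are hypothetical, and the check assumes each container has a single address on docker0.

```python
import re
from collections import defaultdict

# Constructed sample input: NAMES -> PORTS from the `docker ps` output and the
# DOCKER-chain rules from the `iptables -S` output quoted in the question.
DOCKER_PS = {
    "nginx": "0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp",
    "postfix": "0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp",
    "php": "9000/tcp",
    "mysql": "3306/tcp",
}
IPTABLES_S = """\
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
"""

PUBLISHED = re.compile(r"(\d+)->(\d+)/(tcp|udp)")
RULE = re.compile(r"^-A DOCKER -d (\S+?)/32 .*-p (\w+) .*--dport (\d+) -j ACCEPT$", re.M)

def published_ports(ports_column):
    """Return {(proto, container_port)}; the DOCKER chain matches the post-DNAT port."""
    return {(m.group(3), int(m.group(2))) for m in PUBLISHED.finditer(ports_column)}

def rule_targets(iptables_s):
    """Map (proto, dport) -> set of destination IPs accepted in the DOCKER chain."""
    targets = defaultdict(set)
    for m in RULE.finditer(iptables_s):
        targets[(m.group(2), int(m.group(3)))].add(m.group(1))
    return targets

def audit(docker_ps, iptables_s):
    """Return {container: [findings]} for published ports with missing or split rules."""
    targets = rule_targets(iptables_s)
    report = {}
    for name, column in docker_ps.items():
        findings, ips = [], set()
        for key in sorted(published_ports(column)):
            if key not in targets:
                findings.append(f"{key[1]}/{key[0]}: no ACCEPT rule in DOCKER chain")
            ips |= targets.get(key, set())
        if len(ips) > 1:  # assumption: one docker0 address per container
            findings.append("rules point at several addresses: " + ", ".join(sorted(ips)))
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__": print(audit(DOCKER_PS, IPTABLES_S))
```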
