Mail-in-a-box with Let's Encrypt, my own DNS

I have enjoyed learning my own Internet infrastructure systems, from sendmail->courier->all sorts of roll-your-own, and have finally settled on a nice ready-made VM called Mail-in-a-Box. It’s great for hosting 3-5 of my own domains for all the fancy features like imap/calendar/owncloud, and such. It now has Let’s Encrypt functionality; however, I do not use its built-in DNS. I run my own nameservers using Bind on a pair of Raspberry Pis, just cause I can.

This seems to have presented me with Let’s Encrypt integration issues, that I believe are readily solvable so that I can participate in the community in an auto-recert fashion as intended by let’s encrypt. I thought I would ask the community if anyone is using Mail-In-A-Box already, without using the VM as your DNS server? (Alas, the Mail-in-a-box forums have not been very helpful, though I am still trying)

I was hoping this would be a matter of getting assistance with what my DNS needs to look like so that Let’s Encrypt can validate me, but I am betting the Mail-In-A-Box configuration might be getting in the way because it believes it can tweak and change DNS how it sees fit for each domain it hosts…

But since I DO have admin rights to the Ubuntu load under the hood, maybe I can get automation anyway? :smiley:

hi @Nellson

as Let's Encrypt is a public CA it uses the wider internet DNS to resolve hostnames

from what i am gathering you are running your own DNS servers? Are they internet accessible?

so the first challenge is - what is your domain name ?

this will let us know if it is resolvable with clients such as certbot, getssl or any of the other clients

Andrei

Yes! I use Comcast business class cable and I have 8 static IPs at home. Both of my Raspberry Pi DNS servers have dedicated static IPs that NAT to my internal network. The Mail-in-a-Box server has a static NAT as well, but just for the ports required.

When I look at the TLS status page for Mail-in-a-Box it is always upset that when it checks itself my domains resolve to the internal IP address. So it will not use its integrated Let’s Encrypt client.

If I tell the Mail-in-a-Box DNS service to use my external IPs then it can no longer reach itself, because it’s popping out to my firewall and trying to come back in. It actually makes me wonder whether Mail-in-a-Box actually understands how NAT is supposed to work.

My internal DNS and external DNS run the same instance of Bind in a split “views” configuration such that internal IPs get internal answers and external IPs get external answers for the same request.

If I could get some assistance in creating my DNS records properly so that Let’s Encrypt could validate me, I think I can also run the Let’s Encrypt software agent to do the renewal. It might mean that the Mail-in-a-Box software is always in a state of broken as far as that’s concerned, but if the certs get put where they’re supposed to go, hopefully my iPhone client will respect the cert and I can read my mail again.

Was there anyone using Mail-in-a-Box with Let’s Encrypt that has this working? Or someone that could give me an example of how I might rework my DNS entry for mail.nickellson.com to allow me to run the Ubuntu agent under the hood?

I don’t believe your DNS Name Servers are available on the public internet.

without them responding to DNS queries no one can reach your servers

Andrei

I’m not sure what tool you used, but it failed.

I used icann.org and it’s working fine. Shows both dns01.nickellson.com & dns02.nickellson.com

One of my pi’s is offline, I’ll get that fixed, but it’s all working.

Nick

Nick Ellson - from iPhone (forgive typos)
CCIE #20018; VCIX-NV, CNSE
Network Hobbyist
"Educating Layer 8, one user at a time."

Hi Nick

https://dns.google.com/query?name=nickellson.com&type=A&dnssec=true

looks like you are correct - DNS Name servers are there but not responding to queries

Andrei

Online tools see it just fine…

[50.196.4.113] returned an authoritative response in 63 ms:

Answer records (name, class, type, data, time to live):
mail.nickellson.com  IN  A  50.196.4.116  86400s (1d)

Authority records (name, class, type, data, time to live):
nickellson.com  IN  NS  dns02.nickellson.com  86400s (1d)
nickellson.com  IN  NS  dns01.nickellson.com  86400s (1d)

Additional records (name, class, type, data, time to live):
dns01.nickellson.com  IN  A  50.196.4.113  86400s (1d)
dns02.nickellson.com  IN  A  50.196.4.114  86400s (1d)

-- end --

You do realize that the mail that I’m sending to you is coming from one of my own domains that would not work if your mail server could not find my domain?

From one of my domains, you will be able to reply to me without issue.
Nick

Ahhhh. I do see a typo in the registrar that has existed for a while now… dns01.nickellson.com shows 50.169.4.113 and should be 50.196.4.113. My other domains are registered correctly (n7cky.com & theresaellson.com)

.113 is online, but .114 lost its SD card, I’ll have it back up tonight. Hey, thanks for finding that one…

Nick

Andrei found two problems in my DNS that I have repaired. dns01.nickellson.com was registered with the wrong IP (typo), and dns02.nickellson.com had failed (bad media in my Raspberry Pi).

I have fixed both issues :smiley:
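The two faults Andrei turned up (a registrar glue record pointing at the wrong address, and a nameserver that was simply not answering) are exactly the things a delegation consistency check catches before an ACME validation ever runs. The script below is an added example, not code from the thread or from Mail-in-a-Box or any Let's Encrypt client: it compares what the parent zone publishes (NS names plus glue A records) with what the zone's own servers answer, and flags any listed address that does not respond authoritatively. The data in `run_example()` is constructed from the values given in this thread (the 50.169.4.113 typo, 50.196.4.113, 50.196.4.114), and the probe is injected so the check runs offline; `udp_probe` is a minimal real probe over port 53 (SOA query, checks the AA bit) for use against live servers.

```python
"""Delegation consistency check: registrar glue vs. zone answers vs. reachability.
Added example; all sample data below is constructed from values quoted in the thread."""
import random
import socket
import struct
from dataclasses import dataclass


@dataclass
class Delegation:
    zone: str
    ns_names: set          # NS names the parent zone lists for this zone
    glue: dict             # NS name -> set of glue IPs published at the parent


@dataclass
class Finding:
    severity: str          # 'error' or 'warning'
    nameserver: str
    message: str


def check_delegation(delegation, zone_answer, probe):
    """zone_answer: {'ns': set of NS names, 'a': {name: set of IPs}} as served by the
    zone's own nameservers. probe(ip) -> True if that IP answers authoritatively."""
    findings = []
    # 1. The NS set at the parent and in the zone must agree.
    for name in sorted(delegation.ns_names ^ zone_answer['ns']):
        where = 'parent' if name in delegation.ns_names else 'zone'
        findings.append(Finding('error', name, f'NS {name} listed only in {where}'))
    # 2. For each agreed NS, glue must match the zone's A record, and every
    #    address anyone might be told to use must actually answer.
    for name in sorted(delegation.ns_names & zone_answer['ns']):
        glue_ips = delegation.glue.get(name, set())
        zone_ips = zone_answer['a'].get(name, set())
        if not glue_ips:
            findings.append(Finding('error', name, 'no glue A record at the parent'))
        elif glue_ips != zone_ips:
            findings.append(Finding('error', name,
                f'glue {sorted(glue_ips)} differs from zone A {sorted(zone_ips)}'))
        for ip in sorted(glue_ips | zone_ips):
            if not probe(ip):
                findings.append(Finding('warning', name, f'{ip} does not answer DNS queries'))
    return findings


def build_query(name, qtype=6):
    """Minimal DNS wire-format query (RD=0), default QTYPE 6 = SOA, class IN."""
    qid = random.randrange(65536)
    header = struct.pack('!HHHHHH', qid, 0, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip('.').split('.')) + b'\x00'
    return qid, header + qname + struct.pack('!HH', qtype, 1)


def udp_probe(ip, zone, timeout=2.0):
    """Real probe for live use: True only if `ip` answers a SOA query for `zone`
    with the AA (authoritative answer) bit set and RCODE 0."""
    qid, packet = build_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (ip, 53))
            data, _ = sock.recvfrom(512)
        except OSError:
            return False
    if len(data) < 12:
        return False
    rid, flags = struct.unpack('!HH', data[:4])
    return rid == qid and bool(flags & 0x0400) and (flags & 0x000F) == 0


def run_example():
    """Constructed scenario matching the thread: glue typo on dns01, dns02 offline."""
    parent = Delegation(
        zone='nickellson.com',
        ns_names={'dns01.nickellson.com', 'dns02.nickellson.com'},
        glue={'dns01.nickellson.com': {'50.169.4.113'},   # registrar typo
              'dns02.nickellson.com': {'50.196.4.114'}},
    )
    zone = {'ns': {'dns01.nickellson.com', 'dns02.nickellson.com'},
            'a': {'dns01.nickellson.com': {'50.196.4.113'},
                  'dns02.nickellson.com': {'50.196.4.114'}}}
    reachable = {'50.196.4.113'}                          # only dns01's real IP answers
    return check_delegation(parent, zone, lambda ip: ip in reachable)


if __name__ == '__main__':
    for f in run_example():
        print(f'{f.severity:8} {f.nameserver}: {f.message}')
```

Run it as-is to see the constructed scenario; for a live check, pass `lambda ip: udp_probe(ip, 'example.com')` as the probe and fill `Delegation` from the parent zone's NS/glue answers and `zone_answer` from the zone's own servers. Querying the parent and the child separately is the point: a resolver that already caches the correct answer will hide a glue typo that a fresh ACME validation, starting from the root, will hit.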

goodo

:smiley: good luck with the certificate issuing :smiley:

Alas, the mail-in-a-box appliance still fails its own DNS self checks which prevent its Let’s Encrypt interface from functioning. Still not hearing much from the mail-in-a-box community.

But since I have root access to the appliance, and it’s Ubuntu… I ought to be able to do it on my own and still be automated, yes?

Nick Ellson - from iPhone (forgive typos)
CCIE #20018; VCIX-NV, CNSE
Network Hobbyist
"Educating Layer 8, one user at a time."

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.