
Cannot Receive e-mail & various issues mx host domain.tld does not match enforced mta-sts policy with hosts mail.domain.tld #261

Open
LordPraslea opened this issue Dec 10, 2024 · 3 comments


Hi There

I just installed and configured mox on a VPS hosted at Linode for the domain subl.im. After fiddling around I managed to set up most DNS records and migrated from the OLD mailserver. DNSSEC is not available on Linode, so that keeps giving errors.

I can send emails and it does get into spam in yahoo, and gmail.

However, I cannot seem to be able to RECEIVE any form of EMAIL.

When I send from the subl.im domain to myself (alias) I get the following "error" and it's retried/requeued at infinity (queue entry as shown in the admin interface):

	mx host subl.im does not match enforced mta-sts policy with hosts mail.subl.im   (default)
	5/5   13mins 28s ago   andrei   [email protected]   [email protected]   2 kb   2   8mins 57s   5mins 56s ago   mx host subl.im does not match enforced mta-sts policy with hosts 172-232-47-121.ip.linodeusercontent.com

I managed to go from the 172-232-47-121.ip.linodeusercontent.com error to mail.subl.im by simply renaming the mtasts.db.

	./mox mtasts lookup subl.im
	DNS TXT record _mta-sts.subl.im: v=STSv1; id=20241209T143105

	policy at https://mta-sts.subl.im/.well-known/mta-sts.txt:
	version: STSv1
	mode: enforce
	max_age: 86400
	mx: mail.subl.im

Don't know what you might require to debug this, let me know which files I should copy/paste for debugging purposes.

I did have other issues which I think (hope) I managed to solve; there seem to be some weird errors on
http://localhost:8080/admin/#domains/subl.im/dnscheck

Such as a REVERSE IP which has nothing to do with the mail.subl.im domain. Granted, the subl.im domain, plus other subdomains, are hosted on other VPSes, but this VPS only has the mail system.
Should I have a domain with 0 subdomains/domains? I don't think this would matter too much.

None of the IPs that mx "mail.subl.im." points to is ours: [2600:3c07::f03c:95ff:fe26:60af 139.162.131.xxx]

Questions

Would it provide issues if I don't have DNSSEC and keep using Linode's DNS? My previous mail provider did not have such a high success rate on the DNS verifications either, but it worked flawlessly.
Do you know any good Golang-based DNS server which is low overhead and easy to configure?

Ensure a DNS CNAME record like the following exists:

	mail.subl.im. CNAME mail.subl.im.

Seems redundant, as I already have mail.subl.im set up as A/AAAA, and of course adding a CNAME won't work.

Thanks for the great work, love how much easier it was to set up than the old-style servers.


LordPraslea commented Dec 10, 2024

I eventually made some more changes to DNS/settings and found the solution for receiving emails.
It seemed I had MX for mytld.im and used the subdomain feature for mail.mytld.im and it needed to be directly on mail.mytld.im (DNS weirdness from the provider)

Plus in mox.conf I needed to add the IPv6 address to the list of IPs allowed to validate SPF (and avoid one of the extra warnings thrown by the mox webserver).

Again, I'm simply amazed by the features packed into 1 single binary. Thanks for building this. :)


mjl- commented Dec 11, 2024

Hi @LordPraslea, thanks for reporting.

> I managed to go from the 172-232-47-121.ip.linodeusercontent.com error to mail.subl.im by simply renaming the mtasts.db

mta-sts works by fetching a policy for a domain, and checking it for future
connections. There's a good chance it found and stored an earlier policy with
a different mx name? After changing the MX hostname, a new MTA-STS policy is
created, but it needs to be propagated through DNS through an updated policy
id in the _mta-sts TXT record. Anyway, moving the mtasts.db file away is a
nice and simple way to work around this. (:

> Would it provide issues if I don't have DNSSEC and keep using linode's DNS?

This is about not having the records of your domain DNSSEC-signed right? In
that case, email sending/receiving should work fine. Many domains don't have
DNSSEC yet, for various reasons (one being that dns operators don't/badly
implement it). Of course, DNSSEC does add protection for secure mail delivery
to your domain that no other security mechanism provides.
For resolving with DNSSEC-verification, you may already have set that up, but
you can always do that yourself.

> Do you know any good GOlang based DNS Server which is low overhead and easy to configure?

There is CoreDNS. I think it's popular in the kubernetes world. I haven't
used it and don't know if it's good for running your own authoritative dns
server. I don't know of any DNSSEC-verifying Go-based recursive resolver (I'm
using unbound).
For authoritative name servers, I'm currently using bind, it automatically
manages DNSSEC signing of zones. But I should really look into knot, it seems
quite good.

> Ensure a DNS CNAME record like the following exists:
> mail.subl.im. CNAME mail.subl.im.
>
> Seems redundant as I already have mail.subl.im setup as A/AAAA and of course adding a cname won't work..

Indeed, that record should not be shown in this situation. There is a check
that should prevent it, see
https://github.com/mjl-/mox/blob/v0.0.13/mox-/admin.go#L915. It would
misfire if the "Hostname:" field in mox.conf wasn't set to mail.subl.im.
May that have been the case?
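The caching behaviour mjl- describes (a sender stores the policy it fetched and keeps using it until the `_mta-sts` TXT record announces a new id, or the cache is removed), together with the `mox mtasts lookup` output in the original post, as an added example written for this page; it is not mox's code. It parses the TXT record and the policy file in the formats shown above, implements RFC 8461 MX matching, and replays the issue's scenario with constructed data: the `dns_txt` and `fetch_policy` callables stand in for real DNS and HTTPS lookups, the first policy id is the one from the report, and the old policy body and the second id are made up.

```python
import time


def parse_sts_txt(txt):
    """Parse a "_mta-sts.<domain>" TXT record ("v=STSv1; id=...") or return None."""
    parts = (p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    fields = {k.strip(): v.strip() for k, v in parts}
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields


def parse_policy(text):
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not key:
            continue
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy


def mx_matches(mx_host, patterns):
    """RFC 8461 MX matching: exact hostname, or "*.example" covering exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.subl.im" -> ".subl.im"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False


class MtaStsClient:
    """Sending-side policy cache, the role mox's mtasts.db plays."""

    def __init__(self, dns_txt, fetch_policy, now=time.time):
        self.dns_txt = dns_txt            # hypothetical resolver: domain -> TXT string or None
        self.fetch_policy = fetch_policy  # hypothetical HTTPS fetch: domain -> policy text
        self.now = now
        self.cache = {}                   # domain -> (policy id, policy, expiry timestamp)

    def policy_for(self, domain):
        record = self.dns_txt(domain)
        txt = parse_sts_txt(record) if record else None
        cached = self.cache.get(domain)
        if cached and cached[2] > self.now():
            # An unexpired cached policy is reused until the TXT id changes;
            # a DNS lookup failure also keeps the cached copy in use.
            if txt is None or txt["id"] == cached[0]:
                return cached[1], "cache"
        if txt is None:
            return None, "no policy"
        policy = parse_policy(self.fetch_policy(domain))
        self.cache[domain] = (txt["id"], policy, self.now() + policy["max_age"])
        return policy, "fetched"

    def check_mx(self, domain, mx_host):
        """Return (deliverable, reason) for a connection to mx_host on behalf of domain."""
        policy, source = self.policy_for(domain)
        if policy is None or policy["mode"] == "none" or mx_matches(mx_host, policy["mx"]):
            return True, source
        reason = "mx host %s does not match mta-sts policy (mode %s) with hosts %s" % (
            mx_host, policy["mode"], " ".join(policy["mx"]))
        return policy["mode"] != "enforce", reason  # testing mode only reports, enforce blocks


def simulate():
    """Replay the issue with constructed DNS and policy data (no real lookups)."""
    txt = {"_mta-sts.subl.im": "v=STSv1; id=20241209T143105"}  # id as shown in the report
    policy = {"subl.im": "version: STSv1\nmode: enforce\nmax_age: 86400\n"
                         "mx: 172-232-47-121.ip.linodeusercontent.com\n"}  # constructed old policy
    client = MtaStsClient(lambda d: txt.get("_mta-sts." + d), lambda d: policy[d])
    results = []
    # 1. first delivery attempt: the old policy is fetched and cached
    results.append(client.check_mx("subl.im", "mail.subl.im"))
    # 2. the policy file is fixed but the TXT id is not bumped: the cache keeps winning
    policy["subl.im"] = "version: STSv1\nmode: enforce\nmax_age: 86400\nmx: mail.subl.im\n"
    results.append(client.check_mx("subl.im", "mail.subl.im"))
    # 3. a new id is published (constructed value): the sender refetches and the MX matches
    txt["_mta-sts.subl.im"] = "v=STSv1; id=20241210T090000"
    results.append(client.check_mx("subl.im", "mail.subl.im"))
    return results
```

Step 2 is the state the reporter was in: `mox mtasts lookup` shows what DNS and HTTPS serve right now, not what the sending side has cached, so the lookup looked correct while deliveries still failed. Renaming mtasts.db corresponds to `client.cache.clear()` and has the same effect as step 3; publishing a new id is the way to get every remote sender, not just your own, to refetch. A real client additionally validates the HTTPS certificate when fetching the policy and, in enforce mode, requires a TLS connection to the MX with a certificate matching its name; both are left out here.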

@risturiz

> Plus in mox.conf I needed to add the IPV6 address to the list of IP's allowed to validate SPF (and avoid one of the extra warnings thrown by the mox webserver)

Sorry to hijack this... But where do you add the IPv6 in the mox config? I think I have the same SPF warning... Thanks!
