1 (edited by LuizC 2020-06-10 02:26:46)

Topic: DNS Config

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.2.1
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Friends,

I followed the instructions in
https://docs.iredmail.org/setup.dns.html
to configure my DNS but my server can't be found.

Can anyone check my DNS config and give me a clue?

Thanks!


2

Re: DNS Config

As far as I can tell your name server is correctly resolving your names, what specifically is not resolving?

nslookup mail.botboutique.com.br ns1.locaweb.com.br
Server:  UnKnown
Address:  186.202.8.254
Name:    mail.botboutique.com.br
Address:  191.252.103.63

3 (edited by LuizC 2020-06-10 02:59:17)

Re: DNS Config

MuPp3t33r wrote:

As far as I can tell your name server is correctly resolving your names, what specifically is not resolving?

nslookup mail.botboutique.com.br ns1.locaweb.com.br
Server:  UnKnown
Address:  186.202.8.254
Name:    mail.botboutique.com.br
Address:  191.252.103.63

Hi MuPp3t33r!

When I try to go to
https://mail.botboutique.com.br
it returns a "page not found" error.

And when I try to install an SSL certificate from Let's Encrypt using
certbot certonly --webroot --dry-run -w /var/www/botboutique.com.br/html -d mail.botboutique.com.br
the console returns:


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.botboutique.com.br
Using the webroot path /var/www/botboutique.com.br/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mail.botboutique.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.botboutique.com.br/.well-kn … dkQc90BZfs [191.252.103.63]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: mail.botboutique.com.br
   Type:   unauthorized
   Detail: Invalid response from
   http://mail.botboutique.com.br/.well-kn … dkQc90BZfs
   [191.252.103.63]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

==========================================

Any suggestion?

Thanks for your support!

4 (edited by MuPp3t33r 2020-06-10 05:24:58)

Re: DNS Config

From what I understand your nginx is not serving the webroot verification correctly, hence the 404 response (doesn't exist). Personally I didn't find the webroot method to be a very easy-to-use option. I like to use Cloudflare to manage my DNS records; one of its great features is a free API that allows certbot to directly validate your domain name in DNS.

If you want to try it, sign up at dash.cloudflare.com and add your domain, change your name servers at your registrar to the ones provided by CF. Going forward you will no longer manage your DNS where you did before, now it's on CloudFlare.

To link to the API you'll need to install the certbot and python3-certbot-dns-cloudflare packages,
then create a file with the following contents

nano /etc/letsencrypt/cloudflare.passwd
Contents:

dns_cloudflare_email = youremail@domain.tld
dns_cloudflare_api_key = yourapikeygoeshere

chmod 600 /etc/letsencrypt/cloudflare.passwd
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.passwd -d yourdomain.tld -d *.yourdomain.tld

Now you have a root and wildcard certificate in one :-)

By the way you should set up your reverse PTR to match your FQDN, you'll do that with your hosting/VPS provider

5

Re: DNS Config

MuPp3t33r wrote:

From what I understand your nginx is not serving the webroot verification correctly, hence the 404 response (doesn't exist). Personally I didn't find the webroot method to be a very easy-to-use option. I like to use Cloudflare to manage my DNS records; one of its great features is a free API that allows certbot to directly validate your domain name in DNS.

If you want to try it, sign up at dash.cloudflare.com and add your domain, change your name servers at your registrar to the ones provided by CF. Going forward you will no longer manage your DNS where you did before, now it's on CloudFlare.

To link to the API you'll need to install the certbot and python3-certbot-dns-cloudflare packages,
then create a file with the following contents

nano /etc/letsencrypt/cloudflare.passwd
Contents:

dns_cloudflare_email = youremail@domain.tld
dns_cloudflare_api_key = yourapikeygoeshere

chmod 600 /etc/letsencrypt/cloudflare.passwd
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.passwd -d yourdomain.tld -d *.yourdomain.tld

Now you have a root and wildcard certificate in one :-)

By the way you should set up your reverse PTR to match your FQDN, you'll do that with your hosting/VPS provider

WOW, that's a lot to process but it seems pretty objective. I'm gonna do what you suggest and I'll come back to tell you the results. Stay tuned :-)

Once again, thank you very much.

6

Re: DNS Config

LuizC wrote:
MuPp3t33r wrote:

From what I understand your nginx is not serving the webroot verification correctly, hence the 404 response (doesn't exist). Personally I didn't find the webroot method to be a very easy-to-use option. I like to use Cloudflare to manage my DNS records; one of its great features is a free API that allows certbot to directly validate your domain name in DNS.

If you want to try it, sign up at dash.cloudflare.com and add your domain, change your name servers at your registrar to the ones provided by CF. Going forward you will no longer manage your DNS where you did before, now it's on CloudFlare.

To link to the API you'll need to install the certbot and python3-certbot-dns-cloudflare packages,
then create a file with the following contents

nano /etc/letsencrypt/cloudflare.passwd
Contents:

dns_cloudflare_email = youremail@domain.tld
dns_cloudflare_api_key = yourapikeygoeshere

chmod 600 /etc/letsencrypt/cloudflare.passwd
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.passwd -d yourdomain.tld -d *.yourdomain.tld

Now you have a root and wildcard certificate in one :-)

By the way you should set up your reverse PTR to match your FQDN, you'll do that with your hosting/VPS provider


After doing everything step by step, I get this message:

deploy@botboutique:~# certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.passwd -d botboutique.com.br -d *.botboutique.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for botboutique.com.br
dns-01 challenge for botboutique.com.br
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/botboutique.com.br/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/botboutique.com.br/privkey.pem
   Your cert will expire on 2020-09-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
- If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

====================================================================

At first glance, it seems that everything runs ok, but I still can't access mail.botboutique.com.br, botboutique.com.br/mail/ or botboutique.com.br/iredadmin, over HTTP or HTTPS.

Rough times, trying to install and run iRedMail :-(

Can you give me another suggestion, MuPp3t33r?

Thanks a lot!

7

Re: DNS Config

By the way, there is my CloudFlare DNS config :-)

The record above the MX record is a CNAME (just for the record)


8 (edited by MuPp3t33r 2020-06-10 16:35:51)

Re: DNS Config

Well it looks like you have your certificate issued successfully! :-)
Did you change your nginx config files when you were trying to do the webroot method?
You might need to revert whatever changes you made there, since we're still getting 404 errors, which means the data was not found on your server

Have you linked your Let's Encrypt certificate to the default iRedMail cert path? And of course restart services.
https://docs.iredmail.org/letsencrypt.h … mbol-links
Although, Cloudflare also has you covered with their own SSL cert now :-)

By the way, your SPF record is incomplete, you need to specify which hosts are allowed to send mail for your domain.
You could perhaps use a record like this:
v=spf1 a mx ip4:191.252.103.63 ~all

~all means softfail (accept message but tag it as fail) or if you want strict SPF you can place -all

Oh yes, and one more thing about Cloudflare DNS, regarding the "proxied" status: as this only does HTTPS proxying, not SMTP, you might have delivery issues. If you want to use the proxy then you should create a separate unproxied A/CNAME record to your origin server IP, and set your MX to point to the unproxied host.

E.g.: create an A record named "mx" pointing to 191.252.103.63,
      then update the MX record to point to mx.botboutique.com.br

The proxying is entirely optional though, you can get by fine without it, although it does have some nice features so no harm in using it (I do, and love it)

As an example, here's roughly how I have mine set up, in the screenshot.

EDIT: Your DNS setup won't be exactly the same as mine, as I use a reverse proxy on-premises which handles the splitting of my web servers, mail servers and others behind the same public IP (in total I run more than 10 web servers at the same location, so can't use simple port forwarding...
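As an added example (not code from this thread or from iRedMail), here is a small checker for the two DNS points raised in this post and earlier, the SPF record with its ~all/-all qualifier and the reverse PTR matching the server FQDN. It runs against constructed resolver answers: the IP and hostnames are the ones from the thread, the PTR answer mirrors the provider VPS name mentioned later in the thread, and `ZONE`, `lookup` and the function names are my own.

```python
import ipaddress

# Constructed DNS answers standing in for a live resolver (no real queries).
# IP and hostnames are the ones from this thread; the PTR answer mirrors the
# provider VPS name that the reverse DNS still carries at this point.
ZONE = {
    ("botboutique.com.br", "TXT"): ["v=spf1 a mx ip4:191.252.103.63 ~all"],
    ("botboutique.com.br", "A"): ["191.252.103.63"],
    ("botboutique.com.br", "MX"): ["mx.botboutique.com.br"],
    ("mx.botboutique.com.br", "A"): ["191.252.103.63"],
    ("mail.botboutique.com.br", "A"): ["191.252.103.63"],
    ("63.103.252.191.in-addr.arpa", "PTR"): ["vps18569.publiccloud.com.br"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, answers=ZONE):
    """Stand-in for a DNS query; an empty list means no data or NXDOMAIN."""
    return answers.get((name.lower().rstrip("."), rtype), [])


def spf_check(domain, sender_ip, answers=ZONE):
    """Evaluate the domain's SPF record for sender_ip. Covers the mechanisms
    used in this thread (a, mx, ip4/ip6, all); include/redirect/exists are
    out of scope here and yield permerror like any unknown mechanism."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT", answers)
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # RFC 7208: several SPF records is an error
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":   # sender IP is an A record of the domain (or arg)
            matched = str(ip) in lookup(arg or domain, "A", answers)
        elif name == "mx":  # sender IP is an A record of one of the MX hosts
            matched = any(str(ip) in lookup(mx, "A", answers)
                          for mx in lookup(arg or domain, "MX", answers))
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]  # "~all" softfail, "-all" fail
    return "neutral"  # nothing matched and no 'all' term


def reverse_dns_matches(ip, helo_name, answers=ZONE):
    """Forward-confirmed reverse DNS: the PTR for ip must name the HELO host
    and that host must resolve back to ip. A provider VPS name in the PTR is
    the mismatch that gets outgoing mail scored as spam."""
    addr = ipaddress.ip_address(ip)
    ptr_names = [n.lower() for n in lookup(addr.reverse_pointer, "PTR", answers)]
    if helo_name.lower() not in ptr_names:
        return False
    return str(addr) in lookup(helo_name, "A", answers)
```

With the thread's record, `spf_check("botboutique.com.br", "191.252.103.63")` returns "pass" and an unrelated IP returns "softfail", while `reverse_dns_matches("191.252.103.63", "mail.botboutique.com.br")` is False until the PTR is changed at the VPS provider.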


9 (edited by LuizC 2020-06-10 23:40:47)

Re: DNS Config

Hi, MuPp3t33r! Nice to have your support!

MuPp3t33r wrote:

Did you change your nginx config files when you were trying to do the webroot method?

No, the only modification was a "server block", because I'm using my VPS to serve another simple site. Could this be a problem?

MuPp3t33r wrote:

Have you linked your letsencrypt certificate to the default iredmail cert path? and of course restart services.

OOOOps, I didn't. Now I did it, and ... now I have a ERR_TOO_MANY_REDIRECTS message in browser :-/

MuPp3t33r wrote:

By the way, your SPF record is incomplete, you need to specify which hosts are allowed to send mail for your domain.
You could perhaps use a record like this:
v=spf1 a mx ip4:191.252.103.63 ~all

~all means softfail (accept message but tag it as fail) or if you want strict SPF you can place -all

Oh yes, and one more thing about cloudflare DNS, about the "proxied" status, as this only does HTTPS proxying, not SMTP, you might have delivery issues, if you want to use the proxy then you should create a separate record A/CNAME unproxied to your origin server IP, and set your MX linking to the unproxied host.

EG: Create an A record named "mx" pointing to 191.252.103.63
      update MX record to point to mx.botboutique.com.br

Nice tips! I updated my Cloudflare configuration as shown in the image.

What can we do now?

Despite all these difficulties, I'm feeling confident about continuing to try to make it work, thanks to your support :-)


10 (edited by LuizC 2020-06-11 00:45:04)

Re: DNS Config

MuPp3t33r,

I have a VPS that my provider registered as vps18569.publiccloud.com.br

And now I saw that I can access Roundcube and iRedAdmin using this address!!!! More than that: mailboxes in iRedAdmin could only be created as <user>@mail.botboutique.com.br, but the desired form is <user>@botboutique.com.br.

What did I mess up, and how do I fix it?

11 (edited by MuPp3t33r 2020-06-11 19:54:18)

Re: DNS Config

LuizC wrote:

mailboxes in iRedAdmin could only be created with <user>@mail.botboutique.com.br, but the desired is <user>@botboutique.com.br.

Sounds to me like when you were setting up the server you set your first mail domain name to mail.botboutique.com.br (which is correct for your server name, but not for your mail domain name, which should be botboutique.com.br)

LuizC wrote:

I have a VPS that my provider registered as vps18569.publiccloud.com.br

You'll need to log in to the control panel of your hosting provider to change this; it may be labelled as e.g. Reverse DNS, Reverse PTR, etc. If you are unable to find this then open a support ticket with your VPS provider, they should be able to guide or assist you there.

LuizC wrote:

the only modification was a "server block"

Do you think you could share the contents of your nginx sites enabled files?

LuizC wrote:

ERR_TOO_MANY_REDIRECTS

Sorry, I forgot to tell you a step in Cloudflare. Check the SSL/TLS tab in Cloudflare and change the encryption mode to Full (Strict).
If this whole thing is giving you too much headache, you can completely disable the Proxied status for your records on Cloudflare (DNS only). Once you have it up and running the way you expect it to then you can look at going back to proxied (as mentioned previously, that's all entirely optional and is my personal recommendation, not that of the iRedMail team)

LuizC wrote:

I updated my Cloudflare's configuration as showed in image.

Don't forget to change your A record for mx.botboutique.com.br to be DNS only, not Proxied, otherwise you won't be able to receive emails

12 (edited by LuizC 2020-06-12 01:07:44)

Re: DNS Config

Hi, MuPp3t33r!

MuPp3t33r wrote:

Sounds to me like when you were setting up the server you set your first mail domain name to mail.botboutique.com.br (which is correct for your server name, but not for your mail domain name, which should be botboutique.com.br)

Is it fixable?

MuPp3t33r wrote:

Do you think you could share the contents of your nginx sites enabled files?

Sure!

00-default.conf:
server {
    # Listen on ipv4
    listen 80;
    listen [::]:80;

    server_name _;

    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;
}
------------------------------------------------------
00-default-ssl.conf:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name _;

    root /var/www/html;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}
---------------------
In 00-default-ssl.conf, the directory "root /var/www/html;" should be "root /var/www/botboutique.com.br/html", right? Because when I try to access vps18569.publiccloud.com.br the padlock shows an insecure-site error. Does doing this make a Reverse DNS/Reverse PTR setup unnecessary?

MuPp3t33r wrote:

Sorry, I forgot a step in Cloudflare to tell you. Check on the SSL/TLS tab in cloudflare and change the encryption mode to Full(Strict).

Done, the ERR_TOO_MANY_REDIRECTS has gone :-)

MuPp3t33r wrote:

If this whole thing is giving you too much headache, you can completely disable the Proxied status for your records on Cloudflare (DNS only). Once you have it up and running the way you expect it to then you can look at going back to proxied (as mentioned previously, that's all entirely optional and is my personal recommendation, not that of the iRedMail team)
...
Don't forget to change your A record for mx.botboutique.com.br to be DNS only, not Proxied, otherwise you won't be able to receive email

Everything done :-)

Now, trying to access botboutique.com.br AND vps18569.publiccloud.com.br leads to /mail (I can see that it's the same mailbox, no matter the domain). And now I can receive emails at postmaster@mail.botboutique.com.br, but the replies didn't reach their recipient.

A note: I'm learning a lot in this thread :-)

Thanks again!


13

Re: DNS Config

LuizC wrote:

Is it fixable?

Yes, it would be possible, but in my opinion if you haven't got anything else important on that VPS right now, you'd probably be better off wiping the server and starting fresh. I actually ended up doing that more than I could count when I first started playing with iredmail, granted my use-case was slightly different, so I was doing tinkering by the boatload.


LuizC wrote:

In 00-default-ssl.conf, the directory "root /var/www/html;" should be "root /var/www/botboutique.com.br/html", right?

Not the case; in your config you'll see a bunch of "include" sections, those hold the relevant paths for each component of the web interface.

LuizC wrote:

Because when I try to access vps18569.publiccloud.com.br the padlock shows an insecure-site error. Does doing this make a Reverse DNS/Reverse PTR setup unnecessary?

Not quite as simple as that... See, the certificate you got from Let's Encrypt validates only your domain; since you are not the owner of publiccloud.com.br you are not able to verify the authenticity of that address. So you'll be able to access the site, but it will have that warning.
In addition to that, you are trying to host your server at mail.botboutique.com.br; if we do a lookup of that we'll get your IP address, which is correct, but when spam filters look up your IP address and see something that does not match your HELO then you'll probably be flagged as spam and your mails won't deliver. So definitely do that for sure.
If you go about nuking your VPS and starting over, it might help to get your reverse DNS out of the way first.


LuizC wrote:

And no, sending and receiving emails isn't working (yet)

If it's still not working after redoing your VPS then have a look over the mail logs to see what's going on.
Run tail -f /var/log/mail.log and then send an email from your server, skim over the logs to identify errors and work your way forward from there.

LuizC wrote:

A note: I'm learning a lot in this thread :-) Thanks again!

You're welcome, I learned most of what I know about postfix/dovecot/mysql/fail2ban/etc from experimenting specifically with iredmail, so it's nice to give back to the community.

Pro tip, set up a hypervisor on your home computer to experiment with, Windows 10 Pro comes with HyperV for free which is fairly decent, VMWare also has a variety of hypervisors for desktop and baremetal, Oracle, etc - if you have a spare PC lying around that you can dedicate to the cause you can try ESXi or Xen...

The more you know, the more you know :-)

14 (edited by LuizC 2020-06-12 01:59:05)

Re: DNS Config

MuPp3t33r wrote:

I actually ended up doing that more than I could count when I first started playing with iredmail

When I started experimenting with Linux some time ago and tried to install some complex system like iRedMail, this was a common thing to happen.

So, let's start over again :-)

Thanks for your detailed support, and here we go again!