Configure box to send mail but not host website?

I have an existing mailinabox setup for MIABdomain.tld. I also have domain2.tld that I host on another server, but because it gets so much spam I’d like to send and receive its email from my MIAB server to take advantage of its spam filter. But I want to keep hosting the website on domain2.tld. Is this possible?

I have created a new email user for domain2.tld on my MIAB server and I can change the MX record to point to MIABdomain.tld, but the MIAB system status checks say

This domain should resolve to this box’s IP address (A [MIAB IP ADDRESS]) if you would like the box to serve webmail or a website on this domain.

which is not what I want to do. Will email work if I just change the DNS records for MX, SPF, and DKIM?

Do not change anything else. You can host domain2 elsewhere, no worries. Just make A and AAAA records pointing to the IP address where you are hosting domain2.

Ah, I was thinking of keeping the existing external DNS settings for domain2, but I see now that it’s possible to use MIAB as the name servers and create custom A and AAAA records within MIAB itself. That seems to be working.

You can do that as well. Just replicate all the entries as in MIAB and point the A and AAAA records for domain2.

The only problem I ran into is that in order to send mail for the other domain, I need to setup MTA-STS.

The MIAB status checks for my 2nd domain say:

MTA-STS policy is missing: STSFetchResult.NONE

My understanding is that in order to implement MTA-STS you need to serve the file /.well-known/mta-sts.txt over SSL. It looks like the MIAB is already configured to serve up a valid looking /.well-known/mta-sts.txt file, so I created a CNAME record to send mta-sts.domain2.tld to my MIAB machine, but the MIAB machine doesn’t have an SSL certificate for that sub-domain.

I tried creating an SSL certificate with: mta-sts.domain2.tld

but it fails with:

skipped: mta-sts.domain2.tld:
The domain has a custom DNS A/AAAA record that points the domain elsewhere, so there is no point to installing a TLS certificate here and we could not automatically provision one anyway because provisioning requires access to the website (which isn’t here).

Seems like it would work if I could just create the SSL certificate, but not sure how to do that.
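As an added example (not code from this thread or from Mail-in-a-Box), the following script parses and sanity-checks an MTA-STS policy file of the kind served at /.well-known/mta-sts.txt, then reports which MX hosts the policy would refuse. The policy text and MX host names are constructed sample values for domain2.tld, not real DNS data; the function names are this example's own.

```python
"""Parse and sanity-check an MTA-STS policy file (RFC 8461, section 3.2).

Added illustration, not Mail-in-a-Box code.  The policy text and MX host
names below are constructed sample values for domain2.tld, not real data.
"""
import re

# Constructed sample of what https://mta-sts.domain2.tld/.well-known/mta-sts.txt
# would return once that subdomain serves the file over a valid certificate.
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: box.MIABdomain.tld\r\n"
    "max_age: 604800\r\n"
)

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed about one year

# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(r"^%s(?:\.%s)*$" % (_LABEL, _LABEL))


def _valid_mx_pattern(pattern):
    """An mx value is a hostname, optionally with a single leading '*.' label."""
    host = pattern[2:] if pattern.startswith("*.") else pattern
    return bool(_HOST_RE.match(host))


def parse_policy(text):
    """Parse policy text; return {'version', 'mode', 'max_age', 'mx'} or raise ValueError."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            if not _valid_mx_pattern(value):
                raise ValueError("bad mx pattern: %r" % value)
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError("duplicate field: %s" % key)
            policy[key] = value
        # Unknown keys are extension fields and are ignored per RFC 8461.

    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be one of %s" % sorted(VALID_MODES))
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = int(policy["max_age"])
    if policy["max_age"] > MAX_AGE_LIMIT:
        raise ValueError("max_age exceeds one year")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("mode %s requires at least one mx entry" % policy["mode"])
    return policy


def mx_allowed(policy, mx_host):
    """True if mx_host matches an mx entry.  '*.' matches exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def uncovered_mx(policy, mx_hosts):
    """MX hosts the policy would reject; a non-empty list in enforce mode means lost mail."""
    return [h for h in mx_hosts if not mx_allowed(policy, h)]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(policy)
    # Constructed MX set: the box plus a stray host the policy does not list.
    print(uncovered_mx(policy, ["box.MIABdomain.tld", "oldmail.domain2.tld"]))
```

The check worth keeping in mind is the last one: once the policy is in enforce mode, every MX host published for the domain must match an mx entry, otherwise sending servers that honour MTA-STS will refuse to deliver to the unmatched host.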

You don’t need a certificate for mta-sts.domain2.tld on the MIAB box.
The admin page under Certificates should say: "domain2.tld: The domain’s website is hosted elsewhere."
On the other instance where you host domain2.tld you can run Let’s Encrypt from the terminal and provision a certificate. Google it.

Rerun mailinabox setup; maybe it will clear the status page, as the website is pointed elsewhere.
Or just ignore the warning.

You can check your webmail for domain2.tld via the box.domain1.tld/mail Roundcube. That’s how it works. Just log in with the domain2.tld email.

All your domain2.tld mail goes via domain1.tld in terms of DKIM, DMARC, SPF.

If you are using an external DNS, go back to MIAB-managed DNS and make sure everything is OK in the status page before you transfer the records outside.

Or, if external DNS records give you a headache and you want better propagation and to get rid of the tedious external DNS replication (not automatic in MIAB for now), just make an account and a zone on buddy dns and paste these in Admin > Custom DNS > Using a secondary nameserver (there is a space between them):

You can always rerun setup by running mailinabox from the terminal.
And it is a good idea to restart from time to time.

I figured it out. I really did need a certificate for mta-sts.domain2.tld on the MIAB.
The problem was that MIAB didn’t want to create it because I had created a custom DNS CNAME record for mta-sts.domain2.tld pointing to the MIAB. This custom record was technically accurate, but redundant because that subdomain was already pointing to my MIAB, and creating it caused the ssl_certificates Python script to erroneously assume that the subdomain was pointing to an external location.

In short, I deleted the custom CNAME record and re-ran ssl_certificates "mta-sts.domain2.tld", and now MTA-STS is working and the status check error message is gone.

This is why it is tricky to use an external DNS. There are always redundant entries.
But good job!
