I have an existing mailinabox setup for MIABdomain.tld. I also have domain2.tld that I host on another server, but because it gets so much spam I’d like to send and receive its email from my MIAB server to take advantage of its spam filter. But I want to keep hosting the website on domain2.tld. Is this possible?
I have created a new email user for domain2.tld on my MIAB server and I can change the MX record to point to MIABdomain.tld, but the MIAB system status checks say
This domain should resolve to this box’s IP address (A [MIAB IP ADDRESS]) if you would like the box to serve webmail or a website on this domain.
which is not what I want to do. Will email work if I just change the DNS records for MX, SPF, and DKIM?
Do not change anything else. You can host domain2 elsewhere, no worries. Just make A and AAAA records pointing to the IP address where you are hosting domain2.
Ah, I was thinking of keeping the existing external DNS settings for domain2, but I see now that it’s possible to use MIAB as the name servers and create custom A and AAAA records within MIAB itself. That seems to be working.
The only problem I ran into is that in order to send mail for the other domain, I need to set up MTA-STS.
The MIAB status checks for my 2nd domain say:
MTA-STS policy is missing: STSFetchResult.NONE
My understanding is that in order to implement MTA-STS you need to serve the file /.well-known/mta-sts.txt over SSL. It looks like the MIAB is already configured to serve up a valid looking /.well-known/mta-sts.txt file, so I created a CNAME record to send mta-sts.domain2.tld to my MIAB machine, but the MIAB machine doesn’t have an SSL certificate for that sub-domain.
I tried creating an SSL certificate with:
ssl_certificates.py mta-sts.domain2.tld
but it fails with:
skipped: mta-sts.domain2.tld:
The domain has a custom DNS A/AAAA record that points the domain elsewhere, so there is no point to installing a TLS certificate here and we could not automatically provision one anyway because provisioning requires access to the website (which isn’t here).
Seems like it would work if I could just create the SSL certificate, but not sure how to do that.
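Added example, not from this thread or the Mail-in-a-Box project: a small Python checker for the /.well-known/mta-sts.txt policy format (RFC 8461) discussed above. It parses a policy, reports problems a receiving box's operator would want to catch, and checks whether an MX host name is covered; the sample policy and the MX name box.miabdomain.tld are constructed for illustration.

```python
# Added example: minimal validator for an MTA-STS policy file (RFC 8461).
# Not part of Mail-in-a-Box; the sample policy and host names are constructed.
import re

# Constructed sample of what a box might serve for domain2.tld
# (the MX host name is an assumption, not taken from the thread).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: box.miabdomain.tld
max_age: 604800
"""

def parse_policy(text):
    """Parse 'key: value' lines into a dict; 'mx' may repeat, so it is a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is usable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not policy["mx"] and policy.get("mode") != "none":
        problems.append("at least one mx entry is required")
    if not re.fullmatch(r"\d+", policy.get("max_age", "")):
        problems.append("max_age must be a non-negative integer")
    return problems

def mx_matches(policy, mx_host):
    """True if mx_host is covered by a policy mx entry.
    A leading '*.' matches exactly one label, as RFC 8461 requires."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".miabdomain.tld"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False
```

A sending server only trusts this file when it is fetched over HTTPS from mta-sts.<domain> with a valid certificate, which is why the missing certificate in the post above blocks the policy from taking effect.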
You don’t need a certificate for mta-sts.domain2.tld on the MIAB box.
The admin page under Certificates should say: domain2.tld The domain’s website is hosted elsewhere.
On the other instance where you host domain2.tld you can run Let's Encrypt from the terminal and provision a certificate. Google it.
Rerun mailinabox setup maybe it will clear the status page as the website is pointed elsewhere.
Or just ignore the warning.
You can check your webmail for domain2.tld via the box.domain1.tld/mail Roundcube. That's how it works. Just log in with the domain2.tld email.
All your domain2.tld mail goes via domain1.tld in terms of DKIM, DMARC, SPF.
If you are using an external DNS, go back to MIAB-managed DNS and make sure everything is OK in the status page before you transfer the records outside.
I figured it out. I really did need a certificate for mta-sts.domain2.tld on the MIAB.
The problem was that MIAB didn’t want to create it because I had created a custom DNS CNAME record for mta-sts.domain2.tld pointing to the MIAB. This custom record was technically accurate, but redundant because that subdomain was already pointing to my MIAB and creating it caused the ssl_certificates python script to erroneously assume that the subdomain was pointing to an external location.
In short, I deleted the custom CNAME record and re-ran ssl_certificates "mta-sts.domain2.tld", and now MTA-STS is working and the status check error message is gone.