Digital Ocean Reserved IP (server can't reach itself)

Digital Ocean has a magic system where you can have a private Anchor IP for each server and a public Reserved IP that can be moved between servers. I guess it’s similar to a NAT… I followed their guide and now everything works fine from the outside. But the status page doesn’t agree. It seems the server can’t reach itself when doing the tests.

✖  Public DNS (nsd4) is not running (port 53).
✖  Incoming Mail (SMTP/postfix) is running but is not publicly accessible at 67.x.x.x:25.

Here’s a post that sounds helpful but I don’t quite understand what the solution is…

And here’s some random desperate DNS testing

> dig @8.8.8.8 $HOSTNAME
HOSTNAME.       21600   IN      A       67.x.x.x

> dig @localhost $HOSTNAME
;; communications error to 127.0.0.1#53: timed out
;; no servers could be reached

> dig @localhost google.se
google.se.              300     IN      A       142.250.186.67

> netstat -lpn | grep 53
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      14117/named         
tcp        0      0 10.19.0.6:53            0.0.0.0:*               LISTEN      722/nsd             
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      14117/named         
udp        0      0 127.0.0.1:53            0.0.0.0:*                           14117/named         
udp        0      0 10.19.0.6:53            0.0.0.0:*                           722/nsd

Help
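An added diagnostic for the situation in the post above (example code written for this thread, not part of Mail-in-a-Box or anything Digital Ocean ships). It reproduces the status page's "can the box reach itself?" question from `netstat -lpn` output: which local addresses actually hold the :53 and :25 listeners, and whether the public Reserved IP is one of them. One reading of the dig output above, stated here as an inference rather than something the thread confirms: named on 127.0.0.1 is the recursive resolver, and when asked for the box's own name it recurses out to the authoritative nsd at the Reserved IP, which the box cannot reach, hence the timeout, while google.se resolves fine. The script assumes the Reserved IP is never configured on a droplet interface, so only the anchor IP (10.19.0.6 in the post) and loopback can carry listeners; 67.0.0.1 is a placeholder for the redacted address.

```shell
#!/bin/sh
# Added example for this thread, not code from Mail-in-a-Box or Digital Ocean.
# Parses `netstat -lpn` output to show where the :53 and :25 listeners live
# and whether the public (Reserved) IP is among them.
# Assumption: the Reserved IP is not configured on any droplet interface, so
# only the anchor IP and loopback hold listeners. IPv4 only; 67.0.0.1 is a
# placeholder for the redacted Reserved IP in the post.

# listeners PORT  (netstat -lpn text on stdin)
# prints "proto local-address program" for each listener on PORT
listeners() {
  awk -v port="$1" '
    $1 ~ /^(tcp|udp)$/ {
      n = split($4, a, ":")
      if (a[n] == port) print $1, a[1], $NF
    }'
}

# addr_bound IP PORT  (netstat -lpn text on stdin)
# succeeds if a listener on PORT is bound to IP or to the wildcard 0.0.0.0
addr_bound() {
  awk -v ip="$1" -v port="$2" '
    $1 ~ /^(tcp|udp)$/ {
      n = split($4, a, ":")
      if (a[n] == port && (a[1] == ip || a[1] == "0.0.0.0")) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# report IP PORT  (netstat -lpn text on stdin): one-line verdict for IP:PORT
report() {
  if addr_bound "$1" "$2"; then
    echo "$1:$2 has a local listener; a self-test to it stays on the box"
  else
    echo "$1:$2 has no local listener; a self-test to it must leave the box and be routed back"
  fi
}

# Constructed sample: the listener table from the post above.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      14117/named
tcp        0      0 10.19.0.6:53            0.0.0.0:*               LISTEN      722/nsd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      14117/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           14117/named
udp        0      0 10.19.0.6:53            0.0.0.0:*                           722/nsd'
RESERVED_IP=67.0.0.1   # placeholder for the redacted public IP
ANCHOR_IP=10.19.0.6

# Offline demonstration on the sample: nsd is bound to the anchor IP only,
# named to loopback only, and nothing answers on the Reserved IP locally.
printf '%s\n' "$SAMPLE_NETSTAT" | listeners 53
printf '%s\n' "$SAMPLE_NETSTAT" | report "$ANCHOR_IP" 53
printf '%s\n' "$SAMPLE_NETSTAT" | report "$RESERVED_IP" 53

# Live mode on the box itself:  sh check_self_reach.sh --live
if [ "${1:-}" = "--live" ]; then
  fqdn=$(hostname -f)
  public=$(dig +short A "$fqdn" @8.8.8.8 | head -n 1)
  live=$(netstat -lpn 2>/dev/null)
  for port in 25 53; do
    echo "listeners on port $port:"
    printf '%s\n' "$live" | listeners "$port"
    printf '%s\n' "$live" | report "$public" "$port"
  done
  # The probe the status page is effectively making: authoritative DNS via
  # the public IP, from the box. dig exits non-zero when no reply arrives.
  if dig +time=2 +tries=1 @"$public" "$fqdn" A >/dev/null 2>&1; then
    echo "DNS answer received via $public from this box (hairpin works)"
  else
    echo "no DNS answer via $public from this box (hairpin not working)"
  fi
fi
```

If the live run shows the public IP with no local listener and no DNS answer via it, the external checks passing while the self-tests fail is exactly what you would expect: the traffic has to leave the droplet and be forwarded back by the provider, which is not something the box itself can fix.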

Apparently Digital Ocean is blocking SMTP on reserved IPs!

I dunno if this is the cause of all errors above, but it sure is a deal breaker.

Now, I could just use the good ol’ server-specific IP and change the DNS records again once it’s time for the next reinstall/upgrade… But I can never recommend Digital Ocean to anyone else…

…BECAUSE THEY COMPLETELY BLOCK SMTP FOR ALL NEW USERS!!!1!!!11!!one!!

*sigh*

Sadly this annoying restriction made me decide to go back to hosted email. But it’s been some fun and relatively easy 6 years of Mail-in-a-box. Thanks for this amazing project! It’s turned the rocket science of mail servers into something even stupid people like me can figure out!

Well, Digital Ocean is not the only VPS provider out there … there are many who will unblock email ports just for the asking…

And, ya know, it is not necessary at all to change your IP at a server reinstall/upgrade due to OS changes. Simply spin up a second droplet, install MiaB v60+ on it and restore your backups. Then do a snapshot and restore the snapshot onto the droplet with the original IP address. :slight_smile:

See there’s ways around everything without giving up.

Honestly please do not do this. Networking is not set up for this type of behavior within MiaB. This is one of the reasons that AWS is all but worthless for installing MiaB. And apparently as @allejok mentions, email ports are blocked with this “magic system”.

Hey, you’re smart!

OK, to be fair, a Google search tells me they are willing to unlock SMTP for users after 60 days.

I’ve run MIAB on Digital Ocean in the past, and I’m using AWS to run a Mail-in-a-Box server now. Both, once you follow the proper process, allow for sending/receiving mail traffic just fine. Both of them are trying to prevent spam bots from running in their networks, and so you’ve got to request the access. For DO, I think it was just an email to support. For AWS, an email to support gets you a form that needs to be submitted and approved. AWS asked some technical questions to make sure you know what you’re doing, how you’re gonna prevent becoming an accidental relay, etc.

I left DO a few years back because their IP blocks had been listed on various blocklists and as a result were affecting my email deliverability. DO has to essentially pay the extortion required to delist them, but every time a spammer slips through, it requires action on their part. They don’t want to participate in the game, and I don’t blame them. To be clear, I love DO and still use them for other purposes.

From my limited perspective, AWS keeps their IP blocks off of spam blocklists fairly well, and knock-on-wood, I haven’t had an issue. Your EC2 instance has a private, internal address, and a public IP address. You allocate a public elastic IP address, and then associate it with the instance. MIAB works just fine with this setup. If you upgrade your instance by creating a new one (like a 22.04), you de-associate the elastic IP from the old instance, and reassociate it with the new one.

One other point is to make sure to work with AWS to add a reverse DNS entry for the IP to point to your domain name. The allow-mail-form already has support for this, but just don’t forget to do this. Many mail servers want to lookup your connecting IP and make sure it matches the domain.

Hope this helps anyone considering using DO or AWS.

I think this comment is a bit harsh; elastic IPs work quite well and don’t have the weird behaviour you’re implying. Saying that, I don’t think I would recommend AWS to new users unless they already use AWS for other servers and know their way around it.

There is just better support from yourself and this forum for other VPSs.

Right. I’ve been using MIAB in AWS for two years without issue. Fired up the instance, had a couple days of back and forth emails with AWS support, had everything purring in no time.

Similar experience, love my MIAB on AWS, been using it for 4 years.

I want to be an advocate, but find that some/many aren’t supportive of AWS. I think for a new MIAB user that wants community support it is easier to not use AWS.

This is only my own personal opinion of course, and I don’t mean to be a dampener on your or anyone’s enthusiasm for MIAB on AWS.