DNS error message: DNS isn't configured properly for this domain:


#1

Continuing the discussion from Error messages: WARN: uid is 0 but '/' is owned by 107:

DNS isn’t configured properly for this domain: DNS resolution failed (AAAA: The DNS response does not contain an answer to the question: subdomain.example.com. IN AAAA).

What does this even mean?

Steps:

I rebuilt my server and now I am getting all sorts of strange messages.

I used scp to transfer my subdomains over from another linode server.
Then, I created an alias for info@subdomain.example.com
Then, I went to the TLS certificate and saw this error message:

DNS isn’t configured properly for this domain: DNS resolution failed (AAAA: The DNS response does not contain an answer to the question: subdomain.example.com. IN AAAA).

I went to mxtoolbox and did a test run on my box.example.com. The errors are as follows:

  • Reverse DNS does not match SMTP Banner
  • Blacklisted by SPAMCANNIBAL

Reverse DNS does not match SMTP Banner: The short answer is that the reverse IP address name is not contained in the server HELO or EHLO banner. In the example below, the string “someotherdomain.com” is not found anywhere in the server banner, which is reporting “example.com“. This is only a warning, and in some cases you may have no control over this. However, if you have the ability to make these match, you should.

Blacklisted by SPAMCANNIBAL: Apparently, I need to update my PTR record. So, I created a PTR record that connects my IP address to my domain name.


#2

Can you post the results from you status checks (Sanitized if you like)?

The reverse DNS is important, but probably unrelated to this issue.


#3

System
✓ All system services are running.
✓ System software is up to date.
✓ Mail-in-a-Box is up to date. You are running version v0.23a.
✓ System administrator address exists as a mail alias. [administrator@box.example.com ↦ me@box.example.com]
✓ The disk has 11.18 GB space remaining.
✓ System memory is 47% free.

Network
✓ Firewall is active.
✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted by zen.spamhaus.org.
box.example.com
✓ Nameserver glue records are correct at registrar. [ns1/ns2.box.example.com ↦ 12.345.456.78]
✓ Domain resolves to box’s IP address. [box.example.com ↦ 12.345.678.91 / 2321:3123131:31231:23132b]
:heavy_multiplication_x: Your box’s reverse DNS is currently [liab.members.linode.com (IPv4) and [Not Set] (IPv6), but it should be box.example.com. Your ISP or cloud provider will have instructions on setting up reverse DNS for your box.
✓ The DANE TLSA record for incoming mail is correct (_25._tcp.box.example.com).
✓ Hostmaster contact address exists as a mail alias. [hostmaster@box.example.com ↦ administrator@box.example.com]
✓ Domain’s email is directed to this domain. [box.example.com ↦ 10 box.example.com]
✓ Postmaster contact address exists as a mail alias. [postmaster@box.example.com ↦ administrator@box.example.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ TLS (SSL) certificate is signed & valid. The certificate expires in 88 days on 10/09/17.


#4

Is that all it shows on the screen? No network, no hostname section?


#5

Sorry, was desanitising and setting up the reverse DNS on linode…


#6

Just checking, this is the error you get when you navigate to the TLS page? Status checks report that tls is fine.

The error means that it’s looking up the AAAA record. That is the IPv6 equivalent of an A record. Which is the record to match a name to an ip.

The certificate is 2 days old. (About) did you renew it on this new box? Or on the old one? Did the old one have an IPv6 address and this one doesn’t?

(Just a side note, me personally wouldn’t recommend running IPv6 on a mail server just yet, most big providers don’t trust mail coming from an IPv6 address)


#7

Interesting. I was at an ipv6 security conference yesterday. They said we are all sending traffic over ipv6 eventhough we think it is going over ipv4, apparently.

the strange thing is that my linode has one ipv6 address assigned and mail in a box is telling me to change my dns to add a similiar but different ipv6 address.


#8

The problem with ipv6 and mail servers is that blacklists are hard to implement I guess. I removed my public ipv6 address from my main server.

the strange thing is that my linode has one ipv6 address assigned and mail in a box is telling me to change my dns to add a similiar but different ipv6 address.

Some providers (I don’t use linode so I can’t verify) have private IP’s on the machines and public IP’s on the firewall. Perhaps the detection of the private and public IP didn’t work properly? They can be overridden with an export. Maybe that is the problem.

You can also try and force a certificate renewal from the command line.


#10

How would I force the certificate renewal via the command line?

Per Linode:
1.) Your Linode does have a private IP. I’m not exactly sure what the issue might be or what they mean by “export”

2.) Hey there, Yes that looks correct! The extra zeros aren’t an issue, with IPv6, you can keep or remove the extra zero’s. Here is a link that gives you some more insight on that: https://networklessons.com/ipv6/shortening-ipv6-addresses/ Just to clarify: [IPV6 address with :0000:0000:] & [IPv6 address] Are the same IPv6 address :slight_smile: I’m not sure why Mail in a Box adds them with the zeros, but there is no need to be alarmed there. Please keep in mind that since we are an unmanaged hosting provider, troubleshooting this issue is a task for your systems administrator or developer. If you have any other questions, please feel free to reach out to us at any time. Kind Regards, HM Linode Support

Per Google Domains:
Dennis So, in your web host’s end, there’s a setup that’s somehow expecting to resolve at [IPV6 address]. You see, as your registrar, we only point your domain name to the mapping information provided by your host.


#11

Google: Bounced email is only a result of DNS records not properly configured. You need to check the correct mapping info for your email. …Let me just check something about your MX records. I checked the MX records and it is recognizing the MX records.

me: Yes, so I receive the messages but people are getting bounce notifications

Google: You need to contact Linode about it…Now, we’re talking about bounce messages. As I’ve said, when I ran the MX, it’s recognizing the mail server.

me: but the messages are still bouncing (theoretically)

Google: Now, given that you it is the configuration came from your mail host, you will need to contact them and tell them the issue.


#12

prostream reported the exact same ipv6 problem that I reported. Whereas I was told to disable ipv6, prostream was directed to the following:




#13

management/ssl_certificates.py --force

Only do that if the certificates where from the old machine, though I don’t think it will solve it. I don’t want you hitting the rate limit.

This problem was about an error on the TLS page wasn’t it? The info I gave about ipv6 was a side note based on my personal experience. You’re welcome to run ipv6, I think a lot of people are using it. I’ve had bad experiences with it.


#14

@michaelkroes

Do you understand what they are saying in terms of the ipv6 patch?

Can you please describe the actual steps to fix the mismatch?


#15

Yes (I wrote the patch :slight_smile:) The easiest way to get the patch is to get on the latest version of MIAB. That would be the master version. I assume you installed via de curl method? You would need to clone the repo and run the setup.
You would need to know how to use git to do that.
git clone git@github.com:mail-in-a-box/mailinabox.git

However, it is merely a cosmetic issue. Everything should still be working even if the status report says the IP address doesn’t match. Sorry if I couldn’t get that from your posts.


#16

I literally just rebuilt my server 30 minutes ago, after realising that my previous rebuild was on Debian 8. Yet, I still have the ipv6 problem

Anyway, git clone git@github.com:mail-in-a-box/mailinabox.git produces

Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

solution: GitHub isn’t able to authenticate you. So, either you aren’t setup with an SSH key, because you haven’t set one up on your machine, or your key isn’t associated with your GitHub account. https://gist.github.com/stormpython/9517102

new problem: root@box:~# git clone git@github.com:mail-in-a-box/mailinabox.git
fatal: destination path ‘mailinabox’ already exists and is not an empty directory.

management/ssl_certificates.py --force produces:

root@box:/# management/ssl_certificates.py --force
-bash: management/ssl_certificates.py: No such file or directory


#17

You need to move the existing mailinabox directory, probably under /root/mailinabox (or delete it, it doesn’t contain user data).

You need to run the command from the mailinabox directory. If the box is that new and the certificates where generated on that box it isn’t necessary.


#18

root@box:~/mailinabox# management/ssl_certificates.py --force
Traceback (most recent call last):
File “management/ssl_certificates.py”, line 803, in
provision_certificates_cmdline()
File “management/ssl_certificates.py”, line 446, in provision_certificates_cmdline
status = provision_certificates(env, agree_to_tos_url=agree_to_tos_url, logger=my_logger, force_domains=force_domains, show_extended_problems=show_extended_problems)
File “management/ssl_certificates.py”, line 272, in provision_certificates
domains, problems = get_certificates_to_provision(env, force_domains=force_domains, show_extended_problems=show_extended_problems)
File “management/ssl_certificates.py”, line 255, in get_certificates_to_provision
domains = set(filter(can_provision_for_domain, domains))
File “management/ssl_certificates.py”, line 216, in can_provision_for_domain
from status_checks import normalize_ip


#19

Is that from a freshly cloned repo?

From the mailinabox directory try and run:

git status
git remote -v

If it is a fresh repo also run:

management/status_checks.py 

Otherwise I think there is something broken in the normalize_ip function.


#20

I believe it was from a freshly cloned repo. I manually changed the files, so all should be well.

I just don’t understand why my gmail rejects my mail forwarding from box.example.com.

root@box:~/mailinabox# git status
Not currently on any branch.
Changes not staged for commit:
(use “git add …” to update what will be committed)
(use “git checkout – …” to discard changes in working directory)

    modified:   management/status_checks.py

no changes added to commit (use “git add” and/or “git commit -a”)

root@box:~/mailinabox# git remote -v
origin https://github.com/mail-in-a-box/mailinabox (fetch)
origin https://github.com/mail-in-a-box/mailinabox (push)


#21

The forwarding might be related to this post: Forwarding, SPF and SRS

The repo you have isn’t a fresh clone. It’s the one from curl -s https://mailinabox.email/setup.sh | sudo bash. I can tell from the: Not currently on any branch.

You now have modified files there. When you want to upgrade it will give some errors. It’s fine for now