Using Mail-in-a-Box v0.53.
If a domain’s website (A record) and mailinabox (MX record) are at different IPs, using external DNS, then mailinabox shows several errors on the status page:
- Nameservers incorrect
- MTA-STS policy is missing: STSFetchResult.NONE
- Domain not resolving to box’s ipv4 address
- www. (what does www have to do with mail?)
It also omits the _mta_sts record from the zone file and does not include the domain in the TLS certificate(s) that it offers to provision. Mailinabox may still be able to process mail for that domain, but the plethora of red errors is disconcerting for someone who does not know the details about mailinabox and mta-sts and how exactly email works.
How do you get over this hurdle?
I thought that having a website and mailinabox for the same domain on different machines is a standard use case, because mailinabox should be used only for email, therefore the website for the same domain should be somewhere else. Then why does mailinabox want the IPs for domain D and www.D to point to itself?
Probably mailinabox needs the A record in order to provision a TLS certificate for the email domain, and I’ve found out that without the TLS certificate, it does not enable MTA-STS. See Support MTA Strict Transport Security (MTA-STS) · Issue #1388 · mail-in-a-box/mailinabox · GitHub and management/dns_update.py (mta_sts_records).
But Let’s Encrypt just needs to access a verification file in http:///.well-known/acme-challenge/ , so if I use a reverse HTTP proxy to send those URLs to mailinabox, mailinabox would be able to provision a TLS certificate for the domain automatically, without needing the A record to point to itself. Mailinabox can verify HTTP access to /.well-known/acme-challenge the same way that Let’s Encrypt does. It can put a file with a random name in /home/user-data/ssl/lets_encrypt/webroot/.well-known/acme-challenge/ and then try to access it with HTTP, using the domain name with IPv4. I just tested this. The request goes out to my reverse HTTP proxy and comes back to mailinabox. I suggest that mailinabox checks access to /.well-known/acme-challenge this way and does not require that A/AAAA of the domain and www point to itself. I also tested that it works for the case where A points to mailinabox and for the case where mailinabox is the domain nameserver.
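The self-check proposed above, written out as an added Python example (not Mail-in-a-Box's own code): it drops a random file into the webroot path named in the post, requests it over plain HTTP via the domain's IPv4 address with a Host header, and compares the body, so a reverse proxy in front of the box passes the check while a domain that does not route the challenge path to the box fails it. The injectable `fetch` parameter is an assumption added so the logic can be exercised without a live domain.

```python
import http.client
import secrets
import socket
from pathlib import Path
from typing import Callable, Optional

# Challenge webroot that the box's web server serves (path taken from the post).
WEBROOT = Path("/home/user-data/ssl/lets_encrypt/webroot")


def write_challenge(webroot: Path) -> tuple:
    """Create a challenge file with a random name and random body.
    Returns (token, expected_body)."""
    token = secrets.token_urlsafe(16)
    body = secrets.token_hex(16)
    target = webroot / ".well-known" / "acme-challenge"
    target.mkdir(parents=True, exist_ok=True)
    (target / token).write_text(body)
    return token, body


def fetch_ipv4(domain: str, path: str, timeout: float = 5.0) -> Optional[str]:
    """GET http://<domain><path>, resolving the name to IPv4 only and sending
    the domain in the Host header, i.e. the route an HTTP-01 validator takes.
    Returns the response body on HTTP 200, otherwise None."""
    try:
        ip = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": domain})
        resp = conn.getresponse()
        data = resp.read().decode("utf-8", "replace")
        conn.close()
        return data if resp.status == 200 else None
    except (OSError, http.client.HTTPException):
        return None


def challenge_reachable(domain: str, webroot: Path = WEBROOT,
                        fetch: Callable[[str, str], Optional[str]] = fetch_ipv4) -> bool:
    """True if a request for the challenge file, sent to the domain's public IPv4,
    comes back with the file's own contents (served directly or via a proxy).
    The file is removed afterwards whatever the outcome."""
    token, body = write_challenge(webroot)
    path = f"/.well-known/acme-challenge/{token}"
    try:
        return fetch(domain, path) == body
    finally:
        (webroot / ".well-known" / "acme-challenge" / token).unlink(missing_ok=True)
```

Run against a real domain with `challenge_reachable("D")` on the box itself; with the default `fetch_ipv4` the request leaves the box, and only comes back if the A record or a proxy in front of it routes `/.well-known/acme-challenge/` there.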