Error on installing MiaB

Back at it. It was not TOO hard for a new Ubuntu build. Not to customize it beyond proper netplan for addressing and then successfully (I think!) install MiaB.

I can now go to the admin web URL, go to External DNS and see the base zone file you create.

I found out where the zone files are stored (yay locate command!): /etc/nsd/zones

Does not look wise to directly edit any of the files there. So…

The FIRST customization I want is to add an A record for another host:

medon IN A 23.122.122.50

But the External DNS tab is only display and download zone file.
Custom DNS lets me create a RR for a zone, but not seem to allow specifying the host name?

I see some API instructions for maybe:

curl -X PUT https://klovia.htt-consult.com/admin/dns/custom/medon.htt-consult.com

?

How does this go? After I get a couple other hosts set up in my main zone, I will create a subzone of test.htt-consult.com for further testing and next moving on to doing some mailing.

Also there is a strange thing going on with that External DNS page which I think is associated with the SSHD port. I moved my SSHD port to 1234 and I get an error on that web page and it would not do that nice display of all the zone records, yet I could still download the zone file. Do you have some SSH commands buried into your web scripting? I moved SSHD back to 22 and that page started working properly, so I really think this is a lockdown to SSHD to the default port? From a security position, this is not so good.

If I knew what your commands look like (ssh localhost or ssh host), I could probably edit /etc/ssh/ssh_config to provide the port value. I do that on my laptop to make connecting to my various hosts with there non-default SSHD port, and still connect to github on port 22.

But IMO, changing SSHD port cuts down the noise of all the port knocking. Otherwise you have to implement rate limiting on the default port.

If you want to serve dns for another host, first add an email user for that domain. Then it will be possible to create custom dns entries for that new domain.
You should configure the ssh port through the sshd config as explained earlier. That is what mailinabox recognizes, and probably explains the error you see.

The hosts(s) are all in the htt-consult.com domain. Not a subdomain. So like klovia.htt-consult.com (in the htt-consult.com domain), medon.htt-consult.com and onlo.htt-consult.com, and valeria.htt-consult.com (ever read Doc E.E. Smith Lensmen series), are all in the htt-consult.com domain (been so for years). None of these hosts directly send (other than logwatch reports to rgm@htt-consult.com) or receive emails.

The domain, htt-consult.com, already has an email created for rgm@htt-consult.com as part of the setup.

After I get these properly served, then I will create the subdomain test.htt-consult.com which will not have any hosts in it, but just NS and MX records to klovia.htt-consult.com for email. Once I get test.htt-consult.com working then labs.htt-consult.com which has real users to migrate.

I will review the SSHD stuff you refer to and get back here on it.

Ah: sudo sshd -T | grep port and sudo sshd -T | grep listenaddress

I will change back to port 1234 and see what these report. Changing SSHD port number with systemd means many changes and what sshd -T reports may be from a config file that need not be changed for how SSHD really listens now. Will work on that tomorrow. Along with DNS stuff.

Are you just adding local servers to the main domain - like myprinter.mydomain.com? Use the admin page / System / Custom DNS and Set custom DNS records.

Wow. The name field content hint is rather misleading. It suggests a subdomain. Perhaps “host name or subdomain”?

So moving forward on the DNS front. Interesting all the other RR you add for a host (e.g, SPF). I run logwatch on all my servers and their postfix sends email typically to rgm@htt-consult.com

I will get around to testing this, but if you can forewarn me,

My things-to-do list includes:

• add custom DNS entries for local servers

• add lines like whitelist_from *@server.domain.com to /etc/spamassassin/99_local.cf

• add name or address of known acceptable servers to /etc/postgrey/whitelist_clients.local

• send test email from each server - might need to wait 3 mins and resend, to get through greylisting the first time

• check that nothing in /etc/ssh/sshd_config.d/* has PasswordAuthentication yes … Ubuntu seems to include this by default and any ‘yes’ overrides defaults . I use sshd -T | grep password to check the effective config.

Also set-up watchdog timer and secondary DNS, if you/your-hardware support them.

I will probably have more to say tomorrow, but,

The External DNS Download option opens a dialog box that, at least on Firefox, is a pain to use. You have to selectively highlight the content of the dialog (cntl-A also highlights the page behind the dialog box), and copy the clipboard into a file editor of choice. Something more effective for getting the zone file locally would be nice.

MIAB is a community project - I imagine @JoshData would welcome your pull request with a better download dialog.

Guessed right.

I made the changes to get SSHD listening on my custom port and:

sshd -T | grep listenaddress
listenaddress 23.123.122.149:1234

sshd -T | grep port
port 22
gatewayports no

I had to edit /etc/ssh/sshd_config, adding the line
Port 1234

and then

sshd -T | grep port
port 1234
gatewayports no

And admin External DNS works.

Interesting, as with systemd, /etc/ssh/sshd_config is supposedly not used. At least for port SSHD is listening on.

One more vagary to keep track of.

Oh, I would gladly share here all the changes one needs to make for Ubuntu 22 to move the SSHD port. Just tell me where to send the instructions. There are a number of files to change and add and it is poorly documented in Ubuntu help…

Oh course, someone here might say: “here is the easier way!”

Now moving on to setting up a subdomain. In particular test.htt-consult.com

I had been “playing” around with the default/index.html and restarted ngnix. No change to default behavior (want to redirect https://klovia.htt-consult.com to https://klovia.htt-consult.com/mail)

I rebooted the server and still the new default/index.html not working?

So I ignore this work (maybe a mistake) and went on to the subdomain…

So trying to set up that test.htt-consult.com subdomain.

It looks like the instructions are to first create an email addr in that subdomain. I tried that with rgm@test.htt-consult.com and got an internal error. Note that is the same user name as rgm@htt-consult.com. I don’t know if that matters?

Then I tried to user rgm-ietf@htt-consult.com and that threw and error.

So I threw a wobble and rebooted the server.

Surprise! Those new users are there! And it looks like the subdomain of test.htt-consult.com is there too.

So back to custom DNS and add an NS record for test.htt-consult.com, pointing to me server klovia.htt-consult.com.

That threw an error, but the record is showing on the Custom DNS page. OK. I go to the External DNS page and get an error and it will not list the zone file and contents.

I log in and look in /etc/nsd/zones and only the htt-consult.com zone. No sub zones. I grep that directory content for both test and NS and no NS records there for test.htt-consult.com

Obviously something is off, but I ask for some help on where to look.

thank you

As I noted yesterday, something is off. So I decided to reinstall:

sudo mailinabox

It ends with:

Command ‘[‘ssh-keyscan’, ‘-4’, ‘-t’, ‘rsa,dsa,ecdsa,ed25519’, ‘-p’, ‘1234’, ‘localhost’]’ returned non-zero exit status 1.

Your Mail-in-a-Box is running.

Please log in to the control panel for further instructions at:

====================================

So either even with MiaB seemingly recognizing the new SSHD port, that is not enough, with ssh-keyscan returning status 1?

Or something else is off. So it looks like I will be reinstalling Ubuntu later today and NOT doing any customization until I have MiaB up and running…

Depending on what the reinstall results in, I may extend this thread or start elsewhere.

I DID get further this time over my first try!

this is an update of progress and may be edited as needed unless I get some responses.

One question at the end; you can scan quickly down to it.

Rebuilt MiaB from scratch. This time, the first thing I did from admin was to create rgm@test.htt-consult.com

This resulted in a lot of DNS records in the htt-consult.com.txt zone file for test.htt-consult.com. MiaB is not doing this as a separate zone file with various NS records. OK. I can work with that. Besides the test subdomain, the only active subdomain is labs which has real users.

Testing plan:

I used the imapsync.lamiral.info tool to move the mail. But this tool uses IMAP port 143 along with 993. I fought for hours as to why I could not connect to 143 on MiaB, but I could on the old server; did I have some firewall rule on my network firewall. No, I finally checked and the MiaB install did not enable 143. Why? well I turned it on, at least for the migration and I successfully moved the few test messages.

The question below is now more pertinent…

Here is my question for now:

As much as I would like to switch my public DNS, I can’t yet until I move all email. Which DNS records for test.htt-consult.com do I move to my current public DNS to get mail sent here? I might think all I need to add to my test.htt-consult.com.zone is:

test IN MX 10 klovia.htt-consult.com.
test IN TXT v=spf1 mx -all

This should suffice (I do not have DNSSEC currently on old server)

Another question:

In External DNS page I see:

|www.htt-consult.com|A|23.123.122.149

|Optional. Sets the IP address that www.htt-consult.com resolves to so that the box can provide a redirect to the parent domain.

I want www.htt-consult.com to be a CNAME to medon.htt-consult.com

How do I get this “optional” entry that I did not enter to be replaced by a CNAME record that I would provide. BTW, this is how www.htt-consult.com is currently served,

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.