External dns with miab as a subdomain from route53

Hi there.
First off, thanks for MIAB. It’s fantastic.

I’m trying to set up MIAB on Lightsail in AWS. I use Route53 for mydomain.com as I host a website in AWS. I have done the following:

  • Add glue A records in route53 (mydomain.com) for ns1.box.mydomain.com and ns2.box.mydomain.com. These both point to the static IP of my MIAB box.
  • Add NS records in route53 (mydomain.com) pointing the following domains to MIAB box:
    ** box.mydomain.com NS
    ** autoconfig.mydomain.com NS
    ** autodiscover.mydomain.com NS
    ** mta-sts.mydomain.com NS
  • Add the following records in route53 (mydomain.com) copied from the external DNS section in MIAB:
    ** mydomain.com MX
    ** mydomain.com TXT
    ** _dmarc.mydomain.com TXT
    ** mail._domainkey.mydomain.com TXT
    ** _mta-sts.mydomain.com TXT
    ** _caldavs._tcp.mydomain.com TXT
    ** _carddavs._tcp.mydomain.com TXT

My MIAB status shows only the following red flags:

  • Incoming Mail (SMTP/postfix) is running but is not publicly accessible.
    I will look into this. It might be blocked by AWS.
  • Outbound mail (SMTP port 25) seems to be blocked by your network.
    Outbound mail is working, as I have configured postfix to send via AWS SES to simplify any banning issues - and I know… this is not a standard MIAB setup.
  • Reverse dns is wrong for box.mydomain.com
    I will need to get AWS to fix this for me.

It appears to be working, but I have a few questions.

Have I set this up correctly?
Can I simplify this any further? e.g. those records with _underscores… can I somehow configure route53 to send these DNS requests to the MIAB box?
The DNS setup on the MIAB box.mydomain.com does not seem to have an SOA record for box.mydomain.com. Instead it has an SOA record for mydomain.com, per the standard MIAB setup… will this be OK?

A final question:
Should I give up on subdomain dns and just use external DNS with all records… maybe that is easier.

I cannot say whether the DNS settings are correct, but I can see that port 25 is blocked. That is the default on AWS Lightsail. You will need to contact AWS and ask them to open port 25 and to set the reverse DNS name for you. There is an AWS form to fill in. Just Google for it.
DF

Yep. I have done that now and the errors have gone. Still waiting to see if they can do reverse DNS for the IPv6 address.

I ended up just forgetting the subdomain DNS. I put all the records into route53.

To get DKIM to work I had to remove the Date header from the set of OpenDKIM signed headers, because SES rewrites it.

Also had to add include:amazonses.com to the SPF records.

All seems to be working well.

I had some issues hosting a CloudFront site on a subdomain of mine which I also use for email addresses. When setting up an Alias entry in R53, it seems AWS takes over all the records for that subdomain and was ignoring the MX record in MiaB. I resorted to using R53 as my DNS provider for the main domain. It works fine for the most part. The export from MiaB requires at least one change from what I recall… long domain keys that are “split” in the file by surrounding the parts in quotes. MiaB puts a space between the parts and R53 complains. Just remove the space in the exported records. Also, R53 doesn’t appear to support SSHFP or TLSA records, so you’ll lose those too.
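Two of the manual edits in this thread are easy to get subtly wrong: stripping the space between the quoted parts of MIAB's exported DKIM TXT record (the post above), and adding include:amazonses.com to the SPF record (the earlier reply). The script below is an added example written for this thread, not MIAB or AWS code. It joins the exported parts, re-emits them without the space, verifies that the base64 key inside p= still decodes after the edit, and inserts the SES include ahead of the terminal all mechanism. The DKIM key in it is constructed (a DER SEQUENCE prefix plus zero bytes), not a real key, and the function names are this example's own.

```python
"""Carry Mail-in-a-Box (MIAB) external-DNS TXT records into Route53.

Added example for this thread, not MIAB or AWS code. Automates two hand
edits the posts describe: removing the space between the quoted parts of a
long DKIM TXT value ('"part1" "part2"' as MIAB exports it), and adding
include:amazonses.com to SPF when outbound mail goes through SES.
"""
from __future__ import annotations

import base64
import re

MAX_TXT_STRING = 255  # RFC 1035: each TXT character-string is at most 255 bytes
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation)
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:(?:include|a|mx|ptr|exists)(?=[:/]|$)|redirect=)", re.I)


def txt_parts(value: str) -> list[str]:
    """Return the quoted character-strings of a TXT record in presentation form."""
    parts = [m.group(1) for m in _QUOTED.finditer(value)]
    if not parts:
        raise ValueError("no quoted strings found in TXT value")
    return parts


def join_txt(value: str) -> str:
    """Concatenate the parts with NO separator: a space would land inside p=."""
    return "".join(txt_parts(value))


def chunk_txt(logical: str, separator: str = "") -> str:
    """Re-split into <=255-byte quoted chunks.

    separator="" is the 'remove the space' fix from the thread; separator=" "
    reproduces MIAB's export layout. Assumes ASCII (true for DKIM/SPF) and
    no embedded double quotes.
    """
    if not logical.isascii():
        raise ValueError("chunking assumes ASCII text")
    chunks = [logical[i:i + MAX_TXT_STRING] for i in range(0, len(logical), MAX_TXT_STRING)]
    return separator.join(f'"{c}"' for c in chunks)


def dkim_key_ok(logical: str) -> bool:
    """True if the joined DKIM value still carries an intact key.

    p= is base64-decoded strictly, so a stray space left in the key (e.g. from
    joining the parts with " ") fails. A DER SubjectPublicKeyInfo starts with
    a SEQUENCE tag, 0x30.
    """
    tags = {}
    for item in logical.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        return False
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return der[:1] == b"\x30"


def spf_add_include(spf: str, domain: str) -> str:
    """Insert include:<domain> before the terminal 'all' mechanism (idempotent)."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    include = f"include:{domain}"
    if include in terms:
        return spf
    if terms[-1].lstrip("+-~?").lower() == "all":
        terms.insert(len(terms) - 1, include)  # 'all' must stay last
    else:
        terms.append(include)
    return " ".join(terms)


def spf_lookup_count(spf: str) -> int:
    """Number of lookup-causing terms; keep this at or below 10."""
    return sum(1 for term in spf.split()[1:] if _LOOKUP_TERM.match(term))


# Constructed sample (not a real RSA key): long enough that MIAB exports it as
# two quoted parts, so the "space between parts" problem shows up.
FAKE_KEY = base64.b64encode(b"\x30\x82\x01\x22" + b"\x00" * 290).decode()
DKIM_LOGICAL = f"v=DKIM1; k=rsa; s=email; p={FAKE_KEY}"
MIAB_EXPORT = chunk_txt(DKIM_LOGICAL, separator=" ")


def route53_txt_from_miab(export: str) -> str:
    """The thread's fix: same chunks, no space between them, key verified intact."""
    logical = join_txt(export)
    if not dkim_key_ok(logical):
        raise ValueError("DKIM key did not survive the join")
    return chunk_txt(logical)


if __name__ == "__main__":
    print("MIAB export :", MIAB_EXPORT[:70], "...")
    print("Route53 form:", route53_txt_from_miab(MIAB_EXPORT)[:70], "...")
    print("SPF         :", spf_add_include("v=spf1 mx -all", "amazonses.com"))
```

Run it as is to see the before and after forms; feed route53_txt_from_miab the p= line from your own MIAB external-DNS export to get the Route53 value. The dkim_key_ok check is the part worth keeping: it catches the case where the space ends up inside the quotes rather than between them, which leaves a record that looks fine but whose key no longer decodes. spf_lookup_count is there because every include added for a relay counts against the ten-lookup limit, and exceeding it makes the whole record fail with permerror.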
