My setup is a server behind NAT (because I want openvpn, ipset for country acls, own firewall rules, rspamd, nginx reverse proxy in front of MIAB server). I do DNAT to MIAB for mail and http reverse proxiing to MIAB for http(s).
My previous setup (iRedMail) worked perfectly without greylisting with rspamd - but got unsupportable after upgrade to bullseye.
These are all reasons why I do not need letsencrypt (I do this with dehydrated - much easier on the frontend server). Anyway, I also tried to forward the .well-known location to MIAB server.
Manually replacing the cert links with my own letsencrypt certs resulted in #3867 (no reply) and #3565 (sorry, cannot post more links on my first post:-).
Still the reason why I not just using letsencrypt builtin is issue #8495.
Why my self-signed cert of the host itself is not done by builtin letsencrpyt?
The maildomains do work - but the cert for the hostname itself is still self-signed.
if domain not in actual_web_domains:
domains_cant_provision[domain] = "The domain has a custom DNS A/AAAA record that points the domain elsewhere, so there is no point to installing a TLS certificate here and we could not automatically provision one anyway because provisioning requires access to the website (which isn't here)."
in management/ssl_certificates.py.
My hostname resolves internally to the private IP, not the public one: Certificate Status:
Self-signed. Get a signed certificate to stop warnings. The domain name does not resolve to this machine: 172.31.253.3 (A).
If he would try it would resolve externally to him
Well, I removed the forwarder in /etc/bind/named.conf.options, and thus resolving myself via external DNS servers.
Now that warning “The domain name does not resolve to this machine” is gone and mail3.mydomain.tld (hostname) is resolving to the external IP and is listed on the “Provision” button.
I have to think through, if my host needs to resolv internal IP addresses.
Might there be a config option somewhere to accept that “not resolve to this machine” with an override?
Now it is not working because it wanted to do www.maildomain.tld, too.
Why it added www.maildomain.tld? www is a completely different host!
Where is it coming from and how to get rid of it in the TLS page?
“Provision” of certs is now valid and is out of the box behaviour without modification (all standard settings via GUI and supported).
This is a perfect scenario for me now:
Miab server resolves via public DNS hierarchy and sends out directly to Inet
Inbound mail via postfix relay w/ rspamd in front of it (this also solves the greylisting somehow, together with the whitelist_clients.local workaround)
Certs for it’s hostname, so internal communication is valid, too
nginx reverse proxy in front of MiaB Server do some filtering and IP sharing for other purposes
admin page only reachable from inside. with correct cert.
BTW: For others fall into the HSTS trap after generated self signed too often: clear browser cache!
