IDN (Internationalized Domain Names) emails

Hi Team,
I have a domain running already; I added a second domain with CHINESE domain name.

I tried sending an email from Gmail to that with both the Chinese character domain and its IDN format domain; the email was denied by my box.

Is there anything I need to adjust in the box to let this work?
Thanks!


The response from the remote server was:

554 5.7.1 <peng.li@芃晓.com>: Relay access denied

Final-Recipient: rfc822; peng.li@xn–1jv704d.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; box.f2f10.com. (76.10.176.225, the server for the domain xn–1jv704d.com.)
Diagnostic-Code: smtp; 554 5.7.1 <peng.li@芃晓.com>: Relay access denied
Last-Attempt-Date: Fri, 03 Sep 2021 09:41:13 -0700 (PDT)

I am not at all familiar with this aspect of DNS management or even server or local locale settings, but I observe that the IDN format of the domain does not return anything, and since it is a .COM TLD, should be working, or MiaB cannot do anything, so far as I am aware.

When I input your IDN into any of my browsers (not using the hyperlinked character link in your post), the browsers change the domain being looked up to http://xn--xn1jv704d-r89d.com/. I don’t know why.

I can’t find a way to look up your domain with dig or whois.

Just out of curiosity, is it possible to add a domain to MiaB using the characters?!

This is what I see in my browser:

[image: IDNbrowserrequest]

Okay, there may be some additional configuration required in Ubuntu for MiaB to recognize the characters.

From my local computer running Linux Mint and no special locale configuration that I am aware of, I get the following:

$ dig mx 芃晓.com
; <<>> DiG 9.16.1-Ubuntu <<>> mx 芃晓.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27408
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;芃晓.com.			IN	MX

;; ANSWER SECTION:
芃晓.com.		86400	IN	MX	10 box.f2f10.com.

;; Query time: 100 msec
;; SERVER: 192.168.20.1#53(192.168.20.1)
;; WHEN: Sat Sep 04 07:32:01 PDT 2021
;; MSG SIZE  rcvd: 70

But on MiaB I get:

$ dig mx 芃晓.com

; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> mx 芃晓.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13424
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b9f42ea266f5db18e0b2cc3d61338347858ddb6c91f54e6f (good)
;; QUESTION SECTION:
;\232\138\131\230\153\147.com.	IN	MX

;; AUTHORITY SECTION:
com.			893	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1630765868 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Sep 04 07:31:35 PDT 2021
;; MSG SIZE  rcvd: 140
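The QUESTION SECTION in the NXDOMAIN result above is the raw UTF-8 of the name, escaped byte by byte, which is what a client produces when it skips the IDNA conversion to an `xn--` label. The following sketch is an added example, not part of the original posts; the function names are made up for illustration and the rendering rule is a simplification of what dig prints.

```python
# Added example (not from the thread): two ways a client can turn "芃晓.com"
# into a DNS question name, and how each shows up in dig-style output.

def labels_raw_utf8(name):
    # No IDNA step: each label is just the UTF-8 bytes of what was typed.
    return [label.encode("utf-8") for label in name.rstrip(".").split(".")]

def labels_idna(name):
    # IDNA step: each non-ASCII label becomes an ASCII "xn--" A-label.
    return name.rstrip(".").encode("idna").split(b".")

def wire(labels):
    # DNS wire format: length byte + label bytes, ended by the root label.
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def presentation(labels):
    # Simplified dig-style rendering: letters, digits, "-" and "_" are shown
    # as-is, every other byte as a backslash plus three decimal digits.
    def show(b):
        c = chr(b)
        return c if (c.isascii() and (c.isalnum() or c in "-_")) else "\\%03d" % b
    return ".".join("".join(show(b) for b in l) for l in labels) + "."

if __name__ == "__main__":
    name = "芃晓.com"
    for build in (labels_raw_utf8, labels_idna):
        labels = build(name)
        print(build.__name__, presentation(labels), wire(labels).hex())
```

The raw-UTF-8 variant reproduces the `\232\138\131\230\153\147.com.` question shown above; only the A-label variant asks for a name that can exist in the .com zone.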

Thanks Openletter!
I was thinking this is just an extra domain/email parked on this MIAB and it should receive it as any other domain/email. This should all be handled by the box itself nicely. It can send out email with no problem, though.

Thanks!

@miabatf2f10 Did you check that everything looks OK in the status checks in the control panel for this domain? (Would you paste an image?)

Hi Josh,
Here’s the status. Thanks for taking a look at it!
Peng

System Status Checks


System
All system services are running.
SSH disallows password-based login.
✖ System updates have been installed and a reboot of the machine is required.
Mail-in-a-Box is up to date. You are running version v0.54.
System administrator address exists as a mail alias. [administrator@box.f2f10.com ↦ peng.li@f2f10.com]
The disk has 274.77 GB space remaining.
System memory is 93% free.
Network
Firewall is active.
Outbound mail (SMTP port 25) is not blocked.
IP address is not blacklisted by zen.spamhaus.org.
||box.f2f10.com|
|?|DNSSEC ‘DS’ record set at registrar is valid but should be updated to ECDSAP256SHA256 (see below).|
|✓|Nameserver glue records are correct at registrar. [ns1/ns2.box.f2f10.com ↦ 76.10.176.225]|
|✓|Domain resolves to box’s IP address. [box.f2f10.com ↦ 76.10.176.225]|
|✓|Reverse DNS is set correctly at ISP. [76.10.176.225 ↦ box.f2f10.com]|
|✓|The DANE TLSA record for incoming mail is correct (_25._tcp.box.f2f10.com).|
|✓|Hostmaster contact address exists as a mail alias. [hostmaster@box.f2f10.com ↦ administrator@box.f2f10.com]|
|✓|Domain’s email is directed to this domain. [box.f2f10.com ↦ 10 box.f2f10.com]|
|✓|MTA-STS policy is present.|
|✓|Postmaster contact address exists as a mail alias. [postmaster@box.f2f10.com ↦ administrator@box.f2f10.com]|
|✓|Domain is not blacklisted by dbl.spamhaus.org.|
|✓|TLS (SSL) certificate is signed & valid. The certificate expires in 37 days on 2021-10-12.|
||f2f10.com|
|?|DNSSEC ‘DS’ record set at registrar is valid but should be updated to ECDSAP256SHA256 (see below).|
|✓|Nameservers are set correctly at registrar. [ns1.box.f2f10.com; ns2.box.f2f10.com]|
|✓|Domain’s email is directed to this domain. [f2f10.com ↦ 10 box.f2f10.com]|
|✓|MTA-STS policy is present.|
|✓|Domain is not blacklisted by dbl.spamhaus.org.|
|✓|Domain resolves to this box’s IP address. [f2f10.com ↦ 76.10.176.225]|
|✓|TLS (SSL) certificate is signed & valid. The certificate expires in 36 days on 2021-10-11.|
|✓|www.f2f10.com: Domain resolves to this box’s IP address. [www.f2f10.com ↦ 76.10.176.225]|
|✓|www.f2f10.com: TLS (SSL) certificate is signed & valid. The certificate expires in 36 days on 2021-10-11.|
|✓|autoconfig.f2f10.com: Domain resolves to this box’s IP address. [autoconfig.f2f10.com ↦ 76.10.176.225]|
|✓|autoconfig.f2f10.com: TLS (SSL) certificate is signed & valid. The certificate expires in 22 days on 2021-09-27.|
|✓|autodiscover.f2f10.com: Domain resolves to this box’s IP address. [autodiscover.f2f10.com ↦ 76.10.176.225]|
|✓|autodiscover.f2f10.com: TLS (SSL) certificate is signed & valid. The certificate expires in 22 days on 2021-09-27.|
||peng-xiao.com|
|✓|Nameservers are set correctly at registrar. [ns1.box.f2f10.com; ns2.box.f2f10.com]|
|✓|Domain’s email is directed to this domain. [peng-xiao.com ↦ 10 box.f2f10.com]|
|✓|MTA-STS policy is present.|
|✓|Domain is not blacklisted by dbl.spamhaus.org.|
|✓|Domain resolves to this box’s IP address. [peng-xiao.com ↦ 76.10.176.225]|
|✓|TLS (SSL) certificate is signed & valid. The certificate expires in 83 days on 2021-11-27.|
|?|This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. See below for instructions.|
|✓|www.peng-xiao.com: Domain resolves to this box’s IP address. [www.peng-xiao.com ↦ 76.10.176.225]|
|✓|www.peng-xiao.com: TLS (SSL) certificate is signed & valid. The certificate expires in 83 days on 2021-11-27.|
|✓|autoconfig.peng-xiao.com: Domain resolves to this box’s IP address. [autoconfig.peng-xiao.com ↦ 76.10.176.225]|
|✓|autoconfig.peng-xiao.com: TLS (SSL) certificate is signed & valid. The certificate expires in 83 days on 2021-11-27.|
|✓|autodiscover.peng-xiao.com: Domain resolves to this box’s IP address. [autodiscover.peng-xiao.com ↦ 76.10.176.225]|
|✓|autodiscover.peng-xiao.com: TLS (SSL) certificate is signed & valid. The certificate expires in 83 days on 2021-11-27.|
||芃晓.com|
|?|DNSSEC ‘DS’ record set at registrar is valid but should be updated to ECDSAP256SHA256 (see below).|
|✓|Nameservers are set correctly at registrar. [ns1.box.f2f10.com; ns2.box.f2f10.com]|
|✓|Domain’s email is directed to this domain. [芃晓.com ↦ 10 box.f2f10.com]|
|✓|MTA-STS policy is present.|
|✓|Domain is not blacklisted by dbl.spamhaus.org.|
|✓|Domain resolves to this box’s IP address. [芃晓.com ↦ 76.10.176.225]|
|✓|TLS (SSL) certificate is signed & valid. The certificate expires in 83 days on 2021-11-27.|
|✓|www.芃晓.com: Domain resolves to this box’s IP address. [www.芃晓.com ↦ 76.10.176.225]|
|✓|www.芃晓.com: TLS (SSL) certificate is signed & valid. The certificate expires in 83 days on 2021-11-27.|
|✓|autoconfig.芃晓.com: Domain resolves to this box’s IP address. [autoconfig.芃晓.com ↦ 76.10.176.225]|
|✓|autoconfig.芃晓.com: TLS (SSL) certificate is signed & valid. The certificate expires in 83 days on 2021-11-27.|
|✓|autodiscover.芃晓.com: Domain resolves to this box’s IP address. [autodiscover.芃晓.com ↦ 76.10.176.225]|
|✓|autodiscover.芃晓.com: TLS (SSL) certificate is signed & valid. The certificate expires in 83 days on 2021-11-27.|

Just for your reference:
email sent to another secondary domain works; this is an English domain.
peng.li@peng-xiao.com

I have to admit I just discovered this tool, but something it does nicely is display the full communication with the server:

https://www.wormly.com/test-smtp-server

Also, I discovered the issue with the character domain on MiaB seems to be the dig version, because curl works just fine, so it is at least supported by the OS.

And have you tried emailing the address from other mail servers outside of your own?

Hi Openletter,
Sending email out is no issue.
Thanks!

I meant to communicate trying to send an email from a server that is not the MiaB server and not a Google server, such as example@hotmail.com to an email address of the character domain. Because it seems so far you have only communicated a problem receiving mail from a Google server.

Hi Josh,
Once you have some time, please kindly share some thoughts on this. Thank you!


I did some research into what is happening. We use Dovecot to manage mailboxes, and Dovecot does not appear to support “SMTPUTF8” which is a recent-ish addition to email protocols for supporting Unicode, i.e. internationalized email addresses.

What we’ll do in Mail-in-a-Box going forward is turn off SMTPUTF8 support in Postfix. This will signal to senders (like Gmail) that an internationalized address is not supported, and Gmail will instead send the email using the IDNA form (@xn--...), which doesn’t look as nice in your mailbox, but at least the email can be received. (I just tested this.)

This may have the downside that Mail-in-a-Box users might be sending SMTPUTF8-requiring outbound emails, which will stop working. I don’t think we can have it both ways (esp. since an outbound email might be an email to an internationalized domain hosted by the box itself). I’m not sure.

(While researching this, I noticed that the “relay access denied” error could be fixed so that it gives a more informative error in the bounce (“SMTPUTF8 is required, but was not offered”) without disabling SMTPUTF8, by letting Postfix know we also should be receiving email for the Unicode form of the domain. But after I discovered that disabling SMTPUTF8 makes the emails deliverable, that seemed preferable.)
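The sender-side behaviour described in the post above can be sketched as follows. This is an added example, not Mail-in-a-Box, Postfix or Gmail code: the EHLO replies are constructed, the host name `box.example.test` is a placeholder, and the fallback logic is an assumption about how a sending MTA behaves when SMTPUTF8 is not offered.

```python
# Added example: choose the envelope recipient form from the receiver's EHLO reply.
# Both replies below are constructed sample data, not captured from a real server.
EHLO_WITH_SMTPUTF8 = (
    "250-box.example.test\n250-PIPELINING\n250-SIZE 134217728\n"
    "250-STARTTLS\n250-8BITMIME\n250 SMTPUTF8"
)
EHLO_WITHOUT_SMTPUTF8 = (
    "250-box.example.test\n250-PIPELINING\n250-SIZE 134217728\n"
    "250-STARTTLS\n250 8BITMIME"
)

def ehlo_extensions(reply):
    # Collect the extension keywords; the first reply line is only the greeting.
    exts = set()
    for line in reply.splitlines()[1:]:
        parts = line[4:].split() if line.startswith("250") else []
        if parts:
            exts.add(parts[0].upper())
    return exts

def envelope_recipient(addr, reply):
    # Returns (address for RCPT TO, whether MAIL FROM must carry SMTPUTF8).
    local, _, domain = addr.rpartition("@")
    if addr.isascii():
        return addr, False                      # nothing to negotiate
    if "SMTPUTF8" in ehlo_extensions(reply):
        return addr, True                       # Unicode form goes on the wire
    if not local.isascii():
        # Only the domain has an ASCII form; a Unicode local part cannot be sent.
        raise ValueError("SMTPUTF8 is required, but was not offered")
    ascii_domain = domain.encode("idna").decode("ascii")   # xn--... A-label
    return local + "@" + ascii_domain, False

if __name__ == "__main__":
    for reply in (EHLO_WITH_SMTPUTF8, EHLO_WITHOUT_SMTPUTF8):
        print(envelope_recipient("peng.li@芃晓.com", reply))
```

With SMTPUTF8 advertised, the receiver has to accept the Unicode domain as one of its own, which is where the box answered "Relay access denied"; without it, the recipient arrives in the ASCII form.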

Thank you Josh for your insights and efforts on this!
Will this be in the next release?
Thank you!

Yes (unless I mess something up!).