Issues While Setting Up Mail-in-a-Box For First Time

Hi Joshua,

Firstly, thank you so much for creating such an amazing piece of open source software.

Coming to the point in case, I have been trying to setup the ‘Mail-in-a-box’ email server on Digital Ocean from the past few days. But I haven’t been able to successfully set it up. Kindly read below the steps I have taken so far.

I have kept it detailed so that you can help spot the problem easily.

Use Case

Setting up: 'Mail-in-a-box' email server
Hosting: Digital Ocean
Domain Registrar: BigRock
Problems: Nameserver glue records, TLSA and DNSSEC
Reference: Screenshot at end of this message

List of steps I took:

1. Created a DO droplet of 1GB 1vCPU 25GB SSD, took hostname as box.example.com

2. Then I modified our host files in ‘/etc/hosts/’ to associate the hostname with the server’s IP address by this

127.0.0.1 localhost.localdomain localhost
our_server_ip box.example.com box

3. Then I installed ‘Mail-in-a-box’ to get our mail server up and running with all things including security, SSL certificate, UFW firewall, anti-spam, graylisting, SPF, DKIM, DMARC, opportunistic TLS, strong ciphers, HSTS, and DNSSEC (this is the only thing I haven’t implemented yet).

I used this command:

curl -s https://mailinabox.email/bootstrap.sh | sudo bash

4. Then it asked for an email address, I set it up as support@example.com

Then it asked for hostname, I set it up as box.example.com

And the country as India.

5. Then I added the following name servers to both, the child nameservers section and to the NS records for example.com at our domain registrar BigRock. I waited for some time after that, but no propagation happened.

Hostname: ns1.box.example.com
IP Address: our_ip_address

Hostname: ns2.box.example.com
IP Address: our_ip_address

6. Then a Digital Ocean support specialist pointed out that adding the above to the NS records for example.com is not a good practice. So I removed it from there. But I let the child records be there. After which I discovered the external DNS section which exists in Mail-in-a-box > System > External DNS.

Also, adding ns1.box.example.com and ns2.box.example.com to the name servers causes an overlap and loads the box.example.com when example.com is visited.

7. I entered all the feilds in TXT, MX, A, AAAA, SRV, and (TLSA not available at DO) with the values provided in the external DNS with nameservers as ns1.box.example.com and ns2.box.example.com in Digital Ocean DNS.

Under Mail-in-a-box > System > External DNS, I had to add a lot of records, but I couldn’t understand the following:

7.1 CALDAVS

_caldavs._tcp.example.com SRV 0 0 443 box.example.com.

Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain.

The SRV values I added:

HOSTNAME: _caldavs._tcp.example.com
WILL DIRECT TO: box.example.com
PORT: 443
PRIORITY: 0
WEIGHT: 0
TTL (SECONDS): 1800

Are they correct?

7.2 CARDDAVS

_carddavs._tcp.example.com SRV 0 0 443 box.example.com.

‘Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain.’

The SRV values I added:

HOSTNAME: _carddavs._tcp.example.com
WILL DIRECT TO: box.example.com
PORT: 443
PRIORITY: 0
WEIGHT: 0
TTL (SECONDS): 1800

Are they correct?

7.3 DNSSEC

Both DO and BigRock don’t have DNSSEC. Any workarounds?

7.4.a TLSA

_25._tcp.box.example.com TLSA 3 1 1 <random string>

Recommended when DNSSEC is enabled. Advertises to mail servers connecting to the box that mandatory encryption should be used.

Since I couldn’t find TLSA records in the DNS settings of example.com. I added the above as a CAA record. Is that right? Also, where does the random string go?

HOSTNAME: _25._tcp.box.example.com
AUTHORITY GRANTED FOR: box.example.com
TAG: issue
FLAGS: 0
TTL (SECONDS): 1800

7.4.b TLSA

_443._tcp.box.example.com TLSA 3 1 1 <random string>

Optional. When DNSSEC is enabled, provides out-of-band HTTPS certificate validation for a few web clients that support it.

Since I couldn’t find TLSA records in the DNS settings of example.com. I added the above as a CAA record. Is that right? Also, where does the random string go?

HOSTNAME: _443._tcp.box.example.com
AUTHORITY GRANTED FOR: box.example.com
TAG: issue
FLAGS: 0
TTL (SECONDS): 1800

8. We still can’t send mails and we see this error in our Mail-in-a-box > System > External DNS:

’Nameserver glue records (ns1.box.example.com and ns2.box.example.com) should be configured at your domain name registrar as having the IP address of this box (our_ip_address). They currently report addresses of [Not Set]/[Not Set]. If you have set up External DNS, this may be OK.'

9. The below records exist as ‘child name servers’ at BigRock. And the rest of records reside inside the Digital Ocean DNS management system.

Hostname: ns1.box.example.com
IP Address: our_ip_address

Hostname: ns2.box.example.com
IP Address: our_ip_address

Hmm, now? Hoping that you were able to spot the problem here and will be able to help out.

mail-in-a-box-screenshot-share.png1367×2381 199 KB

Many thanks,
Brijesh

When did you change the nameservers? DNS propagating for nameservers can take up to 48 hours to take affect.

Yes, I am aware of that. It’s been more than 5 days adding the records, and about 4 days since we last reset the name servers.

Also - after setting the name server, unless you add a new A record in the custom DNS page in the admin panel of MIAB, it will load box.example.com’s built in default web page.

I am wondering if you have the Glue record set correctly at Big Rock??

from Managing DNS Resource Records | KnowledgeBase

If an NS Record delegates a sub-domain (subdomain.yourdomainname.com)to a DNS Server with a name in that sub-domain (ns1.subdomain.yourdomainname.com), an A Record for that server (ns1.subdomain.yourdomainname.com) must exist in the Parent Zone (yourdomainname.com). This A Record is referred to as a Glue Record, because it doesn’t really belong in the Parent Zone, but is necessary to locate the DNS Server for the delegated sub-domain.

You refer to a “child nameservers section” which is unfamiliar terminology to me. Also, Big Rock’s explanation seems odd to me as well. With the domain registrars I have worked with it is referred to as a ‘Glue record’ or a ‘Registered Name Server’.

Are you trying to use a sub-domain?

Going through your questions one at a time. The External DNS page in MaiB is only needed if you want to host your DNS in a different location, and not on MaiB. I would not do that unless you have a very good reason to do so. MaiB is very capable to handle DNS for all your domain. I currently have 6 domains managed by MiaB today.

7.3 DNSSEC

Both DO and BigRock don’t have DNSSEC. Any workarounds?

DNSEC is not required, but would be setup with your Domain Register, not DO. Is BigRock a Register? (just checked, and they are) If they don’t support DNSEC, I would switch Registers.

The glue records error is the key here. If BigRock is your Register you need to setup your Glue Record with them. I also had a read through the same page as @alento and it seems very confusing, but if you talk to their support I suspect they can create the needed glue records and then once that is done have your name services refer back to MiaB as needed. My Register is GoDaddy and you have to create the Glue Record first (A Record) before you can change your NS records. I assume that is pretty standard across the board.

As far as I know you can’t use child name servers, but someone correct me if I am wrong. MiaB should be the DNS for your domain. Or you can use external DNS and make sure you point all of the records back to MaiB as seen on the External DNS page. I have done it that way before as a test, but it is best to let MiaB handle DNS for your domain.

If you want us to troubleshoot further maybe send one of us your domain name so we can check to see what we get when we do a look up on box.DOMAIN.com and that would give us more info to help.

More of a side discussion, I suppose you can use a sub-domain, but I expect that gets to be pretty complicated if you are hosting your DNS off of MiaB. I’ve only created sub-domains on my MiaB, but never tried to have the MX records point somewhere else.

Thanks for taking out time and replying guys. Really appreciate it. @murgero, alento, and cwilkins. I can’t mention more than 2 users right now using @. Haha…

Our domain is syob.co and mailbox is at box.syob.co.

@ murgero

“Also - after setting the name server, unless you add a new A record in the custom DNS page in the admin panel of MIAB, it will load box.example.com’s built-in default web page.”

Thank you for pointing this out, but what will the values be for that A record in the custom DNS page in the admin panel of MIAB? If you can can elaborate more, then it would be great.

@ alento

“I am wondering if you have the Glue record set correctly at Big Rock??”

What exactly is a Glue record? Oh, it seems to be what BigRock calls a ‘Child Name Server’. In the BigRock domain admin panel, there are two sections for adding domain name servers:

1 Name Servers

Ability to add only name records like ns1.example.com. There is no option or ability of adding any IP address here.

Example:

Name Server 1: ns1.example.com
Name Server 2: ns2.example.com
Name Server 3: ns3.example.com
Name Server 4: ns4.example.com

Kindly read point nos. 5, 6, and 9 in my original post. >> Also, adding ns1.box.example.com and ns2.box.example.com to the name servers causes an overlap and loads the box.example.com when example.com is visited.

So we added box.example.com to the child name servers section, which seems to be correct now (after doing some research).

2 Child Name Servers

Ability to add the Host Name and IP Address.

Example:

Host name: ns1.box.example.com
IP address: 255.11.22.33

Host name: ns2.box.example.com
IP address: 255.11.22.33

@ cwilkins

“Are you trying to use a sub-domain?”

Yes, we are using a subdomain as box.example.com.

“The External DNS page in MaiB is only needed if you want to host your DNS in a different location, and not on MaiB.”

We are using the Digital Ocean DNS. So I guess it comes under the section of external DNS only.

“DNSEC is not required but would be set up with your Domain Register, not DO. Is BigRock a Register? (just checked, and they are) If they don’t support DNSEC, I would switch Registers.”

Why is DNSSEC not required. And yes, BigRock is our domain registrar but DNS is being handled by Digital Ocean. We are already looking to move to a better one.

“As far as I know you can’t use child name servers, but someone correct me if I am wrong.”

What exactly is a Glue record? Oh, it seems to be what BigRock calls a ‘Child Name Server’. In the BigRock domain admin panel, there are two sections for adding domain name servers - Name Servers and Child Name Servers (Glue Records).

Our domain is syob.co and mailbox is at box.syob.co.

Just want to know If I am using the Digital Ocean DNS and my registrar is BigRock, in order to get my MIAB work what should be the right way to get it done? Any links or step by step tutorial?

@JoshData Can you please help? You might be able to spot the issue in a fraction of seconds.

Why are you using DNS at Digital Ocean rather than within MiaB? Is there a specific reason for this?

And since you have disclosed your domain name, could you please use it rather than example.com going forward?

Why are you using DNS at Digital Ocean rather than within MiaB? Is there a specific reason for this?

We just want our DNS to be in one place. Will having it at MiaB solve the problem?

And since you have disclosed your domain name, could you please use it rather than example.com going forward?

Haha, ok.

Having DNS on your MIAB makes it 1000x easier to help you troubleshoot. (And all your domains can use MIAB as a nameserver for almost any DNS thing it needs too)

As Murgero says above … it will make things 1000x easier to troubleshoot.

As it looks now, you have 3 ns records showing Digital Ocean as your name servers, a MX record pointing to mail.syob.com, and a A record for syob.co. This all is in conflict with what you have said you have done.

So, go back to your registrar and tell them you need your glue records for ns1.syob.co and ns2.syob.co to point to the IP address of your DO droplet. Ask them to set it up or give you specific instructions. Once that is done, I suspect that things will work.

Also after changing the nameservers - wait at least 48 hours before reporting more issues as nameserver changes can take up to 48 hours to take affect.

Okay, let me try it. I will test it and let you guys know if that worked for me in the next 3-4 days. Thanks for your replies.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.