MIAB refusing email from hosts on the internal network the miab server is on

My MIAB box is on an internal net 10.9.26/24 and I have forwarding rules on the router to forward email to this host from the outside. I have MX records pointing to the external IPv4 address of the outside for the three domains that occupy the internal net. When I send email from a host on the internal net (files.summertrail.org) with a destination of ted@frohling.org (one of the advertised domains, the one that is the most well known, and the PTR record for the outside address is frohling.org, if this matters in this case), MIAB rejects emails from files… like so:

This is the mail system at host files.summertrail.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<ted@frohling.org> (expanded from <root>): host
    box.summertrail.org[10.9.26.107] said: 550 5.7.27
    <root@files.summertrail.org>: Sender address rejected: Domain
    files.summertrail.org does not accept mail (nullMX) (in reply to RCPT TO
    command)


Reporting-MTA: dns; files.summertrail.org
X-Postfix-Queue-ID: F0FCF4165B
X-Postfix-Sender: rfc822; root@files.summertrail.org
Arrival-Date: Tue, 21 May 2024 06:26:52 -0700 (MST)

Final-Recipient: rfc822; ted@frohling.org
Original-Recipient: rfc822;root@files.summertrail.org
Action: failed
Status: 5.7.27
Remote-MTA: dns; box.summertrail.org
Diagnostic-Code: smtp; 550 5.7.27 <root@files.summertrail.org>: Sender address
    rejected: Domain files.summertrail.org does not accept mail (nullMX)


Return-Path: <root@files.summertrail.org>
Received: by files.summertrail.org (Postfix)
	id F0FCF4165B; Tue, 21 May 2024 06:26:52 -0700 (MST)
Delivered-To: root@files.summertrail.org
Received: by files.summertrail.org (Postfix, from userid 0)
	id E3F12416C2; Tue, 21 May 2024 06:26:52 -0700 (MST)
From: root@files.summertrail.org (Cron Daemon)
To: root@files.summertrail.org
Subject: Cron <root@files> test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <20240521132652.E3F12416C2@files.summertrail.org>
Date: Tue, 21 May 2024 06:26:52 -0700 (MST)

It’s true, files.summertrail.org is not set up to receive emails.

Can’t figure out why this is happening. Please let me know what other log dumps would be helpful in solving this problem.

Thanks

Ted

Sounds like your router doesn’t support hair-pinning.

In which case you would need to run “internal DNS” and basically poison internal DNS to resolve dns names that are local, locally.

Right now you’re trying to resolve files.summertrail.org. If you go to your PC and do a “nslookup files.summertrail.org” (assuming that is the name of your MIAB server), what does it return? Your public IP or your internal private IP?

So say your PC is 10.9.26.100/24 and your MIAB server is 10.9.26.25/24

you would need some kind of DNS to tell your PC not to return some public IP.

Right now if I do a “nslookup files.summertrail.org” it returns 10.9.26.190.

This is a private IP space so it will never work on the internet.

What is your public IP?

What are the contents of /etc/mailinabox.conf?

cat /etc/mailinabox.conf

C:\Users\chris>nslookup frohling.org

Non-authoritative answer:
Name:    frohling.org
Address:  216.183.79.79

Pretty sure this one above is using your Public IP appropriately.

Are you using DNS on your box or external DNS (from the domain registrar)?

Thanks for replying to my problem and helping me solve this one.

Actually in checking this from other systems on my internal network, none can get MIAB to accept their emails.

Looking at main.cf I have this: mynetworks = 127.0.0.0/8 10.9.26.0/24

here is /etc/mailinabox.conf

root@box:/etc# cat mailinabox.conf
STORAGE_USER=user-data
STORAGE_ROOT=/home/user-data
PRIMARY_HOSTNAME=box.summertrail.org
PUBLIC_IP=216.183.79.79
PUBLIC_IPV6=
PRIVATE_IP=10.9.26.107
PRIVATE_IPV6=
MTA_STS_MODE=enforce

The files machine doesn’t have any problem getting to any of the systems on the internal net. I did add files.summertrail.org at 10.9.26.107 in the custom DNS for MIAB to see if that would get me around the problem. All the hosts on my network point their DNS to my pi-hole DNS server. I tried adding that nameserver address to /etc/resolv.conf to see if that would get around the problem on the MIAB system (box…).

10.9.26.8 is the address of the pi-hole DNS server.

Here is an example of nslookup on the MIAB box:

root@box:/etc/postfix# nslookup files.summertrail.org
Server: 10.9.26.8
Address: 10.9.26.8#53

Name: files.summertrail.org
Address: 10.9.26.190

Here’s resolv.conf

nameserver 10.9.26.8
nameserver 127.0.0.1

Here is my main.cf:
root@box:/etc/postfix# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
compatibility_level = 3.6
delay_warning_time = 3h
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_queue_lifetime = 2d
message_size_limit = 134217728
milter_default_action = accept
mydestination = localhost
myhostname = box.summertrail.org
mynetworks = 127.0.0.0/8 10.9.26.0/24
non_smtpd_milters = $smtpd_milters
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_bind_address = 10.9.26.107
smtp_bind_address6 =
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aNULL,RC4
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)
smtpd_forbid_bare_newline = normalize
smtpd_milters = inet:127.0.0.1:8891 inet:127.0.0.1:8893
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],reject_unlisted_recipient,check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = sqlite:/etc/postfix/sender-login-maps.cf
smtpd_sender_restrictions = reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /home/user-data/ssl/ssl_certificate.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /home/user-data/ssl/dh2048.pem
smtpd_tls_exclude_ciphers = aNULL,RC4
smtpd_tls_key_file = /home/user-data/ssl/ssl_private_key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL,DES,3DES,MD5,DES+MD5,RC4
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtputf8_enable = no
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = no
virtual_alias_maps = sqlite:/etc/postfix/virtual-alias-maps.cf
virtual_mailbox_domains = sqlite:/etc/postfix/virtual-mailbox-domains.cf
virtual_mailbox_maps = sqlite:/etc/postfix/virtual-mailbox-maps.cf
virtual_transport = lmtp:[127.0.0.1]:10025


Here’s what I’ve done to get local servers to send via MIAB:

  • In MIAB / admin / custom_dns, added A, AAAA, and MX records for the full local name of each server (e.g. myserver.mydomain.com)

  • In /etc/postfix/main.cf adjust the mynetworks line to include your local servers (both IPv4 and IPv6 addresses).

  • Whitelist the servers by adding to /etc/mail/spamassassin/99_local.cf lines like whitelist_from *@myserver.mydomain.com, and whitelist_from *@myserver.lan if that name also resolves to your server.

  • And list the server domains in /etc/postgrey/whitelist_clients.local

  • Then reboot the box, try a test email from a server, and you might need to wait 4 mins and try another test email.

Not all of that makes sense (probably not all necessary) but it’s in my notes of what I do on upgrade/rebuild. The whitelisting doesn’t always seem to work and I haven’t looked into what I’ve got wrong about that 🙂
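An added example, not from the thread or from the Mail-in-a-Box project, that lints the restriction lists from the `postconf -n` output posted above and explains why step 2 alone (adding hosts to mynetworks) cannot clear the nullMX rejection: reject_unknown_sender_domain, which produced the 550 5.7.27 "does not accept mail (nullMX)" reply, sits in smtpd_sender_restrictions, a list with no permit_mynetworks, so the client's address is never consulted there and the host needs a real MX record (step 1) instead. The config excerpt is a constructed copy of the posted one; the function names are the example's own.

```python
import re

# Constructed excerpt of the `postconf -n` output posted in the thread.
POSTCONF_SAMPLE = """\
mynetworks = 127.0.0.0/8 10.9.26.0/24
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],reject_unlisted_recipient,check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sender_restrictions = reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
"""

# Lists in the order smtpd evaluates them (all at RCPT TO when smtpd_delay_reject=yes).
RESTRICTION_LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                     "smtpd_sender_restrictions", "smtpd_relay_restrictions",
                     "smtpd_recipient_restrictions")
# Tokens that begin a restriction; any other token is an argument of the previous one.
RESTRICTION_PREFIXES = ("permit", "reject", "defer", "check_", "warn_if_reject", "sleep")

def parse_postconf(text):
    """Turn `name = value` lines into a dict; a later line overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        if m := re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", line):
            params[m.group(1)] = m.group(2).strip()
    return params

def split_restrictions(value):
    """Split on commas/whitespace, re-attaching arguments such as
    'zen.spamhaus.org=...' to the restriction that precedes them."""
    items = []
    for tok in filter(None, re.split(r"[,\s]+", value.strip())):
        if items and not tok.startswith(RESTRICTION_PREFIXES):
            items[-1] += " " + tok
        else:
            items.append(tok)
    return items

def rejects_before_mynetworks_permit(params):
    """Per list, the reject_* entries evaluated before any permit_mynetworks, i.e.
    those that still apply to mynetworks clients. Lists are independent: a permit in
    smtpd_recipient_restrictions cannot undo a reject from smtpd_sender_restrictions."""
    report = {}
    for name in RESTRICTION_LISTS:
        rejects = []
        for item in split_restrictions(params.get(name, "")):
            if item.startswith("permit_mynetworks"):
                break
            if item.startswith("reject_"):
                rejects.append(item.split()[0])
        report[name] = rejects
    return report
```

Running it against the posted config reports an empty list for the recipient and relay lists (internal hosts are permitted first there) but all four reject_* entries for smtpd_sender_restrictions, which is exactly where the bounce came from.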

Much thanks Andrew. It looks like these changes have things working. I’ll need to wait till tomorrow as the various cron jobs fire off. After making the changes, I received what were several held messages. Fingers crossed. 🤞

Got the output of the cron jobs from the other systems. The adds were not documented anywhere that I could find and they work. Sort of non-intuitive that they should have been needed, but Andrew hit the nail on the head. Seems that the MIAB documentation for setup should cover this.
ted
