I have my mail server behind a firewall and have made sure to open all the correct ports. The status checks page says that no service is publicly accessible, the nameserver glue records are not set and the MX records are not set.
The box is hosting its own DNS and handles email fine. I ran host ns1.box.MYDOMAIN.us and host -t ns MYDOMAIN.us on the box, which came back as not found: 2(SERVFAIL)
I ran the commands on another server and they successfully resolved.
Do you mean you’re not using the built-in MIAB UFW firewall, but using your own (maybe hardware)?
Or maybe both? If you issue the following command: ufw status numbered
be sure that all those ports are also open in your other firewall. It would also help if you could post the output of that command (okay to redact IP/hostnames if they are in there).
Sorry about the late reply. I searched through all the logs and nothing has been blocked pertaining to the port forwards. Could this be an issue with DNS forwarding or something through pfSense? I’m not very familiar with DNS.
Anyone have any ideas? Everything seems to function normally except it will not allow me to get a Let’s Encrypt certificate with these errors. I forwarded all ports, TCP and UDP, through my firewall but nothing seemed to change.
It’s to do with being behind a NAT. I had the same trouble running MiaB within an LXC container.
I had to turn on something called “NAT hairpinning” on the virtual bridge I was using. Try searching for something like that for your pfSense firewall.
It’s a bit complicated, but basically the issue is that the traffic generated by the status checks reaches your NAT/firewall, and then doesn’t get routed back to your box like you’d think it would. This is because your firewall is only configured to forward external “incoming” packets to your box, but it sees this traffic as “internal” traffic that’s trying to get to your public IP. Since the firewall is your public IP, it thinks that the traffic has reached its destination, and it just dies there.
This only happens when the box tries to talk to itself over the public IP. That’s why all the external stuff is probably working just fine, and also why you can access the box over its internal IP without any issues.
What you need is a way for the firewall to know to treat traffic coming from your internal box IP that’s bound for your public IP the same as incoming traffic, and forward it back to your MiaB IP accordingly.
It’s in System > Advanced > Firewall & NAT. Set “NAT Reflection mode for port forwards” to “Pure NAT”, and enable “Enable automatic outbound NAT for Reflection” (plus “Enable NAT Reflection for 1:1 NAT” if relevant). You can also set the reflection mode on the individual NAT rules pertaining to your MIAB host if you’d prefer not to enable this globally. (Say, if you use split DNS and don’t actually need reflection for anything other than MIAB’s verification page.)
Also be aware, if you’re using IP aliases in your NAT rules, they’ll have to be pointing at an actual IP address, not a hostname. pfSense won’t know which interface to add the additional NAT rules to otherwise; see https://redmine.pfsense.org/issues/8233.
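To make the hairpin explanation above concrete, here is a small model of the firewall decision (an added example, not code from the thread or from pfSense itself): a port-forward rule table, a packet handler that applies the rule only for traffic that counts as "inbound", and a status_check() that mimics the box probing its own public IP on every forwarded port. The IP addresses, ports and the two boolean switches standing in for the "Pure NAT" reflection mode and "automatic outbound NAT for Reflection" settings are constructed assumptions, chosen only to illustrate the mechanism.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PortForward:
    proto: str       # "tcp" or "udp"
    wan_port: int    # port on the public (WAN) address
    target_ip: str   # internal host the rule forwards to (the MiaB box)
    target_port: int

@dataclass
class Firewall:
    wan_ip: str
    lan_ip: str
    lan_net: str
    forwards: list = field(default_factory=list)
    nat_reflection: bool = False               # stands in for "NAT Reflection mode" = Pure NAT
    outbound_nat_for_reflection: bool = False  # stands in for "automatic outbound NAT for Reflection"

    def handle(self, src_ip, proto, dport):
        """What the firewall does with one packet addressed to its own WAN IP."""
        rule = next((f for f in self.forwards if f.proto == proto and f.wan_port == dport), None)
        if rule is None:  # no forward for this port: the firewall itself owns the WAN address
            return {"action": "local", "src": src_ip, "dst": self.wan_ip, "dport": dport}
        from_lan = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.lan_net)
        if not from_lan:  # ordinary inbound traffic from the Internet: the forward applies
            return {"action": "forward", "src": src_ip, "dst": rule.target_ip, "dport": rule.target_port}
        if not self.nat_reflection:
            # Hairpin case: the firewall treats this as internal traffic to its own address,
            # never applies the port forward, and the connection dies here.
            return {"action": "local", "src": src_ip, "dst": self.wan_ip, "dport": dport}
        # Reflection rewrites the destination as for inbound traffic; outbound NAT for reflection
        # also rewrites the source to the firewall's LAN address so the reply returns via the firewall.
        new_src = self.lan_ip if self.outbound_nat_for_reflection else src_ip
        return {"action": "forward", "src": new_src, "dst": rule.target_ip, "dport": rule.target_port}

def status_check(fw, box_ip):
    """Mimic the box probing its own public IP on every forwarded port: (proto, port) -> reachable."""
    result = {}
    for f in fw.forwards:
        out = fw.handle(box_ip, f.proto, f.wan_port)
        result[(f.proto, f.wan_port)] = out["action"] == "forward" and out["dst"] == box_ip
    return result

# Constructed sample values (documentation address ranges), not taken from the thread.
FORWARDS = [PortForward("tcp", 25, "192.168.1.50", 25), PortForward("tcp", 443, "192.168.1.50", 443),
            PortForward("udp", 53, "192.168.1.50", 53)]
FW = Firewall("203.0.113.10", "192.168.1.1", "192.168.1.0/24", FORWARDS)
```

Calling status_check(FW, "192.168.1.50") reports every port unreachable until nat_reflection is switched on, while an Internet source such as 198.51.100.7 is forwarded either way, which is exactly the "external works, self-check fails" symptom from the first post.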