I am moving along with my MiaB setup at klovia.htt-consult.com. Only customizations are netplan static IPv4 (and no IPv6), set-timezone, and install locate. I am staying away from other customizations…
My domain is htt-consult.com with name.com as my Registrar. They are still pointing to my old DNS server of onlo.htt-consult.com and I can’t switch this until MiaB DNS is doing a couple of things.
I have one system on a VLAN whose DNS is being served by klovia so I have a test site. I can access all hosts currently configured by MiaB defaults and what I have set up in Custom DNS. I have created one user, rgm@test.htt-consult.com, which has added MX records for test.htt-consult.com. I have used imapsync.lamiral to move that user’s email from my current mail server at z9m9z; I had to open port 143 on klovia to use this tool.
So now onto a set of questions so I can take the next steps:
DNS on klovia is not providing name resolution for the rest of the Internet. What do I have to do for this?
I have 2 subdomains to first move to MiaB: test and labs. I need for the current DNS, onlo, to point to klovia. Are the following “all” I need to add to my current DNS for mail to be directed to klovia:
Once I switch a system to be using klovia for its DNS, until I can migrate mail@htt-consult.com (my main users!), I would need klovia’s DNS MX records to point to z9m9z.htt-consult.com. Is that possible?
I have 2 secondary DNS servers. I THINK adding them is straight-forward, but I need to talk to their admin for the switch over. What SOA timer controls updates to those servers?
For some 10 years, my users have used webmail.htt-consult.com to access Roundcube. This is done with rewrite rules in my web server. I don’t look forward to retraining them. Is this possible with MiaB, or am I stuck with the /mail part of the Roundcube URL?
questions 1-4 are critical. 5 is needed/desired. 6 would be nice.
Set the nameserver at name.com to klovia. You’ll probably also need to set a glue record for klovia there.
I think for delivery you only need the MX records. If you want to send mail it’s recommended to set the other mail specific entries (spf, dkim etc). This is not needed if you already did #1
You can try, it’s possible to override mailinabox dns entries with custom ones. I’m not entirely overseeing the implications
Not sure what timer is involved. I think it works by axfr notifications
I think it is, I don’t have it readily available. Search the forum
Possible. First create an email address (can be an alias) @webmail.htt… Then you can create a yaml file that will take care of forwarding. (again don’t know the syntax top of mind, have to look it up)
I can’t do that until I KNOW that DNS on klovia will handle what I need. And I can’t do that until I migrate the bulk of my users that are in htt-consult.com, currently served from z9m9z. That makes switching a flag day. I can’t do that.
I guess I am “used” to a nameserver having the option of being authoritative for its domain and caching for everything else.
I just got a response from a colleague that had a big hand in ISC and BIND, but now does not use it. Rather NSD. But he said:
“nsd is authoritative only. For recursive service you need something like unbound. One can definitely run both on the same box if one is careful, but they’ll need to be on different addresses or ports, and you’ll need to pay careful attention to resolv.conf setting. If absolutely necessary, one can even configure such a combo to provide bind9-like mix of authoritative and recursive on a single address and port, but that’s usually a bad idea so only if really needed.”
Wow! I am getting a bit of an education here. I lived in my small DNS corner for decades.
I trust him on such matters; it has been his job for many-a-year. So how does MiaB and its clients resolve FQDNs? Do you use some public resolver, perhaps your registrar’s? This kind of turns the whole DNS lookup around. It seems like MiaB just serves its zone to its registrar and it and clients need a “real” DNS resolver source?
I got that working now for test.htt-consult.com. I can now setup labs and get a good test of migration AND have a real test for Thunderbird accessing MiaB before moving the bulk of my users.
This is important if I am going to avoid a flag day of switching DNS AND email for htt-consult.com mail users.
But will this “always” work over the priority 10 of klovia? How long will MiaB wait on priority 5 before moving down to 10? I will do a simple test with the sendmail command from that system on the klovia DNS subnet.
This is figured out. I had some old cruft hanging around for a few months that was messing me up.
Bad news, in a sense that NSD is only an Authoritative nameserver, and does not provide recursive lookups for fully supporting clients. I have thought a bit about your instructions, and realize that for someone installing MiaB on a cloud service, they would never have an issue with this. Someone (like me!) installing it locally has to know this little tidbit. It means that for all my local systems, that I have to use some DNS server other than MiaB. For right now I will use the one AT&T has configured in their gateway here. I will look into Unbound and see what it takes to run it (and not on the MiaB system).
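For the resolver side of this, here is an added example (not from the thread, and not MiaB’s own configuration) of the split the quoted colleague describes: unbound doing recursion (and DNSSEC validation) for the LAN, while asking klovia’s nsd directly for the zone MiaB is authoritative for, via a stub-zone. It is written for a separate host, as planned above; the addresses 192.0.2.53 (resolver host), 192.0.2.10 (klovia) and 192.168.0.0/16 (LAN clients) are placeholders.

```conf
# /etc/unbound/unbound.conf.d/lan-split.conf  (added example; addresses are placeholders)
server:
    interface: 192.0.2.53
    port: 53
    # Only the LAN (and the host itself) may use this recursive resolver.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    # Needed only if the stub-addr below is a loopback address, i.e. if unbound
    # and nsd share a box and nsd listens on 127.0.0.1 with a non-53 port.
    # do-not-query-localhost: no
    # Needed only if the MiaB zone hands out RFC 1918 addresses for internal
    # hosts; unbound otherwise drops such answers as DNS rebinding.
    # private-domain: "htt-consult.com"

# Ask klovia directly for anything under htt-consult.com instead of walking the
# public delegation (which still points at onlo until the registrar is switched).
stub-zone:
    name: "htt-consult.com"
    stub-addr: 192.0.2.10        # or 192.0.2.10@5353 if nsd is on another port
    stub-prime: no
```

LAN clients then get 192.0.2.53 from DHCP or in resolv.conf, which also removes the dependence on the AT&T gateway resolver; the MiaB host’s own resolv.conf stays as the installer left it. If unbound has to share the MiaB box, it must sit on a different address or port from nsd (for example `interface: 127.0.0.1` with nsd on the public address), exactly as the quoted advice says, and `unbound-checkconf` will catch most typos in the file before a restart.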
I have successfully moved the one user in subdomain labs.htt-consult.com. I can’t shut off the current server’s postfix. What I did was first remove the MX records for labs. Then moved the emails (took ~2hr) and logged into the moved account with Thunderbird. I had to change from using STARTTLS to TLS which meant I also had to open port 465 on my internal firewall box. Changes noted to help out other users…
It will take some time to migrate all users on my domain. I don’t have to switch DNS until the users are all on MiaB. THEN switch DNS to some outside nameserver and change my registrar to point to MiaB. Not too bad of a task.
5&6 still to be done.
I really do not like the current RoundCube look-and-feel. I showed it to my daughter (one of my domain users) and she said yuck. And that it looks just like Outlook at work; which sounds bad for the home team to change to something like it was back on release 1.0.6.
If anyone has tips on “fixing” how Roundcube looks. It is NOT opening emails in another tab, even though I have selected that config option.
So it looks like I will make the move. Most likely finished by end of next week. With a few loose ends.
All mail has been moved from old to new server.
Postfix turned off on old server.
Old (but current on Internet) DNS now has updated MX records and mail is arriving to accounts on new server.
ERGO EMail is moved and now live!
I am going to need to find an alternative to RoundCube. They really lost it with the user experience by mimicking Outlook. Unless there is a way that others have found. No response on the RoundCube user list.
I can spin up a server on another box just for reading mail for those that don’t use Thunderbird. But after I move DNS.
Moving DNS will be later today. I have to update my registrar and secondaries. Will update here when done.
Latest challenge is logwatch emails from other servers.
On those servers, logwatch is configured to send to “root”. Then in that server’s postfix aliases, root is mapped to me, rgm@htt-consult.com. This has been working through a number of mail iterations. MiaB is bouncing these messages. The bounces get to me and end up in my spam folder!
So what do I change in MiaB so that these messages are properly forwarded?
The alias helped to stop the bounce. But the email is being tagged as spam, what do I do to stop MiaB from flagging it:
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on klovia.htt-consult.com
X-Spam-Flag: YES
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.4 required=5.0 tests=BAYES_00,
DMARC_FAIL_QUARANTINE,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,
RCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_FAIL,SPF_HELO_FAIL,
TO_EQ_FM_DOM_SPF_FAIL autolearn=no autolearn_force=no version=3.4.6
X-Spam-Report:
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
* [score: 0.0000]
* 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
* The query to Validity was blocked. See
* Validity Help Center
* for more information.
* [23.123.122.148 listed in sa-trusted.bondedsender.org]
* 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
* query to Validity was blocked. See
* Validity Help Center
* for more information.
* [23.123.122.148 listed in bl.score.senderscore.com]
* 5.0 DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
* 5.0 SPF_FAIL SPF check failed
* 0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
* [SPF failed: Rejected by SPF record]
* 0.3 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF
* failed
X-Spam-Score: 8.4
Authentication-Results: klovia.htt-consult.com; dmarc=fail (p=quarantine dis=none) header.from=htt-consult.com
Authentication-Results: klovia.htt-consult.com; spf=fail smtp.mailfrom=medon.htt-consult.com
Authentication-Results: klovia.htt-consult.com; dkim=none;
dkim-atps=neutral
Received: from medon.htt-consult.com (medon.htt-consult.com [23.123.122.148])
by klovia.htt-consult.com (Postfix) with ESMTP id 1721D4A01BC
for rgm@htt-consult.com; Fri, 30 May 2025 10:29:49 -0400 (EDT)
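To see which rules are actually pushing this message over the 5.0 threshold, here is a small parser for the X-Spam-Status and X-Spam-Report headers quoted above. It is an added example, not MiaB code and not from the thread; the sample input is the posted report re-typed inline so the script runs offline. It shows that BAYES_00 already pulls the message down to -1.9, and that the whole excess comes from the SPF/DMARC family of rules (SPF_FAIL and DMARC_FAIL_QUARANTINE at 5.0 each, plus 0.3 for TO_EQ_FM_DOM_SPF_FAIL), which is what the Authentication-Results lines say: spf=fail for smtp.mailfrom=medon.htt-consult.com, no DKIM, hence dmarc=fail under p=quarantine.

```python
import re

# Sample input, constructed inline from the headers quoted in the post so the
# script runs offline (folded continuation lines start with a tab, as in the mail).
SAMPLE_HEADERS = (
    "X-Spam-Status: Yes, score=8.4 required=5.0 tests=BAYES_00,\n"
    "\tDMARC_FAIL_QUARANTINE,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,\n"
    "\tRCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_FAIL,SPF_HELO_FAIL,\n"
    "\tTO_EQ_FM_DOM_SPF_FAIL autolearn=no autolearn_force=no version=3.4.6\n"
    "X-Spam-Report:\n"
    "\t* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n"
    "\t*      [score: 0.0000]\n"
    "\t*  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:\n"
    "\t*      The query to Validity was blocked.\n"
    "\t*  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The\n"
    "\t*      query to Validity was blocked.\n"
    "\t*  5.0 DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)\n"
    "\t*  5.0 SPF_FAIL SPF check failed\n"
    "\t*  0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)\n"
    "\t*      [SPF failed: Rejected by SPF record]\n"
    "\t*  0.3 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF\n"
    "\t*      failed\n"
    "X-Spam-Score: 8.4\n"
)

HEADER_RE = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")      # field-name ':' value
RULE_RE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)")   # "* 5.0 RULE_NAME ..."
STATUS_RE = re.compile(r"score=(-?\d+\.\d+)\s+required=(\d+\.\d+)\s+tests=(.*?)\s+autolearn=")
AUTH_RULE_RE = re.compile(r"SPF|DMARC|DKIM")


def split_headers(raw: str) -> dict:
    """Map header name -> [first line, continuation lines...] (folding preserved).
    A repeated header name keeps only its last occurrence; enough for this purpose."""
    fields, current = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current:
            fields[current].append(line.strip())
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = [m.group(2).strip()]
    return fields


def parse_report(fields: dict) -> dict:
    """Rule name -> score, from the folded X-Spam-Report lines that carry a score."""
    rules = {}
    for line in fields.get("X-Spam-Report", []):
        m = RULE_RE.match(line)
        if m:
            rules[m.group(2)] = float(m.group(1))
    return rules


def parse_status(fields: dict):
    """(score, required, [test names]) from X-Spam-Status; tests may span folds."""
    text = " ".join(fields.get("X-Spam-Status", []))
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no parsable X-Spam-Status header")
    tests = [t for t in re.split(r"[,\s]+", m.group(3)) if t]
    return float(m.group(1)), float(m.group(2)), tests


def auth_failure_rules(rules: dict) -> set:
    """The SPF/DKIM/DMARC rules: the ones that stop firing once the sender authenticates."""
    return {name for name in rules if AUTH_RULE_RE.search(name)}


def score_without(rules: dict, drop) -> float:
    """Total score if the rules in `drop` did not fire."""
    return round(sum(v for k, v in rules.items() if k not in drop), 1)


def blame(rules: dict, required: float):
    """Smallest set of highest-scoring rules whose removal gets the total under `required`,
    plus the score that would remain."""
    remaining, picked = round(sum(rules.values()), 1), []
    for name, score in sorted(rules.items(), key=lambda kv: -kv[1]):
        if remaining < required or score <= 0:
            break
        picked.append(name)
        remaining = round(remaining - score, 1)
    return picked, remaining


if __name__ == "__main__":
    f = split_headers(SAMPLE_HEADERS)
    rules = parse_report(f)
    score, required, tests = parse_status(f)
    print(f"score {score} (required {required}); report rules match status tests: "
          f"{set(tests) == set(rules)}")
    print("without SPF/DMARC/DKIM rules:", score_without(rules, auth_failure_rules(rules)))
    print("minimal rules to drop:", blame(rules, required))
```

Run it against a saved message to get the same breakdown for any future false positive; the interesting number is the score that remains once the authentication rules are removed, which tells you whether fixing SPF for the sending host (or exempting it, as the next replies discuss) is sufficient on its own.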
I believe you mentioned this is an internal network? In that case you’re probably best off investigating the trusted_networks and shortcircuit ALL_TRUSTED options of spamassassin.
If it’s in an external server, it’s probably easiest to create a dedicated mail account and use this account to send mails from the server.
The error is due to the fact that your external servers don’t have spf etc configured.
These are all internal servers (3 right now, and MiaB soonish). I google this about spamassassin? And how would I enact spamassassin changes with MiaB? I don’t see any controls for this.
There might already be a file under /etc/spamassassin/local.cf containing preparation for this. In any case, if you put it in a *.cf file in that folder, it will become part of the spamassassin config.
No need to restart spamassassin, what is needed is sudo systemctl restart spampd
You should be able to see the result in the email headers you send.
Some debug can be added to spampd by configuring /etc/default/spampd. Look for ADDOPTS and set it to ADDOPTS="--debug --log-rules-hit", then restart spampd again. I’m not sure if this ends up in mail.log, otherwise look at journalctl -u spampd
So the mail is detected to be coming from a trusted network (ALL_TRUSTED), but probably the shortcircuit is not enabled.
I think it is preconfigured (but commented out) in /etc/spamassassin/local.cf. Look for shortcircuit ALL_TRUSTED on (or add that line), and it should also be within an ifplugin/endif part. Something like:
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
shortcircuit ALL_TRUSTED on
endif # Mail::SpamAssassin::Plugin::Shortcircuit
I made this change and nothing changed on the spamassassin flagging. Same info in the mail headers as posted above with a 7.1 score. Here is what is in my local.cf (with comment lines dropped):
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
shortcircuit ALL_TRUSTED on
endif # Mail::SpamAssassin::Plugin::Shortcircuit
I did a restart of both spamassassin and spampd.
Is that space before shortcircuit a problem?
New question:
How do I add a second domain? I got subdomains working, but I don’t see how to add a new domain. For MiaB to be the DNS nameserver and email server.
The custom DNS tab only allows adding DNS records to existing domains. Google says something about a domain tab, but I am not seeing that.
I don’t see a space? But some programs are picky with that, so remove it?
If it doesn’t work like this, I’m not sure how to proceed. Look at the debug info from spampd, but you might have to do your own research from there.
As documented, setup nameservers and create a new user or alias for the new domain. Once that is done, you can add DNS records for the new domain.
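As an added diagnostic for the shortcircuit exchange above (not MiaB code and not from the thread): an `ifplugin … endif` block is silently skipped when the named plugin is not loaded, and on Debian/Ubuntu the `loadplugin Mail::SpamAssassin::Plugin::Shortcircuit` line lives in /etc/spamassassin/v320.pre and is commented out by default, so the local.cf snippet alone changes nothing. ALL_TRUSTED, in turn, only fires when every relay in the Received chain falls inside trusted_networks, so the sending boxes have to be listed there. The leading space in front of `shortcircuit` is not a problem; SpamAssassin strips leading whitespace from config lines. The script below checks those three things against the two files. The file contents and the 192.168.10.0/24 network are constructed samples; 23.123.122.148 is medon’s address from the quoted headers.

```python
import ipaddress
import re

# Constructed sample files (Debian/Ubuntu layout under /etc/spamassassin assumed).
V320_PRE_DEFAULT = (
    "# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit\n"
    "loadplugin Mail::SpamAssassin::Plugin::Check\n"
)
V320_PRE_FIXED = V320_PRE_DEFAULT.replace("# loadplugin", "loadplugin", 1)

LOCAL_CF_THREAD = (                       # the snippet posted above, verbatim
    "ifplugin Mail::SpamAssassin::Plugin::Shortcircuit\n"
    " shortcircuit ALL_TRUSTED on\n"
    "endif # Mail::SpamAssassin::Plugin::Shortcircuit\n"
)
LOCAL_CF_FIXED = (                        # same, plus the sending hosts marked trusted
    "# logwatch senders: medon (from the headers) and an assumed internal /24\n"
    "trusted_networks 23.123.122.148 192.168.10.0/24\n"
    "ifplugin Mail::SpamAssassin::Plugin::Shortcircuit\n"
    "  shortcircuit ALL_TRUSTED on\n"
    "endif # Mail::SpamAssassin::Plugin::Shortcircuit\n"
)

LOADPLUGIN_RE = re.compile(r"^[ \t]*loadplugin[ \t]+Mail::SpamAssassin::Plugin::Shortcircuit\b", re.M)
SHORTCIRCUIT_RE = re.compile(r"^[ \t]*shortcircuit[ \t]+ALL_TRUSTED[ \t]+on\b", re.M)
TRUSTED_RE = re.compile(r"^[ \t]*trusted_networks[ \t]+(.+?)[ \t]*$", re.M)


def shortcircuit_plugin_loaded(pre_text: str) -> bool:
    """True only for an uncommented loadplugin line (a '# loadplugin' does not count)."""
    return bool(LOADPLUGIN_RE.search(pre_text))


def shortcircuit_all_trusted(local_cf: str) -> bool:
    return bool(SHORTCIRCUIT_RE.search(local_cf))


def trusted_networks(local_cf: str) -> list:
    """All entries from every trusted_networks line (the directive accumulates)."""
    entries = []
    for m in TRUSTED_RE.finditer(local_cf):
        entries.extend(m.group(1).split())
    return entries


def to_network(entry: str) -> ipaddress._BaseNetwork:
    """Accept the forms SpamAssassin does: '1.2.3.4', '1.2.3.0/24', IPv6, and the
    partial-octet prefix '1.2.3.' or '1.2' meaning /24 or /16."""
    e = entry.rstrip(".")
    if ":" in e or "/" in e or e.count(".") == 3:
        return ipaddress.ip_network(e, strict=False)
    octets = e.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def ip_is_trusted(ip: str, entries: list) -> bool:
    """Positive entries only; negated ('!') entries are not modelled here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in to_network(e) for e in entries if not e.startswith("!"))


def audit(pre_text: str, local_cf: str, sender_ip: str) -> list:
    """Human-readable findings; an empty list means the three preconditions hold."""
    findings = []
    if not shortcircuit_plugin_loaded(pre_text):
        findings.append("Shortcircuit plugin not loaded: uncomment its loadplugin line "
                        "in v320.pre, otherwise the ifplugin block in local.cf is skipped")
    if not shortcircuit_all_trusted(local_cf):
        findings.append("no 'shortcircuit ALL_TRUSTED on' in local.cf")
    nets = trusted_networks(local_cf)
    if not nets:
        findings.append("trusted_networks not set: ALL_TRUSTED will not fire for a public-IP sender")
    elif not ip_is_trusted(sender_ip, nets):
        findings.append(f"{sender_ip} is not covered by trusted_networks {nets}")
    return findings


if __name__ == "__main__":
    for label, pre, cf in (("as posted", V320_PRE_DEFAULT, LOCAL_CF_THREAD),
                           ("fixed", V320_PRE_FIXED, LOCAL_CF_FIXED)):
        print(label, audit(pre, cf, "23.123.122.148") or ["ok"])
```

Point it at the real files with `audit(open("/etc/spamassassin/v320.pre").read(), open("/etc/spamassassin/local.cf").read(), "23.123.122.148")`; after fixing what it reports, restart spampd as described above and confirm that ALL_TRUSTED now appears in the X-Spam-Status tests list of the next logwatch mail.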
wrt: spamassassin, I removed the space with no change. I have been on the spamassassin mail list since '07 when I was fighting with Scalix, sendmail, and spamassassin on CentOS5. So I will take this problem there; it has been years since I posted on the list.
wrt to a second domain, I did not deduce from the documentation that the 1st, key step is to create a user email for the domain, then the rest follows. I would think that you first create something in the MiaB DNS and then add a user. OK. I created a user, and now I can add DNS records for said domain. Just backwards from my world-view and why the documentation did not make sense to me…
And a problem with the second domain. It gets the same NS records as the first, but that is not what I want. And I don’t see how I can have the 2 domains have different NS records.