V.50 MTA-STS questions about mail domains

hello

Just upgraded to .50

I’ve read the thread about the policies missing after upgrade. After provisioning the TLS cert for the box domain and rerunning the setup, the errors disappear, and external checkers say all is well with those DNS entries for the box’s domain name only.

My question - my email server has one domain: box.something.co - and the above was all focused on the box passing the DNS checks for MTA-STS records. But my server also has many other email domains, and they all currently do not pass the MTA-STS checks.

“MTA-STS policy is missing: STSFetchResult.NONE”

The TLS SSL page won’t automatically install certificates on the mta-sts.somethingelse.co domains

Is the only way to do that by manually creating certificates for each domain?

What happens if I ignore the error, and the missing certificates?

Andrew


Hi Andrew

Hope this adds some color to greyworld!

I had the same issue as you, (multiple domains hosted on the one installation of MIAB with “MTA-STS policy is missing…” errors being reported on the System -> Status Check page, for all of the domains except the one hosting the MIAB install).

I am now in the position where everything is green on the admin -> System -> Status Check page summary page. I did the following three things, but suspect you might be able to get away with doing just items 1 & 3.

  1. Issue TLS (SSL) certificates for all of the new autocreated “mta.sts.yourdomain-dot-com” sites.

You made the observation that it doesn’t automatically install certificates as part of the upgrade. That’s correct, but it does automatically do the certificate creation; you just have to give it a nudge by pressing the blue “Provision” button on the admin -> System -> TLS (SSL) Certificates page. This will then run through the process of engaging with the certbot to obtain and install the certificate for each site that doesn’t yet have a Let’s Encrypt certificate installed.

Note: Make sure that any virtual firewalls protecting your MIAB server at your hosting company (Linode, DigitalOcean etc.) are configured as per the Firewall settings in the MIAB setup guide … specifically, port 80 needs to be open for Let’s Encrypt servers to talk with the MIAB installation.

Pressing the “System -> TLS (SSL) Certificate -> Provision” button once should result in ALL of the listed Domains showing they have a signed and valid certificate status … no need to manually configure each one.

  2. Add an “mta-sts.txt” policy document for each site.

With regards to the red error messages about “MTA-STS policy missing” that are listed on the System -> Status Check page. I am unsure whether doing the following might be overkill, but if you do it, it will remove the error messages.

My understanding of implementing the MTA-STS policy is that for each domain hosted by the MIAB installation, there needs to be a subdomain called “mta-sts.of-whatever-listed-domain-dot-com”. And each of these subdomain sites hosts a text file stored in a hidden sub-directory which is your mta-sts policy file for that site. My assumption was that each of the sites listed needed its own policy file stored in the hidden sub directory for that site … but now I am not so sure, as I made some edits to the txt files stored in one of my subdomains and could not get the damn thing to reflect my changes when I tried to read it using a web browser. Turns out that the actual mta-sts.txt policy file being accessed for ANY of the domains hosted on the MIAB server was the same mta-sts.txt file sourced from /var/lib/mailinabox and not from the hidden directory (./well-known) located under each subdomain website (/home/user-data/www/mta-sts.whatever-listed-domain-dot-com).

Probably OK to do as each website serves up the same mta-sts policy content.

  3. Create and host two DNS TXT records for each of the auto created “mta-sts” subdomain websites

System => Custom DNS => set custom DNS records

Name : [ _mta-sts ] . [ “domain name” from pull down menu ]

Type : [ “TXT” from pull down menu ]

Value : [ v=STSv1; id=yyyymmdd-anyblahblah ] … where I believe the id string can be anything

Press the “Set Record” button to add the custom DNS record

Repeat the above process to add the second custom DNS record for the chosen domain

Name : [ _mta-sts ] . [ “domain name” from pull down menu ]

Type : [ “TXT” from pull down menu ]

Value : [ v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com ]

Press the “Set Record” button to add the custom DNS record

(Note: if the email address “tlsrpt@yourdomain-dot-com” doesn’t exist, create an alias and map it to an address that does.)

Repeat step 2 for each domain available in the pull down menu (System => Custom DNS => Set custom DNS records => Name = [ ] . [ pull down menu ] )

After doing all of the above and rebooting the machine my “System -> Status Checks” page was all green.

If you ignore the error and missing certificates? Not sure … but it’s safe to assume that something will get rejected at some point in the (… far distant?) future.

Hope this helped.


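An added example, not part of the original posts and not Mail-in-a-Box's own code: an offline checker for the three pieces discussed above (the `_mta-sts` TXT record, the TLS reporting TXT record and the `mta-sts.txt` policy body), following RFC 8461 and RFC 8460. The hostnames and sample records are constructed; RFC 8461 limits `id` to 1-32 letters or digits, and RFC 8460 places the reporting record at `_smtp._tls.<domain>`.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age (seconds)
# Constructed sample policy body, as served at /.well-known/mta-sts.txt
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: box.example.com\nmax_age: 604800\n"

def parse_txt(record):
    """Split a 'k=v; k=v' TXT record into a dict."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    return {k.strip(): v.strip() for k, _, v in parts}

def check_sts_txt(record):
    """Problems in the TXT record at _mta-sts.<domain> (RFC 8461, 3.1)."""
    f, problems = parse_txt(record), []
    if f.get("v") != "STSv1":
        problems.append("v must be STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", f.get("id", "")):
        problems.append("id must be 1-32 letters or digits")
    return problems

def check_tlsrpt_txt(record):
    """Problems in the TXT record at _smtp._tls.<domain> (RFC 8460)."""
    f = parse_txt(record)
    ok = f.get("v") == "TLSRPTv1" and f.get("rua", "").startswith(("mailto:", "https:"))
    return [] if ok else ["need v=TLSRPTv1 and a mailto: or https: rua"]

def mx_allowed(pattern, host):
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):  # wildcard covers exactly one left-most label
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

def check_policy(body, mx_hosts):
    """Problems in a policy body, given the MX hosts the domain really uses."""
    fields, patterns = {}, []
    for line in body.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if key == "mx":
            patterns.append(value.lower())
        elif sep:
            fields[key] = value
    age = fields.get("max_age", "")
    checks = [(fields.get("version") == "STSv1", "version must be STSv1"),
              (fields.get("mode") in ("enforce", "testing", "none"), "mode must be enforce, testing or none"),
              (age.isdecimal() and int(age) <= MAX_AGE_LIMIT, "max_age missing or out of range")]
    problems = [msg for ok, msg in checks if not ok]
    problems += [f"MX {h} not covered by policy" for h in mx_hosts
                 if not any(mx_allowed(p, h) for p in patterns)]
    return problems
```

Because every hosted domain points its MX at the same box, one shared policy body passes `check_policy` for all of them as long as its `mx` lines cover that host.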
@hopesow

Hi Andrew,

Thanks for this … I haven’t yet begun to study this so it is a complete unknown to me… however one thing I latched onto I’d like to confirm.

Does MiaB NOT do this automatically? Shouldn’t MiaB do this automatically @JoshData? It seems that this would be an integral function for the box to be performing itself.

@hopesow, I followed your instructions to force the cert provisioning and then re-ran the setup before doing anything else:
curl -s https://mailinabox.email/setup.sh | sudo bash
and all is now good.

@alento, maybe the DNS TXT records are only created automatically when the certs are provisioned and if they are not there the first time the update runs then it fails to complete those steps?

I confirmed, I had the same problem:

  1. run curl -s https://mailinabox.email/setup.sh | sudo bash to update
  2. mta-sts problem appears in “status check” section
  3. provision certificates for new mta-sts domain
  4. re-run curl -s https://mailinabox.email/setup.sh | sudo bash

then it will be ok


Hello

My word yes it does! :grinning: It’s very much appreciated, and thank you for the time you spent laying that all out. That is my mission for the day.

The last point about something breaking in the future is really where my head was at. So this is going to put my mind at rest.

best wishes

Andrew

p.s greyworld is my art group - greyworld.org - things to make you smile.

PS In my installation, the “provision” button only gets the cert for the main domain. All the others, for example mta-sts.greyworld.org, have an “install certificate” button beside them. Clicking it pulls the page down to the Install certificate section. It’s not straightforward like the box certificate.

PPS The other thing that’s different for me is that under /home/user-data/www I don’t have any folders for my subdomains… So perhaps that’s why, when I’ve added the extra TXT records to DNS, they are still showing as errors…


Hmm, this does sound like something that should be done automatically - perhaps an oversight in this version? Has anyone opened an issue on GitHub?

@JoshData thoughts?

I think it’s been working for everyone else… So there’s probably some other reason the control panel isn’t offering to provision a certificate.

Last time I got “provision” not working (only “install certificate” was displayed), it was because I had 2 certificates for the same domain name, which led to a conflict and made it impossible to provision.

I had to manually delete one certificate through SSH (the older one); I don’t know why it happened.

But maybe it’s not that in your case.
