mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

mta-sts config still created for domains whose MX record is not on the MIAB server #1782

Open jvolkenant opened 4 years ago

jvolkenant commented 4 years ago

If MIAB is the nameserver for a domain but not the MX server (meaning there is a custom MX record that points to another mail server), the mta-sts DNS and nginx config is still generated. This causes the MX record to point to one place while the ".well-known/mta-sts.txt" file still points to the MIAB domain.

I don't think the mta-sts dns and webserver config should be created in this case. Or there should maybe be multiple "mx: .......com" records in the "well-known/mta-sts.txt" file.

ondrejvaroscak commented 3 years ago

I believe that MIAB is INTENDED to be a mail server; that's basically why it was developed in the first place... But you can edit /var/lib/mailinabox/mta-sts.txt to suit your needs. Please note that for mta-sts to function properly, you also need to manually add _mta-sts and _smtp._tls DNS records that point to your mail domain itself and not to the box:

_mta-sts.yourdomain.com IN TXT "v=STSv1; id=20200926153000"

_smtp._tls.yourdomain.com IN TXT "v=TLSRPTv1; rua=mailto:admin@yourdomain.com"

But I agree that MIAB should generate those automatically and also add MX entries to mta-sts.txt

I would fork it, do the changes and make pull request, but I am a newbie and don't want to screw things up :-)

jvolkenant commented 3 years ago

I believe that MIAB is INTENDED to be a mail server; that's basically why it was developed in the first place... But you can edit /var/lib/mailinabox/mta-sts.txt to suit your needs.

I understand the intentions of MIAB. And while I could edit mta-sts.txt by hand, every time you run web.sh this file would be overwritten.

The mta-sts.txt file is the same for all domains. MIAB has the flexibility to have custom dns records. You could even have a custom MX record that does not point to MIAB. In that case, you probably don't want to specify a mta-sts.txt if your non MIAB MX record does not handle mta-sts.

Please note that for mta-sts to function properly, you also need to manually add _mta-sts and _smtp._tls DNS records that point to your mail domain itself and not to the box:

_mta-sts.yourdomain.com IN TXT "v=STSv1; id=20200926153000"

_smtp._tls.yourdomain.com IN TXT "v=TLSRPTv1; rua=mailto:admin@yourdomain.com"

But I agree that MIAB should generate those automatically and also add MX entries to mta-sts.txt

I'm pretty sure MIAB (at least in master) creates these records for us automatically.

JoshData commented 3 years ago

Sorry I missed this issue before making the release with MTA-STS.

I am reluctant to disable MTA-STS for any domain that the box thinks it is serving email for though. It sounds like you created a dummy email user/alias but then directed the MX elsewhere. That's not a situation I really want to support. We can take an alternate route and trick MiaB into serving DNS but not email. The internals are set up for that to be allowed. (All of the automatically generated subdomains are like that.) And in that case it wouldn't generate MTA-STS records.

jvolkenant commented 3 years ago

Yeah, my worry was that since you could serve DNS but not email for a domain, it may cause confusion that some of the plumbing would be there (mta-sts.txt) but wouldn't necessarily be used/correct. The odds someone used MIAB in this way would be quite low, I would think.

victorlap commented 3 years ago

I would welcome a change in this direction. I started off with a domain that had its mail handled by the box. Now, because hotmail is keeping my IP on a blacklist, I migrated the mail off the box to another provider. For now I think it's best not to update to v0.52.

JoshData commented 3 years ago

If you want to turn Mail-in-a-Box into DNS-in-a-Box (see #683), find a way to have the domain name added to the return value of get_dns_domains at https://github.com/mail-in-a-box/mailinabox/blob/master/management/dns_update.py#L22. That's the beginning of a way to include the domain in DNS without the box thinking it should manage mail for it.

jvolkenant commented 3 years ago

Now, because hotmail is keeping my IP on a blacklist, I migrated the mail off the box to another provider. For now I think it's best not to update to v0.52.

The more common problem is that IP reputation is more important than people think. I would imagine that a lot of people come across MIAB, go spin up a VM at <insert super popular, easy to deploy&destroy cloud provider here>, and wonder why the IP they get is not on a blacklist, yet no one trusts mail from that IP. I have only used small VPS providers for this reason. Only during the first 24h period, when I first set up mail on a new IP, have I had mail to gmail addresses go to the spam bin.

Just because the IP is not on a blacklist right now doesn't mean someone wasn't doing bad things with that IP before you got it.

It causes a lot of problems I feel with mail delivery which get incorrectly put off on MIAB. (just my 2c.)

jvolkenant commented 3 years ago

As far as fixing this issue, there just needs to be a check that, if the A record is PRIMARY_HOSTNAME, then the nginx config for mta-sts is set. But with the way that nginx-alldomains.conf is set up, that would be tough without a little rework.
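The two suggestions in this thread (only publish MTA-STS when the box is actually an MX for the domain, and list every MX host in mta-sts.txt) can be sketched as one small planning step. The following is an added example, not Mail-in-a-Box code: it assumes a hypothetical list of `(name, type, value)` DNS records as a custom-DNS store might hold them, a `PRIMARY_HOSTNAME` constant for the box, and derives the `_mta-sts` policy `id` from a hash of the policy text so the id changes whenever the policy changes (my design choice, not the thread's timestamp style).

```python
"""
Added example (hypothetical, not Mail-in-a-Box code): decide whether a domain
should get an MTA-STS policy, and if so build the policy file body plus the
_mta-sts / _smtp._tls TXT records that belong on the mail domain itself.
"""
import hashlib

PRIMARY_HOSTNAME = "box.example.com"  # constructed: the box's own hostname


def mx_hosts(domain, records):
    """Return the MX target hostnames for `domain`, lowest priority first.

    `records` is a list of (qname, rtype, value) tuples; MX values are
    "priority hostname" as they would appear in a zone file.
    """
    mxs = []
    for qname, rtype, value in records:
        if qname.lower() == domain.lower() and rtype.upper() == "MX":
            prio, host = value.split(None, 1)
            mxs.append((int(prio), host.strip().rstrip(".").lower()))
    return [host for _, host in sorted(mxs)]


def should_publish_mta_sts(domain, records, box=PRIMARY_HOSTNAME):
    """Only publish a policy if the box is one of the domain's MX hosts.

    A domain whose MX points elsewhere is DNS-only from the box's point of
    view, so it must not get a policy naming the box as its MX.
    """
    return box.lower() in mx_hosts(domain, records)


def mta_sts_policy(domain, records, mode="enforce", max_age=604800):
    """Build the .well-known/mta-sts.txt body with one mx: line per MX host."""
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {host}" for host in mx_hosts(domain, records)]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"


def mta_sts_dns_records(domain, policy_text, report_addr):
    """TXT records for the mail domain (not the box), as in the thread.

    The id is a 16-hex-char digest of the policy, so any edit to the policy
    yields a new id and receivers refetch it (alphanumeric, <= 32 chars).
    """
    policy_id = hashlib.sha256(policy_text.encode("utf-8")).hexdigest()[:16]
    return [
        (f"_mta-sts.{domain}", "TXT", f"v=STSv1; id={policy_id}"),
        (f"_smtp._tls.{domain}", "TXT", f"v=TLSRPTv1; rua=mailto:{report_addr}"),
    ]


def plan_mta_sts(domain, records, report_addr, box=PRIMARY_HOSTNAME):
    """Return None when the box is not an MX for `domain`; otherwise the
    policy text and the DNS records to publish."""
    if not should_publish_mta_sts(domain, records, box):
        return None
    policy = mta_sts_policy(domain, records)
    return {"policy": policy,
            "dns": mta_sts_dns_records(domain, policy, report_addr)}


# Constructed sample records: one domain served by the box, one whose MX
# points at an outside provider (the situation this issue describes).
SAMPLE_RECORDS = [
    ("example.com", "A", "203.0.113.10"),
    ("example.com", "MX", "10 box.example.com."),
    ("other.example", "A", "203.0.113.10"),
    ("other.example", "MX", "10 mx1.provider.example"),
    ("other.example", "MX", "20 mx2.provider.example"),
]

if __name__ == "__main__":
    for dom in ("example.com", "other.example"):
        result = plan_mta_sts(dom, SAMPLE_RECORDS, f"admin@{dom}")
        print(dom, "->", "no MTA-STS (MX not on box)" if result is None else result)
```

Running the block shows `example.com` getting a policy with a single `mx: box.example.com` line and its two TXT records, while `other.example` gets nothing, which is the behaviour the issue asks for. Changing the policy (for example `mode: testing` while validating) produces a different `id`, which is what makes receivers pick up the new policy.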

victorlap commented 3 years ago

The more common problem is that IP reputation is more important than people think.(...) It causes a lot of problems I feel with mail delivery which get incorrectly put off on MIAB. (just my 2c.)

True, and I do not mean to come off as having a problem with MIAB. I indeed have a VPS with digitalocean, but my hope is that the IP will get accepted by Microsoft someday, seeing that I have owned that IP for more than 4 years already. Although I think they are just blocking the complete subnet at this point.

It might be easier to migrate the box to another host. May I ask where you have good experiences?

jvolkenant commented 3 years ago

I've used hostus.us for a few years but grew out of that box (low memory VPS). I also had a scenario where a whole /24 I was on got blacklisted. A ticket into support to change IPs was simple enough though. I now use lunanode.com. I personally would stay away from the digital ocean/aws/linode type of places.

jvolkenant commented 3 years ago

I can never find the issue on github, but there is a doc here (https://docs.google.com/spreadsheets/d/13DCG9NrElvYuXoQlmmMrey9tECkx5k6k_Wj_o7wZWBw/edit#gid=0) of a lot of people that have posted their MIABs to see what other people might be using.