mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License
3.71k stars 113 forks source link

Autodiscover check: private IP is attempted even if NATIPs is present #116

Closed pmarini closed 8 months ago

pmarini commented 10 months ago

In my server (based on mox 0.0.9) I get:

image

However NATIPs parameters is present, so if I'm not wrong the private IP shouldn't be checked?

https://www.xmox.nl/config/#cfg-mox-conf-Listeners-x-NATIPs

mjl- commented 10 months ago

Looking at the code and error, I think the following is happening:

Mox tries to make a TLS connection to the autodiscover (and autoconfig) hostname, on port 443 to check it is working correctly. For autoconfig, that will be autoconfig.<domain>:443, which is working fine (no error message). For autodiscover, the SRV record for _autodiscover._tcp.<domain> points to your hostname, so mox tries to connect to hostname:443. I suspect that on your mail host that name is resolving to your private IP address, likely due to an entry in /etc/hosts, which prevents resolving from going through DNS resolving.

I think it's generally not a good idea to have a DNS name resolve to a different IP on the machine in question. If this is your MX host, it typically also leads to problems when trying to deliver messages to your own domains (the MX record points to your hostname too, and trying to connect may fail). Also, any DNSSEC status you would get from resolving over DNS is gone when using /etc/hosts.

If this is the case, I would suggest removing entry for the full hostname from /etc/hosts, while leading any non-FQDN in.

Perhaps the analysis above isn't quite right and we need to dive in deeper.

pmarini commented 10 months ago

Your analysis is correct. I had a local DNS entry, once removed the warning disappears. Thanks!

mjl- commented 8 months ago

Marking as closed, feel free to reopen if needed!