I’ve noticed MailCow is talking directly to DNS servers on the internet instead of using my local internal DNS servers in my network. I’ve found this page:


I’ve tried method A, but then the Unbound container doesn’t look healthy and it doesn’t work:

The instruction said to append a few lines, but in data/conf/unbound/unbound.conf the lines mentioned are not even present. Tried to add them manually…

forward-zone:
  name: "."
  forward-addr: 192.168.1.194

With method B I tried to only adjust the DNS for Postfix to my internal DNS. But then I get this:

So how do I make MailCow use my internal DNS server to look up internet domains…?


  • diekuh


Your whole network seems messed up. “Connect to dovecot: refused”?

Something is very broken.

Perhaps start with a summary of the machine. Firewall on and in front of mailcow, OS, Docker version, hypervisor (KVM, VMware etc.), iptables -L -vn output etc.


diekuh I assume you are talking about the Docker network. As I said I’m merely following your own instructions. These errors no longer showed up after I reverted the changes suggested on your own page.

    So perhaps someone can give me a useful reply?

      Shadow - I can reassure you that Method A for using an external DNS can work. I used these instructions on day one of my evaluation of Mailcow over a year ago, and it has been running like that in production for nearly 9 months. FYI, I have unbound running on physical pfSense box at the edge of my network and just added three lines to the top of Mailcow’s unbound.conf in /opt/mailcow-dockerized/data/conf/unbound as shown in the picture below.

      Considering your other issue as well, the experts in this, @diekuh and @pkernstock, are right: there seems to be a hiccough somewhere in your setup and it would take much more information for the community to help.

      As I stated in my post I was looking for a method for MailCow to use the internal DNS server in my physical network, which is an AdGuard Home instance and uses DoH to CloudFlare to resolve internet domains.

So apparently the errors that showed after applying method A are related to DNSSEC validation failures. I’ve managed to disable it using these instructions: https://nlnetlabs.nl/documentation/unbound/howto-turnoff-dnssec/

Now MailCow is successfully using my internal DNS server. Both internal (from a network perspective) and outgoing e-mail traffic seems to be working fine now.

      Is it normal for these ‘experts’ to be this unfriendly at questions from potential new customers? So far all I’ve seen they are doing is yelling out ‘Ye something is broken in your setup’. Not very inviting to consider opening my wallet.
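The post above ends with two configuration states the rest of the thread argues about: a forward-zone in Unbound pointing at an internal resolver, and DNSSEC validation switched off per the NLnet Labs howto (which drops "validator" from module-config). The following checker, added here as an illustration and not part of the thread or of mailcow, parses a minimal unbound.conf and flags exactly those states plus forwarding to a well-known public resolver; the sample config and the resolver list are constructed for the example.

```python
import re

# Constructed sample resembling data/conf/unbound/unbound.conf after the
# thread's changes: forward-zone to an internal resolver, validator removed.
SAMPLE_CONF = """\
server:
  verbosity: 1
  module-config: "iterator"   # validator dropped, so DNSSEC is not checked
forward-zone:
  name: "."
  forward-addr: 192.168.1.194
"""

# Constructed list of public resolver addresses (mailcow docs discourage these).
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def parse_unbound(conf):
    """Return {section: [(key, value), ...]} for a minimal unbound.conf."""
    sections, current = {}, None
    for raw in conf.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # strip comments
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):  # e.g. "server:"
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.strip().partition(":")
        sections.setdefault(current, []).append(
            (key.strip(), value.strip().strip('"')))
    return sections


def audit(conf):
    """List the risky states discussed in the thread, in file order."""
    s = parse_unbound(conf)
    server = dict(s.get("server", []))
    findings = []
    # Unbound's default module-config is "validator iterator".
    if "validator" not in server.get("module-config", "validator iterator").split():
        findings.append("DNSSEC validation disabled: module-config lacks 'validator'")
    if server.get("val-permissive-mode", "no") == "yes":
        findings.append("val-permissive-mode: yes hands bogus answers to clients")
    for key, value in s.get("forward-zone", []):
        if key == "forward-addr" and value.split("@")[0] in PUBLIC_RESOLVERS:
            findings.append(f"forward-addr {value} is a public resolver")
    return findings
```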

        Only you see them as unfriendly, I kind of thought you were being an ass as a new user with such a tone. But, you got it working, so all is good in the mailcow world now.

        7 days later

        Shadow Is it normal for these ‘experts’ to be this unfriendly at questions from potential new customers?

        Just to add:

        1. While I don’t believe I was unfriendly, apologies you felt unwelcome. Beside that, I’m contributing and responding completely in my free-time.
        2. This forum is a community forum, so all responses are community-driven and not part of some kind of commercial support and does not reflect how you would get support of any commercial support subscription.
3. Also, you’ve opened a discussion with quite limited details. Then Andre asked for more details to narrow it down further, you ignored all of them and demanded a “more useful reply”. If you had provided more details as requested, you might have got more useful hints.

However. The main thing I wanted to make you aware of: as you might have seen in the docs, it’s NOT recommended to use public resolvers. And Cloudflare is a public resolver, despite the fact that you’re passing your DNS queries through your AdGuard instance.

        • diekuh


        Using a public forwarder is the worst solution. In fact it is not a solution at all.

        Nobody should do that.

        About support: As Patrik said you are using a community driven support channel. You either use this channel or the commercial channel. 🙂
        We do obviously not provide the same support in the community channel. If you need to be taken by hand and get more detailed help (which is TIME consuming), you are using the wrong channel. We cannot provide that level of support for free, obviously.

        We also can’t provide that level of support and then kindly ask afterwards if you perhaaaaps like to pay for that time. 🙂 Just like I cannot give my car into the shop, they repair it for free and ask me if I’m okay with paying for it. What I can do for free is ask them for ideas how to fix the problem with the car myself.

        Sorry if you felt unwelcome. But I cannot ask the same questions for information again and again and put even more time into it. My time for the community is very limited (sadly!).
