2253: Workaround the infamous coredns feature r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Ensure that we set the ``DO`` flag on our queries to work around https://github.com/coredns/coredns/issues/5189
Add a FAQ entry to point users in the right direction in other cases (dnsmasq), discourage users from running Mailu without unbound
### Related issue(s)
- closes #2243
- closes #2239
- #2164
- #2163
- #2162
- #2135
- #1988
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
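As an added illustration of the two bits this PR relies on (example code written here, not code from the PR or from Mailu, which uses dnspython for this check): a stdlib-only builder that puts the EDNS DO bit into a query's OPT record, the way the admin container's resolver check now does, and a parser that reads the AD bit back out of a reply header; all function names and the sample reply bytes are constructed for this example.

```python
import struct

AD_FLAG = 0x0020  # header flag: Authentic Data, set by a validating resolver
DO_FLAG = 0x8000  # "DNSSEC OK": not a header bit, it lives in the OPT RR's TTL field
OPT_TYPE = 41

def _encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def _skip_name(wire, pos):
    while wire[pos] != 0:
        pos += 1 + wire[pos]
    return pos + 1

def build_query(name, qtype=1, txid=0x1234, want_dnssec=True, udp_size=1232):
    """Wire-format query: header + one question + an EDNS OPT RR (DO set if asked)."""
    flags = 0x0100 | AD_FLAG            # RD, plus AD in the query (what dig +adflag sends)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    opt_ttl = DO_FLAG if want_dnssec else 0
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, opt_ttl, 0)
    return header + question + opt

def query_sets_do(wire):
    """Walk a query and report whether its OPT RR carries the DO bit."""
    qdcount = struct.unpack("!H", wire[4:6])[0]
    arcount = struct.unpack("!H", wire[10:12])[0]
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(wire, pos) + 4       # skip QTYPE + QCLASS
    for _ in range(arcount):
        pos = _skip_name(wire, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
        pos += 10 + rdlen
    return False

def reply_is_validated(wire):
    """True when the reply header carries AD, i.e. the resolver validated the answer."""
    return bool(struct.unpack("!H", wire[2:4])[0] & AD_FLAG)

# Constructed reply headers (no answer section is needed for the flag check):
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, no AD

if __name__ == "__main__":
    print("query carries DO:", query_sets_do(build_query("example.org")))
    print("reply validated:", reply_is_validated(VALIDATED_REPLY), reply_is_validated(UNVALIDATED_REPLY))
```

A forwarder that drops the OPT record or never sets AD will show up as `reply_is_validated(...) == False`, which is exactly the condition the admin container logs as critical.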
log.critical("Your DNS resolver at %s is not working (%s). Please use another resolver or enable unbound via https://setup.mailu.io.",ns,e);
log.critical("Your DNS resolver at %s is not working (%s). Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation",ns,e);
else:
else:
ifresult.response.flags&dns.flags.AD:
ifresult.response.flags&dns.flags.AD:
break
break
log.critical("Your DNS resolver at %s isn't doing DNSSEC validation; Please use another resolver or enable unbound via https://setup.mailu.io.",ns)
log.critical("Your DNS resolver at %s isn't doing DNSSEC validation; Please see https://mailu.io/master/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation.",ns)
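Review bot: the second new log.critical glues a period onto the FAQ URL (`...dnssec-validation.",ns`) while the first new message has none; terminals and log viewers that autolink URLs usually swallow that trailing dot, so users land on a non-existent anchor. Drop the period or put a space before it, matching the first message. Both messages also hard-code the heading-derived anchor `#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation`, so any rewording of that FAQ title silently breaks the link baked into the error; a short stable redirect on mailu.io would be less brittle.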
First, check if you are really sure the user is a legitimate sender, i.e. the registered user is authenticated successfully and own either the account or alias he/she is trying to send from. If you are really sure this is correct, then the user might try to errornously send via port 25 insteadof the designated SMTP client-ports. Port 25 is meant for server-to-server delivery, while users should use port 587 or 465.
First, check if you are really sure the user is a legitimate sender, i.e. the registered user is authenticated successfully and own either the account or alias he/she is trying to send from. If you are really sure this is correct, then the user might try to errornously send via port 25 insteadof the designated SMTP client-ports. Port 25 is meant for server-to-server delivery, while users should use port 587 or 465.
The admin container won't start and its log says ``Critical: your DNS resolver isn't doing DNSSEC validation``
Since v1.9, Mailu requires a **validating** DNSSEC enabled DNS resolver. To check whether your DNS resolver (and its upstream) fits the requirements you can use the following command and see whether the **AD** flag is present in the reply:
..code-block:: bash
dig @<ip> +adflag example.org A
We recommend that you run your own DNS resolver (enable unbound and update your docker-compose.yml when you update from older versions) instead of relying on publicly available ones. It's better security-wise (you don't have to trust them) and RBLs used by rspamd are known to rate-limit per source-ip address.
We have seen a fair amount of support requests related to the following:
- dnsmasq won't forward DNSSEC results unless instructed to do so. If you are running openwrt or pi-hole, you do need to enable DNSSEC.
- `coredns has a bug`_ that we have now worked around
.._`coredns has a bug`: https://github.com/coredns/coredns/issues/5189
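Review bot: the dig check in the new FAQ entry, `dig @<ip> +adflag example.org A`, only sets the AD bit, whereas the workaround this PR adds is to also set DO on Mailu's own queries; a user whose resolver needs DO before it returns AD (the coredns case the entry links to) will therefore get a different verdict from this command than the admin container now does. Suggest `dig @<ip> +adflag +dnssec example.org A` so the documented test probes the resolver the same way the code does. While here, the unchanged paragraph just above the new heading still reads "errornously" and "insteadof".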
<p>The unbound resolver enables Mailu to do DNSSEC verification, DNS root lookups and caching. This also helps the antispam service not to get blocked by the public or ISP DNS servers.</p>
<divclass="form-check form-check-inline">
<divclass="form-check form-check-inline">
<p>The unbound resolver enables Mailu to do DNSSEC verification, DNS root lookups and caching. This also helps the antispam service not to get blocked by the public or ISP DNS servers.</p>
<p><spanclass="label label-danger">Read this:</span> Mailu requires a <b>validating, DNSSEC-enabled</b> DNS resolver</b> to function. Be sure to read our <ahref="https://mailu.io/{{ version }}/faq.html#the-admin-container-won-t-start-and-its-log-says-critical-your-dns-resolver-isn-t-doing-dnssec-validation">FAQ entry</a> on the topic.</p>
</div>
<p>You server will be available under a main hostname but may expose multiple public
<p>You server will be available under a main hostname but may expose multiple public
hostnames. Every e-mail domain that points to this server must have one of the
hostnames. Every e-mail domain that points to this server must have one of the
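Review bot: the new "Read this" paragraph has an unbalanced closing tag: `<b>validating, DNSSEC-enabled</b> DNS resolver</b> to function` closes bold twice. Either drop the second `</b>` or move the first one after "DNS resolver" so the whole requirement is bold. While here, the unchanged line below still reads "You server will be available" (should be "Your server").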
Work around a bug in coredns: set the DO flag on our DNSSEC queries. Add a new FAQ entry to explain our DNSSEC requirements and ensure that our error message points to it.