
So my problem is simple I just need a solid answer so that I don't break the email service.

I have two servers, one for mail and the other for the web service. The web server is responsible for the SSL certificate renewal (I'm using the Let's Encrypt Certificate Authority).

My DNS A record is mail.example.com and points to the mail server IP. The MX record points to that A record.

The SSL certificate validation is done via DNS, so I added another A record with the same hostname (mail.example.com) but pointing to the web server IP.

I tried this for a little while and it worked out (the validation succeeded and the mail service worked normally), but I'm not 100% sure about it, and it led me to the following thoughts:

1 - The A record for the web server was added after, so in the DNS query the mail server IP comes first, and because of this everything works fine.

2 - I read somewhere that in the browser the DNS query results are used in a random order. If the first IP can't serve HTTP requests, the second will be used. I'm not sure about this, but could it be that for the mail service the same happens? If the first IP resolved does not accept mail, will it try the second one?

I would like to be clarified about this because I want to be 100% sure of what is happening and why, to prevent any problems in the future.

Marco
  • `My DNS A record is mail.example.com and points to the mail server IP. The MX record points to that A record. The SSL certificates validation is made via DNS so I added another A record with the same hostname (mail.example.com) but pointing to the web server IP.` - Why are you using the same name for the email server and for the website? – joeqwerty Feb 11 '19 at 16:28
  • Because the SSL certificates renewal happens in the web server. – Bruno Tavares Feb 11 '19 at 22:46

3 Answers

You've created a DNS round-robin.

Do not create multiple A records with the same name unless you intend for them to point at the same service. There are other ways of solving what you are trying to do; for example by setting up a minimal web service on the mail server with the explicit task of renewing certificates, or by putting a load balancer/reverse proxy in front of both servers. The latter makes managing certificates a bit more tedious.

Mikael H
  • Thanks for the reply, I had a bad feeling about that. I don't think I can use any of your suggestions but I will try DNS validation as @Joe suggested – Bruno Tavares Feb 11 '19 at 14:14
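The round-robin this answer describes is easy to see from the outside: whoever resolves mail.example.com (a sending MTA, an ACME validator, a user's IMAP client) is handed both addresses and may use either, so every address has to serve every service the name is used for. The script below is an added example, not part of the thread: it lists every A record the local resolver returns for a name and probes each address on the ports you care about, warning about any address that does not answer. It assumes getent (glibc) and nc (netcat) are installed; the hostname and ports are examples.

```shell
#!/bin/sh
# Added example (not from the thread): audit a hostname that is both an MX
# target and a certificate name. Every address it resolves to must serve every
# service the name is used for, otherwise clients that happen to pick the
# "wrong" address fail intermittently.

# All IPv4 addresses the local resolver returns for a name, one per line.
resolve_a() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Exit 0 if a TCP connection to $1:$2 succeeds within 3 seconds.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# audit NAME PORT...
# Prints one line per address/port plus a WARN line for anything that would
# bite. Returns 1 if any WARN was printed, so it can gate a deployment.
audit() {
    name=$1; shift
    addrs=$(resolve_a "$name")
    warnings=0
    count=$(printf '%s\n' "$addrs" | grep -c .)
    if [ "$count" -gt 1 ]; then
        echo "WARN: $name has $count A records; resolvers hand them out in varying order (round-robin)"
        warnings=$((warnings + 1))
    fi
    for port in "$@"; do
        for ip in $addrs; do
            if port_open "$ip" "$port"; then
                echo "OK:   $ip:$port accepts connections"
            else
                echo "WARN: $ip:$port refused; a client that resolves $name to $ip gets nothing on port $port"
                warnings=$((warnings + 1))
            fi
        done
    done
    [ "$warnings" -eq 0 ]
}

# Typical use: the mail ports plus port 80, which an HTTP-01 validator will hit.
# audit mail.example.com 25 465 587 993 80
```

In the setup from the question this prints a round-robin warning plus one refused-port warning per server (the mail host has no port 80 listener, the web host no port 25), which is exactly the intermittent failure the answer is warning about.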

This is the wrong approach for getting Let's Encrypt certificates for a mail server with no installed web server.

Instead, you should use certbot's standalone plugin. With this, certbot starts its own built in temporary web server to perform the HTTP validation.

You request a certificate for the name corresponding to the value of your MX record. For instance, if you have the domain example.com and your MX record points to mail.example.com, then you request a certificate for mail.example.com, the IP address for which must point only to that mail server.

For example:

certbot certonly --standalone -d mail.example.com

You can then add the resulting certificate links in /etc/letsencrypt/live to your mail server configuration.

Note that when you certbot renew, your mail server won't be restarted automatically. You'll need to set up a --post-hook to do that. For example:

certbot renew --post-hook "systemctl reload postfix dovecot"

For further information on automating certificate renewal, see Cron job for let's encrypt renewal.

Michael Hampton

Mikael is correct about the DNS round-robin. Another option is to validate the domain via DNS rather than an HTTP request. Check out this link from Certify The Web that explains how to use their software to perform DNS validation. Then you can completely remove the web server if all you needed it for was domain validation.

Joe
  • I will try the DNS validation. It was not the first option because we have a lot of domains and our DNS console is very poor. We need to ask our provider to create the TXT records for us. But to solve this problem only one TXT record will be necessary, so I think it is viable. I should have thought about this... Thanks a lot! – Bruno Tavares Feb 11 '19 at 14:17
  • on a side note, just move everything over to AWS Route 53. The console is simple and you have much more control and features. – Joe Feb 11 '19 at 14:51
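With the DNS-01 challenge the ACME server looks up TXT records at _acme-challenge.mail.example.com, and it follows CNAMEs on the way, which is how people with a poor DNS console usually cope: the provider publishes a single CNAME pointing _acme-challenge.mail.example.com at a zone the mail server can update itself. The script below is an added example, not part of the thread or of any ACME client: it walks that CNAME chain the way the validator will and reports where the TXT record is (or is not) served, so the record can be checked before a renewal is attempted. It assumes dig is installed; the hostnames are examples.

```shell
#!/bin/sh
# Added example (not from the thread): show what an ACME server sees when it
# validates a DNS-01 challenge for a name. Assumes dig (bind-utils).

# query TYPE NAME -> rdata lines as returned by the local resolver.
query() {
    dig +short "$2" "$1"
}

# acme_challenge_chain NAME
# Follows CNAMEs from _acme-challenge.NAME (bounded, so a CNAME loop cannot
# hang the check) and prints the TXT records at the end of the chain.
# Returns 1 when no TXT record is published there.
acme_challenge_chain() {
    name=_acme-challenge.$1
    hops=0
    while [ "$hops" -lt 8 ]; do
        target=$(query CNAME "$name")
        [ -n "$target" ] || break
        echo "CNAME: $name -> $target"
        name=${target%.}          # drop the trailing dot dig prints
        hops=$((hops + 1))
    done
    txt=$(query TXT "$name")
    if [ -z "$txt" ]; then
        echo "TXT:   none at $name (validation fails until one is published there)"
        return 1
    fi
    printf 'TXT:   %s at %s\n' "$txt" "$name"
}

# acme_challenge_chain mail.example.com
```

Run it right after the provider has added the record, from a host other than your own DNS server, so that you are seeing the answer the public resolvers give and not a cached or local one.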