SPF DNS Record uses internal (private) Address when using Virtualmin behind NAT

When configuring Virtualmin for NAT, meaning using an external IP for DNS and an internal IP for vhosts, the SPF Record of the respective Domain contains the internal IP of the machine.

I assume this is a bug because private Ranges are not allowed externally, especially not in DNS Systems.

Also, an A Record of the original Hostname pointing to the private IP is added to the Zone, which leads to the private IP being synchronized across DNS if Virtualmin is used for DNS hosting.

This Record has to be deleted manually from the DNS Zone.

This should be considered when configuring private IP with NAT and using the Server as authoritative Nameserver for the respective Zones.

Regards,

Michael

Status: Active

Comments

Assigned: Unassigned

If you go to Server Configuration -> Change IP Address, is the address you want to use in the SPF (and other DNS records) shown in the "External IP address" field?

If you mean Virtualmin Configuration/Networking Settings, I have:
Default virtual server IP address: From network interface
Default IP address for DNS records: Other Address: My External fixed IP

Yes. Obviously, Virtualmin adds the local IP of the local hostname (hostname -f) to the DNS zone if the Zone is the same as the Domain of the Server. So I created a zone example.com which manages the DNS Authoritative for this zone where the Virtualmin Host is a Part of it, called webhost01.example.com.

Also I can not receive Mail for the zone from other providers; via telnet webmail01.example.com 25 it works though.

The setting at Virtualmin Configuration -> Networking Settings controls the default for new domains ... you should make sure that the setting is also correct for existing domains, on the Change IP Address page.

It doesn't sound like you're seeing a bug here though; it appears to be a configuration issue.

Hopefully Jamie's suggestions resolve that for you, but if you had any additional questions, since you're using Virtualmin GPL there you'd actually want to ask those questions in the Forums. We monitor the Forums, along with lots of wonderful folks in the community. Thanks!

Hi, for sure there is the proper configuration on the Virtual Server Side, actually the virtual server was created AFTER I set the proper settings for the host.

So if I set the proper Settings and created the virtual server afterwards, and the Server Template has the proper settings, and virtualmin creates the WRONG spf records, and virtualmin creates the WRONG hostname.domain.com A record which both are pointing to the internal private IP even if it is an AUTH zone, you don't consider this a bug?

Secondly, andreychek, I take my time to investigate and report bugs here on the issue tracker because I like the product and consider upgrading to PRO if my testing phase runs successfully - and am not the only one doing it this way for sure - I need no thanks or anything for taking my time, but you should not lightly ask away power users from the issue tracker when virtualmin badly needs bug fixing and improvement which comes for the good of the product maintainers for FREE! I never asked any configurational question on the issue tracker but submitted only bug reports and I know the difference quite well.

It does seem like a bug if the DNS records are wrong even though you've configured the correct external IP.

Are you letting Virtualmin entirely create the DNS records, or do you have a custom template?

Hi,

yes I let virtualmin entirely create the dns records. What I recognized:

1.) The wrong hostname A record with the private IP is only created on the virtual server which matches the webhosts domain name. So after I installed virtualmin with the hostname webhost1.example.com, and afterwards create virtual server example.com with external DNS IP, the hostname webhost01.example.com gets created with the private IP despite the DNS/external IP Points to another one.

2.) When creating another virtual server with domain example2.com, the Records are created properly without a hostname to private IP A record, but the SPF record still looks like (same with 1.):

v=spf1 a mx a:example2.com ip4:pri.va.te.ip ip4:pu.bl.ic.ip ?all

Wait, so for the SPF record, are you saying that it is adding TWO ip4: values? Because that actually seems reasonable.

Yes, but only on the top-level servers. The Record adds the internal private IP as well. I can not think of this to be RFC conformant, but maybe I am wrong. On Alias Servers, the SPF record gets created only with the external IP.

I chose to include the internal IP as well, just in case on some deployments there are mail servers that receive connections for the domain from the internal IP.
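
An added example (not part of the thread and not Virtualmin code): a check an administrator could run over an exported zone to find the two things reported above, an A record and an SPF ip4: mechanism that point at an internal address. The zone lines and addresses are constructed, and the names `is_internal` and `audit_zone` are hypothetical.

```python
import ipaddress
import re

# Ranges that should not appear in publicly served DNS data (explicit list,
# so documentation ranges such as 203.0.113.0/24 are treated as public here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 ULA, link-local, loopback
)]

# Constructed sample zone mirroring the records described in the thread.
ZONE = """
example.com.            IN A     203.0.113.25
webhost01.example.com.  IN A     192.168.1.10
example.com.            IN TXT   "v=spf1 a mx a:example.com ip4:192.168.1.10 ip4:203.0.113.25 ?all"
www.example.com.        IN CNAME example.com.
""".splitlines()

def is_internal(addr):
    """True if addr (optionally with /prefix) overlaps an internal range."""
    net = ipaddress.ip_network(addr, strict=False)
    return any(net.version == n.version and net.overlaps(n) for n in INTERNAL_NETS)

def audit_zone(lines):
    """Return (owner, type, value) for each A/AAAA or SPF ip4:/ip6: value that is internal."""
    findings = []
    for line in lines:
        m = re.match(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|TXT)\s+(.+)$", line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if rtype in ("A", "AAAA"):
            candidates = [rdata.strip()]
        else:
            txt = rdata.replace('" "', "").strip('"')  # join split TXT strings
            if not txt.lower().startswith("v=spf1"):
                continue
            candidates = re.findall(r"(?:^|\s)[+?~-]?ip[46]:(\S+)", txt, re.I)
        for value in candidates:
            try:
                if is_internal(value):
                    findings.append((owner, rtype, value))
            except ValueError:
                findings.append((owner, rtype, value + " (unparseable)"))
    return findings

if __name__ == "__main__":
    for owner, rtype, value in audit_zone(ZONE):
        print(f"{owner} {rtype}: internal address {value}")
```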