Hi!
Basic setup:

  10.0.0.1                                                         192.168.0.1
LAN1 --- OPNsense1 ------------ openVPN site-to-site ------------ OPNsense2 --- LAN2
  abcd.home.arpa                                                   wxyz.home.arpa
I want to reach a (local, LAN-only) email server on LAN1 from LAN2. Apparently sendmail does not accept the mail address as "user@[10.0.0.114]", but only as "user@mail.abcd.home.arpa".
I tried to add domain overrides and add the remote nets to Unbound's ACL on both OPNsenses, according to this:
https://forum.opnsense.org/index.php?topic=5901.msg24507#msg24507
OPNsense1: domain override wxyz.home.arpa -> 192.168.0.1
OPNsense2: domain override abcd.home.arpa -> 10.0.0.1
But when I configure the first domain override on either OPNsense, Unbound stops when I press "Apply" and won't start again (even after a reboot).
Is the problem that both sides of the tunnel have ".home.arpa" domain names?
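What the two domain overrides plus the ACL entries described above boil down to in unbound.conf terms, as an added example (not the poster's configuration and not the file OPNsense generates; the /24 masks, the mail host name and the interface lines are assumptions, only 10.0.0.114 comes from the post):

```conf
# --- OPNsense1 (10.0.0.1), authoritative for abcd.home.arpa, forwards wxyz.home.arpa ---
server:
    interface: 10.0.0.1                       # assumed LAN1 listener
    # ACL: local LAN plus the remote LAN that arrives over the site-to-site tunnel
    access-control: 10.0.0.0/24 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Unbound ships home.arpa. as a default local zone (RFC 8375); unless it is
    # declared nodefault, a forward-zone underneath it is never consulted.
    local-zone: "home.arpa." nodefault

    # Names this side answers itself (hypothetical host, address from the post)
    local-zone: "abcd.home.arpa." static
    local-data: "mail.abcd.home.arpa. IN A 10.0.0.114"

    # Rebind protection: RFC 1918 answers from upstream are dropped ...
    private-address: 10.0.0.0/8
    private-address: 192.168.0.0/16
    # ... so the peer's zone must be whitelisted, or its answers are discarded
    private-domain: "wxyz.home.arpa."

# The "domain override" for the peer's zone: send those queries to OPNsense2
forward-zone:
    name: "wxyz.home.arpa."
    forward-addr: 192.168.0.1

# --- OPNsense2 (192.168.0.1) is the mirror image ---
# server:
#     interface: 192.168.0.1
#     access-control: 192.168.0.0/24 allow
#     access-control: 10.0.0.0/24 allow
#     access-control: 0.0.0.0/0 refuse
#     local-zone: "home.arpa." nodefault
#     local-zone: "wxyz.home.arpa." static
#     private-address: 10.0.0.0/8
#     private-address: 192.168.0.0/16
#     private-domain: "abcd.home.arpa."
# forward-zone:
#     name: "abcd.home.arpa."
#     forward-addr: 10.0.0.1
```

Two checks worth running before touching the GUI again: `unbound-checkconf /var/unbound/unbound.conf` (path assumed; OPNsense keeps the generated file under /var/unbound) prints the exact line Unbound refuses to start on, and once it is up, `drill @10.0.0.1 mail.abcd.home.arpa` from a LAN2 host confirms both the ACL (no REFUSED) and the forwarding path (an A record rather than NXDOMAIN or an empty answer). Note that the `private-domain` line does not undo rebind protection for anything else; it only accepts RFC 1918 addresses inside the one zone that is expected to contain them.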
Hmmm....
Quote from forapurpose on May 18, 2018:
In case this issue on pages 7-8 is overlooked:
Because 'home.arpa.' is not globally scoped and cannot be secured using DNSSEC based on the root domain's trust anchor, there is no way to tell, using a standard DNS query, in which homenet scope an answer belongs. Consequently, users may experience surprising results with such names when roaming to different homenets.
To prevent this from happening, it could be useful for the resolver on the host to securely differentiate between different homenets and between identical names on different homenets. However, a mechanism for doing this has not yet been standardized and doing so is out of scope for this document. It is expected that this will be explored in future work.
https://news.ycombinator.com/item?id=17093337
Workaround:
https://stackoverflow.com/questions/6139032/sending-email-using-ip-address-instead-of-domain-name
8)
(Question: why not use another mail program? Answer: mdadm only uses sendmail, apparently...)