Join Log in
Score:0
Chr avatar Server

Postfix and Subdomains

ci flag
Chr

I set up Postfix on an Ubuntu 20.04 machine. However, I am not sure where I have to use the subdomain and where the domain. Let us call them mail.example.com and example.com respectively.

The system is a null client, sending emails but not receiving any (implemented via inet_interfaces = loopback-only in /etc/postfix/main.cf). I intend to send messages from [email protected] exclusively.

  • The MX record is @ IN MX 0 mail.example.com.
  • A records for both @ and mail point to the Postfix server.
  • The TLS certificates mentioned in /etc/postfix/main.cf refer to mail.example.com: smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem and smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem.
  • With smtp_generic_maps = hash:/etc/postfix/generic I rewrite user@hostname to [email protected] in /etc/postfix/main.cf.
  • I added masquerade_domains = example.com in /etc/postfix/main.cf to replace the mail.example.com in [email protected] with example.com. Somehow, that does not work. Emails still arrive from sender [email protected].

The questions are accordingly:

  • Do I have to use @ or mail in the MX record?
  • Do the TLS certificates have to refer to refer to mail.example.com or to example.com?
  • Should /etc/postfix/generic first convert user@hostname into [email protected] or directly into [email protected]?
99
0 + 0
Michael Hampton avatar
cz flag
Michael Hampton
If this system is not meant to receive mail, why have you directed incoming mail to it in the MX record?
1
Reply
Chr avatar
ci flag
Chr
@MichaelHampton Thank you for the comment. I read that mail servers commonly refuse to communicate with servers that do not have a MX record. Am I mistaken?
0
Reply
Michael Hampton avatar
cz flag
Michael Hampton
Not having an MX record is completely legitimate, so I don't know why any mail server would do that. Maybe some do. Of course, not having an MX record means that incoming mail goes to the same host; the MX record is intended to divert incoming email elsewhere.
2
Reply
Chr avatar
ci flag
Chr
That is good to know. Thanks. Do you also happen to have comments on the other questions?
0
Reply
Michael Hampton avatar
cz flag
Michael Hampton
Most everything you have asked so far relates to _incoming_ mail, and what little remains will probably change depending on what you actually want, to wit: Exactly what do you intend to do with incoming mail?
2
Reply
anx avatar
fr flag
anx
If you are concerned about people *"refusing to communicate"* with you.. then *"sending emails but not receiving any"* is the first thing you need to address..
1
Reply
Chr avatar
ci flag
Chr
@MichaelHampton I was planning on simply rejecting incoming mail, not admitting it into the server at all.
0
Reply
Score:2
Nikita Kipriyanov avatar Server
za flag
Nikita Kipriyanov

Most correct way to do this nowadays is to create an account on the proper mail service which is fully configured to serve example.com. (Of course, this could be your own server, this doesn't matter.) Then, on your null host, you only configure mail server as a smart host, with SASL authentication.

While it is perfectly possible to set up Postfix like this (there are plenty of manuals out there, including Postfix's own), I think Postfix is overkill for such use. Consider using nullmailer, which is suited exactly for systems which don't do anything with mail except originate some system notifications.

If that is not possible, set up DNS like this:

  • example.com MX record points to its proper mail service. It has nothing to do with subdomains.
  • nullhost.example.com. MX 10 ., i.e. point to nowhere. This is explicit indication that you don't intend to receive any mail for [email protected]. This is not requred if you protect null host's smtpd service from outside connections (firewall tcp/25, listen on localhost:25 only, etc.); however, explicit is always better than implicit.
  • this null host is going to send mail which sets example.com as sender domain, so its mail must obey DMARC settings for that domain. Otherwise correctly behaving receivers will drop its mail.

This last point, DMARC, could complicate things considerably. If it is set securely, which means the record looks like _dmarc.example.com. TXT "v=DMARC1; p=reject; pct=100; ...", you'll need to set up SPF and DKIM signing on the null host. SPF is easy, just add "a:nullhost.example.com" into SPF TXT record. DKIM is challenging, you'll need to create additional DKIM key pair, choose a selector (nullhost probably will do), install it's public pair into DNS as nullhost._domainkey.example.com. TXT "... key data ...". Then configure singning with corresponding private key directly on the null host (and use the chosen selector), I'd employ opendkim for that. Did I mentioned using smart host is preferred method?

And, your questions.

  • You are not the server (you said you this system shouldn't receive any mail). So you don't need any TLS Server certificate. You may set up things using TLS Client certificate, so when you connect to your smart host or to other servers via TLS you'll be able to present it. But why would you want to do that?
  • The "apex" record @ MX, a.k.a. example.com. MX, must be directed to example.com's mail exchanger (the system which receives mail for [email protected]). It has nothing to do with mail for any subdomain. Each subdomain is mail domain on its own.
  • How you set up address rewriting is up to you. The only thing outside world sees is the final result. So why bother doing it in two steps?
0 + 0
Chr avatar
ci flag
Chr
That is a very insightful answer. Thank you.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.