Join Log in
Score:0
zorkwarrior avatar Server

Correct hostname/PTR/A for a mail server serving multiple domains?

tk flag
zorkwarrior

I am amalgamating a few of my company's Debian VPSs into 1. I will be serving multiple domains, as well as their sub-domains, all of which will send emails, but not receive them (except for bounces):

  • my-company.com
  • alpha.my-company.com
  • beta.my-company.com
  • my-other-company.com

EDIT: The alpha.my-company.com & beta.my-company.com sites are the main focus here. They are privately accessed SAAS apps that perform a lot of email operations, while the other two are simple static sites that send the odd email.

I am running exim and dovecot to send mail. These are legacy systems so I don't want to change the services they use unless I have to. I have this running fine for a single domain. The DKIM, etc is valid.

I run into trouble when I have multiple domains. My provider says that my PTR should point to the hostname. As is my understanding, the hostname should be a canonical name of the machine itself, not a domain name. Makes sense.

The default hostname is something like 12345.hosting.com. I think it makes sense to change this to something appropriate to my company, maybe server1 (the FQDN being server1.my-company.com??). Really not sure about this.

Would I need an A record (or a CNAME in the my-company.com DNS zone) to point to this FQDN even though I won't serve a default site via nginx? Would it make more sense to name the hostname mail.my-company.com so that there would be a legitimate MX record pointing to that domain?

I guess my confusion is that if the hostname is not a domain name, then wouldn't creating records for it effectively make it a domain name?

I'm using mail-tester.com and mxtoolbox.com to test my deliverability.

97
2 + 2
anx avatar
fr flag
anx
You will likely find the [mail-tester](https://www.mail-tester.com/) and [zonemaster](https://zonemaster.fr/) free services useful in determining whether your setup ended up consistent and is resolved as expected from a 3rd party POV. You may find [this sites recommendations on obfuscation](https://meta.serverfault.com/questions/963/what-information-should-i-include-or-obfuscate-in-my-posts/6063#6063) helpful in creating future posts and receiving more specific answers, especially where domain names are involved.
0
Reply
zorkwarrior avatar
tk flag
zorkwarrior
@anx Great links, very helpful - thank you. Zonemaster especially looks like a great tool
0
Reply
Score:0
anx avatar Server
fr flag
anx

Apart from the purely technical answer (simple: chose whatever you want, consistency is sufficient) there is a lengthy list of soft considerations which all boil down to making it easy for you to maintain continuity (across rebrands/mergers/acquisitions and software/architectural modernisation), and making it easier for outsiders to quickly understand technical (and to some degree, legal) responsibility.

You have one mail server maintained by one entity serving the purposes of a group of companies all connected to my-Company. Express that:

  • Make it obvious to outsiders what the server does, something that conveys "this is a properly maintained mail relay", like mx2 or mailout02
  • If this server is not also serving an public incoming MX role, not being published as such is perfectly reasonable - connecting it to the domains as an authorized sender is done via SPF and DKIM
  • Place it under a stable domain to minimize unusual permissions or ambiguities across different business entities, e.g. the "main" entity. If a wholly owned subsidiary tech controls services for a bunch of connected companies, that is reasonable. If the financial consultancy moneycity.example sends mail via the fishingclubcity.example domain that will rarely be visible to most non-technical staff, still complicate anti-phishing efforts.
  • Combine that into one name and publish it, netting you an FQDN
  • Setup that FQDN so it is used consistently. In the simplest case your mail server will greet (EHLO) with its one FQDN which resolves to the public addresses (one IPv4 & IPv6 each) used by the mail server which each also point (PTR/rDNS) point back to that one FQDN.

Correct hostname

I should note that especially the last bullet points is a recommendation which to require is arguably not correct as far as internet standards go, yet still practically highly desirable after a significant share of parties in the mail ecosystem have made it the easiest way to achieve their baseline requirements for some or all interaction with them.

Would I need an A record

Only when eventually netting A / AAAA records it becomes a resolvable name, which is required for use in SMTP context.

0.2.0.192.forgot-to-change-this.hosting.example I think it makes sense to change this

Yes. Not just because you might want to have full control of the domain where your hosting providers defaults might be unsuitable, but importantly also as a signal that you are declaring responsibility for the server, no longer judged by spam filters as an merely an average customer of that provider.

I won't serve a default site via nginx

Serving a redirect to your companies about-us or contact form page would not hurt, as long as it is not too complicated to maintain. Think of people failing to reach you for technical reasons looking for authentic alternates, by clicking on the server FQDN mentioned in the non-delivery returns.

+ 1
zorkwarrior avatar
tk flag
zorkwarrior
Very articulate answer to my rambling question. Really satisfies that sense of organization that I knew was lacking in my implementation. Being that I'm migrating these operating servers into this one, I'd like it to be setup as proper as possible to be easily maintained by anyone. Thank you!
0
Reply
Score:0
paladin avatar Server
id flag
paladin

Most people refer to the term hostname as the machine name of a computer, the machine hostname originates by the machine itself, so the machine is giving itself its hostname. While on the other side, there is also a term called DNS hostname. A DNS hostname is defined by a DNS server, or more precise, by a DNS record. A DNS hostname is always also a domain name, but it's not certain that it's a valid domain name. A FQDN, a fully qualified domain name always must end with a dot '.'.

So, to answer your question.

Give your mailserver a company specific hostname (machine name), like for example "mailserver". Give your mailserver 4 global IP, preferably IPv6, let's call them global IP A, B, C and D.

Adjust the DNS records like:

  • my-company.com points to global IP A
  • alpha.my-company.com points to global IP B
  • beta.my-company.com points to global IP C
  • my-other-company.com points to global IP D

Then you adjust your mail services on your mailserver to listen to each of the global IP A, B, C and D and you're done.

+ 5
Paul avatar
cn flag
Paul
Note that based on where the users are located it may be preferred to use IPv4 over IPv6, as there are many users with no IPv6 address and many mail servers with no IPv6 address.
0
Reply
anx avatar
fr flag
anx
I would advise against multiple records. Its not easy to get multiple names (and addresses, so times two, need both address versions for now) right - and when you do, you get little more than an extra complicated version of multiple (virtual) installations. If it is one machine working with at least mostly shared policy and supporting personnel, then having it appear as *one* name externally reduces the number of potential manual troubleshooting steps for both the operator and operators of systems interacting with it.
0
Reply
paladin avatar
id flag
paladin
I disagree both of you. Whoever isn't able to connect to a IPv6 host, it's his own fault. OP already has reserved those domain names, even if not, it's not hard to reserve a domain these days. 2 of those domains are even subdomains. Reserving global IPv6 address is easy, you literally get an entire IPv6 segment with millions of free global IPv6 addresses for your personal/company use. We live in the year 2023, stop demanding IPv4 compatibility. PS all global IPv4 addresses are mapped IPv6 addresses anyway
0
Reply
anx avatar
fr flag
anx
@paladin I understand IPv4 compatibility is a demand Microsoft is making, at least they are responsible for most of my outbound v4 connections.
0
Reply
zorkwarrior avatar
tk flag
zorkwarrior
@paladin RE: who's fault it is if my clients can't connect - it is only my own. I had failed to mention that this is a SAAS company, so we cater to our clients as opposed to the public at large. All I'm really interested in (at least for the moment), is ensuring my clients have access the way they currently do - which is via IPv4. Being that we're located in Canada, it's likely a move to IPv6 wouldn't cause any upset, but I'll look at that in the future once this is settled. I think your comment is super valid, but this is legacy software and leaving anyone behind means a world of pain :)
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.