I have run into a bit of an issue when attempting to set up a mail system where the parent domain, example.com, already has A records and a web server as well as many clients utilizing the parent domain as an endpoint for VPN configs, but cannot be used to send SMTP port 25 traffic to/from.

So I have a VPS with its own public IP that is relaying the network traffic, and has a subdomain mail.example.com and its PTR records, as well as SPF, DKIM, and DMARC all pointing to mail.example.com.

But it would seem that I have painted myself into a corner here, as my postfix MTA is configured to do everything as example.com and not mail.example.com.

Out of convenience, I would prefer to have all email be [email protected] and not [email protected].

I have used some online mail DNS checkers, and everything checks out fine for mail.example.com. If I try to verify example.com, of course all the DNS checks fail.

I am fairly sure that if I would attempt to send some mail as [email protected], any receiving mail server would attempt to verify SPF, DKIM, and DMARC for example.com and never see all the valid TXT records for mail.example.com.

A potential solution is to stop all servers and clients from using the root domain for anything, move any existing services to their own subdomains, and then have the mail system take over the parent domain's A record. Although this is very much not optimal.

Is there a way I can send/receive email through the VPS with its own IP and mail.example.com domain while having all SMTP use @example.com?
More Detail:
DNS (updated with different TXT records now):
```
A    mail   VPS_IP_ADDRESS
A    @      MAIN_NETWORK_IP_ADDRESS
PTR  VPS_IP_ADDRESS   mail.example.com
MX   @      mail.example.com 10
TXT  @      v=spf1 mx ip4:VPS_IP_ADDRESS -all
TXT  @      v=DMARC1; p=quarantine; adkim=s; aspf=s;
TXT  @      v=DKIM1;h=sha256;k=rsa;p=xxxxxxxxx
```
Postfix main.cf:

```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html
compatibility_level = 3.5
# Milter configuration (for opendkim)
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/mailtls.crt
smtpd_tls_key_file=/etc/ssl/private/mailtls.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# Restrictions (continuation lines must be indented, otherwise Postfix
# treats them as new, invalid parameter lines)
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_unauth_destination
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
smtpd_relay_restrictions =
    reject_unauth_destination,
    permit_mynetworks,
    permit_sasl_authenticated
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
luser_relay = [email protected]
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mydomain = example.com
myorigin = $mydomain
mydestination = localhost
relayhost =
relay_domains =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp
# Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
    mysql:/etc/postfix/mysql-virtual-email2email.cf
# Even more Restrictions and MTA params
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
#smtpd_etrn_restrictions = reject
#smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_recipient = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 1
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h
smtpd_client_message_rate_limit = 10
anvil_rate_time_unit = 60s
default_destination_rate_delay = 5s
# Reply Rejection Codes
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
```
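Added example, not from the question or any answer on this page: a minimal Python model of how a receiving MTA evaluates DMARC, run against constructed DNS data for both the "records only under mail.example.com" state and the updated apex records. It assumes a stand-in VPS address 203.0.113.10, a DKIM selector s1, and leaves the SPF mx/a/include mechanisms and the DKIM signature cryptography outside the model (signature validity is an input).

```python
# Minimal DMARC evaluation over constructed DNS data: a receiver looks up
# _dmarc.<From: domain> and needs the SPF (MAIL FROM) and DKIM d= domains to
# ALIGN with that From: domain, so records under mail.example.com never apply
# to mail whose From: says @example.com. SPF mx/a/include are not evaluated.
import ipaddress

# Constructed zones, owner name -> list of TXT strings (203.0.113.10 = VPS IP).
ZONE_SUBDOMAIN_ONLY = {  # the situation described in the question
    "mail.example.com": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.mail.example.com": ["v=DMARC1; p=quarantine; adkim=s; aspf=s"],
    "s1._domainkey.mail.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER"],
}
ZONE_APEX = {  # the 'updated' records from the question, at the apex
    "example.com": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; adkim=s; aspf=s"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER"],
}

def txt(zone, name, prefix):
    """First TXT record at name that starts with prefix, else None."""
    return next((r for r in zone.get(name, []) if r.startswith(prefix)), None)

def tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC syntax) into a dict."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def org_domain(name):
    """Organizational domain, simplified to the last two labels (no PSL)."""
    return ".".join(name.split(".")[-2:])

def spf_pass(zone, mail_from_domain, client_ip):
    """True only if client_ip matches an ip4: mechanism of the domain's SPF."""
    rec = txt(zone, mail_from_domain, "v=spf1") or ""
    return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(t[4:], strict=False)
               for t in rec.split() if t.startswith("ip4:"))

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    return (from_domain == auth_domain if mode == "s"
            else org_domain(from_domain) == org_domain(auth_domain))

def dmarc(zone, header_from, mail_from, client_ip, dkim_d=None, sel="s1", sig_ok=False):
    """Return (dmarc_result, policy) for one message's authentication inputs."""
    rec = (txt(zone, f"_dmarc.{header_from}", "v=DMARC1")
           or txt(zone, f"_dmarc.{org_domain(header_from)}", "v=DMARC1"))
    if rec is None:
        return "none", "none"  # the From: domain publishes no policy at all
    t = tags(rec)
    spf_ok = spf_pass(zone, mail_from, client_ip) and aligned(header_from, mail_from, t.get("aspf", "r"))
    dkim_ok = (sig_ok and dkim_d is not None and aligned(header_from, dkim_d, t.get("adkim", "r"))
               and txt(zone, f"{sel}._domainkey.{dkim_d}", "v=DKIM1") is not None)
    return ("pass" if spf_ok or dkim_ok else "fail"), t.get("p", "none")
```

With the strict adkim=s/aspf=s from the question, a MAIL FROM of @mail.example.com does not align with a From: of @example.com even once the apex records exist; relaxed alignment (the default) would accept it.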
mail.example.org handle e-mail for example.com - or any other domain. Tell us your domain and how you've configured things.