
I have run into a bit of an issue when attempting to set up a mail system where the parent domain, example.com, already has A records and a web server as well as many clients utilizing the parent domain as an endpoint for VPN configs, but cannot be used to send SMTP port 25 traffic to/from.

So I have a VPS with its own public IP that is relaying the network traffic, and has a subdomain mail.example.com and its PTR records, as well as SPF, DKIM, and DMARC all pointing to mail.example.com.

But it would seem that I have painted myself into a corner here, as my Postfix MTA is configured to do everything as example.com and not mail.example.com. Out of convenience, I would prefer to have all email be [email protected] and not [email protected].

I have used some online mail DNS checkers, and everything checks out fine for mail.example.com. If I try to verify example.com, of course all the DNS checks fail.

I am fairly sure that if I would attempt to send some mail as [email protected], any receiving mail server would attempt to verify SPF, DKIM, and DMARC for example.com and never see all the valid TXT records for mail.example.com.

A potential solution is to stop all servers and clients from using the root domain for anything, and any existing services moved to their own subdomains, then have the mail system take over the parent domain's A record. Although this is very much not optimal.

Is there a way I can send/receive email through the VPS with its own IP and mail.example.com domain while having all SMTP use @example.com?

More Detail:

DNS (updated with different TXT records now):

A  mail  VPS_IP_ADDRESS
A  @  MAIN_NETWORK_IP_ADDRESS

PTR  VPS_IP_ADDRESS  mail.example.com

MX  @  mail.example.com  10

TXT  @  v=spf1 mx ip4:VPS_IP_ADDRESS -all
TXT  @  v=DMARC1; p=quarantine; adkim=s; aspf=s;
TXT  @  v=DKIM1;h=sha256;k=rsa;p=xxxxxxxxx

Postfix main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html
compatibility_level = 3.5

# Milter configuration (for opendkim)
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/mailtls.crt
smtpd_tls_key_file=/etc/ssl/private/mailtls.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# Restrictions
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        reject_unauth_destination
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_relay_restrictions =
        reject_unauth_destination,
        permit_mynetworks,
        permit_sasl_authenticated
smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
luser_relay = [email protected]
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mydomain = example.com
myorigin = $mydomain
mydestination = localhost
relayhost =
relay_domains = 
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp

# Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
        mysql:/etc/postfix/mysql-virtual-email2email.cf

# Even more Restrictions and MTA params
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
#smtpd_etrn_restrictions = reject
#smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_recipient = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 1
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h
smtpd_client_message_rate_limit = 10
anvil_rate_time_unit = 60s
default_destination_rate_delay = 5s

# Reply Rejection Codes
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
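The thread's actual sticking point is where the three TXT records live, not which host the MX points at: receivers query SPF at the apex, DMARC at _dmarc.<apex> and DKIM at <selector>._domainkey.<apex>, and never look for DMARC or DKIM at the apex itself. The script below is an added example (not code from the question or the answer) that models a zone as a dict of (owner, type) to values, seeds it with a constructed copy of the records as posted (placeholder values; 192.0.2.10 is a documentation-range stand-in for VPS_IP_ADDRESS), and reports which records are missing or sitting at the wrong owner name. The selector name "s1" is an assumption; the real selector is whatever the opendkim signature's s= tag carries.

```python
"""Offline check of where a zone's mail-authentication TXT records live.

Added example, not from the question or answer. Zone model: {(owner, rtype): [value, ...]}.
Expected owner names, which is what a receiving MTA actually queries:
  SPF    TXT at <apex>                          example.com
  DMARC  TXT at _dmarc.<apex>                   _dmarc.example.com
  DKIM   TXT at <selector>._domainkey.<apex>    s1._domainkey.example.com  (selector "s1" assumed)
"""
import re


def txt(zone, owner):
    return zone.get((owner, "TXT"), [])


def find_tag_record(zone, owner, prefix):
    """First TXT value at `owner` whose leading tag is `prefix` (e.g. 'v=spf1'), else None."""
    for value in txt(zone, owner):
        if value.lower().startswith(prefix.lower()):
            return value
    return None


def parse_tags(value):
    """'v=DMARC1; p=quarantine; adkim=s' -> {'v': 'DMARC1', 'p': 'quarantine', 'adkim': 's'}."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_mail_auth(zone, apex, selector):
    """Return a list of findings; an empty list means all three records are where they belong."""
    findings = []

    # SPF lives at the apex and should end in an explicit all-mechanism.
    spf = find_tag_record(zone, apex, "v=spf1")
    if spf is None:
        findings.append(f"no SPF record at {apex}")
    elif not re.search(r"\s[-~+?]?all$", spf):
        findings.append(f"SPF at {apex} has no terminating 'all' mechanism")

    # DMARC lives at _dmarc.<apex>; a copy at the apex is never consulted.
    dmarc_owner = f"_dmarc.{apex}"
    dmarc = find_tag_record(zone, dmarc_owner, "v=DMARC1")
    if dmarc is None:
        findings.append(f"no DMARC record at {dmarc_owner}")
        if find_tag_record(zone, apex, "v=DMARC1"):
            findings.append(f"DMARC record found at {apex}; move it to {dmarc_owner}")
    elif parse_tags(dmarc).get("p") not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC at {dmarc_owner} lacks a valid p= tag")

    # DKIM lives at <selector>._domainkey.<apex>; the selector comes from the signature's s= tag.
    dkim_owner = f"{selector}._domainkey.{apex}"
    dkim = find_tag_record(zone, dkim_owner, "v=DKIM1")
    if dkim is None:
        findings.append(f"no DKIM record at {dkim_owner}")
        if find_tag_record(zone, apex, "v=DKIM1"):
            findings.append(f"DKIM record found at {apex}; move it to {dkim_owner}")
    elif not parse_tags(dkim).get("p"):
        findings.append(f"DKIM at {dkim_owner} has an empty p= tag (revoked key)")

    return findings


# Constructed copy of the records as the question shows them (IP and key are placeholders).
AS_POSTED = {
    ("example.com", "TXT"): [
        "v=spf1 mx ip4:192.0.2.10 -all",
        "v=DMARC1; p=quarantine; adkim=s; aspf=s;",
        "v=DKIM1;h=sha256;k=rsa;p=PLACEHOLDER_PUBLIC_KEY",
    ],
}

# The same three records at the owner names receivers actually query.
CORRECTED = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.10 -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=quarantine; adkim=s; aspf=s;"],
    ("s1._domainkey.example.com", "TXT"): ["v=DKIM1;h=sha256;k=rsa;p=PLACEHOLDER_PUBLIC_KEY"],
}

if __name__ == "__main__":
    for label, zone in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{label}:")
        for finding in check_mail_auth(zone, "example.com", "s1") or ["ok"]:
            print("  -", finding)
```

Run against the as-posted zone it reports the DMARC and DKIM records as present but at the wrong owner; against the corrected zone it reports nothing, which is the state the last comment in the thread describes. Nothing here depends on the MX or PTR host, which is the separation the comments point out: SPF/DKIM/DMARC are keyed by the domain in the envelope sender and the signature, not by the name of the machine delivering the mail.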

  • I don't understand your problem? There is no problem with having mail.example.org handle e-mail for example.com - or any other domain. Tell us your domain and how you've configured things.
    – vidarlo
    Commented Jul 1 at 6:46
  • I guess I am confused about the relationship between the domain/IP doing the sending and receiving of the actual network traffic, and the domain+DNS verifications for the higher level SMTP protocol. I added some more detailed info in my post, but all the other information I provided is how I have set up my domain. Are the SFP/DMARC/DKIM records and verification completely separate from the MX/PTR records and what host they point to?
    – bdrun33
    Commented Jul 1 at 7:20
  • Yes, they are separate. SPF says who's authorized to send e-mail on your behalf; DKIM gives a key that should be used for signing outgoing messages, and DMARC informs others about your signing policy. This is not related to MX and PTR records. I still don't grok your problem.
    – vidarlo
    Commented Jul 1 at 7:28

1 Answer

This is mostly comment, but space/formatting limited above....

where the parent domain, example.com, already has A records and a web server

That is wrong - but not related to your mail problems.

my postfix MTA is configured to do everything as example.com and not mail.example.com

But you didn't share any of that config with us.

and has a subdomain mail.example.com

Really? This is a subdomain? Why? Unless the MX record for example.com points to your VPS IP address, then you're not going to receive mail for example.com there.

Your SPF, DMARC and DKIM records need to be on example.com, not on the mail.example.com zone. Why did you set these up before you had a working mail config?

You still need to tell the mailserver it should accept mail sent to "example.com" and append the domain "example.com" to addresses without a domain - change the content of /etc/mailname to example.com

Is there a way I can send/receive email through the VPS with its own IP and mail.example.com domain while having all SMTP use @example.com ?

I have no idea what you are trying to tell us here.
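The answer's concrete point is about Postfix's own idea of its identity: myhostname should be the FQDN the sending IP's PTR resolves to (mail.example.com), myorigin/mydomain should be the bare domain users want in their addresses (example.com), and that domain has to appear somewhere Postfix accepts mail for. The script below is an added example (not the questioner's or the answerer's code) that parses main.cf text, including indented continuation lines and $name references, and checks those three things against a PTR hostname passed in. The main.cf excerpt is a constructed abridgement of the one in the question; the function and parameter names are assumptions.

```python
"""Offline consistency check of the identity settings in a Postfix main.cf (added example)."""
import re

_REF = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")   # $name or ${name}


def parse_main_cf(text):
    """Return {key: value} with continuation lines joined and $name references expanded."""
    raw = {}
    key = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key is not None:        # indented line continues the previous value
            raw[key] = (raw[key] + " " + line.strip()).strip()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        raw[key] = value.strip()

    def expand(value, depth=0):
        if depth > 10:                                    # guard against circular references
            return value
        return _REF.sub(lambda m: expand(raw.get(m.group(1), ""), depth + 1), value)

    return {k: expand(v) for k, v in raw.items()}


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [v for v in re.split(r"[\s,]+", value) if v]


def check_identity(cfg, ptr_hostname, mail_domain):
    """Return findings about hostname/origin/destination settings; [] means consistent."""
    findings = []

    # The EHLO name is smtp_helo_name, which defaults to $myhostname; receivers compare it with the PTR.
    helo_name = cfg.get("smtp_helo_name") or cfg.get("myhostname", "")
    if helo_name != ptr_hostname:
        findings.append(
            f"myhostname/smtp_helo_name is {helo_name!r} but the PTR of the sending IP is "
            f"{ptr_hostname!r}; set myhostname = {ptr_hostname}")

    # myorigin (default $myhostname) is what gets appended to bare local-part addresses.
    origin = cfg.get("myorigin") or cfg.get("myhostname", "")
    if origin != mail_domain:
        findings.append(f"myorigin is {origin!r}; set it to {mail_domain} so mail goes out as user@{mail_domain}")

    # The domain must be listed in one of the tables Postfix accepts mail for.
    accepting = (split_list(cfg.get("mydestination", ""))
                 + split_list(cfg.get("virtual_mailbox_domains", ""))
                 + split_list(cfg.get("relay_domains", "")))
    if mail_domain not in accepting:
        lookups = [a for a in accepting if ":" in a]        # e.g. mysql:/etc/postfix/...
        if lookups:
            findings.append(f"{mail_domain} is not listed literally; verify it is in {lookups}")
        else:
            findings.append(f"{mail_domain} is in none of mydestination, virtual_mailbox_domains, relay_domains")
    return findings


# Constructed abridgement of the question's main.cf.
MAIN_CF = """\
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname
myhostname = example.com
mydomain = example.com
myorigin = $mydomain
mydestination = localhost
relayhost =
relay_domains =
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
"""

if __name__ == "__main__":
    for finding in check_identity(parse_main_cf(MAIN_CF), "mail.example.com", "example.com") or ["ok"]:
        print("-", finding)
```

On the posted configuration this flags myhostname (example.com, while the PTR is mail.example.com) and notes that example.com is only reachable through the mysql lookup table, which has to be verified against the database rather than the file. myorigin already resolves to example.com through $mydomain, so the "append the domain" part the answer mentions is already in place.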

  • Sorry, I had been running postfix as an internal mail server, but going public has given me questions that I can't seem to find answers elsewhere. I appreciate your help though. I added the postfix main.cf to my post for that info. I did add the MX record that points to mail.example.com. I guess I don't actually have any problem if the MX/PTR/A for mail.example.com isn't checked to be the same for the SPF/DKIM/DMARC host records.
    – bdrun33
    Commented Jul 1 at 16:41
  • I did change the SPF/DKIM/DMARC records host part to be the parent domain example.com last night, so the DNS should be propagated by now (see the DNS section of my original post). But using something like mxtoolbox.com and putting in the parent domain example.com, it can't find any mail records besides the MX one, but if I do a dig TXT example.com all the TXT records show up. I guess that was my actual problem: mxtoolbox saying my domain isn't valid despite all the TXT records being there.
    – bdrun33
    Commented Jul 1 at 16:46
  • Maybe you should just tell us what the domain is so we could see for ourselves.
    – symcbean
    Commented Jul 2 at 11:21
  • I have purposely avoided putting my own domain on a public forum. In the last day I read up on the DKIM/DMARC RFCs and realized that the host part of those TXT records are supposed to be specific ones to identify the record and not the parent domain. I corrected that and now the domain shows up as good to go in mxtoolbox. My original question was mainly about if the MX and associated A/PTR records had to match the parent domain in terms of the IP endpoint, but everyone's confusion has helped me realize that they are not related. I appreciate all the help though.
    – bdrun33
    Commented Jul 3 at 20:44
