NetBSD-Users archive


Re: postfix for 2 domains on 1 vps 1 ip



Mayuresh wrote:
> On Mon, Jan 04, 2021 at 03:19:22PM -0700, Bob Proulx wrote:
> > So for example it is okay for a mailing list for a domain like
> > users%lists.example.com@localhost be hosted on a machine server123.example.net
> > at a different hostname and FQDN.  That's okay.  The name set as the
> > reverse DNS lookup should match the FQDN of the hostname.  As long as
> > that is true then everything should work okay.
> 
> And in your example server123.example.net is also an email domain, right?

It does not need to be.  Probably would not be.  It might be.

For example I was just dealing with a backscatter joe-job style abuse
against debbugs.gnu.org in the last two days.  Appearances are that there
are many outlook.com exit nodes similar to these; I will just take a
'head' from the list of them.

    mail-ad2are01hn2222.outbound.protection.outlook.com
    mail-ad2are01hn2232.outbound.protection.outlook.com
    mail-am5eur02hn2200.outbound.protection.outlook.com
    mail-am5eur02hn2201.outbound.protection.outlook.com
    mail-am5eur02hn2205.outbound.protection.outlook.com
    mail-am5eur02hn2206.outbound.protection.outlook.com
    mail-am5eur02hn2207.outbound.protection.outlook.com
    mail-am5eur02hn2208.outbound.protection.outlook.com
    mail-am5eur02hn2209.outbound.protection.outlook.com
    mail-am5eur02hn2210.outbound.protection.outlook.com

Wow there are a lot of exit nodes!  And that is just a sample.  They
all have forward reverse DNS lookup verification.  None of them have
MX records, therefore as to whether they are "also an email domain" I
would say they are not.  They would not receive mail normally.  However
if a host does not have an MX record then the A record address will be
used and an attempt to deliver will be made there.  Therefore it is not
required to have an MX record.  Just strongly recommended to do so.
(If a domain does not receive mail then it is advised to specify a
Null MX record for it.)

    https://tools.ietf.org/html/rfc7505

So in summary server123.example.net is just a hostname.  It would have
both forward and reverse DNS lookup that would validate for those
sites that require that circle to validate.  And it could then send
mail for any domain for which that domain has specified this is
allowed in the SPF record.

Just by-the-by but many larger corporations use the convention that
their .com names are public facing and then they use .net names for
infrastructure of internal use only.  Just as a way to organize
things.  And many other different conventions.

> So domain D1, D2 map to ip IP1. When checking in the context of D1 it will
> check whether IP1 maps to D1 and the check will succeed. In the context of
> D2 similarly it will succeed. It won't get paranoid about IP1 having 2
> domains. Then it sounds good.

Not quite.  D1 forward maps to IP1.  Then IP1 reverse maps to D1.
Therefore the forward reverse DNS lookup check verifies.

D2 forward maps to IP1.  IP1 reverse maps to D1.  Fails the forward
reverse DNS lookup check.  Therefore one would not use D2 as the
envelope header for an SMTP transaction since it would fail that test.
But D1 can send D2 mail for D2 no problem.  As long as D2's SPF record
allows it.

Reverse DNS entry:

    34.216.184.93.in-addr.arpa. IN PTR    D1

Forward DNS entries:

    D1 IN A	93.184.216.34

    D2 IN A	93.184.216.34
    D2 IN TXT	"v=spf1 a -all"
    D2 IN MX	10 D1

Since D2's SPF record says that the Address of D2 is allowed and that
address is 93.184.216.34 and mail is being sent from 93.184.216.34
then the SPF check passes.

Or one could specify that the MX relays are allowed, like this.

    D2 IN TXT    "v=spf1 mx -all"

Since D2 specifies D1 as the MX mail exchange relay for inbound mail
and the SPF TXT record says "mx" is allowed, the check passes.

I would do both. I would put both a and mx into the record and then
either would allow it.

    D2 IN TXT	"v=spf1 a mx -all"

Meanwhile in Postfix I would have this.

    myhostname = D1
    mydestination = $myhostname, localhost.$mydomain, localhost,
        $mydomain, mail.$mydomain, www.$mydomain
    # D2 and its extra names are virtual alias domains.  VIRTUAL_README
    # says never to list a virtual alias domain in mydestination as well,
    # so they appear only here.
    virtual_alias_domains = D2, www.D2, lists.D2
    virtual_alias_maps = hash:/etc/postfix/virtual
    sender_canonical_maps = hash:/etc/postfix/canonical

That would set up the host natively for D1 but would also receive mail
for D2 too.  And I threw in another few names just to expand the
example.  They would be whatever names you need, not these.

I thought about saying this instead.  Specifying both D1 and D2 as
virtual domains.

    virtual_alias_domains = D1, D2

That's possible.  Especially if the local host system won't ever
receive any email at all and all email for all domains is being routed
out to other places.

But anyway, I would then have these and more in the
/etc/postfix/virtual map file.

    abuse@D1          root
    postmaster@D1     bob%proulx.com@localhost
    abuse@D2          root
    postmaster@D2     bob%proulx.com@localhost
    alice@D2          alice%example.com@localhost
    bob@D2            bob%proulx.com@localhost
    carol@D2          carol%example.org@localhost
    bob.proulx@D2     bob%proulx.com@localhost
    ...virtual aliases for more domains...

And /etc/postfix/canonical has the outbound mapping.

    alice    alice%example.com@localhost
    bob      bob%proulx.com@localhost
    carol    carol%example.org@localhost
    david    david%example.net@localhost
    ...canonical maps for more users...

And just use /etc/aliases for the native D1 aliases in the traditional
way for all things D1 related.

    abuse: root
    postmaster: root
    root: bob%proulx.com@localhost

This is all described in some detail here below.  If anything I said
here conflicts with what is documented then accept the authoritative
upstream documentation as primary and know that I made a mistake
typing this in on the fly.

    http://www.postfix.org/VIRTUAL_README.html

Haven't said a word here about DKIM but that also is needed.  I'll
save DKIM for another email. :-)

Bob
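The forward-confirmed reverse DNS (FCrDNS) test and the SPF "a"/"mx" evaluation described in the message above, as an added example that is not part of Bob's message or of the NetBSD thread. It runs against a constructed, in-memory DNS table that mirrors the D1/D2 layout (the names d1.example.net, d2.example.org, mail.example.com and nomail.example.com are assumptions); a real check would resolve the same record types with a resolver library. The SPF evaluator covers only the a, mx, ip4 and all mechanisms, which is enough to show why D2 cannot be used as the HELO name while D1 can still send for D2.

```python
"""FCrDNS and a minimal SPF evaluator over constructed zone data.

Added example, not code from the original message.  The DNS table is an
assumption mirroring the D1/D2 layout: D1 (d1.example.net) has matching
forward and reverse records, D2 (d2.example.org) shares the address,
has no PTR of its own, and names D1 as its MX.
"""

import ipaddress

# Constructed zone data (assumed names and example addresses).
DNS = {
    "A": {
        "d1.example.net": ["93.184.216.34"],
        "d2.example.org": ["93.184.216.34"],
        "mail.example.com": ["203.0.113.5"],
    },
    "PTR": {
        "93.184.216.34": ["d1.example.net"],
        "203.0.113.5": ["mail.example.com"],
    },
    "MX": {
        "d2.example.org": [(10, "d1.example.net")],
        "nomail.example.com": [(0, ".")],  # Null MX, RFC 7505
    },
    "TXT": {
        "d1.example.net": ["v=spf1 a -all"],
        "d2.example.org": ["v=spf1 a mx -all"],
    },
}


def lookup(rrtype, name):
    """Records of one type for a name (or for an IP string, with PTR)."""
    return DNS[rrtype].get(name.lower().rstrip("."), [])


def fcrdns(ip):
    """IP -> PTR name -> A must include the IP.  Returns (ok, name)."""
    for name in lookup("PTR", ip):
        if ip in lookup("A", name):
            return True, name
    return False, None


def helo_matches(helo, ip):
    """Stricter receiver policy: the HELO name must be the
    forward-confirmed reverse name of the connecting IP."""
    ok, name = fcrdns(ip)
    return ok and name == helo.lower().rstrip(".")


def spf_check(domain, ip):
    """Evaluate a, mx, ip4 and all with +/-/~/? qualifiers.
    include, redirect and exp are out of scope for this example."""
    records = [t for t in lookup("TXT", domain) if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup("A", target)
        elif mech == "mx":
            # mx never falls back to the A record when no MX exists
            matched = any(ip in lookup("A", host) for _, host in lookup("MX", target))
        elif mech == "ip4" and arg:
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"
        if matched:
            return results[qualifier]
    return "neutral"  # nothing matched and no explicit "all"


def accepts_inbound(domain):
    """Null MX ("0 .") means no inbound mail; otherwise an MX, or failing
    that an A record, is a delivery target."""
    mx = lookup("MX", domain)
    if mx == [(0, ".")]:
        return False
    return bool(mx) or bool(lookup("A", domain))


def smtp_policy(ip, helo, mail_from_domain):
    """Combine the two checks the way a picky receiver would."""
    if not helo_matches(helo, ip):
        return "reject: HELO name is not the forward-confirmed rDNS of the IP"
    result = spf_check(mail_from_domain, ip)
    if result in ("fail", "permerror"):
        return "reject: SPF " + result
    return "accept: SPF " + result


if __name__ == "__main__":
    # D1 as HELO sending for D2: accepted.  D2 as HELO: rejected, because
    # the PTR for the address names D1, not D2.
    print(smtp_policy("93.184.216.34", "d1.example.net", "d2.example.org"))
    print(smtp_policy("93.184.216.34", "d2.example.org", "d2.example.org"))
    print(smtp_policy("203.0.113.5", "mail.example.com", "d2.example.org"))
```

Running it shows the three outcomes the message describes: D1 passes FCrDNS and D2's "a mx" SPF record lets it send for D2; D2 used as the HELO name fails the reverse check even though its A record matches; and an unrelated host with good FCrDNS of its own still fails D2's SPF and is rejected.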

