On Wed, Aug 19, 2015 at 2:26 AM, L.P.H. van Belle <be...@bazuin.nl> wrote:
>>>> Okay, I assume then that this should be the only PTR record:
>>>>
>>>> 4.3.2.1.in-addr.arpa. IN PTR B.tld.
>>>
>>> Yes. Provided of course B.tld is The One True Hostname for
>>> your server.
>>
>>It is!
>
> No, IMO, it is not, and this setup can be better, I think.
> Read on.
>
> A hostname is not a domain name, and it is best not to mix these up.
> For example:
> The server name is core.primary-domain.tld

Yes, you are correct!

> For Postfix in master.cf:
> myhostname = core.primary-domain.tld
> smtpd_banner = mail.primary-domain.tld ready
>
> core.primary-domain.tld has an A and a PTR record (the real and only hostname
> of the server).

Okay, good.

> mail.primary-domain.tld has an A record and is not a CNAME (= the HELO
> hostname).

You are correct!  A CNAME should be an alias, and mail.* is not an alias
(as opposed to www.*).

> And the MX points to mail.primary-domain.tld.
> All virtual domains point their MX to mail.primary-domain.tld.
>
> In this case mail and core have the same IP, but depending on the setup,
> this can be split up very easily over multiple servers without changing
> anything in my Postfix setup:
> I just move domains to other servers and change the DNS MX record (and, if
> needed, the SPF record).
>
> An SPF setup is now very easy, like:
> TXT     "v=spf1 mx -all"
> or
> TXT     "v=spf1 mx ptr -all"
> or, and here is where the A record for mail is handy:
> TXT     "v=spf1 mx a -all"
> This is not possible with a CNAME.

Good point.

>
> Why not use domain.tld too, and CNAMEs for mail?
> The EHLO hostname must be an A record, correct me if I'm wrong.

Okay.

> What happens if you set smtpd_helo_restrictions with
> reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
> reject_unknown_helo_hostname?
>
> And what people often forget is the setup of the web server.
> For a web server, the best is to point domain.tld and www.domain.tld to the
> same virtual host on the web server,
> but this is not possible if you have your web server and your mail server on two
> different machines.
> And certificates these days have domain.tld and subdomain.domain.tld in one
> certificate.
>
> There are more reasons not to use the CNAME setup,
> but all of the above is just a suggestion.

Thanks so much, Louis.  Taking your suggestions I have changed my setup to:

# the web server virtual domains (A..Z)
X.TLD.                     IN A     142.54.186.2
www.X.TLD.                 IN CNAME X.TLD.
X.TLD.                     IN MX    10 mail.B.TLD.

# only for B.TLD (the mail server in the "real" Postfix domain):
mail.B.TLD.                IN A     142.54.186.2
2.186.54.142.in-addr.arpa. IN PTR   B.TLD.

Does that look better (the only difference from your comments I
believe is I am using 'mail' instead of 'core' for the server name
since ALL is on one real host)?

Best regards,

-Tom
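As an added example, not part of this thread and not anyone's production config: a small offline checker, in Python, that applies the rules discussed above (forward-confirmed reverse DNS with the PTR name equal to the HELO/myhostname name, a HELO name that passes reject_non_fqdn_helo_hostname and reject_unknown_helo_hostname, MX targets that are never CNAMEs, and the simple "v=spf1 mx a ptr -all" style SPF records) to records constructed to mirror the layout Tom posted. The A record for b.tld. and the SPF TXT record are assumptions, no live DNS is queried, and it goes one step beyond the text by also checking the CNAME-based MX layout that Louis argues against. All zone, function and parameter names are mine.

```python
import ipaddress

# Constructed zone data mirroring the records posted above; no live DNS is
# queried. The A record for b.tld. is assumed (it is one of the A..Z virtual
# web domains) and the SPF TXT record is an assumption in the "v=spf1 mx a -all"
# form suggested earlier in the thread. Names are lower-cased and fully qualified.
GOOD_ZONE = {
    ("x.tld.", "A"): ["142.54.186.2"],
    ("www.x.tld.", "CNAME"): ["x.tld."],
    ("x.tld.", "MX"): ["10 mail.b.tld."],
    ("b.tld.", "A"): ["142.54.186.2"],
    ("www.b.tld.", "CNAME"): ["b.tld."],
    ("b.tld.", "MX"): ["10 mail.b.tld."],
    ("b.tld.", "TXT"): ["v=spf1 mx a -all"],
    ("mail.b.tld.", "A"): ["142.54.186.2"],
    ("2.186.54.142.in-addr.arpa.", "PTR"): ["b.tld."],
}
# The CNAME-based layout argued against in the thread, for contrast (constructed).
BAD_ZONE = dict(GOOD_ZONE)
BAD_ZONE[("mail.y.tld.", "CNAME")] = ["mail.b.tld."]
BAD_ZONE[("y.tld.", "MX")] = ["10 mail.y.tld."]

def _norm(name):
    """DNS names are case-insensitive; compare them lower-cased and fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def lookup(zone, name, rtype):
    return zone.get((_norm(name), rtype), [])

def reverse_name(ip):
    return ipaddress.ip_address(ip).reverse_pointer + "."

def resolve_a(zone, name, max_cnames=8):
    """Return the A records for name, following a CNAME chain like a resolver would."""
    for _ in range(max_cnames):
        addrs = lookup(zone, name, "A")
        if addrs:
            return addrs
        cname = lookup(zone, name, "CNAME")
        if not cname:
            return []
        name = cname[0]
    return []

def is_fqdn(name):
    """reject_non_fqdn_helo_hostname: the name needs at least two non-empty labels."""
    labels = _norm(name).rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)

def check_fcrdns(zone, ip, helo):
    """Forward-confirmed reverse DNS (IP -> PTR -> A -> IP), plus the thread's
    stricter rule: the single PTR name is the one hostname used as myhostname/HELO."""
    findings = []
    ptrs = lookup(zone, reverse_name(ip), "PTR")
    if len(ptrs) != 1:
        findings.append(f"{ip}: expected exactly one PTR record, found {len(ptrs)}")
    for ptr in ptrs:
        if ip not in resolve_a(zone, ptr):
            findings.append(f"{ip}: PTR {ptr} does not resolve back to {ip}")
        if _norm(ptr) != _norm(helo):
            findings.append(f"{ip}: PTR {ptr} differs from HELO name {_norm(helo)}")
    return findings

def check_helo(zone, helo):
    """What smtpd_helo_restrictions would reject: a non-FQDN, or a name without an A record."""
    if not is_fqdn(helo):
        return [f"HELO {helo}: not a FQDN (reject_non_fqdn_helo_hostname)"]
    if not lookup(zone, helo, "A"):  # a plain A record, not a CNAME, as the thread wants
        return [f"HELO {helo}: no A record (reject_unknown_helo_hostname)"]
    return []

def check_mx(zone, domain):
    """MX targets must be hostnames with A records, never CNAMEs (RFC 2181 s10.3)."""
    findings = []
    for rr in lookup(zone, domain, "MX"):
        target = rr.split()[1]
        if lookup(zone, target, "CNAME"):
            findings.append(f"{domain}: MX target {target} is a CNAME")
        elif not lookup(zone, target, "A"):
            findings.append(f"{domain}: MX target {target} has no A record")
    return findings

def spf_check(zone, domain, ip):
    """Minimal SPF evaluator for the forms quoted in the thread (mx, a, ptr, ip4, all).
    include/redirect/exists and CIDR suffixes on a/mx are not handled: permerror."""
    txts = [t for t in lookup(zone, domain, "TXT") if t.startswith("v=spf1")]
    if not txts:
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in txts[0].split()[1:]:
        qual = "+"
        if term[0] in results:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in resolve_a(zone, target)
        elif mech == "mx":
            matched = any(ip in resolve_a(zone, rr.split()[1]) for rr in lookup(zone, target, "MX"))
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "ptr":
            # only PTR names that resolve back to ip count, and they must end in target
            valid = [p for p in lookup(zone, reverse_name(ip), "PTR") if ip in resolve_a(zone, p)]
            matched = any(_norm(p) == _norm(target) or _norm(p).endswith("." + _norm(target)) for p in valid)
        else:
            return "permerror"
        if matched:
            return results[qual]
    return "neutral"

def check_setup(zone, domains, helo, ip):
    findings = check_fcrdns(zone, ip, helo) + check_helo(zone, helo)
    for domain in domains:
        findings += check_mx(zone, domain)
    return findings

if __name__ == "__main__":
    for line in check_setup(GOOD_ZONE, ["x.tld.", "b.tld."], "mail.b.tld.", "142.54.186.2"):
        print("posted layout:", line)
    for line in check_setup(BAD_ZONE, ["y.tld."], "mail.y.tld.", "142.54.186.2"):
        print("CNAME layout:", line)
    print("SPF for b.tld. from 142.54.186.2:", spf_check(GOOD_ZONE, "b.tld.", "142.54.186.2"))
```

Run as a script against the constructed zone, it reports a single finding for the posted layout (the PTR name b.tld. differs from the HELO name mail.b.tld., which is exactly the "one real hostname with A and PTR" point Louis makes), while the contrasting zone is flagged for an MX target that is a CNAME and a HELO name without an A record; the SPF evaluation returns "pass" for the server's own IP and "fail" for any other.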
