I would like to set up Postfix properly to serve multiple virtual domains while complying to all standards and being able to enable security measures like SPF.
- The server has the hostname `server.domain.tld`.
- Postfix has `mydomain` set to `domain.tld`.
- Postfix has `myhostname` set to `server.domain.tld`.
- Postfix has not set `myorigin` to anything.
- The server is hosting a few dozen virtual domains.
- All users have set up `mail.tld` as incoming and outgoing mail server.
- I would like Postfix to act to the outer world as `mail.tld`.
My first thought was to just set `mydomain` and `myhostname` to `mail.tld`. But it seems that it is advised that the reverse lookup of `mail.tld` should resolve to the host's IP address (https://serverfault.com/a/366391/162258 for example). While I could do that, I am concerned that setting up the reverse lookup to `mail.tld` might lead to problems when it becomes necessary to reverse-lookup the host itself.

How can I achieve that Postfix acts as `mail.tld`, and that I will be able to specify `mail.tld` as MX record and use SPF, DKIM and DMARC with it, while retaining the DNS integrity of the host `server.domain.tld`?
Best Answer
I have a similar working set up - I'm not using DKIM or DMARC, just SPF for spam fighting.
Here's mine - I set mine up using this as a guide and while I follow it 90% of the way there are a few things I do differently - https://workaround.org/ispmail/jessie
Here's what is in my various files for hostnames. Like you, I'm hosting multiple domains and they all work fine.
Reverse DNS is set to `mail.example.com`.

I get a letsencrypt cert via the standalone method, and specify example.com, mail.example.com, and www.example.com as hosts on it.

- `/etc/hostname` - `mailserver` (w/ appropriate mapping to 127.0.0.1 in `/etc/hosts`)
- `/etc/mailname` - `mail.example.com`

In `/etc/postfix/main.cf` I have the following references to hostnames or FQDNs -

In my `main.cf` I pull in the domains to service as well as users and passwords from a mysql database (per the howto I linked above). Once I enter a domain in the proper table and create a user account or alias under it I can work as a mail server (incoming and outgoing) IF the other domain puts `mail.example.com` in as the highest priority (lowest number) MX record for the domain, and any SPF records they have specify that my `mail.example.com` is valid for sending - I use the MX record option.

Clients connect to `mail.example.com` for Submission (w/ TLS/SSL) and pop3 and/or imap (both with tls/ssl). Works great.
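A `main.cf` fragment, added here as an illustration and not taken from the question or the answer, laying out the parameters both posts touch on (`myhostname`, `mydomain`, `myorigin`, and keeping hosted domains out of `mydestination`). All names, the IP address and the file paths are placeholders; the hosted domains are listed flat here rather than pulled from MySQL as in the answer.

```ini
# /etc/postfix/main.cf fragment (added example, not the answerer's file).
# Assumed names: OS hostname stays server.domain.tld, public mail identity
# is mail.tld, outbound IP is 192.0.2.10 (documentation range), and
# example.org / example.net stand in for the hosted virtual domains.

# Identity Postfix presents to other MTAs: HELO/EHLO name, Received:
# headers and the SMTP banner. The PTR record of 192.0.2.10 should
# resolve to this name and this name should resolve back to 192.0.2.10
# (forward-confirmed reverse DNS); the OS hostname is not involved.
myhostname = mail.tld
mydomain = domain.tld
smtp_helo_name = $myhostname
smtpd_banner = $myhostname ESMTP

# Domain appended to unqualified local senders (cron, root@, ...).
myorigin = $mydomain

# Only the machine's own names are delivered locally. Hosted domains
# must NOT be listed here, or Postfix treats them as local instead of
# virtual and rejects the virtual mailboxes.
mydestination = $myhostname, localhost.$mydomain, localhost

# Hosted domains and their mailboxes/aliases. A domain belongs in exactly
# one of mydestination, virtual_mailbox_domains or virtual_alias_domains.
virtual_mailbox_domains = example.org, example.net
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual

# Certificate must carry the name clients and peers actually connect to
# (mail.tld), not the OS hostname.
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.tld/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.tld/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may

# Matching DNS (placeholders), for reference:
#   mail.tld.                     A    192.0.2.10
#   10.2.0.192.in-addr.arpa.      PTR  mail.tld.
#   example.org.                  MX   10 mail.tld.
#   example.org.                  TXT  "v=spf1 mx -all"
```

Check the result with `postconf -n` (effective settings) and `postconf -x myhostname mydestination` before reloading.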