* Robin Rowe:
> Let's say my domains are virtual1.com and virtual2.com. Both the same IP.
>
> /etc/hosts: virtual1.com
> rDNS: virtual1.com
>
> What is the best mail server naming approach to use in DNS PTR, DKIM and
> SPF? Configure virtual2.com DNS for a mail server name of
> mail.virtual1.com or mail.virtual2.com? Same question for DKIM and
> SPF.

The way I always do it, and recommend for my customers:

* Decide on a single, permanent name, which may but need not be related to the virtual domains, for each mail server, e.g. "host.example.com". Generate your SSL certificate for host.example.com.
* Ensure that forward and reverse DNS resolution matches, so if "dig host.example.com" returns 11.22.33.44, "dig -x 11.22.33.44" returns host.example.com (the same for the AAAA record).
* Define "host.example.com" as the MX for your virtual domains.
* If host.example.com has several network interfaces, make sure to bind Postfix to outgoing IP addresses that match your SPF records.

The "host" part need not be "mail" or "mx", just a valid hostname. The domain can be any valid (sub)domain; you may even want to choose a deliberately neutral domain name unrelated to the virtual domains.

> Ok to sign all the DKIM mail with the same key, not generate a key for
> every virtual domain?

Yes, sharing a key has no negative effect when signatures are verified. I am not going into possible security concerns here.

-Ralph
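The consistency rules in Ralph's list (forward/reverse DNS for the MX host must match, and every address Postfix sends from must be covered by each virtual domain's SPF record) can be checked mechanically. The following is an added example, not code from the thread; it runs over constructed zone data standing in for live DNS answers, with host.example.com, 192.0.2.25 and 2001:db8::25 as assumed placeholder values.

```python
import ipaddress

# Constructed sample zone data standing in for live DNS answers (not real hosts).
FORWARD = {                      # hostname -> set of A/AAAA addresses
    "host.example.com": {"192.0.2.25", "2001:db8::25"},
}
REVERSE = {                      # address -> PTR target
    "192.0.2.25": "host.example.com",
    "2001:db8::25": "host.example.com",
}
MX = {                           # virtual domain -> MX hostname
    "virtual1.com": "host.example.com",
    "virtual2.com": "host.example.com",
}
SPF = {                          # virtual domain -> SPF TXT record
    "virtual1.com": "v=spf1 ip4:192.0.2.25 ip6:2001:db8::25 -all",
    "virtual2.com": "v=spf1 ip4:192.0.2.0/24 -all",  # no ip6: IPv6 mail fails SPF
}
OUTGOING_IPS = {"192.0.2.25", "2001:db8::25"}  # addresses Postfix sends from


def fcrdns_ok(name, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS: every address of `name` must have a
    PTR record that points back to exactly `name`."""
    addrs = forward.get(name, set())
    return bool(addrs) and all(reverse.get(a) == name for a in addrs)


def spf_networks(record):
    """Networks named by the ip4:/ip6: mechanisms of an SPF TXT record."""
    nets = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        for prefix in ("ip4:", "ip6:"):
            if term.startswith(prefix):
                nets.append(ipaddress.ip_network(term[len(prefix):], strict=False))
    return nets


def spf_covers(record, addr):
    """True if `addr` falls inside any ip4:/ip6: network of `record`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in spf_networks(record))


def check_domain(domain):
    """Return a list of problems for one virtual domain (empty = consistent)."""
    problems = []
    mx = MX[domain]
    if not fcrdns_ok(mx):
        problems.append(f"{mx}: forward/reverse DNS mismatch")
    for ip in sorted(OUTGOING_IPS):
        if not spf_covers(SPF[domain], ip):
            problems.append(f"{domain}: outgoing address {ip} not covered by SPF")
    return problems
```

Against real zones, replace the dictionaries with the answers from `dig`/`dig -x` and the TXT lookup; the second domain in the sample shows the typical gap of an SPF record that lists only the IPv4 address of a dual-stack sender.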