Thanks Dan, that's exactly what I was looking for. I wasn't sure if
this was the proper way to configure the MX records, or if all of my
domains should have MX records that point to a single A record in my
primary domain, which is where the PTR for my IP points to and that is
in my ME file. It sounds like either will work. 

On 04/28/2014 13:55, Dan McAllister wrote:

> Kelly:
> 
> While Eric's reply is clear about the fact that the MX record has to use an A record reference (vs CNAME), I think the answer you need here is simply that the A-record has to point to the correct IP address. What name you put in the MX record is of little import, so long as it references an A record that points to the correct IP address.
> 
> ===
> 
> By way of examples (for other users):
> Say my mail host is at 10.0.0.2, behind a NAT router with WAN IP address 1.2.3.4 (apologies to Google for using their IP in my example).
> - my mail host listens on ALL the standard ports (25, 80, 110, 143, 443, 465, 587, 993, & 995) for web and mail hosting (all forwarded through my router).
> - my mail host uses a name of MAIL.QMTHOSTING.COM (that's one of MY OWN hosting domains, so no worries about using it here)
> - my clients each have their own domains (for grins, we'll use A.COM, B.COM, C.COM, etc)
> - in general, my clients' DNS servers (whether hosted by me or not) have entries for their domains that look like:
>     @ IN MX 10 MAIL
>     MAIL IN A 1.2.3.4
> 
> Thus, to the outside world, they have an MX server at MAIL.A.COM, which resolves to 1.2.3.4. (Their domain name, their A record, my IP address).
> 
> Now, where the SPAM detection for IP addressing starts is when an outside mail server connects:
> - sendingdomain.com wants to send to u...@a.com & detects the MX record is MAIL.A.COM, which resolves (by A-record) to 1.2.3.4
> - sendingdomain.com connects to 1.2.3.4 on port 25 and gets an EHLO response that the name of the server is MAIL.QMTHOSTING.COM
> - sendingdomain.com then does a DNS query for MAIL.QMTHOSTING.COM and gets an IP of 1.2.3.4 -- so far, so good
> - sendingdomain.com next does a DNS query for 1.2.3.4 (actually, 4.3.2.1.IN-ADDR.ARPA) and gets a PTR value of MAIL.QMTHOSTING.COM -- bingo! a match!
> - sendingdomain.com continues sending the message (presumably to a domain in the rcpthosts file)...
> 
> The trouble comes when you want to connect your _CLIENTS_...
> - for WEBMAIL, I simply create an entry for each domain (HTTPS://MAIL.A.COM [1], etc) that redirects to the real ssl page HTTPS://MAIL.QMTHOSTING.COM [2]. That way the SSL certificate (which only has the name mail.qmthosting.com in it) works. (I do not allow webmail access except through https).
> 
> - for IMAP mail, there are 3 options:
> a) connect to MAIL.A.COM on port 143 and use IMAP with _no security_ (BAD IDEA -- I only allow this on one host, and only because the client INSISTS upon it)
> b) connect to MAIL.A.COM on port 993 and use IMAP OVER SSL -- clients will have _varying degrees of difficulty_ as the SSL Cert won't match the host name
> c) connect to MAIL.QMTHOSTING.COM on port 993 and use IMAP OVER SSL with my TRUSTED SSL CERTIFICATE (names match, so no errors, and no worries!)
> NOTE: Most clients choose option C -- in large part because I tell them to :)
> 
> - The same general idea goes for POP access, only on ports 110 and 995.
> 
> SMTP access is a little more tricky... it is a BEST PRACTICE to disallow SMTP-AUTH on port 25 (because it can be abused -- I'm not sure how, but all the major anti-virus and anti-spam companies tell me so, and I'm not of a need to determine exactly why -- I have bigger fish to fry!). Since this is the only un-authenticated access to the system, this port's SMTP service is plugged into SPAMDYKE -- which has been told to NOT allow SMTP-AUTH. But that is OK, because we're talking about CLIENT access to an SMTP server here:
> - I allow SMTP-AUTH with or without SSL on port 587 (if you choose to enable SSL, remember that the certificate is for the site mail.qmthosting.com)
> - I allow SMTP-AUTH only with SSL on port 465 (again, remember that the certificate is for the hostname mail.qmthosting.com).
> 
> So, clients can configure their SMTP access as being on port 587 using mail.a.com, or port 465 using SSL and the host name mail.qmthosting.com.
> 
> I really need to post some of this on the WIKI ... sigh when I'm less overworked :)
> 
> Dan
> 
> On 4/25/2014 7:41 PM, Kelly Cobean wrote:
> 
>> Sorry about the hijack Eric. Won't do that again. One last question. Should the MX records for the other domains indicate the hostname that is in the me file or should they be a record for a host in their own domain that maps to my server ip? I.e. should I have 5 domains all with identical MX entries?
>> 
>> Sent from my iPhone
> 
> -- 
> IT4SOHO, LLC
> 33 - 4th Street N, Suite 211
> St. Petersburg, FL 33701-3806
> 
> CALL TOLL FREE:
> 877-IT4SOHO
> 
> 877-484-7646 Phone
> 727-647-7646 Local
> 727-490-4394 Fax
> 
> We have support plans for QMail!




Links:
------
[1] https://mail.a.com
[2] https://mail.qmthosting.com
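The MX -> A -> EHLO -> PTR chain Dan walks through in the quoted message, as an added Python example that is not part of the thread or of qmail/QmailToaster: it replays the same checks a receiving MTA performs against a constructed in-memory DNS table instead of live lookups. The names mail.a.com, mail.qmthosting.com and 1.2.3.4 come from his example; the table layout, the function names and the b.com CNAME case are assumptions made here.

```python
"""Forward-confirmed reverse DNS check of a mail host's MX/A/PTR chain.
Example code using a constructed DNS table; not the list's or qmail's own."""
import ipaddress

# Constructed zone data mirroring the post (1.2.3.4 is a placeholder address).
DNS = {
    "a.com":                {"MX": [(10, "mail.a.com")]},
    "mail.a.com":           {"A": ["1.2.3.4"]},
    "b.com":                {"MX": [(10, "mail.b.com")]},
    "mail.b.com":           {"CNAME": ["mail.qmthosting.com"]},  # the wrong way
    "mail.qmthosting.com":  {"A": ["1.2.3.4"]},                  # name in 'me'
    "4.3.2.1.in-addr.arpa": {"PTR": ["mail.qmthosting.com"]},     # the PTR
}


def lookup(name, rtype):
    """Return the records of type rtype for name (empty list if none)."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def check_receiving_chain(domain, ehlo_name):
    """Walk the steps a sending MTA takes; return (ok, list_of_problems)."""
    problems = []
    mx = sorted(lookup(domain, "MX"))            # lowest preference first
    if not mx:
        return False, ["no MX record for " + domain]
    mx_host = mx[0][1]
    # An MX target must be an A record, never a CNAME (Eric's point).
    if lookup(mx_host, "CNAME"):
        problems.append(f"MX target {mx_host} is a CNAME")
    addrs = lookup(mx_host, "A")
    if not addrs:
        problems.append(f"MX target {mx_host} has no A record")
        return False, problems
    ip = addrs[0]
    # The server greeted with ehlo_name; it must forward-resolve to the same IP.
    if ip not in lookup(ehlo_name, "A"):
        problems.append(f"EHLO name {ehlo_name} does not resolve to {ip}")
    # The IP's PTR (4.3.2.1.in-addr.arpa for 1.2.3.4) must name the EHLO host.
    rev = ipaddress.ip_address(ip).reverse_pointer
    ptrs = [p.lower() for p in lookup(rev, "PTR")]
    if ehlo_name.lower() not in ptrs:
        problems.append(f"PTR for {ip} is {ptrs or 'missing'}, not {ehlo_name}")
    return not problems, problems


if __name__ == "__main__":
    # a.com passes; b.com fails on the CNAME; a.com greeting as mail.a.com
    # fails because the PTR names mail.qmthosting.com, not mail.a.com.
    for dom, ehlo in [("a.com", "mail.qmthosting.com"),
                      ("b.com", "mail.qmthosting.com"), ("a.com", "mail.a.com")]:
        print(dom, ehlo, check_receiving_chain(dom, ehlo))
```

The third case is the answer to Kelly's question in code: the MX may live in each client's own domain, but the name the server announces must be the one the PTR resolves to.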
