[SOLVED] Setting correct SMTP HELO host, domain name, PTR records for e-mail server

(Topic split from Smtp banner modify in nethserver 7.8.2003)

Salut @Andy_Wismer,

I asked my registrar to change the original PTR record to mail.FQDN and he did it.

Now I have a very good score at https://www.mail-tester.com but with the :ballot_box_with_check: below, I have a doubt about mail.FQDN vs myhelo.FQDN for the PTR record at my registrar.

My DNS records at Godaddy: (There is no possibility for a PTR record at GoDaddy, you have to set it at your registrar)

A friend of mine with the registrar Gandi: (There is a possibility for a PTR record)

MY DOUBT:
Should I ask my registrar to point the PTR record to myhelo.FQDN instead of mail.FQDN ?

Thank you in advance,

Michel-André

@michelandre

Salut Michel-André

The whole world seems to use mail.domain.com for their Mailserver, where did you get the myhelo from?

Making your Mailserver respond correctly with mail.domainname.com would be the right way…
Eliminate the myhelo, if possible!

I think your server is responding with that in the helo phase…

My 2 cents
Andy

See also this example from Spiceworks:

They use mx. (Common for providers and hosters).

PS:
myhelo.com seems to be some sort of health service…

1 Like

@michelandre

See here:
https://community.nethserver.org/t/dns-records/17143/55

1 Like

Salut Andy,

I eliminated the myhelo A record and lost 3 points:

Michel-André

Well, the test-site seems to be looking ONLY for myhelo…
Why is the tester looking for myhelo?

The hostname myhelo should NOT be used… (at all!)

Hello @michelandre, I would say yes, your PTR record should match the HELO record. For my NethServer email setup, the HELO record was that of the FQDN of the NethServer device (demo.example.com). In this setup I would have a PTR record set for demo.example.com with the expectation that the HELO address is also demo.example.com. You need to make sure you have an A record for demo.example.com as well.


1 Like

@royceb

Hi Royce

You let chance and not planning define your network?

Strange concept!

My 2 cents
Andy

I misunderstand your question.

@royceb

I use the names I put on Paper (MindMap or whatever you use as planning tool) for my servers, my DNS, my vLANs…

I plan ALL beforehand, and then just type in the names…

Sure a PTR of a Mailserver should match the helo, but I would make sure the helo is exactly mail.domain.com, and nothing else! If needed, I’d adapt the helo, but NOT the PTR!

My 2 cents
Andy

Thank you for clarifying for me. For starters, I do tend to follow what you describe above planning names, DNS, and such using that networking spreadsheet you shared with me as a template (thank you!).

Help clarify if I am wrong, but from my understanding, a PTR record in this case is used to verify a 1-to-1 relationship: that an IP address w.x.y.z maps to a given record like demo.example.com. The PTR record is something set by those who own the IP address w.x.y.z (usually the ISP) from which we want our NethServer email to be sent. I think what you are saying is that the expectation for the PTR records of email servers is that they should be close to, if not exactly, mail.example.com. It is also true that it is much easier to modify the HELO record on NethServer.

I suppose my clarified point for @michelandre would then be that these two records (your HELO and PTR records) must match, and that the default HELO record when deploying NS comes from its FQDN host name.

1 Like

Hi Andy,

I tried to change the myhelo A record to point to mail.domain.com but it is refused as it requests an IP address or @.

Is that the way to do it, or is there another way?

Michel-André

@royceb

Hi Royce

This is only true for dynamic addresses, and for static addresses where the user has not yet requested a PTR record. And these PTR hostnames are all on the dnsbl blacklist, by the providers using these IPs for their clients. As soon as a client requests a PTR, the name is usually taken off the dnsbl list - the provider knows you want to run mail there…

Almost correct, but not quite. Mailservers check this; the reasoning is that if the sender’s mail claims to be coming from john.doe@doe-home.org, and the sending mailserver resolves to the same domain name, like server.doe-home.org, then the chances are very high it’s legit mail, and not spam!

Now, if helo answer and PTR correspond, it’s almost 100% legit. Sure, something could be spoofed, but PTR is hard to spoof.

I do have some clients’ servers which do mail, and are NOT called mail.domain.ch or whatever, but a “normal” servername. In such a case, I’ll have the real FQDN as A record, but also mail.domain.ch as A record. PTR would be mail.domain.ch, and the same goes for the helo. The real FQDN could be - for the internet - a CNAME of mail.domain.ch…

Mail is the one DNS thing that really needs special attention, and I go by the rule that it should be mail.whatever.com, as it concerns mail, not generic server access. This usually implies setting the helo and PTR and at least one “A” Record accordingly.

Here is a swiss example…

Green (green.ch) is a medium sized swiss provider.
Their mailserver is called: mail.green.ch.

Here I’m querying Google for the forward and reverse lookups:

And here the telnet query to port 25…

As you can see, any way you look at it, this mail server has really optimal A, PTR and helo!
All answer to the same name.

A lot of larger providers, or Google and other large companies usually have a mail-cluster, and each node has mx-name or something. This takes a little more effort, but Gmail works (usually well!)… :slight_smile:

My 2 cents
Andy
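As an added example (not code from the thread or from NethServer), here is a check for the rule Andy and Royce describe: the HELO name needs an A record, the PTR of that IP must be the same name, and the PTR name must resolve back to the IP (forward-confirmed reverse DNS). Lookups are injected so it runs offline on constructed records; `dns_forward` and `dns_reverse` use the system resolver for a live check, and the `toto.org` names and 192.0.2.25 address are constructed sample data.

```python
import socket
from typing import Callable, Dict, List

Lookup = Callable[[str], List[str]]  # name -> IPs, or IP -> PTR names


def check_mail_identity(helo: str, forward: Lookup, reverse: Lookup) -> List[str]:
    """Return problems found; an empty list means A, PTR and HELO all agree."""
    problems: List[str] = []
    helo = helo.rstrip(".").lower()
    ips = forward(helo)
    if not ips:
        return [f"HELO name {helo} has no A record"]
    for ip in ips:
        ptrs = [p.rstrip(".").lower() for p in reverse(ip)]
        if not ptrs:
            problems.append(f"{ip} has no PTR record")
            continue
        # Forward-confirmed reverse DNS: every PTR name must resolve back to the IP
        for ptr in ptrs:
            if ip not in forward(ptr):
                problems.append(f"PTR {ptr} does not resolve back to {ip}")
        # The name announced in HELO must be one of the PTR names
        if helo not in ptrs:
            problems.append(f"PTR for {ip} is {', '.join(ptrs)}, not HELO name {helo}")
    return problems


def dns_forward(name: str) -> List[str]:
    """Live A lookup via the system resolver (not used by the offline sample)."""
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def dns_reverse(ip: str) -> List[str]:
    """Live PTR lookup via the system resolver."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


# Constructed zone data using the thread's names and the 192.0.2.0/24
# documentation range; these are not real records.
A_RECORDS: Dict[str, List[str]] = {"mail.toto.org": ["192.0.2.25"],
                                   "myhelo.toto.org": ["192.0.2.25"]}
PTR_RECORDS: Dict[str, List[str]] = {"192.0.2.25": ["mail.toto.org"]}
sample_forward: Lookup = lambda name: A_RECORDS.get(name.rstrip(".").lower(), [])
sample_reverse: Lookup = lambda ip: PTR_RECORDS.get(ip, [])
```

With the sample records, `check_mail_identity("myhelo.toto.org", sample_forward, sample_reverse)` reports the PTR/HELO mismatch from this thread, while `mail.toto.org` passes cleanly; pass `dns_forward` and `dns_reverse` instead to test a real host.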

@michelandre

Hi

I would keep the mail.domain.com as A record, and if possible change the helo to reflect this!
The PTR already says mail.domain.com

An A record MUST point to an IP.
Only a CNAME can point to an A Address.
And mail MUST use an A record!

If it’s not possible to change the server’s helo, you’d need to use myhelo as A record with the right IP.

My 2 cents
Andy

1 Like

Hi Andy,

At the ISP, the PTR record is set to main.toto.org
There is an A record for toto.org pointing at the right IP.
There is an A record for mail.toto.org pointing at the right IP.
There is an A record for myhelo pointing at the right IP.

I have access to the server console, how can I change the server helo record ?
If I change it on the server, then I have to delete the myhelo A record ?

Michel-André

@michelandre

To change the helo, see the top of this topic, MrMarkuz posted it:

The myhelo A DNS entry can be kept or deleted, as mail does not use it anymore…
But maybe the name is used for other things as well… (No need to delete, you can if you want…).

Hope this helps
Andy

@Andy_Wismer,

How about changing the HeloHost with a setprop ?

# config show postfix
postfix=service
...
HeloHost=myhelo.toto.org
...
#

Michel-André

I think you and I are functionally talking about the same process, except with an attention to naming conventions and norms; mail.example.com vs random-name.example.com for helo/ptr setups. Do you have any resources I could study up on for best practices regarding these naming conventions?

Custom HELO can be set via Cockpit under the Relay section.


2 Likes

@michelandre

Not sure if that would work, but it’s worth a try.
It’s also possible to use cockpit, apparently…

1 Like

@Andy_Wismer

Source of the mail sent to my friend Frederic:

ORIGINAL:

Received: from myhelo.toto.org

After changing it with a setprop:

Received: from mail.toto.org

Maybe a simple solution ?

But I have to wait for tomorrow as I already used my 3 tests at https://www.mail-tester.com.

Michel-André

1 Like

Patience again… :slight_smile:

But looks good!

1 Like