[SOLVED] Setting correct SMTP HELO host, domain name, PTR records for e-mail server

Thank you @Andy_Wismer, @royceb and all other for your great replies.

This forum is really the best one… :star_struck:

Michel-André

2 Likes

@michelandre

You’ve also got to admit, looking at a mail header and seeing mail.domain.something does look much better (and more serious) than myhelo or say “testserver”… :slight_smile:

And if you want three more tests, I can give you remote access from here…

2 Likes

Salut @royceb

I do not use Relay, maybe that’s why it’s displaying nothing under it.

Michel-André

Hi all,

My sincere thanks to @Andy_Wismer.

The most simple working solution is to use a setprop command.

1 → At the ISP (the real owner of the IP address):

  • The PTR record is set to mail.DomainName.

2 → At the domain registrar for the DNS records:

  • There is an A record for DomainName pointing at the IP.
  • There is an A record for mail.DomainName pointing at the IP.
  • There is an A record for myhelo pointing at the IP.

3 → At the NethServer console:

The default HeloHost:

# config show postfix
postfix=service
...
HeloHost=myhelo.DomainName
...
#

Using setprop:

# config setprop postfix HeloHost mail.DomainName
#

# signal-event nethserver-mail-server-update
#

The new HeloHost property:

# config show postfix
postfix=service
...
HeloHost=mail.DomainName
...
#

4 → https://www.mail-tester.com/:
The orange check mark is due to the fact that I didn’t include an unsubscribe link in the email I sent for the test.

●●● Maybe ask the developers to change myhelo.DomainName to mail.DomainName because it is recommended to always use mail and never myhelo as @Andy_Wismer explained.

Michel-André

P.S. The next problem will be with multi-domains, but this is another story by itself…

4 Likes
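As an added example (not from this thread or from NethServer), here is the consistency check a receiving server effectively applies to the HELO host after the steps above: the HELO name must have an A record matching the sending IP, and the PTR of that IP must resolve back to the HELO name (forward-confirmed reverse DNS). The zone data is constructed to mirror the layout in the post; swap in a real resolver to run it against a live server.

```python
import ipaddress

# Constructed sample DNS data (not a real zone), mirroring the thread:
# A records for DomainName, mail.DomainName and myhelo.DomainName all
# point at the server IP, but the PTR set at the ISP names only mail.*.
SAMPLE_DNS = {
    "A": {
        "DomainName": "203.0.113.10",
        "mail.DomainName": "203.0.113.10",
        "myhelo.DomainName": "203.0.113.10",
    },
    "PTR": {
        "10.113.0.203.in-addr.arpa": "mail.DomainName",
    },
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa (or ip6.arpa) name used for the PTR lookup."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_helo(helo: str, ip: str, dns=SAMPLE_DNS) -> list:
    """Return the list of problems for a HELO host; an empty list is consistent.

    The three checks: HELO has an A record, that A record equals the sending
    IP, and the PTR of the sending IP equals the HELO name (FCrDNS).
    """
    problems = []
    a = dns["A"].get(helo)
    if a is None:
        problems.append(f"no A record for HELO host {helo}")
    elif a != ip:
        problems.append(f"A record for {helo} is {a}, not sending IP {ip}")
    ptr = dns["PTR"].get(reverse_name(ip))
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
    elif ptr.lower() != helo.lower():
        problems.append(f"PTR for {ip} is {ptr}, HELO is {helo}")
    return problems
```

With the default HeloHost (myhelo.DomainName) the PTR check fails, which is exactly why switching HeloHost to mail.DomainName clears the warning on mail-tester.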

This setting affects your LOCAL HELO settings without you having to create a custom SMTP banner or change the host name of the NethServer install. I was confused at first being that it was in the Relay section but this was incorrect on my part. The picture above that has the WHAT.the.fudge HELO response after I changed the Custom HELO message to WHAT.the.fudge and would be the solution you were looking for without needing the custom SMTP banner changes that Andy suggested.

Hi all,

I am now writing a document on how to set up DNS records for a mail server.
This document has to be 100% correct and contain no errors.

From: ClouDNS: What is an MX Record?

FAQ

Question: Do I need an “A” record for my mail server alongside with my domain’s MX records?

Answer: If the mail server is part of the same domain namespace (lies in the zone), then an “A” record is required.


Everything is working correctly and my DNS records are now:

I have a little doubt about the imap, smtp and pop DNS records.

QUESTIONS:

● Is this the right way to describe these imap, smtp and pop records with CNAMEs?

As stated in the above link:
“…alongside with my domain’s MX records”…,

● Do I have to add an MX record for mail even if it already has an A record, or might the addition of an MX mail record fool the DNS request from the mail receiving server?

All comments or suggestions highly appreciated.

Michel-André

1 Like

@michelandre

Salut Michel-André

Actually, strictly said, the IMAP, SMTP and POP entries are not really necessary.
SMTP “looks” nice, but that’s about it.

-> However, for ALL users of mobile phones, and most Mail Clients, having those three entries as CNAME or A records just makes it easier to add in an account, as most mobiles (Android, iOS) and Desktop Mail clients probe for those names… No idea about obsolete stuff like Blackberries or MS-Phone.
These do not work when using .local or .lan pseudo domains.

To add a historical note:

Up until around the Millennium / the Dot.com Dot.gone crash, the standards used to be:
Incoming: pop.domain.tld
Outgoing: smtp.domain.tld

IMAP still wasn’t very common, some providers also had
imap.domain.tld

And: Incoming and Outgoing were very often different servers. Servers were a lot less powerful in those days!

A very common, very insecure auth scheme for SMTP was “pop before smtp”…

My 2 cents
Andy

2 Likes

@michelandre

Salut Michel-André

Forgot the last question:

To be correct a mail server MUST always have an “A” record AND a “MX” Record.
In larger environments, these do not have to be within the same domain, but the mail server still needs at least one of each.
The MX tells where to dump mail, and the A record tells where to find that server!

My 2 cents
Andy

1 Like

I have a multi-domain server with three different domains including mail

I received 10/10 points for all mail addresses.

My configuration:

Nethserver: srv01.mymaindomain.tld

DNS mymaindomain.tld:

mymaindomain.tld.	86400	IN 	MX	10 mymaindomain.tld.
mymaindomain.tld.	86400	IN	TXT	 v=spf1 a:srv01.mymaindomain.tld mx:mail.mymaindomain.tld ip4:123.456.789.10 ?all
mymaindomain.tld.	86400	IN  A	
mymaindomain.tld.	86400	IN  CAA 0 issue "letsencrypt.org"
*.mymaindomain.tld.	86400	IN 	A	123.45.67.10
_dmarc.mymaindomain.tld.	86400	IN	 TXT	v=DMARC1;p=reject;pct=100;ruf=mailto:abuse@mymaindomain.tld;fo=0:d:s;aspf=r;adkim=r;
default._domainkey.mymaindomain.tld.	1800	IN	TXT	( "v=DKIM1; k=rsa; " "p=MIIBIjANBg…" "Iv..AB" ) ; ----- DKIM key default for mymaindomain.tld
*._tcp.mymaindomain.tld.	3600	IN	 TLSA	3 1 1 ecd585ed2f2d2801da49…
imap.mymaindomain.tld.	86400	IN	 CNAME	mail.mymaindomain.tld.
mail.mymaindomain.tld.	86400	IN	 A	123.45.67.10
mail.mymaindomain.tld.	86400	IN	 CAA	0 issue "letsencrypt.org"
ns-srv01.mymaindomain.tld.	86400	IN	 A	123.45.67.10
pop.mymaindomain.tld.	86400	IN	 CNAME	mail.mymaindomain.tld.
smtp.mymaindomain.tld.	86400	IN	 CNAME	mail.mymaindomain.tld.

DNS myseconddomain.tld:

myseconddomain.tld.	86400	IN	 MX	10 mymaindomain.tld.
myseconddomain.tld.	86400	IN	 TXT v=spf1 a:srv01.mymaindomain.tld mx:mail.mymaindomain.tld ip4:123.456.789.10 ?all
myseconddomain.tld.	86400	IN	 A	123.45.67.10
myseconddomain.tld.	86400	IN 	CAA	0 issue "letsencrypt.org"
*.myseconddomain.tld. 86400	IN 	TXT	v=spf1 a mx mx:srv01.mymaindomain.tld ip4:123.456.789.10 ~all
_dmarc.myseconddomain.tld.	86400	IN	 TXT	v=DMARC1;p=reject;pct=100;ruf=mailto:marko.dargel@gmail.com;fo=0:d:s;aspf=r;adkim=r;
default._domainkey.myseconddomain.tld.	86400	IN	 TXT	( "v=DKIM1; k=rsa; " "p=MIIBIjANBg…" "Iv...AB" ) ; ----- DKIM key default for myseconddomain.tld
*._tcp.myseconddomain.tld.	3600	IN	TLSA	3 1 1 20d315859f86d83c8943…
imap.myseconddomain.tld.	86400	IN  CNAME	mail.myseconddomain.tld.
mail.myseconddomain.tld.	86400	IN  A	    123.45.67.10
pop.myseconddomain.tld.	    86400   IN  CNAME	mail.myseconddomain.tld.
smtp.myseconddomain.tld.	86400	IN	CNAME	mail.myseconddomain.tld.

best regards, Marko

2 Likes

Hi

Better use

123.45.67.10

as a sample, that’s at least valid… :slight_smile:

Gruss!

1 Like
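Marko’s SPF records above, and the follow-up about the sample IP, are a good case for a small pre-publication lint. This is an added example (not from the thread or from NethServer): it parses an SPF TXT string into its mechanisms, rejects addresses that are not valid IPv4/IPv6 (the 123.456.789.10 sample would be silently ignored by receivers), and flags a neutral “?all” ending, which RFC 7208 requires receivers to treat exactly like having no SPF policy at all. The two record strings are copied from the zone listing in the post.

```python
import ipaddress

# Copies of the SPF strings from the zone listing in the thread.
SPF_MAIN = "v=spf1 a:srv01.mymaindomain.tld mx:mail.mymaindomain.tld ip4:123.456.789.10 ?all"
SPF_WILDCARD = "v=spf1 a mx mx:srv01.mymaindomain.tld ip4:123.456.789.10 ~all"

QUALIFIERS = "+-~?"
MECHANISMS = {"all", "a", "mx", "ip4", "ip6", "include", "exists", "ptr"}


def parse_spf(record: str) -> list:
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= / exp= are not linted here
            continue
        qual = "+"  # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def lint_spf(record: str) -> list:
    """Return the warnings a defender would want to see before publishing."""
    warnings = []
    terms = parse_spf(record)
    for qual, mech, arg in terms:
        if mech not in MECHANISMS:
            warnings.append(f"unknown mechanism {mech}")
        if mech in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)  # accepts host or CIDR
            except ValueError:
                warnings.append(f"invalid address in {mech}:{arg}")
        if mech == "ptr":
            warnings.append("ptr mechanism is discouraged by RFC 7208")
    alls = [q for q, m, _ in terms if m == "all"]
    if not alls:
        warnings.append("no terminal 'all' mechanism; unlisted senders get neutral")
    elif alls[-1] == "?":
        warnings.append("'?all' is neutral: receivers treat it like no SPF policy")
    elif alls[-1] == "+":
        warnings.append("'+all' authorises every sender")
    return warnings
```

Once the IP is corrected and the main record ends in “~all” or “-all”, both records lint clean.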

Hi all,

@Andy_Wismer
Your explanations are complete and perfect. I will write them down in my document, obviously with a reference to your site.

@capote
Thank you a thousand times for your description of your DNS records. This is exactly what I was looking for a second domain on my main NethServer. I will also include a reference to your reply.

What a great bunch of contributors this forum has.

Michel-André

4 Likes

@michelandre

And all three people mentioned in your Post fully agree!
NethServer Forum is the best! :slight_smile:

3 Likes

I am glad to be able to give something back to the community, and especially to you, since I have experienced so much support myself.

1 Like

Hi all,

Now I am in the secondary domain (VHOST) titi.org on the same server as toto.org.

I created a mail server for titi.org and the appropriate DNS and aliases.
I created a user-1@toto.org and an alias for him that points to user-1@titi.org.

At Webmail: https://www.titi.org/webmail, user-1 can connect without any problem.

In Webmail, I created a new user-1@titi.org identity and set it as the default identity.
I created an email with user-1@titi.org and the FROM: identity was correctly user-1@titi.org.

I sent the message to michelandre@toto.org and everything went well.
DKIM does indicate that it is from srv1.titi.org. Everything indicates that only titi.org exists and there is no mention of toto.org at all in the email received.

PROBLEM:
● In Thunderbird, I cannot create an account user-1@titi.org (cannot connect); I have to use user-1@toto.org.
● I cannot adjust the incoming/outgoing server to titi.org, only to toto.org.

I have looked at Marko’s DNS records and see that I don’t have CAA and TLSA records.

I googled around and the CAA record is linked to the certificate authority.
Let’s Encrypt issued my 2 certificates (one for toto.org and another one for titi.org).

● The certificate for titi.org is a SAN in the sense that it is used for mail, srv1, www, etc.
● Configuring the CAA record, I have to use a flag [issue || issuewild || iodef].

https://support.dnsimple.com/articles/caa-record.
issue: explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.
issuewild: explicitly authorizes a single certificate authority to issue a wildcard certificate (and only wildcard) for the hostname.
iodef: specifies a URL to which a certificate authority may report policy violations.

QUESTION:
● Is the flag issue the proper one to use?
● Is that the solution to have Thunderbird working with user1@titi.org, or is there another way to solve that?

If I remember well, the SAN is for a multi-domains (meaning mail, srv1, www, etc, and possibly also including titi.org, titi.com, titi.net) and WILDCARD is for *.domain (here the [ * ] meaning mail, srv1, www, etc, but all from the same domain).

I am confused, but on a higher level than before… :slight_smile:

The TLSA record will be for later if possible

All comments and suggestions are highly appreciated,

Michel-André

Has anyone been successfully able to create & authenticate multi users/domains on a single NethServer install? Since SOGo v5 I can create multiple email identity/alias and send/receive as a secondary domain (user1@test.com & user1@example.com) but everything is tied to the primary domain/user that the email identity was created for.

1 Like

Hi all,

The exact error I received from Thunderbird is:
Failed to connect to server …

Michel-André

Yes, I have done it. I have three domains running, corresponding to three different vhosts and mail domains. Each with a few mail users.

How are you defining the unique login credentials for user1@example.com that is different than user1@test.com on the same Nethserver host?

Hi Royce,

As far as I know with NethServer, the names are different but the password is/are the same one.

Michel-André

That was my most important hint from @Andy_Wismer:

…my Candidate for the Hall of Fame

2 Likes