I don't recall why, but years ago I was told by an email server vendor that it was better to not use a subdomain for an email server. Taking this advice, I have always used “domain.com” instead of “mail.domain.com”. I have never encountered any major issues but I would like to know what the Astaro/Sophos experts on this forum consider best practices when setting up a Sophos UTM, domains, PTR records, etc.
Below is my current setup:
- Static IP address block from “***.***.***.1” to “***.***.***.5”
- Webserver, FTP server and email server behind the UTM
- Five web domains
- For example: “domain_1.com” through “domain_5.com”.
- There is a “www.domain_*.com” virtual host for each web domain and each has “domain_*.com” as an alias.
- Both my primary domain and SMTP domain are “domain_1.com”.
- My UTM’s host name under ‘Management->System Settings->Hostname’ is “gateway. domain_1.com”.
- The UTM (“gateway.domain_1.com”[[[[[[;)]]]]]], SSL VPN (“vpn. domain_1.com”[[[[[[;)]]]]]], primary domain (“domain_1.com”[[[[[[;)]]]]]], email server (“domain_1.com”[[[[[[;)]]]]]] and FTP server (“ftp.domain_1.com”[[[[[[;)]]]]]] all have the same “A” record which is “***.***.***.1”.
- I know this is not a good thing, but there are currently two PTR records for “***.***.***.1”. They are: “gateway.domain_1.com” and “domain_1.com”.
- “domain_1.com” is the exclusive SMTP domain for all of the domains as indicated in their MX records and the email server’s config. All domains use the same SPF record which is: v=spf1 a mx ip4:***.***.***.1 ptr[:D]omain_1.com mx[:D]omain_1.com –all
- The SPF always seems to pass even though some receiving MTA’s get “gateway.domain_1.com” when they do the RDNS check while others get “domain_1.com”.
- Some of the other domains share a static IP address from the block and some domains have their own.
- I am using the Sophos SMTP Proxy for inbound only.
To be more specific, I would like to know the following about my current setup:
- Do I need a PTR record for the UTM (i.e., “gateway.domain_1.com”[[[[[[;)]]]]]]?
- Should the UTM and mail server share the same domain name since you’re supposed to have only one PTR record per IP address and they both share the same primary IP address?
- Which PTR record should I delete?
- Should my MX records and SPF records point to “domain_1.com” or “gateway.domain_1.com”?
Finally, back to my original question… What’s best practices? Should I use “mail.domain_1.com” for the email server with its own static IP address and use an SNAT so outgoing email does not come from “gateway.domain_1.com”?
Yes, I’m confused [:)]
This thread was automatically locked due to age.
