What's' the best way to set up the UTM, domains and reverse DNS if you have an internal email server? I don't recall why, but years ago I was told by an email server vendor that it was better to not use a subdomain for an email server. Taking this advice, I have always used “domain.com” instead of “mail.domain.com”. I have never encountered any major issues but I would like to know what the Astaro/Sophos experts on this forum consider best practices when setting up a Sophos UTM, domains, PTR records, etc. Below is my current setup: Static IP address block from “***.***.***.1” to “***.***.***.5” Webserver, FTP server and email server behind the UTM Five web domains For example: “domain_1.com” through “domain_5.com”. There is a “www.domain_*.com” virtual host for each web domain and each has “domain_*.com” as an alias. Both my primary domain and SMTP domain are “domain_1.com”. My UTM’s host name under ‘Management->System Settings->Hostname’ is “gateway. domain_1.com”. The UTM (“gateway.domain_1.com&#8221[[[[[[;)]]]]]], SSL VPN (“vpn. domain_1.com&#8221[[[[[[;)]]]]]], primary domain (“domain_1.com&#8221[[[[[[;)]]]]]], email server (“domain_1.com&#8221[[[[[[;)]]]]]] and FTP server (“ftp.domain_1.com&#8221[[[[[[;)]]]]]] all have the same “A” record which is “***.***.***.1”. I know this is not a good thing, but there are currently two PTR records for “***.***.***.1”. They are: “gateway.domain_1.com” and “domain_1.com”. “domain_1.com” is the exclusive SMTP domain for all of the domains as indicated in their MX records and the email server’s config. All domains use the same SPF record which is: v=spf1 a mx ip4:***.***.***.1 ptr[:D]omain_1.com mx[:D]omain_1.com –all The SPF always seems to pass even though some receiving MTA’s get “gateway.domain_1.com” when they do the RDNS check while others get “domain_1.com”. Some of the other domains share a static IP address from the block and some domains have their own. I am using the Sophos SMTP Proxy for inbound only. To be more specific, I would like to know the following about my current setup: Do I need a PTR record for the UTM (i.e., “gateway.domain_1.com&#8221[[[[[[;)]]]]]]? Should the UTM and mail server share the same domain name since you’re supposed to have only one PTR record per IP address and they both share the same primary IP address? Which PTR record should I delete? Should my MX records and SPF records point to “domain_1.com” or “gateway.domain_1.com”? Finally, back to my original question… What’s best practices? Should I use “mail.domain_1.com” for the email server with its own static IP address and use an SNAT so outgoing email does not come from “gateway.domain_1.com”? Yes, I’m confused [:)]

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Best way to setup UTM, domains, DNS

What's' the best way to set up the UTM, domains and reverse DNS if you have an internal email server?

I don't recall why, but years ago I was told by an email server vendor that it was better to not use a subdomain for an email server. Taking this advice, I have always used “domain.com” instead of “mail.domain.com”. I have never encountered any major issues but I would like to know what the Astaro/Sophos experts on this forum consider best practices when setting up a Sophos UTM, domains, PTR records, etc.

Below is my current setup:

Static IP address block from “***.***.***.1” to “***.***.***.5”
Webserver, FTP server and email server behind the UTM
Five web domains
For example: “domain_1.com” through “domain_5.com”.
There is a “www.domain_*.com” virtual host for each web domain and each has “domain_*.com” as an alias.
Both my primary domain and SMTP domain are “domain_1.com”.
My UTM’s host name under ‘Management->System Settings->Hostname’ is “gateway. domain_1.com”.
The UTM (“gateway.domain_1.com&#8221[[[[[[;)]]]]]], SSL VPN (“vpn. domain_1.com&#8221[[[[[[;)]]]]]], primary domain (“domain_1.com&#8221[[[[[[;)]]]]]], email server (“domain_1.com&#8221[[[[[[;)]]]]]] and FTP server (“ftp.domain_1.com&#8221[[[[[[;)]]]]]] all have the same “A” record which is “***.***.***.1”.
I know this is not a good thing, but there are currently two PTR records for “***.***.***.1”. They are: “gateway.domain_1.com” and “domain_1.com”.
“domain_1.com” is the exclusive SMTP domain for all of the domains as indicated in their MX records and the email server’s config. All domains use the same SPF record which is: v=spf1 a mx ip4:***.***.***.1 ptr[:D]omain_1.com mx[:D]omain_1.com –all
The SPF always seems to pass even though some receiving MTA’s get “gateway.domain_1.com” when they do the RDNS check while others get “domain_1.com”.
Some of the other domains share a static IP address from the block and some domains have their own.
I am using the Sophos SMTP Proxy for inbound only.

To be more specific, I would like to know the following about my current setup:

Do I need a PTR record for the UTM (i.e., “gateway.domain_1.com&#8221[[[[[[;)]]]]]]?
Should the UTM and mail server share the same domain name since you’re supposed to have only one PTR record per IP address and they both share the same primary IP address?
Which PTR record should I delete?
Should my MX records and SPF records point to “domain_1.com” or “gateway.domain_1.com”?

Finally, back to my original question… What’s best practices? Should I use “mail.domain_1.com” for the email server with its own static IP address and use an SNAT so outgoing email does not come from “gateway.domain_1.com”?

Yes, I’m confused [:)]

This thread was automatically locked due to age.

Parents

0 adhodgson over 10 years ago

Hi,

I would delete the PTR for domain_1.com leaving the gateway.domain_1.com intact. The PTR record needs to match the outgoing ehlo string that the SMTP server sending outbound mail is using.

If you don't use the UTM for outbound mail delivery then a more important question is how is the NAT set up on the UTM for outbound traffic, and how are you using the other IP addresses in your public block?

What mail server are you using internally and also what is its hostname, do you have any custom settings so it sends out a different ehlo string? Is there any reason you can't use the UTM for outbound mail as well?

Thanks.
Andrew.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 adhodgson over 10 years ago

Hi,

I would delete the PTR for domain_1.com leaving the gateway.domain_1.com intact. The PTR record needs to match the outgoing ehlo string that the SMTP server sending outbound mail is using.

If you don't use the UTM for outbound mail delivery then a more important question is how is the NAT set up on the UTM for outbound traffic, and how are you using the other IP addresses in your public block?

What mail server are you using internally and also what is its hostname, do you have any custom settings so it sends out a different ehlo string? Is there any reason you can't use the UTM for outbound mail as well?

Thanks.
Andrew.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data

Best way to setup UTM, domains, DNS

Submitted a Tech Support Case lately from the Support Portal?