What's' the best way to set up the UTM, domains and reverse DNS if you have an internal email server? I don't recall why, but years ago I was told by an email server vendor that it was better to not use a subdomain for an email server. Taking this advice, I have always used “domain.com” instead of “mail.domain.com”. I have never encountered any major issues but I would like to know what the Astaro/Sophos experts on this forum consider best practices when setting up a Sophos UTM, domains, PTR records, etc. Below is my current setup: Static IP address block from “***.***.***.1” to “***.***.***.5” Webserver, FTP server and email server behind the UTM Five web domains For example: “domain_1.com” through “domain_5.com”. There is a “www.domain_*.com” virtual host for each web domain and each has “domain_*.com” as an alias. Both my primary domain and SMTP domain are “domain_1.com”. My UTM’s host name under ‘Management->System Settings->Hostname’ is “gateway. domain_1.com”. The UTM (“gateway.domain_1.com&#8221[[[[[[;)]]]]]], SSL VPN (“vpn. domain_1.com&#8221[[[[[[;)]]]]]], primary domain (“domain_1.com&#8221[[[[[[;)]]]]]], email server (“domain_1.com&#8221[[[[[[;)]]]]]] and FTP server (“ftp.domain_1.com&#8221[[[[[[;)]]]]]] all have the same “A” record which is “***.***.***.1”. I know this is not a good thing, but there are currently two PTR records for “***.***.***.1”. They are: “gateway.domain_1.com” and “domain_1.com”. “domain_1.com” is the exclusive SMTP domain for all of the domains as indicated in their MX records and the email server’s config. All domains use the same SPF record which is: v=spf1 a mx ip4:***.***.***.1 ptr[:D]omain_1.com mx[:D]omain_1.com –all The SPF always seems to pass even though some receiving MTA’s get “gateway.domain_1.com” when they do the RDNS check while others get “domain_1.com”. Some of the other domains share a static IP address from the block and some domains have their own. I am using the Sophos SMTP Proxy for inbound only. To be more specific, I would like to know the following about my current setup: Do I need a PTR record for the UTM (i.e., “gateway.domain_1.com&#8221[[[[[[;)]]]]]]? Should the UTM and mail server share the same domain name since you’re supposed to have only one PTR record per IP address and they both share the same primary IP address? Which PTR record should I delete? Should my MX records and SPF records point to “domain_1.com” or “gateway.domain_1.com”? Finally, back to my original question… What’s best practices? Should I use “mail.domain_1.com” for the email server with its own static IP address and use an SNAT so outgoing email does not come from “gateway.domain_1.com”? Yes, I’m confused [:)]

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Best way to setup UTM, domains, DNS

What's' the best way to set up the UTM, domains and reverse DNS if you have an internal email server?

I don't recall why, but years ago I was told by an email server vendor that it was better to not use a subdomain for an email server. Taking this advice, I have always used “domain.com” instead of “mail.domain.com”. I have never encountered any major issues but I would like to know what the Astaro/Sophos experts on this forum consider best practices when setting up a Sophos UTM, domains, PTR records, etc.

Below is my current setup:

Static IP address block from “***.***.***.1” to “***.***.***.5”
Webserver, FTP server and email server behind the UTM
Five web domains
For example: “domain_1.com” through “domain_5.com”.
There is a “www.domain_*.com” virtual host for each web domain and each has “domain_*.com” as an alias.
Both my primary domain and SMTP domain are “domain_1.com”.
My UTM’s host name under ‘Management->System Settings->Hostname’ is “gateway. domain_1.com”.
The UTM (“gateway.domain_1.com&#8221[[[[[[;)]]]]]], SSL VPN (“vpn. domain_1.com&#8221[[[[[[;)]]]]]], primary domain (“domain_1.com&#8221[[[[[[;)]]]]]], email server (“domain_1.com&#8221[[[[[[;)]]]]]] and FTP server (“ftp.domain_1.com&#8221[[[[[[;)]]]]]] all have the same “A” record which is “***.***.***.1”.
I know this is not a good thing, but there are currently two PTR records for “***.***.***.1”. They are: “gateway.domain_1.com” and “domain_1.com”.
“domain_1.com” is the exclusive SMTP domain for all of the domains as indicated in their MX records and the email server’s config. All domains use the same SPF record which is: v=spf1 a mx ip4:***.***.***.1 ptr[:D]omain_1.com mx[:D]omain_1.com –all
The SPF always seems to pass even though some receiving MTA’s get “gateway.domain_1.com” when they do the RDNS check while others get “domain_1.com”.
Some of the other domains share a static IP address from the block and some domains have their own.
I am using the Sophos SMTP Proxy for inbound only.

To be more specific, I would like to know the following about my current setup:

Do I need a PTR record for the UTM (i.e., “gateway.domain_1.com&#8221[[[[[[;)]]]]]]?
Should the UTM and mail server share the same domain name since you’re supposed to have only one PTR record per IP address and they both share the same primary IP address?
Which PTR record should I delete?
Should my MX records and SPF records point to “domain_1.com” or “gateway.domain_1.com”?

Finally, back to my original question… What’s best practices? Should I use “mail.domain_1.com” for the email server with its own static IP address and use an SNAT so outgoing email does not come from “gateway.domain_1.com”?

Yes, I’m confused [:)]

This thread was automatically locked due to age.

Parents

0 BAlfson over 10 years ago

Jeffshead, I think Barry meant to point you at Exchange with SMTP Proxy for a basic idea of how to configure inside the UTM.

If using the UTM as the primary MTA, I usually name it mail.domain.com. In public DNS, I create an A-record for mail -> 50.72.95.129 and an MX-record with priority 10 -> mail.domain.com. I then have the ISP create a PTR record '129.95.72.50.in-addr.arpa -> mail.domain.com'.

I also like to use SPF and DKIM, but that's likely overkill for smaller organizations.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 10 years ago

Jeffshead, I think Barry meant to point you at Exchange with SMTP Proxy for a basic idea of how to configure inside the UTM.

If using the UTM as the primary MTA, I usually name it mail.domain.com. In public DNS, I create an A-record for mail -> 50.72.95.129 and an MX-record with priority 10 -> mail.domain.com. I then have the ISP create a PTR record '129.95.72.50.in-addr.arpa -> mail.domain.com'.

I also like to use SPF and DKIM, but that's likely overkill for smaller organizations.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data

Best way to setup UTM, domains, DNS

Submitted a Tech Support Case lately from the Support Portal?