SPF and TXT Record IP
- MyIgel
- Closed
- Thread is marked as Resolved.
My server has several IPs, one for administration (server IP) and several for the domains. An nslookup on the domain shows the server IP as an additional entry in the SPF and TXT records. How can I prevent the server IP from showing up in the NS records alongside the domain IP?

Hello;
First, please note that many changes were made in Git Master. The following information is based on Git Master.
In the latest Git Master, the base server IP is used as IP source for the outbound mails. So you cannot hide it. If you use another IP, some of your mail will be rejected by receivers which check the SPF records.
Another solution is to have a dedicated IP for i-MSCP (base server IP). This IP must have a correct reverse DNS which matches the server hostname. This IP is added in all zones for the mail server entry, such as:
domain.tld zone:
```
$ORIGIN .
$TTL 10800 ; 3 hours
domain.tld              IN SOA  ns1.domain.tld. postmaster.domain.tld. (
                                2013122901 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.domain.tld.
                        A       192.168.5.121
                        MX      10 mail.domain.tld.
                        TXT     "v=spf1 a mx -all"
                        SPF     "v=spf1 a mx -all"
$ORIGIN domain.tld.
ftp                     CNAME   domain.tld.
imap                    CNAME   mail
mail                    A       192.168.5.122
ns1                     A       192.168.5.121
pop                     CNAME   mail
pop3                    CNAME   mail
relay                   CNAME   mail
smtp                    CNAME   mail
sub                     A       192.168.5.121
                        MX      10 mail
                        TXT     "v=spf1 include:domain.tld -all"
                        SPF     "v=spf1 include:domain.tld -all"
$ORIGIN sub.domain.tld.
ftp                     CNAME   sub.domain.tld.
www                     CNAME   sub.domain.tld.
$ORIGIN domain.tld.
www                     CNAME   domain.tld.
```
Here the 192.168.5.122 is the base server IP, which is used as IP source for outbound mails:
Postfix main.cf file:
```
cat /etc/postfix/main.cf
# Postfix directory settings; These are critical for normal Postfix MTA functionality
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
# Some common configuration parameters
inet_protocols = ipv4
inet_interfaces = all
mynetworks_style = host
# IPv4 source for outbound mails
smtp_bind_address = 192.168.5.122
# IPv6 source for outbound mails
#smtp_bind_address6 =
myhostname = wheezy.nuxwin.com
mydomain = wheezy.nuxwin.com.local
myorigin = $myhostname
smtpd_banner = $myhostname ESMTP i-MSCP Git Master Managed
setgid_group = postdrop
# Receiving messages parameters
mydestination = $myhostname, $mydomain
append_dot_mydomain = no
append_at_myorigin = yes
local_transport = local
transport_maps = hash:/etc/postfix/imscp/transport
relay_domains = hash:/etc/postfix/imscp/relay_domains
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Delivering local messages parameters
mail_spool_directory = /var/mail
# Mailboxquota
# => 0 for unlimited
# => 104857600 for 100 MB
mailbox_size_limit = 0
mailbox_command = procmail -a "$EXTENSION"
# Message size limit
# => 0 for unlimited
# => 104857600 for 100 MB
message_size_limit = 0
biff = no
recipient_delimiter = +
local_destination_recipient_limit = 1
local_recipient_maps = unix:passwd.byname $alias_database
# i-MSCP Autoresponder parameters
imscp-arpl_destination_recipient_limit = 1
# Delivering virtual messages parameters
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_limit = 0
virtual_mailbox_domains = hash:/etc/postfix/imscp/domains
virtual_mailbox_maps = hash:/etc/postfix/imscp/mailboxes
virtual_alias_maps = hash:/etc/postfix/imscp/aliases
virtual_minimum_uid = 999
virtual_uid_maps = static:999
virtual_gid_maps = static:8
# SASL parameters
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_mynetworks,
    permit_sasl_authenticated
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:12525,
    check_policy_service inet:127.0.0.1:10023,
    permit
smtpd_data_restrictions = reject_multi_recipient_bounce,
    reject_unauth_pipelining
# TLS parameters
#smtpd_tls_security_level = may
#smtpd_tls_loglevel = 2
#smtpd_tls_cert_file = /etc/imscp/wheezy.nuxwin.com.pem
#smtpd_tls_key_file = /etc/imscp/wheezy.nuxwin.com.pem
#smtpd_tls_auth_only = no
#smtpd_tls_received_header = yes
#smtp_tls_security_level = may
#smtp_tls_loglevel = 2
#smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
virtual_transport = maildrop
maildrop_destination_concurrency_limit = 2
maildrop_destination_recipient_limit = 1
# Added by Plugins::Postfix::Smarthost
relayhost=mail.nuxwin.com:587
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/relay_passwd
smtp_sasl_security_options=noanonymous
```
Note: In the near future, it will be possible to set up a specific IP for outbound mail instead of the base server IP. Also, the dual protocol (ipv4/ipv6) will be implemented officially.
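The SPF behaviour described in the answer above, as an added example that is not part of the original post or of i-MSCP: a small evaluator for the `a`, `mx`, `include` and `all` mechanisms, run against records copied from the zone and the `smtp_bind_address` line shown above. The address 192.168.5.123 and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed from the zone shown above: owner name -> record type -> values.
ZONE = {
    "domain.tld": {"A": ["192.168.5.121"], "MX": ["mail.domain.tld"],
                   "TXT": ["v=spf1 a mx -all"]},
    "mail.domain.tld": {"A": ["192.168.5.122"]},
    "sub.domain.tld": {"A": ["192.168.5.121"], "MX": ["mail.domain.tld"],
                       "TXT": ["v=spf1 include:domain.tld -all"]},
}
MAIN_CF = "inet_protocols = ipv4\nsmtp_bind_address = 192.168.5.122\n"
OTHER_IP = "192.168.5.123"  # constructed: an address the zone does not publish
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def bind_address(main_cf):
    """Return the smtp_bind_address value from main.cf text, or None."""
    for line in main_cf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "smtp_bind_address":
            return value.strip()
    return None

def addresses(name):
    return {ipaddress.ip_address(a) for a in ZONE.get(name, {}).get("A", [])}

def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the sending address `ip`."""
    if depth > 10:  # simple guard against include loops
        return "permerror"
    records = [t for t in ZONE.get(domain, {}).get("TXT", [])
               if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "permerror" if records else "none"
    ip = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in addresses(arg or domain)
        elif mech == "mx":
            hosts = ZONE.get(arg or domain, {}).get("MX", [])
            matched = any(ip in addresses(h) for h in hosts)
        elif mech == "include":  # simplified: only a nested "pass" matches
            matched = check_spf(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

With this zone, the bound address passes through the `mx` mechanism, while a source address that is neither the `A` nor the `MX` target ends at `-all`.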
Ok, thank you for your answer, so I'm waiting for the next release.
Thank you for your work on this really nice server CP!