
I've setup a VPS server with multiple domains all pointing to the same server.

The multiple domains are:

www.maindomain.com
www.seconddomain.com
etc.

For the main domain i've disabled the mail server because for the domain maindomain.com I use Office 365. In regards to the mail settings I've setup the dns for maindomain.com as following:

@     A      'IP address'
@     MX     0 maindomain-com01c.mail.protection.outlook.com.
mail  CNAME  @

For the domain maindomain.com i've purchased a wildcard SSL certificate that i've installed (and assigned to the domain maindomain.com) and have installed for the mail server (Postfix) and the IMAP server (Dovecot).

What I would like to achieve is that on the client side the server setting for both incoming and outgoing mail is 'mail.maindomain.com', so I only have to buy one SSL certificate for my mail server instead of individual SSL certificates for every single domain.

The second domain: www.seconddomain.com has the following mail DNS settings:

@     A      'IP address'
@     MX     10 mail.maindomain.com

I'm having doubts if this is the correct approach since www.maindomain.com only has an MX record for the Office365 settings. Is it then still possible to point all the other domains to mail.maindomain.com as mail server, given that I've disabled the mail server for www.maindomain.com?

UPDATE 14-07

Thank you for all your answers. However I still have a problem to get this setup to work with my DNS settings.

With the following settings everything works fine (without SSL):

maindomain.com DNS settings

@       5 min   A       37.97.193.145
@       5 min   MX      0 maindomain-nl01c.mail.protection.outlook.com.
@       5 min   TXT     v=spf1 include:spf.protection.outlook.com –all
server1 5 min   CNAME   @

seconddomain.com DNS settings

@       5 min   A       37.97.193.145
@       5 min   MX      10 mail
@       5 min   TXT     v=spf1 a mx ip4:37.97.193.145 –all
server1 5 min   CNAME   @

So this is the DNS setup I use currently, which works perfectly. I can send mail to both Hotmail and Google e-mail addresses and can receive mail. The mail server in Plesk is disabled for maindomain.com and activated for seconddomain.com. In Outlook I use server1.seconddomain.com as mail server.

The DNS setup below I want to use so server1.maindomain.com is used as mailserver for seconddomain.com:

maindomain.com DNS settings

@       5 min   A       37.97.193.145
@       5 min   MX      0 maindomain-nl01c.mail.protection.outlook.com.
@       5 min   TXT     v=spf1 include:spf.protection.outlook.com –all
server1 5 min   CNAME   @

seconddomain.com DNS settings

@       5 min   A       37.97.193.145
@       5 min   MX      10 server1.maindomain.com.
@       5 min   TXT     v=spf1 a mx ip4:37.97.193.145 –all
server1 5 min   CNAME   @

With this setup I still have the mailserver deactivated for maindomain.com (because I use Office 365 for maindomain.com) and have the mail server activated for seconddomain.com. In Outlook I use server1.maindomain.com as mailserver.

Mail sent from Outlook with server1.seconddomain.com with the above setup is received as spam in both Hotmail and Gmail (without SSL active).

I also ran some diagnostics on MX toolbox, and with this setup it is saying that Google is the mail server for server1.maindomain.com. I don't get any other errors (relay server is also server1, which is also the name of the server). Testing with mail-tester.com everything comes out fine as well, as does testing whether the SSL certificate is working correctly and pointing to the right mail server.

I think the problem is that seconddomain.com is referring to the mailserver of maindomain.com (it needs to because in the future I want to use the SSL certificate from maindomain.com) but then it is sending e-mail with Outlook. Is that correct? And if so how can I correct this?

UPDATE 19-07

As stated below, I changed the MX record to the domain name instead of the CNAME of the main domain:

@ 5 min MX 10 maindomain.com.

The weird thing is that this still doesn't fix the problem. However, I did find out that not every Gmail address receives the mail as spam. I did the following send tests:

info@[workdomain].nl Received test mail as spam
jarno@[workdomain].nl Received test mail in inbox
[personal]@gmail.com Received test mail as spam

I edited out some information because of privacy. All domains are hosted by Google Apps. So the weird thing is that two e-mail addresses on the same domain (stated as [workdomain]) receive the e-mail differently: one receives the mail as spam and the other one in the inbox.

I also tested the 'spamminess' of my mails with the online mail-tester tool. See the link below for a report:

https://www.mail-tester.com/web-dyZFsW

Drifter104
  • I believe Plesk and such things are off-topic, but your problem is not really with Plesk as far as I can see. You should give the real domains so that we can help you better. For instance, are you really sending mail to addresses `@www.seconddomain.com` and not `@seconddomain.com`? "With SSL it still doesn't work" is not a useful diagnostic, there are too many variables (TTL, for instance). – Law29 Jul 07 '16 at 22:05
  • SSL isn't required for email, though it can be used to theoretically increase security in transport. Email is a commodity service, you're better off hosting it externally, in the same place as you host your other domains. Sometimes this can be done on the same account to save money. – Tim Jul 07 '16 at 22:13
  • I understand that my diagnostic in regards to the SSL connection not working doesn't tell you much. My intention was not to get that error fixed with this question but to learn if it is the correct approach to refer to the 'maindomain' server by using '10 mail.maindomain.com' as mx record and still use the Office365 MX record in the DNS settings for 'maindomain.com'. – TheGloaming Jul 07 '16 at 22:19
  • @Tim I do host everything externally on the same VPS. I also register my domains at the same place where I rent my VPS. However I want the best DNS setup (with only one server) so I only have to use one SSL certificate. My doubts are if this is possible when the mail server (maindomain.com) is using Office365 as MX records. – TheGloaming Jul 07 '16 at 22:24
  • Use free Let's Encrypt certificates and your stated problem goes away. However your MX records expose your source IP, which typically is good to hide behind a CDN. Having hosted email is usually cheap and much easier than running your own server. I believe the MX record can be any IP address or domain name, so I suspect the answer to your question is yes you can do this. Do you specifically need SSL mail delivery? While good it's still unusual. – Tim Jul 07 '16 at 22:40

3 Answers


Your approach is indeed possible and is often used by hosting companies.

You see mail servers like mail01.hosting-company.com, which supports SSL. Domains that have their mail handled by that same server can also have mail subdomains pointing to the IP address of mail01.hosting-company.com, but they won't be able to support SSL over POP/IMAP/SMTP. So while all mail subdomains point to the same server, only one can support SSL.

Email clients can then be configured to connect to mail01.hosting-company.com using SSL or to mail.any-domain.com not using SSL.

Robin
  • Thank you for you answer. I've updated my question because it is still not working correctly. Maybe you can point me in the right direction? Thank you. – TheGloaming Jul 14 '16 at 11:11

Yes, it is possible (protocol-authorized and will work as expected) to have

  1. one SSL certificate for *.maindomain.com
  2. mail for @maindomain.com sent to Office365 by setting maindomain.com IN MX 0 maindomain-com01c.mail.protection.outlook.com., which can protect mail with TLS by using a certificate for that MX
  3. mail for other domains such as seconddomain.com sent to mail.maindomain.com, which can protect mail with TLS by using the certificate from 1. EDIT: however an MX cannot point to a CNAME. You need either to define mail.maindomain.com with the A address only, or else you define seconddomain.com IN MX 0 maindomain.com

In other words, the SSL certificate is for the MX host name and need have no relation to the domain name in the e-mail address.

Note: security-wise this leaves a problem: you can be "certain" that you are conversing with maindomain-com01c.mail.protection.outlook.com, but how can you be certain that that server is the one you are supposed to give maindomain.com mail to? That problem is covered by another system called DNSSEC.

Note 2: you don't have to use "mail.maindomain.com" either; you can use anything at all, such as "mailforseconddomain.maindomain.com" or "foo.maindomain.com".

Law29
  • Thank you for your answer. I updated my question with my current DNS setup and the DNS setup that I tested but is not working correctly. Does this have to do with the security problem you addressed in your answer? – TheGloaming Jul 14 '16 at 11:13
  • @TheGloaming Your problem may be that the MX of seconddomain.com is server1.maindomain.com, which is a CNAME, and "MX points to CNAME" is not allowed. Edited my answer accordingly. Replace `@ 5 min MX 10 server1.maindomain.com.` by `@ 5 min MX 10 maindomain.com.` – Law29 Jul 14 '16 at 18:25
  • I've updated my question in regards to the change in MX record (this did not fix the problem unfortunately). – TheGloaming Jul 19 '16 at 14:25
  • Your update is the first time you refer to your problem as being tagged as spam (didn't see the update from the 14th). Being tagged spam by Gmail is a **totally** different problem from not getting SSL certificates to work! – Law29 Jul 19 '16 at 19:09

As noted by @Law29:

MX may not point to a CNAME: https://en.wikipedia.org/wiki/CNAME_record#Restrictions

MX and NS records must never point to a CNAME alias (RFC 2181 section 10.3).
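An offline check of the two points the previous two answers make (an MX must not target a CNAME, and the certificate is matched against the MX host name, not the mail domain), written as added example code that is not from the original post. The zone data is constructed from the asker's updates, and the `fixed_zone` options are Law29's two suggested fixes; wildcard matching follows the usual one-label rule, so it also shows which fix keeps the `*.maindomain.com` certificate usable for the MX host.

```python
import copy

# Constructed zone data mirroring the asker's 19-07 layout: seconddomain.com's MX
# points at server1.maindomain.com, which is a CNAME for the apex (the RFC 2181
# section 10.3 problem). Not a live zone; values are taken from the question.
ZONE = {
    ("maindomain.com.", "A"): "37.97.193.145",
    ("maindomain.com.", "MX"): [(0, "maindomain-nl01c.mail.protection.outlook.com.")],
    ("server1.maindomain.com.", "CNAME"): "maindomain.com.",
    ("seconddomain.com.", "A"): "37.97.193.145",
    ("seconddomain.com.", "MX"): [(10, "server1.maindomain.com.")],
}
CERT_NAMES = ["*.maindomain.com"]  # the purchased wildcard certificate

def mx_status(zone, domain):
    """Classify each MX target of `domain`: 'cname' (forbidden by RFC 2181),
    'ok' (has an A record) or 'external' (not present in this zone data)."""
    out = []
    for _pref, host in sorted(zone.get((domain, "MX"), [])):
        if (host, "CNAME") in zone:
            out.append((host, "cname"))
        elif (host, "A") in zone:
            out.append((host, "ok"))
        else:
            out.append((host, "external"))
    return out

def cert_covers(cert_names, host):
    """Wildcard match the way TLS clients do it: '*' stands for exactly one leftmost
    label, so *.maindomain.com covers server1.maindomain.com but not the bare apex."""
    host = host.rstrip(".").lower()
    for name in cert_names:
        name = name.rstrip(".").lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".maindomain.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif name == host:
            return True
    return False

def fixed_zone(zone, option):
    """Apply one of the two fixes to a copy of the zone: 'apex' repoints the MX at
    maindomain.com.; 'a_record' replaces the server1 CNAME with a plain A record."""
    z = copy.deepcopy(zone)
    if option == "apex":
        z[("seconddomain.com.", "MX")] = [(10, "maindomain.com.")]
    elif option == "a_record":
        del z[("server1.maindomain.com.", "CNAME")]
        z[("server1.maindomain.com.", "A")] = "37.97.193.145"
    return z

def report(zone, cert_names, domain):
    """Per MX host of `domain`: (host, RFC 2181 status, covered by the certificate?)."""
    return [(h, s, cert_covers(cert_names, h)) for h, s in mx_status(zone, domain)]
```

The 'apex' fix clears the CNAME problem but leaves the MX host outside the wildcard's coverage, while the 'a_record' fix does both.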