
this is my first question here, so don't kill me if it sounds stupid.

I don't know much about server administration, that's why we booked a managed server to host our clients.

So far we have been able to set up most of it, but I am concerned about the mailserver setup.

We are unable to change the reverse DNS of the server. It uses a generic name such as xxx.yourserver.com and I am worried that the generic reverse DNS will lead to email rejections due to bad reputation, as so many people are using the same reverse DNS.

We do have our own dedicated IP address and the option to book more.

I have seen that some agencies change the reverse DNS to something like isp.agencyname.com and they also have the mailserver for clients set up like this: mail.clientdomain.com

I'm wondering how the hostname, reverse DNS and mailserver actually work together and how to set them up to work in harmony.

I've tried to set the mailserver for client domains to mail.clientdomain.com, but then I had a mismatch with the hostname and the certificate name since the two are different. Also, Plesk comes with a self-generated certificate by RapidSSL for the hostname. Can I keep it, or do I have to purchase my own certificate to ensure reliable transmission of email?

How can I achieve a reliable Mailserver setup for my clients?

Thanks so much for your help


I am racking my brain around this for some time now too. Any suggestions or corrections are very welcome.

In the following examples I will refer to xxx.yourdomain.com as hostname.yourdomain.com, because the PTR (reverse DNS record) should point to the hostname on any host, regardless of whether the host has a mailserver running.

Forward zone yourdomain.com:

yourdomain.com.   IN    MX    10 hostname
hostname          IN    A     1.2.3.4

The MX record should point to the host that will be serving mail for yourdomain.com. In your case this is probably a pointer to itself, if you serve mail by the mailserver running on that host. The hostname must point to an A or AAAA record. The host where the MX is pointing to must always be an A or AAAA record and never an alias with CNAME.

The reverse dns record should point to your hostname.

1.2.3.4    -->    hostname.yourdomain.com.

Forward zone clientdomain.com:

clientdomain.com.   IN    MX     10 hostname.yourdomain.com.
mail                IN    CNAME  hostname.yourdomain.com.

The MX record should point to the hostname of your server, which will be serving mail for clientdomain.com. The subdomain mail here just serves as an alias to your mailserver host.

The mailserver running on host hostname.yourdomain.com should always advertise itself with its hostname in the SMTP dialog. Many mailservers will make a reverse DNS lookup and check if the IP address points to the same hostname as advertised by your mailserver.

Basically it would be sufficient to have a mailserver certificate with hostname.yourdomain.com as CN name. But if you want your clients to be able to also connect to your mailserver via mail.clientdomain.com, then this domain must be contained in the certificate as subjectAltName. Any commercial CA should be able to do this. As a free alternative you can use Let's Encrypt, where you are able to use up to 100 (at the moment of writing) subjectAltNames per certificate.

rda
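An added example, not from the answer above: a small Python checker, run against constructed zone data rather than live DNS, for the consistency rules the answer lays out (MX targets must be A/AAAA and never a CNAME; the PTR must name the host the mailserver advertises in HELO, and that name must resolve back to the IP; the certificate must cover every name clients connect with). The hostnames and the address 1.2.3.4 are the answer's examples; the zone dictionary and the function names are assumptions of this example.

```python
from collections.abc import Mapping

# Constructed in-memory zone data mirroring the answer's two forward zones
# plus the reverse zone for 1.2.3.4 (constructed sample, not live DNS).
GOOD_ZONE = {
    ("yourdomain.com.", "MX"): [(10, "hostname.yourdomain.com.")],
    ("hostname.yourdomain.com.", "A"): ["1.2.3.4"],
    ("clientdomain.com.", "MX"): [(10, "hostname.yourdomain.com.")],
    ("mail.clientdomain.com.", "CNAME"): ["hostname.yourdomain.com."],
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["hostname.yourdomain.com."],
}

def lookup(zone: Mapping, name: str, rtype: str) -> list:
    """Return the records of one type at one name (empty list if none)."""
    return list(zone.get((name, rtype), []))

def ptr_name(ipv4: str) -> str:
    """Build the in-addr.arpa name used for the reverse (PTR) lookup."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."

def check_mx_targets(zone: Mapping, domain: str) -> list:
    """Every MX target must have an A/AAAA record and must not be a CNAME."""
    problems = []
    for _prio, target in lookup(zone, domain, "MX"):
        if lookup(zone, target, "CNAME"):
            problems.append(f"MX target {target} is a CNAME")
        if not (lookup(zone, target, "A") or lookup(zone, target, "AAAA")):
            problems.append(f"MX target {target} has no A/AAAA record")
    return problems

def check_fcrdns(zone: Mapping, ip: str, helo_name: str) -> list:
    """Forward-confirmed reverse DNS: PTR names the HELO host, which resolves back."""
    problems = []
    ptrs = lookup(zone, ptr_name(ip), "PTR")
    if helo_name not in ptrs:
        problems.append(f"PTR for {ip} is {ptrs}, but HELO advertises {helo_name}")
    if ip not in lookup(zone, helo_name, "A"):
        problems.append(f"{helo_name} does not resolve back to {ip}")
    return problems

def check_cert_names(cert_names, required) -> list:
    """Names (CN/SAN) missing from the certificate that clients will connect with."""
    return [n for n in required if n not in set(cert_names)]

if __name__ == "__main__":
    for domain in ("yourdomain.com.", "clientdomain.com."):
        print(domain, check_mx_targets(GOOD_ZONE, domain))
    print(check_fcrdns(GOOD_ZONE, "1.2.3.4", "hostname.yourdomain.com."))
    print(check_cert_names({"hostname.yourdomain.com"},
                           ["hostname.yourdomain.com", "mail.clientdomain.com"]))
```

Pointing a client MX at the CNAME mail.clientdomain.com, or advertising that alias in HELO, is reported as a problem by these checks; the setup from the answer passes cleanly.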