NetBSD-Users archive


Re: postfix for 2 domains on 1 vps 1 ip



Mayuresh wrote:
> On Fri, Jan 01, 2021 at 09:53:13AM -0600, Edgar Pettijohn wrote:
> > If you set up spf, dkim, and dns correctly you shouldn't have any issues.
> 
> How exactly - meaning if these are set reverse dns check is not applied by
> peers or does it mean these mechanisms deal with multiple reverse map as
> desired?

SPF identifies authorized IP addresses for domains in the message
envelope.  Therefore the reverse DNS pointer record does not matter in
this.  The hostname does not matter.  Only the IP address as indicated
through a DNS response.  This is an anti-forgery protection.  This has
been a de facto standard requirement for all SMTP host sites for some
years now.  Must have valid SPF records.  However I do know of small
low activity sites that still do not implement this and squeeze by
depending upon the nebulous value of the sending host's "IP reputation
score".

    https://en.wikipedia.org/wiki/Sender_Policy_Framework

DKIM signs based upon the sending domain name in the message header
and is not concerned about IP addresses.  This is a "newish" de facto
standard that is now required for all SMTP host sites.  Required
because Google and Yahoo pretty much require it.  They will accept
mail without it but then score this such that it is mostly delivered
only to the user's Junk folder.  Therefore you will want it.  This is
an anti-forgery protection.

    https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

Reverse DNS is the oldest validation that checks that a sending host
identifies its own FQDN, which is looked up to an IP address with
normal forward DNS, which is then looked up to an FQDN with reverse
DNS, which must match the original name.  This is done under the idea
that valid SMTP sites are using static IP address assignments and have
control of their DNS, since spammer sites most often did not have a
static IP assignment and did not have control of their DNS.  This is
an anti-forgery protection.  These assumptions have been called into
question in recent years.

    https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

Additionally there is DMARC which is the latest layer of email
authentication.  This is an anti-forgery protection.  Strict DMARC
places a requirement that messages pass DKIM and SPF and that the
message From: address matches.  Strict DMARC is very useful for banks,
financial institutions, and other organizations that need to prevent
abuses such as phishing emails forging them.  However none of those
sites typically participate in mailing lists and other related
situations.  My opinion is that strict DMARC is inappropriate for
personal email which is expected to communicate with others in mailing
lists and with people who may themselves be forwarding them email
through to their own mailbox provider at a different site.  Because
strict DMARC is specifically designed to block all of that.

    https://en.wikipedia.org/wiki/DMARC

All of this is probably too much information and too much detail.
Sorry.  But such are the requirements of being a mail operator these
days.  Every decade things get twice as complicated as they were in
the previous as additional layers are added and eventually become
required by fait accompli by the large mailbox providers such as
Google and the others.

Bob
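The forward/reverse lookup chain described in the reply above, as an added Python example that is not part of this thread; the host names, addresses and the in-memory resolver are constructed stand-ins for real DNS, and the "two domains on one IP" records mirror the situation the original question asks about:

```python
"""Forward-confirmed reverse DNS (FCrDNS) check: announced name -> A -> PTR.
The resolver is injected so the check runs offline against constructed
records; a real resolver (e.g. wrappers around socket.gethostbyname and
socket.gethostbyaddr) can be passed in the same (forward, reverse) shape."""
from typing import Callable, Dict, List, Tuple

# Constructed sample DNS data (hypothetical names, documentation-range IPs).
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "mail.example.org": ["192.0.2.10"],
    "mail.example.net": ["192.0.2.10"],      # second domain, same VPS IP
    "dynamic.example.com": ["198.51.100.7"],
}
SAMPLE_REVERSE: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.org"],      # one IP carries one PTR name
    # 198.51.100.7 deliberately has no PTR record at all
}

Resolver = Tuple[Callable[[str], List[str]], Callable[[str], List[str]]]


def sample_resolver() -> Resolver:
    """Offline resolver over the constructed records above."""
    return (lambda name: SAMPLE_FORWARD.get(name.lower().rstrip("."), []),
            lambda ip: SAMPLE_REVERSE.get(ip, []))


def fcrdns_check(helo_name: str, resolver: Resolver) -> Tuple[bool, str]:
    """Return (passed, reason).  Steps as described in the reply:
    1. forward-resolve the name the sending host announced,
    2. reverse-resolve each resulting IP address,
    3. require that a PTR name equals the announced name."""
    forward, reverse = resolver
    name = helo_name.lower().rstrip(".")
    addrs = forward(name)
    if not addrs:
        return False, f"{name}: no A record"
    seen: List[str] = []
    for ip in addrs:
        ptrs = [p.lower().rstrip(".") for p in reverse(ip)]
        if not ptrs:
            return False, f"{ip}: no PTR record"
        if name in ptrs:
            return True, f"{name} -> {ip} -> {name}"
        seen.extend(ptrs)
    return False, f"{name} -> {addrs} -> PTR {seen} (mismatch)"


if __name__ == "__main__":
    for helo in ("mail.example.org", "mail.example.net", "dynamic.example.com"):
        print(helo, fcrdns_check(helo, sample_resolver()))
```

With these records only the host that announces the name the PTR actually returns passes; the second domain's mail fails the check unless that host announces the same canonical name, which is why a single IP with a single PTR wants one HELO name regardless of which domain's mail it sends.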

