Hi, looking to downsize my dedicated server to cloud server, my sites are not busy and dedicated server is overkill, except for memory.
The mail server with spammassin uses plenty of memory, and cloud server with enough memory for all services cost nearly as much dedicated i am using, so i am thinking of putting mail server on its own cloud server which would work out much cheaper.
How difficult is it to setup HestiaCP with mail service on different server, are there any issues?
thanks
Hestia works fine with a dedicated mail server. Make sure to install MariDB, PHP and Nginx if you still want to use webmail.
For SSL generation nginx is always requiredā¦
Thatās the way I use hestiaCP
I have one server for email+DNS
I have N servers for web
If a site gets hacked, it doesnāt affect email delivered and soā¦
You also get less hacking attempts.
Just a questionā¦ If you have a server with the web pages (with the domains domain1.com, domain2.comā¦ etc), and the email server is on another serverā¦ What domain do you have to set on email server? domain1.com, domain2.com or servermail.com and use it as smtp relay?
In the first case I have doubts about how to manage the letās encrypt certificates on two different servers, in the second I donāt know how to configure dkim, dmarc and if it can give an error because the web domain and the email domain do not match.
thank you
Web server: web01.mycompany.com
Email server: mail01.mycompany.com
Clients domains
client001.com
client002.com
client003.com
The LE certificates are for different Subdomains.
This is the standard way to go, no errors on dmarc or dkim expected.
If you want your web server to send emails you have to configure PTR to allow web01.mycompany.com to send emails as client001.com
EDIT: I mean SPF. The PTR is only if you own the IP.
The client can also use the name mail.client.com for sending SMTP emails, and webmail.client.com to connect to webmail. Provided of course that there are the A records pointing to the IP of the mail server.
Websites on webserver webserver.example.com can be configured to send emails via SMTP, which I believe is the best option. For WordPress you can use an SMTP Plugin.
Some more things you need to configure are MX Record, SPF and DKIM.
"v=spf1 a mx ip4:{IP_OF_WEB_SERVER} -all"./usr/local/hestia/data/users/{USERNAME}/mail/{DOMAIN}.pub and put it in DNS as a TXT record mail._domainkey like this "v=DKIM1; k=rsa; p={LONG_STRING_HERE}".Is there a (known working) workaround for the PTR record? I have my PTR set to host.mydomain.com which is the installation of HestiaCP. I also have setup my MX, SPF and DKIM records exactly as @Felix explained above.
Unfortunately recently Microsoft, Hotmail, Live etc. started to not except e-mails from my server anymore. (All other providers incl. Gmail work without issues.)
For now I had to SMTP-relay through SMTP2GO which works well but if you know of a solution to have āmultipleā PTR records for all clients that would be awesome.
Got a little dkim formatting script I use, which Iāll share here. If you run it with no parameters, it tells you the DKIM status of every domain on the server. If you run it with USER MAILDOMAIN it will check what your record currently is, and what it should be according to Hestia.
#!/bin/bash
# Check for input
if [ -z "$1" ]
then
echo "Call script with USER DOMAIN arguments. Here are the mail domains on this server."
for USER in $( v-list-users plain | awk '{print $1}' )
do
COUNTMAIL=$(v-list-mail-domains $USER plain | awk '{print $1}' | wc -l )
if [[ "$COUNTMAIL" -gt "0" ]]; then
for MDOMAIN in $( v-list-mail-domains $USER plain | awk '{print " " $1}' )
do
DKIMSTATE=$(dig txt +short mail._domainkey.$MDOMAIN)
if [[ "$DKIMSTATE" == "" ]] ; then
STATEMESSAGE="No DKIM for this mail._domainkey.$MDOMAIN"
else
STATEMESSAGE="A DKIM record is set at DNS provider for mail._domainkey.$MDOMAIN"
fi
echo -e "\t $USER \t\t $MDOMAIN \t\t $STATEMESSAGE"
done
fi
done
# We have user and domain
else
echo "Current record (dig +short txt mail._domainkey.$2)"
dig +short txt mail._domainkey.$2
echo ""
echo "Check that the TXT record for mail._domainkey.$2 is:"
v-list-mail-domain-dkim $1 $2 \
| sed '1,/BEGIN PUBLIC KEY/d' | sed '/END PUBLIC KEY/d' \
| tr -d '\n' | sed 's/.*/"v=DKIM1; k=rsa; p=&"\n/'
fi
Thank you
v-list-mail-domain-dkim-dns gives the DNS record you need to add
WoW! Nice! 
I didnāt know about that command.
Hah, me too! Probably wouldnāt have spent time writing a script to do it if Iād found that first!
We have to study the CLI commands from time to timeā¦
hey Iām so sorry, but can you PLEASE give more details about 'configure PTR to allow to send emails AS"?
Iām a linode user, and I donāt think that they ALLOW us to create PTR records. from what I see, thatās my side of the story. Is a PTR record just a normal TXT record?
I found an article once that said that āif we want to configure email open a ticketā but then when I TRIED to do that, they told me to go take a hike. I donāt understand PTR records AT ALL.
Do you have recommendations on testing PTR config? I have about 100 different āEmail Config Testing Toolsā that Iāve been collecting, but this PTR stuff is NEWS to me. THANKS
PTR records are set at the owner of the ip space. So contact your provider
In simple terms, PTR records exist to allow REVERSE lookup, i.e. find the hostname of an IP address. Itās the opposite of an A record, that gives you the IP address of a hostname.
As @eris already said, PTR records can be set by those owning the IPs. Quite similarly to A records that can be set by those owning the domain name. If you do not own the public IP address you are using (99% probability), then you need to ask your provider to set the PTR record for you. Some providers give you a web interface to do that. For others you need to open a ticket. A few of them do not give that option at all.
Sorry. I meant SPF. I had a lapsus.
Your server is in a private block list. Maybe because of the bad reputation in the past of that IP or maybe because of the neighborhood (class C)
Either way, you have to register with Microsoft postmaster and give your details and ask for restoration of your status.
You also have to monitor your apps and make sure your clients donāt spam or your webs are not hacked.
In the meantime you may connect to Amazon SES.
For Microsoft, I advise to register for the Junk Mail Reporting Program Microsoft JMRP to be able to monitor the situation.
One more thing to note, you may face blocking issues if your domain name is too young.
Thank you @Felix and @jlguerrero. I have my PTR set as the hostname of my HestiaCP installation: host.mydomain.com. Once I read about some workarounds where you can set CNAME so just checking if you guys knew about that.
I did do some delisting requests through here and also sending an e-mail from my vps with a requestā¦
I now signed up for JMRP to be able to monitor the situation and also requested delisting at: https://sender.office.com/ which gave back that my IP is currently not blocked in their systemsā¦
Anyway, itās a big pain these Microsoft policiesā¦