Setting up dedicated mail server

Hi, looking to downsize my dedicated server to cloud server, my sites are not busy and dedicated server is overkill, except for memory.

The mail server with spammassin uses plenty of memory, and cloud server with enough memory for all services cost nearly as much dedicated i am using, so i am thinking of putting mail server on its own cloud server which would work out much cheaper.

How difficult is it to setup HestiaCP with mail service on different server, are there any issues?


1 Like

Hestia works fine with a dedicated mail server. Make sure to install MariDB, PHP and Nginx if you still want to use webmail.

For SSL generation nginx is always required…

That’s the way I use hestiaCP

I have one server for email+DNS
I have N servers for web

If a site gets hacked, it doesn’t affect email delivered and so…

You also get less hacking attempts.


Just a question… If you have a server with the web pages (with the domains,… etc), and the email server is on another server… What domain do you have to set on email server?, or and use it as smtp relay?

In the first case I have doubts about how to manage the let’s encrypt certificates on two different servers, in the second I don’t know how to configure dkim, dmarc and if it can give an error because the web domain and the email domain do not match.

thank you

Web server:
Email server:

Clients domains

The LE certificates are for different Subdomains.

This is the standard way to go, no errors on dmarc or dkim expected.

If you want your web server to send emails you have to configure PTR to allow to send emails as

EDIT: I mean SPF. The PTR is only if you own the IP.

1 Like

The client can also use the name for sending SMTP emails, and to connect to webmail. Provided of course that there are the A records pointing to the IP of the mail server.

Websites on webserver can be configured to send emails via SMTP, which I believe is the best option. For WordPress you can use an SMTP Plugin.

Some more things you need to configure are MX Record, SPF and DKIM.

  1. The MX record should point to the IP of the email server. This is configured where you host the zone
  2. For SPF you can use "v=spf1 a mx ip4:{IP_OF_WEB_SERVER} -all".
  3. As for DKIM, you need to find the record in the email server. I believe this is inside the file /usr/local/hestia/data/users/{USERNAME}/mail/{DOMAIN}.pub and put it in DNS as a TXT record mail._domainkey like this "v=DKIM1; k=rsa; p={LONG_STRING_HERE}".
1 Like

Is there a (known working) workaround for the PTR record? I have my PTR set to which is the installation of HestiaCP. I also have setup my MX, SPF and DKIM records exactly as @Felix explained above.
Unfortunately recently Microsoft, Hotmail, Live etc. started to not except e-mails from my server anymore. (All other providers incl. Gmail work without issues.)

For now I had to SMTP-relay through SMTP2GO which works well but if you know of a solution to have “multiple” PTR records for all clients that would be awesome.

Got a little dkim formatting script I use, which I’ll share here. If you run it with no parameters, it tells you the DKIM status of every domain on the server. If you run it with USER MAILDOMAIN it will check what your record currently is, and what it should be according to Hestia.

# Check for input 
if [ -z "$1" ]
      echo "Call script with USER DOMAIN arguments. Here are the mail domains on this server."
      for USER in $( v-list-users plain | awk '{print $1}' )
	COUNTMAIL=$(v-list-mail-domains $USER plain | awk '{print $1}' | wc -l )
	if [[ "$COUNTMAIL" -gt "0" ]]; then
        for MDOMAIN in $( v-list-mail-domains $USER plain | awk '{print "  " $1}' )
      	  DKIMSTATE=$(dig txt +short mail._domainkey.$MDOMAIN)
	  if [[ "$DKIMSTATE" == "" ]] ; then
		STATEMESSAGE="No DKIM for this mail._domainkey.$MDOMAIN"
		STATEMESSAGE="A DKIM record is set at DNS provider for mail._domainkey.$MDOMAIN"
	echo -e "\t $USER \t\t $MDOMAIN \t\t $STATEMESSAGE"

# We have user and domain

echo "Current record (dig +short txt mail._domainkey.$2)"
dig +short txt mail._domainkey.$2

echo ""
echo "Check that the TXT record for mail._domainkey.$2 is:"
v-list-mail-domain-dkim $1 $2 \
 | sed '1,/BEGIN PUBLIC KEY/d' | sed '/END PUBLIC KEY/d' \
 | tr -d '\n' | sed 's/.*/"v=DKIM1; k=rsa; p=&"\n/'


1 Like

Thank you

v-list-mail-domain-dkim-dns gives the DNS record you need to add


WoW! Nice! :slight_smile: I didn’t know about that command.

Hah, me too! Probably wouldn’t have spent time writing a script to do it if I’d found that first! :slight_smile:

We have to study the CLI commands from time to time…

hey I’m so sorry, but can you PLEASE give more details about 'configure PTR to allow to send emails AS"?

I’m a linode user, and I don’t think that they ALLOW us to create PTR records. from what I see, that’s my side of the story. Is a PTR record just a normal TXT record?

I found an article once that said that ‘if we want to configure email open a ticket’ but then when I TRIED to do that, they told me to go take a hike. I don’t understand PTR records AT ALL.

Do you have recommendations on testing PTR config? I have about 100 different ‘Email Config Testing Tools’ that I’ve been collecting, but this PTR stuff is NEWS to me. THANKS

PTR records are set at the owner of the ip space. So contact your provider

In simple terms, PTR records exist to allow REVERSE lookup, i.e. find the hostname of an IP address. It’s the opposite of an A record, that gives you the IP address of a hostname.

As @eris already said, PTR records can be set by those owning the IPs. Quite similarly to A records that can be set by those owning the domain name. If you do not own the public IP address you are using (99% probability), then you need to ask your provider to set the PTR record for you. Some providers give you a web interface to do that. For others you need to open a ticket. A few of them do not give that option at all.

Sorry. I meant SPF. I had a lapsus.

Your server is in a private block list. Maybe because of the bad reputation in the past of that IP or maybe because of the neighborhood (class C)

Either way, you have to register with Microsoft postmaster and give your details and ask for restoration of your status.

You also have to monitor your apps and make sure your clients don’t spam or your webs are not hacked.

In the meantime you may connect to Amazon SES.

For Microsoft, I advise to register for the Junk Mail Reporting Program Microsoft JMRP to be able to monitor the situation.

One more thing to note, you may face blocking issues if your domain name is too young.

Thank you @Felix and @jlguerrero. I have my PTR set as the hostname of my HestiaCP installation: Once I read about some workarounds where you can set CNAME so just checking if you guys knew about that.

I did do some delisting requests through here and also sending an e-mail from my vps with a request…

I now signed up for JMRP to be able to monitor the situation and also requested delisting at: which gave back that my IP is currently not blocked in their systems…

Anyway, it’s a big pain these Microsoft policies…