Managing PTR Record with Cloudflare - reverse DNS email problem

SYSTEM INFORMATION
OS type and version Ubuntu 22.04
Webmin version 2.111
Virtualmin version 7.10.0 Pro

@staff

I’ve been researching the forum but can’t seem to find a post that matches my ask. I’d like to use emails with Virtualmin, and all my DNS is managed through cloudflare. The settings in Virtualmin, DKIM, DMARC are all enabled, all looking good IMHO. However when sending emails to GMAIL, I get this:

The IP address sending this message does not have a PTR record setup, or the corresponding forward DNS entry does not point to the sending IP. As a policy, Gmail does not accept messages from IPs with missing PTR records.

Now, in Plesk, the PTR record (i.e. reverse DNS) is automatically “managed” by Plesk, if it is connected to external DNS providers such as cloudflare. However I understand, that Virtualmin doesn’t manage the PTR record. Things to note:

  • in cloudflare, I’ve set SSL settings to “full/strict”. I’m not really willing to compromise on this unless there is a really good reason, as any setting below leads to a lot of redirect issues, particularly from HTTP to HTTPS request etc.
  • all domains are let’s encrypt SSL’ed
  • DOMAINKEY and DKIM are all properly set up
  • services like mail-tester appreciate all other mail server settings, just the PTR is a problem

Question:

  • While I understand that I can create a PTR record manually in each of my cloudflare domains, I’d prefer to automate this and retain the “push” set up of Virtualmin pushing updates to cloudflare somehow and avoid having to do anything cloudflare DNS settings manually.
    As I use cloudflare for all my domains managed within virtualmin, is there a way to easily set this up? The advice from mail-tester suggests that: "You may want to publish a pointer (PTR type) DNS record with a value of domain.com or use subdomain.hostprovider.net as hostname in your mail software."

  • Equally, I’m aware that I can put my mailserver somewhere else, but I’d like to keep things together, and the DNS-proxy to obfuscate my IPs isn’t that important to me.

I’m trying to find a step-by-step guide on how to set up virtualmin with cloudflare, so that a mail-tester.com test gets me close to the 10 points. Ironically, I think I actually had gotten there, but I messed up something in the process, and now I’m getting these error message…

I have to admit, that email and mail server handling isn’t my forte, so appreciate a bit of a helping hand.
Cheers team, you rock, loving this piece of software as I get to know it a bit better…

So while it’s not the solution I wanted, the temporary fix I’m applying (that passes the gmail and mail-tester tests) is as follows:

  • in postfix mail server configuration, selected “What domain to use in outbound mail” as “Use hostname”.
  • in network configuration, Hostname and DNS Client, put the RDNS entry from the ISP

Why does this solve things?

  • the hostname is now the RDNS entry, so the nslookup of the IP resolves to the hostname
  • the mail server uses the hostname to send emails.

Why does this not solve things?

  • Ideally, I’d like the host name to be a different domain from the RDNS entry of the ISP, so the hostname URL is “prettier” than the lengthy subdomain assigned from the ISP

  • I’d like to avoid having to use RDNS entry from my ISP as the domain used to send email, I’d prefer to have the domain of the email to be the domain used for sending email.

This again leads to the automated PTR record creation discussion above, which remains unresolved by this work-around.

Cheers!

You cannot set the Reverse DNS / PTR entry.

Your ISP needs to set it for your IP.

Ask them that you want hostname.domain.tld for your IP

from your end you set the A record in DNS. But PTR is set by ISP.

Most VPS / dedicated server companies let you set it in their panel.

sometimes they allow to set it even for residential connections.

Thanks for your offer to help! I’m afraid that’s not necessarily accurate, as it depends on the hosting panel you have. My ISP for example DOES allow that, as I run my own VPS.

That doesn’t solve my problem though, as I will still have a single hostname I need to use for all emails, which I don’t want to do. What I’m aiming to get at, is:

mail@domain1.com should have sendmails from domain1.com
mail@domain2.com should have sendmails from domain2.com

Does that make sense? So changing my hostname from:

subdomain.ispdomain.com
to
domain1.com

doesn’t solve my issue…

PTR is controlled by whoever “owns” the IP.
If your IP is supplied by a VPS then you should have a way to edit the PTR on their system.

Who supplies the IP?

What response do you get at Mxtools for a reverse lookup?

On vultr this is where I set the reverse lookup.

This is off topic.

You can not do that unless you have more than 1 IP address; a PTR record alludes to the IP address and not multiple domain names. As long as whatever the contents of the PTR record is resolves to your allocated IP there should be no problem sending mail.

Are you proxying the A record for the mail server?

No it’s not. As I created the topic and the intent is to use PTR records to overcome the limitations of the 1:1 relationship between an IP and a domain name…

A DNS pointer record (PTR for short) provides the domain name associated with an IP address, and that is what I am trying to achieve here, i.e. having virtualmin “spoof” the RDNS by managing the cloudflare PTR record to ensure that the domain is mapped to the IP…

Apologies if that wasn’t clear, but that’s really my only issue.

Hi there, I’m all good with this. I know what the reverse look up of my IP is, as mentioned in the post before. My problem is not finding the domain to the IP, my problem is trying to allow emails to pass the RDNS test by automatically managing the PTR records in cloudflare through webmin…

no, I am not (sorry, misread initially)

You can’t proxy the A records for mail, its in cloudflare docs, they say to set to DNS only.

Yes, but in cloudflare, for every single domain, I can set a PTR record that will confirm that the IP = domain, even if there are numerous domains on the same IP.

Am I misunderstanding what you are trying to say?

Let me back up a little, this is what mail-tester outputs for a domain that is managed by plesk through cloudflare. Every domain sends email through their own domain name as the host name. I’m wondering whether what I’m trying to accomplish can be managed through SPF, but as mentioned in my initial post, I’m not great with email and the security parameters in recent years…

Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses.

What we retained as your current SPF record is:
v=spf1 +a +mx +a:hosting.mydomain.com -all

Verification details:
dig +short TXT mydomain.com :
“v=spf1 +a +mx +a:hosting.mydomain.com -all”

dig +short TXT @bailey.ns.cloudflare.com. mydomain.com :
“v=spf1 +a +mx +a:hosting.mydomain.com -all”

spfquery --scope mfrom --id hosting@mydomain.com --ip 11.11.111.11 --helo-id hosting.mydomain.com :

pass
mydomain.com: 11.11.111.11 is authorized to use 'hosting@mydomain.com' in 'mfrom' identity (mechanism 'a' matched)
mydomain.com: 11.11.111.11 is authorized to use 'hosting@mydomain.com' in 'mfrom' identity (mechanism 'a' matched)
Received-SPF: pass (mydomain.com: 11.11.111.11 is authorized to use 'hosting@mydomain.com' in 'mfrom' identity (mechanism 'a' matched)) receiver=ns303428.ip-94-23-206.eu; identity=mailfrom; envelope-from="hosting@mydomain.com"; helo=hosting.mydomain.com; client-ip=11.11.111.11

You mean SPF not PTR I think, PTR is a reverse setting.

I’m a bit confused about the PTR in the subject.

try a simple SPF like

“v=spf1 +a +mx +ip4:xxx.xx.xxx.xxx -all”

xxx.xx.xxx.xxx being the IP of the server, add ip6: or other IP’s of servers sending mail for that domain.

That is the way, you use the IPs in the SPF record. Then you can have a different domain that does not match the hostname or PTR record.

To set PTR from cloudflare or any other DNS, it would need to be the authoritative nameserver for that IP.

At least that is my understanding.

So this can only be set by the Hoster/VPS provider/Dedicated Server provider/Residential ISP if hosting at homelab.

You have read this Reverse zones and PTR records · Cloudflare DNS docs and your setup complies?

So I imagine you can set the PTR record at Cloudflare when proxying HTTP traffic for yourdomain.com and www.yourdomain.com, because those will resolve to Cloudflare’s IPs for which they also control the PTR.

But they don’t proxy email (SMTP protocol), so it would make no sense for mail.yourdomain.com to resolve to a Cloudflare IP, and thus they don’t control the PTR record for it. Instead this would need to be managed by your ISP or hosting company.

You have misunderstood what a PTR record is.

There is nothing to overcome. A PTR record maps an IP address to a name. That’s it.

Reverse DNS for an IP is managed by the owner of the network block your IP is in. Some providers will delegate it to your name servers if requested, some will allow you to set it directly, some require you to file a ticket and have them update it, some just expect you to use the automatically assigned PTR. Any of those is fine, as long as the name the PTR resolves to has an A record that resolves back to your IP. But, you don’t “own” the IP PTR record, so there is nothing a control panel can do about it without it being delegated to you.

You can manage reverse zones in Webmin, so you can certainly manage PTR records in Webmin, if your host has delegated the zone(s) for the IPs of your server(s) to your DNS servers. For most folks, that is an unnecessary bit of complexity.

And, Plesk cannot magically make PTR records do something they aren’t meant to do.
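To make the two checks discussed in this thread concrete, here is an added example (not from the thread or from Virtualmin): it runs the forward-confirmed reverse DNS test the staff reply describes (PTR name must have an A record pointing back at the IP) and a minimal SPF evaluator for the `+a +mx +ip4:... -all` style record suggested above, showing why the sending domain can differ from the PTR hostname. The zone data is constructed and stands in for live DNS; the names and IPs are assumptions, not anyone's real records.

```python
import ipaddress

# Constructed sample zone data (assumption) standing in for live DNS lookups.
# The PTR host (mail.example.net) differs from the sending domain (domain1.com).
ZONE = {
    "A":   {"domain1.com": ["203.0.113.10"],
            "mx.domain1.com": ["203.0.113.10"],
            "mail.example.net": ["203.0.113.10"]},
    "MX":  {"domain1.com": ["mx.domain1.com"]},
    "PTR": {"203.0.113.10": ["mail.example.net"]},
    "TXT": {"domain1.com": ["v=spf1 +a +mx +ip4:203.0.113.10 -all"]},
}

def lookup(rtype, name, zone=ZONE):
    """Return the records of type rtype for name, or [] when none exist."""
    return zone.get(rtype, {}).get(name, [])

def fcrdns_ok(ip, zone=ZONE):
    """Forward-confirmed rDNS: some PTR name for ip must have an A record back to ip."""
    return any(ip in lookup("A", name, zone) for name in lookup("PTR", ip, zone))

def spf_result(domain, ip, zone=ZONE):
    """Evaluate the a, mx, ip4 and all mechanisms of domain's SPF record for ip."""
    records = [t for t in lookup("TXT", domain, zone) if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "a":
            hit = ip in lookup("A", arg or domain, zone)
        elif name == "mx":
            hit = any(ip in lookup("A", mx, zone)
                      for mx in lookup("MX", arg or domain, zone))
        elif name == "ip4":
            hit = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "all":
            hit = True
        else:
            continue   # unsupported mechanisms (include, exists, ...) are skipped here
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

if __name__ == "__main__":
    print("FCrDNS:", fcrdns_ok("203.0.113.10"))                 # True
    print("SPF:", spf_result("domain1.com", "203.0.113.10"))    # pass
    print("SPF other IP:", spf_result("domain1.com", "198.51.100.5"))  # fail
```

The PTR check passes although the PTR name is not domain1.com, and SPF authorizes the IP for domain1.com mail, which is the combination the thread converges on.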