
#4902 Mail server name in MX records and Client Autoconfiguration

1.830
closed-fixed
nobody
None
5
2017-03-02
2017-02-20
No

The mail server name in the MX record in Virtualmin > Server Configuration > Suggested DNS records and in the autoconfig.cgi file created by Email Messages > Mail Client Configuration currently gets set to something like "mail.mydomain.com", where mydomain.com is the Virtualmin domain, not the mail server domain. This works but leads to two problems:

  1. A receiving mail client that does a reverse lookup on the mail server will see a mismatch because the IP address belongs to the server hostname, not the Virtualmin domain. This can cause some spam filters to reject the connection (can't remember exactly which, sorry - most likely ones like Hotmail).

  2. Encrypted mail connections will see a mismatch between the certificate name and the hostname, unless the Postfix certificate is signed for every Virtualmin domain, which is very expensive and laborious. This will cause mail client autoconfiguration to fail, and will also fail SSL checks like https://www.htbridge.com/ssl/

Both problems can be solved by changing the mail server name (in the MX record and autoconfig.cgi) to the fully qualified server hostname.

Discussion

  • Jamie Cameron

    Jamie Cameron - 2017-02-22

    For question 1, on a system that hosts multiple domains on a single IP you are always going to run into this problem, as reverse-resolution can only return a single hostname.

    For question 2, using the hostname in the mail client autoconfiguration response is a good idea. I will fix this in the next release.

     
  • Phil McKerracher

    For question 1, it's true that you will always have a reverse DNS problem with web sites sharing an IP and there's nothing you can do about it. But for the special case of MX records you can do something about it - set them to the mail server domain rather than to match the domain you're editing. So, for example, for my domain bromleysymphony.org, hosted on server mail.beeches.it and sending mail from there, my MX record becomes:

    bromleysymphony.org. 300 IN MX 10 mail.beeches.it.

    I spent some time trying the various options and this is the way that passes all the tests and gets best delivery because checks like reverse lookups, certificate names and EHLO will all now match the MX record.

    Also note that if you do this the SPF record can be quite simple, mine is just the IP addresses:
    bromleysymphony.org. 300 IN TXT "v=spf1 ip4:149.210.138.83 ip6:2a01:7c8:aab0:68::1 ~all"

    You don't need the extra 'a' and 'mx' bits that all resolve to the same IP address and they can do some harm by slowing things down with multiple lookups and potentially exceeding the length limit if someone added a long 'include'.
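
An offline check of the alignment described in the comment above, added here as an example and not part of the original ticket or Virtualmin's code. The server's PTR, EHLO and certificate names and the `a mx` SPF variant are constructed assumptions, `mail.bromleysymphony.org` stands in for the default-style per-domain name, and the cap of 10 DNS-querying SPF terms comes from RFC 7208.

```python
import re
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # RFC 7208 4.6.4

def norm(name):
    return name.rstrip(".").lower()

def cert_covers(host, sans):
    """True if any certificate name matches host (one leftmost wildcard label allowed)."""
    host = norm(host)
    for san in map(norm, sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def parse_mx(record):
    """Return (domain, preference, target) from a zone-file MX line."""
    owner, _ttl, _cls, _type, pref, target = record.split()
    return norm(owner), int(pref), norm(target)

def check_alignment(mx_target, ptr, ehlo, sans):
    """Compare the MX target with what a remote peer observes about the server."""
    mx = norm(mx_target)
    return {"ptr": mx == norm(ptr), "ehlo": mx == norm(ehlo), "cert": cert_covers(mx, sans)}

def spf_dns_lookups(txt):
    """Count SPF terms that trigger DNS queries (receivers allow at most 10)."""
    count = 0
    for term in txt.strip('"').split()[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        count += name in LOOKUP_TERMS
    return count

# Constructed sample data: assumed PTR, EHLO and certificate names for the server.
SERVER = {"ptr": "mail.beeches.it.", "ehlo": "mail.beeches.it", "sans": ["mail.beeches.it"]}
MX_HOSTNAME = "bromleysymphony.org. 300 IN MX 10 mail.beeches.it."
MX_PER_DOMAIN = "bromleysymphony.org. 300 IN MX 10 mail.bromleysymphony.org."  # default-style name
SPF_SIMPLE = '"v=spf1 ip4:149.210.138.83 ip6:2a01:7c8:aab0:68::1 ~all"'
SPF_WITH_A_MX = '"v=spf1 a mx ip4:149.210.138.83 ~all"'  # constructed variant

def report(mx_line):
    _, _, target = parse_mx(mx_line)
    return check_alignment(target, SERVER["ptr"], SERVER["ehlo"], SERVER["sans"])

if __name__ == "__main__":
    for line in (MX_HOSTNAME, MX_PER_DOMAIN):
        print(line, report(line))
    print([spf_dns_lookups(s) for s in (SPF_SIMPLE, SPF_WITH_A_MX)])
```

With the server hostname as MX target all three checks pass; with the per-domain name all three fail against the same server data, and the `a mx` variant costs two DNS lookups where the IP-only record costs none.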

     
  • Jamie Cameron

    Jamie Cameron - 2017-02-22

    Fair point - being able to customize the MX record would be a reasonable feature. I'll look into implementing this.

     
  • Jamie Cameron

    Jamie Cameron - 2017-03-02
    • status: open --> closed-fixed
     
  • Jamie Cameron

    Jamie Cameron - 2017-03-02

    This has been implemented for inclusion in the next release.

     
