Certificate for SMTP TLS

Well Juergen, on moving to the new server, the server hostname they gave me was even worse. It was grepnik.default.my-account-name.uk0.bigv.io
where my-account-name is my real name, trivially findable from every mail sent and every web page published on my server.
I had the option to set the reverse IP name to what I liked, except of course for it to work I'd have needed to register a new domain or use one of my web domains.
I had to open a new account, and still I get this name. On the bright side, it will NEVER be needed by any human to type in.

Can't you ask for a new/specific rDNS?
Do you charge to make such a change?

Osiris. No. My users are about five devices used by two people. And on each mail client I personally configured the send and receive server names to be that name. If I had thousands of users I'd hope there was a way of uploading a default configuration!

I've created a new cert for grepnik.def...., etc, and after a lot of messing around with permissions* I now have TLS enabled and showing valid and verified!

*private key group changed to one the mailserver belongs to, and group read permission set. Not something I like, but that's the recommended way. And that needs to be raised in a new topic - tomorrow. Many thanks all for your quick and helpful replies.

1 Like

rg305, this is only a personal server with some stuff for family and friends. I could set the rDNS to whatever I liked. But the name returned would need to resolve back to the IP address, or it might break things and at the least look very dodgy. So I'd need to use a registered domain name. The two I have have specific purposes and if the worst thing about the general one is its awful long name, well I can live with that!

I don't think you understand what rDNS means here.
Look up the term FCrDNS - that should explain what you need for emailing purposes.
If you can set your rDNS, then you are either the ISP or they have delegated the IP to your DNS server.
Unless there is a control panel entry for rDNS that I'm not aware of.
[do you even operate a DNS server?]

So, how would you set the rDNS entry?

It makes no difference how many people use the system.
It is either done correctly (and all is good in your email world) or it is not (and you will have problems where some systems just won't accept your outbound emails).

Yes, that would be best.

What about a subdomain of one of those names you own?
Like: email.your.domain

I can indeed set my server's rDNS name! I use my hosting company's DNS servers, and they allow you to set the value of the PTR record they return when someone does e.g. dig -x [IP-address]. (For those domains I myself control I can upload just about every DNS record type to my host's DNSs)

Of course that allows a fake domain name which would not be usable for certs and would fail to forward-validate. Or as you suggest a subdomain that I set up A/AAAA records for. But the domains aren't the server and I don't want to use either name for it. A new domain registered for the purpose would do, but is overkill just to get a nice simple name for the benefit of my two users!

I ended up using the awful long (but real) server hostname and now have TLS working and verified. Good enough for my purposes.

If you control any domain, you can add a new record in that domain that points to that IP.
If you control the rDNS entry you can add that name to that same IP.
Then it would pass FCrDNS checks.
And be a much shorter name - that you control, maintain, and choose.
IP = FQDN
FQDN = IP
IP = FQDN = IP ✔ [passes FCrDNS checks]

And then change the MX records and the hostname configured in your MTA to that domain name.

1 Like
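The two-way check rg305 describes (PTR for the IP, then A/AAAA for each returned name, pass only if the forward answer contains the original IP), written out as an added example that is not part of this thread. The sample DNS data is constructed to mirror the scenarios discussed above (the real bigv hostname, a made-up rDNS name that nobody controls, and an `email.your.domain` subdomain); the 203.0.113.x addresses are documentation-range placeholders, and the live lookups use Python's standard `socket` module.

```python
import socket
from dataclasses import dataclass

# Constructed sample records modelling the three cases from the thread (not real DNS data).
SAMPLE_PTR = {
    "203.0.113.10": ["grepnik.default.my-account-name.uk0.bigv.io"],  # hosting company's real name
    "203.0.113.11": ["mail.example.invalid"],                           # rDNS set to a name nobody controls
    "203.0.113.12": ["email.your.domain"],                              # subdomain the owner controls
}
SAMPLE_FORWARD = {
    "grepnik.default.my-account-name.uk0.bigv.io": ["203.0.113.10"],
    "email.your.domain": ["203.0.113.12", "2001:db8::12"],
    # "mail.example.invalid" has no forward record, so it cannot confirm the PTR
}

@dataclass
class FcrdnsResult:
    ip: str
    ptr_names: list      # every name the reverse lookup returned
    confirmed: list      # PTR names whose forward lookup includes ip
    passed: bool         # at least one name closed the loop IP -> FQDN -> IP

def sample_ptr(ip):
    return list(SAMPLE_PTR.get(ip, []))

def sample_forward(name):
    return list(SAMPLE_FORWARD.get(name, []))

def live_ptr(ip):
    """Reverse lookup via the system resolver (what `dig -x` does)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host] + aliases

def live_forward(name):
    """Forward lookup returning every A/AAAA address for the name."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_fcrdns(ip, ptr_lookup=live_ptr, forward_lookup=live_forward):
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    confirmed = [n for n in names if ip in forward_lookup(n)]
    return FcrdnsResult(ip, names, confirmed, bool(confirmed))

def mta_hostname_consistent(result, mta_hostname):
    """The hostname configured in the MTA should be one of the confirmed FCrDNS names."""
    return mta_hostname.rstrip(".").lower() in result.confirmed
```

Run with no arguments it uses the live resolver, so `check_fcrdns("<your-ip>")` reproduces what a receiving mail server sees; pass `sample_ptr, sample_forward` to replay the constructed cases offline.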

rg305, Osiris

I simply don't want the server to be named after either of my domains! For a small cost I could register a new domain just for my server, and do as you both suggest. But why? My e-mail headers are a few bytes longer, but I have the disk space. How many will know or care how long my server name is? If I'm known forever as "that guy with the silly long server name" I'll bear it with pride.

1 Like
