hc-email: PTR/FCrDNS for hc IPs (.107-.109 -> hcmta01-03) done + SPF/DKIM/DMARC verified
This commit is contained in:
justin
parent
8c51fa4b99
commit
61dac80dc6
1 changed files with 27 additions and 6 deletions
|
|
@ -230,12 +230,33 @@ Committed and validated on dev:
|
|||
prod host ports / postgres volume.
|
||||
|
||||
## REMAINING before any healthcare send (manual, needs Justin/DNS)
|
||||
1. **PTR / FCrDNS** for the hc IPs: `.107->hcmta01`, `.108->hcmta02`,
|
||||
`.109->hcmta03` (.performancewest.net). Required or institutional MX will
|
||||
spam/space us. (Currently .107-.109 have `mta18-20` PTR from the trucking
|
||||
pool; repoint to hcmtaNN.)
|
||||
2. **SPF**: confirm `.107-.109` are authorized (they already are in the 20-IP
|
||||
block, but verify after PTR change). DKIM/DMARC are domain-level, unchanged.
|
||||
1. **PTR / FCrDNS** for the hc IPs — ✅ **DONE 2026-06-06.**
|
||||
`.107->hcmta01`, `.108->hcmta02`, `.109->hcmta03` (.performancewest.net),
|
||||
plus matching forward A records, verified resolving on the authoritative NS
|
||||
AND HE.net secondaries (SOA serial in sync). FCrDNS confirmed both ways.
|
||||
|
||||
**How (for future reference):** HestiaCP box `cp.carrierone.com` =
|
||||
`207.174.124.22`, **SSH port 22022** (not 22). `admin@` is sftp-only, but
|
||||
**`root@.22:22022` accepts our default `~/.ssh/id_ed25519`** → full shell +
|
||||
Hestia CLI. Forward zone `performancewest.net` and reverse zone
|
||||
`124.174.207.in-addr.arpa` are both owned by Hestia user **`justin`**; HE.net
|
||||
auto-zone-transfers (secondaries). Commands used:
|
||||
```
|
||||
export PATH=$PATH:/usr/local/hestia/bin
|
||||
# forward A: USER DOMAIN RECORD TYPE VALUE
|
||||
v-add-dns-record justin performancewest.net hcmta01 A 207.174.124.107
|
||||
# reverse PTR: USER REVZONE OCTET PTR FQDN. "" "" <restart yes/no>
|
||||
v-add-dns-record justin 124.174.207.in-addr.arpa 107 PTR hcmta01.performancewest.net. "" "" yes
|
||||
v-delete-dns-record justin 124.174.207.in-addr.arpa <ID> no # remove stale
|
||||
v-rebuild-dns-domain justin 124.174.207.in-addr.arpa # bump serial
|
||||
```
|
||||
(Also removed pre-existing duplicate `mta18-20` PTRs in the reverse zone.)
|
||||
NOTE: the workers' `hestia_provisioner.py` path (admin@:22 + mounted key)
|
||||
remains unfinished/unused — the working path is root@:22022 with our key.
|
||||
2. **SPF/DKIM/DMARC** — ✅ **VERIFIED 2026-06-06.** SPF already authorizes
|
||||
`.107/.108/.109` explicitly and ends `-all` (only 2 DNS-lookup mechanisms,
|
||||
`a mx` — safe under the 10 limit). DKIM selector `mail` published (2048-bit).
|
||||
DMARC `p=quarantine; pct=100; rua=dmarc@`. All domain-level, no change needed.
|
||||
3. **Install on prod**: create `listmonk_hc` DB + `--install`, configure its 3
|
||||
SMTP servers (commands in deploy.sh header), run `hc_stream_setup.sh` on the
|
||||
prod MTA, install `pw-hc-rampcap` cron.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue