From 61dac80dc6369ded8294399d8b644ebb8d0a5a93 Mon Sep 17 00:00:00 2001 From: justin Date: Fri, 5 Jun 2026 23:01:34 -0500 Subject: [PATCH] hc-email: PTR/FCrDNS for hc IPs (.107-.109 -> hcmta01-03) done + SPF/DKIM/DMARC verified --- docs/healthcare-email-stream-plan.md | 33 +++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/docs/healthcare-email-stream-plan.md b/docs/healthcare-email-stream-plan.md index 25ddb4f..ca1fe80 100644 --- a/docs/healthcare-email-stream-plan.md +++ b/docs/healthcare-email-stream-plan.md 
@@ -230,12 +230,33 @@ Committed and validated on dev: prod host ports / postgres volume. ## REMAINING before any healthcare send (manual, needs Justin/DNS) -1. **PTR / FCrDNS** for the hc IPs: `.107->hcmta01`, `.108->hcmta02`, - `.109->hcmta03` (.performancewest.net). Required or institutional MX will - spam/space us. (Currently .107-.109 have `mta18-20` PTR from the trucking - pool; repoint to hcmtaNN.) -2. **SPF**: confirm `.107-.109` are authorized (they already are in the 20-IP - block, but verify after PTR change). DKIM/DMARC are domain-level, unchanged. +1. **PTR / FCrDNS** for the hc IPs — ✅ **DONE 2026-06-06.** + `.107->hcmta01`, `.108->hcmta02`, `.109->hcmta03` (.performancewest.net), + plus matching forward A records, verified resolving on the authoritative NS + AND HE.net secondaries (SOA serial in sync). FCrDNS confirmed both ways. + + **How (for future reference):** HestiaCP box `cp.carrierone.com` = + `207.174.124.22`, **SSH port 22022** (not 22). `admin@` is sftp-only, but + **`root@.22:22022` accepts our default `~/.ssh/id_ed25519`** → full shell + + Hestia CLI. Forward zone `performancewest.net` and reverse zone + `124.174.207.in-addr.arpa` are both owned by Hestia user **`justin`**; HE.net + auto-zone-transfers (secondaries). Commands used: + ``` + export PATH=$PATH:/usr/local/hestia/bin + # forward A: USER DOMAIN RECORD TYPE VALUE + v-add-dns-record justin performancewest.net hcmta01 A 207.174.124.107 + # reverse PTR: USER REVZONE OCTET PTR FQDN. "" "" + v-add-dns-record justin 124.174.207.in-addr.arpa 107 PTR hcmta01.performancewest.net. "" "" yes + v-delete-dns-record justin 124.174.207.in-addr.arpa no # remove stale + v-rebuild-dns-domain justin 124.174.207.in-addr.arpa # bump serial + ``` + (Also removed pre-existing duplicate `mta18-20` PTRs in the reverse zone.) + NOTE: the workers' `hestia_provisioner.py` path (admin@:22 + mounted key) + remains unfinished/unused — the working path is root@:22022 with our key. +2. 
**SPF/DKIM/DMARC** — ✅ **VERIFIED 2026-06-06.** SPF already authorizes + `.107/.108/.109` explicitly and ends `-all` (only 2 DNS-lookup mechanisms, + `a mx` — safe under the 10 limit). DKIM selector `mail` published (2048-bit). + DMARC `p=quarantine; pct=100; rua=dmarc@`. All domain-level, no change needed. 3. **Install on prod**: create `listmonk_hc` DB + `--install`, configure its 3 SMTP servers (commands in deploy.sh header), run `hc_stream_setup.sh` on the prod MTA, install `pw-hc-rampcap` cron.
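Review bot: the new "How (for future reference)" block commits a root SSH access recipe (host, non-standard port, and the fact that root login accepts the team's default `~/.ssh/id_ed25519`) into a tracked plan document, and the closing NOTE ratifies root@:22022 as "the working path" while the least-privilege `hestia_provisioner.py` path (admin@ plus a mounted key) stays unfinished. Suggest keeping the access details out of this doc (an access-controlled runbook is the right place), leaving only the Hestia CLI steps here, and tracking the provisioner path as the intended mechanism rather than documenting root-with-shared-key as the norm. Also, the line `v-delete-dns-record justin 124.174.207.in-addr.arpa no # remove stale` is missing the record ID argument (the `no` sits where the ID would be and reads as the restart flag), so the step as written cannot be reproduced; add a placeholder such as `<RECORD_ID>` or the `v-list-dns-records` lookup used to find it. Minor: the removed text had "spam/space us", and the replacement no longer states why PTR/FCrDNS is required; a one-clause reason (institutional MX reject or junk mail without matching forward/reverse DNS) would keep the rationale with the checklist item.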