justin/new-site
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

hc-email: PTR/FCrDNS for hc IPs (.107-.109 -> hcmta01-03) done + SPF/DKIM/DMARC verified

Browse source
This commit is contained in:
justin 2026-06-05 23:01:34 -05:00
parent 8c51fa4b99
commit 61dac80dc6
1 changed files with 27 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

33
docs/healthcare-email-stream-plan.md
View file

@ -230,12 +230,33 @@ Committed and validated on dev:
prod host ports / postgres volume. prod host ports / postgres volume.
## REMAINING before any healthcare send (manual, needs Justin/DNS) ## REMAINING before any healthcare send (manual, needs Justin/DNS)
1. **PTR / FCrDNS** for the hc IPs: `.107->hcmta01`, `.108->hcmta02`, 1. **PTR / FCrDNS** for the hc IPs — ✅ **DONE 2026-06-06.**
`.109->hcmta03` (.performancewest.net). Required or institutional MX will `.107->hcmta01`, `.108->hcmta02`, `.109->hcmta03` (.performancewest.net),
spam/space us. (Currently .107-.109 have `mta18-20` PTR from the trucking plus matching forward A records, verified resolving on the authoritative NS
pool; repoint to hcmtaNN.) AND HE.net secondaries (SOA serial in sync). FCrDNS confirmed both ways.
2. **SPF**: confirm `.107-.109` are authorized (they already are in the 20-IP
block, but verify after PTR change). DKIM/DMARC are domain-level, unchanged. **How (for future reference):** HestiaCP box `cp.carrierone.com` =
`207.174.124.22`, **SSH port 22022** (not 22). `admin@` is sftp-only, but
**`root@.22:22022` accepts our default `~/.ssh/id_ed25519`** → full shell +
Hestia CLI. Forward zone `performancewest.net` and reverse zone
`124.174.207.in-addr.arpa` are both owned by Hestia user **`justin`**; HE.net
auto-zone-transfers (secondaries). Commands used:
```
export PATH=$PATH:/usr/local/hestia/bin
# forward A: USER DOMAIN RECORD TYPE VALUE
v-add-dns-record justin performancewest.net hcmta01 A 207.174.124.107
# reverse PTR: USER REVZONE OCTET PTR FQDN. "" "" <restart yes/no>
v-add-dns-record justin 124.174.207.in-addr.arpa 107 PTR hcmta01.performancewest.net. "" "" yes
v-delete-dns-record justin 124.174.207.in-addr.arpa <ID> no # remove stale
v-rebuild-dns-domain justin 124.174.207.in-addr.arpa # bump serial
```
(Also removed pre-existing duplicate `mta18-20` PTRs in the reverse zone.)
NOTE: the workers' `hestia_provisioner.py` path (admin@:22 + mounted key)
remains unfinished/unused — the working path is root@:22022 with our key.
2. **SPF/DKIM/DMARC** — ✅ **VERIFIED 2026-06-06.** SPF already authorizes
`.107/.108/.109` explicitly and ends `-all` (only 2 DNS-lookup mechanisms,
`a mx` — safe under the 10 limit). DKIM selector `mail` published (2048-bit).
DMARC `p=quarantine; pct=100; rua=dmarc@`. All domain-level, no change needed.
3. **Install on prod**: create `listmonk_hc` DB + `--install`, configure its 3 3. **Install on prod**: create `listmonk_hc` DB + `--install`, configure its 3
SMTP servers (commands in deploy.sh header), run `hc_stream_setup.sh` on the SMTP servers (commands in deploy.sh header), run `hc_stream_setup.sh` on the
prod MTA, install `pw-hc-rampcap` cron. prod MTA, install `pw-hc-rampcap` cron.