How should my end-users connect to my e-mail services?

Discussion in 'Tips/Tricks/Mods' started by Th0m, Feb 20, 2022.

Thread Status:
Not open for further replies.
  1. Th0m (ISPConfig Developer, Staff Member)

    Note: This is my personal advice/preference.

    Many admins let their users connect to mail.client-example.com or even client-example.com (when website and e-mail are on the same server). In my opinion this is bad practice and I often tell users on this forum to use a different approach, so I decided to write this post to give you some insight into the bad/good practice (in my opinion).

    In the below text example.com is the name of your (company) domain, and client-example.com is a client domain.

    It is bad practice to use mail.client-example.com/client-example.com because:
    • These DNS records will have to be updated when moving your e-mail services to a new IP, which can be quite a hassle, especially when the DNS zones for (some of) your domains are hosted with someone else.
    • Having a valid SSL certificate set up for these hostnames on your e-mail server is complicated and takes extra time to maintain.
    • When there is no valid SSL certificate, the connection to your e-mail server is less secure.
    • Plus the reasons listed below:

    It is bad practice to use mail.example.com because:
    • If you want to separate your SMTP and IMAP/POP3 server later on, the only way to keep mail.example.com working is setting up a load balancer that sends traffic on the SMTP ports to the SMTP server, and traffic on the IMAP/POP3 ports to the IMAP/POP3 server. Using smtp.example.com and imap.example.com will save you from this dirty solution.
    • I think it looks more professional to have smtp.example.com and imap.example.com instead of mail.example.com :)

    So what would the "perfect" setup look like?
    • The hostname of the mailserver can be anything. I prefer to use mx1.example.com, mx2.example.com, etc. Make sure you set the same hostname in your rDNS (PTR) record for the IP(s) you use for sending out e-mail.
    • Your mail services are best off being on a separate server (or at least a separate IP) from your webserver, so clients can't reach the e-mail server on client-example.com, as some e-mail clients will automatically try to use this.
    • The hostname(s) to reach the mailserver should be smtp.example.com and imap.example.com. (pop3.example.com is optional if you want to clearly support pop3).
    • A valid certificate for the used hostnames can be set up following this guide (given you are using ISPConfig): https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
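
Added example, not part of Th0m's post and not ISPConfig code: a small audit of the two checks the post relies on, namely that the certificate covers every hostname clients connect to and that the PTR record of each sending IP equals the mail server hostname. The certificate names, the 192.0.2.10 address and all function names are constructed for illustration; `live_tls_ok` is an optional helper that needs network access and only handles implicit-TLS ports.

```python
import socket
import ssl

def cert_covers(hostname, sans):
    """True if a certificate SAN matches hostname (exact, or '*.' on the left-most label)."""
    host = hostname.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    for san in (s.lower().rstrip(".") for s in sans):
        if san == host or (san.startswith("*.") and san[2:] == parent):
            return True
    return False

def audit(client_hostnames, cert_sans, server_hostname, ptr_by_ip):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    for name in client_hostnames:
        if not cert_covers(name, cert_sans):
            findings.append(f"certificate does not cover {name}")
    for ip, ptr in ptr_by_ip.items():
        if ptr.lower().rstrip(".") != server_hostname.lower():
            findings.append(f"PTR for {ip} is {ptr}, expected {server_hostname}")
    return findings

def live_tls_ok(host, port=993, timeout=5):
    """Needs network: True if an implicit-TLS port (993, 465) serves a certificate valid for host."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, as a mail client would
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

# Constructed sample data (documentation names and addresses, not real servers).
CERT_SANS = ["mx1.example.com", "smtp.example.com", "imap.example.com"]
PTR_BY_IP = {"192.0.2.10": "mx1.example.com."}

if __name__ == "__main__":
    shared = audit(["smtp.example.com", "imap.example.com"],
                   CERT_SANS, "mx1.example.com", PTR_BY_IP)
    per_client = audit(["mail.client-example.com", "client-example.com"],
                       CERT_SANS, "mx1.example.com", PTR_BY_IP)
    print("shared hostnames:", shared or "ok")
    print("per-client hostnames:", per_client)
```

With the shared smtp/imap hostnames the audit returns no findings; every per-client hostname produces a certificate finding until that name is added to the certificate.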
     