DNS & SSL Configuration

Required DNS Records

For each managed domain, the following DNS records must be present for full mail functionality.

MX Record

@   MX  10  mail.solutechhub.com.

SPF Record

@   TXT  "v=spf1 mx a:mail.solutechhub.com ~all"

DKIM Record

The DKIM selector is "mail" for all domains. The public key is stored in MariaDB and in the Rspamd DKIM directory.

mail._domainkey   TXT   "v=DKIM1; k=rsa; p=<public-key>"

Retrieve a domain's DKIM public key via the API:

GET /api/v1/domains/{domain}/dkim

DMARC Record

_dmarc   TXT   "v=DMARC1; p=quarantine; rua=mailto:postmaster@yourdomain.com"

PTR (Reverse DNS)

The server IP 161.97.157.206 must have a PTR record pointing to mail.solutechhub.com. This is configured at the hosting provider (Contabo) control panel.

Note: The PTR record previously pointed to mail.resourcegsr.com and should be updated to mail.solutechhub.com.


Verifying DNS via API

The API can verify all DNS records for a domain automatically:

GET /api/v1/domains/{domain}/verify

This checks MX, SPF, DKIM, DMARC, and PTR records and returns a per-record pass/fail result.

The verifier accepts both mail.solutechhub.com and mail.resourcegsr.com as valid MX/PTR targets.
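
The per-record pass/fail checks described above can be reproduced offline against record strings you have already looked up. The following is an added example, not the project's verifier or its API code: the function names, the constructed SAMPLE records and the pass/fail policy (only ~all or -all passes SPF, an empty DKIM p= fails, DMARC p=none fails) are assumptions made for illustration.

```python
# Added example, not the project's verifier; names and policy are assumptions.
ACCEPTED_HOSTS = {"mail.solutechhub.com", "mail.resourcegsr.com"}  # per the page

def _host(name):
    return name.strip().rstrip(".").lower()

def _tags(txt):
    # Long TXT values (DKIM keys) arrive as several quoted chunks: join them.
    joined = txt.strip().replace('" "', "").strip('"')
    pairs = (p.split("=", 1) for p in joined.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_mx(rdata):  # e.g. "10 mail.solutechhub.com."
    parts = rdata.split()
    return len(parts) == 2 and parts[0].isdigit() and _host(parts[1]) in ACCEPTED_HOSTS

def check_spf(txt):
    terms = txt.strip().strip('"').lower().split()
    if not terms or terms[0] != "v=spf1":
        return False
    ok_sender = "mx" in terms or any(
        t.startswith("a:") and _host(t[2:]) in ACCEPTED_HOSTS for t in terms)
    # "+all", bare "all" or no "all" term does not restrict senders: fail.
    return ok_sender and terms[-1] in ("~all", "-all")

def check_dkim(txt):
    t = _tags(txt)
    # An empty p= marks a revoked key (RFC 6376), so it must fail.
    return t.get("v") == "DKIM1" and t.get("k", "rsa") == "rsa" and bool(t.get("p"))

def check_dmarc(txt):
    t = _tags(txt)
    # Assumption: p=none (monitoring only) is reported as a fail.
    return t.get("v") == "DMARC1" and t.get("p") in ("quarantine", "reject")

CHECKS = {"mx": check_mx, "spf": check_spf, "dkim": check_dkim, "dmarc": check_dmarc,
          "ptr": lambda rdata: _host(rdata) in ACCEPTED_HOSTS}

def verify(records):
    """Return {record_type: bool}; a missing record counts as a fail."""
    return {n: n in records and bool(fn(records[n])) for n, fn in CHECKS.items()}

# Constructed sample input (the DKIM key is a placeholder, not a real key).
SAMPLE = {"mx": "10 mail.solutechhub.com.",
          "spf": '"v=spf1 mx a:mail.solutechhub.com ~all"',
          "dkim": '"v=DKIM1; k=rsa; p=PLACEHOLDERKEY" "CHUNK2=="',
          "dmarc": '"v=DMARC1; p=quarantine; rua=mailto:postmaster@yourdomain.com"',
          "ptr": "mail.resourcegsr.com."}
print(verify(SAMPLE))
```
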


SSL Certificates

Certificates are issued by Let's Encrypt via Certbot.

Issue a new certificate

# Using HTTP challenge (Nginx must be running)
certbot --nginx -d docs.solutechhub.com

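# Using Cloudflare DNS challenge (for wildcard certificates, or before Nginx is set up)
# The credentials file holds Cloudflare API credentials; keep it readable by root only (mode 600)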
certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
  -d docs.solutechhub.com

Check certificate status

certbot certificates

Auto-renewal

Certbot installs a systemd timer that renews certificates automatically:

systemctl status certbot.timer

Mail certificate (covers both hostnames)

The mail-combined certificate covers both mail hostnames and is used by Postfix and Dovecot:

/etc/letsencrypt/live/mail-combined/fullchain.pem
/etc/letsencrypt/live/mail-combined/privkey.pem