If setting up a mail server, what is the best domain to use for the IP's PTR record?
Is it usually better to use "mail.domain.com" or just "domain.com" ?
I understand that if the PTR record is set, some mail providers will attempt to get a HELO response from the origin address? Because I'm sending mail from my own server only AND it is done via my code, I didn't think it was necessary to have port 25 open in the iptables settings. But it seems like I might need to for the mail providers to do the HELO, right? Are there any security implications to opening up port 25 even if I'm sending mail from my own server?
The PTR record should point to a host name. Do not point it to a domain name. If the name of the mail server is "mail" in the domain "example.com", then:

Most mail servers will attempt to verify that the above relationship is true.
When the mail server connects, it opens the conversation with "EHLO mail.example.com". The receiving mail server then checks the forward and reverse lookups (usually, it's not required but most do).
If you want to receive e-mail you must accept it on port 25, and that would have to be configured in your firewall (iptables) too. If you are not receiving e-mail on this server then you do not have to have port 25 open (for incoming connections). It is a perfectly acceptable configuration for a mail server to only send e-mail. Most commonly in this situation another server handles receiving e-mail for the domain, but this is not required. Your firewall will have to allow outgoing connections to the destination port 25. It's pretty common for firewalls to not filter outgoing connections (though it is common in high security environments).
Every single port you open on your firewall potentially exposes you to new threats. Never open a port unless you know that it's necessary. Even then it should only be done once reasonable measures have been made to secure the server against common attack vectors for the relevant service.
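The forward/reverse check the answer describes (PTR of the connecting address, then the A record of that name, then a comparison with the EHLO name) can be emulated in a few lines. The following is an added example, not code from the answer's author; the DNS data is a constructed in-memory table standing in for real lookups, with 192.0.2.10 assumed to be the host "mail.example.com" and 192.0.2.20 assumed to have a PTR that points at the bare domain, the misconfiguration the answer warns against.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (assumption: the example
# domain's mail host is mail.example.com on 192.0.2.10). Names are fully
# qualified with a trailing dot, as a resolver returns them.
DNS_TABLE = {
    ("mail.example.com.", "A"): ["192.0.2.10"],
    ("example.com.", "A"): ["192.0.2.80"],                   # the web host, not the mailer
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("20.2.0.192.in-addr.arpa.", "PTR"): ["example.com."],   # PTR aimed at the bare domain
    # 192.0.2.30 has no PTR record at all
}


def lookup(name, rtype):
    """Stand-in resolver: returns the record data list, or [] when nothing exists.
    With dnspython this would be a dns.resolver.resolve(name, rtype) call."""
    return DNS_TABLE.get((name.lower(), rtype), [])


def fqdn(name):
    """Normalise a host name to lower case with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def fcrdns(client_ip, ehlo_name):
    """Emulate what a receiving MTA checks on a connection from client_ip that
    announced itself with "EHLO ehlo_name".

    Returns one of:
      "pass"             PTR -> name, name -> client_ip, and the EHLO name matches
      "no-ptr"           the address has no PTR record
      "forward-mismatch" PTR names exist but none resolves back to client_ip
      "ehlo-mismatch"    reverse DNS is consistent but EHLO used another name
    """
    addr = ipaddress.ip_address(client_ip)
    rtype = "AAAA" if addr.version == 6 else "A"      # works for ip6.arpa too
    ptr_names = [fqdn(n) for n in lookup(addr.reverse_pointer + ".", "PTR")]
    if not ptr_names:
        return "no-ptr"
    # Forward confirmation: the PTR name must resolve back to the connecting address.
    confirmed = [n for n in ptr_names
                 if any(ipaddress.ip_address(a) == addr for a in lookup(n, rtype))]
    if not confirmed:
        return "forward-mismatch"
    if fqdn(ehlo_name) not in confirmed:
        return "ehlo-mismatch"
    return "pass"


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.com"),   # correct setup
                     ("192.0.2.20", "mail.example.com"),   # PTR points at the domain
                     ("192.0.2.10", "example.com"),        # EHLO uses the wrong name
                     ("192.0.2.30", "mail.example.com")]:  # no PTR at all
        print(ip, helo, "->", fcrdns(ip, helo))
```

The second case is the one the answer warns about: a PTR that names "example.com" fails because the domain's A record belongs to some other host, so the receiving side never sees the address confirmed in the forward direction. Note that this check needs no inbound port 25 on the sending server; it is done entirely with DNS queries by the receiver.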