How to Host Multiple Mail Domains in PostfixAdmin on Ubuntu

This tutorial will be showing you how to set up multiple mail domains (virtual hosting) on Ubuntu server with PostfixAdmin, which is an open-source web-based interface to configure and manage a Postfix based email server for many domains and users.


To follow this tutorial, it’s assumed that

What You Need to Do

If you want to host multiple mail domains, then you need to

  • Add a new mail domain and user in PostfixAdmin web-based panel.
  • Create MX, A and SPF record for the new mail domain.
  • Set up DKIM signing for the new domain.
  • Create DMARC Record for the new domain.
  • Set up RoundCube Webmail, Postfix and Dovecot for multiple domains
Reverse DNS check is used to check if the sender’s IP address matches the HELO hostname. You don’t need to add another PTR record when adding a new mail domain.

Step 1: Adding Additional Domains in PostfixAdmin Panel

Log into PostfixAdmin panel with the postmaster account. ( Then go to Domain List -> New Domain to add a new domain.

postfixadmin multiple domains

Note that the new domain should have DNS A record, or PostfixAdmin would throw the following error message. You can check the DNS propagation status on

Invalid domain, and/or not discoverable in DNS

Next, add a user under the new domain.

postfixadmin add new mailbox

Step 2: Creating MX, A and SPF record for the new mail domain

In your DNS manager, add MX record for the new domain like below.

Record Type    Name      Value

MX             @

The A record points to your mail server’s IP address.

Record Type    Name     Value

A              mail     IP-address-of-mail-server

If your server uses IPv6 address, be sure to add AAAA record.

Then create SPF record to allow the MX host to send email for the new mail domain.

Record Type    Name      Value

TXT            @         v=spf1 mx ~all

Step 3: Setting up DKIM signing for the new domain

We have installed and configured OpenDKIM for a single domain in part 4 of this tutorial series. Now we need to tell OpenDKIM to sign every outgoing email for the new mail domain.

Edit the OpenDKIM signing table file.

sudo nano /etc/opendkim/signing.table

Add the second domain like below.


Edit the key table file.

sudo nano /etc/opendkim/key.table

Add the second domain like below.

Edit the trusted hosts file.

sudo nano /etc/opendkim/trusted.hosts

Add the second domain like below.

Next, we need to generate a priavte/public keypair for the second domain. Create a separate folder for the second domain.

sudo mkdir /etc/opendkim/keys/

Generate keys using opendkim-genkey tool.

sudo opendkim-genkey -b 2048 -d -D /etc/opendkim/keys/ -s default -v

The above command will create 2048 bits keys. -d (domain) specifies the domain. -D (directory) specifies the directory where the keys will be stored and we use default as the selector (-s). Once the command is executed, the private key will be written to default.private file and the public key will be written to default.txt file.

Make opendkim as the owner of the private key.

sudo chown opendkim:opendkim /etc/opendkim/keys/

Display the public key

sudo cat /etc/opendkim/keys/

The string after the p parameter is the public key.

add a new domain in opendkim

In your DNS manager, create a TXT record for the second domain. Enter default._domainkey in the Name field. Copy everything in the parentheses and paste into the value field. Delete all double-quotes. (You can paste it into a text editor first, delete all double quotes, then copy it to your DNS manager. Your DNS manager may require you to delete other invalid characters, such as carriage return.)

create dkim record

After saving your changes. Check the TXT record with this command.

dig TXT

Now you can run the following command to test if your DKIM DNS record is correct.

sudo opendkim-testkey -d -s default -vvv

If everything is OK, you will see

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key ''
opendkim-testkey: key secure
opendkim-testkey: key OK

If you see “Key not secure”, don’t panic. This is because DNSSEC isn’t enabled on your domain name. DNSSEC is a security standard for secure DNS query. Most domain names haven’t enabled DNSSEC. You can continue to follow this guide.

Restart OpenDKIM so it will start signing emails for the second domain.

sudo systemctl restart opendkim

Step 4: Creating DMARC Record For the New Domain

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following. Note that you need to create the [email protected] email address.

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

create dmarc record txt

The above DMARC record is a safe starting point. To see the full explanation of DMARC, please check the following article.

Step 5: Setting up RoundCube, Postfix and Dovecot for Multiple Domains

I assume you installed Roundcube webmail for the first mail domain.

It makes sense to let users of the first domain use and users of the second domain use when accessing RoundCube webmail. I will show you how to do it with Apache and Nginx.


If Roundcube is served by Apache web server, then create a virtual host for the second domain.

sudo nano /etc/apache2/sites-available/

Put the following text into the file.

<VirtualHost *:80>
  DocumentRoot /var/www/roundcube/

  ErrorLog ${APACHE_LOG_DIR}/mail.domain2.com_error.log
  CustomLog ${APACHE_LOG_DIR}/mail.domain2.com_access.log combined

  <Directory />
    Options FollowSymLinks
    AllowOverride All

  <Directory /var/www/roundcube/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all


Save and close the file. Then enable this virtual host with:

sudo a2ensite

Reload Apache for the changes to take effect.

sudo systemctl reload apache2


If Roundcube is served by Nginx web server, then create a virtual host for the second domain.

sudo nano /etc/nginx/conf.d/

Put the following text into the file.

server {
  listen 80;
  root /var/www/roundcube/;
  index index.php index.html index.htm;

  error_log /var/log/nginx/;
  access_log /var/log/nginx/;

  location / {
    try_files $uri $uri/ /index.php;

  location ~ \.php$ {
   try_files $uri =404;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;

  location ~ /.well-known/acme-challenge {
    allow all;
    deny all;
  location ~ ^/(bin|SQL)/ {
    deny all;
 # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
       access_log        off;
       log_not_found     off;
       expires           360d;

Note: If you use Ubuntu 20.04, you should replace php7.2-fpm with php7.4-fpm in the above code.

Save and close the file. Then test Nginx configurations.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Obtaining TLS Certificate

Now use Certbot to obtain TLS certificate for all your mail domains, so you will have a single TLS certificate with multiple domain names on it and mail clients won’t throw security warnings.


sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp -d, --cert-name --email [email protected]


sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp -d, --cert-name --email [email protected]

Notice that in the above command, we specified the cert name using the first mail domain, which will be used in the file path, so you don’t have to change the file path in Postfix or Dovecot configuration file.

When it asks if you want to update the existing certificate to include the new domain, answer U and hit Enter.

certbot multi-domain iredmail

Now you should see the following message, which indicates the multi-domain certificate is successfully obtained.

iredmail nginx multiple domain

Run the following command to grant permission to read Let’s Encrypt TLS certificates.

sudo setfacl -R -m u:www-data:rx /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Reload Apache or Nginx to pick up the new certificate.

sudo systemctl reload apache2
sudo systemctl reload nginx

You should now be able to use different domains to access RoundCube webmail. Also you need to reload Postfix SMTP server and Dovecot IMAP server in order to let them pick up the new certificate. That’s all you need to do for Postfix and Dovecot to serve multiple domains.

sudo systemctl reload postfix dovecot

Using Mail Client on Your Computer or Mobile Device

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account of the second domain.

  • In the incoming server section, select IMAP protocol, enter as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.


Hint: You can also use port 993 with SSL/TLS encryption for IMAP, and use port 465 with SSL/TLS encryption for SMTP. You should not use port 25 as the SMTP port to submit outgoing emails.

Although Postfix SMTP server and Dovecot IMAP server are using the hostname of the first mail domain ( when communicating with others, they are now using a multi-domain certificate, so the mail client won’t display certificate warnings.

SPF and DKIM Check

Now you can use your desktop email client or webmail client to send a test email to [email protected] and get a free email authentication report. Here’s the report I got from

postfix spf dkim ubuntu

Don’t forget to test your email score at and also test email placement with GlockApps.

If DKIM check fails, you can go to to see if there are any errors with your DKIM record.

dmarc analyzer dkim record checker

What if Your Emails Are Still Being Marked as Spam?

I have more tips for you in this article: 7 effective Tips to stop your emails being marked as spam. Although it requires some time and effort, your emails will eventually be placed in the inbox after applying these tips.

rDNS for Multiple Mail Domains?

Reverse DNS (rDNS), aka PTR record, is used to check if the sender’s IP address matches the HELO hostname. You don’t need to add another PTR record when adding a new mail domain. Your rDNS should be set to just one hostname, i.e. the hostname set in Postfix, which can be shown with the following command.

postconf myhostname

rDNS is a record for IP addresses. It’s not a record for domain name. If you have just one IP address, then you need just one rDNS record pointing to one hostname. Reverse DNS check doesn’t verify what From: domain is in your email, as long as your IP address has an rDNS record and the hostname can resolve back to the same IP address, you can pass reverse DNS check.

Also, you don’t need to change the following settings in Postfix when hosting multiple domains on one server.

  • myhostname
  • myorigin
  • mydestination

Hosted email services like G Suite and Microsoft Exchange Online all use one hostname for a server to send an email for their customers. Emails sent from G Suite users all use in the hostname and emails sent from Microsoft Exchange Online users all use in the hostname. This is also true for other email service providers like Mailchimp, SendinBlue, SendPluse, etc. They all use one hostname for a single server and one IP address has just one rDNS record.

Unable to Receive Email From Gmail, Hotmail, Yahoo Mail, etc

If you can’t receive emails from Gmail, Hotmail, Yahoo Mail, etc, here are the possible causes:

  1. Your MX record is wrong, or not propagated to the Internet yet.
  2. Your mail server hostname doesn’t have DNS A record, or is not propagated to the Internet yet.
  3. Your firewall doesn’t allow incoming connections to port 25. Maybe your mail server is behind a NAT?
  4. Postfix isn’t listening on the public IP address.
  5. Check the mail log (/var/log/mail.log) to find out if there are other errors in your Postfix and Dovecot configuration.

You can use the Network Tools Email Checker to test if your SMTP server is reachable from the Internet. Just enter your domain email address and click the Go button. As you can see from the screenshot below, it successfully found my domain’s MX record and my SMTP server is reachable from the Internet.

email checker

If your SMTP servers isn’t reachable from the Internet, then you have a problem in the first 4 items. If your SMTP server is reachable from the Internet, but you still can’t receive emails, check the mail log (/var/log/mail.log) to find out if there is any errors in your Postfix and Dovecot configuration.

Multiple TLS Certificates

If you manage email servers for lots of clients, you might not want to bundle all TLS certificates into one file, as it tells the information of your clients. Instead of using the following command to obtain a multi-domain certificate,

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp -d,

You can just use the following command to obtain a separate TLS certificate for the second mail domain.

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp -d

Next, you need to configure Postfix and Dovecot.

Postfix Multiple TLS Certificates

If you use Postfix version 3.4 or higher, you can use multiple TLS certificates. Edit the file.

sudo nano /etc/postfix/

Add the following line at the end of this file to enable multiple TLS certificates.

tls_server_sni_maps = hash:/etc/postfix/sni_maps

Save and close the file. Then create the sni_maps file.

sudo nano /etc/postfix/sni_maps

In this file, add each mail hostname and its certificate file.   /etc/letsencrypt/live/    /etc/letsencrypt/live/   /etc/letsencrypt/live/     /etc/letsencrypt/live/

Save and close the file. Next, build the lookup table.

sudo postmap -F /etc/postfix/sni_maps

Restart Postfix.

sudo systemctl restart postfix

You must use the -F option in postmap to base64-decode each value in the SNI map, or Postfix will throw the malformed BASE64 value error in the /var/log/mail.log file. The following command is wrong.

sudo postmap /etc/postfix/sni_maps

Dovecot Multiple TLS Certificates

If you use multiple TLS certificates in Postfix, you should also enable it in Dovecot. Edit the Dovecot 10-ssl.conf file.

sudo nano /etc/dovecot/conf.d/10-ssl.conf

You can find the following lines.

ssl_cert =</etc/letsencrypt/live/ 
ssl_key =</etc/letsencrypt/live/

Then add the following lines.

local_name {
ssl_cert =</etc/letsencrypt/live/
ssl_key =</etc/letsencrypt/live/

local_name {
ssl_cert =</etc/letsencrypt/live/
ssl_key =</etc/letsencrypt/live/

Save and close the file. Then restart Dovecot.

sudo systemctl restart dovecot

Run the following command to grant permission to read Let’s Encrypt TLS certificates.

sudo setfacl -R -m u:www-data:rx /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Cron Job

If you use SNI map in Postfix, then you should run the sudo postmap -F /etc/postfix/sni_maps command after TLS certificate is renewed. If you don’t do this, then email clients might complain your TLS certificate has expired. You can add this command to Crontab file, so it will be automated.

sudo crontab -e

Apache web server user:

@daily certbot renew --quiet; /usr/sbin/postmap -F /etc/postfix/sni_maps; systemctl reload postfix dovecot apache2

Nginx web server user:

@daily certbot renew --quiet; /usr/sbin/postmap -F /etc/postfix/sni_maps; systemctl reload postfix dovecot nginx

Wrapping Up

That’s it! I hope this tutorial helped you host multiple email domains with PostfixAdmin. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

Rate this tutorial
[Total: 12 Average: 5]

90 Responses to “How to Host Multiple Mail Domains in PostfixAdmin on Ubuntu

  • Firstly, Thanks for the whole series, I really loved it and helped me a lot.

    If you can help, In Step 5 I cannot see the steps or configuration for Postfix and Dovecot for Multiple Domains.

    It will be really helpful if you can update it.

    Thank you!

    • Xiao Guoan (Admin)
      4 years ago

      You just need to reload Postfix and Dovecot to pick up the new certificate which has multiple domains on it. That’s all you need to do for Postfix and Dovecot, when you are using virtual mailbox domains.

      • Okay. Thank you very much!

        I’ll give it a try.

        Is there any changes I have to make in Postfix related myhostname or mymailname ? As I have two different @domain so while sending the emails form which domain it will go ? I might getting confused! 🙂

    • Xiao Guoan (Admin)
      4 years ago

      myhostname is only used when Postfix identifies itself to other SMTP servers. It won’t affect your sending domain. mymailname is used for emails without the sending domain specified. That usually happens on the command line.

      If you follow my tutorials, you don’t have to change any of that.

      • Got it! Thanks.

        One last question, I have followed your TLS for postfix using Let’s Encrypt but when I send email to gmail it is showing red lock and not encrypted. I have researched a lot. Mostly, this should resolve my problem smtpd_use_tls=yes but though not working.

        Any Idea!

    • Xiao Guoan (Admin)
      4 years ago

      smtpd_use_tls=yes is for the SMTP daemon when receiving emails from other SMTP server.

      To enable TLS when sending emails to other SMTP server, add the following two lines.

      smtp_tls_security_level = may
      smtp_tls_loglevel = 1

      Then restart Postfix.

      PS: This has already been mentioned in part 2 of this tutorial series.

  • This website is the best one that I’ve searched for long time. Help me so much. Really Thanks for the author to share suche detailed knowledge on internet.

  • Hey. First of all, you made a great tutorial for setting up a mail server and it all works fine as long as I have all the domains on the same server where this is set up. I’ve tried setting this part of the tutorial for a domain that is on a different server than where my postfix admin is set. Since I’m new to this and I assume that I made an error in my thinking process I have a question.

    My question is, can this work like this if domains are on different server than where postfix admin is, and if not, what would I actually need to do to make it work?

    • Xiao Guoan (Admin)
      4 years ago

      If you have PostfixAdmin on one server, and a domain name is using another mail server to send and receive emails, you can follow this tutorial to add that domain to your PostfixAdmin server, then move your existing email files to the PostfixAdmin server.

      • So I still need to do part 1 of this entire tutorial series on every server where my domains are to just setup Postfix and then I can follow up this part of the series?

        Or do I need to do everything besides setting up new PostfixAdmin on each of the servers?

    • Xiao Guoan (Admin)
      4 years ago

      Suppose you have server A, on which you have installed Postfix, Dovecot, PostfixAdmin and OpenDKIM by following part 1 to part 4, so your server A has one mail domain.

      If you need to host a second domain name on server A, then follow this tutorial. You don’t need to do any thing on other servers.

      • That part I know and I’m sorry if I haven’t been very clear up to now, but what you’re explaining to me here revolves only around 1 server and domains on that server, so I’ll try to be as specific as I can be.

        I have Postfix, Dovecot, PostfixAdmin and OpenDKIM all set up on server A which has my main domain and that works great.

        But I also have servers B and C in different areas of the world and I would like, for the domains that are on them ( servers B and C ), to use server A for sending and receiving mail.

        I have tried setting up this part of the tutorial on server A ( considering all the linux part) and server B ( all the MX, TXT, A and AAAA records ), hoping that it’ll be simple as that, but it didn’t work. So that’s where I’m stuck at this point.

    • Xiao Guoan (Admin)
      4 years ago

      If you want server B and C to use server A for sending and receiving mail, that’s not hosting multiple domains on one mail server. And it will require some advanced skills. Basically, you need to set up SMTP and IMAP proxy like in this article:, although it’s not 100% in line with your situation.

      • Ah, I see. Well, I did mention that I’m new to this 🙂

        But ok, thanks for the information and the link. I’ve checked it out and I think I understand the process and in worst case scenario, at least I know what to look for and how to explain my problem and that makes a world of difference 🙂

  • Can I add 2 more domains using this guide ?

  • Marshall
    3 years ago

    I am getting the following message from PostfixAdmin: Invalid domain, and/or not discoverable in DNS. I don’t understand what I am doing wrong. I have this domain hosted on a VPS from ScalaHosting using Nginx. With just a few snags I was able to get the up and running from your tutorials (actually using the email address I configured using your tutorials), but now that I am trying to get a second domain in the system, the control panel is preventing me. I have configured the following:

    Type	Name	Value
    A	mail	
    MX	0
    A	www	

    I have the actual ip4 and ip6 address in the system without the . You can navigate to the under construction web page by going to address. Any idea what I might be missing?

    • Marshall
      3 years ago

      I wasn’t thinking about the information inside of angle braces being removed. The values for the DNS records are the appropriate ip4 and ip6 addresses. These ip addresses are the same as the ip addresses because they are on the same server.

    • Xiao Guoan (Admin)
      3 years ago

      I’m also confused. I can visit in my web browser. However, If I use dig to find the A or AAAA record, it seems there’s no such record for your domain.

      dig A +short

      Doing a DNS propagation check on also indicates there’s no A or AAAA record for this domain.

    • Xiao Guoan (Admin)
      3 years ago

      I can find the A record for and

      The A record and MX record for can’t be found.

      • Marshall
        3 years ago

        Thank you. I will check that out again and see if I can add some records that might make a difference. I appreciate you looking into this for me. Your tutorials have been a great help to me.

        • Marshall
          3 years ago

          The problem was fixed by a support agent re-entering the DNS records. Thanks again for looking into the problem for me.

  • Hello Xiao
    when using multiple domain we have to have the second domain hosted on the same company? I mean can be on, let’s say’ DigitalOcean and on Vultr?

    Thank You!

    • Xiao Guoan (Admin)
      3 years ago

      Your mail server ( and your main website ( can run on different boxes. As a matter of fact, I don’t recommend running mail server and the main website on the same box, because if the main website is behind a CDN (content delivery network), the mail server will leak the website’s real IP address, and the mail server will slow down your website’s page loading speed.

  • Zeeshan Mustafa
    3 years ago

    one issue

    1- modoboa always uses first domain hostname

  • Zeeshan Mustafa
    3 years ago

    i have already follow this but issue is that is using hostname

    what abouot revrse dns

    • Xiao Guoan (Admin)
      3 years ago

      There is nothing wrong with that.

      Actually, you should use only one HELO/EHLO hostname in Postfix, and the PTR record should be associated with only one hostname.

  • Zeeshan
    3 years ago

    i have done this but gmail is sending my email to spam
    if u say i can give you control or SSH

  • Hristo Karadzhov
    3 years ago

    Hello Xiao,
    Thank you for the easy to follow and well explained tutorial.
    Fantastic work! It helped me learn a lot.

    With regards to the hosting of multiple domains, is there method of hosting them on a different IPs so the rDNS-es resolve correctly on each domain.
    And also would it be necessary to point different SSL certificate at each domain, so the mail clients don’t scream every time we try to connect.

    hostname =

    Domain IP MX SSL /etc/letsencrypt/live/ … /etc/letsencrypt/live/ … /etc/letsencrypt/live/ …

    Something like that may be if exists…

    Many thanks

    • Xiao Guoan (Admin)
      3 years ago

      rDNS is designed to associate one IP address to one hostname. The receiving SMTP server doesn’t care what From: domain is in your email, as long as your IP address has an rDNS record and that hostname can resolve back to the same IP address.

      The certificate in this tutorial is a multi-domain certificate, so mail clients won’t throw security warnings.

  • Cristian
    3 years ago

    Hello Xiao,

    First of all, thank you for your valuable articles, you make our live easier.
    I have successfully configured the email server on one box.
    On a different box I have a website which needs to send reset password emails to the users. Normally I use smtp configuration on the website, I indicate a dedicated email address with password. Well, my email server does not send the emails, most probably because they’re originated from another IP address than the email server’s.
    What would you recommend to make that work?

    Thank you,

    • Cristian
      3 years ago

      Please ignore my message. I discovered it was working, yet I had not configured correctly the smtp port. Thank you anyway.

  • Frederic
    3 years ago

    Hello Xiao, I’m getting an error after trying to update the certificate

    sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp -d, --cert-name --email [email protected]


    We were unable to find a vhost with a ServerName or Address of
    Which virtual host would you like to choose?

    it displays several apache conf file, I’ve selected the #5 but it failed (see the attached screenshot)

    Enhancement Strict-Transport-Security was already set.
    Enhancement Strict-Transport-Security was already set.
    Failed redirect for
    Unable to set enhancement redirect for
    Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

    I’ve 2 domains ( and both have been configured for running Apache and I’ve followed your Apache tutorial (part 1 & 2 about TLS)…no issue
    The initial mail server is called (works fine here also) and the one I was trying to configure is named

    Any idea what I might be missing ?

    Thank you

    • Frederic
      3 years ago

      Nevermin, you can ignore my message, I just missed the part 5 where I needed to configure the vhost for the secodn mail server !

      My bad !!

      Thanks anyway for your GREAT tutorial !

  • Hi, thanks for another great tutorial. I have a question about Let’s Encrypt and server configuration. Is it possible, with this configuration with PostfixAdmin, to assign a different certificate to each domain ?

  • Hi Xiao, I have been folowing your guides, first setting up a single domain mail server and all is fine and it works, however, after this guide, I get a “An error occurred while sending mail. The mail server responded: 451 4.7.1 Service unavailable – try again later.” from thunderbird. I can recieve mail all fine but not send and I am at a loss to what to do.

    • Xiao Guoan (Admin)
      3 years ago

      Always check the mail log file (/var/log/mail.log) on the server.

      • Thanks for the replay Xiao Guoan,
        Yes indeed, so as I said, the first domain works.
        Servers name is
        [email protected] sends and receives mails via laptop client
        [email protected] receives fine but can’t send.

        # mail.log says:

        mail dovecot: imap-login: Login: user=, method=PLAIN, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, mpid=xxxxx, TLS, session=
        mail dovecot: imap([email protected]): Logged out in=36 out=521 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
        mail postfix/smtpd[xxxxx]: connect from[xx.xx.xx.xx]
        mail postfix/smtpd[xxxxx]: Anonymous TLS connection established from[xx.xx.xx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        mail postfix/smtpd[xxxxx]: NOQUEUE: reject: RCPT from[xx.xx.xx.xx]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo=
        mail postfix/smtpd[xxxxx]: disconnect from[xx.xx.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

        I have been googling the NOQUEUE: reject & Relay access denied errors and I find a log of tips that what I can see is already in your great guides.

      • Hi Xiao Guoan,

        So I found a spelling error in my OpenDKIM signing table, for some reason this caused to get that NOQUEUE: reject error.
        So for the sake of experiments, I tried to send a mail from using as smtp server and then I got a different error in mail.log saying that “defauld._domankey” did not exist, that’s when it hit me and I went looking and found my spelling error and now it all works.
        Weird that I did not get any error message about this in the first case, just a reject.
        If anyone else gets this error, here is a solution.

    • Xiao Guoan (Admin)
      3 years ago

      Apart from the spelling error, it seems you are using port 25 as the SMTP port in Thunderbird. The best practice is to use port 587 or 465.

  • Matoskah
    3 years ago

    Hi Xiao et thanks for your great tutorial.

    I followed all of your 4 parts and today I have a great mail server.
    I block on the other hand on a part. For the moment, I want the server to send my messages outside the domain it owns to reach the DNS zone of the domain name.

    Basically I don’t want it to check and go through the local transport for a particular domain, no matter how much I modify the “myhostname = ”
    it doesn’t change anything, it always tries to check the database to see if the user exists, how can I do this?

    Example, I have the name I send an email to [email protected], it will tell me that the user does not exist in the virtual_mail table, I want the server to send its mail to mail., basically, this server is only used to send mails not to receive them.

    RCPT : Recipient address rejected: User unknown in virtual mailbox table

    And with, i have another problem :

    SSL_connect error to[]:25: -1
    sendmail postfix/smtp[94379]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:

    Because they seem to be using tls 1.0…

    How can I go about it please

    Thank you in advance !

    • Matoskah
      3 years ago

      While waiting for a more professional answer, I modified the SQL request so that:
      query = SELECT domain FROM domain WHERE domain = ‘% s’ AND active = ‘1’ AND domain NOT LIKE ‘’;

      now the mails go out out but I have an error from my main mail server:
      said: 450 4.1.8 : Sender address rejected: Domain not found (in reply to RCPT TO command)

      • Matoskah
        3 years ago


        I had to lower the security to TLS v1 for
        However, I still need help on one last topic:

         pam_authenticate() failed: Authentication failure (Password mismatch?)

        Any idea ? 🙂

    • Xiao Guoan (Admin)
      3 years ago

      You sent an email from to [email protected], i.e, to your own domain. Since you have installed PostfixAdmin and enabled virtual mailbox, Postfix will surely check the database to see if [email protected] exists on your mail server.

  • George P
    3 years ago

    Hi Xiao,

    Great article.
    I have a bit of an issue and not sure if you answered this in another reply, if so please point me to it.

    I have two domains. and everything is working, both can receive and send email, at this stage just using the one to login.

    In the second domains emails, when I view the source from that domain there is this error:

    Received: from ( [27.xx.xx.xx])
            by with ESMTPS id y12si7290570pfm.287.2020.
            (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
            Sat, 21 Nov 2020 22:13:16 -0800 (PST)
     Received-SPF: pass ( domain of [email protected] designates 27.xx.xx.xx as permitted sender) client-ip=27.xx.xx.xx;
           dkim=temperror (no key for signature) [email protected] header.s=dkim header.b=Cbi9sl4b;
           spf=pass ( domain of [email protected] designates 27.xx.xx.xx as permitted sender) [email protected];
           dmarc=pass (p=NONE sp=NONE dis=NONE)
    Received: from  (ip6-localhost []) by (Postfix) with ESMTP id 4Cf0MW3qNszKnR1 for ; Sun, 22 Nov 2020 17:13:11 +1100 (AEDT)
    Authentication-Results:; dkim=fail reason="key not found in DNS" [email protected] header.a=rsa-sha256 header.s=dkim header.b=Cbi9sl4b; dkim-atps=neutral

    postfix sections

    Most Useful General options
    What domain to use in outbound mail:	Use hostname    Use domainname  
    # hostname
    myhostname =
    myorigin =
    mydomain =
    # Accepted local emails
    mydestination = $myhostname, localhost, localhost.localdomain,,  localhost.$mydomain, $mydomain,

    The issue is that all email from seem to be coming from (which is the primary domain) and configured in postfix.

    how can this be resolve so the “” is replaced with or

    This seem to be causing the dkim to fail

    • Xiao Guoan (Admin)
      3 years ago

      DKIM check has nothing to do with the Postfix hostname. The error displayed in the Gmail headers is self-explanatory: “key not found in DNS”. Gmail can’t find the DKIM record for the second domain. Perhaps the DKIM record isn’t propagated to the Internet yet. You can go to to check if there are any errors with your DKIM record.

  • George P
    3 years ago

    Hi Xiao,

    Thanks for the quick response.

    I thought it did have something to do with it because the “Received: from”, this is seems to be coming from host and not the “” domains. I will try again a little later.

    So is there a way to fix the “Received: from” part of the header?

    • Xiao Guoan (Admin)
      3 years ago

      If the Postfix hostname can cause DKIM failure, who will use a hosted email service from G Suite or Microsoft Exchange Online to send emails?

      Emails sent from G Suite users all use in the hostname and emails sent from Microsoft Exchange Online users all use in the hostname.

      If the hostname can cause DKIM failure, who will use their services?

      The best way to use the same hostname for the same From: domain is to run a dedicate email server just for one domain, when you need a second domain, spin up another email server.

  • George P
    3 years ago

    Hi Xiao,

    Thanks, that make sense, just not thinking straight at the moments.

    But I might have narrowed down the issue, and it ha to do with the opendkim.

    It seem that when I add the second domain to the signing.table file I cannot send email from the second domain.


    Error I et for the second domain is : “cannot send message: (smtp) failure when sending data”

    I have tested with both domains and followed the same instructions

    • Xiao Guoan (Admin)
      3 years ago

      You use default as the DKIM selector in OpenDKIM, but Gmail headers indicate you used dkim as the selector.

      Authentication-Results:; dkim=fail reason="key not found in DNS" [email protected] header.a=rsa-sha256 header.s=dkim header.b=Cbi9sl4b; dkim-atps=neutral
  • George P
    3 years ago

    Hi Xiao,

    Thanks for the reply.

    I have found that as well but just does not make sense.
    My mail server is based on the iredmail, hence using opendkim with amavis.

    Something strange is going on, rebooted system and now things seem to be passing.
    This could alos be the result of a DNS propagation delays.

    Thanks again for your help.

    FYI, keys in DNS server are ( both domains the same format ) are like this.
    v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtal4WvZDjdrN3ahdJ2S4AKXu6pzNusGek5rBjaAwmVqYXhp34YAprSzrpRFIbWAxUx8e6PZuJSizAdFBSfGqWD3+jQZ/t5T5zyMg+gyg5b1Kxlny2hqRdGsfd3BvJAeE4xVPySs1MRDIRQ3RCJzsbE/MCc5yj/Tu0ulo0b6Ut2kB19+asA/hZe9Y0naRnooc2lltqlSrGlyFz0N1kgvuQjiMzINYQZUvml4YlfNDVNsJAjZIfXax0gRUcFnByvTJBktGUFiEG06H7mDfljHsban/7JyWB5qA8ubwyS1w10sZQvcOjMKfaaCGUzEUcGHFIkFMtcGZ4PKHekpoRkbFrQIDAQXX

    v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRn0BDuragKhZBxBd7CNqC5gc3bOBBrktcEALvKmE1SlSQhko3M/g3hQTnr3g/5Y6pdiZGZkeSLBg3jHmGG7UeqG4+wR2PMGj86EWvdmmzOzoEc1tl0XpwMREajLkXUkbmiyS7GchqEpLzHZWzqGBlVpKUyw1KDtAl8zK23jCajKs5aibIBeMfiKtl4xy6q5KDuCBoHOnXLNqw/T26cGZcNfCqUiNGlLVNnTPh8OgcrgvXGkfECNPHDfayy917OMjuCqGxmB1sVWjvL9ARqh+6La1WXhF3KabGCyHYVUyOqgzAJ72CEoEU/FrpfA3j6CwcPHG/vp6M8kXO5ixTNwawIDAQXX
  • Thank you Xiao for this phenomenal tutorial series. I’m curious – is Roundcube mandatory for a mail server with multiple domains? I intend to use POP3 to route my email through Gmail, which I’ve done successfully for the first domain. Initially I tried skipping the Roundcube step, and I was able to connect Gmail POP3 to the server for my 2nd and 3rd domains, but I’ve yet to successfully deliver an email. For one of my test emails (but not for others) I received this error:

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    For further assistance, please send mail to postmaster.
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
                       The mail system
    : User unknown in virtual alias table

    I also tried installing Roundcube, but I got the following error when running composer install –no-dev:

    Your requirements could not be resolved to an installable set of packages.
      Problem 1
        - pear/net_ldap2 v2.2.0 requires ext-ldap * -> the requested PHP extension ldap is missing from your system.

    The download page for pear/net_ldap2 says it’s not maintained, so not sure whether I should download it. Like I said, though, ideally I wouldn’t need Roundcube at all. Thank you for any help you can offer.

    • Xiao Guoan (Admin)
      3 years ago

      I don’t think the “User unknown in virtual alias table” error is related to Roundcube. Maybe you should create the alias in PostfixAdmin?

      The Roundcube installation error message tells you to install the PHP-LDAP extension.

      sudo apt install php-net-ldap2 php-net-ldap3
      • Thank you for your prompt reply. Regarding the virtual alias table error, I have a mailbox created for the user under the appropriate domain in the Postfixadmin web portal. Given that I have yet to see that error again, I don’t believe it’s the root of my issue. Also, I tried installing PHP-LDAP and rerunning composer install –no-dev, but I got new errors. Since I don’t need Roundcube, I’m hoping there’s another solution.

        Another wrinkle to mention is that I’m using Mailjet as SMTP relay and have verified all three domains and added senders.

        I’ve now reverted my /etc/nginx/conf.d/ file to the version you specified in Part 2: Install Dovecot & Enable TLS Encryption, and I’ve duplicated the conf for domain2 and domain3. I’ve also created /var/www/ directories for both domains, set www-data as the owner of both, and obtained a TLS cert for all 3.

        Should this approach work?

  • Sheik manayil
    3 years ago

    Thanks for this – amazing
    I set up virtual mail server with multiple domains. now the issue is how to handle spam for Gmail. when we send to Gmail most of them detected spam. Would you advise what is the solution for that

  • For anyone who has gotten the mail server working for a first domain but not others, I was able to get multiple domains working by changing the MX record of all domains to point to I now have mail sending to and from three domains, though having some issue with the fourth.

    • Curious if this change to MX record will cause any issues for Spam filters?

    • Cancel my “solution” above – not sure why it worked temporarily but it was not my core issue. I had set virtual_alias_domains = in my file – this was incorrect. I had added it at some point while searching for a solution. When I commented this out, all domains began working. I changed MX records back to and respectively, and everything is still good.

      In short, ignore my novice suggestion to divert from Xaio’s instructions. Good luck!

  • This is a great tutorial. Thank you for taking the time to write this.
    I sent you a small donation as your articles are some of the best I’ve seen.

    When I set a client, I get a certificate error using –staple-ocsp option. It basically tells me that owns the cert.

    Error Messages from let’s encrypt below. Any suggestions?

    You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
    (ref: /etc/letsencrypt/renewal/
    Failed staple-ocsp for
    Unable to set enhancement staple-ocsp for
    • Xiao Guoan (Admin)
      3 years ago

      This article explains how to obtain multi-domain certificate, i.e, a TLS certificate with multiple domain names on it. The certificate is saved using the first mail domain (/etc/letsencrypt/live/ In Postfix and Dovecot configurations, you need to use the file name (/etc/letsencrypt/live/ and /etc/letsencrypt/live/ You don’t need to use a separate file to hold TLS certificates for additional domains.

      You can check which file holds your TLS certificate with the following command.

      sudo certbot certificates

      If there are two files hold the same certificates, you can revoke one of them like so

      sudo certbot revoke --cert-name
  • T. J. Brumfield
    3 years ago

    When I followed your guide for a single domain, that worked. I tried adding other domains, and I can forward email to aliases for each of the domains, but I can’t create a mailbox on a new domain and test it, or try to send outgoing mail from the additional domain.

    If I try to connect in Thunderbird to a mailbox for the additional domain, it thinks the certificate is for the first domain and not the additional one. Thunderbird tells me the cert for is actually the cert for The weird thing is that isn’t my first domain I started with, but Thunderbird only pulls the cert for that, no matter what domain I try to connect to.

    I do a basic test from the command line with sendmail, trying to send from other domains and tells me the DKIM signature it pulls back is always from

    But I check with dig and all the DNS records look good, and opendkim-testkey shows all my domains should be working with DKIM correctly.

    Is there something I can do with MX priority levels?

    When you’re hosting multiple domains, web servers use SNI to figure out how to handle multiple domains on a web server.

    • T. J. Brumfield
      3 years ago

      When hosting multiple domains on one server, what should your postfix settings be for:


      • Xiao Guoan (Admin)
        3 years ago

        You don’t need to change any of these in Postfix.

    • Xiao Guoan (Admin)
      3 years ago

      This tutorial showed you how to obtain a multiple domain certificate, which means a single certificate has multiple domain names on it like and on one certificate. If Thunderbird doesn’t throw a security warning, then your setup is fine.

    • Xiao Guoan (Admin)
      3 years ago

      When using sendmail, you should use the -f option to specify the sender’s email address.

      echo "test email" | sendmail -f [email protected] [email protected]

      You can’t add a new email address for the second domain in PostfixAdmin? That’s really odd. Is there any error message displayed in PostfixAdmin?

  • T. J. Brumfield
    3 years ago

    Okay, I had two issues but I’m down to one.

    I had a stupid mistake with /etc/opendkim/key.table

    I copy/pasted lines from the first domain and then went to change them for the additional domains. But I only changed one part, so I had:

    However, I still have the second issue. I can’t connect from a mail client. I think I may know somewhat why. So in your guide, you say to use ARGON2I for the password encryption method. When I first followed your tutorials when I had only one domain I did that way back when and it worked. However, eventually postfixadmin broke for me, and Googling the errors it seemed the real problem was with an update to dovecot where it needs to be able to read your Let’s Encrypt certs. I tried a bunch of supposed fixes for that, and none of them work. I see your tutorials are now updated with a step that says:

    sudo setfacl -R -m u:www-data:rx /etc/letsencrypt/live/
    sudo setfacl -R -m u:www-data:rx /etc/letsencrypt/archive/

    Those steps don’t resolve the issue for me. I still get failures when postfixadmin in turn then calls /usr/bin/doveadm

    Someone else said the best solution is to just avoid doveadm doing password checks and change your password encryption method. I’ve done that. So in
    /usr/share/postfixadmin/config.local.php I have:

    $CONF['encrypt'] = 'php_crypt:SHA256';

    The good news is that I’m not really using this test server for much yet so I haven’t really been using mailboxes yet because I understand changing the password encryption method means all old passwords are now effectively broken (stored in a different encryption method). I went through postfixadmin setup, created a new SuperAdmin, reset passwords on all the other admins and mailboxes. From postfixadmin itself I can successfully log into a mailbox and it sees the password is correct.

    But that meant I needed to tell dovecot not to expect the passwords to be in ARGON2I now I presume. So I went into /etc/dovecot/dovecot-sql.conf.ext

    And I’ve both tried:

    default_pass_scheme = SHA256


    default_pass_scheme = SSHA256

    But when I attempt to connect with a mail client, it tells me it can’t connect so password isn’t correct. But the mail log shows me:

    SASL LOGIN authentication failed: UGFzc3dvcmQ6


    dovecot: imap-login: Disconnected (auth failed, 3 attempts in 14 secs): user=, method=PLAIN,,, TLS, session=
  • thanks Xiao. this tutorial series was awesome!!! you’re the best.

  • diego J
    2 years ago

    Hi Xiao, thanks again and again for your blog. I would really appreciate your help man.
    I have a problem with a mail server:
    1. A year ago had configured my mail server:, just made one user.
    2. Today, followed this to make a new domain: and Made one user.
    3. I was able to configure thunderbird and gmail as web client for the user. I can receive but not to send.
    4. Saw more than 7000 mails in queue then deleted them (sudo postsuper -d ALL).
    5. Then sent some new emails with no luck. Everything is still at queue
    6. Tried : Sudo postqueue -f with no luck
    7. Saw on a forum maybe it would be this: sudo nano /etc/postfix/ , changed inet_protocols = all for ipv4 only. Reloaded postfix with no luck.
    8. This is the Queue log:

    -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
    1E84713BF9A*     751 Wed May 26 22:46:42  [email protected]
                                             [email protected]
                                             [email protected]
    429F313B004*     752 Wed May 26 22:06:52  [email protected]
                                             [email protected]
                                             [email protected]
    5378813C013*    1507 Wed May 26 23:53:46  [email protected]
                                             [email protected]

    1. This is part of the mail.log:

    • Xiao Guoan (Admin)
      2 years ago

      “Connection timed out” indicates the outbound TCP port 25 is blocked.

      • Yes, I run:

        telnet 25

        Resulting on:
        Trying 2607:f8b0:4023:1402::1b…
        telnet: Unable to connect to remote host: Network is unreachable

        On it appears to be open.

        Talked to provider and sent a bunch of questions. Now waiting them to open the port.


    • Xiao Guoan (Admin)
      2 years ago

      There is inbound port 25 and outbound port 25. Inbound allows you to receive emails, outbound allows you to send emails.

      Online port scanners show you the inbound ports only.

  • iswandi
    2 years ago

    Hi, do i need to setup the ssl cert for adding the second domain? if so, can you show how to?

    • Xiao Guoan (Admin)
      2 years ago

      If you follow the instructions in the “Obtaining TLS Certificate” section, the TLS setup for the second domain will be automatically configured.

  • Thanks for such a great tutorial, however, i am having some questions. When running the command “dig TXT” on my server (after setting up the proper records”, I get the error message

    ";; global options: +cmd
    ;; connection timed out; no servers could be reached". 

    However, when I run the same command on a different machine, I get “;; Warning: Message parser reports malformed message packet. ;; WARNING: Message has 455 extra bytes at end”. What does this mean? Seems like some errors need to be resolved. How do I debug this?

  • Hi,
    I’ve done almost the entire series of how to setup a mail server of yours, but I ran into some problems with this tutorial.
    When I try to connect via a email client after this part, I get this in the logs:

    mail dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=, rip=myip, lip=serverip, session=.

    and thunderbird says it can’t find any settings of my mailserver. I even tried to add the details manually, now I can’t login anymore with any email address anymore connected to my mail server.

    • Xiao Guoan (Admin)
      2 years ago

      1. Run the following command to check the connectivity to IMAP port 143.

      telnet 143

      If everything is correct, you should see messages like below.

      Connected to
      Escape character is '^]'.

      2. Maybe you have a typo in the username/password?

      3. Your TLS certificate configuration could be wrong, so Thunderbird abort the connection. Be sure to reload Postfix and Dovecot after making changes in the configuration file.

      4. Use the correct TLS settings in Thunderbird.
      Port 587 and 143 should use STARTTLS
      Port 465 and 993 should use SSL/TLS

      5. Check the doveoct journal to see if there’s any errors.

      sudo journalctl -eu dovecot
  • Wondering if you could add a section on how to change the Roundcube Branding (logos, favicon.ico, etc.) for multiple domains. It would be nice to have company logos to help distinguish between the multiple domain setups. I’ve looked online and there is some documentation, but nothing that can really guide someone unfamiliar with each step.

    • Xiao Guoan (Admin)
      2 years ago

      In this article, all domains are using the same Roundcube instance.

      If you need to change the Roundcube branding, then you need to run a seperate Roundcube instance for each domain.

      Each Roundcube instance will have its own database and unique webroot directory.

  • Daniel
    1 year ago

    Hello Xiao

    Thank you very much for your guide on installing the mail server, I am already at the stage of adding more domains to my mail and this is where the problem arose,

    I am trying to add another domain for mail service, but when I try to create an account in Thunderbird or log in via www on the server is denied access,

    in /var/log/mail.log I get the following error:

    Oct 6 23:34:12 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate .: user = , rip =, lip =, secured, session = 
    Oct 6 23:34:12 mail dovecot: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user = , rip =, lip =, secured, session = 
    Oct 6 23:34:12 mail dovecot: auth: Debug: auth client connected (pid = 121407)

    The configuration is: Multiple TLS Certificates, each domain a separate certificate, I did everything according to the guide and something is wrong,

    I do not know what to do anymore, please help.

    • Xiao Guoan (Admin)
      1 year ago
      Can't load SSL certificate: There is no valid PEM certificate

      It’s likely that there’s a syntax error or a typo in your /etc/dovecot/conf.d/10-ssl.conf file.

  • Hello

    I have one doubt for eg. I am setting up the multi sub domain email account

    How can I configure the DNS for this, whether I want to setup the A, MX, TXT, SPF, DKIM and DMARC separately for each sub domain ?

  • mendozal
    5 months ago

    This guide series is timeless =)
    Thanks for the effort involved in making it.

    I struggled a little because I wanted to host multiple domains and additionally use mail.domain.tld and webmail.domain.tld (for roundcube). I believe everything is working fine as far as I can tell. I used separate certificates for each domain but bundled the mail and webmail into one.

    Also, I noticed that the postfix service has an “active (exited)” status, but it seems to be working fine. Is this something happening to anyone here?

  • Fernando
    1 month ago

    Hi, I got a quick question. Let’s say that we have 1,500 domains on this server email, do we need to specify each one of them at the moment we generate a new TLS Certificate?

    I’m reffering to the following step:

    Obtaining TLS Certificate
    sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp -d, --cert-name --email [email protected]


  • Hello! I need a little help getting outbound email from multiple domains to send using mailjet as a relay. I am able to get the first domain that I set up to send outbound email without issue, however, all other domains that I have set up will receive inbound email but sit in the outbox when I try to send from those domains. Any ideas?

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community ( for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here