How to Host Multiple Mail Domains in PostfixAdmin on Ubuntu

This tutorial shows you how to set up multiple mail domains (virtual hosting) on an Ubuntu server with PostfixAdmin, an open-source web-based interface for configuring and managing a Postfix-based email server for many domains and users.

Prerequisites

To follow this tutorial, it’s assumed that you have already configured PostfixAdmin with one mail domain and you have followed part 4 to set up SPF and OpenDKIM.

What You Need to Do

If you want to host multiple mail domains, you need to:

  • Add a new mail domain and user in the PostfixAdmin web-based panel.
  • Create MX, A and SPF records for the new mail domain.
  • Set up DKIM signing for the new domain.
  • Create a DMARC record for the new domain.
  • Set up RoundCube Webmail, Postfix and Dovecot for multiple domains.

A reverse DNS check verifies that the sender’s IP address matches the HELO hostname. You don’t need to add another PTR record when adding a new mail domain.

Step 1: Adding Additional Domains in PostfixAdmin Panel

Log into PostfixAdmin panel with the postmaster account. (https://postfixadmin.your-domain.com/) Then go to Domain List -> New Domain to add a new domain.

Next, add a user under the new domain.

Step 2: Creating MX, A and SPF record for the new mail domain

In your DNS manager, add an MX record for the new domain like below.

Record Type    Name      Value

MX             @         mail.domain2.com

The A record points to your mail server’s IP address.

Record Type    Name     Value

A              mail     IP-address-of-mail-server

If your server uses an IPv6 address, be sure to add an AAAA record as well.

Then create an SPF record to allow the MX host to send email for the new mail domain.

Record Type    Name      Value

TXT            @         v=spf1 mx ~all

Step 3: Setting up DKIM signing for the new domain

We have installed and configured OpenDKIM for a single domain in part 4 of this tutorial series. Now we need to tell OpenDKIM to sign every outgoing email for the new mail domain.

Edit the OpenDKIM signing table file.

sudo nano /etc/opendkim/signing.table

Add the second domain like below.

*@domain1.com       default._domainkey.domain1.com
*@domain2.com       default._domainkey.domain2.com

Edit the key table file.

sudo nano /etc/opendkim/key.table

Add the second domain like below.

default._domainkey.domain1.com     domain1.com:default:/etc/opendkim/keys/domain1.com/default.private
default._domainkey.domain2.com     domain2.com:default:/etc/opendkim/keys/domain2.com/default.private

Edit the trusted hosts file.

sudo nano /etc/opendkim/trusted.hosts

Add the second domain like below.

127.0.0.1
localhost

*.domain1.com
*.domain2.com

Next, we need to generate a private/public keypair for the second domain. Create a separate folder for the second domain.

sudo mkdir /etc/opendkim/keys/domain2.com

Generate keys using opendkim-genkey tool.

sudo opendkim-genkey -b 2048 -d domain2.com -D /etc/opendkim/keys/domain2.com -s default -v

The above command creates a 2048-bit key pair. -d (domain) specifies the domain, -D (directory) specifies the directory where the keys will be stored, and -s sets the selector, for which we use default. Once the command has run, the private key is written to the default.private file and the public key to the default.txt file.

Make opendkim the owner of the private key.

sudo chown opendkim:opendkim /etc/opendkim/keys/domain2.com/default.private

Display the public key.

sudo cat /etc/opendkim/keys/domain2.com/default.txt

The string after the p parameter is the public key.

In your DNS manager, create a TXT record for the second domain. Enter default._domainkey in the Name field. Copy everything in the parentheses and paste into the value field. Delete all double-quotes. (You can paste it into a text editor first, delete all double quotes, then copy it to your DNS manager. Your DNS manager may require you to delete other invalid characters, such as carriage return.)

After saving your changes, check the TXT record with this command.

dig TXT default._domainkey.domain2.com

Now you can run the following command to test if your DKIM DNS record is correct.

sudo opendkim-testkey -d domain2.com -s default -vvv

If everything is OK, you will see

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'default._domainkey.domain2.com'
opendkim-testkey: key secure
opendkim-testkey: key OK

If you see “Key not secure”, don’t panic. This is because DNSSEC isn’t enabled on your domain name. DNSSEC is a security standard for secure DNS queries, and most domain names haven’t enabled it. You can continue to follow this guide.

Restart OpenDKIM so it will start signing emails for the second domain.

sudo systemctl restart opendkim
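
The following is an added example, not part of the original tutorial: a shell check that can be run whenever a domain is added, confirming that signing.table, key.table and trusted.hosts agree with each other and that the private key is not readable by other users, plus a helper that prints the TXT value from default.txt with the double quotes removed. The function names are hypothetical, and the defaults assume the /etc/opendkim layout and opendkim user used in this step.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.
# check_opendkim_domain DOMAIN [CONF_DIR] [KEY_OWNER]
#   CONF_DIR and KEY_OWNER default to the tutorial's /etc/opendkim and opendkim.
#   The body is a subshell, so "exit" only leaves the function.
check_opendkim_domain() (
  domain=$1
  conf=${2:-/etc/opendkim}
  want_owner=${3:-opendkim}
  rc=0

  # signing.table line: "*@domain  keyname"
  keyname=$(awk -v s="*@$domain" '$1 == s { print $2; exit }' "$conf/signing.table")
  [ -n "$keyname" ] || { echo "FAIL: no *@$domain line in signing.table"; exit 1; }

  # key.table line: "keyname  domain:selector:/path/to/private/key"
  spec=$(awk -v k="$keyname" '$1 == k { print $2; exit }' "$conf/key.table")
  [ -n "$spec" ] || { echo "FAIL: $keyname is not defined in key.table"; exit 1; }
  kdomain=${spec%%:*}
  rest=${spec#*:}
  selector=${rest%%:*}
  keyfile=${rest#*:}
  [ "$kdomain" = "$domain" ] ||
    { echo "FAIL: key.table signs as $kdomain, expected $domain"; rc=1; }

  # trusted.hosts: the tutorial lists every domain as "*.domain"
  grep -Fxq "*.$domain" "$conf/trusted.hosts" ||
    { echo "FAIL: *.$domain is missing from trusted.hosts"; rc=1; }

  # The private key must exist, belong to the signing daemon's user and
  # grant no permission bits to group or others.
  [ -f "$keyfile" ] || { echo "FAIL: private key $keyfile not found"; exit 1; }
  owner=$(stat -c '%U' "$keyfile")   # GNU stat, as shipped with Ubuntu
  mode=$(stat -c '%a' "$keyfile")
  [ "$owner" = "$want_owner" ] ||
    { echo "FAIL: $keyfile is owned by $owner, expected $want_owner"; rc=1; }
  case $mode in
    *00) ;;
    *) echo "FAIL: $keyfile has mode $mode, expected 600"; rc=1 ;;
  esac

  [ "$rc" -eq 0 ] && echo "OK: $domain uses selector $selector and key $keyfile"
  exit "$rc"
)

# dkim_txt_value FILE: print the TXT value to paste into the DNS manager, i.e.
# the quoted strings of opendkim-genkey's default.txt joined without the quotes.
dkim_txt_value() {
  awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i } END { print "" }' "$1"
}
```

After sourcing the file, run it with root privileges (for example in a sudo -i shell) as check_opendkim_domain domain2.com and dkim_txt_value /etc/opendkim/keys/domain2.com/default.txt, since the key directory is not readable by ordinary users.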

Step 4: Creating DMARC Record For the New Domain

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following. Note that you need to create the [email protected] email address.

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

The above DMARC record is a safe starting point. To see the full explanation of DMARC, please check the following article.

Step 5: Setting up RoundCube, Postfix and Dovecot for Multiple Domains

It makes sense to let users of the first domain use mail.domain1.com and users of the second domain use mail.domain2.com when using RoundCube webmail. I will show you how to do it with Apache and Nginx.

Apache

If Roundcube is served by Apache web server, then create a virtual host for the second domain.

sudo nano /etc/apache2/sites-available/mail.domain2.com.conf

Put the following text into the file.

<VirtualHost *:80>
  ServerName mail.domain2.com
  DocumentRoot /var/www/roundcube/

  ErrorLog ${APACHE_LOG_DIR}/mail.domain2.com_error.log
  CustomLog ${APACHE_LOG_DIR}/mail.domain2.com_access.log combined

  <Directory />
    Options FollowSymLinks
    AllowOverride All
  </Directory>

  <Directory /var/www/roundcube/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    # Apache 2.4 access control (replaces the 2.2-style "Order allow,deny" / "allow from all")
    Require all granted
  </Directory>

</VirtualHost>

Save and close the file. Then enable this virtual host with:

sudo a2ensite mail.domain2.com.conf

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Nginx

If Roundcube is served by Nginx web server, then create a virtual host for the second domain.

sudo nano /etc/nginx/conf.d/mail.domain2.com.conf

Put the following text into the file.

server {
  listen 80;
  server_name mail.domain2.com;
  root /var/www/roundcube/;
  index index.php index.html index.htm;

  error_log /var/log/nginx/mail.domain2.com.error;
  access_log /var/log/nginx/mail.domain2.com.access;

  location / {
    try_files $uri $uri/ /index.php;
  }

  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }

  location ~ /.well-known/acme-challenge {
    allow all;
  }
  location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
    deny all;
  }
  location ~ ^/(bin|SQL)/ {
    deny all;
  }
  # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
    access_log        off;
    log_not_found     off;
    expires           360d;
  }
}

Save and close the file. Then test Nginx configurations.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Obtaining TLS Certificate

Now use Certbot to obtain a TLS certificate for all your mail domains, so you will have a single TLS certificate with multiple domain names on it.

Apache

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email [email protected]

Nginx

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email [email protected]

Notice that in the above command, we specified the cert name using the first mail domain, which will be used in the file path, so you don’t have to change the file path in Postfix or Dovecot configuration file.

When it asks if you want to update the existing certificate to include the new domain, answer U and hit Enter.

Certbot should then print a message indicating that the multi-domain certificate was successfully obtained.

Reload Apache or Nginx to pick up the new certificate.

sudo systemctl reload apache2
sudo systemctl reload nginx

You should now be able to use different domains to access RoundCube webmail. Also you need to reload Postfix SMTP server and Dovecot IMAP server in order to let them pick up the new certificate. That’s all you need to do for Postfix and Dovecot to serve multiple domains.

sudo systemctl reload postfix dovecot

Using Mail Client on Your Computer or Mobile Device

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account of the second domain.

  • In the incoming server section, select IMAP protocol, enter mail.domain2.com as the server name, choose port 993 and SSL/TLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter mail.domain2.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Although Postfix SMTP server and Dovecot IMAP server are using the hostname of the first mail domain (mail.domain1.com) when communicating with others, they are now using a multi-domain certificate, so the mail client won’t display certificate warnings.

SPF and DKIM Check

Now you can use your desktop email client or webmail client to send a test email to [email protected] and get a free email authentication report from port25.com.

Don’t forget to test your email score at https://www.mail-tester.com and also test email placement with GlockApps.

What if Your Emails Are Still Being Marked as Spam?

I have more tips for you in this article: How to stop your emails being marked as spam. Although it requires some time and effort, your emails will eventually be placed in the inbox after applying these tips.

Wrapping Up

That’s it! I hope this tutorial helped you host multiple email domains with PostfixAdmin.

14 Responses to “How to Host Multiple Mail Domains in PostfixAdmin on Ubuntu”

  • Firstly, Thanks for the whole series, I really loved it and helped me a lot.

    If you can help, In Step 5 I cannot see the steps or configuration for Postfix and Dovecot for Multiple Domains.

    It will be really helpful if you can update it.

    Thank you!

    • You just need to reload Postfix and Dovecot to pick up the new certificate which has multiple domains on it. That’s all you need to do for Postfix and Dovecot, when you are using virtual mailbox domains.

      • Okay. Thank you very much!

        I’ll give it a try.

        Are there any changes I have to make in Postfix main.cf related to myhostname or mymailname? As I have two different @domains, while sending the emails, from which domain will it go? I might be getting confused! 🙂

    • myhostname is only used when Postfix identifies itself to other SMTP servers. It won’t affect your sending domain. mymailname is used for emails without the sending domain specified. That usually happens on the command line.

      If you follow my tutorials, you don’t have to change any of that.

      • Got it! Thanks.

        One last question: I have followed your TLS for Postfix using Let’s Encrypt, but when I send email to Gmail it is showing a red lock and not encrypted. I have researched a lot. Mostly, this should resolve my problem: smtpd_use_tls=yes, but it is not working.

        Any Idea!

    • smtpd_use_tls=yes is for the SMTP daemon when receiving emails from other SMTP servers.

      To enable TLS when sending emails to other SMTP servers, add the following two lines.

      smtp_tls_security_level = may
      smtp_tls_loglevel = 1

      Then restart Postfix.

      PS: This has already been mentioned in part 2 of this tutorial series.

  • This website is the best one that I’ve found after searching for a long time. It helped me so much. Really, thanks to the author for sharing such detailed knowledge on the internet.

  • Hi sir, I failed to create a new mail user with a mail client when I followed every step of this article to set up another domain mail with Postfix.
    I got an error prompt like [AUTHENTICATIONFAILED] Authentication failed.

    The maillog shows the following:

    Feb 24 09:44:01 mail postfix/pickup[9677]: 6F2784DF55: uid=0 from=
    Feb 24 09:44:01 mail postfix/cleanup[8622]: 6F2784DF55: message-id=
    Feb 24 09:44:01 mail postfix/qmgr[29753]: 6F2784DF55: from=, size=904, nrcpt=1 (queue active)
    Feb 24 09:44:01 mail postfix/pickup[9677]: 74CC84DF53: uid=0 from=
    Feb 24 09:44:01 mail postfix/cleanup[10366]: 74CC84DF53: message-id=
    Feb 24 09:44:01 mail dovecot[29704]: lmtp(10667): Connect from local
    Feb 24 09:44:01 mail dovecot[29704]: lmtp([email protected]): Error: Invalid settings in userdb: userdb returned 0 as uid
    Feb 24 09:44:01 mail postfix/lmtp[10654]: 6F2784DF55: to=, orig_to=, relay=mail.wayllex.com[private/dovecot-lmtp], delay=0.06, delays=0.05/0.01/0/0, dsn=4.3.0, status=deferred (host mail.wayllex.com[private/dovecot-lmtp] said: 451 4.3.0 Invalid user settings. Refer to server log for more information. (in reply to RCPT TO command))
    Feb 24 09:44:01 mail dovecot[29704]: lmtp(10667): Disconnect from local: Successful quit
    Feb 24 09:44:01 mail postfix/qmgr[29753]: 74CC84DF53: from=, size=950, nrcpt=1 (queue active)
    Feb 24 09:44:01 mail postfix/pickup[9677]: 78C9F4DF54: uid=0 from=
    Feb 24 09:44:01 mail postfix/cleanup[9970]: 78C9F4DF54: message-id=
    Feb 24 09:44:01 mail dovecot[29704]: lmtp(10646): Connect from local
    Feb 24 09:44:01 mail dovecot[29704]: lmtp([email protected]): Error: Invalid settings in userdb: userdb returned 0 as uid
    Feb 24 09:44:01 mail postfix/lmtp[10609]: 74CC84DF53: to=, orig_to=, relay=mail.wayllex.com[private/dovecot-lmtp], delay=0.05, delays=0.05/0/0/0, dsn=4.3.0, status=deferred (host mail.wayllex.com[private/dovecot-lmtp] said: 451 4.3.0 Invalid user settings. Refer to server log for more information. (in reply to RCPT TO command))
    Feb 24 09:44:01 mail dovecot[29704]: lmtp(10646): Disconnect from local: Successful quit
    Feb 24 09:44:01 mail postfix/qmgr[29753]: 78C9F4DF54: from=, size=913, nrcpt=1 (queue active)
    Feb 24 09:44:01 mail dovecot[29704]: lmtp(10658): Connect from local
    Feb 24 09:44:01 mail dovecot[29704]: lmtp([email protected]): Error: Invalid settings in userdb: userdb returned 0 as uid
    Feb 24 09:44:01 mail postfix/lmtp[10734]: 78C9F4DF54: to=, orig_to=, relay=mail.wayllex.com[private/dovecot-lmtp], delay=0.04, delays=0.04/0/0/0, dsn=4.3.0, status=deferred (host mail.wayllex.com[private/dovecot-lmtp] said: 451 4.3.0 Invalid user settings. Refer to server log for more information. (in reply to RCPT TO command))
    Feb 24 09:44:01 mail dovecot[29704]: lmtp(10658): Disconnect from local: Successful quit
    Feb 24 09:44:53 mail dovecot[29704]: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=, method=PLAIN, rip=185.172.112.74, lip=144.202.106.9, TLS, session=
    Feb 24 09:45:01 mail postfix/pickup[9677]: 8D27A4DF5C: uid=0 from=

    • Check your /etc/dovecot/conf.d/auth-sql.conf.ext file. Its content should be like below.

      passdb {
        driver = sql
        args = /etc/dovecot/dovecot-sql.conf.ext
      }

      userdb {
        driver = sql
        args = /etc/dovecot/dovecot-sql.conf.ext
      }

      Also check the /etc/dovecot/conf.d/10-auth.conf file. Make sure you have the following line at the end of this file.

      !include auth-sql.conf.ext

  • Thanks for your kind response. I carefully checked these files and everything seems right there.
    I also checked the MySQL settings in /etc/dovecot/dovecot-sql.conf.ext. They also match my MySQL settings: correct username and password for the connection, correct SQL query on the mailbox table, and the newly added domain mail user is also in the mailbox table.

    So I have no idea what is wrong with it. It prompted an error message like “domain is not allowed” when I tried to log in with the new mail address on RainLoop webmail.
    I think my mail server does not recognize the newly added domain. But the first domain I set up when installing Postfix works fine for me.

  • I checked your article step by step once again. Finally I found that I had set auth_username_format = %n in the file /etc/dovecot/conf.d/10-auth.conf when I used the local server to send and receive email at the beginning for testing. With this setting, the user name without the domain part is used for login.
    But now I am using virtual mailboxes with a MySQL database. The user name of a virtual mailbox is the whole email address with the domain part. So the previous setting caused the login to fail, because the user name with this setting does not match the user name with the domain part in the virtual database. So I changed auth_username_format = %n to %u, and the other domain’s mail can now log in on both the mail client and webmail.
    But now I have a new problem. Both domains’ mail can now only send mail but cannot receive mail from external mail servers. The primary domain email could send and receive mail before I changed the above setting.

    • Send an email to your email address, then check the mail log again.

      • After I read the whole Dovecot official documentation, I fixed this problem. Maybe you can update your article with the link below.
        For a virtual user with a new domain added by PostfixAdmin, the home directory setting for the virtual user is necessary.
        https://wiki2.dovecot.org/VirtualUsers/Home
