How to Host Multiple Mail Domains in iRedMail with Nginx

This tutorial will be showing you how to set up multiple email domains (virtual hosting) with iRedMail, which is an easy way to set up your own email server.

Prerequisites

To follow this tutorial, it’s assumed that

What You Need to Do

If you want to host multiple mail domains, then you need to

  • Add a new mail domain and user in the iRedMail admin panel.
  • Create MX, A and SPF records for the new mail domain.
  • Set up DKIM signing for the additional domain.
  • Set up a DMARC record for the new domain.
  • Set up RoundCube Webmail, Postfix and Dovecot for multiple domains.

Reverse DNS check is used to check whether the sender’s IP address matches the HELO hostname. You don’t need to add another PTR record when adding a new mail domain.

Step 1: Adding Additional Domains in iRedMail Admin Panel

Log into the iRedMail admin panel (https://mail.your-domain.com/iredadmin) with the postmaster account, then add the new domain under the Add tab.

Next, add a user under the new domain.

Step 2: Creating MX, A and SPF record for the new mail domain

In your DNS manager, add an MX record for the new domain like below.

Record Type    Name      Value

MX             @         mail.domain2.com

The A record points to your mail server’s IP address.

Record Type    Name     Value

A              mail     IP-address-of-mail-server

If your server uses an IPv6 address, be sure to add an AAAA record as well.

Then create an SPF record to allow the MX host to send email for the new mail domain.

Record Type    Name      Value

TXT            @         v=spf1 mx ~all

Step 3: Setting up DKIM signing for the new domain

You need to tell amavisd to sign every outgoing email for the new mail domain. Edit the /etc/amavis/conf.d/50-user file.

sudo nano /etc/amavis/conf.d/50-user

Find the following line.

dkim_key('domain1.com', 'dkim', '/var/lib/dkim/domain1.com.pem');

Add another line to specify the location of the private key of the second domain.

dkim_key('domain2.com', 'dkim', '/var/lib/dkim/domain2.com.pem');

In the @dkim_signature_options_bysender_maps section, add the following line.

 "domain2.com" => { d => "domain2.com", a => 'rsa-sha256', ttl => 10*24*3600 },

Save and close the file. Then generate the private key for the second domain.

sudo amavisd-new genrsa /var/lib/dkim/domain2.com.pem 2048

Restart Amavis.

sudo systemctl restart amavis

If Amavis fails to restart, you might need to change ownership of the key and restart again.

sudo chown amavis:amavis /var/lib/dkim/ -R

Next, display the public keys.

sudo amavisd-new showkeys

All public keys will be displayed. We need the public key of the second domain, which is in the parentheses.

In your DNS manager, create a TXT record for the second domain. Enter dkim._domainkey in the Name field. Copy everything in the parentheses and paste it into the value field, then delete all double quotes. (You can paste it into a text editor first, delete all double quotes, then copy it to your DNS manager. Your DNS manager may also require you to delete other invalid characters, such as carriage returns.)

After saving your changes, check the TXT record with this command.

dig TXT dkim._domainkey.domain2.com

Now you can run the following command to test if your DKIM DNS record is correct.

sudo amavisd-new testkeys

If the DNS record is correct, the test will pass.

TESTING#1 domain1.com: dkim._domainkey.domain1.com => pass
TESTING#2 domain2.com: dkim._domainkey.domain2.com => pass

Note that your DKIM record may need some time to propagate across the Internet. Depending on the domain registrar you use, your DNS record might propagate instantly, or it might take up to 24 hours. You can go to https://www.dmarcanalyzer.com/dkim/dkim-check/, enter dkim as the selector and enter your domain name to check DKIM record propagation.
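The following Python script is an added example (not part of the original tutorial) that does what Step 3 asks you to do by hand: it joins the quoted fragments printed by amavisd-new showkeys into one TXT value, strips the quotes and line breaks from a pasted value, and compares what dig returns against the local key, roughly the check that amavisd-new testkeys performs. The showkeys output and the key payloads inside it are constructed placeholders, not real keys.

```python
"""Build and verify the DKIM TXT record for a second domain (added example)."""
import base64
import binascii
import re
from typing import Dict, Tuple

# Constructed sample (NOT real key material): two placeholder "public keys"
# laid out exactly the way `amavisd-new showkeys` prints them.
KEY1 = base64.b64encode(b"constructed placeholder public key for domain1").decode()
KEY2 = base64.b64encode(b"constructed placeholder public key for domain2").decode()

SHOWKEYS_OUTPUT = f"""\
; key#1 2048 bits, i=dkim, d=domain1.com, /var/lib/dkim/domain1.com.pem
dkim._domainkey.domain1.com.    3600 TXT (
  "v=DKIM1; p="
  "{KEY1[:32]}"
  "{KEY1[32:]}")

; key#2 2048 bits, i=dkim, d=domain2.com, /var/lib/dkim/domain2.com.pem
dkim._domainkey.domain2.com.    3600 TXT (
  "v=DKIM1; p="
  "{KEY2[:32]}"
  "{KEY2[32:]}")
"""

# One record: owner name, TTL, "TXT", then quoted fragments inside parentheses.
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+TXT\s+\((.*?)\)", re.MULTILINE | re.DOTALL)


def parse_showkeys(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each domain to (selector, joined TXT value).

    The quoted fragments inside the parentheses are pieces of ONE string;
    joining them and dropping the quotes is what the tutorial tells you to do.
    """
    records = {}
    for name, body in RECORD_RE.findall(text):
        fragments = re.findall(r'"([^"]*)"', body)
        selector, _, domain = name.rstrip(".").partition("._domainkey.")
        records[domain] = (selector, "".join(fragments))
    return records


def clean_pasted_value(raw: str) -> str:
    """Strip quotes, parentheses, CR/LF and indentation from a raw copy-paste."""
    without_quotes = re.sub(r'["()]', "", raw)
    return re.sub(r"[\r\n]+[ \t]*", "", without_quotes).strip()


def dkim_tags(value: str) -> Dict[str, str]:
    """Split a DKIM TXT value into tags; reject a missing v= or an unusable p=."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[key.strip()] = val.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("record must carry v=DKIM1")
    try:
        # validate=True rejects stray quotes, spaces or newlines in the key
        base64.b64decode(tags["p"], validate=True)
    except (KeyError, binascii.Error) as exc:
        raise ValueError("p= tag missing or not clean base64") from exc
    return tags


def parse_dig_short(answer: str) -> str:
    """Join the quoted strings of a `dig +short TXT ...` answer line."""
    return "".join(re.findall(r'"([^"]*)"', answer))


def record_matches(published: str, expected: str) -> bool:
    """True when the published record carries the same version and key."""
    try:
        a, b = dkim_tags(published), dkim_tags(expected)
    except ValueError:
        return False
    return a["v"] == b["v"] and a["p"] == b["p"]


if __name__ == "__main__":
    local = parse_showkeys(SHOWKEYS_OUTPUT)
    for domain, (selector, value) in local.items():
        print(f"{selector}._domainkey.{domain} -> {value[:40]}...")
```

On a real server, feed the script the output of `sudo amavisd-new showkeys` and of `dig +short TXT dkim._domainkey.domain2.com` instead of the constructed sample.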

Step 4: Setting Up DMARC Record For the New Domain

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

The above DMARC record is a safe starting point. To see the full explanation of DMARC, please check the following article.

Step 5: Setting up RoundCube, Postfix and Dovecot for Multiple Domains

It makes sense to let users of the first domain use mail.domain1.com and users of the second domain use mail.domain2.com when using RoundCube webmail.

Change the working directory to /etc/nginx/.

cd /etc/nginx/

Create a blank server block file for the second domain in /etc/nginx/sites-enabled/ directory.

sudo touch sites-enabled/mail.domain2.com.conf

Copy the default HTTP site configurations to the file.

cat sites-enabled/00-default.conf | sudo tee -a sites-enabled/mail.domain2.com.conf

Copy the default SSL site configurations to the file.

cat sites-enabled/00-default-ssl.conf | sudo tee -a sites-enabled/mail.domain2.com.conf

Edit the virtual host file.

sudo nano sites-enabled/mail.domain2.com.conf

Find the following line.

server_name _;

We need to change the server_name to mail.domain2.com, because later we need to use Certbot to generate a new TLS certificate.

server_name mail.domain2.com;

There are 2 instances of server_name (one in the HTTP server block and one in the HTTPS server block); you need to change both of them. Save and close the file. Then test the Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Now use the Certbot webroot plugin to obtain a TLS certificate for all your mail domains, so you will have a single TLS certificate with multiple domain names on it and mail clients won’t throw security warnings.

sudo certbot certonly --webroot --agree-tos -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email your-email-address -w /var/www/html

Notice that in the above command, we specified the cert name using the first mail domain. The cert name is used in the file path under /etc/letsencrypt/live/, so you don’t have to change the certificate path in the Postfix or Dovecot configuration files.

When it asks if you want to update the existing certificate to include the new domain, answer U and hit Enter.

Certbot then reports that the certificate was successfully obtained, which indicates the multi-domain certificate is in place.

If you encounter the following error,

Detail: Invalid response from
https://mail.domain2.com/.well-known/acme-challenge/j3Nd2mNFQ43P9xLJSP4IFAiRytDCb3bemZwuAxDzWQc
[xx.xx.xx.xx]: 404

then you need to use the Certbot nginx plugin to obtain the TLS certificate instead.

sudo apt install python3-certbot-nginx

sudo certbot certonly -a nginx --agree-tos -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email your-email-address

Once the TLS certificate is obtained, reload Nginx to pick up the new certificate.

sudo systemctl reload nginx

You should now be able to use different domains to access RoundCube webmail. You also need to reload the Postfix SMTP server and the Dovecot IMAP server so that they pick up the new certificate.

sudo systemctl reload postfix dovecot

Using Mail Client on Your Computer or Mobile Device

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account of the second domain.

  • In the incoming server section, select IMAP protocol, enter mail.domain2.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter mail.domain2.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Hint: You can also use port 993 with SSL/TLS encryption for IMAP, and use port 465 with SSL/TLS encryption for SMTP. You should not use port 25 as the SMTP port to submit outgoing emails.

Although Postfix SMTP server and Dovecot IMAP server are using the hostname of the first mail domain (mail.domain1.com) when communicating with others, they are now using a multi-domain certificate, so the mail client won’t display certificate warnings.

SPF and DKIM Check

Now you can use your desktop email client or webmail client to send a test email to [email protected] and get a free email authentication report from port25.com.

Don’t forget to test your email score at https://www.mail-tester.com and also test email placement with GlockApps.

If DKIM check fails, you can go to https://www.dmarcanalyzer.com/dkim/dkim-check/ to see if there are any errors with your DKIM record.

What if Your Emails Are Still Being Marked as Spam?

I have more tips for you in this article: 7 effective tips to stop your emails being marked as spam. Although it requires some time and effort, your emails will eventually be placed in the inbox after applying these tips.

rDNS for Multiple Mail Domains?

Reverse DNS (rDNS), aka PTR record, is used to check if the sender’s IP address matches the HELO hostname. You don’t need to add another PTR record when adding a new mail domain. Your rDNS should be set to just one hostname, i.e. the hostname set in Postfix, which can be shown with the following command.

postconf myhostname

rDNS is a record for IP addresses, not for domain names. If you have just one IP address, then you need just one rDNS record pointing to one hostname. The reverse DNS check doesn’t verify the From: domain in your email; as long as your IP address has an rDNS record and the hostname resolves back to the same IP address, you pass the reverse DNS check.

Also, you don’t need to change the following settings in Postfix when hosting multiple domains on one server.

  • myhostname
  • myorigin
  • mydestination

Hosted email services like G Suite and Microsoft Exchange Online all use one hostname per server to send email for their customers. Emails sent from G Suite users all use google.com in the hostname and emails sent from Microsoft Exchange Online users all use outlook.com in the hostname. This is also true for other email service providers like Mailchimp, SendinBlue, SendPulse, etc. They all use one hostname for a single server, and one IP address has just one rDNS record.

Multiple TLS Certificates

If you manage email servers for lots of clients, you might not want to bundle all hostnames into one certificate, because anyone who inspects the certificate can see which clients you host. If you prefer to create a separate SSL certificate for each domain name, then you should not copy the default SSL configuration to the new virtual host file. That is to say, don’t run the following command in step 5.

cat sites-enabled/00-default-ssl.conf | sudo tee -a sites-enabled/mail.domain2.com.conf

Instead of using the following command to obtain a multi-domain certificate,

sudo certbot certonly --webroot --agree-tos -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com -w /var/www/html

You can use the following command to obtain a separate TLS certificate for the second mail domain.

sudo certbot -a webroot -i nginx --agree-tos -d mail.domain2.com -w /var/www/html

Next, you need to configure Postfix and Dovecot.

Postfix Multiple TLS Certificates

If you use Postfix version 3.4 or higher, you can use multiple TLS certificates. Edit the main.cf file.

sudo nano /etc/postfix/main.cf

Add the following line at the end of this file to enable multiple TLS certificates.

tls_server_sni_maps = hash:/etc/postfix/sni_maps

Save and close the file. Then create the sni_maps file.

sudo nano /etc/postfix/sni_maps

In this file, add each mail hostname and its certificate file.

mail.domain1.com   /etc/letsencrypt/live/mail.domain1.com/privkey.pem    /etc/letsencrypt/live/mail.domain1.com/fullchain.pem
mail.domain2.com   /etc/letsencrypt/live/mail.domain2.com/privkey.pem     /etc/letsencrypt/live/mail.domain2.com/fullchain.pem

Save and close the file. Next, build the lookup table.

sudo postmap -F /etc/postfix/sni_maps

Restart Postfix.

sudo systemctl restart postfix

You must use the -F option in postmap to base64-decode each value in the SNI map, or Postfix will throw the malformed BASE64 value error in the /var/log/mail.log file. The following command is wrong.

sudo postmap /etc/postfix/sni_maps

Dovecot Multiple TLS Certificates

If you use multiple TLS certificates in Postfix, you should also enable it in Dovecot. Edit the Dovecot 10-ssl.conf file.

sudo nano /etc/dovecot/conf.d/10-ssl.conf

You can find the following lines.

ssl_cert =</etc/letsencrypt/live/mail.domain1.com/fullchain.pem
ssl_key =</etc/letsencrypt/live/mail.domain1.com/privkey.pem

Then add the following lines.

local_name mail.domain1.com {
  ssl_cert =</etc/letsencrypt/live/mail.domain1.com/fullchain.pem
  ssl_key =</etc/letsencrypt/live/mail.domain1.com/privkey.pem
}

local_name mail.domain2.com {
  ssl_cert =</etc/letsencrypt/live/mail.domain2.com/fullchain.pem
  ssl_key =</etc/letsencrypt/live/mail.domain2.com/privkey.pem
}

Save and close the file. Then restart Dovecot.

sudo systemctl restart dovecot
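As an added example (not part of the original tutorial), the Python script below cross-checks the Postfix sni_maps table from the previous section against Dovecot’s local_name blocks from this one, so that a hostname served with one certificate by Postfix is not served with another (or none) by Dovecot. The two configuration texts are constructed copies of the files shown above, with a third domain and a copy-paste mistake deliberately planted so the check has something to report.

```python
"""Cross-check Postfix tls_server_sni_maps against Dovecot local_name blocks."""
import os
import re
from typing import Dict, List, Tuple

CertPair = Tuple[str, str]  # (private key path, certificate path)

# Constructed sample of /etc/postfix/sni_maps: domain3 exists here only.
SNI_MAPS = """\
mail.domain1.com   /etc/letsencrypt/live/mail.domain1.com/privkey.pem   /etc/letsencrypt/live/mail.domain1.com/fullchain.pem
mail.domain2.com   /etc/letsencrypt/live/mail.domain2.com/privkey.pem   /etc/letsencrypt/live/mail.domain2.com/fullchain.pem
mail.domain3.com   /etc/letsencrypt/live/mail.domain3.com/privkey.pem   /etc/letsencrypt/live/mail.domain3.com/fullchain.pem
"""

# Constructed sample of /etc/dovecot/conf.d/10-ssl.conf: the domain2 block
# points at domain1's private key, a typical copy-paste mistake.
DOVECOT_SSL_CONF = """\
ssl = required
ssl_cert =</etc/letsencrypt/live/mail.domain1.com/fullchain.pem
ssl_key =</etc/letsencrypt/live/mail.domain1.com/privkey.pem

local_name mail.domain1.com {
  ssl_cert =</etc/letsencrypt/live/mail.domain1.com/fullchain.pem
  ssl_key =</etc/letsencrypt/live/mail.domain1.com/privkey.pem
}

local_name mail.domain2.com {
  ssl_cert =</etc/letsencrypt/live/mail.domain2.com/fullchain.pem
  ssl_key =</etc/letsencrypt/live/mail.domain1.com/privkey.pem
}
"""

LOCAL_NAME_RE = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
SETTING_RE = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<\s*(\S+)", re.MULTILINE)


def parse_sni_maps(text: str) -> Dict[str, CertPair]:
    """Postfix sni_maps source: hostname, then key file, then cert file.

    (postmap -F is what later turns those file names into base64 contents.)
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"sni_maps line needs hostname, key and cert: {line!r}")
        table[fields[0].lower()] = (fields[1], fields[2])
    return table


def parse_dovecot_local_names(text: str) -> Dict[str, CertPair]:
    """Collect ssl_key/ssl_cert from every local_name block in 10-ssl.conf."""
    blocks = {}
    for host, body in LOCAL_NAME_RE.findall(text):
        settings = dict(SETTING_RE.findall(body))
        missing = {"ssl_cert", "ssl_key"} - settings.keys()
        if missing:
            raise ValueError(f"local_name {host}: missing {sorted(missing)}")
        blocks[host.lower()] = (settings["ssl_key"], settings["ssl_cert"])
    return blocks


def compare_sni_configs(postfix: Dict[str, CertPair],
                        dovecot: Dict[str, CertPair]) -> List[str]:
    """Return human-readable findings; an empty list means both daemons agree."""
    findings = []
    for host in sorted(postfix.keys() | dovecot.keys()):
        if host not in dovecot:
            findings.append(f"{host}: in Postfix sni_maps but no Dovecot local_name block")
        elif host not in postfix:
            findings.append(f"{host}: Dovecot local_name block but missing from Postfix sni_maps")
        elif postfix[host] != dovecot[host]:
            findings.append(f"{host}: key/cert paths differ "
                            f"(postfix={postfix[host]}, dovecot={dovecot[host]})")
    return findings


def missing_files(table: Dict[str, CertPair]) -> List[str]:
    """Referenced key/cert paths that do not exist on this host."""
    return sorted({p for pair in table.values() for p in pair if not os.path.isfile(p)})


if __name__ == "__main__":
    pf = parse_sni_maps(SNI_MAPS)
    dc = parse_dovecot_local_names(DOVECOT_SSL_CONF)
    for finding in compare_sni_configs(pf, dc) or ["OK: Postfix and Dovecot agree"]:
        print(finding)
```

On a real server, read /etc/postfix/sni_maps and /etc/dovecot/conf.d/10-ssl.conf into the two parsers instead of the constructed strings, and run missing_files() on both tables before restarting the daemons.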

Wrapping Up

That’s it! I hope this tutorial helped you host multiple email domains with iRedMail. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂


78 Responses to “How to Host Multiple Mail Domains in iRedMail with Nginx”

  • Klaus
    5 years ago

    Thank you for this interesting read.
    Is there any encryption implemented for mail data stored at the server?
    If not, how would I add this?

    • Xiao Guo An (Admin)
      5 years ago

      Emails are not encrypted at rest. The root user can access all emails on the server.

  • shuggar
    5 years ago

    Your tutorials are great, I have been following a few of them.

    Right now I have a problem, when trying to setup a second domain like in this tutorial.
    My second domain can send mails without a problem, but it does not receive any email.
    The strange thing is, that the sender also does not get an error message. The mail just disappears and is neither delivered nor rejected.

    DNS settings are all correct. I do not know where else to look.

    Thanks for helping

    • Xiao Guo-An (Admin)
      5 years ago

      You should check the mail log (/var/log/mail.log) on the receiving email server. If DNS records are correct, you will see the sender in the mail log and it will tell you the reason why the email wasn’t delivered.

  • shuggar
    5 years ago

    Hi Xiao,
    that definitely gives me more info about the problem. It seems that all mails send to this domain are queued indefinitely

    Dec  1 22:18:14 mail postfix/postscreen[10894]: PASS NEW [209.85.214.178]:44948
    Dec  1 22:18:14 mail postfix/smtpd[10902]: connect from mail-pl1-f178.google.com[209.85.214.178]
    Dec  1 22:18:14 mail postfix/smtpd[10902]: Anonymous TLS connection established from mail-pl1-f178.google.com[209.85.214.178]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Dec  1 22:18:15 mail postfix/smtpd[10902]: 28E18414F8: client=mail-pl1-f178.google.com[209.85.214.178]
    Dec  1 22:18:15 mail postfix/cleanup[10911]: 28E18414F8: message-id=
    Dec  1 22:18:15 mail postfix/qmgr[10781]: 28E18414F8: from=, size=2777, nrcpt=1 (queue active)
    Dec  1 22:18:15 mail postfix/smtpd[10902]: disconnect from mail-pl1-f178.google.com[209.85.214.178] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
    

    I do not know why this happens.

    I restarted amavis and nginx and now it is working. This seems strange.
    Thanks

    Really appreciate your tutorials! 5 out of 5

  • Dave Kimble
    5 years ago

    The only weakness of iRedMail is that if it fails to install correctly, or gets corrupted later, they recommend reinstalling the OS then iRedMail again. This wouldn’t be necessary if they kept a strict log of all the changes made with the location, old-value and new-value, so that “apt purge” could use the log to undo all changes.

    • Xiao Guo An (Admin)
      5 years ago

      Yes, a small mistake like pressing the space bar after the domain name in the setup wizard can cause installation failure. I think Modoboa is less error-prone.

  • Hi Xiao,
    I set up the mail-server with iRedMail on Ubuntu 16.04 for one domain without any problems. Your guide is great.
    But I try to set up multiple domains and problems start.
    Can not set up dkim._domainkey in my DNS zone. I get a message: “The hostname of the record does not match the name of the zone.”
    The main domain (mydomain.com) is pointed to a different IP address than the mail subdomain (mail.domain.com).
    I have website on other VPS than mail-server. How to fix it?
    In my DNS zone I have:
    mydomain.com | A | IP 1 (111.111.11.11)
    www.mydomain.com | CNAME | mydomain.com
    mail.mydomain.com | A | IP 2 (222.222.22.22)
    mydomain.com | MX | 10 | mail.mydomain.com
    mydomain.com | TXT | v=spf1 mx ~all

    • OK – I fixed it. The question from the previous comment is out of date.
      Everything working fine with two domains and different IP addresses.
      Score 10/10 for both domains.
      Thank you again for great tutorials.

    • Xiao Guo An (Admin)
      5 years ago

      Glad to know it’s working for you now 🙂

  • Fantastic job! It is nice to see a tutorial which actually works! Most of these kind of tutorials have a ton of errors and they don’t work exactly right so you have to do a lot of digging on your own. Yours are spot on!

    This got me up and running perfectly. The only gap I have now is how to configure and administer the spam components and whitelists/blacklists for iRedMail. Do you have a tutorial on that or can you recommend a good resource?

    • Xiao Guo An (Admin)
      5 years ago

      iRedMail uses Postscreen and SpamAssassin for spam filtering, which is configured in /etc/postfix/main.cf file. Another good tool is rspamd, which has a nice web-based graphical interface. I will write an article about rspamd.

      • Thank you! I am really looking forward to that! I know iRedMail uses Amavisd-new, SpamAssassin & ClamAV. Are these (or suitable replacements) integrated into rspamd so we only have one interface to deal with for virus filtering, spam and whitelists/blacklists? Or do I need to look at other solutions for some of that? I glanced at rspamd.com really quickly but couldn’t tell what components they are using. Thank you again for everything. I will be donating to support the site!

  • tom_cr00z
    5 years ago

    Clarification: in order for this to work, I have to get another domain, right, and point it to the same public IP address of my current iRedMail server?

    • Xiao Guo An (Admin)
      5 years ago

      I suppose that you asked “The A record for mail.domain2.com should be pointed to the public IP address of the current iRedMail server?”

      The answer is Yes.

  • tom_cr00z
    5 years ago

    You’re the best, bro.

  • Hello Xiao, you mentioned in another post that it was possible to run other sites alongside this setup. How can this be done? I had it working previously, but I have no idea how I did it. Any tips? Thanks.

  • Ralle
    5 years ago

    Hello Xiao,

    I see that you want to write an article about rspamd. Is it possible to do it with a how-to for switching from amavis (SpamAssassin) to rspamd in iRedMail?

    Thx

  • astrid
    5 years ago

    Hello xiao

    In this article, every newly added domain name is redirected to a new entry like mail.domain2.com, mail.domain3.com etc…

    Can I do it like this? Every newly added domain name is managed by mail.domain.com.

    • Xiao Guo An (Admin)
      5 years ago

      Yes, you can use the same hostname for MX record and webmail. You can even use the same DKIM key for all domain names, but I recommend using a unique DKIM key for each domain name to have better email deliverability.

      • astrid
        5 years ago

        Hello

        I have setup hostname mail.domain1.com and first email domain domain2.com.

        The admin url :https://mail.domain1.com/iredadmin/

        admin account :[email protected]

        how to setup my dns records ? so that all email domains are managed by mail.domain1.com and all new domains client login is https://mail.domain1.com/mail/

    • Xiao Guo An (Admin)
      5 years ago

      You can set the MX record of domain2.com to use mail.domain1.com. Then simply add email accounts at the admin panel. By default, all email accounts can login at https://mail.domain1.com/mail/.

      • astrid
        5 years ago

        so I need only set MX record for domain2.com as below ?

        MX @ mail.domain1.com

    • Xiao Guo An (Admin)
      5 years ago

      Yes, use that MX record. Then set up DKIM key and create DMARC record.

  • Waleed Talaat
    5 years ago

    Hi, thanks for posting, it really did help. When the cert expires, how do I renew it, and is there any way to auto-renew the cert?

    • Xiao Guo An (Admin)
      5 years ago

      The certbot debian package ships with its own cron job (/etc/cron.d/certbot) and a systemd timer (/lib/systemd/system/certbot.timer) to automatically renew TLS certificate. So you don’t need to manually add cron job or systemd timer. The timer runs certbot.service twice a day. You can check its status with:

      systemctl status certbot.timer

  • Anantha Raman Lakshmipathi
    5 years ago

    Hi everyone. I have created a bash script which can execute the entire above mentioned commands in a single step. Code pasted below:

    Note: before running the script, edit the host IP, primary mail domain and email ID inside the script.

    #!/bin/bash
    # Run as root: the script writes under /etc/dnsrecords without sudo.
    # Edit the three variables below before running.
    ipaddress="1.2.3.4"                             # public IP of the mail server
    primarymaildomain="mail.myprimarydomain.com"    # hostname of the first mail domain
    sslemail="[email protected]"                    # contact address for certbot
    echo " "
    sleep 2
    echo "Add new email domain script started"
    echo " "
    sleep 2
    echo "Add domain and user in iRedAdmin"
    echo " "
    sleep 2
    read -p "Press enter if added?"
    echo " "
    sleep 2
    echo "Enter domain name without www ; Eg: mywebsite.com"
    echo " "
    read domainname
    echo " "
    sleep 2
    echo "Adding new domain DKIM Key now"
    # Produces: dkim_key('domain', 'dkim', '/var/lib/dkim/domain.pem');
    var1="dkim_key('$domainname', 'dkim', '/var/lib/dkim/$domainname.pem');"
    sed -i -e "/\# Add dkim_key here./a $var1" /etc/amavis/conf.d/50-user
    # Produces: "domain" => { d => "domain", a => 'rsa-sha256', ttl => 10*24*3600 },
    var2="  \"$domainname\" => { d => \"$domainname\", a => 'rsa-sha256', ttl => 10*24*3600 },"
    sed -i -e "/\# Per-domain dkim key/a $var2" /etc/amavis/conf.d/50-user
    echo " "
    sleep 2
    echo "New Domain DKIM key added"
    echo " "
    sleep 2
    echo "Generating DNS records"
    echo " "
    var3="/var/lib/dkim/$domainname.pem"
    sudo amavisd-new genrsa $var3 2048
    sudo systemctl restart amavis
    mkdir -p /etc/dnsrecords
    var3a="/etc/dnsrecords/$domainname.txt"
    if [ -f $var3a ] ; then
    sudo rm $var3a
    fi
    echo " " >> $var3a
    echo "; DKIM Record" >> $var3a
    sudo amavisd-new showkeys $domainname >> $var3a
    echo "; MX Record" >> $var3a
    echo "$domainname. 1 IN MX 1 mail.$domainname." >> $var3a
    echo "; A Record" >> $var3a
    echo "mail.$domainname. 1 IN A $ipaddress" >> $var3a
    echo "; TXT Records" >> $var3a
    echo "$domainname. 1 IN TXT \"v=spf1 mx ~all\"" >> $var3a
    echo "_dmarc.$domainname. 1 IN TXT \"v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@$domainname\"" >> $var3a
    echo " " >> $var3a
    echo " "
    echo "DNS records generated. Download it @ /etc/dnsrecords folder. Import in DNS as BIND file"
    echo " "
    sleep 2
    read -p "Press enter to continue after updating dns records?"
    sleep 2
    echo " "
    echo "Testing DKIM record key"
    echo " "
    sudo amavisd-new testkeys $domainname
    echo " "
    var4="/etc/nginx/sites-enabled/mail.$domainname.conf"
    sudo touch $var4
    var5="/etc/nginx/sites-enabled/00-default.conf"
    cat $var5 | sudo tee -a $var4 > /dev/null
    var6="/etc/nginx/sites-enabled/00-default-ssl.conf"
    cat $var6 | sudo tee -a $var4 > /dev/null
    var7="server_name _;"
    var8="server_name mail.$domainname;"
    sed -i -e "s/$var7/$var8/g" $var4
    sleep 2
    echo "Testing nginx configuration"
    echo " "
    sudo nginx -t
    sudo systemctl reload nginx
    echo " "
    # Build a comma-separated list of every mail vhost for the certificate
    ls /etc/nginx/sites-enabled > /etc/dnsrecords/aaaexistingdomains.txt
    sed -e s/00-default.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
    sed -e s/00-default-ssl.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
    sed -e s/.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
    sed -i '/^$/d' /etc/dnsrecords/aaaexistingdomains.txt
    sed -i ':a;N;$!ba;s/\n/,/g' /etc/dnsrecords/aaaexistingdomains.txt
    var8a="/etc/dnsrecords/aaaexistingdomains.txt"
    var8b=$(cat "$var8a")
    var9="$primarymaildomain,$var8b"    # primary hostname first, then every vhost
    sleep 2
    echo "Updating SSL certificates"
    echo " "
    sleep 2
    echo "Click 'u' when prompted"
    echo " "
    sleep 2
    sudo certbot certonly --webroot --agree-tos -d $var9 --cert-name $primarymaildomain --email $sslemail -w /var/www/html
    echo " "
    sleep 2
    echo "Restarting nginx, postfix and dovecot"
    echo " "
    sudo systemctl reload nginx
    sudo systemctl reload postfix
    sudo systemctl reload dovecot
    sleep 2
    echo "Add new email domain script ended"
    echo " "
    var10="https://mail.$domainname/"
    sleep 2
    echo "Now u can visit $var10"
    echo " "
    sleep 2
    echo "Thank You"
    echo " "
    sleep 2

    • Anantha Raman Lakshmipathi
      5 years ago

      Also, the above script will generate DNS records in BIND format, which can be directly imported into almost all DNS providers like Cloudflare, GoDaddy etc.

    • Anantha Raman Lakshmipathi
      5 years ago

      No need to edit anything inside the bash script. Directly run the following script and give inputs when prompted. DNS records will be generated and the new email domain will be added automatically.

      #!/bin/bash
      # Run as root: the script writes under /etc/dnsrecords without sudo.
      ipaddress=$(dig +short myip.opendns.com @resolver1.opendns.com)   # public IP of this server
      primaildom=$(hostname -f)                                          # hostname of the first mail domain
      echo " "
      sleep 2
      echo "Add new email domain script started"
      echo " "
      sleep 2
      echo "Add domain and user in iRedAdmin"
      echo " "
      sleep 2
      read -p "Press enter if added?"
      echo " "
      sleep 2
      echo "Enter domain name without www ; Eg: mywebsite.com"
      echo " "
      read domainname
      echo " "
      sleep 2
      echo "Adding new domain DKIM Key now"
      # Produces: dkim_key('domain', 'dkim', '/var/lib/dkim/domain.pem');
      var1="dkim_key('$domainname', 'dkim', '/var/lib/dkim/$domainname.pem');"
      sed -i -e "/\# Add dkim_key here./a $var1" /etc/amavis/conf.d/50-user
      # Produces: "domain" => { d => "domain", a => 'rsa-sha256', ttl => 10*24*3600 },
      var2="  \"$domainname\" => { d => \"$domainname\", a => 'rsa-sha256', ttl => 10*24*3600 },"
      sed -i -e "/\# Per-domain dkim key/a $var2" /etc/amavis/conf.d/50-user
      echo " "
      sleep 2
      echo "New Domain DKIM key added"
      echo " "
      sleep 2
      echo "Generating DNS records"
      echo " "
      var3="/var/lib/dkim/$domainname.pem"
      sudo amavisd-new genrsa $var3 2048
      sudo systemctl restart amavis
      mkdir -p /etc/dnsrecords
      var3a="/etc/dnsrecords/$domainname.txt"
      if [ -f $var3a ] ; then
      sudo rm $var3a
      fi
      echo " " >> $var3a
      echo "; DKIM Record" >> $var3a
      sudo amavisd-new showkeys $domainname >> $var3a
      echo "; MX Record" >> $var3a
      echo "$domainname. 1 IN MX 1 mail.$domainname." >> $var3a
      echo "; A Record" >> $var3a
      echo "mail.$domainname. 1 IN A $ipaddress" >> $var3a
      echo "; TXT Records" >> $var3a
      echo "$domainname. 1 IN TXT \"v=spf1 mx ~all\"" >> $var3a
      echo "_dmarc.$domainname. 1 IN TXT \"v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@$domainname\"" >> $var3a
      echo " " >> $var3a
      echo " "
      echo "DNS records generated. Download it @ /etc/dnsrecords folder. Import in DNS as BIND file"
      echo " "
      sleep 2
      read -p "Press enter to continue after updating dns records?"
      sleep 2
      echo " "
      echo "Testing DKIM record key"
      echo " "
      sudo amavisd-new testkeys $domainname
      echo " "
      var4="/etc/nginx/sites-enabled/mail.$domainname.conf"
      sudo touch $var4
      var5="/etc/nginx/sites-enabled/00-default.conf"
      cat $var5 | sudo tee -a $var4 > /dev/null
      var6="/etc/nginx/sites-enabled/00-default-ssl.conf"
      cat $var6 | sudo tee -a $var4 > /dev/null
      var7="server_name _;"
      var8="server_name mail.$domainname;"
      sed -i -e "s/$var7/$var8/g" $var4
      sleep 2
      echo "Testing nginx configuration"
      echo " "
      sudo nginx -t
      sudo systemctl reload nginx
      echo " "
      # Build a comma-separated list of every mail vhost for the certificate
      ls /etc/nginx/sites-enabled > /etc/dnsrecords/aaaexistingdomains.txt
      sed -e s/00-default.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
      sed -e s/00-default-ssl.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
      sed -e s/.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
      sed -i '/^$/d' /etc/dnsrecords/aaaexistingdomains.txt
      sed -i ':a;N;$!ba;s/\n/,/g' /etc/dnsrecords/aaaexistingdomains.txt
      var8a="/etc/dnsrecords/aaaexistingdomains.txt"
      var8b=$(cat "$var8a")
      var9="$primaildom,$var8b"    # primary hostname first, then every vhost
      sleep 2
      echo "Updating SSL certificates"
      echo " "
      sleep 2
      echo "Enter email id required for ssl certificate generation"
      echo " "
      read sslemailid
      echo " "
      echo "Click 'u' when prompted"
      echo " "
      sleep 2
      sudo certbot certonly --webroot --agree-tos -d $var9 --cert-name $primaildom --email $sslemailid -w /var/www/html
      echo " "
      sleep 2
      echo "Restarting nginx, postfix and dovecot"
      echo " "
      sudo systemctl reload nginx
      sudo systemctl reload postfix
      sudo systemctl reload dovecot
      sleep 2
      echo "Add new email domain script ended"
      echo " "
      var10="https://mail.$domainname/"
      sleep 2
      echo "Now u can visit $var10"
      echo " "
      sleep 2
      echo "Thank You"
      echo " "
      sleep 2

  • Alexandru Gagea
    5 years ago

    Hi,

    Is the PTR record required for the second mail domain ?

    • Xiao Guo An (Admin)
      5 years ago

      PTR record is for an IP address. If you have already created PTR record when you first set up your mail server, you don’t need to change it when you add a second mail domain.

  • Alexandru Gagea
    5 years ago

    I’ve just noticed that only emails sent from “[email protected]” and “[email protected]” reach the inbox. All other emails sent from both domains goes to the spam folder.

    Ideas ?

  • ckhatton
    5 years ago

    As I am creating more and more mail servers, is it a good idea that they are all sharing the same certificate? Anyone can look at the certificate and see all the servers it has been allocated to.

    • Xiao Guo An (Admin)
      5 years ago

      You can get certbot to issue separate SSL certificate for each mail domain, but if you need to remotely login from a desktop/mobile mail client or another web application, you need to enter the first hostname (mail.domain1.com) for the server address, because Postfix does not support multiple SSL certificates on single IP address yet.

      • ckhatton
        5 years ago

        Thank you. Interesting – I might actually do that, as the first domain (mail.domain1.com) can act as the main server address. What would be the command to create a separate SSL certificate?

    • Xiao Guo An (Admin)
      5 years ago

      If you prefer to create a separate SSL certificate for each domain name, then you should not copy the default SSL configuration to the new virtual host file. That is to say, don’t run the following command:

      cat sites-enabled/00-default-ssl.conf | sudo tee -a sites-enabled/mail.domain2.com.conf

      Then use certbot to create single-domain SSL certificate.

      sudo certbot --nginx --agree-tos --hsts --staple-ocsp --email your-email-address -d mail.domain2.com

      • ckhatton
        5 years ago

        Thank you! 🙌

        • ckhatton
          5 years ago

          Hi Xiao! I’ve followed that, but when I go to mail.domain2.com it redirects too many times. This is the conf for it… https://www.pastiebin.com/5d5aa095af09b

  • shaady
    5 years ago

    Hi There,

    I followed your steps, but if I test the keys I get this error:

    amavisd-new testkeys

    TESTING#1 easyvoiceonline.nl: dkim._domainkey.easyvoiceonline.nl => fail (bad RSA signature)
    TESTING#2 easyvoiceonline.co.uk: dkim._domainkey.easyvoiceonline.co.uk => invalid (public key: invalid data)
    TESTING#3 easyvoiceonline.be: dkim._domainkey.easyvoiceonline.be => pass

    these are the keys:

    key#1 1024 bits, i=dkim, d=easyvoiceonline.nl, /var/lib/dkim/easyvoiceonline.nl.pem
    dkim._domainkey.easyvoiceonline.nl.     3600 TXT (
      "v=DKIM1; p="
      "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2ixN7MLLfSm1zxnjnTp+RiyN"
      "9wRXbULxsoY0qxd/YubSsR03nZ1yiu9eebG4IGqaVXjNhi7ICp6ZIk2TS7/4DyFy"
      "6HA7ADEjcHFECtwyupSXdMXFlfuQDV8nAwm7Jz/M86BX5UCO/ipd8SbMyfJL1UxW"
      "w+LTR/aMEAXqYBV8ZwIDAQAB")
    
    ; key#2 2048 bits, i=dkim, d=easyvoiceonline.co.uk, /var/lib/dkim/easyvoiceonline.co.uk.pem
    dkim._domainkey.easyvoiceonline.co.uk.  3600 TXT (
      "v=DKIM1; p="
      "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl/yioBrjbEHgFomTFtAV"
      "pKQEqPHaY5Ut8VZH1y4jQu3HySWIAXErhmAp5TCUwZd2U9xuWSy8Tp1Zn6sgaJg5"
      "VmbYDw6GVneocTou9KIM5ns1C173D538hkoKRBFfMvrMwp8jfyb/1e4S9E4NH8nM"
      "aaSEiwRpK1lWqck7927K33BAKyC2kUBN4Ldmee6wqI9x8bjICMMryfN5JLLJscfp"
      "h+f2ue2gTbwW5AL7dwVPiadIA/8yvjcWdCbzG6obf8KEK3Y83vbLunqHISCndG8o"
      "5+t3kRkH6chgtmSH5HuCzZ+3KYf6dpV+SHUBJ5Q6KDeh/iHPjR0xY6M3xs5E/vU6"
      "SwIDAQAB")
    
    ; key#3 2048 bits, i=dkim, d=easyvoiceonline.be, /var/lib/dkim/easyvoiceonline.be.pem
    dkim._domainkey.easyvoiceonline.be.     3600 TXT (
      "v=DKIM1; p="
      "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzjze8mMeJ1uNkQeRB0i8"
      "PChpVWq8LuGYO5h5h+MLrU69fHbgA6HZ2AZQIH3gP1JI9Max6Yp/Bs8Og8tqvLE5"
      "EVW27JfxrNRSKHzLUfMfOT/4hhyDlIgA10QqDV+Ns9AvE3nloF2WMUQBdAQDE5/p"
      "bo09PmaCqUHgVQf40UluqUKIc9NewdVjvNKwc96gH5RIglKSbatEfrGc0bSBh45a"
      "ihSdm5CVnZ5i499Cpc0EWY3q64m9gxxP5QE7Jujf/GR7HGMHT3nhV1I3A/KtvfaF"
      "ut0PjHB2h2r71iZGiSUhlHwwfGta6Pvqw3eV+xun1KWk2k7RIvtbZTy+t8BbG//m"
      "tQIDAQAB")

    Here are the dig results;

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dkim._domainkey.easyvoiceonline.co.uk. IN TXT
    
    ;; ANSWER SECTION:
    dkim._domainkey.easyvoiceonline.co.uk. 861 IN TXT "v=DKIM1; p=   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl/yioBrjbEHgFomTFtAV   pKQEqPHaY5Ut8VZH1y4jQu3HySWIAXErhmAp5TCUwZd2U9xuWSy8Tp1Zn6sgaJg5   VmbYDw6GVneocTou9KIM5ns1C173D538hkoKRBFfMvrMwp8jfyb/1e4S9E4NH8nM   aaSEiwRpK1lWqck7927K33BAKyC2kUBN4Ldmee6w" "qI9x8bjICMMryfN5JLLJscfp   h+f2ue2gTbwW5AL7dwVPiadIA/8yvjcWdCbzG6obf8KEK3Y83vbLunqHISCndG8o   5+t3kRkH6chgtmSH5HuCzZ+3KYf6dpV+SHUBJ5Q6KDeh/iHPjR0xY6M3xs5E/vU6   SwIDAQAB)"
    
    ;; Query time: 1 msec
    ;; SERVER: 2a00:f10:ff04:153::53#53(2a00:f10:ff04:153::53)
    ;; WHEN: Mon Aug 05 19:54:27 CEST 2019
    ;; MSG SIZE  rcvd: 505
    
    root@easyvoicemail-nl:~# dig TXT dkim._domainkey.easyvoiceonline.be
    
    ; <<>> DiG 9.10.3-P4-Debian <<>> TXT dkim._domainkey.easyvoiceonline.be
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27854
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dkim._domainkey.easyvoiceonline.be. IN TXT
    
    ;; ANSWER SECTION:
    dkim._domainkey.easyvoiceonline.be. 852 IN TXT  "v=DKIM1; p=   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzjze8mMeJ1uNkQeRB0i8   PChpVWq8LuGYO5h5h+MLrU69fHbgA6HZ2AZQIH3gP1JI9Max6Yp/Bs8Og8tqvLE5   EVW27JfxrNRSKHzLUfMfOT/4hhyDlIgA10QqDV+Ns9AvE3nloF2WMUQBdAQDE5/p   bo09PmaCqUHgVQf40UluqUKIc9NewdVjvNKwc96g" "H5RIglKSbatEfrGc0bSBh45a   ihSdm5CVnZ5i499Cpc0EWY3q64m9gxxP5QE7Jujf/GR7HGMHT3nhV1I3A/KtvfaF   ut0PjHB2h2r71iZGiSUhlHwwfGta6Pvqw3eV+xun1KWk2k7RIvtbZTy+t8BbG//m   tQIDAQAB"
    
    ;; Query time: 1 msec
    ;; SERVER: 2a00:f10:ff04:153::53#53(2a00:f10:ff04:153::53)
    ;; WHEN: Mon Aug 05 19:54:36 CEST 2019
    ;; MSG SIZE  rcvd: 501
    
    root@easyvoicemail-nl:~# dig TXT dkim._domainkey.easyvoiceonline.nl
    
    ; <<>> DiG 9.10.3-P4-Debian <<>> TXT dkim._domainkey.easyvoiceonline.nl
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39534
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dkim._domainkey.easyvoiceonline.nl. IN TXT
    
    ;; ANSWER SECTION:
    dkim._domainkey.easyvoiceonline.nl. 489 IN TXT  "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRZC1bMjVivG2euM26uv/vUxIml511IxHAK2YFUcSJGwJ2MxjXVxEoIITD7KFmhupt4JD544ojKd4FASv+2VApgC/mx5U0Hc3aK9jOdFoTqsUKg6fZZHkkJObTAsLcvWLvZRQtlmx79t1eY34OgPDtKhMhSmFEuatdKWsREgFNKwIDAQAB"
    
    ;; Query time: 0 msec
    ;; SERVER: 2a00:f10:ff04:153::53#53(2a00:f10:ff04:153::53)
    ;; WHEN: Mon Aug 05 19:54:40 CEST 2019
    ;; MSG SIZE  rcvd: 303
    
    root@easyvoicemail-nl:~# 

    Hopefully you can help me?

    • shaady
      5 years ago

      Little edit: in the dig results you’ll see ” which I currently removed; the TTL is 3600, so should I just be patient?

    • Xiao Guo An (Admin)
      5 years ago

      You didn’t enter the DKIM record correctly. For easyvoiceonline.nl, the public key is different in the DNS record. For easyvoiceonline.co.uk, there are many carriage return characters in the DNS record. Remove them.

      • shaady
        5 years ago

        It’s working now, thank you. Although I do not get emails on a 4th added domain @easyvoicetelecom.co.uk: it sends but I cannot receive. Any suggestions?
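
The admin's diagnosis in this thread (a public key in DNS that differs from the one amavisd holds for .nl, and stray characters pasted into the .co.uk record, where the dig answer above even ends in a `)` that belongs to the showkeys output) can be checked before running `amavisd-new testkeys`. The script below is an added example for this page, not iRedMail or amavisd code: it joins the quoted strings of a `dig TXT` answer the way a DKIM verifier does, strips the whitespace that RFC 6376 allows inside `p=`, rejects anything that is not valid base64, and compares the result with the key printed by `amavisd-new showkeys`. The zone `example.net` and both keys are constructed stand-ins, not real RSA keys.

```python
"""Compare a published DKIM TXT record with the key amavisd prints.

Added example for this page, not iRedMail or amavisd code. The zone
example.net and both keys are constructed stand-ins, not real RSA keys.
"""
import base64
import binascii
import re

# Constructed stand-ins for the base64 SubjectPublicKeyInfo that `amavisd-new showkeys` prints.
SAMPLE_KEY = base64.b64encode(b"constructed sample key bytes - not a real RSA SubjectPublicKeyInfo").decode()
OTHER_KEY = base64.b64encode(b"a different constructed key, as when DNS still holds an old key pair").decode()

# Shape of `amavisd-new showkeys` output: one TXT record written as several quoted strings.
SHOWKEYS_TEXT = f"""; key#1 2048 bits, i=dkim, d=example.net, /var/lib/dkim/example.net.pem
dkim._domainkey.example.net.  3600 TXT (
  "v=DKIM1; p="
  "{SAMPLE_KEY[:40]}"
  "{SAMPLE_KEY[40:]}")
"""

# Constructed `dig TXT` answer lines for the same name.
DIG_OK = f'dkim._domainkey.example.net. 3600 IN TXT "v=DKIM1; p={SAMPLE_KEY}"'
# Folded across two strings with whitespace inside p=: allowed, so this must pass.
DIG_FOLDED = f'dkim._domainkey.example.net. 3600 IN TXT "v=DKIM1; p=   {SAMPLE_KEY[:40]}   " "{SAMPLE_KEY[40:]}"'
# Pasted together with the closing ')' of the showkeys block: no longer base64.
DIG_GARBLED = f'dkim._domainkey.example.net. 3600 IN TXT "v=DKIM1; p=   {SAMPLE_KEY[:40]}   " "{SAMPLE_KEY[40:]})"'
# Well-formed, but the public half of some other key pair: signatures will not verify.
DIG_WRONG_KEY = f'dkim._domainkey.example.net. 3600 IN TXT "v=DKIM1; p={OTHER_KEY}"'


def parse_dig_txt(text):
    """Join the quoted strings of a TXT RDATA with no separator, as a DKIM verifier does.

    Works on a `dig` answer line and on the multi-line showkeys block alike:
    everything outside the double quotes (owner name, TTL, parentheses) is ignored."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', text))


def parse_dkim_tags(rdata):
    """Split 'v=DKIM1; p=...' into a tag dict; names and values are trimmed."""
    tags = {}
    for part in rdata.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def check_dkim_record(showkeys_text, dig_answer):
    """Report pass / invalid / fail, mirroring the wording of `amavisd-new testkeys`."""
    expected = parse_dkim_tags(parse_dig_txt(showkeys_text))
    published = parse_dkim_tags(parse_dig_txt(dig_answer))
    if published.get("v", "DKIM1") != "DKIM1" or "p" not in published:
        return "invalid (missing v= or p= tag)"
    # Whitespace inside p= is ignored when the key is reassembled (RFC 6376),
    # so a record folded across several strings is fine; any other stray
    # character (a ')' or a CR pasted from a terminal) is not.
    published_key = re.sub(r"\s+", "", published["p"])
    try:
        base64.b64decode(published_key, validate=True)
    except binascii.Error:
        return "invalid (public key: invalid data)"
    if published_key != re.sub(r"\s+", "", expected.get("p", "")):
        return "fail (published key is not the public half of the signing key)"
    return "pass"


if __name__ == "__main__":
    cases = [("ok", DIG_OK), ("folded", DIG_FOLDED), ("garbled", DIG_GARBLED), ("wrong key", DIG_WRONG_KEY)]
    for label, answer in cases:
        print(f"{label:10} {check_dkim_record(SHOWKEYS_TEXT, answer)}")
```

To use it on a real domain, paste the record block from `amavisd-new showkeys` into SHOWKEYS_TEXT and the answer line from `dig TXT dkim._domainkey.your-domain` into one of the DIG_* constants. An "invalid" result usually means a copy-and-paste error in the DNS panel; "fail" means the record is syntactically fine but belongs to a different key pair, so outgoing signatures cannot verify against it.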

  • Stephan
    4 years ago

    I run a (non-iRedMail) mail server for multiple domains. The reverse DNS points to the main domain, e.g. mail.somename.net, the mail domains are mail.domain1.net and mail.domain2.net without a rDNS record, but with correct PTR and SPF records.

    Some receiving mail servers reject mails from mail.domain1.net or mail.domain2.net because the reverse DNS points to mail.somename.net instead. In Europe many mail providers are very restrictive in this regard (e.g. t-online.de, gmx.de or bluewin.ch).

    How can this howto work in such an environment?

  • F.U.H. TECH-SAS Tadeusz Sasnal
    4 years ago

    Hi, can you describe how to use/configure a subdomain like “shop.mypage.com”?

    • Xiao Guoan (Admin)
      4 years ago

      It’s simple. Use mail.shop.mypage.com as the mail host. Treat the subdomain shop.mypage.com as if it is a different apex domain name.

  • ckhatton
    4 years ago

    Hi Xiao! Not sure if you missed this but I’ve followed your comment on how to create a separate SSL certificate for each domain, and when I go to mail.domain2.com it redirects too many times. This is the conf for it… https://www.pastiebin.com/5d5aa095af09b

    • Xiao Guoan (Admin)
      4 years ago

      I think you should learn the basics of the Nginx web server, understand what each line in the configuration file means and compare each Nginx virtual host file, so you can troubleshoot some of the problems by yourself.

      • ckhatton
        4 years ago

        Ok! Fair enough 😊 I am guessing it’s something obvious that I am not paying enough attention to.

  • Steve Ward
    4 years ago

    I followed your other great tutorial on setting-up iRedMail on a single domain – let’s call it mail-server.com – and it works as expected. Many thanks.

    I have a website on a separate server – let’s call this one website.com – and have followed this tutorial about hosting multiple domains to the letter apart from setting-up Roundcube as website.com runs Apache not NGINX. I’ve also used slightly different DNS records for website.com.

    For example, I’ve not created an additional A record for the reason already stated and website.com’s MX record is…

    MX          @          mail-server.com

    ..and not what I think you say it should be…

    MX          @          mail.website.com

    However, I can send and receive mail using [email protected] without issue.

    As my approach is different to yours, yet mail still appears to work correctly for website.com, what is the difference between the two and which, if any, is the preferred method? Does my approach have any downside?

    Many thanks, Steve.

    • Xiao Guoan (Admin)
      4 years ago

      You can use mail.domain1.com as the MX host for the second domain, so you don’t need to create A record. As long as you can get a 10/10 score at mail-tester.com, you can use either approach.

      You can still configure Roundcube for multiple domains on the mail server. Apache is running on a separate server, it won’t interfere with the mail server.

  • Steve Ward
    4 years ago

    Many thanks for the very prompt reply and confirmation.

    mail-tester.com gives a score of 10/10 with the usual caveat of missing an unsubscribe header.

  • TRI4X
    4 years ago

    Hi,

    I had cert renewal issues lately. So I have finally solved that. If you have multiple domains, there need to be separate lines, one per domain, under webroot_map in the cfg file (/etc/letsencrypt/renewal/mail.dainmain1.conf):

    [[webroot_map]]
    mail.domain1.com = /var/www/html
    mail.domain2.com = /var/www/html

    Originally there was only one domain in cfg file which caused renewal issues.

  • ckhatton
    4 years ago

    Please help, I want to get to the root of this problem… If I create a certificate via the normal method I get “connection refused” for each “/.well-known/acme-challenge/…”.

    UFW settings… 443/tcp and Nginx Full have been set to Allow.

    DNS settings are correct.

    Permissions for /var/www/html…
    drwxr-xr-x 2 www-data www-data 4096

    I have to go the DNS verification route, which is time-consuming and doesn’t auto-renew, as it is manual.

    • Xiao Guoan (Admin)
      4 years ago

      DNS verification can be automated.

      It’s not always possible to troubleshoot server problems just by looking at your configurations. And I do not have time to answer every visitor’s question. If you really need to make it work, you can give me access to your server and pay me to fix the error.

      • ckhatton
        4 years ago

        Yes please, I would like to get to the root of the problem, I would be happy to pay. Let me know how I can reach you. Thank you Xiao

    • Xiao Guoan (Admin)
      4 years ago

      Contact me: [email protected]

      • ckhatton
        4 years ago

        This is now no longer an issue. The normal method of “/var/www/html” is now working having given it another go again. It seems to have fixed itself maybe via an update.

  • Jeremy Bond
    4 years ago

    How do I set up more IP addresses? My server is currently configured with two domains and two IPs and Roundcube is working correctly for each IP (mail.domain1.com is .41 & mail.domain2.com is .241). All the mail message headers refer to mail.domain1.com & the .41 IP

    From [email protected]  Wed Feb 26 04:33:43 2020
    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from mail.fressen.me (mail.fressen.me [104.168.236.41])
    	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
    	(No client certificate requested)
    	by tools.mxtoolbox.com (Postfix) with ESMTPS id 01174BBB25
    	for <[email protected]>; Wed, 26 Feb 2020 04:33:43 +0000 (UTC)
    Received: from mail.fressen.me (mail.fressen.me [127.0.0.1])
    	by mail.fressen.me (Postfix) with ESMTP id 48S2xL1kjyz5sm6
    	for <[email protected]>; Wed, 26 Feb 2020 04:33:42 +0000 (UTC)
    Authentication-Results: mail.fressen.me (amavisd-new);
    	dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
    	header.d=rrcontractorsnw.com
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=
    	rrcontractorsnw.com; h=message-id:user-agent:subject:to:from
    	:date:content-transfer-encoding:content-type:mime-version; s=
    	dkim; t=1582691621; x=1583555622; bh=BYZwR0pQrzIgE7rXIuSvIsBPKgd
    	/JPHIgviHrX5HqKg=; b=iq4szaV6+jM7QCQaECJQBDRD64XbmErJqNU7ZGJkOMU
    	8LElZr4ETNsUVwVKQBF6CHPF1Dex4oPvNtTO3YRP7YZPIbvNfp1/3QuVqaKGUEvg
    	KHRYJKtz67+l6hhrPfejFs6rHQV8EFZKW0zDWLxTpcvilTJcDwg/UIQ8ZpnQATr2
    	MiNBPByK27S8mJZTmQ/uRIbaWjP20XvSBE059krB130neqANfpUab41cxTxuIlGK
    	6KZXp+/KXquueyWhj2lwRzs3E7JV980LUahyCtRGk0oxfD8nPe5qmeBj9ZKlplOb
    	gJzcJrxI5xlDlsbQ6cmC5INKNHYcBaZDryB5R7NwPcA==
    X-Virus-Scanned: Debian amavisd-new at mail.fressen.me
    Received: from mail.fressen.me ([127.0.0.1])
    	by mail.fressen.me (mail.fressen.me [127.0.0.1]) (amavisd-new, port 10026)
    	with ESMTP id S7Hu_cFkvbq5 for <[email protected]>;
    	Wed, 26 Feb 2020 04:33:41 +0000 (UTC)
    Received: from mail.rrcontractorsnw.com (mail.fressen.me [127.0.0.1])
    	by mail.fressen.me (Postfix) with ESMTPSA id 48S2xK5sMCz5sm5
    	for <[email protected]>; Wed, 26 Feb 2020 04:33:41 +0000 (UTC)
    
  • Kevin
    4 years ago

    Thanks again for great tutorials. Very clear and concise. Everything is working, but this one issue has stopped everything for us. Unfortunately the only solution I’ve found so far to the PTR record issue with more than one domain is multiple IPs (gets expensive). Hostwind and other providers don’t allow multiple PTR records to the same IP. While the rDNS spec allows multiple domains, apparently there are some drawbacks. Google is rejecting all the domains that aren’t the primary when sending to Gmail. Are there any other solutions to hosting multiple domains other than separate IPs?

    Is it possible to use Bind9 on the email server instead of the provider for DNS server roles to have multiple PTR records on the same IP?

  • Retselisitsoe Moabi
    4 years ago

    This is just fantastic. I managed to add the second domain and everything works perfectly.

    Thank you for your efforts. Well appreciated.

  • Brett
    4 years ago

    This is fantastic, thanks for putting this together. I’ve gotten the mail server up and running with no issues. When adding a domain, I am able to send e-mails from Domain2, but not receive. Nothing seems to show up in the mail.log file indicating incoming mail is hitting the server.

    I am hosting a website in one location, and have an A record set to one IP address. I created a new A record pointing to my hosting provider (Scalahosting VPS IP address) with the name mail. I created an MX record for mail.domain2.com. The MX records seem to have propagated according to a number of DNS websites. Anything you can think of that I am missing? Thanks!

  • Johnny Benton
    4 years ago

    Hi Xiao,
    Great tutorial; the install went well and everything looks okay, but I’m not receiving any inbound mail. I can send okay to my gmail accounts but I’m not getting anything back. I got the errors listed below from my logs.
    **Unmatched Entries**
    Jul 16 07:23:38 mail cron[880]: sendmail: warning: /etc/postfix/main.cf, line 374: overriding earlier entry: body_checks=pcre:/etc/postfix/body_checks.pcre
    Jul 16 07:23:38 mail cron[880]: postdrop: warning: /etc/postfix/main.cf, line 374: overriding earlier entry: body_checks=pcre:/etc/postfix/body_checks.pcre.

    Can you discern anything from those?

    • Xiao Guoan (Admin)
      4 years ago

      You have a duplicate body_checks parameter in /etc/postfix/main.cf file.
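
Postfix logs `overriding earlier entry` when a parameter is assigned twice in main.cf and quietly uses the last assignment, which is what the warning quoted above reports for `body_checks`. The checker below is an added example for this page, not Postfix code: it parses main.cf the way postconf reads it (blank and comment lines skipped, a line that starts with whitespace continuing the previous logical line, so multi-line restriction lists stay one parameter) and lists every parameter set more than once with its line numbers. The sample configuration is constructed, not taken from an iRedMail install.

```python
"""Find parameters assigned more than once in a Postfix main.cf.

Added example for this page, not Postfix code. The sample file below is
constructed, not an iRedMail main.cf.
"""
from collections import defaultdict

# Constructed sample that repeats body_checks, as in the warning quoted above.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real iRedMail main.cf
myhostname = mail.domain1.com
body_checks = pcre:/etc/postfix/body_checks.pcre
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    permit_mynetworks
# a later, conflicting assignment: Postfix keeps this one and warns
body_checks = pcre:/etc/postfix/body_checks.pcre
"""


def parse_main_cf(text):
    """Return [(first_line_no, name, value)] for every logical line.

    Postfix rules: blank lines and lines whose first non-blank character is '#'
    are ignored; a line that starts with whitespace continues the previous
    logical line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and entries:
            first, name, value = entries[-1]
            entries[-1] = (first, name, (value + " " + line.strip()).strip())
            continue
        if "=" not in line:
            continue  # not a 'name = value' line; postconf would reject it
        name, value = line.split("=", 1)
        entries.append((lineno, name.strip(), value.strip()))
    return entries


def find_duplicates(text):
    """Map each parameter set more than once to the line numbers of its assignments.

    Postfix uses the last assignment and logs 'overriding earlier entry' for it."""
    lines_by_name = defaultdict(list)
    for lineno, name, _ in parse_main_cf(text):
        lines_by_name[name].append(lineno)
    return {name: lines for name, lines in lines_by_name.items() if len(lines) > 1}


if __name__ == "__main__":
    for name, lines in find_duplicates(SAMPLE_MAIN_CF).items():
        print(f"{name} is set on lines {lines}; Postfix will use line {lines[-1]}")
```

On a live server, read /etc/postfix/main.cf into `find_duplicates` and remove the assignment you do not want; `postconf -n` then shows the values Postfix actually uses, which is what to compare against after the fix.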

  • Hello Xiao, thanks for your great tutorial, I have been able to get the mail server up and running in less than an hour! However, I have a little problem; I hope you can point me to its resolution: I configured 2 domains with iRedMail, each with its own mail.domainX.com; both share the same public IP address, let’s call them mail.domain1.com and mail.domain2.com. I can access user webmail via mail.domain1.com/mail, and this happens with a user on mail.domain2.com/mail too; everything is working fine. But I realized that if I go to mail.domain1.com/mail and put in the credentials of a user created on domain2.com, I can still access the webmail of [email protected]; I think it’s not the expected behaviour. I would like to isolate the domains; each user should log in only on its own domain. Thank you in advance for your help! Hugo

  • rudy de haas - aka baffled by nginx..
    3 years ago

    umm.. Help?

    I installed Debian buster from scratch. Followed the instructions here to the letter. Email works. (Thank you!).

    However.. I want to host a bunch of virtual domains, most of which use drupal but one of which uses wordpress, so I started with that as the easiest. Using the latest wordpress.tar file, I uncompressed it into /var/www/wordpress, mv’d wordpress to wadonet, chown -R www-data:www-data wadonet, and copied the nginx vhost file from “recipes” to /etc/nginx/sites-available and ln -s’d it to enabled.

    That vhost file is below; nginx -t says it’s fine. But the WP page comes up as unformatted text with no images and text-only paragraphing.

    root@mail:/etc/nginx/sites-available# cat wadocan_net.conf
    # Upstream to abstract backend connection(s) for php
    upstream php {
        server unix:/tmp/php-cgi.socket;
        server 127.0.0.1:9000;
    }

    server {
        ## Your website name goes here.
        server_name wadocan.net www.wadocan.net;
        ## Your only path reference.
        root /var/www/wadonet;
        ## This should be in your http block and if it is, it's not needed here.
        index index.php;

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location / {
            # This is cool because no php is touched for static content.
            # include the "?$args" part so non-default permalinks doesn't break when using query string
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
            include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_pass php;
            #The following parameter can be also included in fastcgi_params file
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
        }
    }

    What am I missing?

  • rudy de haas - aka baffled by nginx..
    3 years ago

    Found it!

    Firefox console shows many lines like this:

    Content Security Policy: The page’s settings blocked the loading of a resource at http://wadocan.net/wp-includes/css/buttons.min.css?ver=5.5.1 (“default-src”).

    Now how do I fix it?

    p.s. while the error continues you can see it by pointing your browser at wadocan.net

    • rudy de haas - aka baffled by nginx..
      3 years ago

      Add this line:

      add_header Content-Security-Policy "default-src 'self';" always;

      within the server { } stuff.

      ugh – not in any nginx doc that I could find to read.

      • rudy de haas - aka baffled by nginx..
        3 years ago

        Wrong – I did not find it. The line above almost works, but javascript will not run on the page, so wordpress looks almost right but nothing actually works.

        I found these headers on a site called pastebin.com:

        # I have added 'unsafe' declarations as WordPress themes and plugins are relying on them and I am investigating for a proper minify solution

        # Report-Only: For testing purpose use add_header Content-Security-Policy-Report-Only: ...
        add_header Content-Security-Policy: "default-src 'self';
        script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.wadocan.net *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com;
        style-src 'self' 'unsafe-inline' *.wadocan.net *.googleapis.com *.bootstrapcdn.com;
        img-src 'self' 'unsafe-inline' *.wadocan.net data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org;
        frame-src 'self' maps.google.com ;
        font-src 'self' data: *.gstatic.com *.bootstrapcdn.com;
        connect-src 'self' *.googletagmanager.com;
        report-uri /csp-report.php";

        add_header X-Content-Security-Policy: "default-src 'self';
        script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.wadocan.net *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com;
        style-src 'self' 'unsafe-inline' *.wadocan.net *.googleapis.com *.bootstrapcdn.com;
        img-src 'self' 'unsafe-inline' *.wadocan.net data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org;
        frame-src 'self' maps.google.com ;
        font-src 'self' data: *.gstatic.com *.bootstrapcdn.com;
        connect-src 'self' *.googletagmanager.com;
        report-uri /csp-report.php";

        add_header X-WebKit-CSP: "default-src 'self';
        script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.wadocan.net *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com;
        style-src 'self' 'unsafe-inline' *.wadocan.net *.googleapis.com *.bootstrapcdn.com;
        img-src 'self' 'unsafe-inline' *.wadocan.net data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org;
        frame-src 'self' maps.google.com ;
        font-src 'self' data: *.gstatic.com *.bootstrapcdn.com;
        connect-src 'self' *.googletagmanager.com;
        report-uri /csp-report.php";

        This works, but I have no idea either why (the documentation seems to say that setting the default src to self should cover it) or what this actually authorizes.
        The worst thing is that when I set up the machine the first time earlier this week I simply reloaded nginx and certbot from scratch. That worked for the websites but killed iRedMail – and there’s nothing in any docs I’ve seen to tell me which mail settings need to survive changes to the nginx setup.

        Maybe the best thing would be linuxbabe et al to add a section on what to do if mail works but you need to add some virtual host websites that work with the most recent browser mods.
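
A policy that lists 'unsafe-inline' and 'unsafe-eval' under script-src, as the one quoted above does, allows inline and eval'd script and so gives up most of what CSP offers against injected markup; it is worth knowing what a copied policy actually permits before deploying it. The auditor below is an added example for this page, not the commenter's configuration and not nginx or WordPress code: it parses a policy value into directives, applies the default-src fallback that fetch directives inherit, and lists the source expressions that weaken script-src and style-src, a missing object-src 'none' and a missing base-uri. Both sample policies are constructed; the loose one only mirrors the shape of the policy quoted above. (Separately from the audit: nginx's add_header directive takes the header name and the value as two arguments, `add_header Content-Security-Policy "..." always;`, with no colon after the name.)

```python
"""Audit a Content-Security-Policy header value for sources that weaken it.

Added example for this page: not the commenter's configuration and not nginx
or WordPress code. Both sample policies below are constructed.
"""

# Source expressions that undo most of the protection script-src/style-src give.
WEAK_SOURCE_REASONS = {
    "'unsafe-inline'": "permits inline script/style, so injected markup runs",
    "'unsafe-eval'": "permits eval()-style string execution",
    "*": "permits any origin",
    "data:": "permits data: URIs, i.e. code carried inside the page's own markup",
    "http:": "permits any plaintext HTTP origin",
    "https:": "permits any HTTPS origin",
}

# Constructed policy in the shape of the WordPress one quoted above (not the commenter's text).
LOOSE_POLICY = ("default-src 'self'; "
                "script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.example.net *.googleapis.com; "
                "style-src 'self' 'unsafe-inline' *.example.net; "
                "img-src 'self' data: *.gravatar.com; "
                "report-uri /csp-report.php")

# A tighter constructed policy: scripts only from the site itself, plugins and <base> locked down.
STRICT_POLICY = ("default-src 'self'; script-src 'self'; style-src 'self'; "
                 "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def parse_csp(header_value):
    """Split a policy into {directive: [sources]}.

    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive, and a repeated directive is ignored after its first
    occurrence, as browsers do when parsing CSP."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives (script-src, style-src, object-src, ...) inherit default-src when absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header_value):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    policy = parse_csp(header_value)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: every fetch directive not listed is unrestricted")
    for directive in ("script-src", "style-src"):
        for source in effective_sources(policy, directive):
            reason = WEAK_SOURCE_REASONS.get(source.lower())
            if reason:
                findings.append(f"{directive}: {source} {reason}")
    if "'none'" not in [s.lower() for s in effective_sources(policy, "object-src")]:
        findings.append("object-src: not 'none', so <object>/<embed> plugin content can still load")
    if "base-uri" not in policy:
        findings.append("base-uri missing: a <base> tag in injected markup can rebase relative script URLs")
    return findings


if __name__ == "__main__":
    for label, policy in (("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label}: {len(audit_csp(policy))} finding(s)")
        for finding in audit_csp(policy):
            print("  -", finding)
```

The findings are informational: WordPress themes and plugins may genuinely need 'unsafe-inline' for styles, but each weak source should be a deliberate choice, and report-uri (or Content-Security-Policy-Report-Only while tuning) tells you what a tighter policy would have blocked.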

    • David Shelton
      3 years ago

      Hi, on the last bit where you change the server name, is this step necessary to acquire the cert? What if you wanted to point 10 domains to one email server? Change server_name 10 times and run certbot 10 times instead of one giant run with the original server name?

  • James
    3 years ago

    Hi

    Thank you for the great tutorials. Always check here first for linux setup guides.

    Followed setting up iRedMail on CentOS 8 successfully. Now added the second domain. Everything working well but I can’t send to gmail on the second domain. See the below in /var/log/maillog: “Untrusted TLS connection established to gmail-smtp-in.l.google.com[209.85.232.26]:25: TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256…”

    Searching on the web I see that this is my server not trusting google. They suggest editing /etc/postfix/main.cf with the below.
    smtp_tls_CApath = /etc/ssl/certs
    smtpd_tls_CApath = /etc/ssl/certs

    Tried this and variations (e.g. smtpd_tls_CApath = /etc/pki/tls/certs) but no luck. Note that I can receive emails from gmail and I can send on my first domain.

    Thanks

    • Xiao Guoan (Admin)
      3 years ago

      This message

      Untrusted TLS connection established to gmail-smtp-in.l.google.com[209.85.232.26]:25: TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256

      doesn’t mean your email server can’t send email to Gmail. It means your Postfix doesn’t verify the TLS certificate of gmail servers, which is a normal case for email servers, so the TLS connection is untrusted. You don’t need to edit the smtp_tls_CApath or smtpd_tls_CApath.

      You should look at the entire SMTP transaction to find out why your emails were not delivered to Gmail.

  • Louis
    3 years ago

    Very great guide!!! Took like 10 minutes to do, ended up with a 10/10 score on mail-tester.com.
    You are truly a god 🙂

  • jefcolbi
    3 years ago

    Thank you very much

  • Sebastian Real
    3 years ago

    Hi Xiao, thank for an incredible tutorial!
    I followed the instructions and got a mail server with multiple domains working successfully on a Raspberry Pi 4.
    Now I’m trying to install a mail server on an Ubuntu Server VM, and it works for the main domain, but I have found that after I add dkim_key(‘domain2.com’, ‘dkim’, ‘/var/lib/dkim/domain2.com.pem’); (with the correct domain) and restart amavis, I can’t send emails anymore, even from the main domain.
    On mail.log I found “Connection refused”
    Jul 8 14:25:13 mail postfix/amavis/smtp[18675]: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused
    Jul 8 14:25:13 mail postfix/submission/smtpd[18811]: disconnect from mail.empresa.com[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
    Jul 8 14:25:13 mail postfix/amavis/smtp[18675]: 4GLJV16557zvPwW: to=, relay=none, delay=0.08, delays=0.08/0/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)

    As soon as I comment out the line for the 2nd domain and restart amavis, I’m able to send mails again correctly.

    What could be happening?

    Some help please

    • Xiao Guoan (Admin)
      3 years ago

      Probably a syntax error. Check the log.

      sudo journalctl -eu amavis

  • Fernando
    3 years ago

    Is there any way to install iRedMail or any other application without using Let’s Encrypt? I’m trying to install iRedMail along with a control panel (aaPanel) to manage the server and hosted websites.

    I’ve done more than 30 installations in different orders to try to make them work together, but I always end up running into some DNS problem or authentication failure by lets encrypt.

    I’ve been blocked several times for excessive attempts with multiple hostnames. I can’t take it anymore; if someone can get in touch, I’ll buy them a coffee for help with the installation.

Comments are closed. For paid support, please contact [email protected]