How to Host Multiple Mail Domains in iRedMail with Nginx

This tutorial shows you how to host multiple email domains with iRedMail, an easy way to set up your own email server.

Prerequisites

To follow this tutorial, it’s assumed that

What You Need to Do

If you want to host multiple mail domains, then you need to

  • Add a new mail domain and user in the iRedMail admin panel.
  • Create MX, A and SPF records for the new mail domain.
  • Set up DKIM signing for the additional domain.
  • Set up a DMARC record for the new domain.
  • Set up RoundCube Webmail, Postfix and Dovecot for multiple domains.

The reverse DNS check verifies that the sender's IP address matches the HELO hostname. You don't need to add another PTR record when adding a new mail domain.

Step 1: Adding Additional Domains in iRedMail Admin Panel

Log into the iRedMail admin panel (https://mail.your-domain.com/iredadmin) with the postmaster account, then add the new domain in the Add tab.

Next, add a user under the new domain.

Step 2: Creating MX, A and SPF record for the new mail domain

In your DNS manager, add an MX record for the new domain, as below.

Record Type    Name      Value

MX             @         mail.domain2.com

The A record points to your mail server’s IP address.

Record Type    Name     Value

A              mail     IP-address-of-mail-server

If your server has an IPv6 address, also add an AAAA record.

Then create an SPF record that allows the MX host to send email for the new mail domain.

Record Type    Name      Value

TXT            @         v=spf1 mx ~all

Step 3: Setting up DKIM signing for the new domain

You need to tell amavisd to sign every outgoing email for the new mail domain. Edit the /etc/amavis/conf.d/50-user file.

sudo nano /etc/amavis/conf.d/50-user

Find the following line,

dkim_key('domain1.com', 'dkim', '/var/lib/dkim/domain1.com.pem');

Add another line specifying the location of the private key of the second domain.

dkim_key('domain2.com', 'dkim', '/var/lib/dkim/domain2.com.pem');

In @dkim_signature_options_bysender_maps section, add the following line.

 "domain2.com" => { d => "domain2.com", a => 'rsa-sha256', ttl => 10*24*3600 },

Save and close the file. Then generate the private key for the second domain.

sudo amavisd-new genrsa /var/lib/dkim/domain2.com.pem 2048

Restart Amavis.

sudo systemctl restart amavis

Display the public keys.

sudo amavisd-new showkeys

All public keys will be displayed. We need the public key of the second domain, which is in the parentheses.

In your DNS manager, create a TXT record for the second domain. Enter dkim._domainkey in the Name field. Copy everything in the parentheses and paste it into the Value field, then delete all double quotes. (You can paste it into a text editor first, delete all double quotes, then copy it to your DNS manager. Your DNS manager may also require you to delete other invalid characters, such as carriage returns.)

After saving your changes, check the TXT record with this command.

dig TXT dkim._domainkey.domain2.com

Now you can run the following command to test if your DKIM DNS record is correct.

sudo amavisd-new testkeys

If the DNS record is correct, the test will pass.

TESTING#1 domain1.com: dkim._domainkey.domain1.com => pass
TESTING#2 domain2.com: dkim._domainkey.domain2.com => pass
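
The check that amavisd-new testkeys performs can be reproduced offline, which helps when a record fails and you want to know whether DNS is serving a different key or the value was pasted badly. The Python below is an added example, not code from this tutorial or from amavis. Its sample inputs are the showkeys record and the dig answer for easyvoiceonline.be that a reader posted in the comments on this page, plus two constructed variants: the closing parenthesis of the showkeys output pasted into the record, and a record carrying a different key. It joins the TXT character-strings without separators as a verifier does, strips the folding whitespace that RFC 6376 permits inside the base64, decodes the key and walks the DER just far enough to report the modulus size.

```python
import base64
import binascii
import re

# Sample input 1: the `amavisd-new showkeys` record for one domain, as posted in
# the comments on this page. Parentheses and per-line quoting are amavis's
# presentation of a long TXT value, not part of the value itself.
SHOWKEYS_RECORD = """
; key#3 2048 bits, i=dkim, d=easyvoiceonline.be, /var/lib/dkim/easyvoiceonline.be.pem
dkim._domainkey.easyvoiceonline.be.     3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzjze8mMeJ1uNkQeRB0i8"
  "PChpVWq8LuGYO5h5h+MLrU69fHbgA6HZ2AZQIH3gP1JI9Max6Yp/Bs8Og8tqvLE5"
  "EVW27JfxrNRSKHzLUfMfOT/4hhyDlIgA10QqDV+Ns9AvE3nloF2WMUQBdAQDE5/p"
  "bo09PmaCqUHgVQf40UluqUKIc9NewdVjvNKwc96gH5RIglKSbatEfrGc0bSBh45a"
  "ihSdm5CVnZ5i499Cpc0EWY3q64m9gxxP5QE7Jujf/GR7HGMHT3nhV1I3A/KtvfaF"
  "ut0PjHB2h2r71iZGiSUhlHwwfGta6Pvqw3eV+xun1KWk2k7RIvtbZTy+t8BbG//m"
  "tQIDAQAB")
"""

# Sample input 2: the `dig TXT` answer for the same record (same comment). The
# DNS server split the value at 255 bytes and the pasted line breaks survived
# as runs of spaces inside the base64.
DIG_ANSWER_OK = (
    'dkim._domainkey.easyvoiceonline.be. 852 IN TXT  "v=DKIM1; p=   '
    'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzjze8mMeJ1uNkQeRB0i8   '
    'PChpVWq8LuGYO5h5h+MLrU69fHbgA6HZ2AZQIH3gP1JI9Max6Yp/Bs8Og8tqvLE5   '
    'EVW27JfxrNRSKHzLUfMfOT/4hhyDlIgA10QqDV+Ns9AvE3nloF2WMUQBdAQDE5/p   '
    'bo09PmaCqUHgVQf40UluqUKIc9NewdVjvNKwc96g" "H5RIglKSbatEfrGc0bSBh45a   '
    'ihSdm5CVnZ5i499Cpc0EWY3q64m9gxxP5QE7Jujf/GR7HGMHT3nhV1I3A/KtvfaF   '
    'ut0PjHB2h2r71iZGiSUhlHwwfGta6Pvqw3eV+xun1KWk2k7RIvtbZTy+t8BbG//m   '
    'tQIDAQAB"'
)
# Constructed failure cases: a stray ")" pasted into the value, and a record
# that publishes a different key than the one amavis signs with.
DIG_ANSWER_STRAY_PAREN = DIG_ANSWER_OK[:-1] + ')"'
DIG_ANSWER_WRONG_KEY = DIG_ANSWER_OK.replace("AQEAzjze", "AQEAzjzf")


def txt_strings(record: str) -> str:
    """Concatenate the quoted character-strings of a TXT record with no
    separator, which is how a DKIM verifier reassembles a long record."""
    return "".join(re.findall(r'"([^"]*)"', record))


def dkim_tags(value: str) -> dict:
    """Split 'v=DKIM1; p=...' into a tag dictionary (values kept raw)."""
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            name, val = field.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags


def decode_public_key(p_value: str) -> bytes:
    """Decode the p= tag. RFC 6376 allows folding whitespace inside the base64,
    so spaces/tabs/newlines are dropped; any other non-base64 byte is an error."""
    compact = re.sub(r"\s+", "", p_value)
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"public key: invalid data ({exc})") from exc


def _tlv(buf: bytes, pos: int):
    """Read one DER tag and length at pos; return (tag, length, value offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk a DER SubjectPublicKeyInfo (what p= encodes) down to the RSA
    modulus and return its size in bits."""
    tag, _, pos = _tlv(spki, 0)              # SubjectPublicKeyInfo SEQUENCE
    tag2, alg_len, pos = _tlv(spki, pos)     # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    pos += alg_len                           # skip the algorithm OID/params
    tag, _, pos = _tlv(spki, pos)            # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    pos += 1                                 # unused-bits octet
    _, _, pos = _tlv(spki, pos)              # RSAPublicKey SEQUENCE
    tag, length, pos = _tlv(spki, pos)       # modulus INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(spki[pos:pos + length], "big").bit_length()


def check_dkim_record(published: str, expected: str) -> str:
    """Compare the published TXT answer with the record amavis printed and
    report it the way testkeys does: pass / fail / invalid."""
    try:
        want = decode_public_key(dkim_tags(txt_strings(expected))["p"])
        got = decode_public_key(dkim_tags(txt_strings(published))["p"])
    except (KeyError, ValueError) as exc:
        return f"invalid ({exc})"
    if got != want:
        return "fail (public key mismatch)"
    return f"pass ({rsa_modulus_bits(got)}-bit RSA key)"


if __name__ == "__main__":
    for name, answer in [("ok", DIG_ANSWER_OK), ("stray paren", DIG_ANSWER_STRAY_PAREN),
                         ("wrong key", DIG_ANSWER_WRONG_KEY)]:
        print(f"{name}: {check_dkim_record(answer, SHOWKEYS_RECORD)}")
```

The three verdicts map onto the three outcomes a reader reported in the comments below: a key that differs from what amavis holds fails, a non-base64 character in the value makes the record invalid, and a value that merely has whitespace folded into it still passes.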

Step 4: Setting Up DMARC Record For the New Domain

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

The above DMARC record is a safe starting point. To see the full explanation of DMARC, please check the following article.
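
To see why p=none is the safe starting point, it helps to trace what a receiving server does with the record. The Python below is an added example, not code from this tutorial: it parses a DMARC TXT value and returns the disposition RFC 7489 prescribes for a message whose SPF and DKIM results are given. The records it evaluates are constructed here (the dmarc@domain2.com report address is an assumption).

```python
POLICIES = ("none", "quarantine", "reject")
# pct= applies the policy to a sample of failing mail only; the remainder gets
# the next weaker policy (RFC 7489 section 6.6.4).
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT value into tags and reject records a receiver would
    ignore: v=DMARC1 must come first, p= is mandatory and must be a known
    policy, pct= is 0..100 and rua= must be a list of mailto: URIs."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag {field!r}")
        name, value = (part.strip() for part in field.split("=", 1))
        tags[name] = value
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    for uri in filter(None, tags.get("rua", "").split(",")):
        if not uri.startswith("mailto:"):
            raise ValueError(f"rua= must use mailto: URIs, got {uri!r}")
    tags["pct"] = pct
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p=
    return tags


def is_valid_dmarc(record: str) -> bool:
    """True if a receiver would honour the record at all."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def dmarc_disposition(record: str, dkim_aligned: bool, spf_aligned: bool,
                      from_subdomain: bool = False, sampled: bool = True) -> str:
    """Disposition under RFC 7489 section 6.6: the message passes when DKIM
    *or* SPF passes and aligns with the From: domain. Only a message failing
    both gets the published policy (sp= for subdomains), and mail that falls
    outside the pct= sample gets the next weaker policy."""
    tags = parse_dmarc(record)
    if dkim_aligned or spf_aligned:
        return "none"
    policy = tags["sp"] if from_subdomain else tags["p"]
    return policy if sampled else WEAKER[policy]


# Constructed sample records: the tutorial's monitoring-only starting point and
# a strict policy for comparison.
RECORD_MONITOR = "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@domain2.com"
RECORD_STRICT = "v=DMARC1; p=reject; sp=quarantine; pct=50; rua=mailto:dmarc@domain2.com"

if __name__ == "__main__":
    for rec in (RECORD_MONITOR, RECORD_STRICT):
        print(rec)
        print("  DKIM aligned, SPF failed ->", dmarc_disposition(rec, True, False))
        print("  both failed, sampled     ->", dmarc_disposition(rec, False, False))
        print("  both failed, unsampled   ->", dmarc_disposition(rec, False, False, sampled=False))
        print("  subdomain, both failed   ->", dmarc_disposition(rec, False, False, from_subdomain=True))
```

With p=none every branch returns "none", so mis-signed mail is still delivered while the rua= reports show you what would have been affected; move to quarantine or reject only once those reports are clean.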

Step 5: Setting up RoundCube, Postfix and Dovecot for Multiple Domains

It makes sense to let users of the first domain use mail.domain1.com and users of the second domain use mail.domain2.com when using RoundCube webmail.

Change working directory to /etc/nginx/.

cd /etc/nginx/

Create a blank server block file for the second domain in /etc/nginx/sites-enabled/ directory.

sudo touch sites-enabled/mail.domain2.com.conf

Copy the default HTTP site configurations to the file.

cat sites-enabled/00-default.conf | sudo tee -a sites-enabled/mail.domain2.com.conf

Copy the default SSL site configurations to the file.

cat sites-enabled/00-default-ssl.conf | sudo tee -a sites-enabled/mail.domain2.com.conf

Edit the virtual host file.

sudo nano sites-enabled/mail.domain2.com.conf

Find the following line.

server_name _;

We need to change the server_name to mail.domain2.com, because later we will use Certbot to obtain a new TLS certificate for that hostname.

server_name mail.domain2.com;

There are two instances of server_name (one in the HTTP server block and one in the HTTPS server block); change both of them. Save and close the file. Then test the Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Now use the Certbot webroot plugin to obtain a TLS certificate for all your mail domains, so you have a single TLS certificate with multiple domain names on it.

sudo certbot certonly --webroot --agree-tos -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email your-email-address -w /var/www/html

Notice that in the above command, we specified the cert name using the first mail domain, which will be used in the file path, so you don’t have to change the file path in Postfix or Dovecot configuration file.

When it asks if you want to update existing certificate to include the new domain, answer U and hit Enter.

Certbot then prints a message indicating that the multi-domain certificate was successfully obtained.

Reload Nginx to pick up the new certificate.

sudo systemctl reload nginx

You should now be able to use either domain to access RoundCube webmail. You also need to reload the Postfix SMTP server and the Dovecot IMAP server so that they pick up the new certificate.

sudo systemctl reload postfix

sudo systemctl reload dovecot

Using Mail Client on Your Computer or Mobile Device

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account of the second domain.

  • In the incoming server section, select IMAP protocol, enter mail.domain2.com as the server name, choose port 993 and SSL/TLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter mail.domain2.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Although the Postfix SMTP server and Dovecot IMAP server still use the hostname of the first mail domain (mail.domain1.com) when communicating with others, they now present the multi-domain certificate, so the mail client won't display certificate warnings.

SPF and DKIM Check

Now you can use your desktop email client or webmail client to send a test email to [email protected]r.port25.com and get a free email authentication report. Here's the report I got from port25.com.

Don’t forget to test your email score at https://www.mail-tester.com and also GlockApps.com.

That’s it! I hope this tutorial helped you host multiple email domains with iRedMail. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

47 Responses to “How to Host Multiple Mail Domains in iRedMail with Nginx”

  • Thank you for this interesting read.
    Is there any encryption implemented for mail data stored at the server?
    If not, how would I add this?

  • Your tutorials are great, I have been following a few of them.

    Right now I have a problem, when trying to setup a second domain like in this tutorial.
    My second domain can send mails without a problem, but it does not receive any email.
    The strange thing is, that the sender also does not get an error message. The mail just disappears and is neither delivered nor rejected.

    DNS settings are all correct. I do not know where else to look.

    Thanks for helping

    • You should check the mail log (/var/log/mail.log) on the receiving email server. If DNS records are correct, you will see the sender in the mail log and it will tell you the reason why the email wasn’t delivered.

  • Hi Xiao,
    that definitely gives me more info about the problem. It seems that all mails sent to this domain are queued indefinitely

    Dec  1 22:18:14 mail postfix/postscreen[10894]: PASS NEW [209.85.214.178]:44948
    Dec  1 22:18:14 mail postfix/smtpd[10902]: connect from mail-pl1-f178.google.com[209.85.214.178]
    Dec  1 22:18:14 mail postfix/smtpd[10902]: Anonymous TLS connection established from mail-pl1-f178.google.com[209.85.214.178]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Dec  1 22:18:15 mail postfix/smtpd[10902]: 28E18414F8: client=mail-pl1-f178.google.com[209.85.214.178]
    Dec  1 22:18:15 mail postfix/cleanup[10911]: 28E18414F8: message-id=
    Dec  1 22:18:15 mail postfix/qmgr[10781]: 28E18414F8: from=, size=2777, nrcpt=1 (queue active)
    Dec  1 22:18:15 mail postfix/smtpd[10902]: disconnect from mail-pl1-f178.google.com[209.85.214.178] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
    

    I do not know why this happens.

    I restarted amavis and nginx and now it is working. This seems strange.
    Thanks

    Really appreciate your tutorials! 5 out of 5

  • Dave Kimble
    9 months ago

    The only weakness of iRedMail is that if it fails to install correctly, or gets corrupted later, they recommend reinstalling the OS then iRedMail again. This wouldn’t be necessary if they kept a strict log of all the changes made with the location, old-value and new-value, so that “apt purge” could use the log to undo all changes.

  • Hi Xiao,
    I set up the mail-server with iRedMail on Ubuntu 16.04 for one domain without any problems. Your guide is great.
    But I try to set up multiple domains and problems start.
    Can not set up dkim._domainkey in my DNS zone. I get a message: “The hostname of the record does not match the name of the zone.”
    The main domain (mydomain.com) is pointed to a different IP address than the mail subdomain (mail.domain.com).
    I have website on other VPS than mail-server. How to fix it?
    In my DNS zone I have:
    mydomain.com | A | IP 1 (111.111.11.11)
    www.mydomain.com | CNAME | mydomain.com
    mail.mydomain.com | A | IP 2 (222.222.22.22)
    mydomain.com | MX | 10 | mail.mydomain.com
    mydomain.com | TXT | v=spf1 mx ~all

    • OK – I fixed it. The question from the previous comment is out of date.
      Everything working fine with two domains and different IP addresses.
      Score 10/10 for both domains.
      Thank you again for great tutorials.

    • Glad to know it’s working for you now 🙂

  • Fantastic job! It is nice to see a tutorial which actually works! Most of these kind of tutorials have a ton of errors and they don’t work exactly right so you have to do a lot of digging on your own. Yours are spot on!

    This got me up and running perfectly. The only gap I have now is how to configure and administer the spam components and whitelists/blacklists for iRedMail. Do you have a tutorial on that or can you recommend a good resource?

    • iRedMail uses Postscreen and SpamAssassin for spam filtering, which is configured in /etc/postfix/main.cf file. Another good tool is rspamd, which has a nice web-based graphical interface. I will write an article about rspamd.

      • Thank you! I am really looking forward to that! I know iRedMail uses Amavised-new, SpamAssassin & ClamAV. Are these (or suitable replacements) integrated into rspamd so we only have one interface to deal with for virus filtering, spam and whitelists/blacklists? Or do I need to look at other solutions for some of that? I glanced at rspamd.com really quickly but couldn’t tell what components they are using. Thank you again for everything. I will be donating to support the site!

  • tom_cr00z
    8 months ago

    Clarification: in order for this to work, I have to get another domain, right, and point it to the same public IP address of my current iRedMail server?

    • I suppose that you asked “The A record for mail.domain2.com should be pointed to the public IP address of the current iRedMail server?”

      The answer is Yes.

  • tom_cr00z
    8 months ago

    You're the best, bro

  • Hello Xiao, you mentioned in another post that it was possible to run other sites alongside this setup. How can this be done? I had it working previously, but I have no idea how I did it. Any tips? Thanks.

  • Hello Xiao,

    I see that you want to write an article about rspamd. Is it possible to do it with a howto for switching from amavis (spamassassin) to rspamd in iRedMail?

    Thx

  • Hello xiao

    In this article, every newly added domain name is redirected to a new entry like mail.domain2.com, mail.domain3.com etc…

    Can I do it like this? Every newly added domain name is managed by mail.domain.com

    • Yes, you can use the same hostname for MX record and webmail. You can even use the same DKIM key for all domain names, but I recommend using a unique DKIM key for each domain name to have better email deliverability.

      • Hello

        I have setup hostname mail.domain1.com and first email domain domain2.com.

        The admin url :https://mail.domain1.com/iredadmin/

        admin account :[email protected]

        how to setup my dns records ? so that all email domains are managed by mail.domain1.com and all new domains client login is https://mail.domain1.com/mail/

    • You can set the MX record of domain2.com to use mail.domain1.com. Then simply add email accounts at the admin panel. By default, all email accounts can login at https://mail.domain1.com/mail/.

      • so I need only set MX record for domain2.com as below ?

        MX @ mail.domain1.com

    • Yes, use that MX record. Then set up DKIM key and create DMARC record.

  • Waleed Talaat
    3 months ago

    Hi, thanks for posting, it really did help…. When the cert expires, how do I renew it, and is there any way to auto-renew the cert?

    • The certbot debian package ships with its own cron job (/etc/cron.d/certbot) and a systemd timer (/lib/systemd/system/certbot.timer) to automatically renew TLS certificate. So you don’t need to manually add cron job or systemd timer. The timer runs certbot.service twice a day. You can check its status with:

      systemctl status certbot.timer

  • Anantha Raman Lakshmipathi
    2 months ago

    Hi everyone. I have created a bash script which can execute the entire above mentioned commands in a single step. Code pasted below:

    Note: Before running script edit host ip, primary mail domain and email id inside the script

    #!/bin/bash
    # Run this script as root: several commands below write under /etc without sudo.
    # define ipaddress variable
    # define primary mail domain
    # define ssl cert email id
    ipaddress="1.2.3.4"
    primarymaildomain="mail.myprimarydomain.com"
    sslemail="[email protected]"
    echo " "
    sleep 2
    echo "Add new email domain script started"
    echo " "
    sleep 2
    echo "Add domain and user in iRedAdmin"
    echo " "
    sleep 2
    read -p "Press enter if added?"
    echo " "
    sleep 2
    echo "Enter domain name without www ; Eg: mywebsite.com"
    echo " "
    read domainname
    echo " "
    sleep 2
    echo "Adding new domain DKIM Key now"
    # The two amavis lines from Step 3, inserted after the marker comments in 50-user
    var1="dkim_key('$domainname', 'dkim', '/var/lib/dkim/$domainname.pem');"
    sed -i -e "/\# Add dkim_key here./a $var1" /etc/amavis/conf.d/50-user
    var2=" \"$domainname\" => { d => \"$domainname\", a => 'rsa-sha256', ttl => 10*24*3600 },"
    sed -i -e "/\# Per-domain dkim key/a $var2" /etc/amavis/conf.d/50-user
    echo " "
    sleep 2
    echo "New Domain DKIM key added"
    echo " "
    sleep 2
    echo "Generating DNS records"
    echo " "
    var3="/var/lib/dkim/$domainname.pem"
    sudo amavisd-new genrsa $var3 2048
    sudo systemctl restart amavis
    # The zone fragment goes to /etc/dnsrecords; create the directory on first run
    sudo mkdir -p /etc/dnsrecords
    var3a="/etc/dnsrecords/$domainname.txt"
    if [ -f "$var3a" ] ; then
    sudo rm "$var3a"
    fi
    echo " " >> $var3a
    echo "; DKIM Record" >> $var3a
    sudo amavisd-new showkeys $domainname >> $var3a
    echo "; MX Record" >> $var3a
    echo "$domainname. 1 IN MX 1 mail.$domainname." >> $var3a
    echo "; A Record" >> $var3a
    echo "mail.$domainname. 1 IN A $ipaddress" >> $var3a
    echo "; TXT Records" >> $var3a
    echo "$domainname. 1 IN TXT \"v=spf1 mx ~all\"" >> $var3a
    echo "_dmarc.$domainname. 1 IN TXT \"v=DMARC1; p=none; pct=100; rua=mailto:[email protected]$domainname\"" >> $var3a
    echo " " >> $var3a
    echo " "
    echo "DNS records generated. Download it @ /etc/dnsrecords folder. Import in DNS as BIND file"
    echo " "
    sleep 2
    read -p "Press enter to continue after updating dns records?"
    sleep 2
    echo " "
    echo "Testing DKIM record key"
    echo " "
    sudo amavisd-new testkeys $domainname
    echo " "
    # Nginx virtual host for the new domain: copy the two default blocks, then set server_name (Step 5)
    var4="/etc/nginx/sites-enabled/mail.$domainname.conf"
    sudo touch $var4
    var5="/etc/nginx/sites-enabled/00-default.conf"
    cat $var5 | sudo tee -a $var4 > /dev/null
    var6="/etc/nginx/sites-enabled/00-default-ssl.conf"
    cat $var6 | sudo tee -a $var4 > /dev/null
    var7="server_name _;"
    var8="server_name mail.$domainname;"
    sed -i -e "s/$var7/$var8/g" $var4
    sleep 2
    echo "Testing nginx configuration"
    echo " "
    sudo nginx -t
    sudo systemctl reload nginx
    echo " "
    # Build the comma-separated list of every mail.* vhost so the certificate covers all of them
    ls /etc/nginx/sites-enabled > /etc/dnsrecords/aaaexistingdomains.txt
    sed -e s/00-default.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
    sed -e s/00-default-ssl.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
    sed -e 's/\.conf//g' -i /etc/dnsrecords/aaaexistingdomains.txt
    sed -i '/^$/d' /etc/dnsrecords/aaaexistingdomains.txt
    sed -i ':a;N;$!ba;s/\n/,/g' /etc/dnsrecords/aaaexistingdomains.txt
    var8a="/etc/dnsrecords/aaaexistingdomains.txt"
    var8b=$(cat "$var8a")
    var9="$primarymaildomain,$var8b"
    sleep 2
    echo "Updating SSL certificates"
    echo " "
    sleep 2
    echo "Click 'u' when prompted"
    echo " "
    sleep 2
    sudo certbot certonly --webroot --agree-tos -d $var9 --cert-name $primarymaildomain --email $sslemail -w /var/www/html
    echo " "
    sleep 2
    echo "Restarting nginx, postfix and dovecot"
    echo " "
    sudo systemctl reload nginx
    sudo systemctl reload postfix
    sudo systemctl reload dovecot
    sleep 2
    echo "Add new email domain script ended"
    echo " "
    var10="https://mail.$domainname/"
    sleep 2
    echo "Now you can visit $var10"
    echo " "
    sleep 2
    echo "Thank You"
    echo " "
    sleep 2

    • Anantha Raman Lakshmipathi
      2 months ago

      Also, the above script will generate DNS records in BIND format, which can be imported directly in almost all DNS providers like Cloudflare, GoDaddy etc.

    • Anantha Raman Lakshmipathi
      2 months ago

      No need to edit anything inside bash script. Directly run the following script and give inputs when prompted. DNS records will be generated and new email domain will be added automatically.

      #!/bin/bash
      # Run this script as root: several commands below write under /etc without sudo.
      # Public IP of this server and its FQDN, used for the A record and the certificate name
      ipaddress=$(dig +short myip.opendns.com @resolver1.opendns.com)
      primaildom=$(hostname -f)
      echo " "
      sleep 2
      echo "Add new email domain script started"
      echo " "
      sleep 2
      echo "Add domain and user in iRedAdmin"
      echo " "
      sleep 2
      read -p "Press enter if added?"
      echo " "
      sleep 2
      echo "Enter domain name without www ; Eg: mywebsite.com"
      echo " "
      read domainname
      echo " "
      sleep 2
      echo "Adding new domain DKIM Key now"
      # The two amavis lines from Step 3, inserted after the marker comments in 50-user
      var1="dkim_key('$domainname', 'dkim', '/var/lib/dkim/$domainname.pem');"
      sed -i -e "/\# Add dkim_key here./a $var1" /etc/amavis/conf.d/50-user
      var2=" \"$domainname\" => { d => \"$domainname\", a => 'rsa-sha256', ttl => 10*24*3600 },"
      sed -i -e "/\# Per-domain dkim key/a $var2" /etc/amavis/conf.d/50-user
      echo " "
      sleep 2
      echo "New Domain DKIM key added"
      echo " "
      sleep 2
      echo "Generating DNS records"
      echo " "
      var3="/var/lib/dkim/$domainname.pem"
      sudo amavisd-new genrsa $var3 2048
      sudo systemctl restart amavis
      # The zone fragment goes to /etc/dnsrecords; create the directory on first run
      sudo mkdir -p /etc/dnsrecords
      var3a="/etc/dnsrecords/$domainname.txt"
      if [ -f "$var3a" ] ; then
      sudo rm "$var3a"
      fi
      echo " " >> $var3a
      echo "; DKIM Record" >> $var3a
      sudo amavisd-new showkeys $domainname >> $var3a
      echo "; MX Record" >> $var3a
      echo "$domainname. 1 IN MX 1 mail.$domainname." >> $var3a
      echo "; A Record" >> $var3a
      echo "mail.$domainname. 1 IN A $ipaddress" >> $var3a
      echo "; TXT Records" >> $var3a
      echo "$domainname. 1 IN TXT \"v=spf1 mx ~all\"" >> $var3a
      echo "_dmarc.$domainname. 1 IN TXT \"v=DMARC1; p=none; pct=100; rua=mailto:[email protected]$domainname\"" >> $var3a
      echo " " >> $var3a
      echo " "
      echo "DNS records generated. Download it @ /etc/dnsrecords folder. Import in DNS as BIND file"
      echo " "
      sleep 2
      read -p "Press enter to continue after updating dns records?"
      sleep 2
      echo " "
      echo "Testing DKIM record key"
      echo " "
      sudo amavisd-new testkeys $domainname
      echo " "
      # Nginx virtual host for the new domain: copy the two default blocks, then set server_name (Step 5)
      var4="/etc/nginx/sites-enabled/mail.$domainname.conf"
      sudo touch $var4
      var5="/etc/nginx/sites-enabled/00-default.conf"
      cat $var5 | sudo tee -a $var4 > /dev/null
      var6="/etc/nginx/sites-enabled/00-default-ssl.conf"
      cat $var6 | sudo tee -a $var4 > /dev/null
      var7="server_name _;"
      var8="server_name mail.$domainname;"
      sed -i -e "s/$var7/$var8/g" $var4
      sleep 2
      echo "Testing nginx configuration"
      echo " "
      sudo nginx -t
      sudo systemctl reload nginx
      echo " "
      # Build the comma-separated list of every mail.* vhost so the certificate covers all of them
      ls /etc/nginx/sites-enabled > /etc/dnsrecords/aaaexistingdomains.txt
      sed -e s/00-default.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
      sed -e s/00-default-ssl.conf//g -i /etc/dnsrecords/aaaexistingdomains.txt
      sed -e 's/\.conf//g' -i /etc/dnsrecords/aaaexistingdomains.txt
      sed -i '/^$/d' /etc/dnsrecords/aaaexistingdomains.txt
      sed -i ':a;N;$!ba;s/\n/,/g' /etc/dnsrecords/aaaexistingdomains.txt
      var8a="/etc/dnsrecords/aaaexistingdomains.txt"
      var8b=$(cat "$var8a")
      var9="$primaildom,$var8b"
      sleep 2
      echo "Updating SSL certificates"
      echo " "
      sleep 2
      echo "Enter email id required for ssl certificate generation"
      echo " "
      read sslemailid
      echo " "
      echo "Click 'u' when prompted"
      echo " "
      sleep 2
      sudo certbot certonly --webroot --agree-tos -d $var9 --cert-name $primaildom --email $sslemailid -w /var/www/html
      echo " "
      sleep 2
      echo "Restarting nginx, postfix and dovecot"
      echo " "
      sudo systemctl reload nginx
      sudo systemctl reload postfix
      sudo systemctl reload dovecot
      sleep 2
      echo "Add new email domain script ended"
      echo " "
      var10="https://mail.$domainname/"
      sleep 2
      echo "Now you can visit $var10"
      echo " "
      sleep 2
      echo "Thank You"
      echo " "
      sleep 2

  • Alexandru Gagea
    2 months ago

    Hi,

    Is the PTR record required for the second mail domain ?

    • PTR record is for an IP address. If you have already created PTR record when you first set up your mail server, you don’t need to change it when you add a second mail domain.

  • Alexandru Gagea
    2 months ago

    Hello again,

    I'm having issues with the 2nd domain. All the email sent to gmail, yahoo.. etc. goes directly to spam. I think I've set everything right.. could anyone help me see if I've missed anything?

    The 1st domain is working just fine, all the emails land in the inbox. The second one is set up as below:

    MX : domain2.com mail.domain2.com
    A: domain2.com ip-address
    SPF: domain2.com v=spf1 mx ~all
    DKIM signature generated by amavisd was too long and not accepted by my dns manager so i generated another one with some online tool.
    The Dkim tests pass with :
    dig TXT dkim._domainkey.domain2.com

    sudo amavisd-new testkeys
    DMARC : _dmarc.domain2.com TXT “v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

    dig -x IP-address +short command points to mail.domain2.com ( it used to point to mail.domain1.com but it has changed after i sent a form to aws for the rdns to point to 2nd domain, the first domain still work fine. )

    So, with all of the above, mails still enter spam inbox. What should I do ?

  • Alexandru Gagea
    2 months ago

    I've just noticed that only emails sent from "[email protected]" and "[email protected]" reach the inbox. All other emails sent from both domains go to the spam inbox.

    Ideas ?

    • The fact is even if you get a 10/10 score at mail-tester.com, your email can still be flagged as spam, especially for newly registered domain names.

      If you send transactional emails, you shouldn’t worry too much, because your users will mark your email as not spam and your email will eventually be put in inbox. You just need to wait some time to build your reputation.

      If you send marketing emails (bulk emails), you need to follow these rules or practices.

      1. Make sure the recipient gave you permission to send email. Use double opt-in to verify subscriber’s email address.
      2. Don’t send cold emails to thousands of people who have never received emails from you before. Instead, you need to warm up your IP address. For example, send 500 emails on day 1, then send 1000 emails on day 2, send 2000 emails on day
      3. Include your contact information and your mailing address at the bottom of the email message.
      4. Personalize the email message as much as possible. For example, include the recipient’s name in the email.
      5. Conform to CAN-SPAM Act
      6. Avoid large attachments.
      7. Clean your email list. For example, delete email subscribers that haven’t opened your email in the last 30 days.
      8. Get approved as Return Path Certified Sender.

      I also recommend you to check out Gmail, Yahoo, Hotmail’s bulk email best practices.

  • ckhatton
    2 months ago

    As I am creating more and more mail servers, is it a good idea that they are all sharing the same certificate? Anyone can look at the certificate and see all the servers it has been allocated to.

    • You can get certbot to issue separate SSL certificate for each mail domain, but if you need to remotely login from a desktop/mobile mail client or another web application, you need to enter the first hostname (mail.domain1.com) for the server address, because Postfix does not support multiple SSL certificates on single IP address yet.

      • ckhatton
        2 months ago

        Thank you. Interesting – I might actually do that, as the first domain (mail.domain1.com) can act as the main server address. What would be the command to create a separate SSL certificate?

    • If you prefer to create a separate SSL certificate for each domain name, then you should not copy the default SSL configuration to the new virtual host file. That is to say, don't run the following command:

      cat sites-enabled/00-default-ssl.conf | sudo tee -a sites-enabled/mail.domain2.com.conf

      Then use certbot to create single-domain SSL certificate.

      sudo certbot --nginx --agree-tos --hsts --staple-ocsp --email your-email-address -d mail.domain2.com

      • ckhatton
        2 months ago

        Thank you! 🙌

        • ckhatton
          4 weeks ago

          Hi Xiao! I’ve followed that, but when I go to mail.domain2.com it redirects too many times. This is the conf for it… https://www.pastiebin.com/5d5aa095af09b

  • Hi There,

    I followed your steps, but if I test the keys I get this error

    amavisd-new testkeys

    TESTING#1 easyvoiceonline.nl: dkim._domainkey.easyvoiceonline.nl => fail (bad RSA signature)
    TESTING#2 easyvoiceonline.co.uk: dkim._domainkey.easyvoiceonline.co.uk => invalid (public key: invalid data)
    TESTING#3 easyvoiceonline.be: dkim._domainkey.easyvoiceonline.be => pass

    these are the keys:

    key#1 1024 bits, i=dkim, d=easyvoiceonline.nl, /var/lib/dkim/easyvoiceonline.nl.pem
    dkim._domainkey.easyvoiceonline.nl.     3600 TXT (
      "v=DKIM1; p="
      "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC2ixN7MLLfSm1zxnjnTp+RiyN"
      "9wRXbULxsoY0qxd/YubSsR03nZ1yiu9eebG4IGqaVXjNhi7ICp6ZIk2TS7/4DyFy"
      "6HA7ADEjcHFECtwyupSXdMXFlfuQDV8nAwm7Jz/M86BX5UCO/ipd8SbMyfJL1UxW"
      "w+LTR/aMEAXqYBV8ZwIDAQAB")
    
    ; key#2 2048 bits, i=dkim, d=easyvoiceonline.co.uk, /var/lib/dkim/easyvoiceonline.co.uk.pem
    dkim._domainkey.easyvoiceonline.co.uk.  3600 TXT (
      "v=DKIM1; p="
      "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl/yioBrjbEHgFomTFtAV"
      "pKQEqPHaY5Ut8VZH1y4jQu3HySWIAXErhmAp5TCUwZd2U9xuWSy8Tp1Zn6sgaJg5"
      "VmbYDw6GVneocTou9KIM5ns1C173D538hkoKRBFfMvrMwp8jfyb/1e4S9E4NH8nM"
      "aaSEiwRpK1lWqck7927K33BAKyC2kUBN4Ldmee6wqI9x8bjICMMryfN5JLLJscfp"
      "h+f2ue2gTbwW5AL7dwVPiadIA/8yvjcWdCbzG6obf8KEK3Y83vbLunqHISCndG8o"
      "5+t3kRkH6chgtmSH5HuCzZ+3KYf6dpV+SHUBJ5Q6KDeh/iHPjR0xY6M3xs5E/vU6"
      "SwIDAQAB")
    
    ; key#3 2048 bits, i=dkim, d=easyvoiceonline.be, /var/lib/dkim/easyvoiceonline.be.pem
    dkim._domainkey.easyvoiceonline.be.     3600 TXT (
      "v=DKIM1; p="
      "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzjze8mMeJ1uNkQeRB0i8"
      "PChpVWq8LuGYO5h5h+MLrU69fHbgA6HZ2AZQIH3gP1JI9Max6Yp/Bs8Og8tqvLE5"
      "EVW27JfxrNRSKHzLUfMfOT/4hhyDlIgA10QqDV+Ns9AvE3nloF2WMUQBdAQDE5/p"
      "bo09PmaCqUHgVQf40UluqUKIc9NewdVjvNKwc96gH5RIglKSbatEfrGc0bSBh45a"
      "ihSdm5CVnZ5i499Cpc0EWY3q64m9gxxP5QE7Jujf/GR7HGMHT3nhV1I3A/KtvfaF"
      "ut0PjHB2h2r71iZGiSUhlHwwfGta6Pvqw3eV+xun1KWk2k7RIvtbZTy+t8BbG//m"
      "tQIDAQAB")

    Here are the dig results;

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dkim._domainkey.easyvoiceonline.co.uk. IN TXT
    
    ;; ANSWER SECTION:
    dkim._domainkey.easyvoiceonline.co.uk. 861 IN TXT "v=DKIM1; p=   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl/yioBrjbEHgFomTFtAV   pKQEqPHaY5Ut8VZH1y4jQu3HySWIAXErhmAp5TCUwZd2U9xuWSy8Tp1Zn6sgaJg5   VmbYDw6GVneocTou9KIM5ns1C173D538hkoKRBFfMvrMwp8jfyb/1e4S9E4NH8nM   aaSEiwRpK1lWqck7927K33BAKyC2kUBN4Ldmee6w" "qI9x8bjICMMryfN5JLLJscfp   h+f2ue2gTbwW5AL7dwVPiadIA/8yvjcWdCbzG6obf8KEK3Y83vbLunqHISCndG8o   5+t3kRkH6chgtmSH5HuCzZ+3KYf6dpV+SHUBJ5Q6KDeh/iHPjR0xY6M3xs5E/vU6   SwIDAQAB)"
    
    ;; Query time: 1 msec
    ;; SERVER: 2a00:f10:ff04:153::53#53(2a00:f10:ff04:153::53)
    ;; WHEN: Mon Aug 05 19:54:27 CEST 2019
    ;; MSG SIZE  rcvd: 505
    
    [email protected]:~# dig TXT dkim._domainkey.easyvoiceonline.be
    
    ; <<>> DiG 9.10.3-P4-Debian <<>> TXT dkim._domainkey.easyvoiceonline.be
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27854
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dkim._domainkey.easyvoiceonline.be. IN TXT
    
    ;; ANSWER SECTION:
    dkim._domainkey.easyvoiceonline.be. 852 IN TXT  "v=DKIM1; p=   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzjze8mMeJ1uNkQeRB0i8   PChpVWq8LuGYO5h5h+MLrU69fHbgA6HZ2AZQIH3gP1JI9Max6Yp/Bs8Og8tqvLE5   EVW27JfxrNRSKHzLUfMfOT/4hhyDlIgA10QqDV+Ns9AvE3nloF2WMUQBdAQDE5/p   bo09PmaCqUHgVQf40UluqUKIc9NewdVjvNKwc96g" "H5RIglKSbatEfrGc0bSBh45a   ihSdm5CVnZ5i499Cpc0EWY3q64m9gxxP5QE7Jujf/GR7HGMHT3nhV1I3A/KtvfaF   ut0PjHB2h2r71iZGiSUhlHwwfGta6Pvqw3eV+xun1KWk2k7RIvtbZTy+t8BbG//m   tQIDAQAB"
    
    ;; Query time: 1 msec
    ;; SERVER: 2a00:f10:ff04:153::53#53(2a00:f10:ff04:153::53)
    ;; WHEN: Mon Aug 05 19:54:36 CEST 2019
    ;; MSG SIZE  rcvd: 501
    
    [email protected]:~# dig TXT dkim._domainkey.easyvoiceonline.nl
    
    ; <<>> DiG 9.10.3-P4-Debian <<>> TXT dkim._domainkey.easyvoiceonline.nl
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39534
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dkim._domainkey.easyvoiceonline.nl. IN TXT
    
    ;; ANSWER SECTION:
    dkim._domainkey.easyvoiceonline.nl. 489 IN TXT  "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRZC1bMjVivG2euM26uv/vUxIml511IxHAK2YFUcSJGwJ2MxjXVxEoIITD7KFmhupt4JD544ojKd4FASv+2VApgC/mx5U0Hc3aK9jOdFoTqsUKg6fZZHkkJObTAsLcvWLvZRQtlmx79t1eY34OgPDtKhMhSmFEuatdKWsREgFNKwIDAQAB"
    
    ;; Query time: 0 msec
    ;; SERVER: 2a00:f10:ff04:153::53#53(2a00:f10:ff04:153::53)
    ;; WHEN: Mon Aug 05 19:54:40 CEST 2019
    ;; MSG SIZE  rcvd: 303
    
    [email protected]:~# 

    Hopefully you can help me?

    • Little edit: in the dig results you'll see ", which I have now removed. The TTL is 3600, so should I just be patient?

    • You didn’t enter the DKIM record correctly. For easyvoiceonline.nl, the public key is different in the DNS record. For easyvoiceonline.co.uk, there are many carriage return characters in the DNS record. Remove them.

      • It's working now, thank you. Although I do not get emails on a 4th added domain @easyvoicetelecom.co.uk: it sends but I cannot receive? Any suggestions?

  • Certbot fails with the challenge of the second domain

    – The following errors were reported by the server:

    Domain: mydomain2.gr
    Type: unauthorized
    Detail: Invalid response from
    https://mydomain2.gr/.well-known/acme-challenge/_ZKOgvrQaKVeMt23sKDFksA4by2nGwyC-PlLST1W4ds
    [116.203.176.145]: "\r\n404 Not Found\r\n\r\n404\nNot Found\n\r\n"


    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Stephan
    2 days ago

    I run a (non-iRedMail) mail server for multiple domains. The reverse DNS points to the main domain, e.g. mail.somename.net, the mail domains are mail.domain1.net and mail.domain2.net without a rDNS record, but with correct PTR and SPF records.

    Some receiving mail servers reject mails from mail.domain1.net or mail.domain2.net because the reverse DNS points to mail.somename.net instead. In Europe many mail providers are very restrictive in this regard (e.g. t-online.de, gmx.de or bluewin.ch).

    How can this howto work in such an environment?
