How to Easily Set Up a Full-Featured Mail Server on Ubuntu 18.04 with iRedMail

Setting up your own email server on Linux from scratch is a pain in the butt, if you are not an advanced user. This tutorial will be showing you how to use iRedMail to quickly set up a full-featured mail server on Ubuntu 18.04, saving you lots of time and headaches.

What is iRedMail?

iRedMail is a shell script that automatically installs and configures all the necessary mail server components on your Linux/BSD server, eliminating manual installation and configuration. With iRedMail, you can easily create unlimited mailboxes and mail domains in a web-based admin panel. Mailboxes can be stored in a MariaDB/MySQL or PostgreSQL database, or in OpenLDAP. The open-source software used by iRedMail is as follows:

  • Postfix SMTP server
  • Dovecot IMAP server
  • Nginx web server
  • OpenLDAP, ldapd
  • MySQL/MariaDB, PostgreSQL
  • Amavisd-new
  • SpamAssassin
  • ClamAV
  • Roundcube webmail
  • SOGo Groupware
  • Fail2ban
  • mlmmj mailing list manager
  • Netdata server monitoring
  • iRedAPD Postfix policy server for greylisting


To set up a complete email server with iRedMail, you need a server with at least 2GB of RAM, because after the installation your server will use more than 1GB of RAM. This tutorial was done on a $10/month Linode VPS (virtual private server). I recommend Linode because it doesn’t block port 25, so you can send unlimited emails at no extra cost.

Other VPS providers like DigitalOcean block port 25, and you will need to set up an SMTP relay to get around the block, which can cost additional money. Once you have a VPS, install Ubuntu on it and follow the instructions below. You also need a domain name. I registered my domain name with NameCheap because the price is low and they give WHOIS privacy protection free for life.

It is recommended that you follow the instructions below on a clean install of Ubuntu 18.04. Installing a piece of complex server software like iRedMail on a non-LTS Ubuntu release is discouraged, as you will probably run into problems when upgrading the OS every 9 months. The software author doesn’t have time to support every Ubuntu release, and it is far better for your mail server to stay on a stable LTS release for years.

Also, make sure your server IP address isn’t listed in any email blacklist. You can go to and to check your server IP address. If it’s in a blacklist, you can delete your VPS instance in Linode and create a new one. As Linode uses an hourly billing model, you won’t be charged by month, but by how many hours you used, which makes it convenient to delete a VPS instance at any time.

Step 1: Creating DNS MX Record

The MX record specifies which host or hosts handle email for a particular domain name. For example, the host that handles email for is . If someone with a Gmail account sends an email to [email protected], the Gmail server queries the MX record of . When it finds that is responsible for accepting email, it then queries the A record of to get the IP address, so the email can be delivered.

In your DNS manager, create an MX record for your domain name. Enter @ in the Name field to represent the main domain name, then enter in the Value field.

modoboa web interface

Note: The hostname in an MX record cannot be a CNAME alias to another name. Also, it’s highly recommended that you use a hostname rather than a bare IP address in the MX record.

Your DNS manager may require you to enter a preference value (aka priority value). It is a 16-bit number, so it can be anything between 0 and 65535; a smaller number has higher priority than a bigger one. You can enter 0 for your email server, or accept the default value. After creating the MX record, you also need to create an A record for , so that it can be resolved to an IP address. If your server has an IPv6 address, be sure to add an AAAA record as well.

Step 2: Configuring Hostname

SSH into your server, then update software packages.

sudo apt update

sudo apt upgrade

Then set a fully qualified domain name (FQDN) for your server with the following command.

sudo hostnamectl set-hostname

We also need to update /etc/hosts file.

sudo nano /etc/hosts

Edit it like below: localhost

Save and close the file. To see the changes, re-login and then run the following command to see your hostname.

hostname -f

Step 3: Setting up Mail Server on Ubuntu 18.04 with iRedMail

Run the following command to download the iRedMail Bash installer with wget. At the time of this writing, the latest version of iRedMail is 0.9.8, released on April 3, 2018. Please go to the iRedMail download page to check the latest version.


You can always use the above URL format to download the latest version. Just replace 0.9.8 with the new version number.

Extract the tarball.

tar xvf iRedMail-0.9.8.tar.bz2

Then cd into the newly created directory.

cd iRedMail-0.9.8/

Add executable permission to the script.

chmod +x

Next, run the Bash script with sudo privilege.

sudo bash

The ncurses-based setup wizard will appear. Select Yes and press Enter.

ubuntu 18.04 iredmail

The next screen will ask you to select the mail storage path. You can use the default one /var/vmail, so simply press Enter.

iredmail default storage path

Then choose whether you want to run a web server. It’s highly recommended that you choose to run a web server, because you need the web-based admin panel to add email accounts and it also lets you access the Roundcube webmail. By default, the Nginx web server is selected, so you can simply press Enter. (An asterisk indicates the item is selected.)

iredmail nginx web server

Then select the storage backend. Choose one that you are familiar with; this tutorial uses MariaDB. Use the up and down arrow keys to move and the space bar to select.

ubuntu 18.04 email server

If you selected MariaDB or MySQL, then you will need to set the MySQL root password.

ubuntu 18.04 mail server

Note that if you selected MariaDB, you don’t need a password to log into the MariaDB shell. Instead of the usual mysql -u root -p, you can log in with sudo and without providing the MariaDB root password:

sudo mysql -u root

This is because the MariaDB package on Ubuntu 18.04 authenticates root with the unix_socket plugin, which lets the OS root user connect using its OS credentials. You still need to set a root password in the iRedMail setup wizard.

Next, enter your first mail domain. You can add additional mail domains later in the web-based admin panel. This tutorial assumes that you want an email account like [email protected], in which case you need to enter here, without a sub-domain. Do not press the space bar after your domain name: iRedMail may copy the space character along with your domain name, which can make the installation fail.

set up mail server on ubuntu 18.04

Next, set a password for the mail domain administrator.

ubuntu 18.04 email server step by step

Choose optional components. By default, 4 items are selected. If you would like to have SOGo groupware, select it too, then press Enter.

iredmail component

Now you can review your configurations. Type Y to begin the installation of all mail server components.

iredmail review

At the end of installation, choose y to use firewall rules provided by iRedMail and restart firewall.

iredmail firewall rules fail2ban

Now the iRedMail installation is complete. You will be shown the URLs of the webmail, SOGo groupware and web admin panel, along with the login credentials. The file contains important information about your iRedMail server, including passwords, so keep it private.

iredmail full featured mail server

Reboot your Ubuntu 18.04 server.

sudo shutdown -r now

Once your server is back online, you can visit the web admin panel.

Because it’s using a self-signed TLS certificate, you need to add security exception.

Step 4: Installing Let’s Encrypt TLS Certificate

Since the mail server is using a self-signed TLS certificate, both desktop mail client users and webmail client users will see a warning. To fix this, we can obtain and install a free Let’s Encrypt TLS certificate.

Obtaining the Certificate

First, install Let’s Encrypt (certbot) client on Ubuntu 18.04

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt install certbot

iRedMail has already configured TLS settings in the default Nginx virtual host, so I recommend using the webroot plugin, instead of the nginx plugin, to obtain the certificate. Run the following command, replacing the placeholders with your actual data.

sudo certbot certonly --webroot --agree-tos --email your-email-address -d -w /var/www/html/

When it asks you if you want to receive communications from EFF, you can choose No.

iredmail letsencrypt

If everything went well, you will see the following text indicating that you have successfully obtained a TLS certificate. Your certificate and chain have been saved at /etc/letsencrypt/live/ directory.

iredmail certbot

Note that Let’s Encrypt’s HTTP-01 validator follows the HTTP to HTTPS redirect and does not verify the certificate it is presented with, so the self-signed certificate by itself does not stop issuance. If validation fails, check that the HTTPS virtual host serves /.well-known/acme-challenge/ from the webroot (see Error #2 below); as a workaround you can temporarily disable HTTPS on the default virtual host, obtain the certificate, and then re-enable HTTPS.

Installing the Certificate in Nginx

After obtaining a TLS certificate, let’s configure Nginx web server to use it. Edit the SSL template file.

sudo nano /etc/nginx/templates/ssl.tmpl

Find the following 2 lines.

ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

Replace them with:

ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

Save and close the file. Then test nginx configuration and reload.

sudo nginx -t

sudo systemctl reload nginx

Visit iRedMail admin panel again, your web browser won’t warn you any more because Nginx is now using a valid TLS certificate.


Installing TLS Certificate in Postfix and Dovecot

We also need to configure Postfix SMTP server and Dovecot IMAP server to use the Let’s Encrypt issued certificate so that desktop mail client won’t display security warning. Edit the main configuration file of Postfix.

sudo nano /etc/postfix/

Find the following 3 lines. (line 95, 96, 97).

smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

Replace them with:

smtpd_tls_key_file = /etc/letsencrypt/live/
smtpd_tls_cert_file = /etc/letsencrypt/live/
smtpd_tls_CAfile = /etc/letsencrypt/live/

Save and close the file. Then reload Postfix.

sudo systemctl reload postfix

Next, edit the main configuration file of Dovecot.

sudo nano /etc/dovecot/dovecot.conf

Find the following 2 lines (line 47, 48).

ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key

Replace them with:

ssl_cert = </etc/letsencrypt/live/
ssl_key = </etc/letsencrypt/live/

Save and close the file. Then reload dovecot.

sudo systemctl reload dovecot

From now on, desktop mail users won’t see security warnings.

Step 5: Sending Test Email

Log into iredadmin panel with the postmaster mail account. In the Add tab, you can add additional domains or email addresses.

add email addresses in iredadmin

If you see “no domain under control” error, please refer to this article.

After you create a user, you can visit the Roundcube webmail address and login with the new mail user account.

roundcube webmail

Now you can test email sending and receiving. Please note that you may need to wait a few minutes to receive emails because iRedMail by default enables greylisting, which is a way to tell other sending SMTP servers to try again in a few minutes. The following line in mail log file /var/log/mail.log indicates greylisting is enabled.

Recipient address rejected: Intentional policy rejection, please try again later;

If your hosting provider or ISP blocks port 25, ask them to open it for you. If they refuse to open it, then you can’t send emails directly. You need to set up SMTP relay to solve this problem. The following message in /var/log/mail.log indicates port 25 is blocked.

Nov 3 10:43:43 mail postfix/smtp[9969]: connect to[]:25: Connection timed out
Nov 3 10:44:13 mail postfix/smtp[9969]: connect to[2404:6800:4003:c03::1b]:25: Connection timed out

Linode doesn’t block port 25, so you don’t need to set up SMTP relay if you use Linode.
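The three log signatures that come up around this step (the greylisting rejection, the port 25 connection timeouts, and the “Sender is not same as SMTP authenticate username” rejection that appears in the comments below) are easy to confuse when a user reports that mail is not going out. The following Python script is an added example, not part of this tutorial or of iRedMail: it classifies constructed /var/log/mail.log lines of those shapes and only reports port 25 as blocked when every connection to a remote :25 timed out and nothing was delivered over port 25. The hostnames and addresses in the sample are placeholders.

```python
"""Classify mail.log lines for the conditions discussed in this tutorial.

Added example, not part of the original tutorial or of iRedMail. The log
lines below are constructed; hosts and addresses are placeholders.
"""
import re
from collections import Counter

PATTERNS = [
    # iRedAPD greylisting: the remote server will retry, this is normal.
    ("greylisted",
     re.compile(r"Intentional policy rejection, please try again later")),
    # Outbound Postfix smtp client could not reach a remote MX on port 25.
    ("port25_timeout",
     re.compile(r"postfix/smtp\[\d+\]: connect to \S+\[[^\]]+\]:25: "
                r"Connection timed out")),
    # Submission port: envelope sender differs from the SASL login name.
    ("login_mismatch",
     re.compile(r"Sender is not same as SMTP authenticate username")),
]

# Constructed sample log in the shape of the lines quoted in the tutorial.
SAMPLE_LOG = """\
Nov  3 10:43:43 mail postfix/smtp[9969]: connect to mx.example.org[192.0.2.25]:25: Connection timed out
Nov  3 10:44:13 mail postfix/smtp[9969]: connect to mx.example.org[2001:db8::25]:25: Connection timed out
Nov  3 10:45:02 mail postfix/smtpd[10012]: NOQUEUE: reject: RCPT from mail-out.example.net[192.0.2.10]: 451 4.7.1 <user@example.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<sender@example.net> to=<user@example.com> proto=ESMTP helo=<mail-out.example.net>
Nov  3 10:46:20 mail postfix/submission/smtpd[11910]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <user@example.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<bounce@example.com> to=<user@example.com> proto=ESMTP helo=<web>
Nov  3 10:47:00 mail postfix/smtp[9980]: 3C1F2A: to=<user@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.2, status=sent (250 2.0.0 OK)
"""


def classify(line):
    """Return the label of the first matching pattern, or None."""
    for label, pattern in PATTERNS:
        if pattern.search(line):
            return label
    return None


def summarize(log_text):
    """Count each condition; flag port 25 as blocked only when there were
    timeouts to :25 and not a single successful delivery over :25."""
    counts = Counter()
    sent_over_25 = 0
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            counts[label] += 1
        elif ":25, delay=" in line and "status=sent" in line:
            sent_over_25 += 1
    counts["port25_looks_blocked"] = int(
        counts["port25_timeout"] > 0 and sent_over_25 == 0)
    return dict(counts)


if __name__ == "__main__":
    for key, value in sorted(summarize(SAMPLE_LOG).items()):
        print("%-22s %d" % (key, value))
```

Run it against the real log with `summarize(open("/var/log/mail.log").read())`; a single timeout to one remote MX is not proof of a port 25 block, which is why the script also looks for successful deliveries on port 25 before drawing that conclusion.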

Step 6: Using Mail Clients on Your Computer or Mobile Device

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account.

  • In the incoming server section, select IMAP protocol, enter as the server name, choose port 993 and SSL/TLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.


Step 7: Improving Your Email Server Reputation

To prevent your emails from being flagged as spam, you should set PTR, SPF, DKIM and DMARC records.

PTR record

A pointer record, or PTR record, maps an IP address to a FQDN (fully qualified domain name). It’s the counterpart to the A record and is used for reverse DNS lookup, which can help with blocking spammers. Many SMTP servers reject emails if no PTR record is found for the sending server.

To check the PTR record for an IP address, run one of these commands:

dig -x IP-address +short

or

host IP-address

Because you get your IP address from your hosting provider or ISP, not from your domain registrar, you must set the PTR record for your IP in your hosting provider’s control panel, or ask your ISP. Its value should be your mail server’s hostname: If your server has an IPv6 address, be sure to add a PTR record for the IPv6 address as well.

To edit the reverse DNS record for your Linode server, log into Linode control panel, select your server and the networking tab. Click the 3 dots and Edit RDNS.

mail server ptr record

SPF Record

SPF (Sender Policy Framework) record specifies which hosts or IP address are allowed to send emails on behalf of a domain. You should allow only your own email server or your ISP’s server to send emails for your domain. In your DNS management interface, create a new TXT record like below.

modoboa spf record


  • TXT indicates this is a TXT record.
  • Enter @ in the name field to represent the main domain name.
  • v=spf1 indicates this is an SPF record and the version is SPF1.
  • mx means all hosts listed in your domain’s MX records are allowed to send email for your domain.
  • ~all is a softfail: email from any other host should be treated as suspicious, though most receivers only mark it rather than reject it. Once you are sure nothing else sends email for your domain, you can switch to -all (hardfail) so that such email is rejected outright.

To check if your SPF record is propagated to the public Internet, you can use the dig utility on your Linux machine like below:

dig txt

The txt option tells dig that we only want to query TXT records.

DKIM Record

DKIM (DomainKeys Identified Mail) uses a private key to digitally sign emails sent from your domain. Receiving SMTP servers verify the signature by using the public key, which is published in the DNS DKIM record.

The iRedMail script automatically configured DKIM for your server. The only thing left to do is creating DKIM record in DNS manager. Open the file under iRedMail-0.9.8 directory.

sudo nano

Scroll down to DNS record for DKIM support section. The DKIM public key is in the parentheses.

iredmail amavis dkim

You can also show the public key with the following command.

sudo amavisd-new showkeys

Then in your DNS manager, create a TXT record and enter dkim._domainkey in the name field. Copy everything inside the parentheses into the value field and delete all the double quotes, so that the value is one continuous string.

amavisd-new ubuntu

After saving your changes, run the following command to test if your DKIM record is correct.

sudo amavisd-new testkeys

If the DKIM record is correct, the test will pass. Note that your DNS record may need some time to propagate across the Internet.

TESTING#1 => pass

DMARC Record

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It tells receiving email servers what to do with messages that pass neither aligned SPF nor aligned DKIM, and where to send reports about them, which helps receivers identify legitimate email and prevents your domain name from being used in email spoofing.

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

create dmarc record txt

The above DMARC record is a safe starting point. To see the full explanation of DMARC, please check the following article.
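Before publishing the SPF, DKIM and DMARC values described above, it is worth checking them mechanically: a stray double quote left in the DKIM value, a +all in SPF, or a DMARC record that does not begin with v=DMARC1 is silently ignored by receivers. The following Python script is an added example, not part of this tutorial or of iRedMail. It turns constructed amavisd-new showkeys output into the single string you paste into the DNS manager, reports what the all qualifier of an SPF record means for unlisted hosts, and validates the DMARC tags. The showkeys sample and its key are placeholders, and example.com stands in for your domain.

```python
"""Sanity-check SPF, DKIM and DMARC TXT values before publishing them.

Added example, not part of the original tutorial or of iRedMail. The
showkeys sample and its key are constructed placeholders.
"""
import re

# Constructed sample in the shape `amavisd-new showkeys` prints: a comment,
# the record name, then the value split into several quoted strings.
SAMPLE_SHOWKEYS = """\
; key#1 2048 bits, i=dkim, d=example.com, /var/lib/dkim/example.com.pem
dkim._domainkey.example.com.\t3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxxxxPLACEHOLDER"
  "yyyyPLACEHOLDERwIDAQAB")
"""

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}


def dkim_txt_from_showkeys(text):
    """Return (record_name, value): the quoted chunks joined with the quotes
    removed, which is exactly what goes into the DNS manager's value field."""
    head = re.search(r"^(\S+?)\.?\s+\d+\s+TXT\s*\(", text, re.M)
    if not head:
        raise ValueError("no TXT record found in showkeys output")
    value = "".join(re.findall(r'"([^"]*)"', text[head.end():]))
    if not value.startswith("v=DKIM1") or "p=" not in value:
        raise ValueError("DKIM value must start with v=DKIM1 and carry p=")
    return head.group(1), value


def check_spf(record):
    """Parse 'v=spf1 mx ~all' style records. Returns the result that hosts
    not listed in the record get ('all') plus warnings about weak terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    mechanisms, warnings, all_result = [], [], None
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier such as redirect= or exp=
            mechanisms.append(("modifier", term))
            continue
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name not in SPF_MECHANISMS:
            raise ValueError("unknown SPF mechanism: %s" % term)
        mechanisms.append((name, SPF_QUALIFIERS[qualifier]))
        if name == "all":
            all_result = SPF_QUALIFIERS[qualifier]
    if all_result is None:
        warnings.append("no 'all' term: unlisted hosts get neutral")
        all_result = "neutral"
    elif all_result == "pass":
        warnings.append("'+all' lets any host send as your domain")
    if ("ptr", "pass") in mechanisms:
        warnings.append("'ptr' is deprecated and slow; prefer mx, a, ip4/ip6")
    return {"mechanisms": mechanisms, "all": all_result, "warnings": warnings}


def check_dmarc(record):
    """Parse a DMARC TXT value and reject the mistakes that make receivers
    ignore it (wrong first tag, bad policy, bad pct, non-mailto reports)."""
    tags = []
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed DMARC tag: %r" % item)
        key, value = (part.strip() for part in item.split("=", 1))
        tags.append((key, value))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("DMARC record must start with v=DMARC1")
    parsed = dict(tags)
    if parsed.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    parsed["pct"] = int(parsed.get("pct", "100"))
    if not 0 <= parsed["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    for tag in ("rua", "ruf"):
        for uri in parsed.get(tag, "").split(","):
            if uri and not uri.strip().startswith("mailto:"):
                raise ValueError("%s= entries must be mailto: URIs" % tag)
    return parsed


if __name__ == "__main__":
    print(dkim_txt_from_showkeys(SAMPLE_SHOWKEYS))
    print(check_spf("v=spf1 mx ~all"))
    print(check_dmarc("v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.com"))
```

To use it on your own server, feed the real output of `sudo amavisd-new showkeys` to dkim_txt_from_showkeys and the TXT values you intend to publish to check_spf and check_dmarc; the functions raise ValueError with the reason when a record would be ignored.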

Step 8: Testing Email Score and Placement

After creating the PTR, SPF and DKIM records, go to You will see a unique email address. Send an email from your domain to this address and then check your score. As you can see, I got a perfect score. In the test result, check that your PTR, SPF and DKIM records are valid.

improve email server

That service can only show you a sender score. There’s another service called GlockApps that lets you check whether your email landed in the recipient’s inbox or spam folder, or was rejected outright. It supports many popular email providers like Gmail, Outlook, Hotmail, Yahoo Mail, iCloud Mail, etc.

glockapps email placement test

Adding Multiple Mail Domains

I wrote this article to show you how to add multiple mail domains in iRedMail.

How to Disable Greylisting

By default, iRedMail has enabled greylisting, which tells other sending SMTP servers to try again in a few minutes. This is mainly useful to block spam, but it also degrades user experience. If you prefer to disable greylisting, follow the instructions below.

Add write permission to the /opt/iredapd/ file.

sudo chmod 600 /opt/iredapd/

Then edit the configuration file.

sudo nano /opt/iredapd/

Find the following line.

plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy"]

Remove "greylisting" from the list. Save and close the file. Then restart iredapd.

sudo systemctl restart iredapd

Change the configuration file back to read only mode.

sudo chmod 400 /opt/iredapd/

Enabling SMTPS Port 465

If you are going to use Microsoft Outlook client, then you need to enable SMTPS port 465 in Postfix SMTP server.

How to Renew TLS Certificate

A Let’s Encrypt TLS certificate is valid for only 90 days, so it’s important that you set up a cron job to renew it automatically. You can run the following command to renew the certificate manually.

sudo certbot renew

You can use the --dry-run option to test the renewal process, instead of doing a real renewal.

sudo certbot renew --dry-run

Error #1

If you see the following error when renewing TLS certificate:

The server could not connect to the client to verify the domain. Timeout during connect (likely firewall problem). Skipping.

This means Let’s Encrypt could not reach port 80 on the address it chose for . A common cause is IPv6: when an AAAA record exists, the validator prefers IPv6, so if your server has an IPv6 address, make sure its AAAA record is correct in your DNS manager and that Nginx actually listens on IPv6. Edit the /etc/nginx/sites-enabled/000-default.conf file and find the following line.

#listen [::]:80;

Remove the # symbol to enable IPv6.

listen [::]:80;

Save and close the file. Then edit the SSL virtual host /etc/nginx/sites-enabled/00-default-ssl.conf. Add the following line.

listen [::]:443 ssl http2;

iredmail certbot renew

Save and close the file. Then test Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx for the change to take effect.

sudo systemctl reload nginx

Error #2

If you see the following error when renewing TLS certificate.

The client lacks sufficient authorization :: Invalid response

Then you need to create the hidden directory.

sudo mkdir -p /var/www/html/.well-known/acme-challenge

And set www-data as the owner of the webroot.

sudo chown www-data:www-data /var/www/html/ -R

Also, edit the SSL virtual host /etc/nginx/sites-enabled/00-default-ssl.conf. Add the following lines.

location ~ /.well-known/acme-challenge {
     root /var/www/html/;
     allow all;
}

iredmail letsencrypt renew

Save and close the file. Test Nginx configuration and reload.

sudo nginx -t
sudo systemctl reload nginx

Create Cron Job

If now the dry run is successful, you can create Cron job to automatically renew certificate. Simply open root user’s crontab file.

sudo crontab -e

Then add the following line at the bottom of the file.

@daily certbot renew --quiet && systemctl reload postfix dovecot nginx

Reloading Postfix, Dovecot and Nginx is necessary to make these programs pick up the new certificate and private key; a renewal without a reload leaves them serving the old certificate until they are restarted. (The certbot package also installs its own renewal cron job/timer, but that one does not reload these services, so keep this line or pass the reload command to certbot with --deploy-hook.)

Setting Up Backup Mail Server

Your primary mail server could be down sometimes. If you host your mail server in a data center, then the downtime is very minimal, so you shouldn’t be worried about losing inbound emails. If you host your mail server at home, the downtime can’t be predicted so it’s a good practice for you to run a backup mail server in a data center to prevent losing inbound emails. The backup mail server needs just 512MB RAM to run. Please check the full detail in the following article.

For Advanced Users

iRedMail doesn’t include a DMARC verification service, you can check out the following tutorial to set up OpenDMARC to block email spoofing.

You may want to customize the SpamAssassin content filter to better detect spam.

If your website and mail server are running on two different VPS (virtual private server), you can set up SMTP relay between your website and mail server, so that your website can send emails through your mail server. See the following article.

Wrapping Up

That’s it! I hope this tutorial helped you set up a mail server on Ubuntu 18.04 with iRedMail. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂


142 Responses to “How to Easily Set Up a Full-Featured Mail Server on Ubuntu 18.04 with iRedMail”

  • Will this work with Ubuntu Desktop?

    • To make it work on Ubuntu desktop in your home, you need to

      1). Have a static IP address, or set up dynamic DNS if your have a dynamic IP address.

      2). Configure port forwarding in your router. (SMTP port 25, IMAP port 993, submission port 587)

      3). If your ISP blocks port 25, then set up SMTP relay.

      It’s totally doable, if you are willing to get your hands dirty.

  • hi thanks for the nice tutorial,

    I have one problem: I have set the hostname of my Amazon EC2 server on (myec2 is the EC2 link of my server), but I can only reach the panel with and not with. Does someone have a solution?


    • Hi Niklas,

      I’m having the same issue as you. I’m able to access the iredadmin panel through but not through I’m also using EC2. Were you able to resolve why that was happening?



  • I can send mail but no mail is being received atm, I don’t know why?

  • After disabling the “grey list” it works. Thank you very much for this tutorial. Appreciate it.

  • Farax Abdi
    9 months ago

    Could we use another port (NOT 25) for sending email WITHOUT an SMTP relay?

    • No. Receiving email servers expect you to hit them on port 25. They are listening on port 25 to accept incoming email.

      You can’t ask them to change the port. It’s SMTP standard. Similarly, you can’t ask websites to change port 80 to another port.

  • Farax Abdi
    9 months ago

    i thought so, im using AWS instead of Linode .


  • ihasaface
    9 months ago

    The first time I go to, I don’t get anything whatsoever… my website is up and running just fine though. Maybe because I have my webserver on a different VM than mail? Please help.

    • To use iredadmin, you need to install a web server along with other components of iRedMail, preferably on the same VM. If you didn’t choose to run web server in the setup wizard, you can’t use iredadmin.

      • ihasaface
        9 months ago

        Is that going to mess with my website though? Changing hostname and hosts files and whatnot.

    • Changing the hostname and hosts file won’t affect your website. The Nginx web server installed by iRedMail could interrupt the operation of your website.

      And it’s a good idea to separate your website and email server on different boxes, because your email server can leak the origin IP address of your website if they are on the same box. To protect your website from DDoS attack, you probably want to use a CDN service, which will hide the IP address of your website.

      • Ihasaface
        9 months ago

        I’m confused…. I had my webserver on a different virtual box than my mail server…. But installing this on a separate box didn’t work. What am I missing?

    • Maybe you can just start it over.

  • How to create PTR, SPF, DKIM and DMARC records on Ubuntu Desktop?

    • They are not created using command line. You need to ask your ISP or hosting provider to set the PTR record. For SPF, DKIM and DMARC records, create them in the DNS manager (on your domain registrar’s website).

  • Hi, I have two VPS servers with different IP addresses. On one of these servers I have my websites. Can I install iRedmail on second VPS and use it as mail server for domains from first server (with websites)?

  • Hey all,

    Was just trying this out on my AWS t2.micro EC2 instance. I got all the way up to the reboot just after the initial installation. I rebooted the machine and it is showing as running in the AWS EC2 console but I can’t SSH to it. I destroyed the instance, built a new one, and tried saying no to changing the firewall rules and I get the same result. Any ideas?

    • iRedMail uses the Linux iptables firewall, but you also need to make sure port 22 is opened at the AWS firewall.

      • Thanks for the reply. I configured the AWS firewall as you said. It ended up being the fact that the t2.micro instance in EC2 only has 1GB of RAM. That’s not enough to run the whole suite and you kind of end up DOSing yourself if you use it. The t2.medium has 2GB of RAM which is enough. My server is up and running well.

        For those that come after me and are doing this on AWS here’s a couple things to look out for:

        As Xiao Guo An said, make sure your iptables allow all the necessary ports. There’s a good table of ports that iRedMail needs open at this link

        Like I said, use a t2.medium or larger EC2 instance. t2.micro doesn’t provide enough resources.

        If you’re using Route53 for DNS, the syntax is a little bit different on there than it shows in the pictures. Pay attention to the syntax that Route53 likes.

        If you’ve attempted to use AWS SES in the past, be sure to remove any mention of it from your DNS records. They don’t play well together, especially when it comes to DKIM.

        • zydecci
          8 months ago

          When I said “make sure your iptables allow all the necessary ports” I really meant “make sure your security groups allow all the necessary groups.”

  • Steve Johnson
    8 months ago

    I understand why you need to setup mail.mydomain in /etc/hosts, but what is the purpose of changing the hostname itself? Because if there are multiple domains setup in the mailserver, you can only have one hostname.

    • If you don’t explicitly set a hostname in /etc/postfix/ file, Postfix will use the OS hostname by default, so changing the OS hostname can prevent Postfix from using other hostnames that may be unresolvable.

    • When you add additional domains in iRedMail, you don’t need to change the hostname. This hostname should have an A record, pointing to the IP address of the server and the IP address should have a PTR record, pointing back to the same hostname. This is a good practice to pass spam filters.

  • Thanks for that.
    One question, is there a way to autorenew letsencrypt certificates or is that always a manual task?

  • Maybe you will expand this tutorial to add email aliases via MariaDB? E.g. webmaster, admin.

  • In my /etc/hosts file I have:       localhost
    IP-address vpsName
    ::1     localhost ip6-localhost ip6-loopback
    xx02::1 ip6-allnodes
    xx02::2 ip6-allrouters
    IP-address vpsName

    Should the second line be after changes? Like this: localhost
    IP-address vpsName

    And what with IPv6 lines?
    I ask because when I run

    dig -x IP-address +short

    I get:

    And I think that something is wrong…

  • How do I create virtual hosts for each sub domain?

  • Hi, everything seems to be working but I get the following messages sent to the postmaster:

    netdata notification is critical

    ram available = 4.5%
    estimated amount of RAM available for userspace processes, without causing swapping

    Is this because my server is only 2gb ram?
    Could this stop emails being sent?

    I am having trouble working out how to monitor things to see if emails are being rejected or sent etc. Any guidance appreciated, thanks

    • On a fresh installed Ubuntu server, the RAM usage is little more than 1GB after installing iRedMail. You might have other software installed that causes such high RAM usage. Use htop to find RAM-hungry programs on your server and stop those services that you don’t need. You can also enable swap space to prevent OOM (Out of Memory) problems.

      If your emails cannot be sent at all, there will be logs generated in /var/log/mail.log and if your emails are rejected, you will receive an automated email from the Postfix daemon.

      • It seems something is being rejected but I can’t understand why. When I try to register on a list using a form with the email [email protected], I get the following mail.log error:

        Jan 23 11:01:54 mail postfix/submission/smtpd[11910]: warning: hostname does not resolve to address
        Jan 23 11:01:54 mail postfix/submission/smtpd[11910]: connect from unknown[]
        Jan 23 11:01:55 mail postfix/submission/smtpd[11910]: Anonymous TLS connection established from unknown[]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
        Jan 23 11:01:56 mail postfix/submission/smtpd[11910]: NOQUEUE: reject: RCPT from unknown[]: 554 5.7.1 : Recipient address rejected: Sender is not same as SMTP authenticate username; from= to= proto=ESMTP helo=
        Jan 23 11:01:56 mail postfix/submission/smtpd[11910]: disconnect from unknown[] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7

        • Stephen
          8 months ago

          So is this the main reason emails arent being sent?

          Recipient address rejected: Sender is not same as SMTP authenticate username

        • Stephen
          8 months ago

          I believe its sorted now? I added this to
          ALLOWED_LOGIN_MISMATCH_SENDERS = [‘[email protected]’]

          Is this safe? Thanks for letting me (pardon the pun) BOUNCE off of you. Much appreciated, and thanks for the great post.

    • It seems you are trying to send email from another server using the SMTP submission port but the login name isn’t the same as the sender email address.

      If I were you, I would just create a separate email account for that sender, but you can add exceptions in /opt/iredapd/ It is safe in my opinion.

      • Thank you, it is working fine now after much frustration. I just need to find the cause of the high RAM usage. But at least it’s working now. I’ll dig deeper based on your comment above. Thanks again, I couldn’t have done this without you.

    • Glad to know it’s working now 🙂

      • Using htop it seems most of the 1.49GB memory being used is used by the following two processes:

        clamav – 31.4% /usr/sbin/clamd --foreground=true
        mysql – 18.6% /usr/sbin/mysql --daemonize --pid-file=/run/mysqld/

        Not sure what that means though.

    • That means ClamAV (Clam Antivirus) is using 31.4% of RAM and MySQL/MariaDB database server is using 18.6% of RAM. This is normal.

      I can see that you are running netdata on your mail server. If you selected all components in the iRedMail setup wizard, your server will use more RAM.

      My iRedMail server is using about 1.1GB RAM. I didn’t install netdata.

  • Thanks Xiao, I will leave it installed for now and see if I can learn from it over the long term. When I get up and running I can easily update the vps at a reasonable cost. So thanks for the help. I do appreciate it.

  • Andrei Valentin Niculae
    8 months ago


    I used your tutorial and everything went smooth until I tried sending an email with a newly created account. In Roundcube I am seeing the following error: “SMTP Error (454): Authentication failed.”

    Looking into the postmaster account I can see an email containing the following:

    Transcript of session follows.
     Out: 220 ESMTP Postfix
     In:  EHLO _
     Out: 250-PIPELINING
     Out: 250-SIZE 15728640
     Out: 250-ETRN
     Out: 250-STARTTLS
     Out: 250-8BITMIME
     Out: 250-DSN
     Out: 250 SMTPUTF8
     In:  STARTTLS
     Out: 454 4.7.0 TLS not available due to local problem
     In:  RSET
     Out: 530 5.7.0 Must issue a STARTTLS command first
     In:  QUIT
     Out: 221 2.0.0 Bye
    For other details, see the local mail logfile

    Can you please give me an idea where I should look and what I need to do to fix this?

    Thank you!

    • This line

      454 4.7.0 TLS not available due to local problem

      indicates that there might be a problem with your TLS configuration in either Postfix or Dovecot.

      • Andrei Valentin Niculae
        8 months ago

        Now I found the error in the Postfix configuration, but another problem appeared. I can send emails but the ones that I should receive don’t arrive in my inbox. I don’t have any error now in the postmaster account. What should I look for?

    • Check /var/log/mail.log file.

      • Andrei Valentin Niculae
        7 months ago

        The file seems to be empty. Is there a known reason why it shouldn't have any data?

        • Andrei Valentin Niculae
          7 months ago

          Do you have any feedback in regards to what I need to look forward from here? It seems that my emails are sent but the ones that I receive are not arriving in my inbox.

    • Your domain name doesn’t have a MX record.

  • ckhatton
    8 months ago

    DigitalOcean now allows port 25 by default. They must have had too many complaints and gave up.

  • Recently I tried to send bulk mails, but Gmail and Outlook marked the mail as spam. Any idea?

    • There are many things you need to pay attention to when sending bulk email from your own email server. Here is some of my advice.

      1. Make sure the recipient gave you permission to send email.

      2. Warm up your IP address. Don’t send email to all your recipients on day 1. For example, send 500 emails on day 1, then send 1000 emails on day 2, send 2000 emails on day 3.

      3. Clean your email list. For example, delete email subscribers that haven’t opened your email in the last 30 days.

      4. Include your contact information and your mailing address at the bottom of the email message.

      5. Personalize the email message as much as possible. For example, include the recipient’s name in the email.

      6. Conform to the CAN-SPAM Act.

      7. Avoid large attachments.

      8. Get approved as Return Path Certified Sender.

  • First! Thanks for a great howto! It is one of the best out there! So thank you for making it and sharing it!

    On that note, is it possible to be updated maybe with Spamhaus Project ( and ufw??
    To even get more security on the service!


  • Hey, I recently realised this error:

    Feb  6 01:09:51 mail postfix/dnsblog[28913]: warning: dnsblog_query: lookup error for DNS query Host or domain name not found. Name service error for type=A: Host not found, try again

    Any idea how to correct it? Thank you

  • First of all, thank you very much for your great and very useful work.
    My new installation with iRedMail 0.9.9 works great but... no way to connect from a client... no Outlook 2019, no Samsung Android mail, no Thunderbird...
    My server is at my home; no way to connect either inside my home network or outside (I've forwarded all necessary ports...).
    Until some days ago, with 0.9.8 all worked fine; after that my SSD crashed and I started from scratch again but with 0.9.9.
    Any idea?
    Thank you

    • Also locally there is no way to connect to the server; using Dovecot webmail all works correctly

  • And also this one:)

  • Monsieur Apple
    7 months ago

    Thanks for the guide! I got Let's Encrypt working on my mail server, which is great, though the problem is that I am no longer able to send emails from the same domain as my mail server. For example, from [email protected] to [email protected] I get SMTP error 454: authentication failed when sending through Roundcube. How can I fix this? It seems to have something to do with not finding a certificate; I checked but I think I spelled them all properly. What should I do?

    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: cannot load Certification Authority data, CAfile="/etc/letsencrypt/live/mail/", CApath="/etc/ssl/certs": disabling TLS support
    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/letsencrypt/live/mail/','r'):
    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: warning: TLS library problem: error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: warning: TLS library problem: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:../crypto/x509/by_file.c:199:
    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: connect from[]
    Feb 14 20:26:51 mail roundcube: ERROR: Invalid response code received from server (454)
    Feb 14 20:26:51 mail roundcube: ERROR: Invalid response code received from server (530)

  • Hi Xiao,

    Thanks for your incredible guide. I wonder how to change a little thing in my config, but I cannot find the way to do it. I would like that when people type my IP address in the URL bar 162.x.x.x.x it will be redirected directly on

    How can I do that?

    Thanks a lot 🙂

    • Create a new virtual host in /etc/nginx/sites-enabled/ directory.

      sudo nano /etc/nginx/sites-enabled/ip.conf

      Copy and paste the following text into the file.

      server {
              server_name your-server-ip-address;
              listen 80;
              # the redirect target in the original reply was lost; your-domain-name is a placeholder
              return 301 https://your-domain-name$request_uri;
      }

      Replace with your own IP address and domain name. Save and close the file. Then reload Nginx.

      sudo systemctl reload nginx

  • Hi Xiao,

    I followed your instructions, but I still have this page 🙁

    I searched but i did not find why it was not working …

    Thanks in advance for your help.


  • Hello,

    Thank you for this guide; it is very well laid out and easy to follow. I was wondering if you could add how to set up the mailcrypt plugin for Dovecot? It would be really cool to have the email encrypted at rest on the VPS.


  • I have done everything as per your tutorial but on the final step I got this error. I have copied the error text from the console below. Will you please review what to do to solve this problem?

    php-xml is already the newest version (
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:
    The following packages have unmet dependencies:
     mariadb-server : Depends: mariadb-server-10.1 (>= 1:10.1.29-6ubuntu2) but it is not going to be installed
    E: Unable to correct problems, you have held broken packages.
    <> Installation failed, please check the terminal output.
    <> If you're not sure what the problem is, try to get help in iRedMail
    <> forum:

    • Please run this command.

       sudo apt install mariadb-server-10.1 mariadb-server

      • Please give me a solution. After successfully installing everything I am getting an error when I go to my Roundcube webmail.
        It says database error, and also when I tried to connect to the web admin panel it says Internal Server Error.

        Unable to connect to the database!
        Please contact your server-administrator.

    • Run the following command to check if you can log into MariaDB server.

      mysql -u root -p

      You need to enter the MariaDB root password.

  • Thank you for making this guide. It helped me quickly setup an email server for one of my clients. Much appreciated for the work you put in! It worked flawlessly without needing any additional configuration.

    • I got this type of error: "ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")"

  • Hi, Salut! Great! Xiao Guo-An (Admin) Can you help me please?

    Error setting up the SSL certificate. It worked up to adding an account, but sending and receiving messages don't work.

    What happens if I talk to/ask my ISP (to change IP, because it appears in a blacklist)
    to change from IPv4 to IPv6, including a dynamic IP address, or vice versa?
    Does that affect the functioning of my initial mail server setup? Now it does not work anymore. Not at all.

    Must I redo the steps from the first one?
    Does my mail server start automatically when I restart Ubuntu?

    I want my mail server totally free, hosted by my PC on Ubuntu desktop 18.04, not paying for ("hosted on")
    DigitalOcean or anything else.


    5 months ago
    Will this work with Ubuntu Desktop?
          Xiao Guo-An (Admin)
          5 months ago
          To make it work on Ubuntu desktop in your home, you need to
          1). Have a static IP address, or set up dynamic DNS if you have a dynamic IP address.
          2). Configure port forwarding in your router. (IMAP port 993)
          3). If your ISP blocks port 25, then set up SMTP relay.
          It's totally doable, if you are willing to get your hands dirty.

    3). My ISP says no ports are blocked – appears OK.

    1). I have a dynamic IP address. How do I set up dynamic DNS? – tutorial link.

    2). Configure port forwarding in your router. (IMAP port 993). How? – tutorial link. My ISP?

    Why do you say "It's totally doable, if you are willing to get your hands dirty."? Is it so hard to do that?

    Thank you!

    PS. I think, it is useful for us to number steps to follow if we are not missing any step.

    • I can't show you how to set up dynamic DNS or configure port forwarding in a router, because of a number of reasons. Actually they are not hard to do. Just search on the Internet.

      If you change IP address, you also need to change the DNS A record. No need to reinstall iRedMail.

    • First, dynamic DNS won’t work on my network. Second, my router user interface is in Chinese. No English is available.

    • Please note that I do not recommend setting up a mail server with a dynamic IP address, because your emails are more likely to be put into the spam folder. Just think that your IP address changes every few days and you could be using a blacklisted IP address one day. It's unpredictable.

      If you have a dynamic IP address, set up SMTP relay to get better email deliverability.

      • Wtf, what is happening, now it's working again. Can iRedMail be down/offline sometimes?
        Is Modoboa better?
        Can I have iRedMail and Modoboa simultaneously, can they work together, in parallel?

    • Sorry, I don’t know exactly what you mean by “iRedMail offline”.

      You can’t install Modoboa and iRedMail on the same server. That will create more problems.

      They are equally good, I think.

      • I want to say:
        Initially it worked to create a new account,
        and then it did not work anymore. Not at all.
        I can't understand this oscillating behaviour.

      • Hi,

        after talking to my ISP support and unblocking the ports, sending messages now works

        to [email protected] but not to Gmail,

        and sending back from both of them does not work

    • Sorry, but I forgot to tell you to configure port forwarding for the SMTP port 25, and also port 587.

  • ckhatton
    5 months ago

    How do you set the Let's Encrypt to auto renew? I am getting firewall errors when I type `certbot renew --dry-run`

    • The certbot package on Ubuntu ships with a systemd timer (/lib/systemd/system/certbot.timer) and a Cron job (/etc/cron.d/certbot). That’s why I didn’t write about certificate auto renewal.

      Sometimes certbot can have weird problems. You can try using another ACME challenge like tls-alpn-01.

  • Let's Encrypt failed. Tried to disable HTTPS. Now Let's Encrypt won't issue a cert for another week after 5 tries.

    • ckhatton
      5 months ago

      It sounds like you have the same problem as me! It reports that the firewall is preventing it from renewing.

      • Yes, that was it. Reinstalled making sure Nginx Full was allowed. Ty

        • ckhatton
          5 months ago

          Oh really? Maybe I’ll try that then.

  • You… are absolutely amazing. Thanks, once again, for teaching me something new.

  • ckhatton
    5 months ago

    I am still having Let's Encrypt problems. I commented out the HTTPS redirect in the "00-default.conf", and now I get...

    Invalid response from []: "\r\n404 Not Found."

  • maximumwarp
    4 months ago

    Hello, I followed this guide and the other one to use Mailjet as SMTP relay server, and my mail, everything, works like a charm.
    I installed on a VirtualBox virtual machine with Debian 9.9 as OS.
    I need to use the same virtual machine as a web server for my personal website (built with WordPress) and a couple of webapps. I can't configure a different virtual machine because the real machine isn't powerful enough to run 2 VMs at the same time.
    How must I configure Nginx to host multiple websites? On a clean installation of Debian I follow this guide but with iRedMail it doesn't work...
    I noticed changes in many configuration file, especially in /etc/php/7.0/fpm/pool.d/www.conf (listen = instead of listen = /run/php/php7.0-fpm.sock and others related modifications…)

    • iRedMail comes with a LEMP stack and there's no need to change PHP configurations. To host multiple websites, you just need to create a new virtual host file in the /etc/nginx/conf.d/ directory.

      • maximumwarp
        4 months ago

        I solved changing .conf files in /etc/nginx/sites-enable of my websites, using server instead of unix:/run/php/php7.0-fpm.sock and everything works but I have another problem…

        At home I have a VDSL connection with a dynamic public IP address. My home network is structured as follows: a VDSL modem-router with DHCP disabled and a Raspberry Pi 3 that runs Pi-hole with DHCP enabled and Google and Cloudflare upstream DNS servers. In my LAN there are many devices, some with a dynamic IP assigned by the Pi-hole DHCP server and others with an IP reserved by MAC address; one of these devices is a VirtualBox machine that runs a web/mail server (Debian 9.9, Nginx, PHP, MariaDB and Postfix). This virtual web server hosts my personal website and a couple of web apps. I bought a domain on and the server updates the public IP of my VDSL connection via ddclient if it changes.
        Often a strange problem occurs: the site and the webapps are not reachable if I try to navigate from any device within my LAN. Everything works perfectly trying to browse from the outside (for example, if I disconnect smartphones from the WiFi and try to surf with a 4G connection, the site is available). If I reboot the modem, Pi 3 and server, for a few minutes I can also navigate from the LAN; then, suddenly, everything stops working.

  • Webmail from Roundcube works perfectly but I tried to configure a couple of email clients (Android and Windows) and they can't reach the mail server. Do I need to open/port-forward ports 993 and 587 on my modem-router?

    • Yes, if you set up a mail server at your home, you need to port forward 993 and 587 for mail clients to log in. You also need to port forward 25 to receive email from other mail servers.

  • Alexandru Gagea
    4 months ago


    I'm having issues with my DKIM record. I did exactly as instructed; however, the command sudo amavisd-new testkeys results in invalid. The test does not pass.

    Iredmail was installed on an ec2 instance.

    Please help.

    • It’s likely because you didn’t enter your DKIM record correctly in your DNS manager.

      • Alexandru Gagea
        4 months ago

        Solved it. I had to make the string a single line. The current issue is with the SPF record. I've added in my DNS Manager the following: v=spf1 mx ~all and it says that I'm not fully authenticated. What am I missing? I created the rule in Route 53.

  • Hi all,
    I'm new in Linux.

    in the tutorial it says: Note that sometimes, the self-signed certificate can prevent Let’s Encrypt ACME server from connecting to your server and the certificate won’t be issued. You can disable HTTPS on the default virtual host to fix this problem, then re-enable HTTPS after a valid Let’s Encrypt certificate is obtained.

    but I didn't find on the internet how to do that. Can someone give me a hint or even a link so I can read and understand how to do that to get the Let's Encrypt TLS certificate? Thanks

  • Hello

    what is the exact difference with the article

    Sorry I am newbie with iredmail servers, I need your help.


    • There are no major differences between the two articles. One is for Ubuntu 16.04 and this article is for Ubuntu 18.04.

      • Thanks Xiao

        I have read through this article; it is great. I have some doubts about the hostname and MX record value.

        1. Must the hostname be the same as the MX record value?
        2. Must the hostname value be a real FQDN domain name? Can I use something like "demo.demo.demo"?

    • The hostname can be different than the MX record value.
      The hostname must be a real FQDN domain name, because many mail servers check the A record of the hostname. A hostname without a valid A record increases your chance of landing in the spam folder or being rejected outright.

      • I have installed it successfully, thanks Xiao.

        I can see the tips in the system dump like this

        * – Roundcube webmail:
        * – netdata (monitor):
        * – Web admin panel (iRedAdmin):

        I can see everything from iRedMail resides in a subdomain. Is it possible to make it in the root domain?

        * – Roundcube webmail:
        * – netdata (monitor):
        * – Web admin panel (iRedAdmin):

    • Yes, you can.

      Just replace with in /etc/nginx/sites-enabled/ file and obtain a TLS certificate for with Certbot, then reload Nginx.

  • Hello

    If I do a fresh installation, how can I achieve this? I can see this tutorial is for a subdomain

  • Maxim Ellenberg
    3 months ago

    Very good article!

  • Hi Mr. Xiao,

    Very good article. How do I make a mailing list or alias?

    Thank You very Much

    • iRedMail integrates mlmmj as the mailing list manager. However, it requires you to purchase a Pro account to use it in the web-based admin panel. If you don't like spending money, I recommend using the Mailtrain self-hosted mailing list app.

      Creating an alias in the web-based admin panel also requires purchasing a Pro account. However, you can create an alias in the SQL database console. After creating the alias, you can create the corresponding identity in Roundcube webmail, so you can use the alias address in the From header when replying to emails.

    • Hi Mr.Xiao,

      Thank you for your information. Please provide information for creating email groups? Can you use Mailtrain?


  • Jeremy Willson
    3 months ago

    Hello linuxbabe
    Thank you for your tutorial for an Ubuntu mail server. I am attempting to install using a clean Kubuntu 9.04.
    However, I get a message telling me of a failure to install. (See the last few lines of install info below telling about missing packages.)

    [ INFO ] Installing package(s): postfix postfix-pcre libsasl2-modules mariadb-client mariadb-server postfix-mysql libdbd-mysql-perl php-cli php-fpm php-json php-gd php-curl mcrypt php-intl php-xml php-mbstring php-mysql nginx-full dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-managesieved dovecot-sieve dovecot-mysql amavisd-new libcrypt-openssl-rsa-perl libmail-dkim-perl clamav-freshclam clamav-daemon spamassassin altermime arj nomarch cpio lzop cabextract p7zip-full rpm ripole libmail-spf-perl unrar-free pax lrzip mlmmj sogo sogo-activesync sope4.9-gdl1-mysql python-sqlalchemy python-dnspython python-mysqldb python-pymysql python-jinja2 python-netifaces python-webpy python-beautifulsoup python-lxml python-pycurl python-requests uwsgi uwsgi-plugin-python python-bcrypt fail2ban zlib1g libuuid1 libmnl0 curl lm-sensors netcat bzip2 acl patch cron tofrodos logwatch unzip bsdutils liblz4-tool
    Reading package lists...
    Building dependency tree...
    Reading state information...
    Package ripole is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    Package python-webpy is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    E: Package 'ripole' has no installation candidate
    E: Unable to locate package sogo-activesync
    E: Unable to locate package sope4.9-gdl1-mysql
    E: Couldn't find any package by glob 'sope4.9-gdl1-mysql'
    E: Couldn't find any package by regex 'sope4.9-gdl1-mysql'
    E: Package 'python-webpy' has no installation candidate
    <> Installation failed, please check the terminal output.
    <> If you're not sure what the problem is, try to get help in iRedMail
    <> forum:
    [email protected]:~/iRedMail-0.9.9$ 

    I did try using apt-get to install python-webpy, but it too failed as below.

    [email protected]:~/iRedMail-0.9.9$ sudo apt-get install python-webpy
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Package python-webpy is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    E: Package ‘python-webpy’ has no installation candidate
    [email protected]:~/iRedMail-0.9.9$

    Also, the script failed because iRedMail-0.9.8 wasn't the latest, so I had to change the commands to iRedMail-0.9.9.

    • iRedMail only supports LTS releases of Ubuntu (currently Ubuntu 16.04 & Ubuntu 18.04). I won't try to install iRedMail on non-LTS Ubuntu and create unnecessary problems.

  • michaelIXOT
    2 months ago

    These were excellent instructions. With that said, now that it's time to renew certbot certs I'm getting the following error:
    'Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Missing command line flag or config entry for this setting:
    Select the webroot for
    Choices: ['Enter a new webroot', '/var/www/html']

    I want to try setting the webroot value; what should we use for iRedMail?

  • Alexandru Gagea
    2 months ago


    All of a sudden my iRedMail server stopped working. I have no idea why and how. I did make a change in iRedAPD: I added an email address to ALLOWED_LOGIN_MISMATCH_SENDERS and restarted iRedAPD. After this restart everything worked fine.
    I don't really know what to check... Any ideas?

  • Alexandru Gagea
    2 months ago

    The issue is now solved. The cause was the Linux firewall, which for some reason stopped.

  • Gerald Blondel
    2 weeks ago

    Amazing page! Thanks a lot.
    FYI, there is absolutely no problem on DigitalOcean; but Google Cloud is the one blocking port 25! I gave up using them.

    • I did an iRedMail install on DigitalOcean two months ago. Port 25 (outbound) is blocked. Maybe the port 25 policy is different for each data center?

  • Hanson
    1 week ago

    Hi, Xiao…
    I am a newbie in Linux OS. I found your web so much knowledge and useful for me. I just set up iRedMail in Ubuntu 18.04 LTS with the Linode server that you had recommended and followed your instructions. However, I faced a problem installing the certbot Let's Encrypt certificate. Here is what I get:

    The following errors were reported by the server:

    Type: connection
    Detail: Fetching
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    – Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

    The A & AAAA records for my IPv4 & IPv6 had been recorded in DNS. So I think the only error is in the firewall. How can I fix this? Thank you

    • It's likely because the Nginx virtual host didn't enable IPv6. To enable IPv6 in the Nginx virtual host, open the /etc/nginx/sites-enabled/000-default.conf file

      sudo nano /etc/nginx/sites-enabled/000-default.conf

      and find the following line.

      #listen [::]:80;

      Remove the # symbol to enable IPv6.

      listen [::]:80;

      Save and close the file. Then edit the SSL virtual host /etc/nginx/sites-enabled/00-default-ssl.conf. Add the following line.

      listen [::]:443 ssl http2;

      Save and close the file. Then test Nginx configuration.

      sudo nginx -t

      If the test is successful, reload Nginx for the change to take effect.

      sudo systemctl reload nginx

      Next, run the certbot command to obtain TLS certificate.

      sudo certbot certonly --webroot --agree-tos --email your-email-address -d -w /var/www/html/

  • Hanson
    1 week ago

    OK, thank you so much Xiao. As I had followed your instruction to enable port 80 for IPv6, it still could not install the certificate. However, I tried to remove the AAAA record for my server's IPv6. Installing the certbot certificate using the IPv4 A record, it works again. Just don't know why IPv6 from this server had been blocked by Let's Encrypt? Or does Let's Encrypt block port 80?

    • If your mail server hostname has an IPv6 record, the Let's Encrypt validation server will try to reach your mail server via the IPv6 protocol. If there's no IPv6 record, it will do so via the IPv4 protocol. Let's Encrypt does not block anything. If you see errors when trying to obtain a TLS certificate, it's almost always due to something on your own server.

      It's fine to only use an IPv4 address on your mail server.
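The failure mode in this exchange (an AAAA record published, but nothing answering on that address) can be caught before certbot is run. The following pre-flight check is an added example, not certbot's or iRedMail's code; it resolves every A/AAAA address of the hostname and tries port 80 on each, the way the validation server would, and the hostname and addresses in it are placeholders.

```python
"""Pre-flight check before requesting a Let's Encrypt certificate.

Added example, not certbot's own code. For every A/AAAA address the
hostname publishes, try a TCP connection to port 80 the way the ACME
validation server would; an AAAA record whose address does not answer is
exactly the failure mode in the thread above.
"""
import socket


def resolve_addresses(hostname, port=80):
    """Return {(rrtype, ip)} for the hostname, using the system resolver."""
    found = set()
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(
            hostname, port, proto=socket.IPPROTO_TCP):
        rrtype = "AAAA" if family == socket.AF_INET6 else "A"
        found.add((rrtype, sockaddr[0]))
    return found


def tcp_reachable(ip, port=80, timeout=5.0):
    """True if something accepts a TCP connection on ip:port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(hostname, port=80, resolve=resolve_addresses,
              reachable=tcp_reachable):
    """Map each published (rrtype, ip) to whether the port answered.

    resolve/reachable are injectable so the logic can be exercised offline.
    """
    return {addr: reachable(addr[1], port) for addr in resolve(hostname, port)}


def diagnose(report):
    """Turn a preflight report into the actions the thread arrived at."""
    problems = []
    for (rrtype, ip), ok in sorted(report.items()):
        if ok:
            continue
        if rrtype == "AAAA":
            problems.append(
                "AAAA %s unreachable: enable 'listen [::]:80;' in Nginx and "
                "open port 80 for IPv6, or drop the AAAA record" % ip)
        else:
            problems.append(
                "A %s unreachable: check the A record and the firewall "
                "rule for port 80" % ip)
    if not report:
        problems.append("no A/AAAA record found for the hostname")
    return problems


if __name__ == "__main__":
    import sys
    # mail.example.com is a placeholder; pass your real hostname as argv[1]
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    for line in diagnose(preflight(host)) or ["all published addresses answer on port 80"]:
        print(line)
```

An empty problem list means every published address accepts connections on port 80, which is the condition the http-01 challenge needs from the outside.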

  • Alexandru Gagea
    4 days ago


    I'm trying to renew my certificate and I get the below error when using "sudo certbot renew".

    Attempting to renew cert (my.domain) from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Missing command line flag or config entry for this setting: Select the webroot for my.domain:
    Choices: ['Enter a new webroot', 'var/www/html']

    Any ideas would be much appreciated.

    Thank you

  • Alexandru Gagea
    4 days ago

    I’ve solved the above issue myself. I’

    If anyone else encounters this issue, it's because of multiple domains. So to fix it you have to go to /etc/letsencrypt/renewal/example.conf and under the section [[webroot_map]] add the second domain.

    [[webroot_map]] = var/www/html = var/www/html

    After you save the file, run sudo certbot renew --dry-run again to see if the issue is fixed.
    The post that helped me fix this issue also says that it's a good idea to restart Nginx after you renew the certificate.

    service nginx reload
