Host Multiple Mail Domains in PostfixAdmin on CentOS/RHEL

This tutorial will be showing you how to set up multiple mail domains (virtual hosting) on CentOS/RHEL server with PostfixAdmin, which is an open-source web-based interface to configure and manage a Postfix based email server for many domains and users.

Prerequisites

To follow this tutorial, it’s required that

Once the above requirements are met, follow the instructions below.

What You Need to Do

If you want to host multiple mail domains, then you need to

  • Add a new mail domain and user in PostfixAdmin web-based panel.
  • Create MX, A and SPF record for the new mail domain.
  • Set up DKIM signing for the new domain.
  • Create DMARC Record for the new domain.
  • Set up RoundCube Webmail, Postfix and Dovecot for multiple domains.

A reverse DNS (PTR) check verifies that the sending IP address resolves back to the HELO hostname. Since the server keeps announcing the same HELO hostname, you don’t need to add another PTR record when adding a new mail domain.

Step 1: Adding Additional Domains in PostfixAdmin Panel

Log into PostfixAdmin panel with the postmaster account. (https://postfixadmin.your-domain.com/) Then go to Domain List -> New Domain to add a new domain.

Next, add a user under the new domain.

Step 2: Creating MX, A and SPF record for the new mail domain

In your DNS manager, add MX record for the new domain like below.

Record Type    Name      Value

MX             @         mail.domain2.com

The A record points to your mail server’s IP address.

Record Type    Name     Value

A              mail     IP-address-of-mail-server

If your server uses IPv6 address, be sure to add AAAA record.

Then create SPF record to allow the MX host to send email for the new mail domain.

Record Type    Name      Value

TXT            @         v=spf1 mx ~all

Step 3: Setting up DKIM signing for the new domain

We have installed and configured Amavis for a single domain in part 4 of this tutorial series. Now we need to make Amavis sign every outgoing email for the new mail domain. Edit the Amavis configuration file.

sudo nano /etc/amavisd/amavisd.conf

Find the following line. Note that 20200119 is the DKIM selector for my domain name. You might have a different DKIM selector.

dkim_key('domain1.com', '20200119', '/var/spool/amavisd/dkim/domain1.com.pem');

Add another line to specify the DKIM selector and the location of the private key for the second domain. You can use whatever name you like for the DKIM selector, but I find it convenient to use the current date (February 24, 2020) as the DKIM selector.

dkim_key('domain2.com', '20200224', '/var/spool/amavisd/dkim/domain2.com.pem');

In @dkim_signature_options_bysender_maps section, you have

"domain1.com" => { d => "domain1.com", a => 'rsa-sha256', ttl => 10*24*3600 },

Now we need to add a new line for the second domain.

"domain2.com" => { d => "domain2.com", a => 'rsa-sha256', ttl => 10*24*3600 },

Like this:

@dkim_signature_options_bysender_maps = ( {
    # 'd' defaults to a domain of an author/sender address,
    # 's' defaults to whatever selector is offered by a matching key

    # explicit 'd' forces a third-party signature on foreign (hosted) domains
    "domain1.com"  => { d => "domain1.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "domain2.com"  => { d => "domain2.com", a => 'rsa-sha256', ttl => 10*24*3600 },

    # catchall defaults
    '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );

Save and close the file. Then generate the private key for the second domain.

sudo amavisd genrsa /var/spool/amavisd/dkim/domain2.com.pem 2048

Restart Amavis.

sudo systemctl restart amavisd

Display the public keys.

sudo amavisd -c /etc/amavisd/amavisd.conf showkeys

All public keys will be displayed. We need the public key of the second domain, which is in the parentheses.

In your DNS manager, create a TXT record and enter 20200224._domainkey in the name field. If you used a different DKIM selector, replace 20200224 with your real DKIM selector.

Then go back to the terminal window, copy everything in the parentheses and paste it into the value field of the DNS record. You need to delete all double quotes and line breaks in the value field. If you don’t delete them, then key test will probably fail.

After saving your changes, check the TXT record with this command.

dig TXT 20200224._domainkey.domain2.com

Now you can run the following command to test if your DKIM DNS record is correct.

sudo amavisd -c /etc/amavisd/amavisd.conf testkeys

If the DNS record is correct, the test will pass.

TESTING#1 domain1.com: 20200119._domainkey.domain1.com => pass
TESTING#2 domain2.com: 20200224._domainkey.domain2.com => pass
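The error-prone part of Step 3 is copying the public key out of the parentheses and removing every double quote and line break by hand. The following POSIX shell helper is an added example, not part of the tutorial or of Amavis: it takes the showkeys output on stdin and prints the single-line TXT value for one selector/domain, then (network permitting) compares that value with what your DNS actually serves. The sample showkeys text is constructed to mimic the layout shown above, and the key material in it is a placeholder string rather than a real RSA key; the function and variable names are my own.

```shell
#!/bin/sh
# Added helper, not part of the tutorial: turn `amavisd showkeys` output into
# the single-line TXT value a DNS panel expects (quotes, line breaks and
# parentheses removed) and compare it with what DNS actually serves.

# Constructed sample that mimics the showkeys layout; the key material is a
# placeholder string, not a real RSA public key.
SAMPLE_SHOWKEYS='; key#1 2048 bits, i=20200119, d=domain1.com, /var/spool/amavisd/dkim/domain1.com.pem
20200119._domainkey.domain1.com. 3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAPLACEHOLDERDOMAIN1PART1"
  "PLACEHOLDERDOMAIN1PART2")
; key#2 2048 bits, i=20200224, d=domain2.com, /var/spool/amavisd/dkim/domain2.com.pem
20200224._domainkey.domain2.com. 3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAPLACEHOLDERDOMAIN2PART1"
  "PLACEHOLDERDOMAIN2PART2")'

# dkim_txt_value SELECTOR DOMAIN   (showkeys output on stdin)
# Prints the record value for SELECTOR._domainkey.DOMAIN with the quotes,
# line breaks and parentheses stripped. Exits 1 if no such record is found.
dkim_txt_value() {
    awk -v rec="$1._domainkey.$2." '
        $1 == rec && /TXT \($/ { inrec = 1; next }   # header line of the wanted record
        inrec {
            last = ($0 ~ /\)[[:space:]]*$/)           # closing parenthesis ends it
            gsub(/[")]/, "")                          # drop quotes and the parenthesis
            gsub(/^[[:space:]]+|[[:space:]]+$/, "")   # drop indentation
            val = val $0                              # join the chunks on one line
            if (last) { print val; exit 0 }
        }
        END { if (!last) exit 1 }'
}

# dkim_value_ok VALUE: sanity check before pasting into the DNS panel.
# Rejects leftover quotes and requires the v=DKIM1 ... p= shape.
dkim_value_ok() {
    case "$1" in
        *\"*) return 1 ;;
    esac
    case "$1" in
        "v=DKIM1;"*"p="*) return 0 ;;
        *) return 1 ;;
    esac
}

# dkim_dns_matches SELECTOR DOMAIN EXPECTED: needs dig and network access.
# dig prints long TXT values as several quoted 255-byte chunks, so quotes and
# whitespace are removed from both sides before comparing.
dkim_dns_matches() {
    published=$(dig +short TXT "$1._domainkey.$2" | tr -d '" \n')
    [ -n "$published" ] && [ "$published" = "$(printf '%s' "$3" | tr -d ' ')" ]
}

# Usage against the constructed sample (replace with: sudo amavisd showkeys | dkim_txt_value ...)
if value=$(printf '%s\n' "$SAMPLE_SHOWKEYS" | dkim_txt_value 20200224 domain2.com); then
    dkim_value_ok "$value" && printf 'TXT value for 20200224._domainkey.domain2.com:\n%s\n' "$value"
fi
```

On a real server, pipe `sudo amavisd -c /etc/amavisd/amavisd.conf showkeys` into `dkim_txt_value`, paste the printed line into the DNS panel, and once the record has propagated run `dkim_dns_matches 20200224 domain2.com "$value"` before `amavisd testkeys`; a mismatch usually means a stray quote or a truncated paste.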

Step 4: Creating DMARC Record For the New Domain

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following. Note that you need to create the [email protected] email address.

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

The above DMARC record is a safe starting point. If you want to read a detailed explanation of DMARC, please check the following article.
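After adding the MX, A, SPF (Step 2) and DMARC (Step 4) records it is worth checking them from the command line rather than trusting the DNS panel. The following POSIX shell script is an added example, not part of the tutorial: each `check_*` function reads record data on stdin so it can be exercised offline with constructed input, and `audit_mail_domain` feeds them from `dig` (which needs network access). The SPF check rejects `+all`/`?all`, which would let any host send as the domain, and the DMARC check requires `v=DMARC1` first, a valid `p=` tag and a `mailto:` report address. All names and the sample rua address are my own.

```shell
#!/bin/sh
# Added DNS sanity checks for a newly added mail domain (not part of the tutorial).
# The check_* functions take record data on stdin so they can be exercised
# offline; audit_mail_domain wires them to dig and needs network access.

# check_mx: stdin is `dig +short MX <domain>` output, e.g. "10 mail.domain2.com."
# Returns 0 when at least one MX host is listed.
check_mx() {
    awk 'NF >= 2 && $2 ~ /\.$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# check_spf: stdin is the SPF TXT value. Requires v=spf1, an mx mechanism
# (the tutorial publishes "v=spf1 mx ~all") and a terminal all mechanism that
# is not +all/?all.
check_spf() {
    rec=$(tr -d '"' | tr -s ' ')
    case "$rec" in
        "v=spf1 "*) ;;
        *) echo "SPF: must start with v=spf1" >&2; return 1 ;;
    esac
    case " $rec " in
        *" mx "*) ;;
        *) echo "SPF: no mx mechanism, the MX host is not authorized to send" >&2; return 1 ;;
    esac
    case "$rec" in
        *" -all"|*" ~all") return 0 ;;
        *" +all"|*" ?all") echo "SPF: +all/?all lets anyone send as this domain" >&2; return 1 ;;
        *) echo "SPF: missing terminal all mechanism" >&2; return 1 ;;
    esac
}

# check_dmarc: stdin is the _dmarc TXT value. v=DMARC1 must come first, p= must
# be none/quarantine/reject, and rua= (if present) must be a mailto: URI.
# Prints the policy on success so callers can see what is actually enforced.
check_dmarc() {
    rec=$(tr -d '"')
    case "$rec" in
        "v=DMARC1;"*) ;;
        *) echo "DMARC: must start with v=DMARC1" >&2; return 1 ;;
    esac
    tags=$(printf '%s\n' "$rec" | tr -d ' ' | tr ';' '\n')
    p=$(printf '%s\n' "$tags" | sed -n 's/^p=//p')
    case "$p" in
        none|quarantine|reject) ;;
        *) echo "DMARC: p tag missing or invalid (got '$p')" >&2; return 1 ;;
    esac
    rua=$(printf '%s\n' "$tags" | sed -n 's/^rua=//p')
    if [ -n "$rua" ]; then
        case "$rua" in
            mailto:*) ;;
            *) echo "DMARC: rua must be a mailto: URI" >&2; return 1 ;;
        esac
    fi
    printf '%s\n' "$p"
}

# audit_mail_domain DOMAIN: query live DNS (needs dig and network) and run the
# checks above; prints one line per check and returns 1 if any failed.
audit_mail_domain() {
    d="$1"; rc=0
    dig +short MX "$d" | check_mx && echo "MX    ok" || { echo "MX    FAIL"; rc=1; }
    dig +short TXT "$d" | grep -i 'v=spf1' | check_spf && echo "SPF   ok" || { echo "SPF   FAIL"; rc=1; }
    dig +short TXT "_dmarc.$d" | check_dmarc >/dev/null && echo "DMARC ok" || { echo "DMARC FAIL"; rc=1; }
    return $rc
}

# Offline demonstration on constructed record values (the rua address is a sample).
printf 'v=spf1 mx ~all\n' | check_spf && echo "sample SPF record accepted"
printf 'v=DMARC1; p=none; pct=100; rua=mailto:dmarc-rua@domain2.com\n' | check_dmarc
```

Run `audit_mail_domain domain2.com` once the records have propagated; a `FAIL` line is accompanied by the reason on stderr. Note that `check_dmarc` accepting `p=none` only means the record is well formed, which is the safe monitoring-only starting point the tutorial recommends.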

Step 5: Setting up RoundCube, Postfix and Dovecot for Multiple Domains

It makes sense to let users of the first domain use mail.domain1.com and users of the second domain use mail.domain2.com when using RoundCube webmail. I will show you how to do it with Apache and Nginx.

Apache

If Roundcube is served by Apache web server, then create a virtual host for the second domain.

sudo nano /etc/httpd/conf.d/mail.domain2.com.conf

Put the following text into the file.

<VirtualHost *:80>
  ServerName mail.domain2.com
  DocumentRoot /var/www/roundcube/

  ErrorLog /var/log/httpd/mail.domain2.com_error.log
  CustomLog /var/log/httpd/mail.domain2.com_access.log combined

  <Directory />
    Options FollowSymLinks
    AllowOverride All
  </Directory>

  <Directory /var/www/roundcube/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
  </Directory>

</VirtualHost>

Save and close the file. Reload Apache for the changes to take effect.

sudo systemctl reload httpd

Nginx

If Roundcube is served by Nginx web server, then create a virtual host for the second domain.

sudo nano /etc/nginx/conf.d/mail.domain2.com.conf

Put the following text into the file.

server {
  listen 80;
  server_name mail.domain2.com;
  root /var/www/roundcube/;
  index index.php index.html index.htm;

  error_log /var/log/nginx/roundcube.error;
  access_log /var/log/nginx/roundcube.access;

  location / {
    try_files $uri $uri/ /index.php;
  }

  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php-fpm/www.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }

  location ~ /.well-known/acme-challenge {
    allow all;
  }

  location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
    deny all;
  }

  location ~ ^/(bin|SQL)/ {
    deny all;
  }

  # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
    access_log        off;
    log_not_found     off;
    expires           360d;
  }
}

Save and close the file. Then test Nginx configurations.

sudo nginx -t

If the test is successful, reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Obtaining TLS Certificate

Now use Certbot to obtain TLS certificate for all your mail domains, so you will have a single TLS certificate with multiple domain names on it.

Apache

sudo /usr/local/bin/certbot --apache --agree-tos --redirect --hsts --staple-ocsp -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email [email protected]

Nginx

sudo /usr/local/bin/certbot --nginx --agree-tos --redirect --hsts --staple-ocsp -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email [email protected]

Notice that in the above command, we specified the cert name using the first mail domain, which will be used in the file path, so you don’t have to change the file path in Postfix or Dovecot configuration file.

When it asks if you want to update the existing certificate to include the new domain, answer U and hit Enter.

Now you should see the following message, which indicates the multi-domain certificate is successfully obtained.

Reload Apache or Nginx to pick up the new certificate.

sudo systemctl reload httpd
sudo systemctl reload nginx

You should now be able to use different domains to access RoundCube webmail. You also need to reload the Postfix SMTP server and the Dovecot IMAP server so that they pick up the new certificate. That’s all you need to do for Postfix and Dovecot to serve multiple domains.

sudo systemctl reload postfix dovecot

Using Mail Client on Your Computer or Mobile Device

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account of the second domain.

  • In the incoming server section, select IMAP protocol, enter mail.domain2.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter mail.domain2.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Although Postfix SMTP server and Dovecot IMAP server are using the hostname of the first mail domain (mail.domain1.com) when communicating with others, they are now using a multi-domain certificate, so the mail client won’t display certificate warnings.
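The reason the client shows no warning is that the certificate's subjectAltName list contains mail.domain2.com even though Postfix and Dovecot still announce mail.domain1.com. The following POSIX shell script is an added example, not part of the tutorial or of Certbot, for verifying exactly that: it generates a throwaway self-signed certificate with both mail hostnames as SANs (so it runs offline and needs only `openssl`), extracts the SAN list, and checks whether a given hostname is covered; `live_cert_covers_host` applies the same check to the certificate a running server presents over STARTTLS and therefore needs network access. Function names and the temporary files are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): check that a certificate's SAN list
# covers every mail hostname a client might connect to. A throwaway
# self-signed multi-domain certificate is generated into a temp dir so the
# offline part needs only openssl; live_cert_covers_host needs network access.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed certificate request config: CN of the first mail domain and
# both mail hostnames as SANs, mirroring what the certbot command above issues.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = mail.domain1.com
[v3]
subjectAltName = DNS:mail.domain1.com, DNS:mail.domain2.com
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/san.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
CERT_PEM="$WORK/cert.pem"

# cert_sans CERTFILE: print the DNS names in subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_covers_host CERTFILE HOST: returns 0 when HOST is listed in the SANs.
# (Wildcards are not expanded; a mail certificate should name each host.)
cert_covers_host() {
    cert_sans "$1" | grep -qx "$2"
}

# live_cert_covers_host HOST PORT: fetch the certificate a server presents over
# STARTTLS on the submission (587) or IMAP (143) port and run the same check.
# Needs network access; -servername sends SNI for HOST.
live_cert_covers_host() {
    proto=smtp; [ "$2" = 143 ] && proto=imap
    openssl s_client -connect "$1:$2" -starttls "$proto" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -out "$WORK/live.pem" 2>/dev/null \
      && cert_covers_host "$WORK/live.pem" "$1"
}

# Offline demonstration on the generated certificate.
for host in mail.domain1.com mail.domain2.com mail.domain3.com; do
    if cert_covers_host "$CERT_PEM" "$host"; then
        echo "$host: covered by certificate"
    else
        echo "$host: NOT covered, clients will warn"
    fi
done
```

Against the real server, `live_cert_covers_host mail.domain2.com 587` and `live_cert_covers_host mail.domain2.com 143` should both succeed after `sudo systemctl reload postfix dovecot`; if they fail while the webmail site works, the services are still serving the old single-domain certificate.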

SPF and DKIM Check

Now you can use your desktop email client or webmail client to send a test email to [email protected] and get a free email authentication report. Here’s the report I got from port25.com.

Don’t forget to test your email score at https://www.mail-tester.com and also test email placement with GlockApps.

What if Your Emails Are Still Being Marked as Spam?

I have more tips for you in this article: How to stop your emails being marked as spam. Although it requires some time and effort, your emails will eventually be placed in the inbox after applying these tips.

Wrapping Up

That’s it! I hope this tutorial helped you host multiple email domains with PostfixAdmin. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂


4 Responses to “Host Multiple Mail Domains in PostfixAdmin on CentOS/RHEL”

  • Justin Lawrence
    4 weeks ago

    Some webpages are showing your webpage as logged into WordPress on your account in my browser. Not able to access your account though because everything reaches 403 forbidden. Doesn’t show on all posts, either. Just one that I’ve seen so far. I took screenshots if you want them.

    I tried emailing you from gmail but got rejected.

    • Thanks for telling me. It’s likely because I accidentally logged in to my WordPress dashboard via the CDN. I just purged the page cache, so visitors won’t see the WordPress toolbar at the top of the page.

      I just saw your email rejected. Your email contains a large image with little text, so it got a high score with SpamAssassin. I should have set the reject threshold a little higher.

  • Will the fact that I have one server hosting multiple domains cause an issue with DKIM or SpamAssassin or any other item? The PTR record for the IP points to the mail server and its domain. Will adding additional domains cause problems with mail delivery?
