How to Host Multiple Mail Domains in iRedMail with Nginx
This tutorial will be showing you how to set up multiple email domains (virtual hosting) with iRedMail, which is an easy way to set up your own email server.
Prerequisites
To follow this tutorial, it’s assumed that
- You have already set up an iRedMail server with one domain.
- You are using iRedMail 0.9.8 or above, which uses Nginx to serve webmail. Support for Apache web server is removed in version 0.9.8.
What You Need to Do
If you want to host multiple mail domains, then you need to
- Add a new mail domain and user in iRedMail admin panel.
- Create MX, A and SPF record for the new mail domain.
- Set up DKIM signing for additional domains
- Set up DMARC Record for the new domain.
- Set up RoundCube Webmail, Postfix and Dovecot for multiple domains
Step 1: Adding Additional Domains in iRedMail Admin Panel
Log into the iRedMail admin panel with the postmaster account (https://mail.your-domain.com/iredadmin). Then add domains in the Add tab.
Next, add a user under the new domain.
Step 2: Creating MX, A and SPF record for the new mail domain
In your DNS manager, add an MX record for the new domain like below. Your DNS manager will also ask for a priority; any value (e.g. 10) is fine when there is only one MX host.
Record Type Name Value
MX @ mail.domain2.com
The A record points to your mail server’s IP address.
Record Type Name Value
A mail IP-address-of-mail-server
If your server uses IPv6 address, be sure to add AAAA record.
Then create SPF record to allow the MX host to send email for the new mail domain.
Record Type Name Value
TXT @ v=spf1 mx ~all
Step 3: Setting up DKIM signing for the new domain
You need to tell Amavis to sign every outgoing email for the new mail domain. Edit the /etc/amavis/conf.d/50-user file.
sudo nano /etc/amavis/conf.d/50-user
Find the following line,
dkim_key('domain1.com', 'dkim', '/var/lib/dkim/domain1.com.pem');
Add another line to specify the location of the private key of the second domain.
dkim_key('domain2.com', 'dkim', '/var/lib/dkim/domain2.com.pem');
In the @dkim_signature_options_bysender_maps section, add the following line.
"domain2.com" => { d => "domain2.com", a => 'rsa-sha256', ttl => 10*24*3600 },
Save and close the file. Then generate the private key for the second domain.
sudo amavisd-new genrsa /var/lib/dkim/domain2.com.pem 2048
Restart Amavis.
sudo systemctl restart amavis
If Amavis fails to restart, check /var/log/mail.log. The key file was generated as root, so the amavis user may not be able to read it; change the ownership of the key directory and restart again.
sudo chown amavis:amavis /var/lib/dkim/ -R
Next, display the public keys.
sudo amavisd-new showkeys
All public keys will be displayed. We need the public key of the second domain, which is in the parentheses.
In your DNS manager, create a TXT record for the second domain. Enter dkim._domainkey in the Name field. Copy everything in the parentheses and paste it into the value field, then delete all double quotes. (You can paste it into a text editor first, delete all double quotes, then copy it to your DNS manager. Your DNS manager may also require you to delete other invalid characters, such as carriage returns and the line breaks between the quoted chunks; the value must end up as one continuous string.)
After saving your changes, check the TXT record with this command.
dig TXT dkim._domainkey.domain2.com
Now you can run the following command to test if your DKIM DNS record is correct.
sudo amavisd-new testkeys
If the DNS record is correct, the test will pass.
TESTING#1 domain1.com: dkim._domainkey.domain1.com => pass
TESTING#2 domain2.com: dkim._domainkey.domain2.com => pass
Note that your DKIM record may need some time to propagate across the Internet. Depending on the DNS provider you use, your record might be visible instantly, or it might take up to 24 hours. You can go to https://www.dmarcanalyzer.com/dkim/dkim-check/, enter dkim as the selector and enter your domain name to check DKIM record propagation.
Step 4: Setting Up DMARC Record For the New Domain
To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:
v=DMARC1; p=none; pct=100; rua=mailto:[email protected]
The above DMARC record is a safe starting point. To see the full explanation of DMARC, please check the following article.
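The records from Steps 2 to 4 can be checked from the server itself instead of by eye. The script below is an added example and is not part of the tutorial or of iRedMail. It assumes dig and openssl are installed and that the selector is dkim as used above; the layout of the amavisd-new showkeys output it parses (owner name, TXT (, one quoted chunk per line, closing parenthesis) is an assumption of the example. The first function does the quote and carriage-return clean-up described in Step 3, the second compares what DNS actually serves with the local private key, and the last one runs the live checks for MX, A/AAAA, SPF, DMARC and DKIM.

```bash
#!/bin/bash
# Added example, not part of the tutorial or of iRedMail: DNS checks for a new mail domain.
# Assumes dig and openssl are installed and the DKIM selector is "dkim" as in the tutorial.
# The layout of `amavisd-new showkeys` output parsed below (owner name, "TXT (", one quoted
# chunk per line, closing ")") is an assumption of this example.

# Print the one-line TXT value for <selector>._domainkey.<domain> from saved showkeys output,
# with the double quotes, line breaks and carriage returns removed, i.e. the manual clean-up
# the tutorial describes before pasting the value into a DNS manager.
dkim_txt_from_showkeys() {
  file=$1; domain=$2; sel=${3:-dkim}
  awk -v owner="${sel}._domainkey.${domain}." '
    $1 == owner { inrec = 1 }
    inrec && /^[ \t]*"/ {
      s = $0
      sub(/^[^"]*"/, "", s)      # drop everything up to the opening quote
      sub(/"[^"]*$/, "", s)      # drop the closing quote and anything after it (")", CR)
      printf "%s", s
    }
    inrec && /\)/ { exit }       # ")" closes this record; do not read the next domain
  ' "$file" | tr -d '\r'
  echo
}

# Compare the p= tag of a published DKIM TXT value with the public half of the local private key.
# Quoted chunks as printed by dig ("v=DKIM1; p=" "MIIB...") are tolerated. Returns 0 on match.
dkim_record_matches_key() {
  txt=$1; keyfile=$2
  published=$(printf '%s' "$txt" | tr -d ' "\r\n' | tr ';' '\n' | sed -n 's/^p=//p' | head -n1)
  local_pub=$(openssl rsa -in "$keyfile" -pubout -outform DER 2>/dev/null | openssl base64 -A)
  [ -n "$published" ] && [ "$published" = "$local_pub" ]
}

# Live check of the records from Steps 2 to 4 (needs network): MX, address of the MX host,
# SPF, DMARC and, when a key file is given, DKIM against that key.
audit_mail_domain() {
  domain=$1; keyfile=$2; sel=${3:-dkim}
  mx=$(dig +short MX "$domain" | sort -n | awk 'NR == 1 { print $2 }')
  if [ -n "$mx" ]; then
    echo "MX     : $mx"
    echo "A/AAAA : $( { dig +short A "${mx%.}"; dig +short AAAA "${mx%.}"; } | tr '\n' ' ')"
  else
    echo "MX     : MISSING"
  fi
  spf=$(dig +short TXT "$domain" | grep -i '"v=spf1')
  echo "SPF    : ${spf:-MISSING}"
  dmarc=$(dig +short TXT "_dmarc.$domain" | grep -i '"v=DMARC1')
  echo "DMARC  : ${dmarc:-MISSING}"
  if [ -n "$keyfile" ]; then
    if dkim_record_matches_key "$(dig +short TXT "${sel}._domainkey.${domain}")" "$keyfile"; then
      echo "DKIM   : published record matches $keyfile"
    else
      echo "DKIM   : record missing or does not match $keyfile"
    fi
  fi
}

# usage: ./mail-dns-audit.sh domain2.com /var/lib/dkim/domain2.com.pem
if [ $# -ge 1 ]; then audit_mail_domain "$@"; fi
```

Run it as root (or as a user that can read the key under /var/lib/dkim) after the DNS changes have propagated. A DKIM mismatch here with amavisd-new testkeys also failing almost always means a quote, space or carriage return survived the paste into the DNS manager; a mismatch with testkeys passing means the resolver you are querying still has an old record cached.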
Step 5: Setting up RoundCube, Postfix and Dovecot for Multiple Domains
It makes sense to let users of the first domain use mail.domain1.com and users of the second domain use mail.domain2.com when using RoundCube webmail.
Change the working directory to /etc/nginx/.
cd /etc/nginx/
Create a blank server block file for the second domain in the /etc/nginx/sites-enabled/ directory.
sudo touch sites-enabled/mail.domain2.com.conf
Copy the default HTTP site configurations to the file.
cat sites-enabled/00-default.conf | sudo tee -a sites-enabled/mail.domain2.com.conf
Copy the default SSL site configurations to the file.
cat sites-enabled/00-default-ssl.conf | sudo tee -a sites-enabled/mail.domain2.com.conf
Edit the virtual host file.
sudo nano sites-enabled/mail.domain2.com.conf
Find the following line.
server_name _;
We need to change the server_name to mail.domain2.com, because later we need to use Certbot to obtain a new TLS certificate.
server_name mail.domain2.com;
There are 2 instances of server_name (one in the HTTP server block and one in the HTTPS server block); you need to change both of them. Save and close the file. Then test the Nginx configuration.
sudo nginx -t
If the test is successful, reload Nginx for the changes to take effect.
sudo systemctl reload nginx
Now use Certbot webroot plugin to obtain TLS certificate for all your mail domains, so you will have a single TLS certificate with multiple domain names on it and mail clients won’t throw security warnings.
sudo certbot certonly --webroot --agree-tos -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email your-email-address -w /var/www/html
Notice that in the above command, we specified the cert name using the first mail domain, which will be used in the file path, so you don’t have to change the file path in Postfix or Dovecot configuration file.
When it asks if you want to update the existing certificate to include the new domain, answer U and hit Enter.
Certbot should now print a message confirming that the certificate was successfully received, which indicates the multi-domain certificate is obtained.
If you encounter the following error,
Detail: Invalid response from https://mail.domain2.com/.well-known/acme-challenge/j3Nd2mNFQ43P9xLJSP4IFAiRytDCb3bemZwuAxDzWQc [xx.xx.xx.xx]: 404
then you need to use the certbot nginx plugin to obtain TLS certificate.
sudo apt install python3-certbot-nginx
sudo certbot certonly -a nginx --agree-tos -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email your-email-address
Once the TLS certificate is obtained, reload Nginx to pick up the new certificate.
sudo systemctl reload nginx
You should now be able to use different domains to access RoundCube webmail. Also you need to reload Postfix SMTP server and Dovecot IMAP server in order to let them pick up the new certificate.
sudo systemctl reload postfix dovecot
Using Mail Client on Your Computer or Mobile Device
Fire up your desktop email client such as Mozilla Thunderbird and add a mail account of the second domain.
- In the incoming server section, select IMAP protocol, enter mail.domain2.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
- In the outgoing section, select SMTP protocol, enter mail.domain2.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.
Hint: You can also use port 993 with SSL/TLS encryption for IMAP, and use port 465 with SSL/TLS encryption for SMTP. You should not use port 25 as the SMTP port to submit outgoing emails.
Although Postfix SMTP server and Dovecot IMAP server are using the hostname of the first mail domain (mail.domain1.com) when communicating with others, they are now using a multi-domain certificate, so the mail client won’t display certificate warnings.
SPF and DKIM Check
Now you can use your desktop email client or webmail client to send a test email to [email protected]
and get a free email authentication report. Here’s the report I got from port25.com
Don’t forget to test your email score at https://www.mail-tester.com and also test email placement with GlockApps.
If DKIM check fails, you can go to https://www.dmarcanalyzer.com/dkim/dkim-check/ to see if there are any errors with your DKIM record.
What if Your Emails Are Still Being Marked as Spam?
I have more tips for you in this article: 7 effective tips to stop your emails being marked as spam. Although it requires some time and effort, your emails will eventually be placed in the inbox after applying these tips.
rDNS for Multiple Mail Domains?
Reverse DNS (rDNS), i.e. the PTR record of your IP address, is used by receiving servers to check that the sending IP address resolves to a hostname (normally the HELO hostname) which in turn resolves back to that same IP address. You don’t need to add another PTR record when adding a new mail domain. Your rDNS should be set to just one hostname, i.e. the hostname set in Postfix, which can be shown with the following command.
postconf myhostname
rDNS is a record for IP addresses, not for domain names. If you have just one IP address, then you need just one rDNS record pointing to one hostname. The reverse DNS check doesn’t look at the From: domain of your email; as long as your IP address has an rDNS record and that hostname resolves back to the same IP address, you pass the reverse DNS check.
Also, you don’t need to change the following settings in Postfix when hosting multiple domains on one server.
- myhostname
- myorigin
- mydestination
Hosted email services like G Suite and Microsoft Exchange Online all use one hostname per server to send email for their customers. Emails sent from G Suite users all use google.com in the hostname and emails sent from Microsoft Exchange Online users all use outlook.com in the hostname. This is also true for other email service providers like Mailchimp, SendinBlue, SendPulse, etc. They all use one hostname for a single server, and one IP address has just one rDNS record.
Multiple TLS Certificates
If you manage email servers for lots of clients, you might not want to bundle all hostnames into one certificate, because the certificate’s Subject Alternative Name list is sent to every client that connects and publicly reveals which customers you host. If you prefer to create a separate TLS certificate for each domain name, then you should not copy the default SSL configuration to the new virtual host file. That is to say, don’t run the following command in step 5.
cat sites-enabled/00-default-ssl.conf | sudo tee -a sites-enabled/mail.domain2.com.conf
Instead of using the following command to obtain a multi-domain certificate,
sudo certbot certonly --webroot --agree-tos -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com -w /var/www/html
You can use the following command to obtain a separate TLS certificate for the second mail domain.
sudo certbot -a webroot -i nginx --agree-tos -d mail.domain2.com -w /var/www/html
Next, you need to configure Postfix and Dovecot.
Postfix Multiple TLS Certificates
If you use Postfix version 3.4 or higher (check with postconf mail_version), you can serve multiple TLS certificates, selected by the hostname the client sends in the TLS SNI extension. Edit the main.cf file.
sudo nano /etc/postfix/main.cf
Add the following line at the end of this file to enable multiple TLS certificates.
tls_server_sni_maps = hash:/etc/postfix/sni_maps
Save and close the file. Then create the sni_maps file.
sudo nano /etc/postfix/sni_maps
In this file, add each mail hostname and its certificate file.
mail.domain1.com /etc/letsencrypt/live/mail.domain1.com/privkey.pem /etc/letsencrypt/live/mail.domain1.com/fullchain.pem
mail.domain2.com /etc/letsencrypt/live/mail.domain2.com/privkey.pem /etc/letsencrypt/live/mail.domain2.com/fullchain.pem
Save and close the file. Next, build the lookup table.
sudo postmap -F /etc/postfix/sni_maps
Restart Postfix.
sudo systemctl restart postfix
You must use the -F option with postmap: it makes postmap read the listed key and certificate files and store their contents (base64-encoded) in the lookup table instead of the file names. Without it, Postfix logs a malformed BASE64 value error in the /var/log/mail.log file. The following command is wrong.
sudo postmap /etc/postfix/sni_maps
Dovecot Multiple TLS Certificates
If you use multiple TLS certificates in Postfix, you should also enable it in Dovecot. Edit the Dovecot 10-ssl.conf file.
sudo nano /etc/dovecot/conf.d/10-ssl.conf
You can find the following lines.
ssl_cert = </etc/letsencrypt/live/mail.domain1.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.domain1.com/privkey.pem
Then add the following lines.
local_name mail.domain1.com {
  ssl_cert = </etc/letsencrypt/live/mail.domain1.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.domain1.com/privkey.pem
}
local_name mail.domain2.com {
  ssl_cert = </etc/letsencrypt/live/mail.domain2.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.domain2.com/privkey.pem
}
Save and close the file. Then restart Dovecot.
sudo systemctl restart dovecot
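Whichever layout you chose, the single multi-domain certificate from Step 5 or the per-hostname certificates selected through tls_server_sni_maps and local_name above, the way to confirm that Postfix and Dovecot really present the right certificate is to connect with SNI set to each mail hostname and read the Subject Alternative Name of what comes back. The script below is an added example and not code from the tutorial, Postfix or Dovecot. It assumes openssl is installed and the standard iRedMail listeners (465 and 587 for Postfix, 993 and 143 for Dovecot); the address 203.0.113.10 in the usage line is a placeholder.

```bash
#!/bin/bash
# Added example, not from the tutorial, Postfix or Dovecot: check which certificate each mail
# service presents for a given SNI name. Assumes openssl is installed and the standard
# iRedMail listeners: Postfix on 465 (TLS) and 587 (STARTTLS), Dovecot on 993 (TLS) and 143 (STARTTLS).

# Connect to host:port sending $2 as the SNI name and print the presented leaf certificate
# in `openssl x509 -text` form. $3 is the STARTTLS protocol (smtp or imap); omit it for 465/993.
presented_cert_text() {
  hostport=$1; servername=$2; starttls=$3
  openssl s_client -connect "$hostport" -servername "$servername" ${starttls:+-starttls "$starttls"} \
    </dev/null 2>/dev/null | openssl x509 -noout -text 2>/dev/null
}

# Pure text parser: print the DNS names listed in the "X509v3 Subject Alternative Name" block
# of `openssl x509 -text` output (read from stdin), one per line.
san_dns_names_from_text() {
  awk '
    /Subject Alternative Name/ { grab = 1; next }
    grab {
      n = split($0, parts, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        if (parts[i] ~ /^DNS:/) print substr(parts[i], 5)
      }
      exit
    }
  '
}

# Returns 0 if the name in $1 is covered by the certificate text on stdin:
# exact SAN match, or a single-label wildcard such as *.domain2.com.
san_covers_name() {
  name=$1
  wildcard="*.${name#*.}"
  san_dns_names_from_text | grep -qxF -e "$name" -e "$wildcard"
}

# Connect to every listener with SNI set to $1 and report whether the presented certificate
# covers that name. $2 (optional) is the address to connect to, useful before DNS for $1 is live.
# With one multi-SAN certificate every hostname must pass; with tls_server_sni_maps and
# local_name, a hostname missing from the map gets the default certificate and fails here.
check_mail_host() {
  name=$1; target=${2:-$1}
  for spec in "465:" "587:smtp" "993:" "143:imap"; do
    port=${spec%%:*}; proto=${spec#*:}
    if presented_cert_text "$target:$port" "$name" "$proto" | san_covers_name "$name"; then
      echo "$name port $port: OK"
    else
      echo "$name port $port: presented certificate does NOT cover $name"
    fi
  done
}

# usage: ./check-sni.sh mail.domain2.com    or    ./check-sni.sh mail.domain2.com 203.0.113.10
if [ $# -ge 1 ]; then check_mail_host "$@"; fi
```

Run it once per mail hostname after reloading Postfix and Dovecot. A name that fails on 465/587 but passes on 993/143 points at the sni_maps table (rebuild it with postmap -F and reload Postfix); the reverse points at a missing or misspelled local_name block in 10-ssl.conf.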
Wrapping Up
That’s it! I hope this tutorial helped you host multiple email domains with iRedMail. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂
Thank you for this interesting read.
Is there any encryption implemented for mail data stored at the server?
If not, how would I add this?
Emails are not encrypted at rest. The root user can access all emails on the server.
Your tutorials are great, I have been following a few of them.
Right now I have a problem, when trying to setup a second domain like in this tutorial.
My second domain can send mails without a problem, but it does not receive any email.
The strange thing is, that the sender also does not get an error message. The mail just disappears and is neither delivered nor rejected.
DNS settings are all correct. I do not know where else to look.
Thanks for helping
You should check the mail log (/var/log/mail.log) on the receiving email server. If DNS records are correct, you will see the sender in the mail log and it will tell you the reason why the email wasn’t delivered.
Hi Xiao,
That definitely gives me more info about the problem. It seems that all mails sent to this domain are queued indefinitely.
I do not know why this happens.
I restarted amavis and nginx and now it is working. This seems strange.
Thanks
Really appreciate your tutorials! 5 out of 5
The only weakness of iRedMail is that if it fails to install correctly, or gets corrupted later, they recommend reinstalling the OS then iRedMail again. This wouldn’t be necessary if they kept a strict log of all the changes made with the location, old-value and new-value, so that “apt purge” could use the log to undo all changes.
Yes, a small mistake like pressing the space bar after the domain name in the setup wizard can cause installation failure. I think Modoboa is less error-prone.
Hi Xiao,
I set up the mail-server with iRedMail on Ubuntu 16.04 for one domain without any problems. Your guide is great.
But I try to set up multiple domains and problems start.
Can not set up dkim._domainkey in my DNS zone. I get a message: “The hostname of the record does not match the name of the zone.”
The main domain (mydomain.com) is pointed to a different IP address than the mail subdomain (mail.domain.com).
I have website on other VPS than mail-server. How to fix it?
In my DNS zone I have:
mydomain.com | A | IP 1 (111.111.11.11)
www.mydomain.com | CNAME | mydomain.com
mail.mydomain.com | A | IP 2 (222.222.22.22)
mydomain.com | MX | 10 | mail.mydomain.com
mydomain.com | TXT | v=spf1 mx ~all
OK – I fixed it. The question from the previous comment is out of date.
Everything working fine with two domains and different IP addresses.
Score 10/10 for both domains.
Thank you again for great tutorials.
Glad to know it’s working for you now 🙂
Fantastic job! It is nice to see a tutorial which actually works! Most of these kind of tutorials have a ton of errors and they don’t work exactly right so you have to do a lot of digging on your own. Yours are spot on!
This got me up and running perfectly. The only gap I have now is how to configure and administer the spam components and whitelists/blacklists for iRedMail. Do you have a tutorial on that or can you recommend a good resource?
iRedMail uses Postscreen and SpamAssassin for spam filtering, which is configured in /etc/postfix/main.cf file. Another good tool is rspamd, which has a nice web-based graphical interface. I will write an article about rspamd.
Thank you! I am really looking forward to that! I know iRedMail uses Amavisd-new, SpamAssassin & ClamAV. Are these (or suitable replacements) integrated into rspamd so we only have one interface to deal with for virus filtering, spam and whitelists/blacklists? Or do I need to look at other solutions for some of that? I glanced at rspamd.com really quickly but couldn’t tell what components they are using. Thank you again for everything. I will be donating to support the site!
Clarification: in order for this to work I have to get another domain, right, and point it to the same public IP address as my current iRedMail server?
I suppose that you asked “The A record for mail.domain2.com should be pointed to the public IP address of the current iRedMail server?”
The answer is Yes.
You’re the best, bro.
Hello Xiao, you mentioned in another post that it was possible to run other sites alongside this setup. How can this be done? I had it working previously, but I have no idea how I did it. Any tips? Thanks.
Hello Xiao,
I see that you want to write an article about rspamd. Is it possible to do it with a how-to for switching from Amavis (SpamAssassin) to rspamd in iRedMail?
Thx
Hello xiao
In this article, every newly added domain name is redirected to a new entry like mail.domain2.com, mail.domain3.com etc.
Can I do it like this instead? Every newly added domain name is managed by mail.domain.com.
Yes, you can use the same hostname for the MX record and webmail. You can even use the same DKIM key for all domain names, but I recommend using a unique DKIM key for each domain name to have better email deliverability.
Hello
I have setup hostname mail.domain1.com and first email domain domain2.com.
The admin url :https://mail.domain1.com/iredadmin/
admin account: [email protected]
how to setup my dns records ? so that all email domains are managed by mail.domain1.com and all new domains client login is https://mail.domain1.com/mail/
You can set the MX record of domain2.com to use mail.domain1.com. Then simply add email accounts at the admin panel. By default, all email accounts can login at https://mail.domain1.com/mail/.
So I only need to set the MX record for domain2.com as below?
MX @ mail.domain1.com
Yes, use that MX record. Then set up DKIM key and create DMARC record.
Hi, thanks for posting, it really did help. When the cert expires, how do I renew it, and is there any way to auto-renew the cert?
The certbot debian package ships with its own cron job (/etc/cron.d/certbot) and a systemd timer (/lib/systemd/system/certbot.timer) to automatically renew TLS certificate. So you don’t need to manually add cron job or systemd timer. The timer runs certbot.service twice a day. You can check its status with:
Hi everyone. I have created a bash script which can execute the entire above mentioned commands in a single step. Code pasted below:
Note: Before running script edit host ip, primary mail domain and email id inside the script
#!/bin/bash
# define ipaddress variable
# define primary mail domain
# define ssl cert email id
ipaddress="1.2.3.4"
primarymaildomain="mail.myprimarydomain.com"
sslemail="[email protected]"
echo " "
sleep 2
echo "Add new email domain script started"
echo " "
sleep 2
echo "Add domain and user in iRedAdmin"
echo " "
sleep 2
read -p "Press enter if added?"
echo " "
sleep 2
echo "Enter domain name without www ; Eg: mywebsite.com"
echo " "
read domainname
echo " "
sleep 2
echo "Adding new domain DKIM Key now"
# dkim_key() line for the new domain, appended after the "# Add dkim_key here." marker comment iRedMail puts in 50-user
var1="dkim_key('$domainname', 'dkim', '/var/lib/dkim/$domainname.pem');"
sed -i -e "/# Add dkim_key here./a $var1" /etc/amavis/conf.d/50-user
# per-domain signing options, appended after the "# Per-domain dkim key" marker comment in 50-user
var2="\"$domainname\" => { d => \"$domainname\", a => 'rsa-sha256', ttl => 10*24*3600 },"
sed -i -e "/# Per-domain dkim key/a $var2" /etc/amavis/conf.d/50-user
echo " "
sleep 2
echo "New Domain DKIM key added"
echo " "
sleep 2
echo "Generating DNS records"
echo " "
var3="/var/lib/dkim/$domainname.pem"
sudo amavisd-new genrsa "$var3" 2048
# the key is created by root; amavis must be able to read it or it will fail to start
sudo chown amavis:amavis "$var3"
sudo systemctl restart amavis
sudo mkdir -p /etc/dnsrecords
var3a="/etc/dnsrecords/$domainname.txt"
if [ -f "$var3a" ] ; then
sudo rm "$var3a"
fi
echo " " >> "$var3a"
echo "; DKIM Record" >> "$var3a"
sudo amavisd-new showkeys "$domainname" >> "$var3a"
echo "; MX Record" >> "$var3a"
echo "$domainname. 1 IN MX 1 mail.$domainname." >> "$var3a"
echo "; A Record" >> "$var3a"
echo "mail.$domainname. 1 IN A $ipaddress" >> "$var3a"
echo "; TXT Records" >> "$var3a"
echo "$domainname. 1 IN TXT \"v=spf1 mx ~all\"" >> "$var3a"
echo "_dmarc.$domainname. 1 IN TXT \"v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@$domainname\"" >> "$var3a"
echo " " >> "$var3a"
echo " "
echo "DNS records generated. Download it @ /etc/dnsrecords folder. Import in DNS as BIND file"
echo " "
sleep 2
read -p "Press enter to continue after updating dns records?"
sleep 2
echo " "
echo "Testing DKIM record key"
echo " "
sudo amavisd-new testkeys "$domainname"
echo " "
var4="/etc/nginx/sites-enabled/mail.$domainname.conf"
sudo touch "$var4"
var5="/etc/nginx/sites-enabled/00-default.conf"
cat "$var5" | sudo tee -a "$var4" > /dev/null
var6="/etc/nginx/sites-enabled/00-default-ssl.conf"
cat "$var6" | sudo tee -a "$var4" > /dev/null
var7="server_name _;"
var8="server_name mail.$domainname;"
sudo sed -i -e "s/$var7/$var8/g" "$var4"
sleep 2
echo "Testing nginx configuration"
echo " "
sudo nginx -t
sudo systemctl reload nginx
echo " "
# build a comma-separated list of every mail host that already has a server block
ls /etc/nginx/sites-enabled > /etc/dnsrecords/aaaexistingdomains.txt
sed -i -e "s/00-default.conf//g" /etc/dnsrecords/aaaexistingdomains.txt
sed -i -e "s/00-default-ssl.conf//g" /etc/dnsrecords/aaaexistingdomains.txt
sed -i -e "s/\.conf$//g" /etc/dnsrecords/aaaexistingdomains.txt
sed -i '/^$/d' /etc/dnsrecords/aaaexistingdomains.txt
sed -i ':a;N;$!ba;s/\n/,/g' /etc/dnsrecords/aaaexistingdomains.txt
var8a="/etc/dnsrecords/aaaexistingdomains.txt"
var8b=$(cat "$var8a")
var9="$primarymaildomain,$var8b"
sleep 2
echo "Updating SSL certificates"
echo " "
sleep 2
echo "Click 'u' when prompted"
echo " "
sleep 2
sudo certbot certonly --webroot --agree-tos -d "$var9" --cert-name "$primarymaildomain" --email "$sslemail" -w /var/www/html
echo " "
sleep 2
echo "Restarting nginx, postfix and dovecot"
echo " "
sudo systemctl reload nginx
sudo systemctl reload postfix
sudo systemctl reload dovecot
sleep 2
echo "Add new email domain script ended"
echo " "
var10="https://mail.$domainname/"
sleep 2
echo "Now u can visit $var10"
echo " "
sleep 2
echo "Thank You"
echo " "
sleep 2
Also, the above script will generate DNS records in BIND format, which can be directly imported into almost all DNS providers like Cloudflare, GoDaddy etc.
No need to edit anything inside bash script. Directly run the following script and give inputs when prompted. DNS records will be generated and new email domain will be added automatically.
#!/bin/bash
# public IP of this server, detected via OpenDNS; primary mail hostname taken from the system FQDN
ipaddress=$(dig +short myip.opendns.com @resolver1.opendns.com)
primaildom=$(hostname -f)
echo " "
sleep 2
echo "Add new email domain script started"
echo " "
sleep 2
echo "Add domain and user in iRedAdmin"
echo " "
sleep 2
read -p "Press enter if added?"
echo " "
sleep 2
echo "Enter domain name without www ; Eg: mywebsite.com"
echo " "
read domainname
echo " "
sleep 2
echo "Adding new domain DKIM Key now"
# dkim_key() line for the new domain, appended after the "# Add dkim_key here." marker comment iRedMail puts in 50-user
var1="dkim_key('$domainname', 'dkim', '/var/lib/dkim/$domainname.pem');"
sed -i -e "/# Add dkim_key here./a $var1" /etc/amavis/conf.d/50-user
# per-domain signing options, appended after the "# Per-domain dkim key" marker comment in 50-user
var2="\"$domainname\" => { d => \"$domainname\", a => 'rsa-sha256', ttl => 10*24*3600 },"
sed -i -e "/# Per-domain dkim key/a $var2" /etc/amavis/conf.d/50-user
echo " "
sleep 2
echo "New Domain DKIM key added"
echo " "
sleep 2
echo "Generating DNS records"
echo " "
var3="/var/lib/dkim/$domainname.pem"
sudo amavisd-new genrsa "$var3" 2048
# the key is created by root; amavis must be able to read it or it will fail to start
sudo chown amavis:amavis "$var3"
sudo systemctl restart amavis
sudo mkdir -p /etc/dnsrecords
var3a="/etc/dnsrecords/$domainname.txt"
if [ -f "$var3a" ] ; then
sudo rm "$var3a"
fi
echo " " >> "$var3a"
echo "; DKIM Record" >> "$var3a"
sudo amavisd-new showkeys "$domainname" >> "$var3a"
echo "; MX Record" >> "$var3a"
echo "$domainname. 1 IN MX 1 mail.$domainname." >> "$var3a"
echo "; A Record" >> "$var3a"
echo "mail.$domainname. 1 IN A $ipaddress" >> "$var3a"
echo "; TXT Records" >> "$var3a"
echo "$domainname. 1 IN TXT \"v=spf1 mx ~all\"" >> "$var3a"
echo "_dmarc.$domainname. 1 IN TXT \"v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@$domainname\"" >> "$var3a"
echo " " >> "$var3a"
echo " "
echo "DNS records generated. Download it @ /etc/dnsrecords folder. Import in DNS as BIND file"
echo " "
sleep 2
read -p "Press enter to continue after updating dns records?"
sleep 2
echo " "
echo "Testing DKIM record key"
echo " "
sudo amavisd-new testkeys "$domainname"
echo " "
var4="/etc/nginx/sites-enabled/mail.$domainname.conf"
sudo touch "$var4"
var5="/etc/nginx/sites-enabled/00-default.conf"
cat "$var5" | sudo tee -a "$var4" > /dev/null
var6="/etc/nginx/sites-enabled/00-default-ssl.conf"
cat "$var6" | sudo tee -a "$var4" > /dev/null
var7="server_name _;"
var8="server_name mail.$domainname;"
sudo sed -i -e "s/$var7/$var8/g" "$var4"
sleep 2
echo "Testing nginx configuration"
echo " "
sudo nginx -t
sudo systemctl reload nginx
echo " "
# build a comma-separated list of every mail host that already has a server block
ls /etc/nginx/sites-enabled > /etc/dnsrecords/aaaexistingdomains.txt
sed -i -e "s/00-default.conf//g" /etc/dnsrecords/aaaexistingdomains.txt
sed -i -e "s/00-default-ssl.conf//g" /etc/dnsrecords/aaaexistingdomains.txt
sed -i -e "s/\.conf$//g" /etc/dnsrecords/aaaexistingdomains.txt
sed -i '/^$/d' /etc/dnsrecords/aaaexistingdomains.txt
sed -i ':a;N;$!ba;s/\n/,/g' /etc/dnsrecords/aaaexistingdomains.txt
var8a="/etc/dnsrecords/aaaexistingdomains.txt"
var8b=$(cat "$var8a")
var9="$primaildom,$var8b"
sleep 2
echo "Updating SSL certificates"
echo " "
sleep 2
echo "Enter email id required for ssl certificate generation"
echo " "
read sslemailid
echo " "
echo "Click 'u' when prompted"
echo " "
sleep 2
sudo certbot certonly --webroot --agree-tos -d "$var9" --cert-name "$primaildom" --email "$sslemailid" -w /var/www/html
echo " "
sleep 2
echo "Restarting nginx, postfix and dovecot"
echo " "
sudo systemctl reload nginx
sudo systemctl reload postfix
sudo systemctl reload dovecot
sleep 2
echo "Add new email domain script ended"
echo " "
var10="https://mail.$domainname/"
sleep 2
echo "Now u can visit $var10"
echo " "
sleep 2
echo "Thank You"
echo " "
sleep 2
Hi,
Is the PTR record required for the second mail domain ?
PTR record is for an IP address. If you have already created PTR record when you first set up your mail server, you don’t need to change it when you add a second mail domain.
I’ve just noticed that only emails sent from “[email protected]” and “[email protected]” reach the inbox. All other emails sent from both domains go to the spam folder.
Ideas ?
Each email address from the same domain name has its own individual reputation. For more tips to getting out of spam folder, read this article: How to stop your emails from being marked as spam.
As I am creating more and more mail servers, is it a good idea that they are all sharing the same certificate? Anyone can look at the certificate and see all the servers it has been allocated to.
You can get certbot to issue separate SSL certificate for each mail domain, but if you need to remotely login from a desktop/mobile mail client or another web application, you need to enter the first hostname (mail.domain1.com) for the server address, because Postfix does not support multiple SSL certificates on single IP address yet.
Thank you. Interesting – I might actually do that, as the first domain (mail.domain1.com) can act the main server address. What would be the command to create a separate SSL certificate?
If you prefer to create a separate SSL certificate for each domain name, then you should not copy the default SSL configuration to the new virtual host file. That is to say, don’t run the following command:
Then use certbot to create single-domain SSL certificate.
Thank you! 🙌
Hi Xiao! I’ve followed that, but when I go to mail.domain2.com it redirects too many times. This is the conf for it… https://www.pastiebin.com/5d5aa095af09b
Hi There,
I followed your steps, but if I test the keys I get this error:
amavisd-new testkeys
these are the keys:
Here are the dig results;
Hopefully you can help me?
Little edit: in the dig results you’ll see ", which I have now removed. The TTL is 3600, so should I just be patient?
You didn’t enter the DKIM record correctly. For easyvoiceonline.nl, the public key is different in the DNS record. For easyvoiceonline.co.uk, there are many carriage return characters in the DNS record. Remove them.
It’s working now, thank you, although I do not get emails on a 4th added domain @easyvoicetelecom.co.uk. It sends but I cannot receive. Any suggestions?
I run a (non-iRedMail) mail server for multiple domains. The reverse DNS points to the main domain, e.g. mail.somename.net, the mail domains are mail.domain1.net and mail.domain2.net without a rDNS record, but with correct PTR and SPF records.
Some receiving mail servers reject mails from mail.domain1.net or mail.domain2.net because the reverse DNS points to mail.somename.net instead. In Europe many mail providers are very restrictive in this regard (e.g. t-online.de, gmx.de or bluewin.ch).
How can this howto work in such an environment?
You can try adding multiple hostnames to your PTR record, or add more IP addresses to your server and use different IP address to send email for each domain name on your mail server.
Hi, can you describe how to use/configure a subdomain like “shop.mypage.com”?
It’s simple. Use mail.shop.mypage.com as the mail host. Treat the subdomain shop.mypage.com as if it is a different apex domain name.
Hi Xiao! Not sure if you missed this but I’ve followed your comment on how to create a separate SSL certificate for each domain, and when I go to mail.domain2.com it redirects too many times. This is the conf for it… https://www.pastiebin.com/5d5aa095af09b
I think you should learn the basics of Nginx web server, understand what each line in the configuration file means and compare each Nignx virtual host file, so you can troubleshoot some of the problems by yourself.
Ok! Fair enough 😊 I am guessing it something obvious that I am not paying enough attention to.
I followed your other great tutorial on setting-up iRedMail on a single domain – let’s call it mail-server.com – and it works as expected. Many thanks.
I have a website on a separate server – let’s call this one website.com – and have followed this tutorial about hosting multiple domains to the letter apart from setting-up Roundcube as website.com runs Apache not NGINX. I’ve also used slightly different DNS records for website.com.
For example, I’ve not created an additional A record for the reason already stated and website.com’s MX record is…
..and not what I think you say it should be…
However, I can send and receive mail using [email protected] without issue.
As my approach is different to yours, yet mail still appears to work correctly for website.com, what is the difference between the two and which, if any, is the preferred method? Does my approach have any downside?
Many thanks, Steve.
You can use mail.domain1.com as the MX host for the second domain, so you don’t need to create A record. As long as you can get a 10/10 score at mail-tester.com, you can use either approach.
You can still configure Roundcube for multiple domains on the mail server. Apache is running on a separate server, it won’t interfere with the mail server.
Many thanks for the very prompt reply and confirmation.
mail-tester.com gives a score of 10/10 with the usual caveat of missing an unsubscribe header.
Hi,
I had cert renewal issues lately, which I have finally solved. If you have multiple domains, there need to be separate lines, one per domain, under webroot_map in the renewal cfg file (/etc/letsencrypt/renewal/mail.dainmain1.conf):
[[webroot_map]]
mail.domain1.com = /var/www/html
mail.domain2.com = /var/www/html
Originally there was only one domain in the cfg file, which caused the renewal issues.
Please help, I want to get to the root of this problem… If I create a certificate via the normal method I get “connection refused” for each “/.well-known/acme-challenge/…”.
UFW settings… 443/tcp and Nginx Full have been set to Allow.
DNS settings are correct.
Permissions for /var/www/html…
drwxr-xr-x 2 www-data www-data 4096
I have to go the DNS verification route, which is time-consuming and doesn't auto-renew, as it is manual.
DNS verification can be automated.
It’s not always possible to troubleshoot server problems just by looking at your configurations. And I do not have time to answer every visitor’s question. If you really need to make it work, you can give me access to your server and pay me to fix the error.
Yes please, I would like to get to the root of the problem, I would be happy to pay. Let me know how I can reach you. Thank you Xiao
Contact me: [email protected]
This is now no longer an issue. The normal method of “/var/www/html” is now working having given it another go again. It seems to have fixed itself maybe via an update.
How do I set up more IP addresses? My server is currently configured with two domains and two IPs and Roundcube is working correctly for each IP (mail.domain1.com is .41 & mail.domain2.com is .241). All the mail message headers refer to mail.domain1.com & the .41 IP.
Thanks again for the great tutorials. Very clear and concise. Everything is working, but this one issue has stopped everything for us. Unfortunately the only solution I've found so far to the PTR record issue with more than one domain is multiple IPs (gets expensive). Hostwind and other providers don't allow multiple PTR records for the same IP. While the rDNS spec allows multiple domains, apparently there are some drawbacks. Google is rejecting all the domains that aren't the primary when sending to Gmail. Are there any other solutions to hosting multiple domains other than separate IPs?
Is it possible to use Bind9 on the email server instead of the provider for DNS server roles, to have multiple PTR records on the same IP?
This is just fantastic. I managed to add the second domain and everything works perfectly.
Thank you for your efforts. Well appreciated.
This is fantastic, thanks for putting this together. I’ve gotten the mail server up and running with no issues. When adding a domain, I am able to send e-mails from Domain2, but not receive. Nothing seems to show up in the mail.log file indicating incoming mail is hitting the server.
I am hosting a website in one location, and have an A record set to one IP address. I created a new A record pointing to my hosting provider (Scalahosting VPS IP address) with the name mail. I created an MX record for mail.domain2.com. The MX records seem to have propagated according to a number of DNS websites. Anything you can think of that I am missing? Thanks!
Hi Xiao,
Great tutorial; the install went well and everything looks okay, but I'm not receiving any inbound mail. I can send okay to my gmail accounts but I'm not getting anything back. I got the errors listed below from my logs.
**Unmatched Entries**
Jul 16 07:23:38 mail cron[880]: sendmail: warning: /etc/postfix/main.cf, line 374: overriding earlier entry: body_checks=pcre:/etc/postfix/body_checks.pcre
Jul 16 07:23:38 mail cron[880]: postdrop: warning: /etc/postfix/main.cf, line 374: overriding earlier entry: body_checks=pcre:/etc/postfix/body_checks.pcre.
Can you discern anything from those?
You have a duplicate body_checks parameter in the /etc/postfix/main.cf file.
Hello Xiao, thanks for your great tutorial, I have been able to get the mail server up and running in less than an hour! However I have a little problem, I hope you can point me to its resolution: I configured 2 domains with iRedMail, each with its own mail.domainX.com, both sharing the same public IP address, let's call them mail.domain1.com and mail.domain2.com. I can access user webmail via mail.domain1.com/mail, and this works for users on mail.domain2.com/mail too, everything is working fine. But I realized that if I go to mail.domain1.com/mail and enter the credentials of a user created on domain2.com I can still access the webmail of [email protected], which I think is not the expected behaviour. I would like to isolate the domains: each user should be able to log in only on its own domain. Thank you in advance for your help! Hugo
umm.. Help?
I installed Debian buster from scratch. Followed the instructions here to the letter. Email works. (Thank you!).
However.. I want to host a bunch of virtual domains, most of which use Drupal but one of which uses WordPress, so I started with that as the easiest. Using the latest wordpress.tar file I uncompressed it into /var/www/wordpress, mv'd wordpress to wadonet, chown -R www-data:www-data wadonet, and copied the nginx vhost file from "recipes" to /etc/nginx/sites-available and ln -s'd it to enabled.
That vhost file is below; nginx -t says it's fine. But the WP page comes up as unformatted text with no images and text-only paragraphing.
—
root@mail:/etc/nginx/sites-available# cat wadocan_net.conf
# Upstream to abstract backend connection(s) for php
upstream php {
    server unix:/tmp/php-cgi.socket;
    server 127.0.0.1:9000;
}
server {
    ## Your website name goes here.
    server_name wadocan.net www.wadocan.net;
    ## Your only path reference.
    root /var/www/wadonet;
    ## This should be in your http block and if it is, it's not needed here.
    index index.php;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks don't break when using query string
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
        #The following parameter can be also included in fastcgi_params file
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}
—
What am i missing?
Found it!
Firefox console shows many lines like this:
Content Security Policy: The page’s settings blocked the loading of a resource at http://wadocan.net/wp-includes/css/buttons.min.css?ver=5.5.1 (“default-src”).
Now how do I fix it?
p.s. while the error continues you can see it by pointing your browser at wadocan.net
Add this line:
add_header Content-Security-Policy "default-src 'self';" always;
within the server { } stuff.
ugh – not in any nginx doc that I could find to read.
Wrong – I did not find it. The line above almost works – but javascript will not run on the page so wordpress looks almost but nothing actually works.
I found these headers on a site called pastebin.com:
# I have added 'unsafe' declarations as WordPress themes and plugins are relying on them and I am investigating for a proper minify solution
# Report-Only: For testing purpose use add_header Content-Security-Policy-Report-Only …
# (the header name is the first argument and must not carry a trailing colon)
add_header Content-Security-Policy "default-src 'self';
    script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.wadocan.net *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com;
    style-src 'self' 'unsafe-inline' *.wadocan.net *.googleapis.com *.bootstrapcdn.com;
    img-src 'self' 'unsafe-inline' *.wadocan.net data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org;
    frame-src 'self' maps.google.com ;
    font-src 'self' data: *.gstatic.com *.bootstrapcdn.com;
    connect-src 'self' *.googletagmanager.com;
    report-uri /csp-report.php";
add_header X-Content-Security-Policy "default-src 'self';
    script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.wadocan.net *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com;
    style-src 'self' 'unsafe-inline' *.wadocan.net *.googleapis.com *.bootstrapcdn.com;
    img-src 'self' 'unsafe-inline' *.wadocan.net data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org;
    frame-src 'self' maps.google.com ;
    font-src 'self' data: *.gstatic.com *.bootstrapcdn.com;
    connect-src 'self' *.googletagmanager.com;
    report-uri /csp-report.php";
add_header X-WebKit-CSP "default-src 'self';
    script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.wadocan.net *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com;
    style-src 'self' 'unsafe-inline' *.wadocan.net *.googleapis.com *.bootstrapcdn.com;
    img-src 'self' 'unsafe-inline' *.wadocan.net data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org;
    frame-src 'self' maps.google.com ;
    font-src 'self' data: *.gstatic.com *.bootstrapcdn.com;
    connect-src 'self' *.googletagmanager.com;
    report-uri /csp-report.php";
This works, but I have no idea either why (the documentation seems to say that setting the default src to self should cover it) or what this actually authorizes.
The worst thing is that when I set up the machine the first time earlier this week I simply reloaded nginx and certbot from scratch. That worked for the websites but killed iRedMail – and there’s nothing in any docs I’ve seen to tell me which mail settings need to survive changes to the nginx setup.
Maybe the best thing would be linuxbabe et al to add a section on what to do if mail works but you need to add some virtual host websites that work with the most recent browser mods.
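To see what a policy like the WordPress header posted above actually authorizes, here is a small CSP matcher in Python (an added example, not code from the thread, from WordPress or from nginx). It implements the CSP3 matching rules that matter here: 'self' (same scheme, host and port, with an http page allowed to fetch https but not the reverse), scheme sources such as data:, *. host wildcards and the fallback to default-src; the host names are the ones in the posted header, the sample URLs are constructed, and nonces and hashes are not modelled.

```python
"""Minimal CSP matcher (added example, not code from the thread) showing what a policy
like the WordPress header above authorizes. Models 'self', scheme sources (data:),
*. host wildcards and default-src fallback; nonces/hashes are not. URLs are constructed."""
from urllib.parse import urlparse

# The posted header, reduced to three of its directives (same source lists).
WP_POLICY = (
    "default-src 'self'; "
    "script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.wadocan.net "
    "*.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com; "
    "img-src 'self' *.wadocan.net data: *.google-analytics.com *.gstatic.com "
    "*.gravatar.com *.w.org; connect-src 'self' *.googletagmanager.com"
)

def parse_csp(header):
    """'name src src; name src' -> {name: [sources]}; a repeated name is ignored."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()  # also swallows the newlines nginx keeps in the value
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(src, url, page_origin):
    """Does one source expression permit fetching url from a page at page_origin?"""
    u, p = urlparse(url), urlparse(page_origin)
    if src == "'self'":  # same host and port; an http page may fetch https, not vice versa
        scheme_ok = u.scheme == p.scheme or (p.scheme, u.scheme) == ("http", "https")
        return scheme_ok and u.hostname == p.hostname and u.port == p.port
    if src.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
        return False
    if src.endswith(":"):  # scheme source such as data:
        return u.scheme == src[:-1]
    scheme, _, rest = src.rpartition("://")  # host source with an optional scheme
    if (scheme and u.scheme != scheme) or not u.hostname:
        return False
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()
    if host.startswith("*."):  # *.example.com matches a.example.com but not example.com
        return u.hostname.endswith(host[1:])
    return host == "*" or u.hostname == host

def allowed(header, directive, url, page_origin):
    """Apply a fetch directive, falling back to default-src when it is absent."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)

def inline_allowed(header, directive):
    """Inline <script>/<style> blocks need 'unsafe-inline' (or a nonce/hash, not modelled)."""
    policy = parse_csp(header)
    return "'unsafe-inline'" in policy.get(directive, policy.get("default-src", []))
```

Note that 'self' does not let an https page fetch a URL beginning with http://, which is one way a blocked load such as the one quoted above can arise; the matcher reports exactly that case as not allowed, and it likewise reports that a bare default-src 'self' blocks every inline script, which is why the page rendered but nothing ran.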
Hi, on the last bit where you change the server name, is this step necessary to acquire the cert? What if you wanted to point 10 domains to one email server? Change server_name 10 times and run certbot 10 times instead of one giant run with the original server name?
Hi
Thank you for the great tutorials. Always check here first for linux setup guides.
Followed setting up iRedMail on CentOS8 successfully. Now added the second domain. Everything is working well but I can't send to gmail on the second domain. See the below in /var/log/maillog: "Untrusted TLS connection established to gmail-smtp-in.l.google.com[209.85.232.26]:25: TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256…"
Searching on the web I see that this is my server not trusting google. They suggest editing /etc/postfix/main.cf with the below.
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs
Tried this and variations (e.g. smtpd_tls_CApath = /etc/pki/tls/certs) but no luck. Note that I can receive emails from gmail and I can send on my first domain.
Thanks
This message doesn't mean your email server can't send email to Gmail. It means your Postfix doesn't verify the TLS certificate of Gmail servers, which is normal for email servers, so the TLS connection is untrusted. You don't need to edit smtp_tls_CApath or smtpd_tls_CApath. You should look at the entire SMTP transaction to find out why your emails were not delivered to Gmail.
Very great guide!!! Took like 10 minutes to do, ended up with a 10/10 score on mail-tester.com
You are truly a god 🙂
Thank you very much
Hi Xiao, thanks for an incredible tutorial!
I followed the instructions and got a mail server with multiple domains on a Raspberry Pi 4 working successfully.
Now I'm trying to install a mail server on a Ubuntu Server VM and it works for the main domain, but I have found that after I add dkim_key('domain2.com', 'dkim', '/var/lib/dkim/domain2.com.pem'); (with the correct domain) and restart amavis, I can't send emails anymore, even from the main domain.
On mail.log I found “Connection refused”
Jul 8 14:25:13 mail postfix/amavis/smtp[18675]: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused
Jul 8 14:25:13 mail postfix/submission/smtpd[18811]: disconnect from mail.empresa.com[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jul 8 14:25:13 mail postfix/amavis/smtp[18675]: 4GLJV16557zvPwW: to=, relay=none, delay=0.08, delays=0.08/0/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
As soon as I comment out the line for the 2nd domain and restart amavis, I'm able to send mails again correctly.
What could be happening?
Some help please
Probably a syntax error. Check the log.
Is there any way to install iRedMail or any other application without using Let's Encrypt? I'm trying to install iRedMail along with a control panel (aaPanel) to manage the server and hosted websites.
I've done more than 30 installations in different orders to try to make them work together, but I always end up running into some DNS problem or authentication failure by Let's Encrypt.
I've been blocked several times for excessive attempts with multiple hostnames. I can't take it anymore; if someone can get in touch, I'll buy a coffee for the help with the installation.