Multiple domains (w/ SSL Cert & DKIM for each) #283
Comments
Thanks, good advice. One question, though. What is the purpose of hostname mail.otherdomain.org? I have multiple domains (example1.fi, example2 and example3), but only one A (and AAAA) record for the mail server itself. The MX records in example2.fi and example3.fi point to mx.example1.fi. I am a bit baffled on what I should use as the subdomain, i.e. selector, in example2.fi and example3.fi in this case. I ended up substituting mail with "default" and everything seems to be working. (Also in the SPF record just "mx" instead of "mx a=example2.org" should work, right?)
What about DMARC for otherdomain?
My current configuration with two domains is something along these lines.
Domains:
Mail server: mail.domain.example
DNS zonefiles: domain.example, otherdomain.example
@LukeSmithxyz it'd be nice if you could do all of this with the script; it works but it's kinda tedious.
Or maybe this could be turned into a separate script file like "emailwiz-add-domain.sh", so that it can be run additional times whenever you want to add support for another domain? In other words, run emailwiz-add-domain.sh to add otherdomain1.org, then run it again to add otherdomain2.org, etc.
I'm not very good at this, but here's my attempt to make a separate script for adding domains and a separate script for adding users. I haven't tested it yet as I'm afraid of breaking my server and haven't set up a test server yet. I think a couple of other modifications to the main script will be necessary to support the 1st domain as well.
EDIT: I don't know about adding virtual domains to main.cf. Not sure how to do that properly from a script. The below is probably only going to work for the 2nd domain, but not a 3rd.
sudo tee -a /etc/postfix/main.cf <<EOF
virtual_alias_domains = ${domain}
EOF
After editing /etc/postfix/virtual you should run postmap to update the lookup table, which is /etc/postfix/virtual.db. Updated adduser script:
I tried to make a fork that has extra scripts for adding domains and adding users for a multi-domain server: https://github.com/adamzea/emailwiz |
I'm using this and it works fine with Thunderbird and Apple Mail, but trying to use it with mutt-wizard doesn't work. If I use a vanilla muttrc (like the one in Luke's 4-year-old video) it works, but I am prompted saying that the certificate doesn't match the hostname. (I am trying to add an email on the first domain but it's giving a certificate of the second domain I added.)
Edit: this might help, I'm about to try it: https://unix.stackexchange.com/questions/592341/mutt-smtp-certificate-hostname-does-not-match
Edit: fixed with this: https://serverfault.com/questions/1032855/postfix-not-using-ssl-certificate
Also, to fix Dovecot returning the wrong certificates it should be:
I was also looking for a way to support multiple domains via emailwiz about a year ago, and ended up working on a new script from scratch (Ansible, not bash). I just came back to point this out in case someone needs an out-of-the-box solution: https://github.com/programmer-ke/replatform/
Steps:
Run emailwiz.sh
Set it up normally for your first domain and check that it works fine. Then continue with the next step.
Generate new certificate
Not totally necessary for mail to "just work", but it will help. In this case I specified --standalone, but do use --nginx or --apache instead if your email service depends on one of those; if not sure, leave it as standalone.
This is the line from the script:
certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos
Note: Point at least your mail subdomain from your OTHER domain(s) at the server. Later on you'll also have to add other records for email to work! See the DNS Records step.
Dovecot
Dovecot is easier; you should be good by just adding these lines to /etc/dovecot/dovecot.conf
Note: Remember to actually generate the keys with certbot, like in the "Generate new certificate" step below.
Note: This uses TLS SNI; according to Dovecot's docs, it is tested in these clients:
Create vmail map for the certificates
Add these entries to the vmail map to specify the certificate for each domain you need. You have to add them for your already configured domain as well.
This file is in
/etc/postfix/vmail_ssl.map
Generate a new DKIM key
Technically this is not necessary either, since you can use the same key as your main domain, generated by emailwiz. However, some email clients and/or recipients might complain.
Note: These lines are totally ripped off from the emailwiz script; I didn't come up with this, I just found it useful to share the steps to reproduce my setup for multiple domains.
Note: Obviously use your second domain name; the first one is already generated.
Add DKIM key to keytable
This file is in
/etc/postfix/dkim/keytable
The first one should already be filled out.
Add entry in signing table
This file is in
/etc/postfix/dkim/signingtable
Again, first one should already be there.
Make sure both the signing table and keytable paths are present in /etc/opendkim.conf, like this:
Virtual alias
Add your desired email address, followed by the user the mail should be sent to.
As stated before, you will need to do this for existing and new users.
This file is in
/etc/postfix/virtual
Tell postfix about it
Add these lines at the end of your postfix configuration.
This file is in
/etc/postfix/main.cf
Apply and restart
Run these to apply the new configs and restart the services.
Note (edit): I had some issues when NOT using the -F option in postmap -F /etc/postfix/vmail_ssl.map; the map references files, so make sure to use it.
DNS Records
In your second domain's panel, point the mail subdomain to the VPS, as usual, then add the same DNS records as in dns_emailwizard, but do swap the domain name, for example:
Would be
Also, the output of the following commands is the TXT record for the new DKIM key (generated in the "Generate a new DKIM key" step).
For new accounts
postmap /etc/postfix/virtual
systemctl restart postfix
References:
Dovecot SSL configuration - TLS SNI Support
Set up certs for multiple domains in Postfix and Dovecot
Notes & edits
Note: I had an issue with Thunderbird where it could not verify the server configuration. Checking systemctl status dovecot, it was a login issue even though I'm not trying to log in. I just clicked "done" when adding the new email account without checking the server configuration and it works just fine.
Note (edit 2023-07-20): I noticed that when using Thunderbird, for whatever reason, it grabs OTHER domain names if you have multiple subdomains; for example, Thunderbird would get turn.example.org's cert instead of the appropriate mail.example.org one. I noticed this because I was getting flagged mail when sending to corporate or institutional mail, BUT when using claws-mail (based, lightweight, simple client), it would actually get the mail.example.org cert. I don't know how to fix this since I'm not a Thunderbird user and I couldn't find any obvious way to do it. But note that it might happen :)
Note: (edit 2023-07-21): Gmail will complain about PTR records:
"Gmail does not accept messages from IPs with missing PTR records."
This is expected since you have (ideally) only one reverse DNS record for IPv4 (A) and IPv6 (AAAA), which is probably for your main domain. According to what I looked up online you COULD have multiple reverse DNS addresses but people say it might be worse than having one or even none. I don't exactly know the implications of this approach because I'm no expert, but receiving mail should work just fine.
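The per-domain fragments the steps above describe, and the "emailwiz-add-domain.sh" idea from the earlier comments, as an added example that is not part of this issue, of emailwiz or of any fork. Only the file paths (/etc/postfix/vmail_ssl.map, /etc/postfix/dkim/keytable and signingtable, /etc/postfix/virtual, /etc/dovecot/dovecot.conf) come from the guide; the certbot live directory, the per-domain DKIM key location, the selector "mail" and the postmaster alias are assumptions, and the Postfix parameters it names (tls_server_sni_maps, virtual_alias_domains, virtual_alias_maps) are the standard ones this kind of setup relies on, not lines quoted from the guide. It renders each fragment so you can review it in a scratch directory first, appends without duplicates so it can be re-run per domain, merges the virtual_alias_domains list instead of appending a second line (the problem the untested script above ran into), and turns opendkim-genkey's .txt output into the single TXT value for the DNS panel.

```shell
#!/bin/sh
# Added example for this thread, not emailwiz's own code: render the per-domain
# fragments the steps above describe so they can be reviewed, then append them
# without duplicates. Only the file paths come from the thread; assumed here:
#   - certbot's default live dir /etc/letsencrypt/live/<host>/{privkey,fullchain}.pem
#   - a per-domain DKIM key at /etc/postfix/dkim/<domain>/mail.private, so the
#     second domain's key does not overwrite the first domain's mail.private
#   - DKIM selector "mail" (the one emailwiz uses)
set -eu

LE_DIR=${LE_DIR:-/etc/letsencrypt/live}
DKIM_DIR=${DKIM_DIR:-/etc/postfix/dkim}
SELECTOR=${SELECTOR:-mail}

# Postfix tls_server_sni_maps entry: <SNI name> <private key> <chain>. Compile it
# with `postmap -F`: the values are file names whose contents get embedded in the
# .db, which is why a plain postmap leaves Postfix without usable keys.
sni_map_entry() {
  printf '%s %s/%s/privkey.pem %s/%s/fullchain.pem\n' "$1" "$LE_DIR" "$1" "$LE_DIR" "$1"
}

# Dovecot picks this block by the TLS SNI name the client sends.
dovecot_local_name() {
  printf 'local_name %s {\n  ssl_cert = <%s/%s/fullchain.pem\n  ssl_key = <%s/%s/privkey.pem\n}\n' \
    "$1" "$LE_DIR" "$1" "$LE_DIR" "$1"
}

# OpenDKIM KeyTable line: <key name> <domain>:<selector>:<private key file>
dkim_keytable_entry() {
  printf '%s._domainkey.%s %s:%s:%s/%s/%s.private\n' \
    "$SELECTOR" "$1" "$1" "$SELECTOR" "$DKIM_DIR" "$1" "$SELECTOR"
}

# OpenDKIM SigningTable (refile:) line: sign every sender @domain with that key.
dkim_signingtable_entry() {
  printf '*@%s %s._domainkey.%s\n' "$1" "$SELECTOR" "$1"
}

# main.cf honours only the last "virtual_alias_domains =" line, so appending one
# per domain silently drops the earlier domains. Merge the list and set it with:
#   postconf -e "virtual_alias_domains = $(merge_domain_list "$(postconf -h virtual_alias_domains)" "$d")"
merge_domain_list() {
  current=$1; new=$2
  if [ -z "$current" ]; then
    printf '%s\n' "$new"
  else
    case ", $current, " in
      *", $new, "*) printf '%s\n' "$current" ;;
      *) printf '%s, %s\n' "$current" "$new" ;;
    esac
  fi
}

# Join the quoted pieces of the <selector>.txt file opendkim-genkey writes into
# the one-line TXT value to paste into the DNS panel.
dkim_txt_value() {
  grep -o '"[^"]*"' "$1" | tr -d '"\n'
  echo
}

# Constructed sample of such a file (placeholder text, not real key material).
demo_dkim_txt() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
  "p=PLACEHOLDERKEYPART1"
  "PLACEHOLDERKEYPART2" )  ; ----- DKIM key mail for otherdomain.example
EOF
  dkim_txt_value "$f"
  rm -f "$f"
}

# Append a line only if it is not already present, so re-running is safe.
append_once() {
  grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# Write every fragment for domain $1 / mail host $2 under root $3 ("" means /).
# Pass a scratch directory as $3 to inspect the result before touching /etc.
apply_domain() {
  d=$1; host=$2; root=$3
  for f in etc/postfix/vmail_ssl.map etc/postfix/dkim/keytable \
           etc/postfix/dkim/signingtable etc/postfix/virtual etc/dovecot/dovecot.conf; do
    mkdir -p "$root/${f%/*}" && touch "$root/$f"
  done
  append_once "$(sni_map_entry "$host")"        "$root/etc/postfix/vmail_ssl.map"
  append_once "$(dkim_keytable_entry "$d")"     "$root/etc/postfix/dkim/keytable"
  append_once "$(dkim_signingtable_entry "$d")" "$root/etc/postfix/dkim/signingtable"
  append_once "postmaster@$d root"              "$root/etc/postfix/virtual"  # example alias
  grep -q "^local_name $host " "$root/etc/dovecot/dovecot.conf" \
    || dovecot_local_name "$host" >> "$root/etc/dovecot/dovecot.conf"
}

# Which certificate does the server really present for an SNI name? Compare the
# subject for each mail host (useful for the Thunderbird note above).
sni_cert_subject() {   # usage: sni_cert_subject mail.otherdomain.example 993
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}
```

Review the result with `apply_domain otherdomain.example mail.otherdomain.example /tmp/review` and diff it against your live files; then run it with an empty root, make sure main.cf carries `tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map` and `virtual_alias_maps = hash:/etc/postfix/virtual`, set the merged virtual_alias_domains with postconf -e as shown in the comment, and finish with `postmap -F /etc/postfix/vmail_ssl.map`, `postmap /etc/postfix/virtual` and `systemctl restart postfix dovecot opendkim`. The keytable entry expects the key to have been generated into the per-domain directory (e.g. `opendkim-genkey -D /etc/postfix/dkim/otherdomain.example -d otherdomain.example -s mail`), which is an assumption of this example rather than emailwiz's layout.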