Changing DOMAIN doesn't work

[MarekSuchanek]

I use Mailu 1.5 and I changed DOMAIN in .env but only change visible is for DNS DMARC, suggested MX and SPF remains for the old domain...

I used Mailu for single domain domain1.tld used in DOMAIN and HOSTNAMES. Now I want new primary domain domain2.tld but have the mail server on mail.domain2.tld. So i changed the .env:

DOMAIN=mail.domain2.tld
HOSTNAMES=domain1.tld,domain2.tld

and then docker-compose down + docker-compose up -d, but it won't get new certificate with TLS_FLAVOR=letsencrypt (still has cert for domain1.tld) and suggests domain1.tld for MX and SPF.

What else needs to be done to get it working correctly?

Thanks in advance for any advice...

[muhlemmer]

DOMAIN is the main mail domain. Aka, server identification for outgoing mail. DMARC reports point to POSTMASTER@DOMAIN. These are really the only things it is used for. You don't need a cert for DOMAIN, as it is a mail domain only and not used as host in any sense. However, it is usual that DOMAIN gets setup as one of the many mail domains. None of the mail domains ever need a certificate. TLS certificates work on host connection level only.

HOSTNAMES however, can be used to connect to the server. All host names supplied in this variable will need a certificate. When TLS_FLAVOR=letsencrypt is set, then a certificate is requested automatically for all those domains.

So when you have something like this:

DOMAIN=example.com
POSTMASTER=me
HOSTNAMES=mail.example.com,mail.foo.com,bar.com
TLS_FLAVOR=letsencrypt

• You'll end up with a DMARC address to me@example.com`.
• Server identifies itself as the SMTP server of @example.com when sending mail. Make sure your reverse DNS hostname is part of that domain!
• Your server will have certificates for the 3 hostnames. You will need to create A and AAAA records for those names, pointing to the IP addresses of your server. Note that is this example your server will not be reachable on example.com.
• You'll get MX and SPF examples which point to the first entry of HOSTNAMES but these are only examples. You can modify them to use any other HOSTNAMES entry.

You're mail service will be reachable for IMAP, POP3, SMTP and Webmail at the addresses:

• mail.example.com
• mail.foo.com
• bar.com

However, example.com is not reachable and will not have a certificate. If you would want that, include it in HOSTNAMES.

Since this lead to confusion to more users, I will include the above text in the documentation.

[MarekSuchanek]

Thank you @muhlemmer , very much for clarification...

So it is correct when I have config like this:

DOMAIN=our-server.hosting.com
POSTMASTER=me
HOSTNAMES=foo.com,bar.com
TLS_FLAVOR=letsencrypt

and I set DNS:

foo.com. MX 10 foo.com.
foo.com. 599 IN TXT "v=spf1 mx a:foo.com -all"
bar.com. MX 10 bar.com.
bar.com. 599 IN TXT "v=spf1 mx a:bar.com -all"

• DKIM & DMARC.

When I use reverse lookup on IP A.B.C.D that is used for A records for foo.com, bar.com and our-server.hosting.com, it should return our-server.hosting.com?

Then I can use emails with both user@foo.com and user@bar.com - it shouldn't end up in spam?