This tutorial will be showing you how to set up multiple mail domains (virtual hosting) on Ubuntu server with PostfixAdmin, which is an open-source web-based interface to configure and manage a Postfix based email server for many domains and users.
Prerequisites
To follow this tutorial, it’s assumed that you have already configured PostfixAdmin with one mail domain and you have followed part 4 to set up SPF and OpenDKIM.
What You Need to Do
If you want to host multiple mail domains, then you need to
- Add a new mail domain and user in PostfixAdmin web-based panel.
- Create MX, A and SPF record for the new mail domain.
- Set up DKIM signing for the new domain.
- Create DMARC Record for the new domain.
- Set up RoundCube Webmail, Postfix and Dovecot for multiple domains
Reverse DNS check is used to check if the sender’s IP address matches the HELO hostname. You don’t need to add another PTR record when adding a new mail domain.
Step 1: Adding Additional Domains in PostfixAdmin Panel
Log into PostfixAdmin panel with the postmaster account. (https://postfixadmin.your-domain.com/) Then go to Domain List -> New Domain to add a new domain.
Next, add a user under the new domain.
Step 2: Creating MX, A and SPF record for the new mail domain
In your DNS manager, add MX record for the new domain like below.
Record Type Name Value
MX @ mail.domain2.com
The A record points to your mail server’s IP address.
Record Type Name Value
A mail IP-address-of-mail-server
If your server uses IPv6 address, be sure to add AAAA record.
Then create SPF record to allow the MX host to send email for the new mail domain.
Record Type Name Value TXT @ v=spf1 mx ~all
Step 3: Setting up DKIM signing for the new domain
We have installed and configured OpenDKIM for a single domain in part 4 of this tutorial series. Now we need to tell OpenDKIM to sign every outgoing email for the new mail domain.
Edit the OpenDKIM signing table file.
sudo nano /etc/opendkim/signing.table
Add the second domain like below.
*@domain1.com default._domainkey.domain1.com *@domain2.com default._domainkey.domain2.com
Edit the key table file.
sudo nano /etc/opendkim/key.table
Add the second domain like below.
default._domainkey.domain1.com domain1.com:default:/etc/opendkim/keys/domain1.com/default.private default._domainkey.domain2.com domain2.com:default:/etc/opendkim/keys/domain2.com/default.private
Edit the trusted hosts file.
sudo nano /etc/opendkim/trusted.hosts
Add the second domain like below.
127.0.0.1 localhost *.domain1.com *.domain2.com
Next, we need to generate a priavte/public keypair for the second domain. Create a separate folder for the second domain.
sudo mkdir /etc/opendkim/keys/domain2.com
Generate keys using opendkim-genkey tool.
sudo opendkim-genkey -b 2048 -d domain2.com -D /etc/opendkim/keys/domain2.com -s default -v
The above command will create 2048 bits keys. -d (domain) specifies the domain. -D (directory) specifies the directory where the keys will be stored and we use default as the selector (-s). Once the command is executed, the private key will be written to default.private file and the public key will be written to default.txt file.
Make opendkim as the owner of the private key.
sudo chown opendkim:opendkim /etc/opendkim/keys/domain2.com/default.private
Display the public key
sudo cat /etc/opendkim/keys/domain2.com/default.txt
The string after the p parameter is the public key.
In your DNS manager, create a TXT record for the second domain. Enter default._domainkey in the Name field. Copy everything in the parentheses and paste into the value field. Delete all double-quotes. (You can paste it into a text editor first, delete all double quotes, then copy it to your DNS manager. Your DNS manager may require you to delete other invalid characters, such as carriage return.)
After saving your changes. Check the TXT record with this command.
dig TXT default._domainkey.domain2.com
Now you can run the following command to test if your DKIM DNS record is correct.
sudo opendkim-testkey -d domain2.com -s default -vvv
If everything is OK, you will see
opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: checking key 'default._domainkey.domain2.com' opendkim-testkey: key secure opendkim-testkey: key OK
If you see “Key not secure”, don’t panic. This is because DNSSEC isn’t enabled on your domain name. DNSSEC is a security standard for secure DNS query. Most domain names haven’t enabled DNSSEC. You can continue to follow this guide.
Restart OpenDKIM so it will start signing emails for the second domain.
sudo systemctl restart opendkim
Step 4: Creating DMARC Record For the New Domain
To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following. Note that you need to create the [email protected] email address.
v=DMARC1; p=none; pct=100; rua=mailto:[email protected]
The above DMARC record is a safe starting point. To see the full explanation of DMARC, please check the following article.
Step 5: Setting up RoundCube, Postfix and Dovecot for Multiple Domains
It makes sense to let users of the first domain use mail.domain1.com and users of the second domain use mail.domain2.com when using RoundCube webmail. I will show you how to do it with Apache and Nginx.
Apache
If Roundcube is served by Apache web server, then create a virtual host for the second domain.
sudo nano /etc/apache2/sites-available/mail.domain2.com.conf
Put the following text into the file.
ServerName mail.domain2.com DocumentRoot /var/www/roundcube/ ErrorLog ${APACHE_LOG_DIR}/mail.domain2.com_error.log CustomLog ${APACHE_LOG_DIR}/mail.domain2.com_access.log combined Options FollowSymLinks AllowOverride All Options FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all
Save and close the file. Then enable this virtual host with:
sudo a2ensite mail.domain2.com.conf
Reload Apache for the changes to take effect.
sudo systemctl reload apache2
Nginx
If Roundcube is served by Nginx web server, then create a virtual host for the second domain.
sudo nano /etc/nginx/conf.d/mail.domain2.com.conf
Put the following text into the file.
Save and close the file. Then test Nginx configurations.
If the test is successful, reload Nginx for the changes to take effect.
Now use Certbot to obtain TLS certificate for all your mail domains, so you will have a single TLS certificate with multiple domain names on it.
Apache
sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email [email protected]
Nginx
sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email [email protected]
Notice that in the above command, we specified the cert name using the first mail domain, which will be used in the file path, so you don’t have to change the file path in Postfix or Dovecot configuration file.
When it asks if you want to update the existing certificate to include the new domain, answer U and hit Enter.
Now you should see the following message, which indicates the multi-domain certificate is successfully obtained.
Reload Apache or Nginx to pick up the new certificate.
sudo systemctl reload apache2 sudo systemctl reload nginx
You should now be able to use different domains to access RoundCube webmail. Also you need to reload Postfix SMTP server and Dovecot IMAP server in order to let them pick up the new certificate. That’s all you need to do for Postfix and Dovecot to serve multiple domains.
sudo systemctl reload postfix dovecot
Using Mail Client on Your Computer or Mobile Device
Fire up your desktop email client such as Mozilla Thunderbird and add a mail account of the second domain.
- In the incoming server section, select IMAP protocol, enter
mail.domain2.comas the server name, choose port 993 and SSL/TLS. Choosenormal passwordas the authentication method. - In the outgoing section, select SMTP protocol, enter
mail.domain2.comas the server name, choose port 587 and STARTTLS. Choosenormal passwordas the authentication method.
Although Postfix SMTP server and Dovecot IMAP server are using the hostname of the first mail domain (mail.domain1.com) when communicating with others, they are now using a multi-domain certificate, so the mail client won’t display certificate warnings.
SPF and DKIM Check
Now you can use your desktop email client or webmail client to send a test email to [email protected] and get a free email authentication report. Here’s the report I got from port25.com
Don’t forget to test your email score at https://www.mail-tester.com and also test email placement with GlockApps.
What if Your Emails Are Still Being Marked as Spam?
I have more tips for you in this article: How to stop your emails being marked as spam. Although it requires some time and effort, your emails will eventually be placed in the inbox after applying these tips.
Wrapping Up
That’s it! I hope this tutorial helped you host multiple email domains with PostfixAdmin. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂
