LukeSmithxyz
commented
3 years ago I know this is possible, but I haven't had to do it myself yet. Do you have an MX record for the new domain?
Closed toto112358 closed 2 years ago
LukeSmithxyz
commented
3 years ago I know this is possible, but I haven't had to do it myself yet. Do you have an MX record for the new domain?
itwizrd
commented
3 years ago As Luke mentioned, you'll need your MX record on your new domain to receive mail.
Configuring postfix for multiple domains can be done a number of ways (http://www.postfix.org/VIRTUAL_README.html) . By adding newdomain.tld to $mydestination (and adding newdomain.tld to the hostnamectl) it makes it so user1 will get mail from both olddomain and newdomain, there is no separation, but its the simplest.
The other easiest way to do it with system accounts would be configuring virtual hosted domains (see readme linked above) (it is a "hosted" domain because it does not match the server's hostname). This way you can add @newdomain.tld friend in /etc/postfix/virtual where friend is the local account. This will setup a catch-all address for your friend so any mail that goes to newdomain.tld is sent to their mailbox. This will likely increase spam so alternatively you can just configure the one address in /etc/postfix/virtuals whatever@newdomain.tld friend
I haven't yet implemented this myself yet but when I do I will gladly report back if there were any hangups.
toto112358
commented
3 years ago I will try that, thanks!
douwedevries
commented
3 years ago I have tried this solution and it works! But... don't we forget DMARC here? Or is that not necessary in this case.
itwizrd
commented
3 years ago After more hours than it should have taken, I figured out how to extend Luke's script's base config to support multiple domains.
I'm not sure if just having the TLS for $myhostname will work, but I opted for Let's Encrypt wildcard certs.
as per Postfix Virtual Readme I choose the setup with Separate Domains, UNIX accounts.
You need to specify your virtual alias domains (example2.tld, example3.tld) in a distinct file such as /etc/postfix/virtual. Within this file be sure to specify what domain goes to which UNIX user. My configuration looks like this (this also sets up catch-all addresses):
@example2.tld user2
@example3.tld user3Run postmap /etc/postfix/virtual so postfix will make/utilize a hashtable
/etc/postfix/main.cfYou need to include all you domains in relay_domains otherwise you wont recieve email due to "relay denied". Do not put any of your virtual domains under $mydestination, you should leave that as default.
The changes I made are below:
relay_domains = example1.tld, example2.tld, example3.tld...
....
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtualCheck where your DKIM tables are, Luke's script creates them in /etc/postfix/dkim/. Make sure all your domains are there, and you can use a newly generated DKIM key that will be valid for those domains.
mx:~# cat /etc/postfix/dkim/keytable
mail._domainkey.example1.tld example1.tld:mail:/etc/postfix/dkim/mail.private
mail._domainkey.example2.tld example2.tld:mail:/etc/postfix/dkim/mail.private
mail._domainkey.example3.tld example3.tld:mail:/etc/postfix/dkim/mail.private
mx:~# cat /etc/postfix/dkim/signingtable
*@example1.tld mail._domainkey.example1.tld
*@example2.tld mail._domainkey.example2.tld
*@example3.tld mail._domainkey.example3.tld
mx:~# cat /etc/postfix/dkim/trustedhosts
127.0.0.1
localhost
*.example1.tld
*.example2.tld
*.example3.tldYou can rerun Luke's script to have it generate DMARC, DKIM, SPF entries. You will need a new DKIM that includes all your domains.
Go to your DNS and you can use your new DKIM key on all the domains, and change your DMARC "rua=mailto:dmarc@example1.tld" to the correct domain, so it will send reports to the correct email (really though the p=none just means dont do anything if an email fails the DMARC checks (this is more to stop others from spoofing your domain) I would say consider changing it to p=quarantine or p=reject once you get your mail working)
On example2.tld and example3.tld set your MX to point to example1.tld, and have your SPF have an include your servers hostname, like: v=spf1 mx include:mail.example1.tld -all
douwedevries
commented
3 years ago You can rerun Luke's script to have it generate DMARC, DKIM, SPF entries. You will need a new DKIM that includes all your domains.
Go to your DNS and you can use your new DKIM key on all the domains, and change your DMARC "rua=mailto:dmarc@example1.tld" to the correct domain, so it will send reports to the correct email (really though the p=none just means dont do anything if an email fails the DMARC checks (this is more to stop others from spoofing your domain) I would say consider changing it to p=quarantine or p=reject once you get your mail working)
On example2.tld and example3.tld set your MX to point to example1.tld, and have your SPF have an include your servers hostname, like:
v=spf1 mx include:mail.example1.tld -all
Now I'm a bit of a noob. But do all domains share the same DKIM key?
itwizrd
commented
3 years ago So doing it the way I described, yes they would all share the same key
hard-tek
commented
3 years ago Hello, I want to do the same thing, to use two domains and looke like is harder than it looks. Anyone want to give a hand?
I managed to make one domain to work, now im learning keybindings in neomutt but i really want to add a second domain. Im willing to pay for the trouble.
itwizrd
commented
3 years ago @Goth, can you be more specific? Have you tried the steps from above?
hard-tek
commented
3 years ago @Goth, can you be more specific? Have you tried the steps from above?
No. I'm afraid not to break something.
itwizrd
commented
3 years ago @Goth in DevOps world you Move Fast and Break Things. Breaking things and fixing them is how you learn, especially on your home/not business critical services.. My servers were broken for a few days until I figured it out, hence the explanation above. What I laid out above is what's running my 3 email domains; I can reach gmail, o365, other business addresses perfectly fine. If you're still unsure, read through the postfix documentation; learn the technologies youre implementing. You can always just wipe and reinstall. So we don't clutter up this issue, If you really need more specific help DM me on telegram or twitter @TheTajmaha
timbeach
commented
3 years ago @Tajmaha, are you saying that you have wildcard TLS certs for: example1.tld, example2.tld, example3.tld hosted all on the same vps?
Here are the steps I'm taking:
Configure nginx something like this:
server {
listen 80 ;
listen [::]:80 ;
server_name yourdomain1.com mail.yourdomain1.com ;
root /var/www/yourdomain1.com ;
index index.html index.htm index.nginx-debian.html ;
location / {
try_files $uri $uri/ =404 ;
}
}
server {
listen 80 ;
listen [::]:80 ;
server_name yourdomain2.com mail.yourdomain2.com ;
root /var/www/yourdomain2 ;
index index.html index.htm index.nginx-debian.html ;
location / {
try_files $uri $uri/ =404 ;
}
}run certbot such that we have the subdomain mail.yourdomain1.com and mail.yourdomain2.com covered.. after certbot, an example of one would be:
server {
server_name yourdomain1.com mail.yourdomain1.com ;
root /var/www/yourdomain1.com ;
index index.html index.htm index.nginx-debian.html ;
location / {
try_files $uri $uri/ =404 ;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/yourdomain1.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/yourdomain1.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}run emailwiz.sh and specify yourdomain1.com from the prompt
Manual postfix/dkim Configuration -- adding the 2 and 3 entries for the other domains manually /etc/postfix/dkim/keytable
mail._domainkey.yourdomain1.com yourdomain1.com:mail:/etc/postfix/dkim/mail.private
mail._domainkey.yourdomain2.com yourdomain2.com:mail:/etc/postfix/dkim/mail.private
mail._domainkey.yourdomain3.com yourdomain3.com:mail:/etc/postfix/dkim/mail.private/etc/postfix/dkim/signingtable
*@yourdomain1.com mail._domainkey.example1.com
*@yourdomain2.com mail._domainkey.example2.com
*@yourdomain3.com mail._domainkey.example3.com/etc/postfix/dkim/trustedhosts
127.0.0.1
localhost
*.yourdomain1.com
*.yourdomain2.com
*.yourdomain3.comManual postfix/main.cf & postfix/virtual Configuration Create this file “/etc/postfix/virtual” with contents mapping the email addresses you want to use with unix users. For example:
user1@yourdomain1.com user1
user2@yourdomain1.com user2
user3@yourdomain1.com user3Then execute postmap /etc/postfix/virtual. Edit “/etc/postfix/main.cf” and add the following to the bottom of it:
# Multi-domain Params
relay_domains = yourdomain1.com, yourdomain2.com, yourdomain3.com
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtualThen execute postfix reload.
Run emailwiz.sh again
TXT Domain key Update domainkey based on output of fresh run of emailwiz.sh for yourdomain1.com Use the same value for yourdomain2 and yourdomain3
DMARC Update the mailto to match the domain in question for yourdomain2 and yourdomain3
SPF Use the same value for all three domains as generated by emailwiz.sh
MX Use the same yourdomain1.com value for yourdomain2 and yourdomain3
test appmaildev.com test gives this result: DKIM-Result: permerror (no key)
I updated the /etc/postfix/main.cf to this:
# Multi-domain Params
#relay_domains = yourdomain1.com, yourdomain2.com
#virtual_alias_domains = $virtual_alias_maps
virtual_alias_domains = yourdomain1.com yourdomain2.com
virtual_alias_maps = hash:/etc/postfix/virtualinstead of this
# Multi-domain Params
relay_domains = yourdomain1.com, yourdomain2.com
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtualand reloaded postfix.. but still getting error.. must be a problem with the MX or TXT records.. any thoughts?
... in protonmail tests I was seeing the "loops" error which the postfix documentation mentioned:
Line 2: the virtual_alias_domains setting tells Postfix that example.com is a so-called virtual alias domain. If you omit this setting then Postfix will reject mail (relay access denied) or will not be able to deliver it (mail for example.com loops back to myself).
First the sender and the signer didn't match.. So for testing purposes, I updated the MX record and the spf to the yourdomain2.com for yourdomain2, rather than the MX and SPF of yourdomain1 for yourdomain2 per your suggestion.. After making that update, the sender and the signer are the same, but now I'm still seeing DKIM permerror
DKIM-Result: permerror (no key)
Btw, if I try to test DKIM from user1@yourdomain1.com everything passes.
itwizrd
commented
3 years ago @timbeach Yes I have one Let's Encrypt wildcard cert that serves example1.tld, example2.tld, example3.tld. Still running smoothly after all this time (although cert renewals have to be done manually with wildcards).
Did you rerun the emailwiz.sh after creating those entries in /etc/postfix/dkim/keytable and /etc/postfix/dkim/signingtable and /etc/postfix/dkim/trustedhosts?
You have to regenerate DKIM after because it's only valid for what was in there when it generated, hence why domain1 works but 2 and 3 don't.
timbeach
commented
3 years ago Thanks for the response, @Tajmaha !
Yes. I did run emailwiz.sh after creating the additional entries in /etc/postfix/dkim/keytable and /etc/postfix/dkim/signingtable and /etc/postfix/dkim/trustedhosts.
My questions are now around the MX and TXT records required.
I used example1.tld in the initial run of the emailwiz.sh script.
Made the additional entries.
Ran it again. The second run doesn't ask for a domain value, assuming it uses what's already there.
Will you pls help me out with what these MX & TXT records should look like for example1.tld, example2.tld, example3.tld ?
MX
-- example1.tld, example2.tld, example3.tld all share the same value?
ie, each of the three will use the same: mail.example1.tld.
(which is currently working for me for example1.tld email accounts)
TXT - DKIM -- Same for all domains? Host: mail._domainkey | TXT Value: "same value for all domains"
TXT - DMARC -- unique for each domain (although this might not matter). ie: example1.tld = Host: _dmarc | TXT Value: "v=DMARC1; p=reject; rua=mailto:dmarc@example1.tld; fo=1" example2.tld = Host: _dmarc | TXT Value: "v=DMARC2; p=reject; rua=mailto:dmarc@example1.tld; fo=1" example3.tld = Host: _dmarc | TXT Value: "v=DMARC3; p=reject; rua=mailto:dmarc@example1.tld; fo=1"
TXT SPF -- Same for all domains? example1.tld = Host: | TXT Value: "v=spf1 mx a:mail.example1.tld -all" example2.tld = Host: | TXT Value: "v=spf1 mx a:mail.example1.tld -all" example3.tld = Host: | TXT Value: "v=spf1 mx a:mail.example1.tld -all"
Then, when connecting to, let's say, user2@example2.tld via mutt-wizard, what are we using as the mail server's IMAP and SMTP address?
SMTP and IMAP server specified from mutt-wizard as: mail.example1.tld for user2@example2.com email DKIM Failure
If I use mail.example1.tld (with the same MX, TXT configuration), I can BOTH send and receive email from this use2@example2.tld address, but my DKIM test are still bad
SMTP and IMAP server specified from mutt-wizard as: mail.example2.tld for user2@example2.com email DKIM Failure
DKIM test results from appmaildev.com are essentially the same SPF: pass 😄 DKIM: permerror 😦 DomainKey: none 😦 PTR: ExistsRecord 😄 RBL: NotListed 😄
At least I can send and receive email.. Just wondering if anyone can point out what I'm doing wrong to fail DKIM.. or if that's just inherrent to this setup.
Thanks for your help!
itwizrd
commented
3 years ago @timbeach I have DKIM working on my 3 domains, (dont worry about DomainKey when you test, its obsoleted by DKIM). Here is what I have for DNS records:
MX all the same: 1 mail.example1.tld
DKIM all the same: "v=DKIM1; k=rsa; p=[samekey]"
SPF all the same: "v=spf1 mx -all"
DMARC rua address is specific to each domain: "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; fo=1; rua=mailto:dmarc@example[1,2,3].tld"
There is no DMARC2 or DMARC3 only v=DMARC1 is valid. If you want to just send to one domain you'll need to do external verification (https://www.dmarcanalyzer.com/how-does-external-domain-verification-work/). Also I would recommend setting p=none until you get your email working, as reject may cause your mail to not get delivered if there's DKIM/SPF errors/failures.
Also try and see if you can use https://mxtoolbox.com/SuperTool.aspx to get your DKIM record. You need to include your selector in the lookup, so it would be example.tld:mail, where mail is the selector(as setup by emailwiz.sh).
If you have DKIM records in DNS setup the same across all 3 domains, then I would think the issue lies with your config. If you run emailwiz.sh again make sure to update your DKIM as it generates a new keypair. I'm not really sure why else example1.tls passes DKIM but 2 and 3 fail.
I don't use Neomutt/mutt, but for FairMail and Mailspring the ports I use are IMAP: 993; SMTP: 465. Both set to SSL/TLS, 587 is the proper port for SMTP submission but I could only get it to work with StartTLS which still sends plaintext passwords unlike TLS and I havent bothered to tweak the postfix config to force TLS over 587.
timbeach
commented
3 years ago I really appreciate your correspondence here @Tajmaha! Thank you. I can run multi-domain email services on a single vultr vps now. If I get the DKIM stuff sorted out perfectly, I'll post back here or write an article or something. Thanks
rsvdr
commented
3 years ago I can confirm my multi-domain server worked by following steps in https://github.com/LukeSmithxyz/emailwiz/issues/124#issuecomment-926806456 , with MX and TXT records as said in https://github.com/LukeSmithxyz/emailwiz/issues/124#issuecomment-927209483 . The only extra step I took was to restart my server from vultr before running emailwiz again (just to be sure services restart). DKIM test passes just fine.
adrientremblay
commented
2 years ago any luck @timbeach ? I'm in the same boat as you. Everything works perfectly, except DKIM.
itwizrd
commented
2 years ago @adrientremblay Do these files contain all your domains you want to use? /etc/postfix/dkim/keytable /etc/postfix/dkim/signingtable /etc/postfix/dkim/trustedhosts
Did you rerun the script after editing those files? Are your dns entries using the same key? (also lower the TTL to something like 300 or 600 so the DNS propagates quicker) I would agree with @rsaavedraxyz and give your server a reboot after to make sure all the services are restarted.
adrientremblay
commented
2 years ago @Tajmaha Appreciate the reply. Took a break and looked at it again today. So it seems the problem was that I had
*@mail.adrientremblay.xyz mail._domainkey.adrientremblay.xyz *@mail.adrientremblay.com mail._domainkey.adrientremblay.com
instead of
*@adrientremblay.xyz mail._domainkey.adrientremblay.xyz *@adrientremblay.com mail._domainkey.adrientremblay.com
In my /etc/postfix/dkim/signingtable for whatever dumb reason (my mistake). Once I sorted this out, and made sure my dns entries were using the right key things worked. I used the value from /etc/postfix/dkim/mail.txt I just removed the quotation marks and spaces.
user98765446
commented
1 year ago @Tajmaha I followed your guide (as carefully as I could). I now have two domains set up on one server and I am able to send from both (externally). However, external email sent to user2 goes to user1's inbox. Any idea what could be the cause?
itwizrd
commented
1 year ago @user98765446 , can you post your /etc/postfix/virtual file?
Make sure you've run postmap /etc/postfix/virtual after creating/editing that file.
Also check the $mydestination variable in /etc/postfix/main.cf and make sure none of your virtual domains are in there.
user98765446
commented
1 year ago @Tajmaha Yes.
hello@doman1.tld user1
info@domain2.tld user2
reachout@domain2.tld user2
contact@domain3.tld user3
@domain1.tld user4...and I know what is triggering it, but I don't know what to do about it? If I create a catch all for the main domain (domain1 in this case), One user receives all of the mail for all of the domains.
However, if I change the last entry to anything@domain1.tld, everything works as it should.
If I 'catch all' on any other domain, it also seems to work as it should.
I assume it is something to do with the main.cf file. If I could get some advice on this, it would be most appreciated.
For clarity, the following virtual layout is working (but not desired):
hello@doman1.tld user1
info@domain2.tld user2
reachout@domain2.tld user2
contact@domain3.tld user3
anything@domain1.tld user4For main.cf, the only changes made to those created by the script are:
# mydestination = $myhostname, domain1.tld, mail.domain1.tld, localhost.domain1.tld, localhost
mydestination = $myhostname, localhost.$mydomain, localhost# Multi-domain Params
virtual_alias_domains = domain1.tld domain2.tld domain3.tld
virtual_alias_maps = hash:/etc/postfix/virtual@user98765446 , huh, usually @domain is the last in the lookup, delivering to user@domain.tld first.
The "all of the mail for all of the domains" sounds a lot like an issue with having a virtual domain in your $mydestination.
try setting the $mydestination to just localhost, and try running postmap -q test@domain1.tld /etc/postfix/virtual to test that the maps are going to the correct user.
I no longer have my system available to check configs against, sorry.
user98765446
commented
1 year ago @Tajmaha Thank you for your thoughts on the issue. I got a warning in my log that my alias domain is in $mydestination. I tried just having localhost (as suggested) and this, unfortunately, caused a delivery failure. I also tried removing domain1.tld from the virtual_alias_domains and again domain1.tld absorbed all emails from all domains, as before.
The only thing I can think to do is to set up with a different domain that I don't use as my host. What do you think?
user98765446
commented
1 year ago @Tajmaha OK. I now seem to have fixed it. You were on the right lines. Thank you.
For anyone who is stuck on setting up a catch-all email address, try...
/etc/postfix/main.cf:
$mydestination = localhostvirtual_alias_domains = domain1.tld domain2.tld domain3.tld
virtual_alias_maps = hash:/etc/postfix/virtual/etc/postfix/virtual:
@domain1.tld user1@localhost
this@domain1.tld user2@localhost
that@domain2.tld user3@localhost
theother@domain2.tld user3@localhost
whichever@domain3.tld user4@localhostThen, let postfix know you are finished:
postmap /etc/postfix/virtual
postfix reload
programmer-ke
commented
1 year ago This was also an issue for me a while back because I wanted multiple domains which the script didn't easily support, and the workaround on this thread felt a bit to hacky.
In investigating how to make this work I ended up working on a new script based on declarative system configuration via ansible, instead of bash. It supports multiple domains via virtual domains and mailboxes. It seems to work fine now, in case anyone is interested: https://github.com/programmer-ke/replatform/
Dear Luke, I know I might not post this here, but I'm having trouble adding new domains for emailing on postfix. I added at line 41 of /etc/postfix/main.cf
mydestination = [...], mynewdomain.xyz, mail.mynewdomain.xyzI can send message without any problems. I can send and read mails sent to myemail@theorgininaldomain but I can't send any mails to myemail@mynewdomain.xyz I use two domains because giving my friend a mail @ his family name was his birthday present. I hope you can help me. Yes, configuring your own server is painful. #Chadunrelated: its been a few hours that a Chinese hacker is trying to bruteforce my vps
last lines of log: (output of
tail /var/log/mail.log)