# Steps:
Note:
- "$maildomain" = mail.example.org
- "$domain" = example.org
- "$subdom" = mail

# Run `emailwiz.sh`

Set it up normally for your first domain, check that it works fine.
Then continue with the next step

# Generate new certificate

Not totally necessary for mail to "just work" but it will help, in this case I specified --standalone but do use --nginx or --apache instead, if your email service depends on one of those, if not sure, leave it as standalone.
This is the line from the script:

```sh
certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos
```

Note: Redirect at least your mail subdomain from your OTHER domain(s). Later on you'll have to also add other records for emails to work! See DNS Records step.

# Dovecot
Dovecot is easier, you should be good by just adding these lines to `/etc/dovecot/dovecot.conf`
Note: Remember to actually generate the keys with certbot, like in the "Generate new certificate" step below.
Note: Uses TLS SNI, according to [Dovecot's docs](https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/), it is tested in clients:
- Thunderbird (Linux)
- K-9 on Android (merged Sept 2015 - https://github.com/k9mail/k-9/pull/718)
- Apple Mail (according to https://forums.cpanel.net/threads/mail-ssl-sni.454592/ )
- Mutt (ticket https://dev.mutt.org/trac/ticket/3923)
- NeoMutt (since 2016-03-07 according to https://www.neomutt.org/feature/tls-sni )

```
# mail.domain.org
local_name mail.domain.org {
    ssl_cert = </etc/letsencrypt/live/mail.domain.org/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.domain.org/privkey.pem
}

# mail.otherdomain.org
local_name mail.otherdomain.org {
    ssl_cert = </etc/letsencrypt/live/mail.otherdomain.org/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.otherdomain.org/privkey.pem
}
```

# Create vmail map for the certificates
Add these entries in the vmail map to specify the certificate for each domain you need. You have to add them also for your already configred domain.
This file is in `/etc/postfix/vmail_ssl.map`
```
mail.domain.org /etc/letsencrypt/live/mail.domain.org/privkey.pem /etc/letsencrypt/live/mail.domain.org/fullchain.pem
mail.otherdomain.org /etc/letsencrypt/live/mail.otherdomain.org/privkey.pem /etc/letsencrypt/live/mail.otherdomain.org/fullchain.pem

```

# Generate a new DKIM key
Technically this is not necessary either since you can use the same key as your main domain, generated by emailwiz. However, some email clients and/or recipients might complain.
Note: These lines are totally ripped off from the emailwiz script, I didn't come up with this I just found it useful to share the steps to reproduce my setup for multiple domains.
Note: Obviously use your second domain name, first one is already generated.

```sh
mkdir -p "/etc/postfix/dkim/$domain"
opendkim-genkey -D "/etc/postfix/dkim/$domain" -d "$domain" -s "$subdom"
chgrp -R opendkim /etc/postfix/dkim/*
chmod -R g+r /etc/postfix/dkim/*
```

# Add DKIM key to keytable
This file is in `/etc/postfix/dkim/keytable`
The first one should already be filled out.
```
    mail._domainkey.domain.org domain.org:mail:/etc/postfix/dkim/domain.org/mail.private
 +  mail._domainkey.otherdomain.org otherdomain.org:mail:/etc/postfix/dkim/otherdomain.org/mail.private
```

# Add entry in signing table
This file is in `/etc/postfix/dkim/signingtable`
Again, first one should already be there.
```
    *@domain.org mail._domainkey.domain.org
 +  *@otherdomain.org mail._domainkey.otherdomain.org
```

Make sure both signing and keytable paths are present in `/etc/opendkim.conf`, like this:
```
KeyTable file:/etc/postfix/dkim/keytable
SigningTable refile:/etc/postfix/dkim/signingtable
```

# Virtual alias
Add your desired email address, followed by the user the mail should be sent to.
As stated before, you will need to do this for existing and new users.
This file is in `/etc/postfix/virtual`
```
exampleuser@domain.org exampleuser
eggsample@domain.org eggsample
otheruser@otherdomain.org otheruser
yetanother@otherdomain.org yetanother
```

# Tell postfix about it
Add these lines at the end of your postfix configuration.
This file is in `/etc/postfix/main.cf`
```
virtual_alias_domains = otherdomain.org
virtual_alias_maps = hash:/etc/postfix/virtual

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
```

# Apply and restart

Run these to apply the new configs and
restart the services.

Note (edit): I had some issues when NOT using the `-F` option
in `postmap -F /etc/postfix/vmail_ssl.map`, it references files, so make sure to use it.

```sh
postmap /etc/postfix/virtual
postmap -F /etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot
systemctl restart opendkim
```
# DNS Records
In your second domain's panel, point the mail subdomain to the VPS, as usual, then add the same DNS records in `dns_emailwizard`, but do swap the domain name, for example:
```
domain.org        TXT     v=spf1 mx a:mail.domain.org -all
```
Would be
```
otherdomain.org        TXT     v=spf1 mx a:mail.otherdomain.org -all
```

Also, the output of the following commands is the TXT record for the new DKIM key (generated in the "Generate a new DKIM key" step).
```
pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
echo "$subdom._domainkey.$domain   TXT     v=DKIM1; k=rsa; $pval"
```

# For new accounts

- Add unix user as explained in the main emailwiz documentation.
- Add new entry in /etc/postfix/virtual
- `postmap /etc/postfix/virtual`
- `systemctl restart postfix`

# References:
[Dovecot SSL configuration - TLS SNI Support](https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/)
[Set up certs for multiple domains in Postfix and Dovecot](https://serverfault.com/questions/920436/set-up-certs-for-multiple-domains-in-postfix-and-dovecot)

# Notes & edits

Note: I had an issue with thunderbird where it could not verify server configuration. Checking `systemctl status dovecot`, it was a login issue even though I'm not trying to log in. I just clicked "done" when adding new email account without checking for server configuration and it works just fine.

Note (edit 2023-07-20): I noticed when using **Thunderbird**, for whatever reason it grabs OTHER domain names if you have multiple subdomains, for example, Thunderbird would get turn.example.org's cert instead of the appropriate mail.example.org. I noticed this because I was getting flagged mail when sending to corporate or institutions mail, BUT when using claws-mail (based, lightweight, simple client), it would actually get the mail.example.org cert. I don't know how to fix this since I'm not a Thunderbird user and I couldn't find any obvious way to do it. But note that it might happen :)

Note: (edit 2023-07-21): Gmail will complain about PTR records:
"_Gmail does not accept messages from IPs with missing PTR records._"
This is expected since you have (ideally) only one reverse DNS record for IPv4 (A) and IPv6 (AAAA), which is probably for your main domain. According to what I looked up online you COULD have multiple reverse DNS addresses but people say it might be worse than having one or even none. I don't exactly know the implications of this approach because I'm no expert, but receiving mail should work just fine.