Steps:
Note:
- "$maildomain" = mail.example.org
- "$domain" = example.org
- "$subdom" = mail
Run emailwiz.sh
Set it up normally for your first domain and check that it works. Then continue with the next step.
Generate new certificate
Not strictly necessary for mail to "just work", but it helps. In this case I specified --standalone; use --nginx or --apache instead if your email service depends on one of those (if unsure, leave it as standalone). This is the line from the script:
certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos
Note: Point at least the mail subdomain of your OTHER domain(s) at this server. Later on you'll also have to add other records for email to work; see the DNS Records step.
Dovecot
Dovecot is easier: you should be good by just adding these lines to /etc/dovecot/dovecot.conf.
Note: Remember to actually generate the keys with certbot, as in the "Generate new certificate" step above.
Note: This uses TLS SNI. According to Dovecot's docs, it is tested in these clients:
- Thunderbird (Linux)
- K-9 on Android (merged Sept 2015 - https://github.com/k9mail/k-9/pull/718)
- Apple Mail (according to https://forums.cpanel.net/threads/mail-ssl-sni.454592/ )
- Mutt (ticket https://dev.mutt.org/trac/ticket/3923)
- NeoMutt (since 2016-03-07 according to https://www.neomutt.org/feature/tls-sni )
# mail.domain.org
local_name mail.domain.org {
ssl_cert = </etc/letsencrypt/live/mail.domain.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.domain.org/privkey.pem
}
# mail.otherdomain.org
local_name mail.otherdomain.org {
ssl_cert = </etc/letsencrypt/live/mail.otherdomain.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.otherdomain.org/privkey.pem
}
Create vmail map for the certificates
Add these entries to the vmail map to specify the certificate for each domain you need. You also have to add them for your already configured domain.
This file is /etc/postfix/vmail_ssl.map:
mail.domain.org /etc/letsencrypt/live/mail.domain.org/privkey.pem /etc/letsencrypt/live/mail.domain.org/fullchain.pem
mail.otherdomain.org /etc/letsencrypt/live/mail.otherdomain.org/privkey.pem /etc/letsencrypt/live/mail.otherdomain.org/fullchain.pem
Generate a new DKIM key
Technically this is not necessary either, since you can use the same key as for your main domain, generated by emailwiz. However, some email clients and/or recipients might complain. Note: These lines are totally ripped off from the emailwiz script; I didn't come up with this, I just found it useful to share the steps to reproduce my setup for multiple domains. Note: Obviously use your second domain name here; the first one is already generated.
mkdir -p "/etc/postfix/dkim/$domain"
opendkim-genkey -D "/etc/postfix/dkim/$domain" -d "$domain" -s "$subdom"
chgrp -R opendkim /etc/postfix/dkim/*
chmod -R g+r /etc/postfix/dkim/*
Add DKIM key to keytable
This file is /etc/postfix/dkim/keytable.
The first one should already be filled out; the line marked with + is the one to add.
mail._domainkey.domain.org domain.org:mail:/etc/postfix/dkim/domain.org/mail.private
+ mail._domainkey.otherdomain.org otherdomain.org:mail:/etc/postfix/dkim/otherdomain.org/mail.private
Add entry in signing table
This file is /etc/postfix/dkim/signingtable.
Again, the first one should already be there; the line marked with + is the one to add.
*@domain.org mail._domainkey.domain.org
+ *@otherdomain.org mail._domainkey.otherdomain.org
Make sure both the signing table and keytable paths are present in /etc/opendkim.conf, like this:
KeyTable file:/etc/postfix/dkim/keytable
SigningTable refile:/etc/postfix/dkim/signingtable
Virtual alias
Add your desired email address, followed by the unix user the mail should be delivered to.
As stated before, you will need to do this for existing and new users.
This file is /etc/postfix/virtual:
exampleuser@domain.org exampleuser
eggsample@domain.org eggsample
otheruser@otherdomain.org otheruser
yetanother@otherdomain.org yetanother
Tell postfix about it
Add these lines at the end of your postfix configuration.
This file is /etc/postfix/main.cf:
virtual_alias_domains = otherdomain.org
virtual_alias_maps = hash:/etc/postfix/virtual
# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
Apply and restart
Run these to apply the new configs and restart the services.
Note (edit): I had some issues when NOT using the -F option in postmap -F /etc/postfix/vmail_ssl.map; it references files, so make sure to use it.
postmap /etc/postfix/virtual
postmap -F /etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot
systemctl restart opendkim
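As an added example (not from the original post or from emailwiz), a small Python cross-check of the files edited above: it reads the text of main.cf, virtual, keytable, signingtable and vmail_ssl.map and reports every domain that is missing a DKIM or SNI entry, which is the usual reason one domain signs and serves the right certificate while the other does not. The file contents below are constructed samples in which otherdomain.org is deliberately incomplete.

```python
# Added consistency check for the multi-domain setup described above (not part of
# emailwiz). Works on the text of the config files; constructed samples are used here.
import re

# Constructed samples: otherdomain.org is deliberately missing its signingtable
# and vmail_ssl.map entries so the check has something to report.
MAIN_CF = "virtual_alias_domains = otherdomain.org\ntls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map\n"
VIRTUAL = "exampleuser@domain.org exampleuser\notheruser@otherdomain.org otheruser\n"
KEYTABLE = ("mail._domainkey.domain.org domain.org:mail:/etc/postfix/dkim/domain.org/mail.private\n"
            "mail._domainkey.otherdomain.org otherdomain.org:mail:/etc/postfix/dkim/otherdomain.org/mail.private\n")
SIGNINGTABLE = "*@domain.org mail._domainkey.domain.org\n"
VMAIL_SSL_MAP = ("mail.domain.org /etc/letsencrypt/live/mail.domain.org/privkey.pem "
                 "/etc/letsencrypt/live/mail.domain.org/fullchain.pem\n")

def _rows(text):
    """Whitespace-separated fields of each non-blank, non-comment line of a Postfix/OpenDKIM map."""
    return [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def check_domains(main_cf, virtual, keytable, signingtable, vmail_ssl_map, subdom="mail"):
    """Return one message per missing or inconsistent entry; an empty list means all domains are covered."""
    problems = []
    # Domains that must be fully set up: virtual_alias_domains plus every domain used in /etc/postfix/virtual
    domains = set()
    m = re.search(r"^\s*virtual_alias_domains\s*=\s*(.*)$", main_cf, re.M)
    if m:
        domains.update(m.group(1).replace(",", " ").split())
    domains.update(a.split("@", 1)[1] for a, *_ in _rows(virtual) if "@" in a)
    if not re.search(r"^\s*tls_server_sni_maps\s*=", main_cf, re.M):
        problems.append("main.cf: tls_server_sni_maps is not set, so vmail_ssl.map is never used")
    keys = {}  # domain -> (selector, private key path), parsed from "sel._domainkey.dom dom:sel:/path"
    for name, spec in (r for r in _rows(keytable) if len(r) == 2):
        dom, sel, path = (spec.split(":", 2) + ["", ""])[:3]
        if name != f"{sel}._domainkey.{dom}":
            problems.append(f"keytable: name {name} does not match {sel}._domainkey.{dom}")
        keys[dom] = (sel, path)
    signers = {r[0][2:]: r[1] for r in _rows(signingtable) if len(r) == 2 and r[0].startswith("*@")}
    sni_hosts = {r[0] for r in _rows(vmail_ssl_map) if len(r) == 3}
    for d in sorted(domains):
        if d not in keys:
            problems.append(f"{d}: no KeyTable entry")
        elif not keys[d][1].endswith(f"/{d}/{keys[d][0]}.private"):
            problems.append(f"{d}: KeyTable path {keys[d][1]} does not follow the /etc/postfix/dkim/<domain>/<selector>.private layout")
        if d not in signers:
            problems.append(f"{d}: no SigningTable entry, mail from *@{d} goes out unsigned")
        elif d in keys and signers[d] != f"{keys[d][0]}._domainkey.{d}":
            problems.append(f"{d}: SigningTable uses {signers[d]} but KeyTable defines {keys[d][0]}._domainkey.{d}")
        if f"{subdom}.{d}" not in sni_hosts:
            problems.append(f"{d}: no vmail_ssl.map entry for {subdom}.{d}, clients get the default certificate")
    return problems
```

To check a live setup, call check_domains() with the contents of the real files (open(path).read() for each); an empty result means every domain has its KeyTable, SigningTable and SNI certificate entries.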
DNS Records
In your second domain's panel, point the mail subdomain to the VPS, as usual, then add the same DNS records as in dns_emailwizard, but do swap the domain name. For example:
domain.org TXT v=spf1 mx a:mail.domain.org -all
would become:
otherdomain.org TXT v=spf1 mx a:mail.otherdomain.org -all
Also, the output of the following commands (taken from the emailwiz script) is the TXT record for the new DKIM key generated in the "Generate a new DKIM key" step:
pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
echo "$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
For new accounts
- Add the unix user as explained in the main emailwiz documentation.
- Add a new entry in /etc/postfix/virtual, then run:
postmap /etc/postfix/virtual
systemctl restart postfix
References:
- Dovecot SSL configuration - TLS SNI Support
- Set up certs for multiple domains in Postfix and Dovecot
Notes & edits
Note: I had an issue with Thunderbird where it could not verify the server configuration. Checking systemctl status dovecot, it was a login issue even though I'm not trying to log in. I just clicked "done" when adding the new email account without checking the server configuration and it works just fine.
Note (edit 2023-07-20): I noticed that when using Thunderbird, for whatever reason, it grabs OTHER domain names if you have multiple subdomains; for example, Thunderbird would get turn.example.org's cert instead of the appropriate mail.example.org one. I noticed this because I was getting flagged mail when sending to corporate or institutional mail, BUT when using claws-mail (based, lightweight, simple client), it would actually get the mail.example.org cert. I don't know how to fix this since I'm not a Thunderbird user and I couldn't find any obvious way to do it. But note that it might happen :)
Note (edit 2023-07-21): Gmail will complain about PTR records: "Gmail does not accept messages from IPs with missing PTR records." This is expected, since you (ideally) have only one reverse DNS record for IPv4 (A) and IPv6 (AAAA), which is probably for your main domain. According to what I looked up online you COULD have multiple reverse DNS addresses, but people say it might be worse than having one or even none. I don't exactly know the implications of this approach because I'm no expert, but receiving mail should work just fine.