I'm trying to setup Virtualmin on a VPS to host a couple websites with email. I've been having troubles the whole week and I'm not sure what to do anymore. Any help on this would be greatly appreciated.
I have been able to get the websites online with a "hello world" HTML page that I loaded into the file manager. Getting email to work has been harder and I think all of my issues seem to be stemming from DNS configurations.
I have registered the domains with porkbun.com and they have a UI to manage DNS records that looks like this:
Type, Host, Answer, TTL, Priority
A, excelblade.com, 107.181.191.83, 300
MX, excelblade.com, excelblade.com, 300, 10
SRV, _autodiscover._tcp.excelblade.com, 10 443 webmail.porkbun.com, 300, 10
TXT, excelblade.com, v=spf1 mx ~all, 300
(107.181.191.83 is the ip for my VPS)
This is what I'm using, but shouldn't I let Virtualmin handle that? What would I need to do to make that happen?
My ultimate goal is to host 3 websites, each with email.
I am checking my MX config using https://mxtoolbox.com/SuperTool.aspx and I am getting the following results:
No DMARC Record found
DNS Record found
DMARC Quarantine/Reject policy not enabled
Hi jehy, I use my external registrar's free DNS hosting for all domains and email.
In my examples below, you should be able to substitute your Webmin host.domain.com and IP address and client virtual server/domain.com and it should also work for you.
Firstly, a caveat...
I always set up the very first virtual server on my Virtualmin system to be my business domain name, because that is the default website that Apache automatically displays in the event that a client DNS A record is pointed at my server but no website has actually been installed on it (i.e. a new client virtual server has not yet been created on my system for this client DNS A record). This is always good practice because it promotes your business...not one of your own client domains (should one of them be first in the list). You can of course change this in Virtualmin at any time.
Please note...before doing any of the following, and because you are trying to use SSL with "web1.adamshosting.com", this Webmin server must have its own Letsencrypt SSL certificate in addition to the domains on it. Webmin has a guide on how to set this up and some googling will find plenty of tutorials on how to do this.
OK, so once you have your Webmin VPS system "web1.adamshosting.com" using its own CA authority SSL certificate...on to your problem.
Things to check in Virtualmin for new virtual server (another name used by other control panels is "domains") that you create for each client website and email...
make sure that DNS domain enabled is "unchecked" (this will tell Virtualmin not to host dns for this domain)
apache website http://, and if you want https:// apache SSL website, are both "checked"
mail for domain is "checked"
if you want to be able to login to Webmin/Virtualmin as the server administrator for just this virtual server/domain, then also
Now for dns at your clients registrars...
Let's pretend that the following are our setup details
webhosting server (Webmin/Virtualmin) host.fqdn is web1.adamshosting.com with "static" IP address 12.34.56.78
client's virtual server/domain is jacksmotorcycles.com
at your client's registrar under free DNS hosting add the following records (minimum to get it working):
That is all that is needed for the website to resolve for http://jacksmotorcycles.com or https://jacksmotorcycles.com (https:// with an SSL warning because initially, Virtualmin will automatically use a "self-signed SSL certificate") and for email to work (via Usermin login https://jacksmotorcycles.com:20000)
Remember that in order to get into Usermin via port 20000, you need to go to your VPS provider's own network firewall and ensure that port TCP 20000 is open (remember Virtualmin requires TCP 10000 open...both of these can be customized in Virtualmin but don't play with the defaults until you understand how to do this properly)
Once your server has its own SSL certificate from a licensed CA provider (such as Letsencrypt), you can then set up client email apps to work through that via either START TLS/SSL or just SSL. To install Letsencrypt SSL:
Choose which Virtual server you wish to add Letsencrypt Certificate for.
Virtualmin>Server Configuration> SSL Certificate>Letsencrypt
fill in the domains associated with this virtual server (usually the Virtualmin defaults work)
jacksmotorcycles.com
www.jacksmotorcycles.com
mail.jacksmotorcycles.com
copy these to Dovecot, Webmin etc (but I do not copy to Postfix...that stuffs up the server's own Postfix SSL on my installation...I believe this is because Postfix cannot handle more than one SSL certificate per IP address and all virtual servers are already using my server IP address...if you want to fix this, each Virtual Server needs to have its own IP address, then you can copy that particular Virtual Server's SSL to Postfix)
Now for clients' desktop PC email apps (such as Thunderbird and Outlook), set incoming and outgoing mail servers as follows
"START TLS"
Incoming mail server: web1.adamshosting.com SMTP Port=587
Outgoing mail server: web1.adamshosting.com IMAP port = 143
or just plain "SSL"
incoming mail server= web1.adamshosting.com SMTP port = 465
Outgoing mail server= web1.adamshosting.com IMAP port = 993
I have found many mobile email client apps (particularly Outlook) to be extremely frustrating to get working with Virtualmin. I think it's just a matter of understanding exactly what settings get Outlook working. A couple of mobile apps that do work quite easily are (Android) Gmail and Samsung's default email. I found both of these work quite well (particularly the Gmail one). For desktop PC, Thunderbird is the easiest to get working by far, although Microsoft Outlook (Office 365) is also quite good too. Windows 10 Mail is a pain in the bum until you figure out how to get round all the automated stuff it tries to do (same with Apple Mail on the iMac...which is particularly quirky).
I can provide you with working examples for all of the above email apps if you have any problems.
To fix your _DMARC issue...
Google the following:
reverse PTR (you need this setup at your VPS provider)
spf generator (mxtoolbox has one of these but there are others)
_DMARC generator (again mxtoolbox but also others)
Add SPF and _dmarc records for each virtual server/domain on your Virtualmin system at their respective registrars' free DNS hosting, along with A records and MX records.
Hope this helps...it's a crash course, but should be enough to get things working for you.
Please note, do not play with the default Virtualmin install. Keep everything as default as is possible, otherwise you will stuff your Virtualmin install very easily. "With great power comes great responsibility"
Kind regards, Adam
P.S. I would like to give a lot of credit for my own learning experience with this to dibbs on this forum. He spent quite a few hours on a Teamviewer session with me one weekend recently to help sort this for me (I just had great trouble visualizing how to make it work). Hopefully my examples above make it easy for you too.
Please ensure you first have Webmin SSL setup for (web1.adamshosting.com) before doing any of the above!
https://ajecreative.com.au
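An offline sanity check for the records Adam's post and the mxtoolbox result revolve around (MX, SPF and _dmarc), added here as an example and not taken from any post in this thread. The zone data is constructed to mirror the records in the original post, with the _dmarc record left out so the checker reports the same gap mxtoolbox did; the Record class and check_mail_dns function are this example's own.

```python
from dataclasses import dataclass

@dataclass
class Record:
    rtype: str
    host: str
    answer: str
    priority: int = 0

# Constructed zone mirroring the original post: apex MX, SPF present, no DMARC.
EXAMPLE_ZONE = [
    Record("A", "excelblade.com", "107.181.191.83"),
    Record("MX", "excelblade.com", "excelblade.com", 10),
    Record("TXT", "excelblade.com", "v=spf1 mx ~all"),
]

def lookup(zone, rtype, host):
    return [r for r in zone if r.rtype == rtype and r.host.lower() == host.lower()]

def check_mail_dns(zone, domain):
    """Return a list of findings for the domain's mail-related records."""
    findings = []
    mx = lookup(zone, "MX", domain)
    if not mx:
        findings.append("MX: no record, inbound mail has nowhere to go")
    for r in mx:
        if not lookup(zone, "A", r.answer):   # MX target must resolve to an address
            findings.append(f"MX: target {r.answer} has no A record")
    spf = [r.answer for r in lookup(zone, "TXT", domain) if r.answer.startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected one v=spf1 TXT record, found {len(spf)}")
    else:
        mechs = spf[0].split()[1:]
        # Something must authorise a sending host: mx, a, a:, ip4:, ip6: or include:
        if not any(m.lstrip("+") in ("mx", "a") or m.lstrip("+").startswith(("a:", "ip4:", "ip6:", "include:")) for m in mechs):
            findings.append("SPF: no mechanism authorises a sending host")
        if not mechs or mechs[-1] not in ("~all", "-all"):
            findings.append("SPF: record should end with ~all or -all")
    dmarc = [r.answer for r in lookup(zone, "TXT", "_dmarc." + domain) if r.answer.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc TXT record found")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p", "").strip() not in ("quarantine", "reject"):
            findings.append("DMARC: quarantine/reject policy not enabled")
    return findings

if __name__ == "__main__":
    print(check_mail_dns(EXAMPLE_ZONE, "excelblade.com"))
```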
@adamjedgar Thank you very much for this. It has been very helpful! I have managed to get all my DNS records figured out and SSL certificates for my domains. I even have email working except for one issue:
I can send and receive mail through the webmail interface, but I'm having trouble getting desktop email clients to work. I am able to connect and read mail with Windows 10 Mail, but I can't send mail. I can't connect at all with Outlook.
Could you help me? How do I approach debugging this?
Assuming you do not have a firewall blocking the port on the server, try port 587 instead of 465. Also, on Windows Mail 10, check if "Outgoing server requires authentication" is checked. This is accessed via Settings | Manage Accounts | Select Account | Options | Advanced | Incoming and outgoing server info
@calport I got send and receive working now, thanks for pointing me to those settings :).
I am getting a warning though saying the certificate doesn't match the name I'm connecting to. Would this happen because I didn't register the certificate with imap/smtp subdomains?
Current SSL certificate details: "Other domain names": autoconfig.domain.tld, autodiscover.domain.tld, mail.domain.tld, www.domain.tld, domain.tld
Do I also need the following?: "Other domain names": imap.domain.tld, smtp.domain.tld
I am not sure about registering imap.domain.com and smtp.domain.com...as these subdomains don't technically exist. Having said that, I have seen those records in cPanel servers so I am not sure.
Also, I have found it's a bad idea to copy virtual server SSL certificates to Postfix unless the Virtual Servers have their own IP address (which would be different to the webmin IP address.)
The reason for this, Postfix cannot handle multiple SSL certificates on a single "Shared ip address".
Doing this will almost certainly cause problems because client email apps are looking for the "mail server" SSL certificate.
The mail server would be your Webmin system itself. If you copy an SSL certificate from a client's virtual server/domain to "Postfix", you will overwrite your Webmin server's own SSL certificate for Postfix.
Then when a client email app belonging to a different domain is looking for the Postfix SSL cert for webmin.fqdn, it instead gets the Postfix cert for a different domain (clients virtual server). That will immediately cause an error on the client email app.
The above is my understanding...someone else may be able to correct my understanding if it's wrong.
https://ajecreative.com.au
You want (ideally) to have a master domain for your VPS (Virtualmin) - create a VirtualServer for it & enable mail, web (can just be a holding page) & SSL.
Generate a LE SSL cert for it - and copy that SSL to Postfix.
Let's say your master domain is masterdomain.com, so you will/should have mail.masterdomain.com in the cert.
You should add an SPF record to your "child" or "client" domains' DNS (assuming they are external) so that other mail servers realise/accept that mail.masterdomain.com is authorised to send mail on behalf of the child/client domains.
Wouldn't that only be the case Dibbs if the subdomain "mail" is the server hostname?
Example
Server host.fqdn = mail.hostdomain.com
Otherwise, if the server hostname is "web1" then it would be
Server.fqdn = web1.hostdomain.com
MX record for all clients using your server's email capability would be
clientdomain.com MX web1.hostdomain.com
Wouldn't "mail" actually have to be the server's hostname to use for the DNS MX record?
Examples
mail.godaddy.com
mail.microsoft.com
mail.adamshosting.com
Going to the command line and reading the /etc/hosts file for all of the above examples would show the server name "mail" in it.
For example, take a look at the Trend Micro MX record...
clientdomain.com MX Record in.hes.trendmicro.eu
This article has an example of DreamHost's client MX records
https://help.dreamhost.com/hc/en-us/articles/215035818-Locating-your-Dre... (notice the full server name "vade-int1...")
https://ajecreative.com.au
@Adam - thinking about it, if your subdomain or server name was mail, then YES, it would be the case. In the example you give about web1.hostdomain.com (that's the FQDN for your VPS & it has an A record) then you could have
A mail.clientdomain.com 1.2.3.4
MX mail.clientdomain.com 10
mail.clientdomain.com will resolve but you'd want to put in an SPF record for clientdomain.com referencing web1.hostdomain.com so that other MXs know that web1.hostdomain.com is authorised to send mail for clientdomain.com, if that makes sense?
In adding a VirtualServer for Hostdomain.com (ensuring web1.hostdomain.com & maybe mail, www, root domain) are all in the SSL cert (LE) - you could just copy that cert to Postfix. To my mind Postfix (with only 1 IP) should really have the SSL associated with the FQDN of the Master Host (or VPS). Additional subdomains won't hurt nor will having mail associated with it. Having mail might be necessary in the case of having to deal with removal from blacklists or similar.
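To illustrate the "certificate doesn't match the name" warning raised earlier in this thread, here is an added example (not code from any poster) that applies RFC 6125 style name matching to a constructed SAN list for the host domain's certificate copied to Postfix. The hostnames are the thread's placeholders, and name_in_cert and client_server_check are this example's own functions.

```python
# Added example (not from the thread). On a shared IP, Postfix presents a single
# certificate, so the server name typed into a mail client must be one of the
# names in that certificate, not necessarily mail.<clientdomain>.

def name_in_cert(hostname, san_names):
    """True if hostname is covered by one of the certificate's DNS SANs."""
    host = hostname.rstrip(".").lower().split(".")
    for san in san_names:
        pat = san.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue                      # a wildcard covers exactly one label
        if "*" in pat[1:]:
            continue                      # wildcards only in the leftmost label
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False

# Constructed SAN list: the host domain's certificate, which is what gets copied
# to Postfix (web1.hostdomain.com is the thread's placeholder FQDN).
POSTFIX_CERT_SANS = [
    "web1.hostdomain.com", "mail.hostdomain.com",
    "hostdomain.com", "www.hostdomain.com",
]

def client_server_check(configured_host, san_names=POSTFIX_CERT_SANS):
    """(ok, message) for the incoming/outgoing server name set in a mail client."""
    if name_in_cert(configured_host, san_names):
        return True, f"{configured_host} matches the Postfix certificate"
    return False, (f"{configured_host} is not in the Postfix certificate "
                   f"({', '.join(san_names)}); configure the client with one of those")

if __name__ == "__main__":
    for name in ("mail.clientdomain.com", "web1.hostdomain.com"):
        print(client_server_check(name)[1])
```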
Trend Micro, for example, require the user to add their mail server in the MX record itself.
MX in.hes.trendmicro.eu
This I think is what makes this so confusing. So the Virtualmin user is left wondering, after configuring DNS, what am I supposed to input for MX records...I think even the default Virtualmin "suggested DNS" uses mail.clientdomain.com. It's ridiculously confusing...the bewildered Virtualmin user is then left asking the question: so which is it? When the client email app on their desktop PC throws an error when MX server.hostdomain.com is added, they are even more confused. A choice between
MX mail.clientdomain.com or
MX server.hostdomain.com
and almost no idea which one of the above should be utilised.
Looking at the Trend Micro example, it appears it should be the latter? And yet, whenever one adds a new mail account to, say, a computer app such as Outlook, the program always defaults to mail.clientdomain.com (where clientdomain.com matches the user's email address.)
The confused Virtualmin user then goes online looking for help and finds numerous tutorials where the server has a single domain on it...which is useless for a shared hosting environment...that only confuses things more. Virtualmin isn't for just a single domain...this is a webhosting control panel where most people host multiple domains. We don't bloody want tutorials reflecting a single user, domain, and email where said domain is also the server...that is zero help!
This is as bad as all these webserver setup tutorials where the server IP address is given as 192.168.0.1. That is a local LAN default given by internet service providers for your desktop PC to interact with your internet modem. Why would one be told to use that same IP address for a webhosting server? How many people actually have static IP addresses at home to even run a webserver? Internet service providers intentionally limit upload bandwidth to discourage this. The tutorials should never do these dumbass things...it confuses the hell out of newbies and we end up with NAT being thrown into the mix...and the cascading nightmare begins.
https://ajecreative.com.au
It kind of makes sense that if you are using a hosted mail service like Trend (I am assuming it's the hosted version) that your domain's MX is pointing to their (MX) server. I would expect an SPF record that says Trend are authorised to send emails for your domain too.
Tutorials - I can understand someone putting in 192.168.0.1 as an IP address as they may well be doing the build on their LAN. I would hope it's clear in the tutorial that it's just an example etc and needs to be replaced with whatever the person reading the tutorial is actually doing.
But therein lies a bit of a grey area. If I'm building a server that is public facing (directly) it will have a Public IP, but if it's behind a firewall, it may well be on a LAN and have a non-routable IP, and Newbies may not understand the differences etc.
Most books - so why not tutorials - have a paragraph in the opening pages stating what the intended audience is (and their expected level of knowledge).