I’m happily using my FBX as an email server for my main domain and all is well. I’ve set up the applications, completed configuration for DKIM, SPF and ARC and have been using my server for well over a year now.
One thing that I wanted to achieve, but couldn’t get my head around how to do, was to add other domains that I own for sending / receiving email. Recently, I’ve found a “hack” to do this. Having come to a point, I wanted to share what I discovered with everyone else.
Now, please take all I’m sharing here with a pinch of salt as I have done all the below through online reading and overall experience over the past year. I am not by any means proficient and I’m only sharing what just works for me. So, any risks are on you : ) If you have any, please do share your comments below to make this thread better.
If you decide to proceed, one thing to get out of the way is that with the below steps, you will not be creating a new e-mail server or a new mailbox. All the domains that you set up will work with the single server and mailbox that comes bundled with FBX. In simple terms, when receiving email, you’ll have only one inbox and all your mail will fall there. Your credentials will be your FBX credentials and all your FBX users (and aliases) will work for the new domains. When sending emails, you’ll see below how to set up DKIM signatures (while configuring ARC). In this respect, you will need to create new “sender identities” in your mail clients and your messages will be signed and sent accordingly.
One downside to this method is, if you’ve properly configured your domain with rDNS (PTR), your other domains will have the same sender IP. Although this is “frowned upon” in terms of email security, with DKIM, DMARC, SPF and ARC properly set up, all my emails are making it to Gmail Inbox and I’m getting top scores from all mail testers.
STEP 0
Now, before getting your hands dirty, it’s important that you have initially set up your mail server for your primary domain and have correctly configured DKIM, DMARC, SPF and ARC. I’m sharing this link on how to achieve this. If you come across any problems, please post your comments below. I’ve done all my configuration with a single static IP so I may not have answers to other setups.
Next, connect to your (secondary) domain registrar’s administration page and set your A record in accordance with your static IP. While you’re at it, add an MX record as well. For TLS purposes, make sure that you’ve obtained a Let’s Encrypt certificate for your new domain on FBX.
Throughout this thread, I’ll be referring to your initial FBX domain as the PRIMARY_DOMAIN and all other domains that you configure as SECONDARY_DOMAIN.
| Domain | TTL | Type | Priority | Host/Target/Value |
|---|---|---|---|---|
| | 300 | A | | YOUR_STATIC_IP |
| | 300 | MX | 10 | SECONDARY_DOMAIN. |
These settings are crucial for receiving your email. We will be adding more for sending mail; I’ll share them below (in Step 2).
STEP 1 Receiving Email
Once you’ve configured your DNS settings as above, edit the Postfix main configuration file with the below command.
sudo nano /etc/postfix/main.cf
Towards the end of the file, you’ll notice a mydestination variable. Add your new (secondary) domains to the same line, separated with commas.
mydestination = $myhostname, PRIMARY_DOMAIN.com, SECONDARY_DOMAIN.com, localhost.$mydomain, freedombox.local, localhost
Save and exit your file, and restart postfix with
sudo systemctl restart postfix
Now you (and all your users) can receive email addressed to your secondary domain.
STEP 2 Sending Email
With just the above settings you can technically send email already. However, if you’ve properly set up your primary domain with the necessary anti-spam settings, there’s a good chance all mail you send from your new domain will be treated as spam.
To overcome this, we’ll be setting up a DKIM signature for your new domain, adding a DMARC and SPF record in your DNS and creating your new ARC file.
DKIM
We’ll have rspamd generate a DKIM key pair in /var/lib/rspamd/dkim/
sudo su
cd /var/lib/rspamd/dkim/
rspamadm dkim_keygen -s 'dkim' -b 2048 -d secondary_domain.com -k secondary_domain.com.dkim.key > secondary_domain.txt
Once rspamd generates the key pair, you’ll be able to see them in the .txt file. But before getting to that, let’s give ownership of the dkim directory to _rspamd
sudo su
chown -R _rspamd:_rspamd /var/lib/rspamd/dkim
chmod 440 /var/lib/rspamd/dkim/*
The .txt file contains both your private and public DKIM keys. We’re going to put the public key it gives us to use in our DNS settings. So,
cat /var/lib/rspamd/dkim/secondary_domain.txt
should give us something like this (your keys will differ):
dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2/al5HqXUpe+HUazCr6t9lv2VOZLR369PPB4t+dgljZQvgUsIKoYzfS/w9NagS32xZYxi1dtlDWuRfTU/ahHO2MYzE0zHE4lMfwb6VkNCG+pM6bAkCwc5cFvyRygwxAPEiHAtmtU5b0i9LY25Z/ZWgyBxEWZ0Wf+hLjYHvnvMqewPsduUqKVjDOdUqeBb1VAu3WFErOAGVUYfKqFX"
"+yfz36Alb7/OMAort8A5Vo5t5k0vxTHzkYYg5KB6tLS8jngrNucGjyNL5+k0ijPs3yT7WpTGL3U3SEa8cX8WvOO1fIpWQz4yyZJJ1Mm62+FskSc7BHjdiMHE64Id/UBDDVjxwIDAQAB"
) ;
Punch these values into your DNS as a TXT record.
| Domain | TTL | Type | Priority | Host/Target/Value |
|---|---|---|---|---|
| dkim._domainkey | 300 | TXT | | "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2/al5HqXUpe+HUazCr6t9lv2VOZLR369PPB4t+dgljZQvgUsIKoYzfS/w9NagS32xZYxi1dtlDWuRfTU/ahHO2MYzE0zHE4lMfwb6VkNCG+pM6bAkCwc5cFvyRygwxAPEiHAtmtU5b0i9LY25Z/ZWgyBxEWZ0Wf+hLjYHvnvMqewPsduUqKVjDOdUqeBb1VAu3WFErOAGVUYfKqFX" "+yfz36Alb7/OMAort8A5Vo5t5k0vxTHzkYYg5KB6tLS8jngrNucGjyNL5+k0ijPs3yT7WpTGL3U3SEa8cX8WvOO1fIpWQz4yyZJJ1Mm62+FskSc7BHjdiMHE64Id/UBDDVjxwIDAQAB" |
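As an added example (my own code, not from this post or from rspamd), a small Python check for the step above: it joins the quoted strings of rspamadm’s zone-file output into the single TXT value a registrar form wants, and confirms that the published p= really is a 2048-bit RSA key before you save the record. The sample record is constructed around a filler modulus, so it is not a real key; only its DER framing matches rspamadm’s output.

```python
import base64
import re

def txt_value_from_zone(zone_text):
    """Join the quoted character-strings of a zone-file TXT record (rspamadm prints the p= tag
    split across several) into the single value most registrar forms expect."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))

def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki_der):
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return the modulus bit length."""
    _, start, _ = der_tlv(spki_der, 0)                  # outer SEQUENCE
    _, _, alg_end = der_tlv(spki_der, start)            # AlgorithmIdentifier (skipped)
    tag, bs_start, _ = der_tlv(spki_der, alg_end)       # BIT STRING, first byte = unused bits
    if tag != 0x03 or spki_der[bs_start] != 0:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, rsa_start, _ = der_tlv(spki_der, bs_start + 1)   # RSAPublicKey SEQUENCE
    tag, n_start, n_end = der_tlv(spki_der, rsa_start)  # INTEGER n (modulus)
    return int.from_bytes(spki_der[n_start:n_end], "big").bit_length()

def check_dkim_record(zone_text, expect_bits=2048):
    """Return (txt_value, modulus_bits); raise if the record is not a DKIM1 RSA key of the size requested."""
    value = txt_value_from_zone(zone_text)
    tags = dict(kv.strip().split("=", 1) for kv in value.split(";") if "=" in kv)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits != expect_bits:
        raise ValueError(f"key is {bits} bits, expected {expect_bits}")
    return value, bits

# Constructed sample: DER framing of a 2048-bit RSA SubjectPublicKeyInfo around a filler modulus.
# It is NOT a real key; it only has the shape (and the MIIBIjAN... prefix) of rspamadm's output.
_SPKI = (b"\x30\x82\x01\x22" + b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"
         + b"\x03\x82\x01\x0f\x00" + b"\x30\x82\x01\x0a" + b"\x02\x82\x01\x01\x00"
         + b"\xc3" + bytes(i % 256 for i in range(255)) + b"\x02\x03\x01\x00\x01")
_B64 = base64.b64encode(_SPKI).decode()
SAMPLE_ZONE = ('dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "\n'
               f'\t"p={_B64[:220]}"\n\t"{_B64[220:]}"\n) ;')
```

Run check_dkim_record on the text you get from cat /var/lib/rspamd/dkim/secondary_domain.txt; the returned value is what goes into the Host/Target/Value field as one string.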
Now, to add your SECONDARY_DOMAIN to the DKIM selectors:
sudo su
nano /etc/rspamd/local.d/dkim_selectors.map
making sure the contents of the file are aligned with below (one domain and its selector per line)
primary_domain.com dkim
secondary_domain.com dkim
and adjusting the signing module with
nano /etc/rspamd/local.d/dkim_signing.conf
You should have initially configured this file when setting up your primary domain, so I’m just adding the last part.
...
# Domain specific settings
domain {
  # Domain name is used as key
  primary_domain.com {
    # Private key path
    path = "/var/lib/rspamd/dkim/primary_domain.com.dkim.key";
    # Selector: must match the DNS record name (dkim._domainkey) and dkim_selectors.map
    selector = "dkim";
  }
  secondary_domain.com {
    # Private key path: the file written by rspamadm dkim_keygen -k above
    path = "/var/lib/rspamd/dkim/secondary_domain.com.dkim.key";
    # Selector
    selector = "dkim";
  }
}
After saving and exiting, you may restart rspamd here. However, I suggest you continue with the ARC setup and then do the restart.
ARC
With DKIM set up above, we quickly set up ARC with a single copy command
sudo cp /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf
And finally, restart rspamd with
sudo systemctl restart rspamd
DMARC and SPF
Now that things are straight with our server, it’s best to add DMARC and SPF policies to our secondary domain’s DNS. Feel free to check online DMARC and SPF generators, but I did my settings with the below.
| Domain | TTL | Type | Priority | Host/Target/Value |
|---|---|---|---|---|
| | 300 | TXT | | "v=spf1 mx a ip4:YOUR_STATIC_IP -all" |
| _dmarc | 300 | TXT | | "v=DMARC1; p=none; sp=quarantine; rua=mailto:postmaster@my_domain.com;" |
Should you wish to receive DMARC reports at your primary domain mail address, add the following to your primary domain DNS
| Domain | TTL | Type | Priority | Host/Target/Value |
|---|---|---|---|---|
| secondary_domain.com._report._dmarc | 300 | TXT | | "v=DMARC1" |
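As an added example (my own code, not from this post), an offline Python walk-through of what a receiving server does with the Step 2 DNS records: a minimal SPF evaluation of the record above for a given sending IP, and the RFC 7489 section 7.1 external-report check that the secondary_domain.com._report._dmarc record in the primary zone satisfies. All names and the IP are placeholders (secondary.example, primary.example, 203.0.113.10) held in a constructed DNS dictionary instead of real lookups.

```python
import ipaddress
# Constructed stand-in for DNS (placeholder names/IP, not the thread's): secondary.example is
# SECONDARY_DOMAIN, primary.example is PRIMARY_DOMAIN, 203.0.113.10 the FreedomBox's static IP.
DNS = {
    ("secondary.example", "A"): ["203.0.113.10"],
    ("secondary.example", "MX"): ["secondary.example"],
    ("secondary.example", "TXT"): ["v=spf1 mx a ip4:203.0.113.10 -all"],
    ("_dmarc.secondary.example", "TXT"): ["v=DMARC1; p=none; sp=quarantine; rua=mailto:postmaster@primary.example;"],
    # cross-domain report authorisation, published in the PRIMARY domain's zone (the thread's last table)
    ("secondary.example._report._dmarc.primary.example", "TXT"): ["v=DMARC1"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
def lookup(name, rtype):
    return DNS.get((name.rstrip("."), rtype), [])

def spf_check(domain, ip):
    """Evaluate a, mx, ip4 and all (the mechanisms the thread's SPF record uses) for one sending IP."""
    spf = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if len(spf) != 1:
        return "none"  # no record, or several (receivers treat that as a permanent error)
    for term in spf[0].split()[1:]:
        qual = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "ip4":
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            hit = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "all":
            hit = True
        else:
            return "permerror"  # include/redirect/exists are outside this demo
        if hit:
            return RESULTS[qual]
    return "neutral"
def parse_dmarc(domain):
    """Tags of _dmarc.<domain> as a dict ({} when there is no DMARC record)."""
    recs = [t for t in lookup("_dmarc." + domain, "TXT") if t.startswith("v=DMARC1")]
    return dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv) if recs else {}

def dmarc_reports_authorized(domain):
    """RFC 7489 s.7.1: reports to a mailbox in another domain need <domain>._report._dmarc.<rua-domain> TXT "v=DMARC1"."""
    for uri in parse_dmarc(domain).get("rua", "").split(","):
        rua_domain = uri.strip().replace("mailto:", "", 1).rpartition("@")[2]
        if rua_domain and rua_domain != domain:
            auth = lookup(f"{domain}._report._dmarc.{rua_domain}", "TXT")
            if not any(t.startswith("v=DMARC1") for t in auth):
                return False
    return True
```

Without the authorisation record in the primary zone, dmarc_reports_authorized returns False and real receivers would silently drop the aggregate reports.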
Identities
The above should have you all set. Now, create a new identity in your email client with your secondary domain name and do a test drive.
Good luck!