How to set up mail server on a remote Virtualmin server for a Virtualmin domain?

#1 Fri, 11/21/2014 - 13:31
nobody

I have domain.com on a VPS and mail.domain.com on another VPS and both have Virtualmin installed.

domain.com has website but no email enabled. mail.domain.com has email but no website enabled.

I created an A record for mail.domain.com and set it as the MX for domain.com.

What else do I need to do so that user@mail.domain.com can send and receive mail as user@domain.com?

PLEEEEEEEASE HELP ME.

Fri, 11/21/2014 - 15:08
ReArmedHalo

Hi,

What I would do, probably, is create domain.com on the second VPS as well (forget about mail.domain.com on there, unless you host a site for the mail virtual server) and just disable everything you can except for mail. Since in your DNS you have the MX records and A records pointing at it, any mail that is attempted to be delivered will be sent to the second VPS.

In my mind, this should work. I cannot test it to be 100% sure at this time. Let me know how it works out for you.

-Dustin

Fri, 11/21/2014 - 15:36
nobody

Thank you for the reply. I had already tried that, but the mail server bounced the mail saying it refused relaying, so I added domain.com to the Postfix "Restrict mail relaying" field in Webmin (I set it to: $mydestination domain.com).

At this point, if I try to send an email to user@domain.com, the mail bounces from mail.domain.com with a different message: "mail for domain.com loops back to myself".

So while this looks like somewhat of a progress, I still need to convince mail.domain.com that mail to user@domain.com needs to be delivered locally to the user@mail.domain.com mailbox.

Also, I need to have all mail from user@mail.domain.com be delivered anywhere as mail from user@domain.com .

After achieving that, I can have a beer. And you can too.

Fri, 11/21/2014 - 15:58
ReArmedHalo

Hello,

Well it was worth a shot :)

How did you try to send the test messages? From an external server or from the domain.com server? I am confused about the "refused relay" message as I don't believe mail should be getting relayed at all. It is simply being delivered at a different server. If you wouldn't mind, I would like to write out my idea a little bit more and ask if you can confirm it matches one of your tests?

  • Server 1
    • Virtual server "domain.com" with DNS enabled and Mail disabled (delete all created DNS records, except for the name server ones, and create the ones below)
      • A record for domain.com > SERVER1_IP
      • A record for mail.domain.com > SERVER2_IP
      • MX record for domain.com > mail.domain.com
  • Server 2
    • Virtual server "domain.com" with Mail enabled

Let DNS propagate for an hour or so, so grab a coffee... or three... and some chips... great now I'm hungry! :)

Using third party email, such as Gmail, send a message to "test1@domain.com". Login to usermin on "Server 2" as "test1@domain.com" and you should receive the message. Feel free to reply to it, you should receive the reply. Also create a new message and send it to a third party, such as that gmail address, and you should receive it on Gmail.

This should work because it is how I understand my Office365 email is set up, and how things worked when I ran my own Exchange server.

Please confirm and/or try to replicate this configuration if you can and let me know how things turn out. Make sure to undo any configuration changes you tried, like the restrict mail relay option, before attempting this configuration again.

-Dustin

Fri, 11/21/2014 - 16:48 (Reply to #4)
nobody

Thank you, but that was my first attempt, and when I do that, I get: "Relay access denied".

That's why I went and added domain.com to the Restrict mail relaying field. Then the error changes to the "loops back to myself" one.

So it looks like I should not have domain.com relayed because then mail.domain.com sends it back to the origin in a loop, but then at the same time I need to inform mail.domain.com that it needs to accept email from domain.com.

Just setting the MX record does not seem to be enough.

Fri, 11/21/2014 - 16:57
ReArmedHalo

Hi,

That is interesting. I have no idea why it is attempting to relay it. I'm going to try to research this a bit more and get back to you. Maybe somebody else who is more knowledgeable than me will answer you before then and has the right solution :)

-Dustin

EDIT: Could you post the relevant entries from the postfix log (/var/log/maillog) from both servers? Still trying to understand the relay error.

Fri, 11/21/2014 - 18:45
nobody

Sure

mail.domain.com maillog entry:

<user@domain.com>: Relay access denied; from=<otheruser@otherdomain.com> to=<user@domain.com> proto=ESMTP helo=<xxx.com>

domain.com maillog entry: no entry (the email was sent from a 3rd party account), but the bounced email had:

The error that the other server returned was:
554 5.7.1 <user@domain.com>: Relay access denied

Fri, 11/21/2014 - 19:16
nobody

OK, then if I add domain.com to Webmin > Postfix general options > What domains to receive mail for (= $mydestination), the email still bounces, but this time with the error:

The error that the other server returned was:
550 5.1.1 <user@domain.com>: Recipient address rejected: User unknown in local recipient table

I think I see this type of error when someone enters a random name for the correct domain.

So I guess there must be a way to map username@domain.com to username@mail.domain.com ?
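The three errors quoted so far in this thread ("Relay access denied", "mail for domain.com loops back to myself" and "User unknown in local recipient table") fall out of how Postfix classifies a recipient's domain. The following is an added example, not code from Virtualmin, Postfix or anyone in this thread: a small Python model of that classification, replaying each configuration step tried above. The hostnames, the 203.0.113.x addresses and the user name user1.mail.domain are constructed for the example, and the model is deliberately simplified (virtual alias rewriting, then mydestination, then relay_domains, otherwise reject).

```python
# Added example (not Virtualmin's or Postfix's code): a simplified model of how
# Postfix decides what to do with an inbound recipient on the mail VPS
# (mail.domain.com), reproducing the SMTP errors seen in this thread.
# Hostnames, IPs and user names are constructed.

from dataclasses import dataclass, field

# Constructed DNS data: the MX for domain.com points at the mail VPS.
DNS = {
    "mx": {"domain.com": "mail.domain.com"},
    "a": {"domain.com": "203.0.113.1", "mail.domain.com": "203.0.113.2"},
}


@dataclass
class PostfixConfig:
    myhostname: str
    own_addresses: set                       # inet_interfaces / proxy_interfaces
    mydestination: set                       # "What domains to receive mail for"
    relay_domains: set = field(default_factory=set)         # "Restrict mail relaying"
    local_users: set = field(default_factory=set)           # local_recipient_maps (Unix accounts)
    virtual_alias_maps: dict = field(default_factory=dict)  # virtual_alias_maps


def classify(cfg: PostfixConfig, recipient: str, dns: dict = DNS, depth: int = 0) -> str:
    """Return the outcome for one recipient, following Postfix address classes:
    virtual alias rewrite first, then local (mydestination), then relay
    (relay_domains); anything else is refused as an open-relay attempt."""
    addr = recipient.lower()
    if depth > 5:
        return f"error: alias loop for <{addr}>"
    if addr in cfg.virtual_alias_maps:
        target = cfg.virtual_alias_maps[addr]
        if "@" not in target:                # bare user: Postfix appends the local domain
            target = f"{target}@{cfg.myhostname}"
        return classify(cfg, target, dns, depth + 1)
    user, domain = addr.rsplit("@", 1)
    if domain in cfg.mydestination:          # local address class
        if user in cfg.local_users:
            return f"250 delivered to local mailbox {user}"
        return (f"550 5.1.1 <{addr}>: Recipient address rejected: "
                "User unknown in local recipient table")
    if domain in cfg.relay_domains:          # relay address class
        mx_host = dns["mx"].get(domain, domain)
        if dns["a"].get(mx_host) in cfg.own_addresses:
            return f"mail for {domain} loops back to myself"
        return f"250 relayed to {mx_host}"
    return f"554 5.7.1 <{addr}>: Relay access denied"


def walk_through_thread() -> dict:
    """Replay the thread's configuration attempts; each key names one step."""
    base = dict(myhostname="mail.domain.com",
                own_addresses={"203.0.113.2", "127.0.0.1"},
                local_users={"user1.mail.domain"})
    results = {}
    # Step 1: only the mail VPS's own hostname is local, so domain.com is "not ours".
    cfg = PostfixConfig(mydestination={"mail.domain.com", "localhost"}, **base)
    results["default"] = classify(cfg, "user1@domain.com")
    # Step 2: domain.com under "Restrict mail relaying" (relay_domains); the MX for
    # domain.com is this very host, so Postfix refuses to relay to itself.
    cfg = PostfixConfig(mydestination={"mail.domain.com", "localhost"},
                        relay_domains={"domain.com"}, **base)
    results["relay_domains"] = classify(cfg, "user1@domain.com")
    # Step 3: domain.com in mydestination; the Unix account is user1.mail.domain,
    # so only that spelling of the local part is known.
    cfg = PostfixConfig(mydestination={"mail.domain.com", "localhost", "domain.com"}, **base)
    results["mydestination_short_user"] = classify(cfg, "user1@domain.com")
    results["mydestination_full_user"] = classify(cfg, "user1.mail.domain@domain.com")
    # Step 4: a virtual alias maps the public address onto the Unix account.
    cfg = PostfixConfig(mydestination={"mail.domain.com", "localhost", "domain.com"},
                        virtual_alias_maps={"user1@domain.com": "user1.mail.domain"}, **base)
    results["virtual_alias"] = classify(cfg, "user1@domain.com")
    return results


if __name__ == "__main__":
    for step, outcome in walk_through_thread().items():
        print(f"{step:26} {outcome}")
```

Running it prints one line per step; the fourth step is the one the thread is working towards, where the public address is rewritten to the Unix account before the local-recipient check runs.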

Fri, 11/21/2014 - 22:45
ReArmedHalo

Hi,

I don't think you should have to map mail.domain.com to domain.com, the second server should just know it. On your second server you have the virtual server "domain.com"? As I understand what you have been saying, your second server has the virtual server "mail.domain.com"? Please correct me if I am mistaken. Also it is my understanding that you don't need to add "domain.com" to the postfix "domain to receive mail for" as it is set correctly as needed by virtualmin, although that field never appears to change values when you add or remove virtual servers. At least that is what I am told.

-Dustin

Sat, 11/22/2014 - 04:42
nobody

Hi Dustin,

The two servers are totally separated, so domain.com is the web server at IP1 and mail.domain.com is the mail server at IP2. All they have in common is the registered domain and the MX record pointing to mail.domain.com.

But the MX record is only there to indicate to 3rd parties which MX is supposed to handle mail to/from domain.com, so the above information is not enough for mail.domain.com, because the mail server should already know what to do without having to look up the DNS records.

So by adding domain.com to mail.domain.com $mydestination I have reached the point where mail.domain.com knows that domain.com is its destination.

But what it still does not know is how to interpret the usernames. So there must be some way to rewrite or map them to existing usernames on mail.domain.com.

I guess this is a quite common user case so I am surprised I cannot find some detailed explanations on how to set up this common scheme.

Having all mail accounts, mailboxes and SMTP/IMAP servers on mail.domain.com and the web server on domain.com is a normal setup, so why is it so hard to find a down-to-earth tutorial?

I hope we can find the way (or maybe there is more than one way) and perhaps contribute to the Webmin / Virtualmin documentation.

PS: I guess this is relevant documentation: http://www.postfix.org/postconf.5.html#local_recipient_maps

Sat, 11/22/2014 - 07:17
ReArmedHalo

Hi,

Is your second server's hostname "mail.domain.com" by chance? If so, I have been told that causes issues. Change it to srv2.domain.com, for example, if you can. Also, the virtual server on said server should be domain.com; it doesn't need to be and shouldn't be configured for mail.domain.com, otherwise it will be accepting mail for test1@mail.domain.com.

-Dustin

Sat, 11/22/2014 - 08:45
nobody

Hey Dustin, thank you so much for your help.

However, the two servers have different IPs, so I need to set an A record for the mail server as well. I called it mail.domain.com, but the prefix can be anything else. And I guess MX records do not accept IPs but only names.

The internal hostname can be anything as well and it does not have to be the same as the A record I guess.

I am afraid I have to read the Postfix documentation even though what I was hoping for was just a simple example since this scenario is very common.

For example, having user homes and mail under the same user as the website is a security risk. I saw recently a number of compromised sites because of the recent Drupal exploit and so I rather keep users and mail separated from the public folder. Also, some businesses keep many GB of mail so they may need the larger storage space while for a web server performance is more important etc.

Thanks again.

Sat, 11/22/2014 - 08:54
nobody

In fact, by the same token, even on the same shared IP one should easily be able to create two Virtualmin virtual servers under separate accounts, and use one for mail and the other for web.

Everything else stays the same as far as my initial question except that the IP is shared in this case. So in this case the A record for mail.domain.com will show the same IP as www.domain.com, but then internally Virtualmin will treat them as two separate virtual servers under separate user accounts and permissions. This is more secure than having everything under the same user account.

Sat, 11/22/2014 - 09:40
ReArmedHalo

Hi,

Actually the internal hostname does matter. I don't know the specifics of why it matters but apparently it does. The A records and MX records are fine, but the hostname should not be mail.domain.com on the server itself. Perhaps someone who knows more about this can provide the specific reason.

I don't have time to read your entire reply at the moment but I will come back later and read and reply to what you said.

If you wish, I can perhaps Skype with you and we can try to work on your issue in more detail? If so, my skype username is the same as my forum username on here.

-Dustin

Sun, 11/23/2014 - 08:18
nobody

Ok I started figuring out something.

After adding domain.com to $mydestination in mail.domain.com ( Webmin > Servers > Postfix Mail Server > General Options > What domains to receive mail for ), then Postfix will accept mail sent to domain.com.

However, it will then look for an actually existing user. So, it will deliver only to usernames that actually exist as Linux accounts (this is the way Virtualmin works, as opposed to using virtual email addresses in a database).

So for example user1@mail.domain.com is in reality named after the account owner (= mail.domain) so the real username will be user1.mail.domain.

Therefore if I send a message to user1.mail.domain@domain.com, the message gets successfully delivered to the inbox of user1.mail.domain@mail.domain.com (after I add domain.com to $mydestination).

But, if I send a message to user1@domain.com, then it bounces with:

Recipient address rejected: User unknown in local recipient table

The reason it bounces is of course that there is no such user named "user1" on the linux box.

So what needs to be done next is to create an alias that maps user1@domain.com to user1.mail.domain.

Not only that, but also the @domain.com mail aliases need to be mapped to @mail.domain.com aliases (such as the hostmaster@, webmaster@ etc default email aliases).

Finally, the outgoing mail needs to be somehow rewritten so that instead of being from @mail.domain.com , it appears as from @domain.com

If someone can help me here I'd appreciate it. If not, I'll have to keep RTFMs.
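The three remaining pieces listed in the post above (a per-user alias from user1@domain.com to user1.mail.domain, the role aliases such as hostmaster@ and webmaster@, and rewriting outgoing mail from @mail.domain.com to @domain.com) are all Postfix lookup tables. The following is an added example, not code from Virtualmin, Postfix or anyone in this thread: it generates the text of a virtual_alias_maps table for the inbound mapping and a sender_canonical_maps table for the outbound rewrite, checks that every alias target really exists as a Unix account (so nothing bounces with "User unknown in local recipient table"), and emulates Postfix's lookup order. The domain, the owner name mail.domain, the user list and the role-alias list are constructed to match the thread; using sender_canonical_maps for the outbound rewrite is this example's choice, not something the thread settles on.

```python
# Added example (not Virtualmin's or Postfix's code): builds the two Postfix
# lookup tables the post above calls for and checks them against the Unix
# accounts that actually exist. Domain, owner and user names are constructed.

PUBLIC_DOMAIN = "domain.com"      # domain the outside world uses
MAIL_HOST = "mail.domain.com"     # virtual server / hostname on the mail VPS
OWNER = "mail.domain"             # Virtualmin account owner; mailboxes are <name>.<owner>
USERS = ["user1", "user2"]        # constructed mailbox names
ROLE_ALIASES = ["postmaster", "hostmaster", "webmaster", "abuse"]


def unix_user(name: str, owner: str = OWNER) -> str:
    """Virtualmin's mailbox naming for account 'owner', as described in the thread."""
    return f"{name}.{owner}"


def virtual_alias_rows(users=USERS, roles=ROLE_ALIASES, public_domain=PUBLIC_DOMAIN,
                       mail_host=MAIL_HOST, owner=OWNER):
    """Inbound: user1@domain.com -> user1.mail.domain (a local Unix account), and the
    role aliases on domain.com -> the same aliases that exist on mail.domain.com."""
    rows = [(f"{u}@{public_domain}", unix_user(u, owner)) for u in users]
    rows += [(f"{r}@{public_domain}", f"{r}@{mail_host}") for r in roles]
    return rows


def sender_canonical_rows(users=USERS, public_domain=PUBLIC_DOMAIN,
                          mail_host=MAIL_HOST, owner=OWNER):
    """Outbound: rewrite envelope sender and From:
    user1.mail.domain@mail.domain.com -> user1@domain.com."""
    return [(f"{unix_user(u, owner)}@{mail_host}", f"{u}@{public_domain}") for u in users]


def render(rows) -> str:
    """Text of a hash: table; write it under /etc/postfix and run postmap(1) on it."""
    return "".join(f"{key}\t{value}\n" for key, value in rows)


def lookup(rows, address: str):
    """Emulate Postfix's lookup order for address tables: the full address first,
    then the @domain catch-all entry."""
    table = dict(rows)
    address = address.lower()
    if address in table:
        return table[address]
    domain = address.rsplit("@", 1)[1]
    return table.get(f"@{domain}")


def missing_targets(rows, local_users) -> list:
    """Bare local targets with no Unix account: each would bounce with
    'User unknown in local recipient table', so catch them before deploying."""
    return sorted({v for _, v in rows if "@" not in v and v not in local_users})


def main_cf_fragment(public_domain=PUBLIC_DOMAIN) -> str:
    """main.cf lines that tie the tables in (mydestination as the thread found necessary)."""
    return "\n".join([
        f"mydestination = $myhostname, localhost, {public_domain}",
        "virtual_alias_maps = hash:/etc/postfix/virtual",
        "sender_canonical_maps = hash:/etc/postfix/sender_canonical",
    ]) + "\n"


if __name__ == "__main__":
    print("# /etc/postfix/virtual\n" + render(virtual_alias_rows()))
    print("# /etc/postfix/sender_canonical\n" + render(sender_canonical_rows()))
    print("# main.cf\n" + main_cf_fragment())
    # Constructed account list: user2 has no Unix account yet, so it is reported.
    print("missing accounts:", missing_targets(virtual_alias_rows(), {"user1.mail.domain"}))
```

The missing_targets check is the one worth keeping around: it turns the "User unknown in local recipient table" bounce into a pre-deployment error. Note that canonical maps are applied to every message passing through Postfix's cleanup service, so the keys should be the internal @mail.domain.com addresses only, as generated here.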

Sun, 11/23/2014 - 08:33
nobody

PS and another thing to keep in mind:

when an email account user authenticates, it has to use a username such as user1.mail.domain.

But then in this setup, the default naming convention is not appropriate.

If on the other hand, I had named the account owner as "domain" instead of "mail.domain", then this would be better for the normal email account users because then they would authenticate as "user1.domain" rather than "user1.mail.domain".

So in other words, in this setup the mail.domain.com administration user should be named after the domain name (less the extension), and not after the subdomain name.

Of course, if the mail virtual host is on the same machine as the www virtual host, then it is the www virtual host account owner that needs to be named differently to avoid a conflict, e.g. "www.domain".

So in this case the mail.domain.com owner will be "domain" and the domain.com owner will be "www.domain".

(So I am almost there except for the aliases and for the outgoing mail domain rewrite issue).

Sun, 11/23/2014 - 10:12
ReArmedHalo

Hello,

Yes you are correct, which is why you should create the virtual server in Virtualmin on your second server (mail.domain.com) to be "domain.com" as well. Then just create users as normal and everything should work out fine. You shouldn't need to mess with the postfix settings or aliases.

I was able to get a hold of two servers and I tested the configuration I have been referencing and it worked as I had expected it should.

-Dustin

Mon, 11/24/2014 - 06:38
nobody

Thank you for your help, Dustin.

Yes using the shorter name for the virtual host is the thing to do.

However, if the mail server is on a separate VPS with a separate Virtualmin panel, then I found that I need to add "domain.com" to the Postfix $mydestination variable, or else I get a "Relay access denied" error.

This is probably not the case if the mail and the web servers are under the same Virtualmin machine.

Mon, 11/24/2014 - 12:03
ReArmedHalo

Hi,

You shouldn't have to add it manually as Virtualmin will handle that when you enable mail for a virtual server, at least that is what I am told. I am clueless as to what is causing your issue. As I said, I replicated your setup and I had no issues. If you'd like, I can provide you login details to my two test servers and you can compare my configurations to yours and perhaps spot the difference?

-Dustin

Tue, 11/25/2014 - 18:34
ReArmedHalo

Hi,

Well I made a mistake... :P When I was testing the configuration you wanted I forgot to update a DNS record. I was using my old server which was working. So it is not simple to do at all! I did manage to make it work though. I haven't nailed down all steps yet but here is basically what I did:

  • Copied virtualmin.repo file to my webmin server (Shouldn't need this step as you are using Virtualmin on both systems)
  • yum install procmail procmail-wrapper (Shouldn't need to do this step either)
  • I copied my configuration files for postfix (/etc/postfix/main.cf and master.cf) to my webmin server. Attached is my "General Options" for Postfix from Webmin.

I will try to nail down exactly what is required and exact steps but hopefully this gets you started.

  • Virtualmin server (web server) hostname: web1-useast.voltark.com
  • Webmin server (mail server) hostname: mx1-useast.voltark.com

Virtual users only exist on my web server, but for your configuration:

  • Web server: Virtual server "domain.com" created to serve websites; Apache, DNS and Webmin login enabled
  • DNS Record: "A" record for mail.domain.com pointed at your mail server
  • DNS Record: "MX" record for domain.com pointed at mail.domain.com
  • Mail server: Virtual server "domain.com" created to serve mail; Mail for domain, Webmin login enabled
  • Mail users created here
  • Postfix configuration should resemble mine

In my attached image:

  • Replace "voltark.com" in the field "Local internet domain name" with "domain.com"
  • Replace "mx1-useast.voltark.com" in the field "Internet hostname of this mail system" with "mail.domain.com"
  • "Local networks" was populated for me so I would leave whatever Virtualmin configured as default.

I hope this was helpful somewhat. I can provide more assistance if this still isn't working for you. -Dustin

Wed, 01/06/2016 - 15:31
marcnz

Hi,

A year has passed and not sure if the issue has been resolved for the user.

I had a similar issue with the loop to itself error.

I fixed it once I noticed the entries in the /etc/hosts file. Once rectified, the error went away.

I hope this helps.
