DNS Registrar vs Virtualmin

#1 Thu, 12/05/2019 - 22:28
jehy


I'm trying to set up Virtualmin on a VPS to host a couple of websites with email. I've been having trouble all week and I'm not sure what to do anymore. Any help on this would be greatly appreciated.

I have been able to get the websites online with a "hello world" HTML page that I loaded into the file manager. Getting email to work has been harder, and I think all of my issues seem to stem from DNS configuration.

I have registered the domains with porkbun.com and they have a UI to manage DNS records that looks like this:

Type  Host                               Answer                      TTL  Priority
A     excelblade.com                     107.181.191.83              300
MX    excelblade.com                     excelblade.com              300  10
SRV   _autodiscover._tcp.excelblade.com  10 443 webmail.porkbun.com  300  10
TXT   excelblade.com                     v=spf1 mx ~all              300

(107.181.191.83 is the IP for my VPS)

This is what I'm using, but shouldn't I let Virtualmin handle that? What would I need to do to make that happen?

My ultimate goal is to host 3 websites, each with email.

I am checking my MX config using https://mxtoolbox.com/SuperTool.aspx and I am getting the following results:

  • No DMARC Record found
  • DNS Record found
  • DMARC Quarantine/Reject policy not enabled

Sat, 12/07/2019 - 02:06
adamjedgar

Hi jehy, I use my external registrar's free DNS hosting for all domains and email.

In my examples below, you should be able to substitute your Webmin host.domain.com and IP address and your client virtual server/domain.com, and it should also work for you.

Firstly, a caveat...

I always set up the very first virtual server on my Virtualmin system to be my business domain name, because that is the default website that Apache automatically displays in the event that a client DNS A record is pointed at my server but no website has actually been installed for it (i.e. a new client virtual server has not yet been created on my system for this client DNS A record). This is always good practice because it promotes your business... not one of your own client domains (should one of them be first in the list). You can of course change this in Virtualmin at any time.

Please note... before doing any of the following, and because you are trying to use SSL with "web1.adamshosting.com", this Webmin server must have its own Let's Encrypt SSL certificate in addition to the domains on it. Webmin has a guide on how to set this up, and some googling will find plenty of tutorials on how to do this.

OK, so once you have your Webmin VPS system "web1.adamshosting.com" using its own CA-issued SSL certificate... on to your problem.

Things to check in Virtualmin for each new virtual server (another name used by other control panels is "domains") that you create for each client website and email...

  1. Virtualmin > Edit Virtual Server > Enabled Features
  • make sure that "DNS domain enabled" is unchecked (this will tell Virtualmin not to host DNS for this domain)

  • "Apache website" (http://), and if you want https:// "Apache SSL website", are both checked

  • "Mail for domain" is checked

If you want to be able to log in to Webmin/Virtualmin as the server administrator for just this virtual server/domain, then also:

  • "Webmin login enabled" is checked

Now for DNS at your clients' registrars...

Let's pretend that the following are our setup details:

  • webhosting server (Webmin/Virtualmin) host FQDN is web1.adamshosting.com with "static" IP address 12.34.56.78

  • client's virtual server/domain is jacksmotorcycles.com

At your client's registrar, under free DNS hosting, add the following records (the minimum to get it working):

  1. jacksmotorcycles.com A record 12.34.56.78
  2. jacksmotorcycles.com MX record web1.adamshosting.com

That is all that is needed both for the website to resolve at http://jacksmotorcycles.com or https://jacksmotorcycles.com (https:// with an SSL warning because initially Virtualmin will automatically use a "self-signed SSL certificate") and for email to work (via Usermin login at https://jacksmotorcycles.com:20000).

Remember that in order to get into Usermin via port 20000, you need to go to your VPS provider's own network firewall and ensure that port TCP 20000 is open (remember Virtualmin requires TCP 10000 open... both of these can be customized in Virtualmin, but don't play with the defaults until you understand how to do this properly).

Once your server has its own SSL certificate from a licensed CA provider (such as Let's Encrypt), you can then set up client email apps to work through that via either STARTTLS or just SSL. To install a Let's Encrypt SSL certificate:

  1. Choose which virtual server you wish to add the Let's Encrypt certificate for.

  2. Virtualmin > Server Configuration > SSL Certificate > Let's Encrypt

  3. Fill in the domains associated with this virtual server (usually the Virtualmin defaults work).

  4. Click on "Request Certificate".

Copy these to Dovecot, Webmin etc. (but I do not copy to Postfix... that stuffs up the server's own Postfix SSL on my installation... I believe this is because Postfix cannot handle more than one SSL certificate per IP address, and all virtual servers are already using my server IP address... if you want to fix this, each virtual server needs to have its own IP address, then you can copy that particular virtual server's SSL certificate to Postfix).

Now for clients' desktop PC email apps (such as Thunderbird and Outlook), set incoming and outgoing mail servers as follows.

"STARTTLS":

  Incoming mail server: web1.adamshosting.com, SMTP port = 587
  Outgoing mail server: web1.adamshosting.com, IMAP port = 143

or just plain "SSL":

  Incoming mail server: web1.adamshosting.com, SMTP port = 465
  Outgoing mail server: web1.adamshosting.com, IMAP port = 993


I have found many mobile email client apps (particularly Outlook) to be extremely frustrating to get working with Virtualmin. I think it's just a matter of understanding exactly what settings get Outlook working. A couple of mobile apps that do work quite easily are (Android) Gmail and Samsung's default email app. I found both of these work quite well (particularly the Gmail one). For desktop PC, Thunderbird is the easiest to get working by far, although Microsoft Outlook (Office 365) is also quite good. Windows 10 Mail is a pain in the bum until you figure out how to get round all the automated stuff it tries to do (same with Apple Mail on the iMac... which is particularly quirky).

I can provide you with working examples for all of the above email apps if you have any problems.

To fix your _DMARC issue...

Google the following:

  1. reverse PTR (you need this set up at your VPS provider)

  2. SPF generator (mxtoolbox has one of these, but there are others)

  3. _DMARC generator (again mxtoolbox, but also others)

Add SPF and _dmarc records for each virtual server/domain on your Virtualmin system at their respective registrars' free DNS hosting, along with the A records and MX records.

Hope this helps... it's a crash course, but should be enough to get things working for you.

Please note, do not play with the default Virtualmin install. Keep everything as default as is possible, otherwise you will stuff your Virtualmin install very easily. "With great power comes great responsibility."

Kind regards, Adam

P.S. I would like to give a lot of credit to my own learning experience with this to Dibs on this forum. He spent quite a few hours on a TeamViewer session with me one weekend recently to help sort this for me (I just had great trouble visualizing how to make it work). Hopefully my examples above make it easy for you too.

Please ensure you first have Webmin SSL setup for (web1.adamshosting.com) before doing any of the above!

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Mon, 12/09/2019 - 22:28
jehy

@adamjedgar Thank you very much for this. It has been very helpful! I have managed to get all my DNS records figured out and SSL certificates for my domains. I even have email working except for one issue:

I can send and receive mail through the webmail interface, but I'm having trouble getting desktop email clients to work. I am able to connect and read mail with Windows 10 Mail, but I can't send mail. I can't connect at all with Outlook.

  • I'm using "name@domain.tld" usernames.
  • I copied my LetsEncrypt certificate to dovecot and postfix.
  • I'm trying to connect using port 465.

Could you help me? How do I approach debugging this?

Mon, 12/09/2019 - 22:46 (Reply to #3)
calport

Assuming you do not have a firewall blocking the port on the server, try port 587 instead of 465. Also, in Windows 10 Mail, check whether "Outgoing server requires authentication" is checked. This is accessed via Settings | Manage Accounts | Select Account | Options | Advanced | Incoming and outgoing server info.

Mon, 12/09/2019 - 23:32
jehy

@calport I got send and receive working now, thanks for pointing me to those settings :).

I am getting a warning though saying the certificate doesn't match the name I'm connecting to. Would this happen because I didn't register the certificate with imap/smtp subdomains?

Current SSL certificate details: "Other domain names": autoconfig.domain.tld, autodiscover.domain.tld, mail.domain.tld, www.domain.tld, domain.tld

Do I also need the following?: "Other domain names": imap.domain.tld, smtp.domain.tld

Tue, 12/10/2019 - 02:05
adamjedgar

I am not sure about registering imap.domain.com and smtp.domain.com... as these subdomains don't technically exist. Having said that, I have seen those records on cPanel servers, so I am not sure.

Also, I have found it's a bad idea to copy virtual server SSL certificates to Postfix unless the virtual servers have their own IP address (which would be different from the Webmin IP address).

The reason for this: Postfix cannot handle multiple SSL certificates on a single "shared IP address".

Doing this will almost certainly cause problems, because client email apps are looking for the "mail server" SSL certificate.

The mail server would be your Webmin system itself. If you copy an SSL certificate from a client's virtual server/domain to Postfix, you will overwrite your Webmin server's own SSL certificate for Postfix.

Then, when a client email app belonging to a different domain is looking for the Postfix SSL cert for webmin.fqdn, it instead gets the Postfix cert for a different domain (the client's virtual server). That will immediately cause an error in the client email app.

The above is my understanding... someone else may be able to correct my understanding if it's wrong.


Tue, 12/10/2019 - 10:09
Dibs

You want (ideally) to have a master domain for your VPS (Virtualmin): create a virtual server for it and enable mail, web (can just be a holding page) and SSL.

Generate an LE SSL cert for it, and copy that SSL cert to Postfix.

Let's say your master domain is masterdomain.com, so you will/should have mail.masterdomain.com in the cert.

You should add an SPF record to your "child" or "client" domains' DNS (assuming they are external) so that other mail servers realise/accept that mail.masterdomain.com is authorised to send mail on behalf of the child/client domains.

Tue, 12/10/2019 - 14:34
adamjedgar

Wouldn't that only be the case, Dibs, if the subdomain "mail" is the server hostname?

Example

Server host FQDN = mail.hostdomain.com

Otherwise, if the server hostname is "web1", then it would be

Server FQDN = web1.hostdomain.com

The MX record for all clients using your server's email capability would be

clientdomain.com MX web1.hostdomain.com

Wouldn't "mail" actually have to be the server's hostname to use it in a DNS MX record?

Examples

mail.godaddy.com

mail.microsoft.com

mail.adamshosting.com

Going to the command line and reading the /etc/hosts file for all of the above examples would show the server name "mail" in it.

For example, take a look at the Trend Micro MX record...

clientdomain.com MX Record in.hes.trendmicro.eu

This article has an example of DreamHost's client MX records:

https://help.dreamhost.com/hc/en-us/articles/215035818-Locating-your-Dre... (notice the full server name "vade-int1...")


Tue, 12/10/2019 - 21:49
Dibs

@Adam - thinking about it, if your subdomain or server name was mail, then YES, it would be the case. In the example you give about web1.hostdomain.com (that's the FQDN for your VPS and it has an A record), you could have

A mail.clientdomain.com 1.2.3.4

MX mail.clientdomain.com 10

mail.clientdomain.com will resolve, but you'd want to put in an SPF record for clientdomain.com referencing web1.hostdomain.com so that other MXs know that web1.hostdomain.com is authorised to send mail for clientdomain.com, if that makes sense?

In adding a virtual server for hostdomain.com (ensuring web1.hostdomain.com and maybe mail, www and the root domain are all in the SSL cert (LE)), you could just copy that cert to Postfix. To my mind Postfix (with only 1 IP) should really have the SSL cert associated with the FQDN of the master host (or VPS). Additional subdomains won't hurt, nor will having mail associated with it. Having mail might be necessary in the case of having to deal with removal from blacklists or similar.
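As an added example (not code from any poster in this thread), a small Python checker for the record layout the thread converges on: a client zone whose MX points at a host that resolves to the VPS, an SPF record that authorises that host, a DMARC policy of the kind mxtoolbox asks for, and the MX host name present in the certificate Postfix serves (the mismatch that produced the client warning above). The zone, VPS IP and SAN list are constructed sample data using the thread's example names; it also handles the `mail.clientdomain.com` MX variant from this post, flagging that name when it is absent from the Postfix cert.

```python
# Constructed sample records using the thread's example names (not a real zone): (owner, type) -> answers.
VPS_IP = "12.34.56.78"
ZONE = {
    ("jacksmotorcycles.com", "A"): [VPS_IP],
    ("jacksmotorcycles.com", "MX"): ["10 web1.adamshosting.com."],
    ("jacksmotorcycles.com", "TXT"): ["v=spf1 a:web1.adamshosting.com -all"],
    ("_dmarc.jacksmotorcycles.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@jacksmotorcycles.com"],
    ("web1.adamshosting.com", "A"): [VPS_IP],
}
POSTFIX_SANS = ["web1.adamshosting.com", "adamshosting.com"]  # SANs of the cert Postfix serves (constructed)

def lookup(zone, name, rtype):
    return zone.get((name.rstrip(".").lower(), rtype), [])

def spf_permits(domain, ip, zone):
    """True if the domain's single SPF record authorises `ip` through a passing mechanism."""
    spf = [t for t in lookup(zone, domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(spf) != 1:                 # none or duplicates: receivers treat both as broken
        return False
    for term in spf[0].split()[1:]:
        if term[0] in "-~?":          # fail/softfail/neutral never authorise a sender
            continue
        mech, _, arg = term.lstrip("+").partition(":")
        if mech == "ip4" and arg.split("/")[0] == ip:
            return True
        if mech == "a" and ip in lookup(zone, arg or domain, "A"):
            return True
        if mech == "mx" and any(ip in lookup(zone, r.split()[1], "A")
                                for r in lookup(zone, domain, "MX")):
            return True
    return False

def audit(domain, zone, sans, vps_ip):
    """Return the complaints mxtoolbox or a desktop mail client would raise for `domain`."""
    problems = []
    if not spf_permits(domain, vps_ip, zone):
        problems.append("SPF does not authorise the VPS to send")
    for rec in lookup(zone, domain, "MX"):
        mx_host = rec.split()[1].rstrip(".").lower()
        if vps_ip not in lookup(zone, mx_host, "A"):
            problems.append(f"MX host {mx_host} does not resolve to the VPS")
        if mx_host not in [s.lower() for s in sans]:    # the certificate-name warning
            problems.append(f"MX host {mx_host} is not a name in the Postfix certificate")
    tags = dict(kv.strip().split("=", 1) for t in lookup(zone, f"_dmarc.{domain}", "TXT")
                for kv in t.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        problems.append("No DMARC Record found")
    elif tags.get("p") not in ("quarantine", "reject"):
        problems.append("DMARC Quarantine/Reject policy not enabled")
    return problems
```

Running `audit("jacksmotorcycles.com", ZONE, POSTFIX_SANS, VPS_IP)` on the sample zone returns an empty list; swapping the MX to `mail.jacksmotorcycles.com` without adding that name to the Postfix cert reproduces the name-mismatch complaint.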

Thu, 12/12/2019 - 13:06
adamjedgar

Trend Micro, for example, require the user to add their mail server in the MX record itself.

MX in.hes.trendmicro.eu

This I think is what makes this so confusing. So the Virtualmin user is left wondering, after configuring DNS, what am I supposed to input for MX records... I think even the default Virtualmin "suggested DNS" uses mail.clientdomain.com. It's ridiculously confusing... the bewildered Virtualmin user is then left asking the question, so which is it? When the client email app on their desktop PC throws an error when MX server.hostdomain.com is added, they are even more confused. A choice between

MX mail.clientdomain.com or

MX server.hostdomain.com

and almost no idea which one of the above should be utilised.

Looking at the Trend Micro example, it appears it should be the latter? And yet, whenever one adds a new mail account to, say, a computer app such as Outlook, the program always defaults to mail.clientdomain.com (where clientdomain.com matches the user's email address).

The confused Virtualmin user then goes online looking for help and finds numerous tutorials where the server has a single domain on it... which is useless for a shared hosting environment... that only confuses things more. Virtualmin isn't for just a single domain... this is a webhosting control panel where most people host multiple domains. We don't bloody want tutorials reflecting a single user, domain and email where said domain is also the server... that is zero help!

This is as bad as all these webserver setup tutorials where the server IP address is given as 192.168.0.1. That is a local LAN default given by internet service providers for your desktop PC to interact with your internet modem. Why would one be told to use that same IP address for a webhosting server? How many people actually have static IP addresses at home to even run a webserver? Internet service providers intentionally limit upload bandwidth to discourage this. The tutorials should never do these dumbass things... it confuses the hell out of newbies and we end up with NAT being thrown into the mix... and the cascading nightmare begins.


Thu, 12/12/2019 - 15:00 (Reply to #10)
Dibs

It kind of makes sense that if you are using a hosted mail service like Trend (I am assuming it's the hosted version), your domain's MX is pointing to their (MX) server. I would expect an SPF record that says Trend is authorised to send emails for your domain too.

Tutorials - I can understand someone putting in 192.168.0.1 as an IP address, as they may well be doing the build on their LAN. I would hope it's clear in the tutorial that it's just an example etc. and needs to be replaced with whatever the person reading the tutorial is actually doing.

But therein lies a bit of a grey area. If I'm building a server that is public facing (directly) it will have a public IP, but if it's behind a firewall it may well be on a LAN and have a non-routable IP, and newbies may not understand the differences etc.

Most books - so why not tutorials - have a paragraph in the opening pages stating what the intended audience is (and their expected level of knowledge).
