Setup Email Server From Scratch On FreeBSD #2 - 09 Create Virtual Domains

07 RoundCube WebMail <- Intro -> 10 Blocking Spam With Postfix

We believe in data independence, and support others who want data independence.
This tutorial is complete 2025-08-14 except there is no page for setting up postscreen.
This is version 2 and everthing works.

#################################
# How to Create Virtual Domains #
#################################

This page of the "FreeBSD Email From Scratch" tutorial assumes successful setup of the following ...

1. FreeBSD Server
2. FAMP - FreeBSD Apache MySQL/MariaDB PHP
3. Postfix - smtp server
4. Dovecot - imap server
5. PostfixAdmin - Postfix Web Administration
6. SPF DMARC and DKIM - email authentication and spam filters
7. Roundcube - Webmail

Setup DNS for New Domain(s) in NameCheap, we'll use the name okfig.com in this example. Change your IPv4 IPV4 and domain name as appropriate. Example DNS for coragarden.com.

A @ 147.135.37.135
AAAA @ 2604:2dc0:200:187::1
A imap 147.135.37.135
AAAA imap 2604:2dc0:200:187::1
A mail 147.135.37.135
AAAA mail 2604:2dc0:200:187::1
A smtp 147.135.37.135
AAAA smtp 2604:2dc0:200:187::1
CNAME autoconfig mail.coragarden.com
CNAME autodiscover mail.coragarden.com
CNAME www okfig.com
TXT @ v=spf1 ip4:147.135.37.135 ip6:2604:2dc0:200:187::1/64 mx ~all
TXT _dmarc v=DMARC1; p=quarantine; rua=mailto:postmaster@coragarden.com; ruf=mailto:postmaster@coragarden.com; sp=quarantine

Type Service Protocol Priority Weight Port Target
SRV _autodiscover _tcp 5 0 443 mail.coragarden.com

In Custom MX Records
MX @ smtp.coragarden.com 0
MX @ mail.coragarden.com 10

If one administrator handles all the dmarc reports it is easier to just use one address for all the domains managed. But if you use an email address outside of the virtual domain for sending dmarc reports modify the DNS of the target domain. Example postmaster@okbsd.com recieves dmarc reports from coragarden.com so the TXT _dmarc.coragarden.com uses rua=mailto:postmaster@okbsd.com; ruf=mailto:postmaster@okbsd.com.

Add the following to okbsd.com DNS to allow dmarc reports from coragarden.com.

TXT okfig.com._report._dmarc v=DMARC1;


Add these to the hosts file
nano /etc/hosts

Setup DKIM Records For New Domain

mkdir /usr/local/etc/mail/keys/coragarden.com

opendkim-genkey -b 2048 -d coragarden.com -D /usr/local/etc/mail/keys/coragarden.com -s 20250808 -v

Set permissions, if not set opendkim will report key not secure.

chown -R opendkim:opendkim /usr/local/etc/mail/keys
find /usr/local/etc/mail/keys -type d -exec chmod 500 {} \;
find /usr/local/etc/mail/keys -type f -exec chmod 400 {} \;

Create the TXT record in DNS for coragarden.com.

cat /usr/local/etc/mail/keys/coragarden.com/20250808.txt
20250808._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIj ... 5V/XUwIDAQAB" ) ; ----- DKIM key 20250808 for coragarden.com

Copy the keys to your name server record and remember to remove the extra quotes and spaces ..." "... in 2 sections of the DKIM line or paste 3 parts between the quotes together.

TXT 20250808._domainkey v=DKIM1; k=rsa; p=MIIBIj ... /XUIDAQAB

Check the record with google name server.

nslookup -type=txt 20250808._domainkey.coragarden.com 8.8.8.8

If you're using bind locally you may need to reload the server.

service named restart

Check if the record is available locally. The output will contain quotes and space but that doesn't mean the entry is wrong, check with mxtoolbox.com.

nslookup -type=txt 20250808._domainkey.coragarden.com
20250808._domainkey.coragarden.com text = "v=DKIM1; k=rsa;p=MIIBIj ... 5V/XUwIDAQAB"

Add the new entries to the opendkim keytable, signingtable, and trustedhosts files.

cat /usr/local/etc/mail/keys/coragarden.com/*.txt >> /usr/local/etc/mail/keytable

nano /usr/local/etc/mail/keytable

nano /usr/local/etc/mail/signingtable

nano /usr/local/etc/mail/trustedhosts

service milter-opendkim restart

By the time this is created the DNS has hopefully propagated and can be tested, test the key. Without -x /usr/local/etc/mail/opendkim.conf opendkim-testkey will report key not secure. If not secure it's not a big issue, but check DNSSEC is enabled with your DNS provider, file permissions in the mail/keys directory, and TrustAnchorFile in mail/opendkim.conf

Update your root.key if needed.

unbound-anchor

Check TrustAnchorFile

nano /usr/local/etc/mail/opendkim.conf

Test the new DKIM key.

opendkim-testkey -d coragarden.com -s 20250808 -vvv -x /usr/local/etc/mail/opendkim.conf
opendkim-testkey: checking key '20250808._domainkey.coragarden.com'
opendkim-testkey: key secure
opendkim-testkey: key OK

Setup Domain in PostfixAdmin. Choose if you want to setup the default aliases. It may be easier to choose No, uncheck the box, and create a postmaster account and a catchall alias that points to postmaster. Alternatively, make a forward or alias for postmaster to another account. Adding abuse@, hostmaster@ and webmaster@ adds complexity and will increase time spent on maintenance (with many domains alias lists will be longer).

Domain List -> New Domain
Domain: coragarden.com
Description: Dry Land Corn
Pass expires : 3650
Add Domain

Virtual List - Add Mailbox
postmaster@coragarden.com
jack@coragarden.com

Virtual List - Add Alias (Catchall)
*@coragarden.com postmaster@coragarden.com


Virtual List - A real postmaster@domain.tld is recommended by RFC and real time blacklist ,RBL services, require mail from postmaster@domain.tld to request blacklist removal.

mkdir -p /usr/local/www/coragarden/html
mkdir -p /usr/local/www/coragarden/mail
echo '<?php print "<!DOCTYPE html lang=\"en\"><html><head><title>Title</title></head><body><h1>Hello World!</h1></body></html>"; ?>' > /usr/local/www/coragarden/html/index.php

chown -R root:www /usr/local/www/coragarden
find /usr/local/www/coragarden -type d -exec chmod 750 {} \;
find /usr/local/www/coragarden -type f -exec chmod 640 {} \;

nano /usr/local/etc/apache24/Includes/coragarden.conf

nano /usr/local/etc/apache24/Includes/mail.coragarden.conf

Certbot needs the virtual host enabled so restart apache. Do you know apache was first created by patching httpd, so was named after 'a-patch-y'.

apachectl configtest
apachectl restart

Test that the non-ssl website works.

http://coragarden.com
http://mail.coragarden.com

Create certificates with certbot.

certbot certonly --apache --agree-tos --redirect --hsts --staple-ocsp --email postmaster@okbsd.com --cert-name coragarden.com -d coragarden.com,www.coragarden.com

Create a certificate for mail services, and mail. web services.
certbot certonly --apache --agree-tos --redirect --hsts --staple-ocsp --email postmaster@okbsd.com --cert-name mail.coragarden.com -d mail.coragarden.com,smtp.coragarden.com,imap.coragarden.com

Secure private key certificate files.

chown -R root:www /usr/local/etc/letsencrypt/live
find /usr/local/etc/letsencrypt/live -type d -exec chmod 755 {} \;
find /usr/local/etc/letsencrypt/live -type f -exec chmod 644 {} \;

chown -R root:www /usr/local/etc/letsencrypt/archive
find /usr/local/etc/letsencrypt/archive -type d -exec chmod 755 {} \;
find /usr/local/etc/letsencrypt/archive -type f -exec chmod 644 {} \;
chmod o-rwx /usr/local/etc/letsencrypt/archive/*/privkey*.pem

Create ssl configurations for new virtual hosts.

nano /usr/local/etc/apache24/Includes/ssl-coragarden.conf

nano /usr/local/etc/apache24/Includes/ssl-mail.coragarden.conf

To allow customer/admin's to add and remove mail accounts, assign them as regular admin's with the domains they are to manage. These regular domain admins can only manage those domains and users they have been assigned. And only the assigned domains show up in postfixadmin.

If not assigning customer/admin's to add and remove mail accounts, the postfixadmin section can be removed from the virtual domain. Use one main host for postfixadmin.

Configure certificates in Postfix and Dovecot

nano /usr/local/etc/postfix/sni_maps

postmap -F /usr/local/etc/postfix/sni_maps

nano /usr/local/etc/dovecot/conf.d/10-ssl.conf

service postfix restart
service dovecot restart

Install and edit the Autoconfig and Autodiscover.

cd /tmp
git clone https://github.com/smartlyway/email-autoconfig-php
mkdir -p /usr/local/www/coragarden/mail
cp /tmp/email-autoconfig-php/mail/config-v1.1.xml /usr/local/www/coragarden/mail
cp -r /tmp/email-autoconfig-php/Autodiscover/Autodiscover.xml /usr/local/www/coragarden/mail

Edit these files and change to suit your needs, this is tested and works with Thunderbird. Make sure change the SMTP settings to 587 with STARTTLS in config-v1.1.xml.

nano /usr/local/www/coragarden/mail/config-v1.1.xml

Do the same for Outlook clients.

nano /usr/local/www/coragarden/mail/Autodiscover.xml/index.php

You will need to add a SV records for Autodiscover

Type Service Protocol Priority Weight Port Target
SRV Record _autodiscover _tcp 5 0 443 mail.coragarden.com

Autoconfig needs the path http://autoconfig.okdeb.com/mail/config-v1.1.xml

Restart apache

apachectl configtest
apachectl restart

Test

https://mail.coragarden.com

Test valid xml for autoconfig.

https://mail.coragarden.com/mail/config-v1.1.xml

Test valid xml for autodiscover.

https://mail.coragarden.com/Autodiscover/Autodiscover.xml

Go to the main domain PostfixAdmin login page or the customer admin login page.

https://mail.okbsd.com/admin-login/
https://mail.coragarden.com/admin-login/

Domain List -> Add Domain

Domain: coragarden.com
Description: Cora's Fantastic Garden
Aliases: 0
Mailboxes: 0
Active: x
Add default mail aliaes: UNCHECK THE BOX
Pass expires: 3650

RFC requires that the domain has a postmaster account, and it's a good idea to set a catch all to alias unknown accounts and send to postmaster.

Virtual List -> Add Mailbox

Add Mail Account postmaster@coragarden.com
Username: postmaster
Domain: coragarden.com
Password: ****
Password: ****
Name: Cora Garden Postmaster
Quota: 0
Active: x
Pass expires : 3650
Send Welcome email: no
Add Mailbox

Virtual List -> Add Alias

Alias: *
Domain: coragarden.com
To: postmaster@coragarden.com

Virtual List -> Add Mailbox
Add Mail Account jack@coragarden.com
Username: jack
Domain: coragarden.com
Password: ****
Password: ****
Name: Jack Pumpkin
Quota: 0
Active: x
Send Welcome email: no
Add Mailbox

Add jack@coragarden.com to Thunderbird and test send and recieve to the account.

Login to roundcube to test the new virtual domain, send and recieve to make sure DKIM, DMARC, and SPF are working.

https://mail.coragarden.com
Login: jack@coragarden.com
Password: ***********

If the email was sent and recieved but DKIM signature is missing, check that the new domain was added to /usr/local/etc/mail/signingtable and restart milter-opendkim.

nano /usr/local/etc/mail/signingtable

service milter-opendkim restart

Check the source and the headers now have DKIM signature something like ...

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=coragarden.com;
s=Cy9jmkzC2USPfcJ4JIuzA07rpB0gS; t=1747783045;
bh=wiMQ3UTGd/zMN6+PeBSiAAUHXfKRtjj7J2UI7ZvJA+A=;
h=Date:From:To:Subject:From;
b=bkk87+VHY7HvSb1b9mq0b9bLc0XBMOzf6CnBMLcoLMAZ0yN1nDyrILNj9RiYUCJsq
hC6QsHu9S4t9Y8q85AoszhY78ddzfU8SLcg/IlTmWuiNWisrkKjAZ9ftPEtxVxkYKZ
VnpSveCK4O5Gw==

Change password worked, but setting identity had an error in roundcube. Fix as follows.

pkg install gnupg
pear install Crypt_GPG

cd /var/www/roundcube/plugins/enigma
cp config.inc.php.dist config.inc.php
$config['enigma_pgp_homedir'] = "/var/www/roundcube/plugins/enigma/home";
mkdir /var/www/roundcube/plugins/enigma/home
chown www:www /var/www/roundcube/plugins/enigma/home
chmod 750 /var/www/roundcube/plugins/enigma/home

Test that everything works with Thunderbird

Test Roundcube, identities, sending mail, recieving mail, filters, changing password, and calendar.
Login with the new account jack@coragarden.com

https://mail.coragarden.com

######################
# Next Blocking Spam #
######################

07 RoundCube WebMail <- Intro -> 10 Blocking Spam With Postfix