This is actually a question for Virtualmin Pro and GPL.
I use our domain name, ew3d.com as the base domain for all of our Virtualmin installs. For instance, during installation I will create a hostname such as titan.ew3d.com.
I have been using the hostname to log in via https. Virtualmin no longer allows setting a hostname as a virtual server, an alias server nor a subserver. I will create another pseudo hostname, or not the real hostname to keep operating this way. In my private office, I like to keep tabs open for all the systems. The best reason is to see when there are updates. I also like it because I label my servers, if one acts up, I can immediately go there without any confusion about what virtual domain is on which server.
Question:
What is the best way to set up subdomains under the main ew3d.com domain? Recently I have been adding ew3d.com as a virtual server to all my systems. Then I edit the http.com file removing things like www.ew3d.com except for the server where it actually lives and adding other ServerAlias entries for what it needs. For instance, for a single system, I may need for a mailserver only, something like mail20.ew3d.com, mail21.ew3d.com and I will be adding something like suedohostname.ew3d.com.
I have needed to disable mail for ew3d.com so that system and other virtualhost emails come through to the right server.
Is this the best practice for this or should I be using the subdomain method to add these under the main ew3d.com virtualhost?
My method is only creating one set of LetsEncrypt certs. I fear that disabling email for ew3d.com may be causing some issues that I am not yet aware of. It looks like the subdomain method creates certs for each subdomain? Sorry, I haven't played with this new feature but one quick time. Most systems are still in a bit of a fragile state due to using hostname with LetsEncrypt.
As I remove hostname.ew3d.com from Virtualmin systems, what other services should I look at? SSH, ProFTP, Postfix, Dovecot? The original Virtual Host created emails normally list the hostname. Some of our clients are using that name for SFTP. How should I deal with these other situations? Perhaps I should create new hostnames for the systems and use the original hostname as the pseudo hostname. I try really hard not to rock the boat with our clients. They expect things to work. Little changes like this drive them nuts.
From the LetsEncrypt interface, I see I can choose a cert to be used for Postfix, Dovecot, etc. I then see a list of where it is used. When I see "Global" I am assuming that means for the entire system. Please let me know if this is correct vs. maybe global for just that domain and its subdomains.
I really would like to get this right. I know it seems elementary, but it is getting harder to follow what Virtualmin is doing behind the scenes.
Technically it does. However out of the box, a new feature has been implemented and turned on by default which creates a hidden domain based on the "hostname" of the server. The idea as I recall was to allow for the hostname of the server to get setup with SSL right away.
Personally, I'm on the fence about the idea, and typically turn off the feature, then go about setting up a Virtual Server with the hostname per the older way… But that's just my preference.
The feature in question is located at:
Simply toggle to "no" and save. Refresh the configuration:
Just to be sure everything takes, and you'll then be able to set up the ole school way.
That magic domain doesn't need to be the system hostname.
It can be a regular Virtualmin virtual server, and the system hostname can be anything else. That simplifies validating Let's Encrypt certs.
But, yeah, if you were happy with that way of doing things, just turn it off. I don't think Virtualmin actually stops you from doing it, it just tells you you're going to have problems (mostly with mail delivery).
That's what I'm worried about. I now must create a vhost for ew3d.com and then aliases for mail20.ew3d.com, etc. to use to connect securely to only dovecot and postfix. ew3d.com is not on this particular system. Outgoing email stops working as it is looking locally if I leave Enable Mail for this Domain turned on. So, client and system emails fail with no user or aliases found. That's no good. So yes, I am worried about mail20.ew3d.com as a ServerAlias and what may not function within email on the system.
Why mail20.ew3d.com? Apple jumped the gun taking away the "Skip" feature during domain verification. We had to buy a wildcard cert and put it into place for use across all mail systems. This happened before LetsEncrypt was available or not widely accepted. Tons of our users are still using those aliases. I don't want to break their email. Many can't even find the settings in their email programs to make the changes.
So, ServerAlias method or subserver method? If I do subservers will I be able to set enable email for domain without having email enabled for the main domain? I would test this myself but I'm a bit spooked. I just found on one system where a domain name disappeared and is showing only the ID but I can't get to any of that domain's settings. Yeah, that system has a bunch of virtualhosts like dev.somedomain.com or mautic.somedomain.com. It had the hostname set, that has also disappeared, but I can't say that I didn't delete that over the last several weeks. This has been a rough ride.
You don't technically have to port "ew3d.com", you could simply set up "mail20.ew3d.com", just make sure you set up the appropriate DNS record pointing to this server wherever "ew3d.com" zone is being hosted.
My DNS is great. I've been running my own nameservers since back in the 90's. Not that I haven't made some mistakes.
I did run into a fight with subdomains recently. When I tried to set up a virtualhost for domain.tld and then something like dev.domain.tld on the same system, things went wonky. Later I found some oddities in Dovecot's conf file. Oddly even after deleting the dev. vhost, the entries were still in dovecot and dovecot would not restart.
I assumed this was why hostname can't be a vhost anymore? Or one reason.
No, that just sounds like a bug or a misconfiguration somewhere.
Virtualmin should create and manage any domain just fine, even if it's a bad idea.
Delivery is the primary issue. If you try to deliver mail to a user named joe@virtualmin.com in a Virtualmin virtual server named virtualmin.com on a system with hostname virtualmin.com, Postfix will try to remap virtual mail address joe@virtualmin.com to actual user joe@virtualmin.com which doesn't make sense. Virtualmin manages virtual resources, it's right in the name. So, everything in Virtualmin should ideally be a virtual domain, and not the system hostname (there is the newish automatic host domain, which I hate, but Ilia insists is better for user experience, and I'll trust that it is for some users…it does address the problem of browser warnings on first visit to Virtualmin/Webmin after installation for some users, which can't easily be solved any other way…that is special and disables mail, to protect you from making mistakes).
We're just trying to make it harder to break the system. People still try really hard to break things, and sometimes they succeed.
I suspect my issue with trying to do a vhost was due to domain.com being on a system and then trying to add dev.domain.com to the same system. It sounds like this can be done now using the new sub-domain feature. I was trying to do this before that was added.
Dovecot creates entries for both domain.com and *.domain.com. Obviously *.domain.com would conflict with dev.domain.com and *.dev.domain.com. So domain.com should never be added to a system where dev.domain.com exists nor the other way around. Unless I'm all wet behind the ears.
I've been wondering if this may be the root reason why Virtualmin no longer allows by default and vhost for hostnames.
I think I need to build a new system to try to "break it". Something to play with so I don't break a live system.
"Sub-domains" (in the create virtual-server form) are not new, and they're terrible. We borrowed the idea from cPanel because people kept asking for it, but then we spent some time with it, and it was an awful idea. They are disabled by default, you won't even see them, unless you import a cPanel backup that includes subdomains. You should never use them for new sites, and I tend to recommend you stop using them in cPanel-derived sites, too (cPanel has removed the feature, because they also eventually realized it was stupid).
A subdomain (in the DNS and Virtualmin sense, when not using the wrong-header Sub-domain feature that comes from cPanel) is just a name. A virtual server named dev.domain.tld and one named domain.tld do not have to have any relationship in Virtualmin (except if you're hosting DNS locally, in which case, delegation will show up). You could make it a Sub-server (which is not the same as a Sub-domain, in the cPanel sense, it is a virtual server owned by another virtual server), but you do not have to.
Summary:
Never use sub-domains. The feature is hidden when you first install Virtualmin, for good reason. If you import a cPanel backup with subdomains in it, it'll turn the feature on, for the purpose of importing the abominations. That does not mean you should use subdomains in the future for new domains (you definitely should not). It is not an improvement, or a valuable addition. This place is not a place of honor… no highly esteemed deed is commemorated here… nothing valued is here.
If you want a virtual server to be owned by the same user as another, no matter what the name is, make it a sub-server (could be a subdomain name of the parent virtual server, could be a wholly unrelated domain name, could even be a lower level…i.e. domain.tld could be a sub-server of sub.domain.tld, but that would have tricky delegation consequences if you host DNS locally, so probably don't do that, unless you host DNS externally and know what you're doing). Sub-server is about ownership, not names.
If you're the only admin, just make everything its own virtual server, regardless of name. Names don't matter. Nothing is special about sub.domain.tld vs. domain.tld to Virtualmin.
Everything works if you let it, don't go out of your way to make dependencies where there don't have to be dependencies. And, don't ever think subdomains (in Virtualmin or cPanel) are good or easy or make sense from a technical or security perspective, because they do not.
My apologies. I used sub-domain, most likely throughout this thread, when I meant to say sub-server. Am I correct in finding it as a fairly new feature in Virtualmin?
I've never used sub-domains. I have used aliased domains… aliases directed to virtualmin domain. Extremely useful I suppose only for multiple domain names or that's all I have ever used it for.
Ok, for hostname you could use any random (but non-reserved) name as subdomain - such as randomone.ew3d.com. You could then create a virtual server for ew3d.com and freely create as many subdomains on as many virtual servers as you like. I feel this would be the best way.
For example, I have a white label domain Indiax.com. I use vps01.indiax.com as hostname for one server, vps02.indiax.com as hostname for another server and so on and so forth. This does not prevent me from showing a website on www.indiax.com or, say, qr.indiax.com or running a SaaS on crm.indiax.com (under which can be created potentially unlimited subdomains under the subdomain crm.indiax.com). I mention real examples of domain names in order to enable you and others to use DNS lookup tools on the domains that I have mentioned to see how they have been configured. It is possible to plan a deep and potentially unlimited hierarchy of subdomains under a single domain which spans multiple servers.
Nope, Sub-servers have existed pretty much from the beginning, coming up on a couple decades.
But, to repeat myself (since it does confuse a lot of people): You do not need to use a Sub-server for a subdomain name. Sub-servers are only about ownership and have nothing to do with names. If you want multiple websites on multiple domains to be owned by the same user, you can make one Virtual Server and several Sub-servers under that Virtual Server (the parent). They can be any name. Virtualmin does not care about names. (Again, there are delegation implications of subdomain names in DNS, but Virtualmin is configurable in how it works with those…a Sub-server that happens to be a subdomain name of the parent can either be added to the same zone or delegated to a new zone. That's DNS management stuff, which is off-topic for this thread, I just want to mention it.)
Similarly, if you are the only administrator on the server, or everyone involved is trusted with admin for all sites, the simplest (and usually best) option is to make everything its own Virtual Server. Once again, completely unrelated to what name it has. Virtualmin continues to not care about names (and I have to once again mention the zones and delegation caveat in DNS, because for names, there is a relationship between domain.tld and sub.domain.tld even if it's just delegation with another zone).
OK, so in summary, it sounds like I should be creating Virtual Servers for subdomains unless the main domain is on that system.
So, if domain.tld is on the system, subdomain1.domain.tld cannot be a Virtual Server on that system. However, subdomain1.domain.tld and subdomain2.domain.tld can both be set up as separate Virtual Servers as long as domain.tld is not a Virtual Server on that system.
I suppose it could be done by manually editing dovecot and postfix ssl paths in confs, but invites breakage in Dovecot and Postfix as those edited entries don't get removed when the Virtual Host is deleted, or at least in Dovecot. It will not restart when the cert files are deleted. *.domain.tld conflicts with *.subdomain1.domain.tld.
You can create a Virtual Server even in that case. There is no reason to create a sub-server related to names.
Sub-servers are about ownership, not about names. If you're the only admin, or all admins should have admin access to all domains, you can just create Virtual Servers.
In this case, I was not talking about using sub-servers, but truly a sub-domain.
On one system, if I create a Virtual Server for domain.tld and then another Virtual Server using a subdomain, such as sub1.domain.tld, what about the conflict with the entries put into Dovecot?
For instance, *.domain.tld can conflict with *.sub1.domain.tld because *.domain.tld could also be picking up sub1.domain.tld. This is where I have had problems.
A sub-domain name or a Sub-domain in the "Create Virtual Server" page? (The cPanel style "Sub-domain" website feature.)
You said earlier you were not using the Sub-domain feature (and you should not, you never should under any circumstance, if you can avoid it…they should only be used for sites migrated from cPanel that were using the cPanel Sub-domains feature).
What conflict? There shouldn't be a problem with that.
You're right, that is off-topic. Make a new one.
It sounded like you were saying I should simply create a Virtual Server for sub1.ew3d.com. However, if ew3d.com exists on that system, and if both the main domain and the sub domain need email and ssl, Virtualmin adds entries for both as expected. Example from dovecot:
I assume * is implied in sni_map, since other subdomains such as mail.ew3d.com operate properly from this mapping.
What prevents .ew3d.com from answering for nextcloud.ew3d.com other than perhaps the order of the entry? It seems that Virtualmin always adds to the end as new Virtual Servers are created. In my examples, if the order is important, all should work since nextcloud.ew3d.com is listed before ew3d.com. Like apache entries. The default domain is first in the list.