Build of New Host

Following on from my posts -

I deployed an Ubuntu 18.04 VPS and locked it down (SSH, non-root user, created private/public keys, etc.)

I actually installed iptables (and persistent) and closed everything down except 22. I also installed Fail2Ban - the sshd is active by default.

I installed Virtualmin GPL as per the instructions in the docs - and more or less clicked Next, Next, etc. and it finished without errors.

Paying attention - I realised it installed (again) Fail2Ban and FirewallD. I’m an iptables person, so it took a bit of time realising what had happened. I uninstalled FirewallD manually. Now I just have iptables and a warning saying it thinks I’m using FirewallD - I just ignore that for now.

Then came the Postfix hardening - I just looked at the config of the existing host and copied all the “restriction” entries.

I created a new Virtual Server - a new domain. I had already created the DNS entries at the 3rd party control panel the evening before.

SSL - cert worked fine for the new domain/Virtual Server.

I also created the Virtual Server for the hosting/main domain. Its SSL was only for the host - the existing host has the “fuller” cert. Copied the cert to Postfix.

I ran the install script for Roundcube - no issues. Going to https://, the login appeared. Having created a new email user, I tried to log in. No luck - I’ll post up another thread for help with that.

Using Virtualmin/Webmin I sent an email to and from a test account on the new host to an account on the existing host - outbound worked fine. Inbound wouldn’t.

At this point I removed the Recipient Restrictions and inbound worked. Looking closely at the Recipient Restrictions - I recognised all of them except an spf-policy one.

A quick Google showed it related to “postfix-policyd-spf-python”. A quick check on the existing host showed the package to be installed, but not on the new one. One apt-get install later it was installed on the new host.

Putting the Recipient Restrictions back - inbound emails worked.

One slight quirk - on the existing host the inbound email headers showed

Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=; helo=host2.myDomain2;;

Whilst inbound new emails to host2 showed

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=;;; receiver=

This stumped me. A quick Google showed that I needed to add the following line

Hide_Receiver = No

Once added - receiver= was no longer UNKNOWN. I still haven’t got to the bottom of why Host 1 says

Received-SPF: Pass (sender SPF authorized)

and Host2 (new one) says

Received-SPF: Pass (mailfrom)

On the list of things to do.

DKIM - I had to enable DNS for the new Virtual Server (the one with a new domain). Went to Email Settings >> Domain Identified Keys and hit the install button. In the hosts field I put in, put in a selector/descriptor for the key and clicked save.

Went back in the form and copied the key. I removed the "'s and spaces and as per suggestion from @calport I put it in the DNS 3rd party control panel as

v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5iUXsdYFAKne/qncNIGPOWJmApXZr+tmf4sEIudFl4hpY0KWLUQLZ7IqyB1dH6Mb60we3y1TkoOksXbOtBLIrfjp5DFI2KzvaQOGkTxMOSPF4J7gq98BmgdeActNli64WMZ0aOxXdePsslo6lmkenj+6Lz70QuUk0J/O7qZp4fWVpu560NkJ2AYvAGvRAVkdknm4ZdE8OukLH3K3lM+EnVv/o7Y5YgU1+40KfV2Z8rauVHpONJcNciw9YwLZhKLTefGUVj1F7IN5LvZNbZKz7zZitDGesVYDIbr4D20j6MGj+sGXBVOZQ8YBOOZSZnGKL5oFOKCAmbu9xln3jpj9+QIDAQAB

[That’s not my key.]

I wasted about an hour messing about using DKIM key checking websites - they all said the key was invalid. Generated a new one - not really needed - and copying it from the form, I realised I hadn’t copied the previous key fully.

Once entered into the DNS panel - the “correct” key checked out fine.
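As an added example (not from the original post), a small Python check for the DKIM record problem above: it parses the v=/k=/p= tags of a TXT record and verifies that the base64 p= value decodes to a complete DER SubjectPublicKeyInfo, so a partially copied key is flagged before it goes into the DNS panel. The key material is constructed (a zero-padded 2048-bit RSA header, not a real key).

```python
import base64
import binascii
import re

# Constructed sample: the DER header every 2048-bit RSA SubjectPublicKeyInfo
# starts with, zero-padded to its declared 294 bytes (not a real key).
_SPKI_2048_PREFIX = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00")
FULL_KEY_B64 = base64.b64encode(_SPKI_2048_PREFIX.ljust(294, b"\x00")).decode()


def parse_dkim_record(txt: str) -> dict:
    """Split a DKIM TXT record into tags, dropping the quotes and whitespace
    that DNS panels insert when they chunk a long TXT string."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = re.sub(r'[\s"]', "", value)
    return tags


def check_dkim_record(txt: str) -> str:
    """Return 'ok', or the reason a DKIM checker would reject the record."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return "unsupported v= or k= tag"
    p = tags.get("p")
    if p is None:
        return "missing p= tag"
    if p == "":
        return "key revoked (empty p=)"
    try:
        der = base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return "p= is not valid base64 (truncated or stray characters)"
    # The key is a DER SEQUENCE: tag 0x30, then a short (<0x80) or long-form
    # (0x81/0x82 + n bytes) length. A partial paste leaves fewer bytes than declared.
    if len(der) < 2 or der[0] != 0x30:
        return "p= does not decode to a DER SEQUENCE"
    if der[1] < 0x80:
        declared, header = der[1], 2
    elif der[1] in (0x81, 0x82):
        n = der[1] - 0x80
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:
        return "unexpected DER length encoding"
    if len(der) != header + declared:
        return f"key is incomplete: declared {header + declared} bytes, got {len(der)}"
    return "ok"
```

Run `check_dkim_record(...)` on the exact string you are about to paste into the DNS panel; a result other than `ok` explains what the online checkers were complaining about.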

Then sending test emails to kept saying outbound emails from host2 (new one) were not being signed with DKIM. Googling and checking the forums - there were a few suggestions:

I set Postfix to use Domain name for outbound emails, and changed

Socket local:/var/run/opendkim/opendkim.sock

to

Socket inet:8891@localhost

That still didn’t cure it. So checking to see if anything was listening on 8891 - a quick netstat command and I realised nothing was listening on 8891.

So a quick

service opendkim restart

and a netstat command showed opendkim was listening on 8891. I sent another test email to and it showed outbound emails were being signed with DKIM.

I have DMARC yet to set up and test and the Roundcube issue to deal with. Then I’ll be ready to start moving stuff across. Also check the same number of Fail2Ban jails are on both hosts (more a sanity check than anything else, and that they are set up the same).

Apologies for the long post - might be of use/interest to someone. LOL


