Suggestion to have option to set Cloudflare ports for Webmin and Usermin during automated install script

I just wanted to suggest a future feature for the automated install script to let the user choose to switch Webmin 10000 port and usermin 20000 port so that they can use Cloudflare as their DNS on install. Currently you just change the ports in /etc/webmin/miniserv.conf and /etc/usermin/miniserv.conf to one of the SSL ports Cloudflare provides. And restart webmin. I chose 2083 for Webmin and 2096 for Usermin (webmail) since I read those line up with what cPanel uses. I’m reading the reason Cloudflare has these ports open is for cPanel evidently: I guess 2087 would line up with Webmin/Virtualmin also.

  • Port 2083: Often used by cPanel for secure connections to the cPanel interface.
  • Port 2087: Often used by cPanel for secure connections to the WHM (Web Host Manager) interface.
  • Port 2096: Often used by cPanel for secure webmail access.

But those ports are not as easy to remember as 10000 and 20000. So I thought maybe add a redirect like the does on the virtual server websites. or maybe?

Just wanted to make the suggestion since it took a little digging to configure it for Cloudflare.

OS type and version Debian 12
Webmin version 2.111
Virtualmin version 7.10.0
Related packages SUGGESTED
1 Like

This is a very bad idea in my opinion and here’s why…

What ever you choose to be your hostname will become your postfix email server. This HOSTNAME under any circumstances CAN NOT BE PROXIED. Anything mail server related for that matter can’t be proxied.

What you can do after install is create a domain name of your choice to proxie into Webmin/Virtualmin

There is way to many problems on this board already cloudflare related because people are setting their server hostname and email servers on proxie.

I just turn the proxy off at Cloudflare for the FQDN records ( records). I’m not actually wanting to use the mail services anyway. Since I don’t think they are worth the configuration hassle and the spam filters aren’t that great in my experience either. I’d rather just use Gmail. But if you want to use the Dovecot and Postfix you can turn off the proxy for the mail servers and name servers at Cloudflare. I still run Postfix just so I can have the setup emails sent to the webmail at usermin. I have it setup and it works fine. I don’t use the Virtualmin Pro version but I know they offer a Cloudflare script if you use the paid version. I haven’t used it but I would think it needs to change the ports to work. I think the advantage of that one is that it sets up the records and maybe even the domain account at Cloudflare for you. But to do it manually you can change the ports in the Webmin and Usermin config files.

That’s not how it works. Your system hostname does not matter. It doesn’t matter to Webmin/Virtualmin, it does not matter to Postfix, but that’s not what OP is suggesting, anyway. OPs suggestion has nothing to do with Postfix or with the system hostname. It’s just about what port Webmin (and Usermin) listens on, which has nothing to do with anything other than what port Webmin listens on.

The problem with Postfix and system hostname is when you try to virtually host mail for a name that is the system hostname you’re telling Postfix to accept mail for, e.g. via the virtual map, and then rewrite that mail to be for, which doesn’t make sense (it was already for, you don’t need a virtual map for the system itself, but Virtualmin only manages virtual mail), but lots of people try to do it. But, again, not at all related to OPs request. It just means name your system anything other than the names you host in Virtualmin. I might name my system and then host virtually, managed in Virtualmin. That’s it. Use any other FQDN.

So, in short: Stop making system hostname mean anything. It doesn’t mean anything. It will be the default HELO/EHLO name Postfix uses (that’s also configurable without changing hostname, but it doesn’t matter), and it will be a value contained in mydestination and myhostname will be the system hostname. That’s all it is. The problem only comes when you try to make a Virtualmin domain that is identical to the system hostname.

I feel like I’m explaining this every day, and I don’t know how to make it clearer, and I feel like we get weirder and weirder theories for why hostname is important (it’s only important that you not make it match a Virtualmin-hosted domain if you don’t really know what you’re doing and understand why I tell people not to do it). Sorry if it seems like I’m picking on you cyrberndt, you’re nowhere near alone in ascribing meaning to the system hostname that it doesn’t have or assuming the advice about mail means something other than just advice about naming.

All that said, I also think folks should understand Cloudflare before they start using it. There are infinite ways to make things work with Cloudflare, but if changing the port is the simplest for folks, go for it. I don’t care what ports you run Webmin on, and Postfix/mail certainly doesn’t care. I recommend you also have a name you can reach your server on that has nothing to do with Cloudflare, because you do not want to be stuck on the wrong sided of Cloudflare if something goes weird on your system.

1 Like

Yeah I don’t use the default domain for a separate website in virtualmin. It’s just for access to the webmin and virtualmin adminstation pages. For DNS records at Cloudflare (or other DNS hosts) you only need 3. (Or 2 if you don’t have ipv6 enabled).
A host [ipv4 address]
AAAA host [ipv6 address]
CAA 0 issuewild

So the only domain that will work is . But you can’t access or if you use Cloudflare DNS. You have to change the ports to one of the ones that Cloudflare support for SSL or it won’t connect. 2083, 2087, 2096, etc. Might be more advanced methods I don’t know about. But that’s the simple way I did it. And when I changed the ports in the Webmin configuration file /etc/webmin/miniserv.conf and the Usermin configuraiton file /etc/usermin/miniserv.conf on Debian 12. The whole system picked up on the change including the email files that get sent to the user when the server is setup. There is an environment variable for the port.

Ah, I guess I should point out you can change this in the GUI, you don’t need to edit files. (And maybe that’s what you’re asking for, in which case you already have it.)

For Webmin:

Webmin->Webmin Configuration->Ports and Addresses

For Usermin:

Webmin->Usermin Configuration->Ports and Addresses

RIght. Yeah I did see that eventually. :slight_smile: That’s probably the easiest way.

If you go into /var/lib/bind/ you can see the dns records that Virtualmin sets up for Bind. The one for the default domain will look like this: and your virtual server domains will look like this:,, etc. If you look in the file that’s how you can know what virtualmin wants for dns records for the default domain.

There is also a secret menu I found on how to see the DNS records of the default domain inside Virtualmin. Go to Virtualmin, System Settings, Account Plans, Click on “Default Plan” . Then Click “Save” or “Save and Apply”. Now look at the drop-down menu. You will see an option to select your default domain. Select that. You now have more options in the menu for the default domain. Go to DNS Settings, DNS Records to see the DNS records for the default domain.

I hate that somehow the hostname of the system is being called “default domain” (again). I’m going to talk to somebody about that (I don’t know who, Ilia won’t listen, he keeps adding this feature back in and calling it “default domain”…I’m gonna have to resort to begging or threats or something to get some kind of sanity here). The system hostname is not the “default domain”, it’s just the system hostname. You never have to use it for anything once you have a Virtualmin domain setup. You never even have to know it exists. It’s there for that first interaction before you’ve created any domains so that we can try to get a TLS cert from Let’s Encrypt so you won’t get a browser warning when you login for the first time. That’s all it’s for. It isn’t default, it isn’t important.

And, I would encourage you to forget it even exists. Just use any name you host in Virtualmin to login to Webmin.

1 Like

Now what I’m wondering is if I were to setup the DNS records at Cloudflare before installing Virtualmin with the automated install script. Would the default domain still resolve and generate the Let’s Encrypt SSL certificates? would still resolve right? So I would just need to change the 10000 and 20000 ports in the webmin and usermin config files to 2083 and 2096 in order to perform the post installation I think. And restart webmin. (systemctl restart webmin) Or does the post installation need to happen first?

If you are serving the system hostname through Cloudflare, you cannot get a Let’s Encrypt certificate for it, as far as I know.

But, why on earth would you serve your system hostname through Cloudflare? You aren’t putting websites on that hostname, I hope? The system hostname shouldn’t be anything. It should be some name you don’t use for websites, email, etc. It’s just a name to uniquely identify the system.

You can change the port before post-install wizard.

I’m just putting it on Cloudflare so it’s faster to setup using a shell script and their API. And just so the records are in the same place as the other domains. Not sure if there is any advantage being at Cloudflare since I’m not using their proxy for the hostname. I would still be using the Let’s Encrypt certificate that Virtualmin generates during post installation. It does it when it asks for the hostname or fqdn step during post install. But it has to resolve to generate the Let’s Encrypt SSL Otherwise it generates a self-signed certificate. But to get to the virtualmin post installation I think I’d have to change the ports. I’m setting up shell scripts to make my setup faster if I ever have to do it again. And create less steps. So I’m wondering if I could just skip the registrar dns record step and go straight to Cloudflare. And part of the reason I want to skip the registrar step is to avoid having any dns records setup at the registrar. If you switch back to using the registrar. You have to delete the records at the registrar that were imported into Cloudflare first. Or it won’t let you change or delete them. So if I skip the whole step I don’t have to worry about that issue. My process is going to be delete all dns records at the registrar. Then transfer the domain to Cloudflare and setup the records at Cloudflare using their API and shell script. And then create the websites Virtualmin. But for the hostname of the install script to work that way I would need to change the ports.

Just using Cloudflare for DNS is not what I meant by “through Cloudflare”, assuming that DNS record is pointing directly at your server IP instead of at the Cloudflare proxy IP.

Right I’m just pointing it at the server. Not using their proxy with the default domain. So I think the steps should work assuming I can set the Cloudflare ports right before the post installation step.

@Joe, in fact, I really don’t mind changing it. I don’t particularly like the name “host default domain” myself, but I couldn’t think of a better option at a time.

What about instead of calling it “Create host default domain with Let’s Encrypt certificate?”** we called it “Setup Let’s Encrypt certificate for hostname”. I’m also suggesting to remove “Yes, and keep visible” option — existing users will be able to continue using it as before, but for new installs, it won’t create the false impression that this feature can be used as a normal domain.

1 Like

Fixed in this patch to stop using “host default domain” naming everywhere, making it less confusing. I also removed the option to show it in the UI.

Help tooltip and all references in language files have also been updated.

1 Like

I bet a large percent of people who use Virtualmin for hosting and email have their server set up with
server.ip host.mydomain.tld host

and that gets dragged into postfix during a default postfix install from Virtualmin
/etc/postfix/ mydestination = $myhostname localhost.$mydomain localhost

All this becomes what you hate to call

Because now that it’s all setup this way and working with no issues, It will become a default domain in Virtualmin so that people can create a cert for it in Let’s Encrypt so they can take advantage of TLS/SASL connections and log into Webmin/Virtualmin GUI…

That’s how it happens…

Edit because I would also like to add that this has been the way for many years I am told because Virtualmin would install the hostname as a Virtualserver. I believe you finally stopped doing this only a couple years ago.

Oh yes! back to what I was complaining about in “My Opinion Rant”
This hostname/default domain ends up being proxied in cloudflare because most people don’t understand to turn the proxy off for this. They then head back to this forum and others wanting to know why their email server or control panel connections are not working.

@Jamie, perhaps we should consider setting Enable proxying on new records in templates back to No, as you originally suggested? I’m getting more and more perception that users in general indeed know very little about what they are doing.


I’m not sure it’s something you guys did in the terminology. I just call default domain to separate it from the other domains. . SInce I already used host at the beginning I need to call the domain something else. sounds kind of funny. I didn’t put alot of thought into so might be a better term. topdomain, rootdomain, webmindomain, etc. But now that I think about it I guess I could just use . It’s just that part of me that doesn’t want to be repetitive. :slight_smile:

But that’s not what the host default domain is. It has nothing to do with Postfix.

The hostname is just the final destination of mail sent to the server for any of the various domains that are hosted virtually in Virtualmin. That’s what the hostname is to Postfix. That’s completely unrelated to the “host default domain” in Virtualmin!

The host default domain has one purpose: To get a certificate so the user doesn’t get a browser warning when they log in.

It is not important. It’s not a thing you should be treating specially, and it’s not a thing that matters to Postfix. That certificate isn’t used by Postfix unless you force it to be, and you shouldn’t.

This is why I don’t like calling it “default domain”, because it makes people think it’s something it isn’t. It literally exists to request a certificate. After you have Virtualmin domains, you never even need to think about it. You don’t need to tell your users about it, you don’t need to use it when configuring mail clients, you don’t need to use it for logging into Webmin/Usermin. It is literally just a name to uniquely ID the server, and we’re guessing that for many users it will be a name that resolves so we can request an LE cert for it (and if it doesn’t resolve yet, no big deal, we just won’t get a cert and you’ll get a browser warning like you would always have up until a couple years ago).

The host default domain is for getting a certificate early in the install process. That’s it. That’s all it does, and all it’s for. Unless you make it something more (but there’s no reason to do so).

Not many years. All of the “host default domain” stuff has been around for maybe a year in various forms (maybe as much as two). We’ve had some disagreements about how it should be shown and whether it should even be in Virtualmin (though we all agree having a Let’s Encrypt certificate from the beginning is super convenient and helps users who don’t understand the browser warning about a self-signed cert).