Virtualmin Secondary Mail Server

Hi guys,
Just setting up a secondary mail server for Virtualmin.

Virtualmin Pro on the primary server
Virtualmin GPL on the secondary

Exactly how does this work?

I do not use either of my Virtualmin servers as nameservers; that is controlled from the domain registrar.

Considering I don’t use Virtualmin as a nameserver, do I still follow the Virtualmin docs on how to do this?
https://www.virtualmin.com/documentation/email/hold-and-forward

Or do I need to modify what I’m being told to do?

Because DNS is hosted by the registrar and not by my Virtualmin systems, would I need to manually add secondary MX records to all domains on my system?

For example, let’s say the domain for my hosting business is tesla.com. What should I do for the example below?

host1.tesla.com (Virtualmin Pro) - primary mail server
host2.tesla.com (Virtualmin GPL) - secondary mail server

Finally, does the secondary system need to have “Can accept RPC calls?” = Yes enabled (if I have created a new admin user other than root)?

Is there any information on this at all?

I have another issue that has arisen since I set up this “host2” secondary mail server with Virtualmin GPL (remembering host1 is Virtualmin Pro):

No DNS is served through either Virtualmin server.
DNS is controlled via my domain registrars (including client domains on my system).
I have no nameserver glue records configured at the registrar for my host1.domain.com (or host2.domain.com).
The DNS domain feature is not enabled in Virtualmin for any virtual server.

After running through the tutorial on setting up secondary mail servers, I woke up the next morning to find clients getting duplicate emails! Every virtual server domain on the system where mail is enabled had the same problem.

I turned off the secondary server; immediately any email sent from Hotmail to my server was rejected!

I turned the secondary back on and disabled host2 under Webmin > Webmin Servers Index: emails from Hotmail rejected!

I added host2.domain.com back into Webmin > Webmin Servers Index, and now the double emails have stopped!

I don’t understand: when there are no glue records and no secondary MX records, how can server2 even have anything to do with this?

How do I even check what host2 is actually doing with regard to email at present? Why are emails on host1 being immediately rejected if host2 is turned off?

Where you host DNS doesn’t change anything in the guide except how you create MX records. A hold-and-forward backup server needs an MX record with lower priority than the primary (and an A record for the server that the MX record points to). That’s it.

Joe, I understand where the MX record needs to be added; that’s at the client’s domain registrar.

Can you clarify what you mean by “also needs an A record”?

Where is the A record actually supposed to be added: at the client’s domain registrar, or at my own domain registrar for the server itself?

I am assuming you are talking about the A record for server2 itself?

A record server2.hostdomain.com 12.34.56.79 (server2 public IP address)

The current records at clientdomain.com are as follows:

A record clientdomain.com = 12.34.56.78 (my server1.hostdomain.com IP address)
MX record clientdomain.com = server1.hostdomain.com
SPF TXT v=spf1 mx a ip4:12.34.56.78 a:server1.hostdomain.com ~all

So I believe I need to add server2 copies of the above records at my client’s registrar DNS?

A record clientdomain.com = 12.34.56.79 (my server2.hostdomain.com IP address)
MX record clientdomain.com = server2.hostdomain.com

Finally, at the client’s registrar DNS, do I need a second SPF record for server2, or can I combine the two servers into a single SPF record? (The original client SPF is below.)

SPF TXT v=spf1 mx a ip4:12.34.56.78 a:server1.clientdomain.com ~all

Do I just add a second SPF like…

SPF TXT v=spf1 mx a ip4:12.34.56.789 a:server2.clientdomain.com ~all

An MX record points to a name. An A (name) record points to an IP. The MX record should point to the A record for your secondary server.

What? The registrar is not involved at all, unless you mean you’re using your registrar’s DNS servers to host your zones. The registrar just sets up a glue record in the root name servers for you to point to whatever DNS servers you choose (which may be your own, a service like AWS, or most registrars also provide DNS for free or a small additional charge…but that’s a different service).

Add the A record and the MX record to whatever DNS servers are hosting your zone. SPF/DKIM is a separate problem, and you only need SPF if you will also be sending mail through your secondary server (rather than just receiving in a hold-and-forward configuration).
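As an added check for the record questions above (example code written for this page, not Virtualmin’s code and not from anyone in the thread): the script below takes a set of DNS records, constructed here from the values posted above with the masked IPs kept, and verifies what a hold-and-forward backup needs. The backup MX must carry a higher preference number than the primary (sending servers try the lowest number first), every MX target must have an A record, and there must be at most one SPF record, because RFC 7208 §3.2 makes multiple v=spf1 TXT records a permerror; so if the secondary ever sends mail, its address belongs in the existing record rather than in a second one. It also rejects an ip4 mechanism with an out-of-range octet. Function and variable names are the example’s own.

```python
"""Check the DNS records behind a hold-and-forward backup MX.

Added example written for this page; it is not code from Virtualmin or
from anyone in the thread. The zone data is constructed from the record
values posted above (masked IPs kept as-is); the function and variable
names are the example's own.
"""
import ipaddress
from collections import defaultdict

# Constructed records as (owner name, type, value). MX values are
# (preference, target); TXT values are the raw record text.
GOOD_ZONE = [
    ("server1.hostdomain.com", "A", "12.34.56.78"),
    ("server2.hostdomain.com", "A", "12.34.56.79"),
    ("clientdomain.com", "A", "12.34.56.78"),
    ("clientdomain.com", "MX", (10, "server1.hostdomain.com")),
    ("clientdomain.com", "MX", (20, "server2.hostdomain.com")),
    ("clientdomain.com", "TXT",
     "v=spf1 mx a ip4:12.34.56.78 a:server1.hostdomain.com ~all"),
]

# The same domain with mistakes a first attempt can make: equal MX
# preferences, no A record for the backup MX target, and SPF added as a
# second TXT record with an out-of-range ip4 octet.
BAD_ZONE = [
    ("server1.hostdomain.com", "A", "12.34.56.78"),
    ("clientdomain.com", "A", "12.34.56.78"),
    ("clientdomain.com", "MX", (10, "server1.hostdomain.com")),
    ("clientdomain.com", "MX", (10, "server2.hostdomain.com")),
    ("clientdomain.com", "TXT",
     "v=spf1 mx a ip4:12.34.56.78 a:server1.hostdomain.com ~all"),
    ("clientdomain.com", "TXT",
     "v=spf1 mx a ip4:12.34.56.789 a:server2.hostdomain.com ~all"),
]


def index_zone(zone):
    """Group record values by (lower-cased owner name, type)."""
    idx = defaultdict(list)
    for name, rtype, value in zone:
        idx[(name.lower(), rtype)].append(value)
    return idx


def check_backup_mx(zone, domain, primary, secondary):
    """Return a list of findings; an empty list means the records look right.

    primary/secondary are the MX target hostnames. A backup MX must have a
    higher preference number than the primary (sending servers try the
    lowest number first), and every MX target needs an A record.
    """
    idx = index_zone(zone)
    domain, primary, secondary = domain.lower(), primary.lower(), secondary.lower()
    findings = []

    mx = sorted(idx[(domain, "MX")])  # lowest preference number first
    prefs = {target.lower(): pref for pref, target in mx}
    if primary not in prefs or secondary not in prefs:
        findings.append("%s needs an MX record for both %s and %s" % (domain, primary, secondary))
    elif prefs[secondary] <= prefs[primary]:
        findings.append("secondary MX preference must be a higher number than the primary's")
    for _pref, target in mx:
        if not idx[(target.lower(), "A")]:
            findings.append("MX target %s has no A record" % target)

    # SPF: RFC 7208 section 3.2 makes more than one v=spf1 TXT record a
    # permerror, so a second server goes into the existing record.
    spf = [t for t in idx[(domain, "TXT")] if t.startswith("v=spf1")]
    if len(spf) > 1:
        findings.append("%d SPF records at %s: receivers return permerror" % (len(spf), domain))
    for record in spf:
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?")  # drop the optional qualifier
            if mech.startswith("ip4:"):
                try:
                    ipaddress.IPv4Network(mech[4:], strict=False)
                except ValueError:
                    findings.append("invalid SPF mechanism %s" % term)
    return findings


if __name__ == "__main__":
    args = ("clientdomain.com", "server1.hostdomain.com", "server2.hostdomain.com")
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_backup_mx(zone, *args) or ["no findings"])
```

Against real zones, replace the constructed lists with the output of a lookup (for example `dig +short MX clientdomain.com`), keeping the same (name, type, value) shape; the checks themselves do not need network access.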

I am not able to get the tutorial to work at all. It’s too vague.

When I attempt to register the server in Webmin, look at what I get…

I know the DNS is fine because it’s resolving that IP address in online DNS lookups with no problems at all.

One thing: these two servers are not in the same IP address range. They are on different networks. Does that matter?

Also, DNS is not controlled by either Virtualmin system!

Why won’t this work?

No. Networks is networks. But, they do need to be able to reach each other on port 10000-10010. So, make sure that works. Webmin just makes web requests to the other Webmin server. If it can’t connect, you’ve got a network problem, maybe firewall.

I use the same network firewall for both systems. Maybe it’s the firewall on the server itself? I haven’t configured anything on the server myself though; it’s just a stock Virtualmin install. I don’t understand why the two won’t talk to each other. I have had this problem in the past and never did find a solution to it.

If I didn’t know better I would say it’s because the default install requires DNS to be managed by the systems themselves. Because I am not doing it that way, something isn’t right, because it is not resolving the second server’s IP address in Webmin. This cannot be: if I go to a web browser and enter either the IP address or the URL for the second server, I can bring it up easily. It’s just that Webmin server registration is unable to do this on the primary server (I have altered my actual domain below).

Failed to connect to host2.domain.com:10000 : Connection timed out

This has to be something wrong in Webmin. I mean, all that is required are the IP address (or host.domain.com), a user, and a password, yes?

The second I change the Webmin setting to “normal link to server” it brings up the Webmin login screen. If I change it back to username: root, password: , it times out.

Is root not allowed to access the secondary via this method?

But, you know better, so forget about DNS. :wink:

What makes you think that? Can you access Webmin on both servers?

Hi Joe,
Yes, Webmin is accessible with no problems on both servers (Virtualmin Pro and Virtualmin GPL).
I can perform MXToolbox checks on the DNS and both are resolving.

When I say I feel there is something wrong in Webmin, I don’t mean it’s a flaw exactly; maybe something I need to do that I haven’t done correctly.

Having said that, I doubt that MXToolbox is going to successfully check the SMTP: I don’t have any domains on the second system (i.e. no virtual servers). Am I supposed to? My domains are all on the primary system.

Does the second system at least need a single Apache virtual host on it? (Say for the host itself, e.g. host2.domain.com with a web directory.)

I am new to the idea of using backup mail servers, and relatively new to mail servers in general, so you have to treat me as a newbie on this.

Also,
if I go to the second server, Webmin > Webmin Servers Index, and add the primary server to the servers list on the backup mail server, and I choose the SSL option…

the status of the primary server when looking at it from the second is as follows:

Server status: Running Webmin 1.942

So if I can see the primary mail server from the backup, why can’t the primary see the backup server?

This is what the primary server says…

Kind regards
Adam

Because something is preventing it. Firewall, routing issue, who knows? If you can reach both Webmin instances, then you know they’re up. This isn’t a complicated thing to configure, and you clearly have a network problem not a problem with password or whatever. It says “Timeout connecting”, which is a network problem. No connection. Make sure both servers can reach ports 10000-10100 (I said 10010 above, but I think fast RPC can theoretically use more). Try disabling Fast RPC just to see if maybe your firewall isn’t allowing the other ports…10000 is sufficient for your browser, but not sufficient for Fast RPC API mode.

Both servers use the exact same network firewall, so the settings for both are identical, obviously, because this is a global setting on my network.

My global network port rule is set to

accept TCP 10000 - 10100 0.0.0.0/0

OK, so this morning I now see a different error on the primary server…

Link type: Login via Webmin with username root
Password: ••••••••••••••••
Fast RPC calls: yes
Server status: Login to RPC server as root rejected

I don’t know why it wouldn’t display this error yesterday. Anyway, this looks promising.

If I change the setting for Fast RPC calls (setting it to “no”):

Server status: RPC HTTP error : HTTP/1.0 403 Access denied for <ip12.34.56.78> (I have masked the real IP address)

I am definitely getting somewhere now. Where in Virtualmin is this restricted, I wonder?

My assumption is that the default Virtualmin Debian 10 install does not allow root access from external calls?

Woohoo, I have figured out the problem and made some progress.

When I installed the Virtualmin GPL system, without realising that a particular safety habit of mine would cause communication issues between two Webmin systems, I had automatically restricted Webmin control panel access to only my home static IP address by adding the following:

Webmin > Webmin Configuration > IP Access Control > Allow only from listed IP addresses

12.34.56.78 (my home static IP address)

I did not realise that this had anything to do with Webmin-to-Webmin calls between two systems that have been added in the Webmin Servers Index!

Clearly it does, because as soon as I made this list look like the following:

12.34.56.78 (my home static IP address)
13.65.86.92 (host2 static IP address)

voilà, now in the Webmin Servers Index I get the following:

Normally I would have restricted my Virtualmin Professional IP access to my home static IP address, but I had disabled this recently due to a power failure at my office; I was relying on a mobile connection for all internet for almost 7 days and had to remove this restriction in order to access the Virtualmin Pro system. That is why my host2.domain.com was working with this but not host1.domain.com! (host2.domain.com was installed recently and was restricting Webmin IP access, and so it could access host1.domain.com but not the other way around!)

Argh… how do I now log out of the second server after accessing it via Webmin > Webmin Servers Index on the primary server?
The logout button is not visible?

Oh I see, if I log out of the primary, it automatically logs out of the secondary. (I’m getting the hang of this now :wink: )

So Joe, can I just clarify…
As you know, my primary server is having a problem with Dovecot in the system monitor (it is not recognising that Dovecot is running and keeps saying it’s offline, even though Dovecot is delivering emails).

Will that affect my secondary mail server at all?

I.e. I don’t want my clients getting mail errors, for example duplicate emails being delivered, etc.

If your secondary is correctly configured for hold and forward it should never see mail unless the primary is unreachable. And, Dovecot on the secondary is never involved, as your users will never be connecting to the secondary to retrieve mail. Secondary just makes sure mail is never lost.

I don’t know why you had duplicates before…mail from outside servers should only ever reach one of your two servers. Primary if it is available, secondary if primary is not. Secondary accepts mail on behalf of your users and then sends it along to primary when primary comes back up.

How is it determined whether or not the primary mail server is online? Is it a simple SMTP DNS resolution?

Because my status monitor isn’t accurately reporting, I can’t rely on that, can I?

No. Sending mail servers try to send to the primary. If it fails for any reason, they try the secondary.

OK great. Now that both systems are talking to each other, and I have the entries in the registrar’s DNS hosting for both mail servers, I expect that it will now work.

My assumption is that the only real way to check this is to shut down the primary system host1.domain.com?

I will pick a time when it’s not busy, shut one of the primaries down and see if the backup shows an email queued.

To think that all of my heartache could have been avoided if somewhere in that tutorial it said “make sure that one addresses the issue of IP Access Control! The opposite server’s IP address has to be whitelisted for each to communicate with the other!”

So for host1.domain.com to be reachable by host2.domain.com, the following entry “host2.domain.com” needs to be added (and vice versa).

Webmin > Webmin Configuration > IP Access Control > Allow only from listed IP addresses

12.34.56.78 (my home static IP address)
host2.domain.com

Isn’t there some kind of API workaround for this such that, when two of my own servers are indexed in Webmin so they communicate with each other, they bypass this issue?
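The IP Access Control whitelisting that the thread arrives at can be made a repeatable step rather than a manual edit on each server. The script below is an added example written for this page, not Webmin’s code and not from anyone in the thread. It assumes, as far as I understand Webmin, that “Allow only from listed addresses” under Webmin Configuration > IP Access Control is stored as a space-separated `allow=` line in /etc/webmin/miniserv.conf; the sample config text is constructed from the masked addresses posted above. It adds the peer idempotently, accepts only IP addresses or CIDR networks so the check never depends on DNS resolution when Webmin starts, and refuses to create an `allow=` line where none exists, because a new list containing only the peer would lock out every other address, including your own.

```python
"""Whitelist a peer Webmin server in the IP Access Control allow list.

Added example written for this page; it is not code from Webmin or from
anyone in the thread. It assumes, as far as I understand Webmin, that
"Allow only from listed addresses" under Webmin Configuration > IP Access
Control is stored as a space-separated `allow=` line in
/etc/webmin/miniserv.conf. The sample config text below is constructed.
"""
import ipaddress
import sys

MINISERV_CONF = "/etc/webmin/miniserv.conf"  # assumed default location

# Constructed sample of the relevant part of miniserv.conf, using the
# masked addresses from the thread (home IP allowed, host2 not yet).
SAMPLE_CONF = "port=10000\nssl=1\nallow=12.34.56.78\n"


def valid_peer(addr):
    """True for an IP address or CIDR network; hostnames are rejected so
    the allow check never depends on DNS resolution at Webmin start-up."""
    try:
        ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return True


def allowed(conf_text):
    """Return the current allow list (empty if there is no allow= line)."""
    for line in conf_text.splitlines():
        if line.startswith("allow="):
            return line[len("allow="):].split()
    return []


def add_allow(conf_text, addr):
    """Return conf_text with addr appended to allow=, unchanged if present.

    Refuses to create an allow= line where none exists: with no allow list
    Webmin accepts logins from anywhere, and creating one containing only
    the peer would lock out every other address, including your own.
    """
    if not valid_peer(addr):
        raise ValueError("not an IP address or network: %r" % addr)
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("allow="):
            entries = line[len("allow="):].split()
            if addr in entries:
                return conf_text  # already whitelisted, nothing to change
            lines[i] = "allow=" + " ".join(entries + [addr])
            return "\n".join(lines) + "\n"
    raise LookupError("no allow= line in config; set your own address first via the Webmin UI")


if __name__ == "__main__":
    # usage: python3 webmin_allow.py 13.65.86.92 [path-to-miniserv.conf]
    peer = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else MINISERV_CONF
    with open(path) as fh:
        old = fh.read()
    new = add_allow(old, peer)
    if new != old:
        with open(path, "w") as fh:
            fh.write(new)
        print("added %s; restart Webmin for it to take effect" % peer)
    else:
        print("%s already allowed" % peer)
```

Run it on each server with the other server’s address, then restart Webmin (for example `systemctl restart webmin`) so miniserv re-reads the file. The address to whitelist is the one the peer’s connections actually arrive from, which matters if either host sits behind NAT; the 403 “Access denied for <ip…>” message seen earlier in the thread shows exactly which address Webmin rejected.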