[SOLVED] Setting correct SMTP HELO host, domain name, PTR records for e-mail server

Hi all,

Now I am in the secondary domain (VHOST) titi.org on ​​the same server as toto.org.

I created a mail server for titi.org and the appropriate DNS and aliases.
I created a user-1@toto.org and an alias for him that points to user-1@titi.org.

At Webmail: https://www.titi.org/webmail, user-1 can connect without any problem.

In Webmail, I created a new user-1@titi.org identity and set it as the default identity.
I created an email with user-1@titi.org and the FROM: identity was correctly user-1@titi.org.

I sent the message to michelandre@toto.org and everything went well.
DKIM does indicate that it is from srv1.titi.org. Everything indicates that only titi.org exists and there is no mention of toto.org at all in the email received.

● In Thunderbird, I cannot create an account user-1@titi.org (cannot connect); I have to use user-1@toto.org.
● I cannot adjust the incoming/outgoing server to titi.org, only to toto.org.

I have looked at Markos DNS records and see that I don’t have CAA and TLSA records.

I googled around and the CAA record is linked to the certificate Authority.
Let’s Encrypt issued my 2 certificates (one for toto.org and another one for titi.org).

● The certificate for titi.org is a SAN in the sense that it is used for mail, srv1, www, etc.
● Configuring the CAA record, I have to use a flag [issue || issuewild || iodef].

issue: explicitly authorizes a single certificate authority to issue a certificate (any type) for the hostname.
issuewild: explicitly authorizes a single certificate authority to issue a wildcard certificate (and only wildcard) for the hostname.
iodef: specifies a URL to which a certificate authority may report policy violations.

● Is the flag issue the proper one to use ?
● Is that the solution to have Thunderbird working with user1@titi.org or there is another way to solve that ?

If I remember well, the SAN is for a multi-domains (meaning mail, srv1, www, etc, and possibly also including titi.org, titi.com, titi.net) and WILDCARD is for *.domain (here the [ * ] meaning mail, srv1, www, etc, but all from the same domain).

I am confused, but on a higher level than before… :slight_smile:

The TLSA record will be for later if possible

All comments and suggestions are highly appreciated,


Has anyone been successfully ably to create & authenticate multi users/domains on a single Nethserver install? Since SOGo v 5 I can create multiple email identity/alias and send/receive as a secondary domain (user1@test.com & user1@example.com) but everything is tied to the primary domain/user that the email identity was created for.

1 Like

Hi all,

The exact error I received from Thunderbird is:
Failed to connect to server …


Yes, I have done it. I have three domains running, corresponding to three different vhosts and mail domains. Each with a few mail users.

How are you defining the unique login credentials for user1@example.com that is different than user1@test.com on the same Nethserver host?

Hi Royce,

As far as I know with NethServer, the names are different but the password is/are the same one.


that was my most important hint from @Andy_Wismer :

…my Candidate for the Hall of Fame


Hi Marko,

I think I did the same as you:

With Webmail all is wordking fine, but did you try to create a user@vhost-fqdn and the mail server as smtp.vhost-fqdn in Thunderbird ?

If so, then I have an error because of the CAA/TLSA records missing, or somethig else ?



In Thunderbird I use the actual FQDN of the NethSwerver, usually also defined within DNS with SPF, etc.

With this one, Kerberos is actually working! :slight_smile:

The corresponding SMTP settings:

(In case anyone’s wondering, the lady married in the meantime, but the old login was retained, just added a new alias! - NethServer’s quite flexible, we didn’t want to touch the fine tuned Windows profile!)

My 2 cents


This client, a Hotel, had to close doors for the last time end of 2020, not due to Corona, but somewhat greedy Owners who did not want to extend the well paid 20 year lease!
6 years of NethServer, after 4 years SME, before that 4 years a hand configured SuSE…

At least the hotel managment will remain clients for future projects!

Salut Andy,

Thank you again for your great insight.

With the screen capture you included above, is the Server the same as user@Server ?

If not, then the DKIM will indicate the SERVER in d=SERVER; which is different from user@different-server?
EDIT: In Webmail both are exactly the same.



Yes, but as they’re closing (closed now!), we didn’t put too much effort when the Hotel-IT “moved out” in April.

We relocated almost the whole IT, as this will remain operational another 3 years (at least). Using TSplus (Terminal Service for a MultiUser Win10 VM), everything was connected via VPN and RDP.
This made the end of year cleanup, and vacating the Hotel, much more easier, as we do not have to worry about any IT stuff, except for a couple (5) ex-Windows10 PCs, now running Linux-Mint and Renmina RDP… We actually activated “Roving Profiles” on NethServer just for this move… (It worked better than expected!).

In a first step, all PCs were converted P2V with VMWare Converter, then converted to Proxmox using Proxmox.
Second Step was migrating the profiles all to the new Windows 10 “Terminal Server”.

One reason for this setting is that the server would move location, and change the FQDN (Client side). The Server, as AD, could not use a different FQDN.

And once set, we didn’t want to fiddle with the working mail settings!

We moved the whole IT while the hotel was open, the move created an outage of only 1 hour (as planned!) for the IT!
Yay to Proxmox, NethServer and OPNsense to make this possible!

My 2 cents

PS: The used mailserver name IS the FQDN shown in Server Name of the old NethGUI (980).

Hi Andy,

Unable to communicate in secure mode with the peer: the requested domain name does not match the server certificate.

Unable to get identify status for this site.


I think it is because the CAA record is missing …



As said, that server was set up more than 10 yaers ago… And all DNS “grew” to all the newer challenges in correct mail handling needed nowadays… (This was a Hotel with international guests…)

I can’t recall in detail at the moment what we put in, but I can look up a few stuff - the server, as said, is still running and will remain so, also mail etc.


Time for walk,

To be continued…


1 Like

Hi Marc,

Thank you for your reply.

I did those alias but my problem is with Thunderbird that can’t get the certificate of the sending vhost server.

Looking at your reply: ThunderBird - Sieve not working?, I tried it as a partial solution by adding an exception for the certificate and now the DKIM for the mail from the secondary domaine shows the d=secondary-fqdn; which is what I want.

As said, this is a partial solution: but I would still like to have the real certificate from the sending server.

I didn’t take a walk yet… I am going to take it now…


Hi @michelandre,
I don’t have any experience with thunderbird, only using Apple Mail and iOS.

My Procedure was:
0. Creating all needed A-Records, CNAMES and MX-Records for my mymaindomain.tld and myseconddomain.tld, but not DMARC-; TLS-, SPF-, DKIM-Records within my external DNS-Provider.

What I did on my srv01.mymaindomain.tld

  1. Creating user like: firstname_secondname
  2. that automatically creates a blue mailbox firstname_secondname and orange mail address firstname_secondname@mymaindomain.tld point to the user firstname_secondname
  3. manually creating a blue mail address with firstname.seconadname@mymaindomain.tld
  4. pointing firstname.seconadname@mymaindomain.tld to firstname_secondname
  5. crating a mail domain myseconddomain.tld
  6. creating user myseconddomain_firstname_secondname
  7. that automatically creates a blue mailbox myseconddomain_firstname_secondname and orange mail address myseconddomain_firstname_secondname@mymaindomain.tld point to the user myseconddomain_firstname_secondname
  8. manually creating a blue mail address with firstname.seconadname@myseconddomain.tld
  9. pointing firstname.seconadname@myseconddomain.tld to myseconddomain_firstname_secondname
  10. Control aliases in Servermanger for all subdomains mymaindomain.tld, myseconddomain.tld and needed subdomains like nextcloud or collabora but not the mail related like mail, imap, smtp, pop.
  11. Creating LE-certificates for all subdomains of mymaindomain.tld
  12. Creating LE-certificates for all subdomains of myseconddomain.tld
  13. creatig DKIM-Keys in mail domains
  14. Transfering DKIM-keys as DNS-Recordx to my external DNS-Provider
  15. creating TLS-Keys and DMARC + SPF-Records

In the mail clients I created accounts for my @mymaindomain.tld using

  • Email-Address: firstname.secondname@mymaindomain.tld
  • Server: imap.mymaindomain.tld and smtp.mymaindomain.tld
  • for IMAP and SMTP-Server I used credentials with firstname_secondname and password

In the mail clients I created accounts for my @myseconddomain.tld using

  • Email-Address: firstname.secondname@myseconddomain.tld
  • Server: imap.myseconddomain.tld and smtp.myseconddomain.tld
  • for IMAP and SMTP-Server I used credentials with myseconddomain_firstname_secondname and password

My friend who uses the also hosted @mythirddomain.tld uses Thunderbird and told me, it was tricky to configure Thunderbird. I believe he used

  • Email-Address: firstname.secondname@mythirddomain.tld
  • Server: imap.mymaindomain.tld and smtp.mymaindomain.tld
  • for IMAP and SMTP-Server I used credentials with mythirddomain_firstname_secondname and password

Additionally, he had to configure the ports manually.

Perhaps you should try this curios config.

Best regards, Marko

1 Like

Hi all,

At the site: https://support.dnsimple.com/articles/caa-record/.

CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain. They also provide a means of indicating notification rules in case someone requests a certificate from an unauthorized certificate authority. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.

CAA records can set policy for the entire domain or for specific hostnames. CAA records are also inherited by subdomains. For example, a CAA record set on example.com also applies to any subdomain, like subdomain.example.com (unless overridden).

CAA record for titi.org:

titi.org.  CAA 0 issue "letsencrypt.org"

For TLSA record:
At the site: https://www.cloudns.net/wiki/article/342/.

The TLS Authentication record (TLSA) is used to associate a TLS server certificate or public key with the domain name where the record is found. With a TLSA record, you can store the fingerprint of a TLS/SSL certificate in the DNS of your domain.

So this should resolve the problem of Thunderbird not able to get the certificate.

From the site: https://thecustomizewindows.com/2016/09/steps-create-add-dane-tlsa-record/.

# cd /etc/pki/tls/certs/

# openssl x509 -noout -fingerprint -sha256 < ca-bundle.trust.crt |tr -d : |cut -d"=" -f2

TLSA record:

*._tcp.titi.org. 3600 IN TLSA 3 1 1 9a6ec012e1a7da9dbe34194d478ad7c0db1822fb071df12981496ed104384124

Is that the proper way to generate the Hash value and to create the TLSA record ?


If your DNS-Provider dont offer an assistant, you can use such generators.

1 Like

and here for the Community more informations:

My DNS provider offers an assistant to create it from LE-Certificate.
In the former time, I created it manually. I do not remember exactly how, but I used these sources:

There are external generators:

You can check the success with:

Sincerely, MArko