How to Set up an Email Server using Postfix and Dovecot

Published June 12, 2023 by David Robert Newman

Traducciones al Español
Estamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.

Create a Linode account to try this guide with a $ credit.

This credit will be applied to any valid services used during your first days.

This guide walks through how to build an email server using two open source email server packages, Postfix and Dovecot. Also included are steps on setting up virtual domains, users, and aliases using PostfixAdmin, a web-based front end for managing Postfix and Dovecot.

Email System Protocols and Encryption

The email server built in this guide uses four protocols:

SMTP works for message delivery between servers and optionally from client to server. Clients often use a separate protocol called “submission” to move messages from mail clients (mail user agents, or MUAs) to mail servers (mail transfer agents, or MTAs). MTAs always communicate over SMTP.

IMAP and POP are message retrieval protocols and operate exclusively between a local mail server and an MUA.

This guide uses Transport Layer Security (TLS) mechanisms to build encrypted tunnels between MUAs and your mail server since none of these mail protocols encrypt data in transit by themselves. Your server is capable of TLS-encrypting traffic with other servers, but only if the remote servers also support TLS. The free Let’s Encrypt service provides certificates and private keys on which TLS relies.

Postfix is a widely-used open source SMTP server and is included in most Linux distributions, including Ubuntu. Dovecot is also a common IMAP and POP server and is available as an Ubuntu package.

Before You Begin

This guide recommends using a Dedicated 8 GB Compute Instance using Ubuntu 24.04 LTS. This plan size is the recommended starting point for an email server for a small to medium enterprise. See our Get started with Compute Instances and Create a Compute Instance guides.
Follow our Setting Up and Securing a Compute Instance guide to update and secure your system. Make sure to set the timezone, configure your hostname, create a limited user account, and harden SSH access.
Do not enable IPv6
When setting up and securing your Compute Instance, do not enable IPv6. Enabling IPv6 may cause issues later when Certbot attempts to update the Let’s Encrypt certificate.
This guide sets up a mail server called mail.example.tld. Substitute your own domain name, and configure the /etc/hosts file as shown below:
File: /etc/hosts
1 2 3
127.0.0.1 localhost IPv4_ADDRESS mail.example.tld IPv6_ADDRESS mail.example.tld

The commands, file contents, and other instructions provided throughout this guide include example values. These are typically domain names, IP addresses, usernames, passwords, and other values that are unique to you. The table below identifies these example values and explains what to replace them with:

Example Values:	Replace With:
`example.tld`	Your custom domain name.
`IPv4_ADDRESS`	Your system’s public IPv4 address.
`IPv6_ADDRESS`	Your system’s public IPv6 address.
`external@email.tld`	A working external email address.
`POSTFIXADMIN_PASSWORD`	Your PostfixAdmin database user password.

Familiarity with SMTP and IMAP/POP protocols.
Although Postfix and Dovecot servers can operate in the system or virtual mode, only virtual mode is used in this setup.
In system mode, only users with local logins can send and receive emails. System mode users do this with lookups against the operating system’s /etc/passwd file with all users residing in a single domain. Virtual mode allows an unlimited number of domains, users, and aliases, all unrelated to the underlying operating system.

Non-root users recommended

This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, see the Users and Groups guide.

Step 1: Configure DNS

Email servers require at least two DNS records, A and MX:

An A record binds a hostname like mail.example.tld to an IPv4 address.
An MX (Mail eXchanger) record indicates the server handles email for the provided domain.
Optional: An AAAA record binds mail.example.tld to an IPv6 address.

See our A and AAAA records and MX records guides.

Follow the below steps to configure DNS using DNS Manager:
1. Log into Cloud Manager.
2. Click the Domains tab on the left dashboard.
3. Create a domain with your domain name (e.g., example.tld).
4. Add A, MX, and any other records as needed.
5. Update your domain from your registrar to use Linode’s authoritative name servers.
Blocked SMTP Ports
If your data center blocks inbound traffic on TCP ports 25, 465, or 587, open a Support ticket requesting inbound and outbound access to these ports be opened for your server.
Optional: Update the reverse DNS (rDNS) information to point one of your server’s IP addresses back to your hostname mail.example.tld:
1. Click on the Linodes tab of the main dashboard.
2. Select your Linode.
3. Select the Network tab.
4. In the IP Addresses section, set rDNS for your preferred IP address using the Edit RDNS option. Each rDNS setting creates a pointer (PTR) record that associates an IP address with a hostname.
Verify your DNS records are functioning by using the dig utility to validate each record. Below are example commands you can use to verify A, AAAA, MX, and PTR records exist for the server. Note that DNS propagation may take up to 24 hours:
- Validate the A record for mail.example.tld:
  dig +short -t a mail.example.tld
```
IPv4_ADDRESS
```
- Validate the AAAA record for mail.example.tld:
  dig +short -t aaaa mail.example.tld
```
IPv6_ADDRESS
```
- Validate the MX record for example.tld:
  dig +short -t mx example.tld
```
10 mail.example.tld.
```
- Validate the PTR record for you compute instance’s IPv4 address:
  dig +short -x IPv4_ADDRESS
```
mail.example.tld.
```
- Validate the PTR record for your compute instance’s IPv6 address:
  dig +short -x IPv6_ADDRESS
```
mail.example.tld.
```

Step 2: Install Postfix

Install the Postfix SMTP server package:
sudo apt install postfix
The installer prompts you to pick a server type, the default option is Internet Site. Enter a hostname, such as mail.example.tld, and optionally choose whether to restart services.
You may encounter the same setup screen again when upgrading Postfix in the future. If so, choose No configuration to retain your current settings.
Once installation is complete, verify your version of Postfix:
sudo postconf mail_version
As of this writing, the version displayed (3.8.6) is standard on Ubuntu 24.04 LTS:
```
mail_version = 3.8.6
```
Verify that Postfix is listening for incoming connection attempts:
sudo ss -lnpt | grep master
The following output should be displayed:
```
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*    users:(("master",pid=2157,fd=13))
LISTEN 0      100             [::]:25           [::]:*    users:(("master",pid=2157,fd=14))
```
This indicates the Postfix server is listening for incoming connections on TCP port 25 for both IPv4 and IPv6 on any IP address.
Verify your server can make outbound SMTP connections:
sudo nc gmail-smtp-in.l.google.com 25
You should see the following output:
```
220 mx.google.com ESMTP 00721157ae682-62ccae740b7si23680997b3.287 - gsmtp
```
If you do not get the above output, check internal and/or firewall rules to ensure outbound TCP port 25 is allowed. You can exit this session and return to the terminal prompt by pressing CTRL+C.
To set the hostname in Postfix, open the main Postfix configuration file using the text editor of your choice:
sudo nano /etc/postfix/main.cf
Find the myhostname parameter, set it to your desired hostname, and save your changes:
File: /etc/postfix/main.cf
37
myhostname = mail.example.tld
Reload Postfix:
sudo systemctl reload postfix
Open and update the /etc/aliases file to receive messages from the system:
sudo nano /etc/aliases
Set root to a working email address where you can reliably receive mail, and save your changes:
File: /etc/aliases
1 2 3
# See man 5 aliases for format postmaster: root root: external@email.tld
Rebuild the alias database:
sudo newaliases
Send a test message to verify the system can send an outgoing message to your external email address:
echo "test email" | sudo sendmail external@email.tld
Verify you received the message at your working email address. The message should be an email from root with no subject and test email as the body content. If not, you may need to check /var/log/mail.log for troubleshooting.

Step 3: Let’s Encrypt and Nginx

To avoid having traffic intercepted, enable Transport Layer Security (TLS) to set up encrypted tunnels between mail clients and your server. TLS relies on certificates, which in turn require a working web server and access to the free Let’s Encrypt service.

Install certbot, a tool that automates Let’s Encrypt certificate creation and maintenance:
sudo apt install certbot
Install the NGINX web server. This is required for Let’s Encrypt setup and later for PostfixAdmin:
sudo apt install nginx
Install the Python3 NGINX certbot plugin:
sudo apt install python3-certbot-nginx

Define a virtual host for NGINX by creating a file /etc/nginx/conf.d/mail.example.tld:

sudo nano /etc/nginx/conf.d/mail.example.tld.conf

Add the following contents to the file, replacing example.tld with your domain name. When complete, save your changes:

File: /etc/nginx/conf.d/mail.example.tld.conf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
server {
  listen 80;
  listen [::]:80;
  server_name mail.example.tld;

  root /usr/share/nginx/html/;

  location ~ /.well-known/acme-challenge {
    allow all;
  }
}

Create the /usr/share/nginx/html directory if it does not already exist:
sudo mkdir -p /usr/share/nginx/html
Restart NGINX to load the new virtual host configuration:
sudo systemctl restart nginx

Verify NGINX is running:

sudo systemctl status nginx

● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-06-10 11:12:29 EDT; 4s ago

Exit this session and return to the terminal prompt by pressing CTRL+C.

Test your setup with the --dry-run parameter in the certificate request. Replace external@email.tld with your working external email address and example.tld with your domain name:

sudo certbot certonly --dry-run -a nginx --agree-tos --no-eff-email --staple-ocsp --email external@email.tld -d mail.example.tld

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Simulating a certificate request for mail.example.tld
The dry run was successful.

If the response indicates a successful dry run, proceed to obtain the certificate by running the same command without the --dry-run option:

sudo certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email external@email.tld -d mail.example.tld

You should get a response indicating success:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for mail.example.tld

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.example.tld/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/mail.example.tld/privkey.pem
This certificate expires on 2024-09-08.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Note the locations of the certificate and key files indicated in the success response.

Open the Postfix configuration file to configure Postfix to use the newly created certificate and key:

sudo nano /etc/postfix/main.cf

Locate the # TLS parameters section. Find the smtpd_tls_cert_file and smtpd_tls_key_file parameters, and replace their values with the file locations from the certbot command output above. If not present, add the remaining highlighted lines to enable TLS transport and enforce TLSv1.2 or TLSv1.3. When complete, save your changes:

File: /etc/postfix/main.cf

26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.tld/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.tld/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
# Enforce TLSv1.2 or TLSv1.3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

TLS and SSL version security

TLS prior to version 1.2, and all versions of Secure Sockets Layer (SSL), are insecure and should be disallowed.

Restart Postfix to apply the changes:
sudo systemctl restart postfix

Step 4: Submission

The steps below enable mail clients to submit outgoing mail to your server using the submission protocol instead of SMTP. This is necessary since many ISPs block SMTP (TCP port 25) but allow outgoing submission connections (TCP ports 465 and/or 587). Separating SMTP and submission functions can also help with troubleshooting.

Open the /etc/postfix/master.cf file:

sudo nano /etc/postfix/master.cf

Add the following lines to the end of the file to enable the submission protocol:

File: /etc/postfix/master.cf

141
142
143
144
145
146
147
148
149
submission     inet     n    -    y    -    -    smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_wrappermode=no
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth

If you or your users run Outlook and need to use the Secure SMTP (SMTPS) protocol on TCP port 465, also add the following lines:

File: /etc/postfix/master.cf

150
151
152
153
154
155
156
157
smtps     inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth

When done, save your changes.

Restart Postfix to apply the changes.
sudo systemctl restart postfix

Verify that Postfix is now listening on port 587 (submission) and optionally on port 465 (SMTPS) on all IPv4 and IPv6 addresses.

sudo ss -lnpt | grep master

The output should include lines similar to the following:

LISTEN 0      100          0.0.0.0:465       0.0.0.0:*    users:(("master",pid=25871,fd=99))
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*    users:(("master",pid=25871,fd=13))
LISTEN 0      100          0.0.0.0:587       0.0.0.0:*    users:(("master",pid=25871,fd=95))
LISTEN 0      100             [::]:465          [::]:*    users:(("master",pid=25871,fd=100))
LISTEN 0      100             [::]:25           [::]:*    users:(("master",pid=25871,fd=14))
LISTEN 0      100             [::]:587          [::]:*    users:(("master",pid=25871,fd=96))

Step 5: Dovecot

The Postfix server allows your server to send outgoing messages and receive emails from others. However, you need a different server, Dovecot, for your clients to retrieve mail.

Install Dovecot:
sudo apt install dovecot-core dovecot-imapd
POP3 Support
POP3 support is optional. However, unless you have users who specifically require the older POP3 protocol, it’s recommended to use IMAP. Should POP3 support be required, use the command below:
sudo apt install dovecot-pop3d
Verify the Dovecot installation:
dovecot --version
As of this writing, the Dovecot version for Ubuntu 24.04 LTS is 2.3.21:
```
2.3.21 (47349e2482)
```
Open the /etc/dovecot/dovecot.conf file to configure IMAP and/or POP protocols:
sudo nano /etc/dovecot/dovecot.conf
Add the following line directly under # Enable installed protocols, and save your changes:
File: /etc/dovecot/dovecot.conf
23 24 25
# Enable installed protocols protocols = imap lmtp !include_try /usr/share/dovecot/protocols.d/*.protocol
LMTP protocol is explained in the next section: Local Message Storage (LMTP).
If using POP3 protocol, edit the line to also include pop3:
File: /etc/dovecot/dovecot.conf
23 24 25
# Enable installed protocols protocols = imap lmtp pop3 !include_try /usr/share/dovecot/protocols.d/*.protocol
Set the mail folder location and storage type by editing the /etc/dovecot/conf.d/10-mail.conf file:
sudo nano /etc/dovecot/conf.d/10-mail.conf
Locate the mail_location = mbox:~/mail:INBOX=/var/mail/%u line, and change the value to read:
File: /etc/dovecot/conf.d/10-mail.conf
30
mail_location = maildir:~/Maildir
Save your changes.
Add the Dovecot user to the mail group to ensure proper permissions.
sudo adduser dovecot mail
It should display output similar to the following:
```
info: Adding user `dovecot' to group `mail' ...
```
Verify the dovecot user is added to the mail group:
groups dovecot
```
dovecot : dovecot mail
```

Step 6: Local Message Storage (LMTP)

Since Postfix uses mbox by default rather than Maildir, some additional configuration is necessary to ensure messages enter Dovecot in Maildir format. Instead of using Postfix’s built-in local delivery agent (LDA) which defaults to mbox, configure LMTP (a local version of SMTP) to deliver messages to Dovecot in Maildir format.

Install LMTP:
sudo apt install dovecot-lmtpd

Open the Dovecot 10-master.conf file:

sudo nano /etc/dovecot/conf.d/10-master.conf

Find the service lmtp section: