How to set up postfix and dovecot to have a comprehensive mail server
This thread belongs to

2014-10-23 16:11 GMT   |   #1

Comments: 14
We've been using postfix+dovecot for more than 8 years they can do anything we expect from a mail server.
We've started using postfix because sendmail is basically unconfigurable, I mean I don't want to learn a macro language only to configure my mail server.
A little later we've started using dovecot because we needed virtual domains and we didn't want to create a jillion linux users for every mail account. Dovecot solves this in a very good way, keep reading.
Installation and configuration steps (described for debian but can be adapted to any distro):
  1. install packages: postfix (as Internet server), dovecot-pop3d, dovecot-imapd, spamassassin, spamc. You can install ony one of these dovecot packages depending on your needs. If you have dovecot2 also install dovecot-postfix (or mail-stack-delivery on newer systems). If you want sieve and to be able modify sieve scripts from your user agent install dovecot-sieve and dovecot-managesieve.
  2. We will create one account for all mail accounts, let's call it vmail:
  3. groupadd vmail
    useradd -g vmail vmail
    groupadd spamd
    useradd -d /var/log/spamassassin -g spamd spamd
    mkdir /var/log/spamassassin
    chown spamd.spamd /var/log/spamassassin
    mkdir /var/vmail
    chown vmail.vmail /var/vmail

  4. Add the following values to your /etc/postfix/
  5. myhostname =
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination =, localhost.localdomain, localhost
    relayhost =
    mynetworks =
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = ipv4
    dovecot_destination_recipient_limit = 1
    virtual_mailbox_domains =
    virtual_transport = dovecot
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes

    Please nothe that smtpd_tls_auth_only = yes may cause problems with several mail clients so you better avoid it. Also note that myhostname is set to in my config. That's because we want to use with dovecot.

  6. Let's add a basic openrelay filter:
  7. smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

    Or here is a more restrictive ruleset that also filters a lot of spam:

    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, permit
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
    smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
    smtpd_data_restrictions = reject_unauth_pipelining

  8. Enable spamassassin:
  9. /etc/default/spamassassin



    modify smtp service:

    smtp      inet  n       -       -       -       -       smtpd
            -o content_filter=spamassassin

    add new services:

    spamassassin unix -     n       n       -       -       pipe
        user=spamd argv=/usr/bin/spamc -f -e
        /usr/sbin/sendmail -oi -f ${sender} ${recipient}
    dovecot   unix  -       n       n       -       -       pipe
        flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f $sender -d $recipient
    smtps    inet  n       -       n       -       -       smtpd
        -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

  10. To configure spamassassin add to /etc/spamassassin/ :
  11. rewrite_header Subject ***** SPAM _SCORE_ *****
    skip_rbl_checks         0
    use_razor2              0
    use_pyzor               0

  12. Dovecot 1 is fairly old so we do not cover it in this thread. To configure dovecot2 you have to add/modify several lines in several files:

    1. 01-mail-stack-delivery.conf or 99-mail-stack-delivery.conf
    2. disable_plaintext_auth = no
      mail_location = mdbox:/var/vmail/%u
      auth_username_chars = ...

      Where auth_username_chars should contain all characters that you use in your usernames. We usually add + to the default characters. mdbox is dovecot's own storage format, if you want more compatibility at the expense of performance use mbox.

    3. 10-auth.conf
    4. !include auth-passwdfile.conf.ext

    5. 10-logging.conf
    6. syslog_facility = mail

    7. 10-mail.conf
    8. mail_uid = vmail
      mail_gid = vmail
      mail_access_groups = vmail

    9. 10-master.conf in section service-auth unix_listener auth-userdb
    10. mode = 0600
      user = vmail
      group = vmail

    11. auth-passwdfile.conf.ext
    12. args = scheme=CRYPT username_format=%u /etc/dovecot/userlist
      args = username_format=%u /etc/dovecot/userlist

    13. to increase the number of concurrent connections/ip set for every occurence (should be in: protocol imap/pop3/managesieve {}):
    14. mail_max_userip_connections=100

  13. Restart postfix, dovecot and spamassassin and you are good to go
  14. Create your user database in /etc/dovecot/userlist, an example entry:

  16. Optionally create sieve scripts for personalized filtering, forwarding etc in /var/vmail/ For example a simple forwarding looks like this:
  17. redirect ""

  18. Some advanced Pigeonhole sieve options that you may need:
  19. sieve_max_actions = 500
    sieve_max_redirects = 100

    sieve_plugins = sieve_extprograms
    sieve_extensions = +notify +imapflags +vnd.dovecot.execute
    sieve_execute_bin_dir = /some/dir

Last edited by perpeton at 2016-11-02 13:00 GMT
2017-11-06 16:19 GMT   |   #2

Comments: 14

Other useful options:

OPTIONS="-u debian-spamd -g debian-spamd ..."

If you want to use spamass-milter then don't add the spamassassin service to postfix, instead add as a milter:

smtpd_milters = unix:spamass/spamass.sock
non_smtpd_milters = unix:spamass/spamass.sock

OPTIONS="... -- -u debian-spamd  -s 268435456"

Nowadays Debian creates user debian-spamd so use that instead of spamd.

Last edited by perpeton at 2017-11-17 10:44 GMT