Domain and Records

Before you start anything, you need a domain. If you don’t have one, purchase one.

Because it takes time to replicate the records, you need to start this process first.

You will need to create A records for the domain. I created the following:

  • @
  • www
  • mail
  • smtp
  • imap
  • webmail

I have them all pointing to the same IP address but for the purpose of using different addresses for each service makes it

You will also need to point the MX record of the domain to the public-facing IP address of the Linux box (and set up any NAT if required).

Platform Set Up

I am assuming you already have a working Linux installation. For my setup I am using Linux Debian 7 (Wheezy), kernel version 2.6.32-042 Stable, 64-bit.

There are various ways you can set this up. For my setup I will be using a single server for handling the mail, presenting the webmail and holding the mySQL database. You can separate these functions out to different servers depending on the load requirements and underlying infrastructure.

Make sure your system is up-to-date by running the following command:

apt-get update
apt-get upgrade


This is how the whole solution hangs together. It makes sense to me, hopefully it will make sense to you at least by the time you finish reading this tutorial.

[Figure: Mail Hosting Design]


MBox vs MailDir

The Unix world has two ways of storing mail messages: the traditional mbox format and the newer maildir format. Postfix and Dovecot support both mail storage formats, so you can use either, but I highly recommend you use the maildir format.

For the purpose of this tutorial I will be setting it up with maildir. For me the main reason was to allow subfolders to be created in the mailbox (mbox doesn’t allow this no matter how much I tried!).

I won’t explain how mbox works but I will explain how Maildir does:

Receiving and storing a mail

  1. Create a unique file in the tmp directory
  2. Write the mail into the newly created file
  3. Move the completely written mail into the new directory

Retrieving a mail

  1. Locate and read the mail
  2. Move the mail from new into the cur directory and append the mail status flag into the filename

Deleting a mail

  1. Delete the file containing the mail

Searching a mail

  1. Search each and every mail file


Advantages

  • Locating, retrieving and deleting a specific mail is fast
  • Minimal to no file locking is needed
  • Can be used on a network file system
  • Immune to mailbox corruption assuming hardware will not fail


Disadvantages

  • Some filesystems may not efficiently handle a large number of small files
  • Searching text is slow because every mail file has to be opened
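The receive and retrieve steps listed above, written out as plain file operations. This is an added example, not code from the original tutorial; the function names are hypothetical and the mailbox path is whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the tutorial: Maildir delivery and retrieval
# expressed as plain file operations. Paths are supplied by the caller.

# Create the three directories every Maildir has.
maildir_init() { mkdir -p "$1/tmp" "$1/new" "$1/cur"; }

# Deliver the message on stdin into Maildir $1 and print its file name.
maildir_deliver() {
    box=$1
    [ -d "$box/tmp" ] && [ -d "$box/new" ] || return 1
    host=$(uname -n | tr '/:' '__')
    while :; do
        rnd=$(od -An -N4 -tx4 /dev/urandom | tr -d ' \n')
        name="$(date +%s).R${rnd}P$$.$host"
        # Step 1: claim a unique file in tmp/. noclobber makes ">" fail
        # if the name already exists, so two writers never share a file.
        ( set -C; : > "$box/tmp/$name" ) 2>/dev/null && break
    done
    # Step 2: write the whole message while readers cannot see it yet.
    cat > "$box/tmp/$name" || { rm -f "$box/tmp/$name"; return 1; }
    # Step 3: rename into new/. A rename within one filesystem is atomic,
    # so a reader sees either no file or the complete message.
    mv "$box/tmp/$name" "$box/new/$name" && echo "$name"
}

# Retrieval: move a message from new/ to cur/ and append the "seen" flag.
maildir_mark_seen() {
    mv "$1/new/$2" "$1/cur/$2:2,S" && echo "$2:2,S"
}

# Number of messages waiting in new/ (never includes half-written files).
maildir_count_new() { ls "$1/new" | wc -l | tr -d ' '; }
```

Because the only step that makes a message visible is the rename, no lock file is involved at any point, which is the "minimal to no file locking" property in the list above.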

SSL Certificate

Don’t be mistaken: if you don’t have an SSL certificate from a certified certificate authority, you can still use a self-signed one. For this tutorial we are going to assume the certificate is saved in /etc/ssl/certs/mailcert.pem and the key is saved in /etc/ssl/private/mail.key. Make sure the key is only readable by the root user!

Create a self-signed certificate

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mail.key -out /etc/ssl/certs/mailcert.pem

Fill in the details

Example only:

Generating a 2048 bit RSA private key
writing new private key to 'mail.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]: AU
State or Province Name (full name) [Some-State]: QLD
Locality Name (eg, city) []: Sydney
Organization Name (eg, company) : My Company Name
Organizational Unit Name (eg, section) []: IT Dept
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []: [email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note that this way you cannot create a certificate valid for more than one domain using the subjectAltName field without some additional work.

Check to see if the certs are created:

ls /etc/ssl/certs/mailcert.pem
ls /etc/ssl/private/mail.key
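The "additional work" mentioned in the note on subjectAltName, as an added example that is not part of the original tutorial: a self-signed certificate covering the mail, smtp, imap and webmail names, with a check that the key is private. The domain example.com is a placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the tutorial: one self-signed certificate that is
# valid for several host names. example.com is a placeholder domain.

# make_san_cert OUTDIR DOMAIN LABEL...  (the first label becomes the CN)
make_san_cert() {
    outdir=$1; domain=$2; shift 2
    cnf=$(mktemp) || return 1
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        printf 'x509_extensions = san\n[dn]\nCN = %s.%s\n' "$1" "$domain"
        printf '[san]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for label in "$@"; do
            printf 'DNS.%d = %s.%s\n' "$i" "$label" "$domain"
            i=$((i + 1))
        done
    } > "$cnf"
    rc=0
    # umask 077 so the private key is created readable by its owner only.
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$cnf" \
          -keyout "$outdir/mail.key" -out "$outdir/mailcert.pem" 2>/dev/null
    ) || rc=$?
    rm -f "$cnf"
    # The certificate itself is public; only the key has to stay private.
    [ "$rc" -eq 0 ] && chmod 644 "$outdir/mailcert.pem"
    return "$rc"
}

# List the DNS names a certificate covers, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# Succeeds only if group and others have no permission bits on the key.
key_is_private() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }
```

For the paths used in this tutorial the call would be `make_san_cert` with an output directory, your domain and the labels `mail smtp imap webmail`, followed by moving the two files to /etc/ssl/certs and /etc/ssl/private.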


Remove packages

Debian ships with a default MTA called exim4. You need to remove it or it will conflict with the port mappings.

apt-get remove exim4

Install Postfix

Install Postfix

apt-get install postfix

Stop Postfix

postfix stop

Postfix manages its own daemons, so the following commands are used to manage Postfix:

  • postfix start
  • postfix stop
  • postfix reload

Configuring Postfix

Postfix has two configuration files

  1. /etc/postfix/ = configuration of services Postfix should run on
  2. /etc/postfix/ = configuration options

vi /etc/postfix/

Add the following to the file. This takes mail from trusted clients for delivery to the broader internet and restricts unauthorised users.

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

The “-o” options override the settings that are taken from defaults.


It is better to start with a clean slate, so make a copy of the existing file first

cp /etc/postfix/ /etc/postfix/


rm /etc/postfix/

Create a new file

vi /etc/postfix/

Copy the following into the file

myhostname =
myorigin = /etc/mailname
mydestination =,, localhost, localhost.localdomain
relayhost =
mynetworks = [::ffff:]/104 [::1]/128
home_mailbox = Maildir/
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

Change the following lines to reflect your domain:

  • myhostname =
  • mydestination =

Check /etc/mailname file and ensure the correct FQDN is there eg:

With mydestination, just change the first two.

Ensure the host name of the service is specified in /etc/mailname; if you have used the same A records then use the “mail” one unless you have specific requirements not to.

The “mydestination” setting lists the domains Postfix accepts email for.

Leaving “relayhost” empty disables Postfix from being used as a relaying server.

In the same file you need to specify alias maps; enter the following lines:

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

We also need to specify SSL settings; enter the following after the alias maps in the same file:

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = !SSLv2, !SSLv3

A further addition to the file is a line that makes Postfix reject email to users that cannot be found in the table, which in this case is the aliases table.


Aliases are defined in the /etc/aliases file to tell Postfix what email addresses to accept; for example:

SMTP RFC 5321 mandates that any publicly accessible mail server that accepts any mail at all must also accept mail to the following addresses:

  • postmaster
  • hostmaster
  • abuse
  • webmaster

You can set up redirects from those email accounts to a specific user by adding in the aliases file “root: user” (user being the email address of a user).

mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
webmaster: root
abuse: root
root: user1
user1: user1

After updating aliases you must update the aliases database by issuing the following command:



Install Dovecot

apt-get install dovecot-core dovecot-imapd

Configuring Dovecot

Clearing out the configuration file is best for this too

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
rm /etc/dovecot/dovecot.conf
vi /etc/dovecot/dovecot.conf

Add the following:

disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = maildir:~/Maildir:LAYOUT=fs
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"

This enables plaintext authentication (the plain text is tunnelled through TLS), tells Dovecot to use the “mail” system group for accessing local mailboxes, uses the Unix authentication system to authenticate users and enables IMAP only.

It’s probably best to have Dovecot automatically create the Draft, Junk, Trash, Sent folders so add the following to the dovecot.conf file:

protocol imap {
  mail_plugins = " autocreate"
}
plugin {
  autocreate = Draft
  autocreate2 = Junk
  autocreate3 = Trash
  autocreate4 = Sent
  autosubscribe = Draft
  autosubscribe2 = Junk
  autosubscribe3 = Trash
  autosubscribe4 = Sent
}

We need to open a socket that Postfix can use to piggy-back on Dovecot’s authentication, add the following in dovecot.conf

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

Also configure SSL by adding the following into dovecot.conf

ssl_cert =</etc/ssl/certs/mailcert.pem
ssl_key =</etc/ssl/private/mail.key
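An added example (not part of the original tutorial) that statically checks the two TLS assumptions made in the Postfix and Dovecot sections: that plaintext IMAP logins only ever travel inside TLS, and that Postfix has a certificate for the submission service. It assumes Dovecot 2.x defaults and one setting per line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the tutorial: static check of the TLS-related
# settings. Assumes one setting per line and no continuation lines.

# conf_get FILE KEY DEFAULT: last top-level "KEY = value", or DEFAULT.
conf_get() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, "") }                         # strip comments
        /[{][ \t]*$/ { depth++; next }             # a block opens
        /^[ \t]*[}]/ { if (depth) depth--; next }  # a block closes
        depth == 0 && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) found = v
        }
        END { print (found != "" ? found : def) }' "$1"
}

# How Dovecot 2.x handles a plaintext login on a connection without TLS.
# Both settings default to "yes" when absent from dovecot.conf.
dovecot_login_exposure() {
    if [ "$(conf_get "$1" ssl yes)" = required ]; then
        echo tls-enforced
    elif [ "$(conf_get "$1" disable_plaintext_auth yes)" = yes ]; then
        echo refused-without-tls      # connections from localhost excepted
    else
        echo cleartext-login-possible
    fi
}

# The submission service demands TLS (smtpd_tls_security_level=encrypt),
# which needs a server certificate; this looks for smtpd_tls_cert_file.
postfix_tls_cert() { conf_get "$1" smtpd_tls_cert_file missing; }
```

With `disable_plaintext_auth = no` and no `ssl = required` line, the first function reports `cleartext-login-possible`: a client that connects to port 143 and skips STARTTLS can still send its password in the clear.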

Start Processes

This should be it, execute the following to start Postfix and Dovecot

postfix start
service dovecot restart


You don’t have to do this, but it is good to see it all working. Create two users:

adduser user1

Add the users into aliases

vi /etc/aliases
user1: user1

Recreate aliases database


Send an email to user1 and user2

Log into user1

su - user1

Check mail for user1

cat /var/mail/user1

You should be able to connect IMAP clients such as Outlook or Apple iPhone clients. If you created the same A records as mine then you should use the following settings:

incoming mail server: (SSL on port 993)
user: user1
password: whatever password you specified
outgoing mail server: (SSL on port 587)

If this isn’t working out so far, re-read the instructions above. If that fails, I have added a troubleshooting section at the end of this post.


Okay, if all is going well at this point, then let’s install Roundcube. If you prefer using a different webmail solution or if you wish not to use one then skip this step.

Roundcube is an AJAX-driven webmail solution that runs on a typical LAMPP stack. There are customisable skins (two pre-installed) that use the latest web standards (XHTML and CSS 2).

If Apache, mySQL and PHP aren’t installed, follow these steps:

Install Apache2

apt-get install apache2

Install mySQL

apt-get install mysql-server

You will need to specify a mySQL root password. Make this secure and save it in a password manager; you will need it later.

Install PHP 5

apt-get install php5 libapache2-mod-php5 php5-mysql

Restart Apache

/etc/init.d/apache2 restart

An example only:

Change to root folder

cd /root

Extract the archive out (install tar if not already installed)

tar xvf roundcubemail-1.1.1-complete.tar.gz

Install additional packages

apt-get install php5-mcrypt
apt-get install php5-intl

Configure time zone in Apache

vi /etc/php5/apache2/php.ini

Change the following line to a time zone specific to your location

Okay, so that is the base for Roundcube to be installed on. Now you have to configure a vhost for Apache, which can be followed using this process. I recommend using the A record webmail for your vhost and locating it in the /var/www/vhosts directory.

Create a folder for Roundcube to be installed

mkdir -p /var/www/vhosts/

Copy the Roundcube files to the vhost location (my example is Roundcube version 1.0.2)

mv /root/roundcubemail-1.1.1/* /var/www/vhosts/


You will need to create a new database and grant privileges to it for a local mySQL account using the steps below. If you require further mySQL commands.

Log into mySQL

mysql -u root -p

Use the password you specified earlier when installing mySQL

Create a database


Grant privileges

GRANT ALL PRIVILEGES ON roundcube.* TO [email protected] IDENTIFIED BY 'password';

Change the ‘password’ to something secure

Flush privileges


Exit mySQL command line interface


Launch Roundcube Installer

So, if that is all set up correctly you should have Apache, PHP and mySQL installed with a database ready to be used.

Go to the following address to run the Roundcube installer

Follow the prompts

If everything works out you should be able to go to your new webmail console at

Roundcube Webmail

Roundcube Plugins

If you are using the Roundcube webmail you will find basic webmail features. If you want more than that, you can install a multitude of plugins to add certain functionality.

Roundcube Security

Change the encryption key in the file to a new 24 character string

vi /var/www/vhosts/

Find the string:

$config['des_key'] = 'some24bitstring'
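One way to carry out this step without typing a key by hand, as an added example that is not part of the original tutorial: generate 24 random characters and rewrite the des_key line in place. The function names are hypothetical and the config file path is passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the tutorial: give Roundcube a fresh random
# 24-character des_key. The config file path is supplied by the caller.

# 24 characters from the kernel random source, limited to [A-Za-z0-9]
# so the value needs no quoting inside the PHP string.
new_des_key() { LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24; }

# Rewrite the des_key line of config file $1; fail if there is none.
set_des_key() {
    conf=$1
    key=$(new_des_key)
    [ "${#key}" -eq 24 ] || return 1
    tmp=$(mktemp) || return 1
    # \047 is a single quote; the line is matched literally, not by regex.
    awk -v key="$key" '
        index($0, "$config[\047des_key\047]") == 1 {
            print "$config[\047des_key\047] = \047" key "\047;"
            hit = 1; next
        }
        { print }
        END { exit !hit }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"     # overwrite contents, keep owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```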

Message Attachment Size Limit


By default, Postfix limits the file attachment size to 10 megabytes. You can change this by executing the following:

postconf -e 'message_size_limit = 102400000'

This raises the file size limit from 10M to 100M (this is not recommended if you don’t have a good internet connection on the server).


Once you have changed the attachment size in Postfix, you might want to change it in Roundcube

Make a backup of php.ini first

vi /etc/php5/apache2/php.ini

Search for the following two lines:

post_max_size =
upload_max_filesize =

Change the values to your desired size.

Restart Apache for settings to take effect

/etc/init.d/apache2 restart


To see any problems with the setup

tail -f /var/log/syslog


tail -f /var/log/mail.log

To see the mail queue in Postfix


To clear the mail queue

postsuper -d ALL

Location mail is stored:

For root:


For users:


If you cannot see mail in the web mail client, browse to the Maildir directory for the user and see if you see any files in the cur folders

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.
