How to set up an email server using Postfix, Dovecot and Roundcube on Linux Debian


Domain and Records

Before you start anything, you need a domain. If you don’t have one, purchase one.

Because it takes time to replicate the records, you need to start this process first.

You will need to create A records for the domain. I created the following:

  • @
  • www
  • mail
  • smtp
  • imap
  • webmail

I have them all pointing to the same IP address but for the purpose of using different addresses for each service makes it

You will also need to point the MX record of the domain to the public-facing IP address of the Linux box (and set up any NAT if required).

Platform Set Up

I am assuming you already have a working Linux installation. For my setup I am using Linux Debian 7 (Wheezy), kernel version 2.6.32-042 Stable, 64-bit.

There are various ways you can set this up. For my setup I will be using a single server for handling the mail, presenting the webmail and holding the MySQL database. You can separate these functions out to different servers depending on the load requirements and underlying infrastructure.

Make sure your system is up-to-date by running the following command:


This is how the whole solution hangs together. It makes sense to me, hopefully it will make sense to you at least by the time you finish reading this tutorial.

[Figure: Mail Hosting Design]


MBox vs MailDir

The Unix world has two ways of storing mail messages: the traditional mbox format and the newer maildir format. Postfix and Dovecot support both mail storage formats, so you can use either, but I highly recommend you use the maildir format.

For the purpose of this tutorial I will be setting it up with maildir. For me the main purpose of this was to allow subfolders to be created in the mailbox (mbox doesn’t allow this no matter how much I tried!).

I won’t explain how mbox works but I will explain how Maildir does:

Receiving and storing a mail

  1. Create a unique file in the tmp directory
  2. Write the mail into the newly created file
  3. Move the completely written mail into the new directory

Retrieving a mail

  1. Locate and read the mail
  2. Move the mail from new into the cur directory and append the mail status flag into the filename

Deleting a mail

  1. Delete the file containing the mail

Searching a mail

  1. Search each and every mail file
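The receive, retrieve and delete steps listed above, written out as an added Python example (not code from the original post, Postfix or Dovecot). The unique-name scheme and the function names are assumptions made for illustration; `:2,S` is the standard Maildir suffix for a message that has been seen.

```python
import os
import socket
import time

_seq = 0  # per-process delivery counter, part of the unique name

def make_maildir(root):
    """Create tmp/, new/ and cur/ accessible to the mailbox owner only."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(root, sub), mode=0o700, exist_ok=True)
    return root

def deliver(root, message):
    """Receiving: unique file in tmp/, write it fully, then move it to new/."""
    global _seq
    _seq += 1
    host = socket.gethostname().replace("/", "_").replace(":", "_")
    name = "%d.P%dQ%d.%s" % (time.time(), os.getpid(), _seq, host)
    tmp_path = os.path.join(root, "tmp", name)
    # O_EXCL fails instead of overwriting if the name is somehow taken.
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(message)
        fh.flush()
        os.fsync(fh.fileno())  # on disk before any reader can see it
    # rename() is atomic within one filesystem: new/ never holds a partial
    # mail, which is why no mailbox-wide lock is needed.
    os.rename(tmp_path, os.path.join(root, "new", name))
    return name

def retrieve(root, name, flags="S"):
    """Retrieving: read from new/, then move to cur/ with status flags."""
    src = os.path.join(root, "new", name)
    with open(src, "rb") as fh:
        body = fh.read()
    cur_name = "%s:2,%s" % (name, "".join(sorted(flags)))  # S = seen
    os.rename(src, os.path.join(root, "cur", cur_name))
    return body, cur_name

def delete(root, cur_name):
    """Deleting: a single unlink; no other message is touched."""
    os.unlink(os.path.join(root, "cur", cur_name))
```
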


  • Locating, retrieving and deleting a specific mail is fast
  • Minimal to no file locking is needed
  • Can be used on a network file system
  • Immune to mailbox corruption assuming hardware will not fail


  • Some filesystems may not efficiently handle a large number of small files
  • Searching text is slow because every mail file has to be opened.

SSL Certificate

Don’t get mistaken: if you don’t have an SSL certificate from a certified certificate authority, you can still use a self-signed one. For this tutorial we are going to assume the certificate is saved in /etc/ssl/certs/mailcert.pem and the key is saved in /etc/ssl/private/mail.key. Make sure the key is only readable by the root user!

Create a self signed certificate

Fill in the details

Example only:

Note that this way you cannot create a certificate valid for more than one domain using the subjectAltName field without some additional work.

Check to see if the certs are created:


Remove packages

Debian ships a default MTA called exim4. You need to remove it or it will conflict with the port mappings.

Install Postfix

Install Postfix

Stop Postfix

Postfix manages its own daemons, so the following commands work to manage Postfix:

  • postfix start
  • postfix stop
  • postfix reload

Configuring Postfix

Postfix has two configuration files

  1. /etc/postfix/ = configuration of services Postfix should run on
  2. /etc/postfix/ = configuration options

Add the following into the, this will take mail from trusted clients for delivery to broader internet, this restricts unauthorised users.

The “-o” options override the settings that are taken from defaults.


It is better to start with a clean slate so make a copy of the first


Create a new file

Copy the following into the file

Change the following lines to reflect your domain:

  • myhostname =
  • mydestination =

Check /etc/mailname file and ensure the correct FQDN is there eg:

With mydestination, just change the first two.

Ensure the host name of the service is specified in /etc/mailname; if you have used the same A records then use the “mail” one unless you have specific requirements not to.

“mydestination” sets the domains Postfix accepts email for.

Leaving “relayhost” empty disables Postfix from being used as a relaying server.

In the same file ( you need to specify alias maps, enter the following lines:

We need to also specify SSL settings, enter the following after alias maps in

A further addition to the file is a line that makes Postfix reject email to users that cannot be found in the table, which in this case is the aliases table.


Aliases are defined in the /etc/aliases file to tell Postfix what email addresses to accept; for example:

SMTP RFC 5321 mandates that any publicly accessible mail server that accepts any mail at all must also accept mail to the following addresses:

  • postmaster
  • hostmaster
  • abuse
  • webmaster

You can set up redirects from those email accounts to a specific user by adding in the aliases file “root: user” (user being the email address of a user).
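A check for the requirement above, as an added Python example (not from the original post): it parses aliases-file text and reports whether each of the four addresses listed above ends at a deliverable recipient. The sample text, user names and function names are constructed, and targets are assumed to be local user names or full addresses.

```python
REQUIRED = ("postmaster", "hostmaster", "abuse", "webmaster")  # list from the text above

# Constructed sample aliases text, not taken from the page.
SAMPLE = ("postmaster: root\nhostmaster: root\n"
          "abuse: root,\n    security@example.org\n"
          "webmaster: nobody-here\nroot: user1\n")

def parse_aliases(text):
    """Parse 'name: target, target'; '#' lines are comments; leading whitespace continues an entry."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            targets = raw
        else:
            name, sep, targets = raw.partition(":")
            if not sep:
                continue  # not an alias definition
            current = name.strip().lower()
            entries.setdefault(current, [])
        entries[current] += [t.strip() for t in targets.split(",") if t.strip()]
    return entries

def resolve(name, aliases, seen=()):
    """Follow alias chains to their final targets; a loop yields nothing."""
    if name in seen:
        return set()
    if name not in aliases:
        return {name}
    finals = set()
    for target in aliases[name]:
        finals |= resolve(target.lower(), aliases, seen + (name,))
    return finals

def audit(text, local_users):
    """Map each required address to 'ok', 'missing' or 'undeliverable'."""
    aliases, report = parse_aliases(text), {}
    for addr in REQUIRED:
        finals = resolve(addr, aliases) if addr in aliases else None
        if finals is None:
            report[addr] = "missing"
        elif finals and all("@" in f or f in local_users for f in finals):
            report[addr] = "ok"
        else:
            report[addr] = "undeliverable"
    return report
```
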

After updating aliases you must update the aliases database by issuing the following command:


Install Dovecot

Configuring Dovecot

Clearing out the configuration file is best for this too

Add the following:

This enables plaintext authentication (the plain text is tunnelled through TLS), tells Dovecot to use the “mail” system group for accessing local mailboxes, uses the Unix authentication system to authenticate users, and enables IMAP only.

It’s probably best to have Dovecot automatically create the Draft, Junk, Trash, Sent folders so add the following to the dovecot.conf file:

We need to open a socket that Postfix can use to piggy-back on Dovecot’s authentication, add the following in dovecot.conf

Also configure SSL by adding the following into dovecot.conf

Start Processes

This should be it, execute the following to start Postfix and Dovecot


You don’t have to do this but it is good to see it all working, create two users:

Add the users into aliases

Recreate aliases database

Send an email to user1 and user2

Log into user1

Check mail for user1

You should be able to connect IMAP clients such as Outlook or Apple iPhone clients. If you created the same A records as mine then you should use the following settings:

incoming mail server: (SSL on port 993)
user: user1
password: whatever password you specified
outgoing mail server: (SSL on port 587)

If this isn’t working out so far, re-read the instructions above. If that fails, I have added a troubleshooting section at the end of this post.


Okay, if all is going well at this point, then let’s install Roundcube. If you prefer using a different webmail solution or if you wish not to use one, then skip this step.

Roundcube is an AJAX-driven webmail solution that runs on a typical LAMPP stack. There are customisable skins (two pre-installed) that use the latest web standards (XHTML and CSS 2).

If Apache, MySQL and PHP aren’t installed, follow these steps:

Install Apache2

Install mySQL

You will need to specify a mysql root password, make this secure and save in a password manager – you will need this later

Install PHP 5

Restart Apache

An example only:

Change to root folder

Extract the archive out (install tar if not already installed)

Install additional packages

Configure time zone in Apache

Change the following line to a time zone specific to your location

Okay, so that is the base for Roundcube to be installed on. Now you have to configure a vhost for Apache, which can be followed using this process. I recommend using the A record webmail for your vhost and locating it in the /var/www/vhosts directory.

Create a folder for Roundcube to be installed

Copy the Roundcube files to the vhost location (my example is Roundcube version 1.0.2)


You will need to create a new database and grant privileges to it for a local mySQL account using the steps below. If you require further mySQL commands.

Log into mySQL

Use the password you specified earlier when installing mySQL

Create a database

Grant privileges

Change the ‘password’ to something secure

Flush privileges

Exit mySQL command line interface

Launch Roundcube Installer

So, if that is all set up correctly, you should have Apache, PHP and MySQL installed with a database ready to be used.

Go to the following address to run the Roundcube installer

Follow the prompts

If everything works out you should be able to go to your new webmail console at

Roundcube Webmail

Roundcube Plugins

If you are using the Roundcube webmail, you will find basic webmail features. If you want more than that, you can install a multitude of plugins to add functionality.

Roundcube Security

Change the encryption key in the file to a new 24 character string

Find the string:

Message Attachment Size Limit


By default, Postfix limits the file attachment size to 10 megabytes. You can change this by executing the following:

This changes the file size limit from 10M to 100M (this is not recommended if you don’t have a good internet connection on the server).


Once you have changed the attachment size in Postfix, you might want to change it in Roundcube

Make a backup of php.ini first

Search for the following two lines:

post_max_size =
upload_max_filesize =

Change the values to your desired size.

Restart Apache for settings to take effect


To see any problems with the setup


To see the mail queue in Postfix

To clear the mail queue

Location mail is stored:

For root:


For users:


If you cannot see mail in the webmail client, browse to the Maildir directory for the user and check whether there are any files in the cur folders.

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

WordPress Security Keys


Using strong security keys is an important part of securing WordPress against external attack. WordPress security keys refer to four authentication keys and four hashing salts (random bits of data) that work to add an extra layer of security to your cookies and password. The security keys are defined in your WordPress configuration file, wp-config.php.

Out of the box there are keys predefined; however, if you want a super strong WordPress installation, you should really change these to something else. As of WordPress 3.0, there are eight security keys in the following format:

  • WordPress 2.7: NONCE_KEY

View the Security Keys

1. Edit the wp-config.php file


Each key needs to be completely random and different from the others. You can do this manually or you can use the WordPress online service for an automatic key-generation.

Official WordPress Secret Key Generator

You can refresh the page to generate new keys until you find the key set you desire the most.

You will need to copy the entire block of code and replace the eight default keys with the eight random ones.

Other Considerations

  • Never reveal your security keys to anyone
  • Any logged in users will need to log back in if you change the keys
  • Security keys can be changed at any time


How to Install Curl into PHP5 and Apache


Curl is a library that lets you make HTTP requests in PHP.

Most hosting providers have cURL installed already, but if you have to install it on your self-managed server with Apache and PHP5 installed, then follow this step-by-step process.

1. Install packages

2. Open php.ini and add extension (my php.ini file is located at /etc/php5/apache2/php.ini)

3. Restart Apache


A Collection of Wordlists

You are only as effective as the wordlist you use. Over the years I have collected a fair few of them and will bring them to you all in one place.


10k_common.txt 82KB

2012commonpw.txt 1KB

All_Common_Router_Passwords.txt 3.3KB

commonpasswords.txt 3.3KB


AllPasswords.txt 58MB

dic.txt 8.6MB


darkc0de.txt 17MB

smalllist.txt 26MB

realhuman_phill.txt 683.2KB

rockyou.txt 133.4KB


pwgen-nontty.gz 118.7MB

pwgen-tty.gz 120.4MB

Wordlists-20031009.txt 613MB

Worst Passwords

500-worst-passwords.txt 3.4KB

I will add more as I get them.


Add User to Sudo Without Prompting Password


You might need to add users to sudoers, but when they elevate to sudo they will be prompted for a password. This process will add the user to sudoers and also allow them to run commands without being prompted for a sudo password.

This works for Linux Ubuntu or Debian.


1. Install Sudo (if not currently installed)

2. Edit Sudo configuration

3. Add this line at the end of the configuration file (change sally to the username you are using)
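An audit for the setting this procedure creates, as an added Python example (not from the original post): it lists which sudoers entries carry the NOPASSWD tag and which of those cover every command, since any process running as such a user can become root with no further prompt. The sample sudoers text, including the `deploy` entry, is constructed; `sally` is the user name from step 3, and only single user-spec lines of the usual form are handled.

```python
import re

TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

# Constructed sample sudoers text, not taken from the page.
SAMPLE = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
sally ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart, PASSWD: /bin/su
"""

def nopasswd_rules(text):
    """Return (who, command) pairs that sudo runs without asking for a password."""
    hits = []
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = line.strip()
        fields = line.split(None, 1)
        if (len(fields) < 2 or line.startswith(("#", "@", "Defaults"))
                or fields[0].endswith("_Alias")):
            continue  # blank line, comment, include, Defaults or alias definition
        who, rest = fields
        _hosts, sep, spec = rest.partition("=")
        if not sep:
            continue
        spec = re.sub(r"\([^)]*\)", "", spec)  # drop Runas lists such as (ALL:ALL)
        nopasswd = False  # a tag stays in force for later commands in the spec
        for cmd in spec.split(","):
            cmd = cmd.strip()
            while (m := TAG.match(cmd)):
                if m.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                cmd = cmd[m.end():]
            if nopasswd and cmd:
                hits.append((who, cmd))
    return hits

def unrestricted(hits):
    """Users or groups whose passwordless rule covers every command."""
    return sorted({who for who, cmd in hits if cmd == "ALL"})
```
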
