Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail, intended as an alternative to Sendmail MTA.

Remove sendmail if it was already installed on your system

yum remove sendmail
#1 Install Postfix
Now Install Postfix  and make sure it started at boot by adding chkconfig.
yum install postfix

chkconfig postfix on

#2 Create user to access mailbox

Lets create system user that will have access to mailbox with shell login disabled.

useradd -s /sbin/nologin mboxuser

Make a note of UID & GID of this user

grep mboxuser /etc/passwd



#3. Edit Postfix Config file 
If its a production server, takef a backup of

cd /etc/postfix/

Now open and edit file. You have to make sure uncomment or edit lines to fit your environment.

myhostname =
mydomain =
myorigin = $mydomain

inet_interfaces = all
inet_protocols = ipv4

# Uncomment and add or remove your local network if needed
mynetworks =, [::1]/128

# Uncomment
home_mailbox = Maildir/

# Add the following lines at the bottom
# Virtual domain config
virtual_mailbox_domains = /etc/postfix/virtual_domains
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox

# Replace UID:GID numbers with ones from Step 2
virtual_minimum_uid = 500
virtual_maximum_uid = 500
virtual_uid_maps = static:500
virtual_gid_maps = static:500
virtual_alias_maps = hash:/etc/postfix/virtual

#4. Create Virtual Domains File

Lets create a file /etc/postfix/virtual_domains which will hold all domains of our mail server. The file localtion should be defined in for virtual_mailbox_domains.  Update the virtual_domains file with domain names.

#5. Create Mailbox File
This is the file “/etc/postfix/vmailbox” defined in our“” and in here where we must enter all of the users with their domains, that will recieve their mails on this server.


Every line must end with “/” otherwise the users will not recieve their emails into their mailboxes.
We can also implement a “catch-all” account, to catch all emails for recipients not listed in “virtual_domains” file:

#6. Create Mail Folders and Fix Permissions
Next we need to create the virtual domain folders where user emails will be delivered to and add rights to access this folder and files to the user defined with UID and GID in“”.

You can rename this folder to anything you like and also relocate it but be sure to fix the path to it in also. Do not worry about creating additional directories inside vhosts/domain/ folder since Postfix will create this automatically.

mkdir /var/mail/vhosts
chown -R root:mboxuser /var/mail/
mkdir /var/mail/vhosts/
mkdir /var/mail/vhosts/
chown mboxuser:mboxuser -R /var/mail/vhosts/
#7. Update Postfix Lookup Table
Next we should run “postmap” to update the Postfix lookup table. We should run this everytime we make a change to these files. This creates a hashed .db instances of these files.

postmap /etc/postfix/virtual
postmap /etc/postfix/vmailbox
#8. Restart Postfix
Let’s restart Postfix for configuration changes to take effect:

/etc/init.d/postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
..and make sure Postfix is listening on port 25 and 465 (the last is secure SMTP port):

netstat -anp |grep 25
tcp 0 0* LISTEN 1146/master
netstat -anp |grep 465
tcp 0 0* LISTEN 1515/master

#9. Reconfigure IPTables
We must reconfigure IPTables to allow connections on port 25 (SMTP) and 465 (SMTPs).

#10. Testing Postfix
You can try testing our Postfix configuration by sending an email to existing recipient from Gmail. You can verify the log from /var/log/maillog.
Install and Configure Postfix with Dovecot
yum install dovecot
chkconfig dovecot on
#11. Edit Main Dovecot Configuration File
Before making any changes to Dovecot configuration file make a backup of it.

Main Dovecot configuration file is “/etc/dovecot/dovecot.conf”, additional config files are located in “/etc/dovecot/conf.d” directory. Main Dovecot configuration file should look like this:

# Uncomment and edit this line
protocols = imap pop3

# Uncomment and edit - make dovecot only listen on ipv4
listen = *

#12. Edit Additional Dovecot Configuration Files
There are additional Dovecot configuration files located in “/etc/dovecot/conf.d” directory. We need to edit some of them as follows.


# Uncomment
disable_plaintext_auth = yes

# Comment this line
#!include auth-system.conf.ext

# Uncomment
!include auth-passwdfile.conf.ext
!include auth-checkpassword.conf.ext



# Uncomment and edit
log_path = /var/log/dovecot.log
auth_verbose = yes
auth_verbose_passwords = no
auth_debug = no
auth_debug_passwords = no
mail_debug = no
verbose_ssl = no



# Uncomment and edit to reflect previous configuration
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_uid = 500
mail_gid = 500
mail_privileged_group = mboxuser


# Comment this out
#service lmtp {
# unix_listener lmtp {
# }

# Edit and change
service auth {
unix_listener auth-userdb {
mode = 0600
user = postfix
group = postfix
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
service auth-worker {
service dict {
unix_listener dict {


# Uncomment
ssl = yes
# Leave this for now - we will change this in Step 16
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

#13. Generate Passwords for Dovecot Users
The Dovecot users password file location is defined in “/etc/dovecot/conf.d/auth-passwdfile.conf.ext”. By default this is “/etc/dovecot/users” file. We can generate a password for user using the following command:

doveadm pw -s SHA512-CRYPT
Enter new password:
Retype new password:


We chose to use the strongest SHA512 encryption and as we can see, this command only encrypts the string you entered as password.

Next we need to edit or create a “/etc/dovecot/users” file and enter the information about a user as follows:{SHA512-CRYPT}$6$7iU6C9qP.Ba2R3bz$3cw0qRM4Q0s1Nh15xaJYzj8qA7AR4KjqQuE4vbMup4Ncg8rIFsnGGNvjH1huYw3.6ijkNWibp51N6N1FTxbJ01::::

We must not forget to add the “::::” at the end of the line to make this work!!

Repeat the process for every mail user on the server.

#14. Start Dovecot
We are finally ready to start Dovecot for the first time.

/etc/init.d/dovecot start
Starting Dovecot Imap: [ OK ]

Check that Dovecot is listening on IMAP(s) and POP(s) ports:

netstat -anpt |grep dovecot
tcp 0 0* LISTEN 1397/dovecot
tcp 0 0* LISTEN 1397/dovecot
tcp 0 0* LISTEN 1397/dovecot
tcp 0 0* LISTEN 1397/dovecot

#15. Generate Postfix Self-Signed Certificate
We need to generate a self-signed SSL certificate to be used with Postfix and Dovecot.

Follow these steps to do this:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/

 openssl genrsa -out postfix.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
openssl req -new -key postfix.key -out postfix.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [XX]:SI
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Ljubljana
Organization Name (eg, company) [Default Company Ltd]
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []
Email Address []
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 openssl x509 -req -days 3650 -in postfix.csr -signkey postfix.key -out postfix.crt
Signature ok
Getting Private key
#16. Reconfigure Postfix
To wrap things up, we must reconfigure Postfix to work with Dovecot.

This requires some additional changes to Postfix and configuration files as follows.

Add the following lines to the bottom of the “/etc/postfix/” file:

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/postfix.key
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.crt
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# HELO restrictions:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
# Sender restrictions:
smtpd_sender_restrictions =
# Recipient restrictions:
smtpd_recipient_restrictions =
# Relay restrictions
smtpd_relay_restrictions =
# Limit DOS
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100

These are mostly security checks and restrictions for our mail server. With these, we only allow authenticated users to send mail from our servers. Also we are checking if the senders and recipients are comming from a valid domain and more.

We have also configured a basic DOS security just to bounce off any unwanted attacks.

Also we need to edit “/etc/postfix/” file and uncomment the following lines:


submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

#17. Reconfigure Dovecot
Please change the SSL certificate used in Dovecot with the newly generated self-signed certificate as follows. If you leave

Dovecot pointing to default certificate you might encounter some SSL errors:


# Uncomment
ssl = yes
# Change to point to SSL cert generated in Step 15
ssl_cert = </etc/postfix/ssl/postfix.crt
ssl_key = </etc/postfix/ssl/postfix.key

#18. Reconfigure IPTables
We must reconfigure IPTables to allow connections on ports 110 (POP3), 993 (POP3s), 143 (IMAP) and 993 (IMAPs). Read more on how to reconfigure IPTables HERE.

#19. Restart Postfix and Dovecot
As a final step before testing out our new mail server, we need to restart Postfix and Dovecot services for changes to take effect.

/etc/init.d/postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
/etc/init.d/dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
Voila! We have successfully installed and configured Postfix with Dovecot!

You can now configure your IMAP or POP clients to use your server as a mail server. You can do this on your mobile or desktop clients such as MS Outlook or Thunderbird.

Leave a Reply