Virtual user mail system with Postfix,

Dovecot and Roundcube

This article describes how to set up a virtual user mail system, i.e. where Related articles
the senders and recipients do not correspond to the Linux system users.
Courier MTA
Roughly, the components used in this article are Postfix as the mail
server, Dovecot as the IMAP server, Roundcube as the webmail OpenDKIM
interface and PostfixAdmin as the administration interface to manage it Postfix
all.
SOGo
In the end, the provided solution will allow you to use the best currently
available security mechanisms, you will be able to send mails using SMTP and SMTPS and receive
mails using POP3, POP3S, IMAP and IMAPS. Additionally, configuration will be easy thanks to
PostfixAdmin and users will be able to login using Roundcube.

Contents
Installation
Configuration
User
Database
PostfixAdmin
SSL certificate
Postfix
Setting up Postfix
Create the file structure
Dovecot
DH parameters
PostfixAdmin
Roundcube
Apache configuration
Roundcube: Change Password Plugin
Fire it up
Testing
Error response
See that you have received a email
Optional Items
Quota
Autocreate and autosubscribe folders in Dovecot
Dovecot public folder and global ACLs
Fighting Spam
Sidenotes
Alternative vmail folder structure
Troubleshooting
IMAP/POP3 client failing to receive mails
Roundcube not able to delete emails or view any 'standard' folders
LMTP / Sieve
Are your emails sent to gmail users ending up in their junk/spam folders?
See also

Installation
Before you start, you must have both a working MySQL server as described in MySQL and a
working Postfix server as described in Postfix.

Install the postfix-mysql (https://archlinux.org/packages/?name=postfix-mysql),

dovecot (https://archlinux.org/packages/?name=dovecot), and roundcubemail (http
s://archlinux.org/packages/?name=roundcubemail) packages.

Configuration

User

For security reasons, a new user should be created to store the mails:

# groupadd -g 5000 vmail

# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail

A gid and uid of 5000 is used in both cases so that we do not run into conflicts with regular users.
All your mail will then be stored in /home/vmail . You could change the home directory to
something like /var/mail/vmail but be careful to change this in any configuration below as
well.

Database

You will need to create an empty database and corresponding user. In this article, the user
postfix_user will have read/write access to the database postfix_db using hunter2 as password.
You are expected to create the database and user yourself, and give the user permission to use the
database, as shown in the following code.

$ mysql -u root -p

CREATE DATABASE postfix_db;

GRANT ALL ON postfix_db.* TO 'postfix_user'@'localhost' IDENTIFIED BY 'hunter2';

FLUSH PRIVILEGES;

Now you can go to the PostfixAdmin's setup page, let PostfixAdmin create the needed tables and
create the users in there.

PostfixAdmin

See PostfixAdmin.
SSL certificate

You will need a SSL certificate for all encrypted mail communications (SMTPS/IMAPS/POP3S). If
you do not have one, create one:

# cd /etc/ssl/private/

# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout vmail.key -out vmail.crt -days 1460 #days are optional

# chmod 400 vmail.key

# chmod 444 vmail.crt

Alternatively, create a free trusted certificate using Let's Encrypt. The private key will be in
/etc/letsencrypt/live/yourdomain/privkey.pem , the certificate in
/etc/letsencrypt/live/yourdomain/fullchain.pem . Either change the configuration
accordingly, or symlink the keys to /etc/ssl/private :

# ln -s /etc/letsencrypt/live/yourdomain/privkey.pem /etc/ssl/private/vmail.key

# ln -s /etc/letsencrypt/live/yourdomain/fullchain.pem /etc/ssl/private/vmail.crt

Postfix

Before you copy & paste the configuration below, check if relay_domains has already been set.
If you leave more than one active, you will receive warnings during runtime.

Warning: relay_domains can be dangerous. You usually do not want Postfix to forward mail
of strangers. $mydestination is a sane default value. Double check its value before running
postfix! See
http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to

Also follow Postfix#Secure SMTP (receiving) pointing to the files you created in #SSL
certificate.

Setting up Postfix

To /etc/postfix/main.cf append:

relay_domains = $mydestination

virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf

virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf

virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf

virtual_mailbox_base = /home/vmail

virtual_mailbox_limit = 512000000

virtual_minimum_uid = 5000

virtual_transport = virtual

virtual_uid_maps = static:5000

virtual_gid_maps = static:5000

local_transport = virtual

local_recipient_maps = $virtual_mailbox_maps

transport_maps = hash:/etc/postfix/transport

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = /var/run/dovecot/auth-client

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

smtpd_sasl_security_options = noanonymous

smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

smtpd_tls_security_level = may

smtpd_tls_auth_only = yes

smtpd_tls_received_header = yes

smtpd_tls_cert_file = /etc/ssl/private/vmail.crt

 smtpd_tls_key_file = /etc/ssl/private/vmail.key

smtpd_sasl_local_domain = $mydomain

smtpd_tls_loglevel = 1

smtp_tls_security_level = may

smtp_tls_loglevel = 1

In the configuration above virtual_mailbox_domains is a list of the domains that you want
to receive mail for. This CANNOT contain the domain that is set in mydestination . That is
why we left mydestination to be localhost only.

virtual_mailbox_maps will contain the information of virtual users and their mailbox
locations. We are using a hash file to store the more permanent maps, and these will then
override the forwards in the MySQL database.

virtual_mailbox_base is the base directory where the virtual mailboxes will be stored.

The virtual_uid_maps and virtual_gid_maps are the real system user IDs that the virtual
mails will be owned by. This is for storage purposes.

Note: Since we will be using a web interface (Roundcube), and do not want people accessing
this by any other means, we will be creating this account later without providing any login
access.

Create the file structure

Those new additional settings reference a lot of files that do not even exist yet. We will create them
with the following steps.

If you were setting up your database with PostfixAdmin and created the database schema through
PostfixAdmin, you can create the following files. Do not forget to change the password:

/etc/postfix/virtual_alias_maps.cf

user = postfix_user
password = hunter2

hosts = localhost

dbname = postfix_db
table = alias

select_field = goto
where_field = address

/etc/postfix/virtual_mailbox_domains.cf

user = postfix_user
password = hunter2

hosts = localhost

dbname = postfix_db
table = domain

select_field = domain

where_field = domain

/etc/postfix/virtual_mailbox_maps.cf

user = postfix_user
password = hunter2

hosts = localhost

dbname = postfix_db
table = mailbox

select_field = maildir

where_field = username

For alias domains functionality adjust the following files:

/etc/postfix/main.cf

virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf,proxy:mysql:/etc/postfix/virtual_alias_domains
_maps.cf

virtual_alias_domains = proxy:mysql:/etc/postfix/virtual_alias_domains.cf

/etc/postfix/virtual_alias_domains_maps.cf

user = postfix_user
password = hunter2

hosts = localhost

dbname = postfix_db
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%
u', '@', alias_domain.target_domain) AND alias.active = '1' AND alias_domain.active='1'

/etc/postfix/virtual_alias_domains.cf

user = postfix_user
password = hunter2

hosts = localhost

dbname = postfix_db
query = SELECT alias_domain FROM alias_domain WHERE alias_domain='%s' AND active = '1'

Note: For setups without using PostfixAdmin, create the following files.

/etc/postfix/virtual_alias_maps.cf

user = postfix_user
password = hunter2

hosts = localhost

dbname = postfix_db
table = domains

select_field = virtual

where_field = domain

/etc/postfix/virtual_mailbox_domains.cf

user = postfix_user
password = hunter2

hosts = localhost

dbname = postfix_db
table = forwardings
select_field = destination

where_field = source

/etc/postfix/virtual_mailbox_maps.cf

user = postfix_user
password = hunter2

hosts = localhost

dbname = postfix_db
table = users

select_field = concat(domain,'/',email,'/')

where_field = email

Run postmap on transport to generate its db:

# postmap /etc/postfix/transport

Dovecot

Instead of using the provided Dovecot example configuration file, we will create our own
/etc/dovecot/dovecot.conf . Please note that the user and group here might be vmail
instead of postfix!

/etc/dovecot/dovecot.conf

protocols = imap pop3

auth_mechanisms = plain

passdb {

driver = sql

args = /etc/dovecot/dovecot-sql.conf

userdb {

driver = sql

args = /etc/dovecot/dovecot-sql.conf

service auth {

unix_listener auth-client {

group = postfix

mode = 0660
user = postfix

user = root

mail_home = /home/vmail/%d/%n

mail_location = maildir:~

ssl_cert = </etc/ssl/private/vmail.crt

ssl_key = </etc/ssl/private/vmail.key

Note: If you instead want to modify dovecot.conf.sample , beware that the default
configuration file imports the content of conf.d/*.conf . Those files call other files that are not
present in our configuration.

Now we create /etc/dovecot/dovecot-sql.conf , which we just referenced in the

configuration above. Use the following contents and check if everything is set accordingly to your
system's configuration.

If you used PostfixAdmin, then you add the following:

/etc/dovecot/dovecot-sql.conf

driver = mysql

connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2

# It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/P

asswordSchemes

default_pass_scheme = SHA512-CRYPT

# Get the mailbox

user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, co
ncat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'

# Get the password

password_query = SELECT username as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%

n' as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'

# If using client certificates for authentication, comment the above and uncomment the following

#password_query = SELECT null AS password, ‘%u’ AS user

Without having used PostfixAdmin you can use:

/etc/dovecot/dovecot-sql.conf

driver = mysql

connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2

 # It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/P

asswordSchemes

default_pass_scheme = SHA512-CRYPT

# Get the mailbox

user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, co
ncat('dirsize:storage=', quota) AS quota FROM users WHERE email = '%u'

# Get the password

password_query = SELECT email as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' a

s userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM users WHERE email = '%u'

# If using client certificates for authentication, comment the above and uncomment the following

#password_query = SELECT null AS password, ‘%u’ AS user

Tip: Visit https://wiki2.dovecot.org/Variables to learn more about Dovecot variables.

DH parameters

With v2.3 you are required to provide ssl_dh = /path/to/dh.pem yourself.

To generate a new DH parameters file (this will take very long):

# openssl dhparam -out /etc/dovecot/dh.pem 4096

then add the file to /etc/dovecot/dovecot.conf

ssl_dh = /etc/dovecot/dh.pem

PostfixAdmin

See PostfixAdmin.

Note: To match the configuration in this file, config.inc.php should contain the following.

# /etc/webapps/postfixadmin/config.inc.php

...

$CONF['domain_path'] = 'YES';

$CONF['domain_in_mailbox'] = 'NO';

...

Roundcube

See Roundcube.

Make sure that both extension=pdo_mysql and extension=iconv are uncommented in your
php.ini file. Also check the .htaccess for access restrictions. Assuming that localhost is your
current host, navigate a browser to http://localhost/roundcube/installer/ and follow the
instructions.

Roundcube needs a separate database to work. You should not use the same database for
Roundcube and PostfixAdmin. Create a second database roundcube_db and a new user named
roundcube_user .

While running the installer ...

For the address of the IMAP host, i.e. default_host , use ssl://localhost/ or
tls://localhost/ and not just localhost .
 Use port 993 . Likewise with SMTP.
For the address of the SMTP host, i.e. smtp_server , use tls://localhost/ and port
587 if you used STARTTLS. Use ssl://localhost/ with port 465 if you used SMTPS. If
there is a failure to establish a session, try using tls://yourservername instead, replacing
yourservername with the name of your server.
See #Postfix for an explanation on that.
Make sure the resulting configuration file has $config['smtp_user'] = '%u'; and
$config['smtp_pass'] = '%p'; lines in it or you will not be able to send email.

The post install process is similar to any other webapp like PhpMyAdmin or PostFixAdmin. The
configuration file is in /etc/webapps/roundcubemail/config/config.inc.php which works
as an override over defaults.inc.php .

Apache configuration

If you are using Apache, copy the example configuration file to your webserver configuration
directory.

# cp /etc/webapps/roundcubemail/apache.conf /etc/httpd/conf/extra/httpd-roundcubemail.conf

Add the following line in

/etc/httpd/conf/httpd.conf

Include conf/extra/httpd-roundcubemail.conf

Roundcube: Change Password Plugin

To let users change their passwords from within Roundcube, do the following:

Enable the password plugin by adding this line to

/etc/webapps/roundcubemail/config/config.inc.php

$config['plugins'] = array('password');

Configure the password plugin and make sure you alter the settings accordingly:

/usr/share/webapps/roundcubemail/plugins/password/config.inc.php

<?php

$config['password_driver'] = 'sql';

$config['password_db_dsn'] = 'mysql://<postfix_database_user>:<password>@localhost/<postfix_database_name>';

// If you are not using dovecot specify another algorithm explicitly e.g 'sha256-crypt'

$config['password_algorithm'] = 'dovecot';

// For dovecot salted passwords only (above must be set to 'dovecot')

// $config['password_algorithm_prefix'] = 'true';

// $config['password_dovecotpw'] = 'doveadm pw';

// $config['password_dovecotpw_method'] = 'SHA512-CRYPT';

// $config['password_dovecotpw_with_method'] = true;

$config['password_query'] = 'UPDATE mailbox SET password=%P WHERE username=%u';

Fire it up
All necessary daemons should be started in order to test the configuration. Start both postfix
and dovecot .

Now for testing purposes, create a domain and mail account in PostfixAdmin. Try to login to this
account using Roundcube. Now send yourself a mail.

Testing
Now lets see if Postfix is going to deliver mail for our test user.

nc servername 25

helo testmail.org

mail from:<test@testmail.org>

rcpt to:<cactus@virtualdomain.tld>

data

This is a test email.

quit

Error response

451 4.3.0 <lisi@test.com>:Temporary lookup failure

Maybe you have entered the wrong user/password for MySQL or the MySQL socket is not in the
right place.

This error will also occur if you neglect to run newaliases at least once before starting postfix.
MySQL is not required for local only usage of postfix.

550 5.1.1 <email@spam.me>: Recipient address rejected: User unknown in virtual mailbox table.

Double check content of mysql_virtual_mailboxes.cf and check the main.cf for mydestination

See that you have received a email

Now type $ find /home/vmailer .

You should see something like the following:

/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld

/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/tmp

/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/cur

/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new

/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new/1102974226.2704_0.bonk.testmail.org

The key is the last entry. This is an actual email, if you see that, it is working.

Optional Items
Although these items are not required, they definitely add more completeness to your setup

Quota
To enable mailbox quota support by dovecot, do the following:

First add the following lines to /etc/dovecot/dovecot.conf

dict {

quotadict = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext

service dict {

unix_listener dict {

group = vmail

mode = 0660

user = vmail

user = root
}

service quota-warning {

executable = script /usr/local/bin/quota-warning.sh

user = vmail

unix_listener quota-warning {

group = vmail

mode = 0660

user = vmail

mail_plugins=quota

protocol pop3 {

mail_plugins = quota

pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

pop3_uidl_format = %08Xu%08Xv

protocol lda {

mail_plugins = quota

postmaster_address = postmaster@yourdomain.com

protocol imap {

mail_plugins = $mail_plugins imap_quota

mail_plugin_dir = /usr/lib/dovecot/modules

plugin {

quota = dict:User quota::proxy::quotadict

quota_rule2 = Trash:storage=+10%%

quota_warning = storage=100%% quota-warning +100 %u

quota_warning2 = storage=95%% quota-warning +95 %u

quota_warning3 = storage=80%% quota-warning +80 %u

quota_warning4 = -storage=100%% quota-warning -100 %u # user is no longer over quota

Create a new file /etc/dovecot/dovecot-dict-sql.conf.ext with the following code:

connect = host=localhost dbname=yourdb user=youruser password=yourpassword

map {

pattern = priv/quota/storage

table = quota2

username_field = username

value_field = bytes

map {

pattern = priv/quota/messages

table = quota2

username_field = username

value_field = messages

Create a warning script /usr/local/bin/quota-warning.sh and make sure it is executable. This

warning script works with postfix lmtp configuration as well.

#!/bin/sh

BOUNDARY="$1"

USER="$2"

MSG=""

if [[ "$BOUNDARY" = "+100" ]]; then

MSG="Your mailbox is now overfull (>100%). In order for your account to continue functioning properly, you nee
d to remove some emails NOW."

 elif [[ "$BOUNDARY" = "+95" ]]; then

MSG="Your mailbox is now over 95% full. Please remove some emails ASAP."

elif [[ "$BOUNDARY" = "+80" ]]; then

MSG="Your mailbox is now over 80% full. Please consider removing some emails to save space."

elif [[ "$BOUNDARY" = "-100" ]]; then

MSG="Your mailbox is now back to normal (<100%)."

fi

cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"

From: postmaster@yourdomain.com

Subject: Email Account Quota Warning

Dear User,

$MSG

Best regards,

Your Mail System

EOF

Edit the user_query line and add iterat_query in dovecot-sql.conf as following:

user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, c
oncat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1'

iterate_query = SELECT username AS user FROM mailbox

Set up LDA as described above under SpamAssassin. If you are not using SpamAssassin, the
pipe should look like this in /etc/postfix/master.cf :

dovecot unix - n n - - pipe

flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

As above activate it in Postfix main.cf

virtual_transport = dovecot

You can set up quota per each mailbox in postfixadmin. Make sure the relevant lines in
config.inc.php look like this:

$CONF['quota'] = 'YES';

$CONF['quota_multiplier'] = '1024000';

Restart postfix and dovecot services. If things go well, you should be able to list all users' quota
and usage by the this command:

doveadm quota get -A

You should be able to see the quota in roundcube too.

Autocreate and autosubscribe folders in Dovecot

To automatically create the "usual" mail hierarchy, modify your /etc/dovecot/dovecot.conf

as follows, editing to your specific needs.

namespace inbox {

type = private

separator = /

prefix =

inbox = yes

namespace inbox {

 mailbox Drafts {

auto = subscribe

special_use = \Drafts

mailbox Junk {

auto = subscribe
special_use = \Junk

mailbox Trash {

auto = subscribe
special_use = \Trash

mailbox Sent {

auto = subscribe
special_use = \Sent

Dovecot public folder and global ACLs

In this section we enable IMAP namespace public folders combined with global and per-folder
ACLs.

First, add the following lines to /etc/dovecot/dovecot.conf :

### ACLs

mail_plugins = acl

protocol imap {

mail_plugins = $mail_plugins imap_acl

plugin {

acl = vfile

# With global ACL files in /etc/dovecot/dovecot-acls file (v2.2.11+):

acl = vfile:/etc/dovecot/dovecot-acl

### Public Mailboxes

namespace {

type = public

separator = /

prefix = public/

location = maildir:/home/vmail/public:INDEXPVT=~/public

subscriptions = no
list = children

Create the root directory /home/vmail/public and the folders you want to publicly share, for
example (the period is required!) /home/vmail/public/.example-1 .

Change the ownership of all files in the root directory:

$ chown -R vmail:vmail /home/vmail/public

Finally, create and modify your global ACL file to allow users access to these folders:

/etc/dovecot/dovecot-acl

public/* user=admin@example.com lrwstipekxa

In the above example, user admin@example.com has access to, and can do anything to, all the
public folders. Edit to fit your specific needs.

Note:
 lrwstipekxa are the permissions being granted. Visit the Dovecot wiki for further details.
Make sure the user subscribes to the folders in the client they are using.

Fighting Spam

As an alternative to SpamAssassin, consider rspamd (https://archlinux.org/packages/?nam

e=rspamd). Out of the box, it delivers an amazing amount of spam reduction, greylisting, etc and
includes a nifty webui. See also [1] (https://thomas-leister.de/en/mailserver-debian-stre
tch/).

Sidenotes

Alternative vmail folder structure

Instead of having a directory structure like /home/vmail/example.com/user@example.com you

can have cleaner subdirectories (without the additional domain name) by replacing
select_field and where_field with:

query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email

='%s'

Troubleshooting

IMAP/POP3 client failing to receive mails

If you get similar errors, take a look into /var/log/mail.log or run

journalctl -xn --unit postfix.service as root to find out more.

It may turn out that the Maildir /home/vmail/mail@domain.tld is just being created if there is
at least one email waiting. Otherwise there would not be any need for the directory creation
before.

Roundcube not able to delete emails or view any 'standard' folders

Ensure that the Roundcube config.inc.php file contains the following:

$config['default_imap_folders'] = array('INBOX', 'Drafts', 'Sent', 'Junk', 'Trash');

$config['create_default_folders'] = true;

$config['protect_default_folders'] = true;

LMTP / Sieve

Is LMTP not connecting to sieve? Ensure that your server is not routing the messages locally. This
can be set in /etc/postfix/main.cf :

mydestination =
Are your emails sent to gmail users ending up in their junk/spam folders?

Google gmail (and most other large email providers) will send your emails straight into your
recipients junk / spam folder if you have not implemented SPF / DKIM / DMARC policies. (Hint:
Rspamd, via the link above, shows you how to set this up, and will DKIM sign your emails.)

See also
Gentoo:Complete Virtual Mail Server

Retrieved from "https://wiki.archlinux.org/index.php?

title=Virtual_user_mail_system_with_Postfix,_Dovecot_and_Roundcube&oldid=718957"

This page was last edited on 18 February 2022, at 08:41.

Content is available under GNU Free Documentation License 1.3 or later unless otherwise noted.

Privacy policy
About ArchWiki
Disclaimers