Virtual user mail system with Postfix, Dovecot and Roundcube

For security reasons, a new user should be created to store the mails:

# groupadd -g 5000 vmail
# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail

A gid and uid of 5000 is used in both cases so that we do not run into conflicts with regular users. All your mail will then be stored in /home/vmail. You could change the home directory to something like but be careful to change this in any configuration below as well.

You will need to create an empty database and corresponding user. In this article, the user postfix_user will have read/write access to the database postfix_db using hunter2 as password. You are expected to create the database and user yourself, and give the user permission to use the database, as shown in the following code.

Now you can go to the PostfixAdmin's setup page, let PostfixAdmin create the needed tables and create the users in there.

See PostfixAdmin.

You will need a SSL certificate for all encrypted mail communications (SMTPS/IMAPS/POP3S). If you do not have one, create one:

# cd /etc/ssl/private/
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout vmail.key -out vmail.crt -days 1460 #days are optional
# chmod 400 vmail.key
# chmod 444 vmail.crt

Alternatively, create a free trusted certificate using Let's Encrypt. The private key will be in , the certificate in /etc/letsencrypt/live/yourdomain/fullchain.pem. Either change the configuration accordingly, or symlink the keys to /etc/ssl/private:

# ln -s /etc/letsencrypt/live/yourdomain/privkey.pem /etc/ssl/private/vmail.key
# ln -s /etc/letsencrypt/live/yourdomain/fullchain.pem /etc/ssl/private/vmail.crt

Before you copy & paste the configuration below, check if has already been set. If you leave more than one active, you will receive warnings during runtime.

Also follow Postfix#Secure SMTP (receiving) pointing to the files you created in #SSL certificate.

To append:

relay_domains = $mydestination
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 5000
virtual_transport = virtual
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
transport_maps = hash:/etc/postfix/transport

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_cert_file = /etc/ssl/private/vmail.crt
smtpd_tls_key_file = /etc/ssl/private/vmail.key
smtpd_sasl_local_domain = $mydomain
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_loglevel = 1

• In the configuration above is a list of the domains that you want to receive mail for. This CANNOT contain the domain that is set in . That is why we left to be localhost only.

• will contain the information of virtual users and their mailbox locations. We are using a hash file to store the more permanent maps, and these will then override the forwards in the MySQL database.

• is the base directory where the virtual mailboxes will be stored.

The and virtual_gid_maps are the real system user IDs that the virtual mails will be owned by. This is for storage purposes.

Those new additional settings reference a lot of files that do not even exist yet. We will create them with the following steps.

If you were setting up your database with PostfixAdmin and created the database schema through PostfixAdmin, you can create the following files. Do not forget to change the password:

For alias domains functionality adjust the following files:

/etc/postfix/virtual_mailbox_maps.cf

user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
table = users
select_field = concat(domain,'/',email,'/')
where_field = email

Run postmap on transport to generate its db:

# postmap /etc/postfix/transport

Instead of using the provided Dovecot example configuration file, we will create our own . Please note that the user and group here might be vmail instead of postfix!

/etc/dovecot/dovecot.conf

protocols = imap pop3
auth_mechanisms = plain
passdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
userdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
 
service auth {
    unix_listener auth-client {
        group = postfix
        mode = 0660
        user = postfix
    }
    user = root
}

mail_home = /home/vmail/%d/%n
mail_location = maildir:~

ssl_cert = </etc/ssl/private/vmail.crt
ssl_key = </etc/ssl/private/vmail.key

Now we create , which we just referenced in the configuration above. Use the following contents and check if everything is set accordingly to your system's configuration.

If you used PostfixAdmin, then you add the following:

Without having used PostfixAdmin you can use:

With v2.3 you are required to provide yourself.

To generate a new DH parameters file (this will take very long):

# openssl dhparam -out /etc/dovecot/dh.pem 4096

then add the file to

ssl_dh = /etc/dovecot/dh.pem

See PostfixAdmin.

Note: To match the configuration in this file, config.inc.php should contain the following.

   # /etc/webapps/postfixadmin/config.inc.php
   ...
   $CONF['domain_path'] = 'YES';
   $CONF['domain_in_mailbox'] = 'NO';
   ...

See Roundcube.

Make sure that both and are uncommented in your php.ini file. Also check the for access restrictions. Assuming that localhost is your current host, navigate a browser to and follow the instructions.

Roundcube needs a separate database to work. You should not use the same database for Roundcube and PostfixAdmin. Create a second database roundcube_db and a new user named .

While running the installer ...

• For the address of the IMAP host, i.e. , use or and not just .
• Use port . Likewise with SMTP.
• For the address of the SMTP host, i.e. smtp_host, use and port if you used STARTTLS. Use with port if you used SMTPS. If there is a failure to establish a session, try using instead, replacing with the name of your server.
• See #Postfix for an explanation on that.
• Make sure the resulting configuration file has and lines in it or you will not be able to send email.

The post install process is similar to any other webapp like PhpMyAdmin or PostFixAdmin. The configuration file is in which works as an override over defaults.inc.php.

If you are using Apache, copy the example configuration file to your webserver configuration directory.

# cp /etc/webapps/roundcubemail/apache.conf /etc/httpd/conf/extra/httpd-roundcubemail.conf

Add the following line in

To let users change their passwords from within Roundcube, do the following:

Enable the password plugin by adding this line to

Configure the password plugin and make sure you alter the settings accordingly:

/usr/share/webapps/roundcubemail/plugins/password/config.inc.php

<?php

$config['password_driver'] = 'sql';
$config['password_db_dsn'] = 'mysql://<postfix_database_user>:<password>@localhost/<postfix_database_name>';
// If you are not using dovecot specify another algorithm explicitly e.g 'sha256-crypt'
$config['password_algorithm'] = 'dovecot';
// For dovecot salted passwords only (above must be set to 'dovecot')
// $config['password_algorithm_prefix'] = 'true';
// $config['password_dovecotpw'] = '/usr/bin/doveadm pw';
// $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
// $config['password_dovecotpw_with_method'] = true;
$config['password_query'] = 'UPDATE mailbox SET password=%P WHERE username=%u';

451 4.3.0 <lisi@test.com>:Temporary lookup failure

Maybe you have entered the wrong user/password for MySQL or the MySQL socket is not in the right place.

This error will also occur if you neglect to run newaliases at least once before starting postfix. MySQL is not required for local only usage of postfix.

550 5.1.1 <email@spam.me>: Recipient address rejected: User unknown in virtual mailbox table.

Double check content of mysql_virtual_mailboxes.cf and check the main.cf for mydestination

Now type .

You should see something like the following: The key is the last entry. This is an actual email, if you see that, it is working.

To enable mailbox quota support by dovecot, do the following:

• First add the following lines to /etc/dovecot/dovecot.conf

dict {
	quotadict = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
service dict {
	unix_listener dict {
		group = vmail
		mode = 0660
		user = vmail
	}
	user = root
}
service quota-warning {
	executable = script /usr/local/bin/quota-warning.sh
	user = vmail
	unix_listener quota-warning {
		group = vmail
		mode = 0660
		user = vmail
	}
}	
mail_plugins=quota
protocol pop3 {
	 mail_plugins = quota
	 pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
	 pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
	mail_plugins = quota
	postmaster_address = postmaster@yourdomain.com
}
protocol imap {
	mail_plugins = $mail_plugins imap_quota
	mail_plugin_dir = /usr/lib/dovecot/modules
}
plugin {
       quota = dict:User quota::proxy::quotadict
       quota_rule2 = Trash:storage=+10%%
       quota_warning = storage=100%% quota-warning +100 %u
       quota_warning2 = storage=95%% quota-warning +95 %u
       quota_warning3 = storage=80%% quota-warning +80 %u
       quota_warning4 = -storage=100%% quota-warning -100 %u # user is no longer over quota
}

• Create a new file /etc/dovecot/dovecot-dict-sql.conf.ext with the following code:

connect = host=localhost dbname=yourdb user=youruser password=yourpassword
map {
	pattern = priv/quota/storage
	table = quota2
	username_field = username
	value_field = bytes
}
map {
	pattern = priv/quota/messages
	table = quota2
	username_field = username
	value_field = messages
}

• Create a warning script /usr/local/bin/quota-warning.sh and make sure it is executable. This warning script works with postfix lmtp configuration as well.

• Edit the user_query line and add iterat_query in dovecot-sql.conf as following:

 user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
 iterate_query = SELECT username AS user FROM mailbox

• Set up LDA as described above under SpamAssassin. If you are not using SpamAssassin, the pipe should look like this in /etc/postfix/master.cf :

 dovecot    unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

As above activate it in Postfix main.cf

 virtual_transport = dovecot

• You can set up quota per each mailbox in postfixadmin. Make sure the relevant lines in config.inc.php look like this:

$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';

Restart postfix and dovecot services. If things go well, you should be able to list all users' quota and usage by the this command:

doveadm quota get -A

You should be able to see the quota in roundcube too.

To automatically create the "usual" mail hierarchy, modify your as follows, editing to your specific needs.

namespace inbox {
  type = private
  separator = /
  prefix =
  inbox = yes
}
namespace inbox {
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
   auto = subscribe
   special_use = \Junk
 }
 mailbox Trash {
   auto = subscribe
   special_use = \Trash
 }
 mailbox Sent {
   auto = subscribe
   special_use = \Sent
 }
}

In this section we enable IMAP namespace public folders combined with global and per-folder ACLs.

First, add the following lines to :

Create the root directory and the folders you want to publicly share, for example (the period is required!) /home/vmail/public/.example-1.

Change the ownership of all files in the root directory:

$ chown -R vmail:vmail /home/vmail/public

Finally, create and modify your global ACL file to allow users access to these folders:

In the above example, user has access to, and can do anything to, all the public folders. Edit to fit your specific needs.

To use SpamAssassin, you must set it up with a SQL database. Otherwise user scores and filter data won't be saved as users are virtual and don't have home directories where to save these.

As an alternative to SpamAssassin, consider . Out of the box, it delivers an amazing amount of spam reduction, greylisting, etc and includes a nifty webui. See also .

Instead of having a directory structure like you can have cleaner subdirectories (without the additional domain name) by replacing and with:

query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'

If you get similar errors, take a look into or run as root to find out more.

It may turn out that the Maildir is just being created if there is at least one email waiting. Otherwise there would not be any need for the directory creation before.

Ensure that the Roundcube config.inc.php file contains the following:

Is LMTP not connecting to sieve? Ensure that your server is not routing the messages locally. This can be set in /etc/postfix/main.cf:

Google gmail (and most other large email providers) will send your emails straight into your recipients junk / spam folder if you have not implemented SPF / DKIM / DMARC policies. (Hint: Rspamd, via the link above, shows you how to set this up, and will DKIM sign your emails.)