How to Configure Postfix and Dovecot with Virtual Domain Users in Linux – Part 2

In the previous article of this series we explained how to set up and manage the mail server database securely using phpMyAdmin.


  1. Install Postfix Mail Server and Dovecot with MariaDB – Part 1
Configure Postfix and Dovecot with Virtual Domain Users
Configure Postfix and Dovecot with Virtual Domain Users – Part 2

Now it’s time to configure the internal programs that will make sending and receiving emails a reality: Postfix and Dovecot (to handle outgoing and incoming emails, respectively).

Configuring Postfix Mail Server

Before you begin configuring Postfix, it would be worth and well to take a look at its man pages here, putting special emphasis on the section titled “Information for new Postfix users“. If you do, you will find it easier to follow along with this tutorial.

In few words, you should know that there are two configuration files for Postfix:

  1. /etc/postfix/ (Postfix configuration parameters, refer to man 5 postconf for more details).
  2. /etc/postfix/ (Postfix master daemon configuraton, see man 5 master for further details).

In /etc/postfix/, locate (or add, if necessary) the following lines and make sure they match the values indicated below:
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
dovecot_destination_recipient_limit = 1
message_size_limit = 4194304
readme_directory = no
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (CentOS)
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_transport = dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

The next three settings are of special importance. In the files indicated in yellow we will configure Postfix’s access to the Domains_tbl, Users_tbl, and Alias_tbl tables:

virtual_mailbox_domains = mysql:/etc/postfix/
virtual_mailbox_maps = mysql:/etc/postfix/
virtual_alias_maps = mysql:/etc/postfix/

Note that you can choose different file names above, as long as you make sure to create them and insert the following contents in them. In each case, replace YourPassword with the password you chose for the dba user in Part 1, or you can also use the MariaDB root credentials for user and password below.

Also, make sure you use the exact same names of the email server database and tables created in Part 1.

In /etc/postfix/
user = dba
password = YourPassword
hosts =
dbname = EmailServer_db
query = SELECT 1 FROM Domains_tbl WHERE DomainName='%s'

In /etc/postfix/
user = dba
password = YourPassword
hosts =
dbname = EmailServer_db
query = SELECT 1 FROM Users_tbl WHERE Email='%s'

In /etc/postfix/
user = dba
password = YourPassword
hosts =
dbname = EmailServer_db
query = SELECT Destination FROM Alias_tbl WHERE Source='%s'

Finally, don’t forget to change the permissions to these files to 640:

# chmod 640 /etc/postfix/
# chmod 640 /etc/postfix/
# chmod 640 /etc/postfix/

And the ownership to user root and group postfix:

# chown root:postfix /etc/postfix/
# chown root:postfix /etc/postfix/
# chown root:postfix /etc/postfix/

Next, to enable secure connections we need to make sure the following settings are uncommented (or added, if necessary) in /etc/postfix/
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp

showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
#virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

Note: The indentation in the lines beginning with the -o option is critical; otherwise postfix check will return an error:

Check Postfix Configuration
Check Postfix Configuration

Before you save changes, add the following lines at the bottom of the file:
dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

At this point it is essential to check whether Postfix has access to the database tables and the domains, accounts, and alias that we created in Part 1.

To do so, we will use the postmap command, an utility to test communication with the tables Postfix will look up during operation, but first and foremost we’ll need to restart postfix:

# systemctl postfix restart
# postmap -q mysql:/etc/postfix/
# postmap -q mysql:/etc/postfix/
# postmap -q [email protected] mysql:/etc/postfix/
# postmap -q [email protected] mysql:/etc/postfix/
# postmap -q [email protected] mysql:/etc/postfix/
# postmap -q [email protected] mysql:/etc/postfix/

In the image below we can see that for existing records in the database, a 1 is returned. Otherwise, nothing is displayed back to the screen. In the case of the alias check, note that the actual email account the alias is mapped to is returned:

Check Postfix Table Communication
Check Postfix Table Communication

Note that we are NOT authenticating against the credentials set for each email account, we are only testing the ability of Postfix to detect those records in the database.

Thus, if you get a different output than above, make sure you are using a valid user / password pair in,, and (or whatever you chose to call those files).

Configuring Dovecot

As an IMAP / POP3 server, Dovecot provides a way for users through a Mail User Agent (MUA, or also known as client), such as Thunderbird or Outlook, to name a few examples to access their mail.

To begin, let’s create a user and a group to handle emails (we will need this as our email accounts are not associated with a system user). You can use another UID and GID (other than 5000 as we do below) as long as it’s not in use and is a high number:

# groupadd -g 5000 vmail 
# useradd -g vmail -u 5000 vmail -d /home/vmail -m

The settings for Dovecot are split across several configuration files (make sure the following lines are uncommented and / or edit them to match the settings indicated below).

In /etc/dovecot/dovecot.conf:
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap pop3 lmtp
!include conf.d/*.conf
!include_try local.conf

In /etc/dovecot/conf.d/10-auth.conf (only enable authentication through SQL and leave other authentication methods commented out):

disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf.ext

In /etc/dovecot/conf.d/auth-sql.conf.ext (note that we will store emails within a directory named inside /home/vmail, which you need to create if it doesn’t exist. In our case we did mkdir /home/vmail/ to manage emails for that domain):

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/vmail/%d/%n/Maildir

Individual inboxes for user accounts will be created when emails for such accounts are first received.

In /etc/dovecot/conf.d/10-mail.conf:

mail_location = maildir:/home/vmail/%d/%n/Maildir
namespace inbox {
  inbox = yes
mail_privileged_group = mail
mbox_write_locks = fcntl

In /etc/dovecot/conf.d/10-master.conf:

service imap-login {
  inet_listener imap {
    port = 143
  inet_listener imaps {
service pop3-login {
  inet_listener pop3 {
    port = 110
  inet_listener pop3s {
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
   mode = 0600
   user = postfix
   group = postfix
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  unix_listener auth-userdb {
   mode = 0600
   user = vmail
  user = dovecot
service auth-worker {
  user = vmail
service dict {
  unix_listener dict {

In /etc/dovecot/conf.d/10-ssl.conf (replace the certificate and key paths if you are planning on using a certificate signed by a CA):

ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

In /etc/dovecot/dovecot-sql.conf.ext enter your database information and the credentials of the administrative user created in Part 1.

Important: if your password contains an asterisk (#), you will need to enclose the connect string as indicated in the example below:

driver = mysql
connect = "host= dbname=EmailServer_db user=dba password=PassWith#Here"
default_pass_scheme = SHA512-CRYPT
password_query = SELECT Email as User, password FROM Users_tbl WHERE Email='%u';

Additionally, you can configure logging for Dovecot to be separate from Postfix in /etc/dovecot/conf.d/10-logging.conf:

log_path = /var/log/dovecot.log

Finally, make sure the Dovecot log is accessible for user dovecot:

# chown vmail:dovecot /var/log/dovecot.log
# chmod 660 /var/log/dovecot.log

Verify and Fix Postifix Configuration and Enable SMTP, POP3, and IMAP in Firewall

If you happen to run into any issues while configuring Postfix and / or Dovecot, instead of submitting all of the configuration files to ask for help, you can get a configuration summary (uncommented lines only) with:

# postconf –n # Summary for /etc/postfix/
# postconf –M # Summary for /etc/postfix/
# doveconf –n # Summary of all configuration files for Dovecot

In addition, make sure that the email inboxes are readable by vmail only:

# chown –R vmail:vmail /home/vmail

Configuration files should also be readable by vmail and dovecot users:

# chown -R vmail:dovecot /etc/dovecot 
# chmod -R o-rwx /etc/dovecot 

Finally, make sure you enable SMTP, POP3, and IMAP through the firewall:

# firewall-cmd --add-port=143/tcp
# firewall-cmd --add-port=143/tcp --permanent
# firewall-cmd --add-port=110/tcp
# firewall-cmd --add-port=110/tcp --permanent
# firewall-cmd --add-port=587/tcp
# firewall-cmd --add-port=587/tcp --permanent

Configure Thunderbird as an Email Client for Postfix

Having secured access through the firewall for the ports used in email communications, it’s time to configure an email client. Using [email protected] and its corresponding password, along with as IMAP (or POP3) and SMTP server we are ready to start sending and receiving emails to and from such account:

Postfix: Configure Thunderbird Client
Postfix: Configure Thunderbird Client

You can safely disregard the warning message that is shown because you are using a certificate that is not signed by a trusted 3rd-party CA:

Thunderbird: Add Security Exception
Thunderbird: Add Security Exception

Let’s compose a brief test email and click Send:

Compose A Email on Thunderbird
Compose A Email on Thunderbird

When prompted to accept the self-signed certificate for the outgoing server, confirm it previously as before:

Thunderbird: Accept SSL Certificate
Thunderbird: Accept SSL Certificate

Finally, go to the destination email to see if you received the email that was just sent. If so, reply to it and see if it is delivered back to the source email inbox (otherwise, refer to the Postfix log at /var/log/maillog or the Dovecot log at /var/log/dovecot.log for troubleshooting information):

Verify Postfix and Dovecot Email Delivery
Verify Postfix and Dovecot Email Delivery

You now have a working Postfix and Dovecot email server and can start sending and receiving emails.


In this article we have explained how to configure Postfix and Dovecot to handle email traffic in your Linux server. If something does not work as indicated in this article, make sure you take time to check the Postfix and Dovecot documentation.

Please note that although setting up a Postfix mail server is not an easy task, it is a rewarding experience for every system administrator.

If after going through the docs you find yourself still struggling with Postfix and / or Dovecot, feel free to drop us a note using the comment form below and we will be glad to help you (don’t forget to upload to an online storage service the Postfix and Dovecot configuration as retrieved using postconf and doveconf as outlined in this article).

If you liked this article, then do subscribe to email alerts for Linux tutorials. If you have any questions or doubts? do ask for help in the comments section.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

99 thoughts on “How to Configure Postfix and Dovecot with Virtual Domain Users in Linux – Part 2”

  1. So my problem is .. i am on the of the part 2 so i am trying setup Thunderbird but i have a problem. I can connect to my mail server and get the folders (inbox, draft, trash) and i think download mails via imap (this i can’t test because i don’t have any emails).

    But smtp still not work..Thunderbird shows me error that connection to my mail server failed and nothing shows in logs.. Telnet works i cant normally send email… Another thing when i send email from gmail to my server then gmail send me back error message.

    this is my log when i connect to sync my emails.. there are some unknown user auth-worker messages and some pam auth messages

    Oct 05 07:44:01 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    Oct 05 07:44:01 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/
    Oct 05 07:44:01 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/
    Oct 05 07:44:01 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    Oct 05 07:44:01 auth: Debug: auth client connected (pid=7486)
    Oct 05 07:44:01 auth: Debug: auth client connected (pid=7489)
    Oct 05 07:44:01 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=2TQQqhc+bgBY1CMG 
    lip=myip       rip= lport=143       rport=54382
    Oct 05 07:44:01 auth: Debug: client passdb out: CONT    1
    Oct 05 07:44:01 auth: Debug: client in: CONT
    Oct 05 07:44:01 auth-worker(7491): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    Oct 05 07:44:01 auth-worker(7491): Debug: Module loaded: /usr/lib64/dovecot/auth/
    Oct 05 07:44:01 auth-worker(7491): Debug: Module loaded: /usr/lib64/dovecot/auth/
    Oct 05 07:44:01 auth-worker(7491): Debug: pam([email protected], lookup service=dovecot
    Oct 05 07:44:01 auth-worker(7491): Debug: pam([email protected], #1/1 style=1 msg=Password:
    Oct 05 07:44:03 auth-worker(7491): Info: pam([email protected], pam_authenticate() 
    failed: Authentication failure (password mismatch?)
    Oct 05 07:44:03 auth-worker(7491): Debug: sql([email protected], query: 
    SELECT Email as User, password FROM Users_tbl WHERE Email='[email protected]';
    Oct 05 07:44:04 auth: Debug: client passdb out: OK      1       [email protected]      
     [email protected]
    Oct 05 07:44:04 auth: Debug: master in: REQUEST 1762394113      7489    1      
     1f4774e9be834b6150011787a313c10d        session_pid=7494        request_auth_token
    Oct 05 07:44:04 auth-worker(7491): Debug: passwd([email protected], lookup
    Oct 05 07:44:04 auth-worker(7491): Info: passwd([email protected], unknown user
    Oct 05 07:44:04 auth: Debug: master userdb out: USER    1762394113      [email protected]    
    uid=5000        gid=5000        home=/home/vmail/xxx/richardrozbrj/Maildir   
    Oct 05 07:44:04 imap-login: Info: Login: user=, method=PLAIN, rip=, lip=myip, mpid=7494, TLS, session=
    Oct 05 07:44:04 imap([email protected]): Debug: Effective uid=5000, gid=5000, home=/home/vmail/xxx/richardrozbrj/Maildir
    Oct 05 07:44:04 imap([email protected]): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no,
    list=yes, subscriptions=yes location=maildir:/home/vmail/xxx/richardrozbrj/Maildir
    Oct 05 07:44:04 imap([email protected]): Debug: maildir++: root=/home/vmail/xx/richardrozbrj/Maildir, 
    index=, indexpvt=, control=, inbox=/home/vmail/xxx/richardrozbrj/Maildir, alt=
      • I am on the end of this part of tutorial… but my smtp connection via mail client doesn’t work… i can normally send email via telnet but not via client … it shows me error with smtp failed connection and no logs anywhere.

        Imap works i think because i connect and got folders so i think it can sync mail via server and client. Another thing is that when i want send email from gmail to my server it return error message to gmail that wasn’t successful.

        Is there any options how can i turn on logs for smtp ? because i trying connect but there is nothing in logs no messages for smtp.

  2. I’ve installed all as is decribed in part 1 and 2, but the postfix don’t communicate with me.
    If I try to connect at port 25 with telnet, there isn’t answer.
    Could You describe how we can test the installation and how to set postfix to log in maillog file?

    Thanks for articles/help.

  3. Hello, notice the last line in the master.cfg
    ” flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}”
    must start with [space]


      • I tried this again but its true. So if You look at examples in file, every second line with “flags” parameter had two spaces in the start of.

  4. I’ve done everything step by step, but I can not send or receive any email, I opened port 25 and nothing … please some help … thank you

  5. Ok I have an issue with /var/log/dovecot.log, apparently it was not created during the postfix configuration.. What can I do? can I just create that file under /var/log/?

    • @Johnny,
      The log file should have been created if you followed the steps outlined in this series. What distribution are you using? If you’re using a distro other than CentOS, the file may be located somewhere else. Before creating it manually, I would do a search: find / -name “dovecot.log”.

  6. I’ve been using this guide as a step-by-step literal how-to. At the point with header “Configuring Dovecot” I attempted to send mail to my server using a telnet session, both from localhost and from external. Connection was refused in all cases despite firewall being open on 25. The solution was to modify to add the line:

    smtp inet n – n – 1 smtpd

    I’ve got other issues at this point, but at least the server is accepting connection and responding to ehlo now. On CentOS7.2 x64.

      • What? RTFM before posting? Why would I do that?

        BTW, the “other issues” I’ve got … spelling alias in my mariadb lookup cf as “alais”.

        I’m a doof. I’m going to keep plugging away at it anyways. Maybe I’ll have a functional server by the time I get to the end of this series.

        • I advised you to check Part 3 of this series to point out that this had been properly addressed there. This setup was tested so I don’t see why you wouldn’t have a functional server once you complete this series.

          • Oh, I don’t doubt the series. With stupid problems like spelling mistakes and freaking out about broken stuff before bothering to reading the entire process I’m questioning my ability to execute properly. But I’m learning plenty along the way, so I’m going to keep at it. I’ve tried a dozen different tutorials and I keep coming back to this one. It seems to make more sense and be laid out a bit more logically and informatively than most. If I can’t make it work, its on me.

        • @Harmon20,
          If for some reason you can’t make it work, don’t hesitate to let us know. I’m willing to share all the configuration files so you can compare them to your setup. We really want you to have the awesome feeling of having set up this complete mail server and make it work :).

  7. I was having the same issue receiving emails from outside, i solved it with
    firewall-cmd –add-port=25/tcp
    firewall-cmd –add-port=25/tcp –permanent


Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.