How to setup a mail server on Debian 8 (jessie) using postfix, dovecot and LMTP

Putting thoughts and deeds into words greatly improves my understanding of topics and thus I am writing this post. It will cover setting up a mail server on a Debian 8.7 (jessie) server using postfix, dovecot, LMTP and virtual mailboxes. Another blog post including quota, sieve, spam filtering (through SpamAssassin and various restrictions) is soon™ to follow.

This tutorial assumes the following setup:

  • a Debian 8.7 (jessie) server with root privileges
  • a static IP address and FQDN with configurable r/DNS record, a valid TLS/SSL certificate (covered in this post)
  • unblocked mail ports for SMTP (25), Submission (587), IMAPS (993)

Make sure to:

sudo apt-get update && sudo apt-get upgrade

and ssh into your machine (make sure to prepend sudo to the commands if you don’t use root privileges).

Test if port 25 is blocked / your r/DNS record configuration is working as intended:


Your outbound mail is blocked if your connection times out:

dig +short mx
telnet 25
Trying 2a00:1450:400c:c07::1b..
Connected to
Escape character is '^]'.
220 ESMTP 7si6442403wmr.85 - gsmtp

Exit telnet by typing QUIT.

DNS record configuration:

dig +short mx
dig +short a
dig +short -x

Install postfix

Postfix is an MTA (Mail Transfer Agent): it routes and delivers mail on Linux systems and is lightweight, efficient and secure when configured appropriately.

apt-get install postfix && postfix stop && apt-get purge exim4

Please choose Internet site as general type of mail configuration and enter your FQDN as system mail name (in our case “”) while completing the install wizard. Postfix will be stopped afterwards because there is no need to have it running at this stage.

Exim4 is the default mail service used by Debian which won’t be needed any more and is thus removed.

Configure postfix

There are two main configuration files to be edited in /etc/postfix/. The is used to define how a program connects to a service and which daemon program runs when a service is requested. The controls several hundred configuration parameters (which can be shown by postconf -d).

Open and uncomment line 17 to enable the submission service (also called MSA (Mail Submission Agent)):

#tlsproxy  unix  -      -       -       -       -       tlsproxy
submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission

Backup the original file:

cp /etc/postfix/ /etc/postfix/

Specify the location of your certificates and add security levels for smtpd and smtp:

smtpd_tls_cert_file = /etc/letsencrypt/live/
smtpd_tls_key_file = /etc/letsencrypt/live/
smtpd_tls_security_level = may
smtp_tls_security_level = may

Add mydomain = and adjust the remaining parameters accordingly:

mydomain =
myhostname = mx.$mydomain
myorigin = $mydomain
mydestination = localhost

Install dovecot

Dovecot is an open source IMAP and POP3 server that includes an MDA (Mail Delivery Agent). It is used to get mails from postfix to a local recipient’s mailbox and has its own administration utility, doveadm:

apt-get install dovecot-core dovecot-imapd dovecot-lmtpd

  • dovecot-imapd allows users to use the IMAP protocol
  • dovecot-lmtpd enables dovecot to receive LMTP connections

Configure dovecot

Backup the initial configuration file:

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig

and copy the output of dovecot -n to dovecot.conf:

dovecot -n > /etc/dovecot/
mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
mv /etc/dovecot/ /etc/dovecot/dovecot.conf

Force using TLS/SSL, specify your certificates, disable IMAP (by setting the port equal to 0) and let the service imap-login listen on port 993 (IMAPS):

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}

ssl = required
ssl_cert = </etc/letsencrypt/live/
ssl_key = </etc/letsencrypt/live/

Testing your configuration:


The client tool of OpenSSL offers a way to connect to and diagnose servers, a more detailed explanation of the options can be found here:

openssl s_client -starttls smtp -connect
openssl s_client -connect helenenhof:993

Both commands should output Verify return code: 0 (ok) as one of the last lines.


Open a new terminal, connect to your machine and:

tail -f /var/log/mail.log

to check if postfix and dovecot are (re-)starting without issues:

service postfix restart
service dovecot restart

Next we check if ports 25, 587 and 993 are listed in the column ‘Local Address’:

netstat -ltnp

Create the user vmail that owns all virtual mailboxes:

groupadd -g 2000 vmail
useradd -g vmail -u 2000 vmail -d /var/vmail -m

You can check this by:

ls -l /var/

which should output:

drwxrwxrwt  3 root  root  4096 Apr 27 00:27 tmp
drwxr-xr-x  3 vmail vmail 4096 Apr 23 13:37 vmail
drwxr-xr-x  3 root  root  4096 Apr 17 12:29 www

Configuring mail location, passdb, userdb and authentication

Add this to the file of postfix to hand the authentication to dovecot:

# only announce and accept AUTH after STARTTLS
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
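
To check the TLS and SASL settings from the two postfix snippets above (the security levels and the hand-off to dovecot), the following added example, which is not part of the original post, parses a main.cf-style file and flags SASL AUTH being offered outside TLS. The function names and the sample files are assumptions made for illustration.

```shell
# Added example: audit a main.cf-style file for the TLS/SASL settings above.
# Parsing follows postconf(5): "name = value", a line starting with
# whitespace continues the previous one, and the last definition wins.

# Print the effective value of parameter $2 in file $1 (empty if unset).
main_cf_get() {
    awk -v want="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (name != "") val[name] = trim(val[name] " " trim($0)); next }
        {
            eq = index($0, "=")
            if (eq == 0) { name = ""; next }
            name = trim(substr($0, 1, eq - 1))
            val[name] = trim(substr($0, eq + 1))
        }
        END { print val[want] }
    ' "$1"
}

# Print findings for file $1; return 0 only if nothing is flagged.
audit_main_cf() {
    findings=0
    level=$(main_cf_get "$1" smtpd_tls_security_level)
    # AUTH offered before STARTTLS lets passwords cross the wire in clear
    # text; "encrypt" already refuses AUTH on unencrypted sessions.
    if [ "$(main_cf_get "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(main_cf_get "$1" smtpd_tls_auth_only)" != yes ] &&
       [ "$level" != encrypt ]; then
        echo "FAIL: SASL AUTH enabled without smtpd_tls_auth_only = yes"
        findings=$((findings + 1))
    fi
    case "$level" in
        may|encrypt) ;;   # both announce STARTTLS
        *) echo "FAIL: smtpd_tls_security_level does not enable STARTTLS"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not from the original post).
tmp=$(mktemp -d)
printf '%s\n' 'smtpd_tls_auth_only = yes' 'smtpd_sasl_auth_enable = yes' \
    'smtpd_tls_security_level = may' '# a later duplicate wins' \
    'smtpd_tls_auth_only = no' > "$tmp/weak.cf"
printf '%s\n' 'smtpd_sasl_auth_enable = yes' 'smtpd_tls_auth_only = yes' \
    'smtpd_tls_security_level = may' > "$tmp/hardened.cf"
audit_main_cf "$tmp/weak.cf" || echo "weak.cf: see findings above"
audit_main_cf "$tmp/hardened.cf" && echo "hardened.cf: ok"
```

On a live server, postconf -h smtpd_tls_auth_only prints the effective value as Postfix itself reads it.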

Insert this block into your dovecot.conf to allow plain text authentication only when TLS/SSL has been used before and to bind the auth service to the socket found in /private/auth:

auth_mechanisms = plain login
disable_plaintext_auth = yes

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    user = postfix
    mode = 0666
  }
}

Next we adjust mail_location to use the maildir format, set the driver of userdb to static and the driver of passdb to a passwd-file (the scheme will be overwritten by the file), which we will create soon – information on the variables can be found here:

mail_location = maildir:/var/vmail/%d/%n
passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%u /etc/dovecot/userdb-file
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

Create the first mail account and input your password using the SHA512-CRYPT scheme:

doveadm pw -s SHA512-CRYPT

Example output:


Create a new file userdb-file in /etc/dovecot and insert:{SHA512-CRYPT}$6$xVscOkS.Nch5xE.y$Sv/X8ATyIrTwRdME8qHgoWhU/G56soWsUMLMtyujrAdpy.1LXNNpYiWY.RoaAe68Vu4.711SiKvn2fDBlR5WC0

Dovecot doesn’t care about domains, thus you can use multiple / no domains. Users can be administered using this file.
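
A check for the userdb-file described above, as an added example that is not part of the original post: because the file holds password hashes, it flags a world-readable file and any entry whose password is not stored under a salted crypt scheme. The function name, the accepted scheme list and the sample users and hashes are assumptions.

```shell
# Added example (not from the original post): audit a Dovecot passwd-file.
# Usernames and hashes below are constructed placeholders.

# Print one finding per line for file $1; return 0 only if there are none.
# The file holds password hashes, so "other" must not be able to read it.
audit_passwd_file() {
    out=$(
        [ -z "$(find "$1" -prune -perm -004)" ] || echo "world-readable: $1"
        awk -F: '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            $1 == "" { print "line " NR ": empty username"; next }
            $2 !~ /^[{](SHA512-CRYPT|SHA256-CRYPT|BLF-CRYPT)[}]./ {
                print "line " NR ": " $1 " lacks a salted crypt scheme prefix"
            }
        ' "$1"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

tmp=$(mktemp -d)
cat > "$tmp/userdb-bad" <<'EOF'
# constructed entries
alice@example.test:{PLAIN}hunter2
bob@example.test:{SHA512-CRYPT}$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
EOF
chmod 644 "$tmp/userdb-bad"
cat > "$tmp/userdb-good" <<'EOF'
bob@example.test:{SHA512-CRYPT}$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
EOF
chmod 640 "$tmp/userdb-good"
audit_passwd_file "$tmp/userdb-bad" || echo "userdb-bad: see findings above"
audit_passwd_file "$tmp/userdb-good" && echo "userdb-good: ok"
```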

Mail delivery via dovecot’s LMTP server

Insert this in to tell postfix to use this socket, virtual domain and virtual alias mapping:

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual_aliases

Let’s create the virtual_aliases file and insert (adjust to your needs):

postmaster          root
webmaster           root
info                root
abuse               root
# redirect to the user that should get root's mails
root                cirmscher

Don’t forget to:

postmap /etc/postfix/virtual_aliases
service postfix restart

afterwards to create the .db file which is expected by postfix.

Adjust your dovecot.conf like this to bind the LMTP service to the unix socket, which is set inside the postfix spool:

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0666
    user = postfix
    group = postfix
  }
}
protocol lmtp {
  postmaster_address =
}

Testing your configuration


Make sure the terminal running tail -f /var/log/mail.log is still open – otherwise open a new one. Restart postfix and dovecot:

service postfix restart
service dovecot restart

Install mailutils:

apt-get install mailutils


echo test | mail

Your output should look similar to this:

postfix/pickup[27532]: 61632100FBB: uid=0 from=<root@www>
postfix/cleanup[28168]: 61632100FBB: message-id=<>
postfix/qmgr[27531]: 61632100FBB: from=<>, size=318, nrcpt=1 (queue active)
dovecot: lmtp(28171): Connect from local
dovecot: lmtp(28171, QAUkGfRn8lgLbgAA9v3IoA: msgid=<>: saved mail to INBOX
www postfix/lmtp[28170]: 61632100FBB: to=<>,[private/dovecot-lmtp], delay=0.07, delays=0.03/0.01/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <> QAUkGfRn8lgLbgAA9v3IoA Saved)
dovecot: lmtp(28171): Disconnect from local: Successful quit
postfix/qmgr[27531]: 61632100FBB: removed

Setup MUA (Mail User Agent) e.g. Mozilla Thunderbird

Create a new account with the following settings:

Incoming IMAP:

Server hostname:
Port: 993
Authentication: Normal password

Outgoing SMTP:

Server hostname:
Port: 587
Authentication: Normal password

Sending mails to Gmail users might result in this:

Our system has detected 550-5.7.1 that this message is likely unsolicited mail.  
To reduce the amount of 550-5.7.1 spam sent to Gmail, this message has been  
blocked. Please visit 550-5.7.1  
for 550 5.7.1 more information.  
kn5si24189651wjc.75 - gsmtp (in reply to end of DATA command)) 

which can be fixed by adding and verifying your domain, just follow the instructions (either add a DNS TXT or a DNS CNAME).


Final thoughts

I hope this was helpful to some of you. As always – comments / constructive criticism and overall feedback are very welcome. Feel free to check our other howto’s – there is plenty to come tho.
