Postfix handles SMTP (sending/receiving), Dovecot handles IMAP (mailbox access). Install both on a VPS, configure virtual mailboxes, add OpenDKIM for signing, obtain a TLS certificate via Let's Encrypt, set up DNS records, and you have a complete email server. This is the most flexible approach but requires 1-2 days of setup and ongoing manual maintenance.
Postfix + Dovecot Setup Guide: The Manual Approach
When to Go Manual
Mailcow wraps Postfix and Dovecot in a Docker-based package with a web UI. It's easier and faster. So why would you set up bare Postfix + Dovecot?
Reasons to go manual:
- You need custom Postfix configurations that Mailcow doesn't expose
- You want to avoid Docker overhead on resource-limited servers
- You're running a non-standard OS or architecture
- You want to learn how email servers actually work
- You need to integrate with existing infrastructure (LDAP, custom auth)
Reasons to use Mailcow instead:
- You want a web admin panel
- You want automatic updates
- You want built-in webmail, antivirus, and spam filtering
- You value your time and don't need custom configs
This guide assumes you've chosen manual for good reason.
Server Preparation
# Ubuntu 22.04 or Debian 12
apt update && apt upgrade -y
hostnamectl set-hostname mail.yourdomain.com
Verify your hostname resolves:
hostname -f
# Should return: mail.yourdomain.com
Install Postfix
apt install postfix -y
When prompted, select "Internet Site" and enter your domain name.
Core Configuration
Edit /etc/postfix/main.cf:
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = all
inet_protocols = ipv4
# TLS settings
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may
# SASL Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# Virtual mailbox settings
virtual_mailbox_domains = yourdomain.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
Create the mailbox directory and user:
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail/vhosts -s /usr/sbin/nologin
mkdir -p /var/mail/vhosts/yourdomain.com
chown -R vmail:vmail /var/mail/vhosts
Create /etc/postfix/vmailbox:
user@yourdomain.com yourdomain.com/user/
Run postmap /etc/postfix/vmailbox after editing.
Install Dovecot
apt install dovecot-imapd dovecot-lmtpd -y
Configure Dovecot
Edit /etc/dovecot/conf.d/10-mail.conf:
mail_location = maildir:/var/mail/vhosts/%d/%n
Edit /etc/dovecot/conf.d/10-auth.conf:
disable_plaintext_auth = yes
auth_mechanisms = plain login
Edit /etc/dovecot/conf.d/10-master.conf to add the SASL socket for Postfix:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Install OpenDKIM
apt install opendkim opendkim-tools -y
Generate a DKIM key:
mkdir -p /etc/opendkim/keys/yourdomain.com
opendkim-genkey -b 2048 -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com -s default -v
chown -R opendkim:opendkim /etc/opendkim
Configure /etc/opendkim.conf:
Syslog yes
UMask 007
Domain yourdomain.com
KeyFile /etc/opendkim/keys/yourdomain.com/default.private
Selector default
Socket inet:8891@localhost
Add to Postfix /etc/postfix/main.cf:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
The DNS TXT record is in /etc/opendkim/keys/yourdomain.com/default.txt.
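A check of the main.cf assembled in the steps above, as an added example that is not part of the original guide. It flags SASL AUTH being offered before STARTTLS (the Postfix parameter smtpd_tls_auth_only, which this guide leaves unset), confirms reject_unauth_destination is present, and notes that milter_default_action = accept lets mail through unsigned when OpenDKIM is unreachable; the function names and the sample file are constructed for illustration.

```shell
# Added example (not from the guide): audit main.cf settings configured above.
# Emit "name=value" per parameter; indented lines continue the previous one.
parse_main_cf() {
  awk '
    function flush() { sub(/[ \t]+$/, "", val); if (name != "") print name "=" val; name = "" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]/ { sub(/^[ \t]+/, ""); val = val " " $0; next }
    { flush(); i = index($0, "="); if (i == 0) next
      name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
      val = substr($0, i + 1); sub(/^[ \t]+/, "", val) }
    END { flush() }
  ' "$1"
}

# Postfix uses the last value when a parameter is set more than once.
get_param() {
  parse_main_cf "$1" | awk -v n="$2" '
    index($0, n "=") == 1 { v = substr($0, length(n) + 2) }
    END { print v }'
}

audit_main_cf() {
  f=$1
  if [ "$(get_param "$f" smtpd_sasl_auth_enable)" = yes ] &&
     [ "$(get_param "$f" smtpd_tls_security_level)" != encrypt ] &&
     [ "$(get_param "$f" smtpd_tls_auth_only)" != yes ]; then
    echo "WARN smtpd_tls_auth_only: AUTH is offered before STARTTLS"
  fi
  relay="$(get_param "$f" smtpd_relay_restrictions) $(get_param "$f" smtpd_recipient_restrictions)"
  case $relay in
    *reject_unauth_destination*|*defer_unauth_destination*)
      echo "OK relay: reject_unauth_destination is present" ;;
    *) echo "WARN relay: no reject_unauth_destination set in this file" ;;
  esac
  if [ "$(get_param "$f" milter_default_action)" = accept ]; then
    echo "INFO milter_default_action: mail passes unsigned if OpenDKIM is down"
  fi
}

# Constructed sample: the relevant lines from this guide's main.cf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
milter_default_action = accept
EOF
audit_main_cf "$sample"; rm -f "$sample"
```

Run it as audit_main_cf /etc/postfix/main.cf; adding smtpd_tls_auth_only = yes clears the first warning.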
Practitioner note: The manual Postfix + Dovecot setup teaches you more about email infrastructure than any managed solution ever will. If you're serious about email operations, doing this once — even if you end up switching to Mailcow later — gives you the knowledge to troubleshoot any email problem. But for production? Mailcow handles all of this automatically.
TLS Certificate
apt install certbot -y
certbot certonly --standalone -d mail.yourdomain.com
Certbot renews the certificate automatically. Add a renewal hook that restarts Postfix and Dovecot after renewal so they load the new certificate:
echo '#!/bin/bash
systemctl restart postfix dovecot' > /etc/letsencrypt/renewal-hooks/post/mail-restart.sh
chmod +x /etc/letsencrypt/renewal-hooks/post/mail-restart.sh
DNS Configuration
Same as any mail server — see the complete DNS setup guide. You need: A record, MX record, SPF, DKIM (from OpenDKIM), DMARC, and PTR.
Start Services
systemctl restart postfix dovecot opendkim
systemctl enable postfix dovecot opendkim
Test sending:
echo "Test email" | mail -s "Test" [email protected]
Check the received message's headers for SPF and DKIM pass results.
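One way to run that check on a saved copy of the received test message, as an added example that is not part of the original guide. It assumes the receiving server prepends its Authentication-Results header, so only the top-most one is read and any copy further down (which a sender could have supplied) is ignored; mx.receiver.example, the function names and the sample message are constructed.

```shell
# Added example (not from the guide): read SPF/DKIM results from a saved message.

# Print the top-most Authentication-Results header, unfolded onto one line.
top_auth_results() {
  awk '
    { sub(/\r$/, "") }                            # tolerate CRLF line endings
    /^$/ { exit }                                 # blank line: end of headers
    /^[ \t]/ { if (grab) h = h " " $0; next }     # folded continuation line
    grab { exit }                                 # a new header starts: done
    tolower($0) ~ /^authentication-results:/ { grab = 1; h = $0 }
    END { if (h != "") print h }
  ' "$1"
}

# method_result FILE METHOD -> "pass", "fail", ... or "none" if not reported
method_result() {
  r=$(top_auth_results "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' |
      sed -n "s/^[[:space:]]*$2=\([a-z]*\).*/\1/p" | head -n 1)
  echo "${r:-none}"
}

# Succeeds only when the receiver reported both spf=pass and dkim=pass.
check_auth() {
  [ "$(method_result "$1" spf)" = pass ] &&
  [ "$(method_result "$1" dkim)" = pass ]
}

# Constructed sample message, as a receiving server might store it.
msg=$(mktemp)
cat > "$msg" <<'EOF'
Authentication-Results: mx.receiver.example;
    dkim=pass header.d=yourdomain.com header.s=default;
    spf=pass smtp.mailfrom=yourdomain.com
Received: from mail.yourdomain.com by mx.receiver.example
Subject: Test

Test email
EOF
echo "spf=$(method_result "$msg" spf) dkim=$(method_result "$msg" dkim)"
rm -f "$msg"
```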
Practitioner note: If you got this far and everything passes authentication checks, congratulations — you understand more about email infrastructure than 95% of people sending email. The knowledge is valuable even if you decide the maintenance isn't worth it.
Adding SpamAssassin (Optional)
apt install spamassassin spamc -y
systemctl enable spamassassin
systemctl start spamassassin
Add SpamAssassin to Postfix as a content filter in /etc/postfix/master.cf. This adds server-side spam filtering for incoming email.
The Maintenance Burden
Bare Postfix + Dovecot requires you to manually:
- Update packages and restart services
- Rotate DKIM keys
- Monitor logs for issues
- Configure and maintain spam filtering
- Manage SSL certificate renewal
- Handle security patches
This is why Mailcow exists. If you don't need custom configurations, switch to Mailcow and get all of this managed through a web interface with automatic updates.
Practitioner note: I maintain two bare Postfix servers for clients with specific compliance requirements that prohibit Docker. Every other client runs Mailcow. The bare servers take 3x the maintenance time. Don't choose manual setup for ego — choose it for requirements.
If you need a custom Postfix deployment for specific infrastructure requirements, schedule a consultation — I build and maintain bare-metal email servers for businesses with needs that packaged solutions can't meet.
v1.0 · April 2026
Frequently Asked Questions
Should I use Postfix + Dovecot or Mailcow?
Mailcow wraps Postfix + Dovecot in Docker with a web UI and pre-configured settings. Use bare Postfix + Dovecot if you need custom configurations that Mailcow doesn't expose, want to avoid Docker, or want to understand exactly how every component works. For everyone else, Mailcow saves hours of setup.
How long does it take to set up Postfix + Dovecot?
Plan 1-2 days for a production-ready setup including Postfix, Dovecot, OpenDKIM, SpamAssassin, TLS, and DNS configuration. Compare to 2-4 hours for Mailcow. The time investment only makes sense if you need custom configurations.
Is Postfix secure by default?
Postfix is designed with security in mind (chroot, least privilege) but requires proper configuration: enforce TLS, disable open relay, configure authentication, set up fail2ban. An out-of-the-box install with default settings needs hardening before production use.
Can I use Postfix without Dovecot?
Yes, if you only need to send email (no mailbox access). Postfix handles SMTP sending and receiving independently. Add Dovecot only if you need IMAP/POP3 mailbox access for reading email via clients.
What's the difference between Postfix and Sendmail?
Both are MTAs. Postfix is the modern replacement for Sendmail — it's faster, more secure, and has cleaner configuration. Sendmail is legacy and rarely used for new deployments. Always choose Postfix for new installations.