Setup Postfix and Dovecot storing virtual users in MySQL database

Install Postfix, Dovecot, postfix-mysql and dovecot-mysql from Ubuntu repositories.

apt-get install postfix postfix-mysql dovecot-imapd dovecot-mysql

Let’s start with Postfix config. Edit /etc/postfix/

### Postfix SMTP Server
myhostname = FQDN.TLD
mydestination = localhost
smtpd_banner = $myhostname ESMTP $mail_name
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
biff = no
append_dot_mydomain = no
readme_directory = no
relayhost =
inet_interfaces = all
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 100000000
recipient_delimiter = +
inet_protocols = all
delay_warning_time = 4h

### Virtual users/domains
relay_domains = 
local_transport = virtual
virtual_alias_maps = proxy:mysql:/etc/postfix/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/
virtual_mailbox_maps = proxy:mysql:/etc/postfix/
virtual_mailbox_base = /var/www
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 5000
virtual_transport = virtual
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
local_recipient_maps = $virtual_mailbox_maps
transport_maps = hash:/etc/postfix/transport

### Authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_loglevel = 1

Let’s enable TLS on SMTP, modify /etc/postfix/ like this:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Created a new user vmail (with no shell access) to store emails:

groupadd -g 5000 vmail
useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail

And a new MySQL database/user to store info about domains and virtual users:

USE postfix_db;
CREATE USER [email protected] IDENTIFIED BY 'postfix_user_password';
GRANT ALL ON postfix_db.* TO [email protected];

Then create the tables that are going to store the info related to domains, forwardings and users:

CREATE TABLE `domains` (
  `domain` varchar(50) NOT NULL default "",
  PRIMARY KEY  (`domain`),
  UNIQUE KEY `domain` (`domain`)

CREATE TABLE `forwardings` (
  `source` varchar(80) NOT NULL default "",
  `destination` text NOT NULL,
  PRIMARY KEY  (`source`)

CREATE TABLE `users` (
  `email` varchar(80) NOT NULL default "",
  `password` char(128) NOT NULL default "",
  `quota` varchar(20) NOT NULL default '20971520',
  `domain` varchar(255) NOT NULL default "",
  UNIQUE KEY `email` (`email`)

Then start adding domains (make sure they have A and MX records properly set) in the database:

INSERT INTO `domains` VALUES ('virtualdomain.tld');

And the account(s) related to the domain(s):

INSERT INTO `users` VALUES ('[email protected]', ENCRYPT('password', CONCAT('$6$', 'salt_text')), '20971520', 'virtualdomain.tld');

Create a self-signed cert:

cd /etc/ssl/private/
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
chmod 400 server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
chmod 444 server.crt

And then the files we were referring to in Postfix config:


user = postfix_user
password = postfix_user_password
hosts = localhost
dbname = postfix_db
table = domains
select_field = domain
where_field = domain


user = postfix_user
password = postfix_user_password
hosts = localhost
dbname = postfix_db
table = users
select_field = concat(domain,'/',email,'/')
where_field = email


user = postfix_user
password = postfix_user_password
hosts = localhost
dbname = postfix_db
table = forwardings
select_field = destination
where_field = source

Create an empty transport file:

touch /etc/postfix/transport
postmap /etc/postfix/transport

Now replace the default Dovecot config file (/etc/dovecot/dovecot.conf) with:

protocols = imap
auth_mechanisms = plain login
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf

service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
user = root

mail_home = /home/vmail/%d/%u
mail_location = maildir:~

ssl = yes

ssl_cert = 

Create the /etc/dovecot/dovecot-sql.conf file:

driver = mysql
connect = host=localhost dbname=postfix_db user=postfix_user password=postfix_user_password
# You can also set it on PLAIN. You can use MD5-CRYPT too, of course you'll need to change MySQL "users" table and have password as ENCRYPT('password').
default_pass_scheme = SHA512-CRYPT
# Get the mailbox
user_query = SELECT '/home/vmail/%d/%u' as home, 'maildir:/home/vmail/%d/%u' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=',  quota) AS quota FROM users WHERE email = '%u'
# Get the password
password_query = SELECT email as user, password, '/home/vmail/%d/%u' as userdb_home, 'maildir:/home/vmail/%d/%u' as userdb_mail, 5000 as  userdb_uid, 5000 as userdb_gid FROM users WHERE email = '%u'
# If using client certificates for authentication, comment the above and uncomment the following
#password_query = SELECT null AS password, ā€˜%uā€™ AS user

... and finally restart dovecot and postfix:

service postfix restart && service dovecot restart

Try to send a mail to one of your newly created accounts, it should end up in a subdirectory of /home/vmail related to the domain.
To access from an email client you need to set these info instead:
Host: your FQDN
Port: 993
Use SSL: Yes
Use authentication: Yes

Host: your FQDN
Port: 587
Use SSL: Yes
Use authentication: Yes

Leave a Reply

Your email address will not be published. Required fields are marked *