🌟 Success! Everything is Perfect!
Congratulations! You’ve successfully engineered a fully working, secure mail server on your Raspberry Pi. You are bypassing residential ISP blocks, filtering spam through the cloud, cleanly routing inbound traffic, and securely authenticating your mail client out through Amazon SES. That is a massive milestone!
Here is your comprehensive, consolidated blueprint to rebuild this exact architecture completely from scratch on a fresh Raspberry Pi, along with instructions to add new users down the road.
📋 Table of Contents
Network & Port Setup
Public DNS Record Configuration
MXGuarddog (Spam Proxy) Setup
Postfix (MTA) Installation & Configuration
Dovecot (IMAP/SASL) Configuration
Managing Users (Adding Additional Accounts)
Before touch-typing any code, your home router must be configured to pass traffic to your Raspberry Pi's local static IP (e.g., 192.168.1.X).
Configure Port Forwarding on your home router with these exact mappings:
Service
External WAN Port
Internal LAN Port
Destination
Purpose
IMAP
993
993
Raspberry Pi IP
Secure mail syncing to Outlook
SMTPS
465
465
Raspberry Pi IP
Secure client mail sending
Inbound SMTP
2525
2525
Raspberry Pi IP
Cloud proxy inbound delivery lane
In your DNS provider’s zone editor (e.g., Cloudflare, Namecheap), configure your zone precisely. Replace your-home-public-ip with your external WAN IP address.
A Records (Infrastructure)
Type: A | Host: @ | Value: your-home-public-ip
Type: A | Host: mail | Value: your-home-public-ip
MX Records (Mail Routing)
⚠️ Crucial: Ensure the Host is set to @ (root domain), not mail.
Type: MX | Host: @ | Value: 1e865356.21.ik2.com. | Priority: 10
Type: MX | Host: @ | Value: 1e865356.22.ik2.io. | Priority: 20
TXT Records (SPF Security)
To authorize Amazon SES to send mail on your behalf:
Type: TXT | Host: @ | Value: v=spf1 include:amazonses.com ~all
Register an account and add your root domain: alinavas.com.
Set the Domain Focus at the top menu to alinavas.com.
Navigate to Settings $\rightarrow$ Your Email Servers and set up your server hook:
Primary Email Server: mail.alinavas.com
Primary Server Port Number: 2525
Go to Settings $\rightarrow$ Email Addresses and add your active system accounts (e.g., navas).
Step 4.1: Installation
Run the installer on the fresh Raspberry Pi:
Bash
sudo apt update
sudo apt install postfix mailutils -y
When prompted, choose Internet Site and enter alinavas.com as the System Mail Name.
Step 4.2: Edit Main Configurations (/etc/postfix/main.cf)
Open the main configuration file:
Bash
sudo nano /etc/postfix/main.cf
Modify or append the following core settings:
Plaintext
myhostname = mail.alinavas.com
mydomain = alinavas.com
myorigin = /etc/mailname
mydestination = $myhostname, alinavas.com, mail.alinavas.com, localhost.$mydomain, localhost
relayhost = [email-smtp.us-east-1.amazonaws.com]:587
# Local Mailbox Layout
home_mailbox = Maildir/
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
# SMTP Outbound Security (Amazon SES Relay Authentication)
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
Step 4.3: Configure Amazon SES Credentials
Create the password map file:
Bash
sudo nano /etc/postfix/sasl_passwd
Add your unique Amazon SES SMTP credentials:
Plaintext
[email-smtp.us-east-1.amazonaws.com]:587 YOUR_SES_SMTP_USERNAME:YOUR_SES_SMTP_PASSWORD
Secure the file and compile the database map:
Bash
sudo chmod 0600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
Step 4.4: Establish the Separate Port Lanes (/etc/postfix/master.cf)
Open the master process definitions file:
Bash
sudo nano /etc/postfix/master.cf
Append these two distinct master process definitions to the bottom of the file.
⚠️ Crucial: Ensure the lines beginning with -o have exactly two spaces of indentation before them.
Plaintext
# ==========================================================================
# Custom Configuration Lanes
# ==========================================================================
# 1. Inbound lane for MXGuarddog (No local authentication required)
2525 inet n - y - - smtpd
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
# 2. Outbound lane for Mail Clients (Requires Secure Password Authentication)
465 inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
Step 4.5: System Virtual Aliases
To handle mandatory technical postmaster lookups smoothly without bounces:
Bash
sudo nano /etc/aliases
Verify or add this line at the bottom:
Plaintext
postmaster: root
root: navas
Update the active alias map:
Bash
sudo newaliases
Step 5.1: Installation
Bash
sudo apt install dovecot-imapd dovecot-core -y
Step 5.2: Configure Mail Directories
Bash
sudo nano /etc/dovecot/conf.d/10-mail.conf
Find the mail_location entry and change it to match Postfix's layout:
Plaintext
mail_location = maildir:~/Maildir
Step 5.3: Enable Postfix SASL Inter-Process Authentication
Bash
sudo nano /etc/dovecot/conf.d/10-master.conf
Locate the service auth block (around line 100) and edit the unix_listener inside it to match this:
Plaintext
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
Step 5.4: Activate Services
Restart both systems to bind the multi-port lanes together cleanly:
Bash
sudo systemctl restart dovecot
sudo systemctl restart postfix
Because your server maps email addresses directly to secure system accounts, creating a brand new email account (e.g., sarah@alinavas.com) takes less than two minutes!
Step 1: Create the User on the Raspberry Pi
Run the standard system user configuration command:
Bash
sudo adduser sarah
Provide a strong password when prompted. This password is what the new user will enter into Outlook.
Step 2: Initialize Their Mail Storage Structure
Log into the new user account briefly to generate their safe local mail directories:
Bash
sudo su - sarah
mkdir -p Maildir/{cur,new,tmp}
chmod -R 700 Maildir
exit
Step 3: Authorize the New Address on MXGuarddog
Log into your MXGuarddog Dashboard.
Set the domain focus to alinavas.com.
Go to Settings $\rightarrow$ Email Addresses.
Click Add New Email and type in the new username: sarah.
Save the configuration.
Step 4: Configure Their Email Client
The new user can open up Outlook, add an account, and input these precise settings:
Incoming Mail Server: mail.alinavas.com | Port: 993 | Encryption: SSL/TLS
Outgoing Mail Server: mail.alinavas.com | Port: 465 | Encryption: SSL/TLS
Username: sarah
Password: The password you set in Step 1.
Your system will immediately begin processing both users entirely independently without breaking a sweat!
dont i need _dmarc record and c name records for amazon for this setup?
Yes, you absolutely do! You caught a very critical piece of the puzzle.
While your mail server is fully working right now on a technical connection level, modern email providers like Gmail, Yahoo, and Outlook will quickly block your outbound emails or throw them straight into spam if you do not have a DMARC record and Amazon's DKIM records configured.
Medium
Here is exactly what those records are, why you need them, and how to add them to your DNS manager.
1. The Amazon CNAME Records (DKIM Verification)
When Postfix hands your outbound emails off to Amazon SES, Amazon signs them with a secret cryptographic key. To prove to the world that this signature is authentic, receiving servers look at your DNS records for the matching public key.
DMARCTrust+ 1
Amazon SES uses a feature called Easy DKIM, which requires you to add three CNAME records.
CaptainDNS
How to get and add them:
Log into your AWS Console and navigate to Amazon SES.
Click on Verified Identities on the left menu and select your domain: alinavas.com.
DMARCTrust
Click on the Authentication tab and look for the DomainKeys Identified Mail (DKIM) section.
Sendmarc
It will provide three distinct tokens. Add them to your DNS manager exactly like this:
DMARCTrust
Type
Host / Name
Value / Target
CNAME
[token1]._domainkey
[token1].dkim.amazonses.com.
CNAME
[token2]._domainkey
[token2].dkim.amazonses.com.
CNAME
[token3]._domainkey
[token3].dkim.amazonses.com.
⚠️ DNS Provider Tip: Some DNS managers (like Namecheap or GoDaddy) automatically append your domain name to the Host field. When creating the record, only paste [token1]._domainkey instead of the full [token1]._domainkey.alinavas.com to prevent it from duplicating.
DMARCTrust
2. The _dmarc Record (Security Policy)
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the ultimate security layer. It instructs major email providers exactly what to do if an email claims to be from navas@alinavas.com but fails to pass your SPF or DKIM checks.
Josh Finnie
Since you are running a fresh setup, you should always start with a Monitoring Policy (p=none). This tells providers to let the mail through even if a configuration is slightly off while you test things out.
Medium+ 1
Add this to your DNS Provider:
Type: TXT
Host: _dmarc (or _dmarc.alinavas.com depending on your DNS interface)
Medium
Value: v=DMARC1; p=none; pct=100; adkim=r; aspf=r;
What this breakdown means:
p=none: Monitor mode. No emails will be blocked yet.
Josh Finnie
pct=100: Apply this rule to 100% of emails leaving your domain.
adkim=r & aspf=r: Relaxed alignment mode. This allows subdomains (like Amazon's internal mail-from structures) to pass your security checks without strict error rejections.
CaptainDNS
Summary of your final DNS Zone layout
Once these adjustments are saved alongside your previous changes, your total email DNS block is bulletproof and completely compliant with Google and Yahoo's strict spam guidelines:
Type
Host / Name
Value / Target
Purpose
MX
@
1e865356.21.ik2.com.
Incoming Email Route
MX
@
1e865356.22.ik2.io.
Incoming Email Route
TXT
@
v=spf1 include:amazonses.com ~all
Authorizes Amazon to send your mail
TXT
_dmarc
v=DMARC1; p=none; pct=100; adkim=r; aspf=r;
Global anti-spoofing policy
CNAME
*[token1]*._domainkey
*[token1]*.dkim.amazonses.com.
Amazon security certificate 1
CNAME
*[token2]*._domainkey
*[token2]*.dkim.amazonses.com.
Amazon security certificate 2
CNAME
*[token3]*._domainkey
*[token3]*.dkim.amazonses.com.
Amazon security certificate 3
Medium+ 1
Once Amazon SES polls your DNS and flips your domain status to "Verified" on their dashboard, your emails will pass every security check flawlessly!
DMARCTrust
Configuration Files
master.conf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: https://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n - y - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
# -o smtpd_forbid_unauth_pipelining=no
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o local_header_rewrite_clients=static:all
# -o smtpd_hide_client_session=yes
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
-o smtpd_client_restrictions= permit_sasl_authenticated,reject
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_relay_restrictions=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable submissions for loopback clients only, or for any client.
#127.0.0.1:submissions inet n - y - - smtpd
#submissions inet n - y - - smtpd
# -o syslog_name=postfix/submissions
# -o smtpd_forbid_unauth_pipelining=no
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o local_header_rewrite_clients=static:all
# -o smtpd_hide_client_session=yes
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_relay_restrictions=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
#465 inet n - y - - smtpd
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
# Inbound lane for MXGuarddog (No authentication)
2525 inet n - y - - smtpd
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=no
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
# Outbound lane for Outlook (Requires authentication)
465 inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_client_restrictions=permit_sasl_authenticated,
10-mail.conf
##
## Mailbox locations and namespaces
##
# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
# %{user} - username
# %{user|username} - user part in user@domain, same as %u if there's no domain
# %{user|domain} - domain part in user@domain, empty if there's no domain
# %{home} - home directory
#
# See https://doc.dovecot.org/latest/core/settings/variables.html for full list
# of variables.
#
# Example:
mail_driver = maildir
mail_path = ~/Maildir
# mail_inbox_path = ~/Maildir/.INBOX
#
# Debian defaults
# Note that upstream considers mbox deprecated and strongly recommends
# against its use in production environments. See further information
# at
# https://doc.dovecot.org/2.4.1/core/config/mailbox/formats/mbox.html
mail_driver = mbox
mail_home = /home/%{user | username}
mail_path = %{home}/mail
mail_inbox_path = /var/mail/%{user}
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
# Namespace type: private, shared or public
#type = private
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =
# Prefix required to access this namespace. This needs to be different for
# all namespaces. For example "Public/".
#prefix =
# Physical location of the mailbox. This is in same format as
# mail location, which is also the default for it.
# mail_driver =
# mail_path =
#
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
# If namespace is hidden, it's not advertised to clients via NAMESPACE
# extension. You'll most likely also want to set list=no. This is mostly
# useful when converting from another server with different namespaces which
# you want to deprecate but still keep working. For example you can create
# hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
#hidden = no
# Show the mailboxes under this namespace with LIST command. This makes the
# namespace visible for clients that don't support NAMESPACE extension.
# "children" value lists child mailboxes, but hides the namespace prefix.
#list = yes
# Namespace handles its own subscriptions. If set to "no", the parent
# namespace handles them (empty prefix should always have this as "yes")
#subscriptions = yes
# See 15-mailboxes.conf for definitions of special mailboxes.
}
# Example shared namespace configuration
#namespace shared {
#type = shared
#separator = /
# Mailboxes are visible under "shared/user@domain/"
# $user, $domain and $username are expanded to the destination user.
#prefix = shared/$user/
# Mail location for other users' mailboxes. Note that %{variables} and ~/
# expands to the logged in user's data. %{owner_user} and %{owner_home}
# destination user's data.
#mail_driver = maildir
#mail_path = %{owner_home}/Maildir
#mail_index_path = ~/Maildir/shared/%{owner_user}
# Use the default namespace for saving subscriptions.
#subscriptions = no
# List the shared/ namespace only if there are visible shared mailboxes.
#list = children
#}
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
#mail_shared_explicit_inbox = no
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <https://doc.dovecot.org/latest/core/config/system_users.html#uids>
#mail_uid =
#mail_gid =
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
mail_privileged_group = mail
# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =
# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no
# Dictionary for key=value mailbox attributes. This is used for example by
# URLAUTH and METADATA extensions.
#mail_attribute {
# dict file {
# path = %{home}/Maildir/dovecot-attributes
# }
#}
# A comment or note that is associated with the server. This value is
# accessible for authenticated users through the IMAP METADATA server
# entry "/shared/comment".
#mail_server_comment = ""
# Indicates a method for contacting the server administrator. According to
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
# is currently not enforced. Use for example mailto:admin@example.com. This
# value is accessible for authenticated users through the IMAP METADATA server
# entry "/shared/admin".
#mail_server_admin =
##
## Mail processes
##
# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes
# When to use fsync() or fdatasync() calls:
# optimized (default): Whenever necessary to avoid losing important data
# always: Useful with e.g. NFS when write()s are delayed
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory where mails can be temporarily stored. Usually it's used only for
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
# uncompressed mails.
#mail_temp_dir = /tmp
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50
# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <https://doc.dovecot.org/latest/core/config/chrooting.html>
#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot =
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb
# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins =
#
# To add plugins, use
#mail_plugins {
# plugin = yes
#}
##
## Mailbox handling optimizations
##
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = yes
# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
# of potentially returning out-of-date results after e.g. server crashes.
# The results will be automatically fixed once the folders are opened.
#mailbox_list_index_very_dirty_syncs = yes
# Should INBOX be kept up-to-date in the mailbox list index? By default it's
# not, because most of the mailbox accesses will open INBOX anyway.
#mailbox_list_index_include_inbox = no
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no
# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
#mail_prefetch_count = 0
# How often to scan for stale temporary files and delete them (0 = never).
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w
# How many slow mail accesses sorting can perform before it returns failure.
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
# The untagged SORT reply is still returned, but it's likely not correct.
#mail_sort_max_read_count = 0
protocol !indexer-worker {
# If folder vsize calculation requires opening more than this many mails from
# disk (i.e. mail sizes aren't in cache already), return failure and finish
# the calculation via indexer process. Disabled by default. This setting must
# be 0 for indexer-worker processes.
#mail_vsize_bg_after_count = 0
}
##
## Maildir-specific settings
##
# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no
# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
# Always move mails from new/ directory to cur/, even when the \Recent flags
# aren't being reset.
#maildir_empty_new = no
##
## mbox-specific settings
##
# Which locking methods to use for locking mbox. There are four available:
# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
# solution. If you want to use /var/mail/ like directory, the users
# will need write access to that directory.
# dotlock_try: Same as dotlock, but if it fails because of permissions or
# because there isn't enough disk space, just skip it.
# fcntl : Use this if possible. Works with NFS too if lockd is used.
# flock : May not exist in all systems. Doesn't work with NFS.
# lockf : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins
# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
# commands.
#mbox_dirty_syncs = yes
# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no
# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
# commands and when closing the mailbox). This is especially useful for POP3
# where clients often delete all mails. The downside is that our changes
# aren't immediately visible to other MUAs.
#mbox_lazy_writes = yes
# If mbox size is smaller than this (e.g. 100k), don't write index files.
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0
# Mail header selection algorithm to use for MD5 POP3 UIDLs when
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
# algorithm, but it fails if the first Received: header isn't unique in all
# mails. An alternative algorithm is "all" that selects all headers.
#mbox_md5 = apop3d
##
## mdbox-specific settings
##
# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 10M
# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 0
# When creating new mdbox files, immediately preallocate their size to
# mdbox_rotate_size. This setting currently works only in Linux with some
# filesystems (ext4, xfs).
#mdbox_preallocate_space = no
# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
# add-flags - Add the keywords when saving new mails or when fetching can
# do it efficiently.
# content-type=type or !type - Include/exclude content type. Excluding will
# never consider the matched MIME part as attachment. Including will only
# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
#mail_attachment_detection_options =