Build a Secure Email Server on Ubuntu Part 4: Postfix, Dovecot and TLS Encryption

This is part 4 of the building your own secure email server on Ubuntu tutorial series. In previous tutorials, we showed you how to set up a basic Postfix SMTP server, configure SPF and DKIM, and create a DMARC record.

In this tutorial, we are going to configure our email server so that we can receive and send emails using a desktop email client like Mozilla Thunderbird or Geary.

To send email from a desktop email client, we need a little extra configuration on Postfix. To receive email in a desktop email client, we install an open-source IMAP server named Dovecot on the Ubuntu 16.04 or 14.04 server. And to encrypt the communication between the client and the server, we need a TLS/SSL certificate.

Note: This part depends on part 1: basic Postfix setup. After finishing part 1, come back here and read on.

TLS/SSL Certificate – Secure Email Server

Desktop email clients send the account password to the server on every connection, so both the IMAP and the SMTP submission connection should always be TLS-encrypted. We can easily obtain a free TLS/SSL certificate from Let’s Encrypt; the hostname on the certificate must be the one you will later type into the email client.

Install the Certbot client on the Ubuntu 16.04 server (the package is named letsencrypt there; on Ubuntu 18.04 and later the package and command are called certbot).

sudo apt install letsencrypt

If a web server (Apache or Nginx) is running on your Ubuntu server, stop it first so that Certbot can bind to port 80 and answer the validation challenge itself; if the command asks how you want to authenticate, pick the standalone option. Then run the below command to obtain a certificate from Let’s Encrypt.

sudo letsencrypt certonly --agree-tos --email your-email-address -d

Substitute your-email-address with your actual email address, and pass your mail server’s hostname (the one the email client will connect to; its DNS A record must point at this server) after -d. You should see a message confirming that the certificate was successfully obtained; it also tells you the directory under which your certificate and private key are stored.


Now you can start your web server again.

Configuring Postfix

To send emails from a desktop email client, we need to enable the submission service of Postfix so that the email client can hand emails over to the Postfix SMTP server after authenticating.

Edit the file.

sudo nano /etc/postfix/

In the submission section, uncomment or add the following lines. Please allow at least one whitespace character (tab or space) before each -o. In Postfix configuration files, a line that begins with whitespace is a continuation of the previous line.

submission     inet     n    -    y    -    -    smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_wrappermode=no
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth

The above configuration enables the submission daemon of Postfix, which listens on TCP port 587, and requires TLS (smtpd_tls_security_level=encrypt), so a client must negotiate STARTTLS before it is allowed to authenticate; the password therefore never crosses the network in plain text. smtpd_relay_restrictions=permit_sasl_authenticated,reject makes sure only authenticated users can relay mail through this port, and smtpd_sasl_type=dovecot together with smtpd_sasl_path=private/auth hands the actual password check off to Dovecot, which we configure below.

Save and close the file.

Next, we need to tell Postfix where the TLS certificate and private key are, and tighten its TLS defaults. Edit the file.

sudo nano /etc/postfix/

Edit the TLS parameters as follows:

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = !SSLv2, !SSLv3

Your Let’s Encrypt certificate and private key are stored under the /etc/letsencrypt/live/ directory: point smtpd_tls_cert_file at the fullchain.pem and smtpd_tls_key_file at the privkey.pem in your hostname’s subdirectory. Note that smtpd_tls_protocols only governs opportunistic TLS (security level may, i.e. port 25); on the submission port, where TLS is mandatory, the corresponding parameter is smtpd_tls_mandatory_protocols, so give it the same !SSLv2, !SSLv3 value.

Save and close the file. Run sudo postfix check to catch syntax errors in either file, then reload Postfix.

sudo postfix reload

If you run the following command, you will see that Postfix is now listening on port 587 (on systems without netstat, sudo ss -lnpt shows the same).

sudo netstat -lnpt
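As an added check that is not part of the original tutorial, the following script (written for this page, not taken from Postfix) shows what a correctly configured submission port looks like from the network. With smtpd_tls_security_level=encrypt, Postfix offers STARTTLS in its EHLO reply and withholds the AUTH capability until the session is encrypted, so a client can never be talked into sending its password in the clear. The EHLO replies embedded in the script are constructed samples; the probe_submission function, which talks to a live server, assumes a netcat that supports -w and is not run by the offline demonstration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify what the Postfix
# submission port announces before STARTTLS. With smtpd_tls_security_level=encrypt,
# Postfix advertises STARTTLS and withholds the AUTH capability until the session
# is encrypted, so a client cannot be tricked into sending its password in clear text.

# ehlo_plaintext_ok: read a server's EHLO reply (the "250-..." lines) on stdin.
# Returns 0 when STARTTLS is offered and AUTH is not advertised, 1 otherwise.
ehlo_plaintext_ok() {
    # Keep only the capability keywords: strip the "250-" / "250 " reply-code
    # prefix and drop the banner and any other reply codes.
    caps=$(sed -n 's/^250[- ]//p')
    if ! printf '%s\n' "$caps" | grep -qi '^STARTTLS'; then
        echo "FAIL: server does not offer STARTTLS" >&2
        return 1
    fi
    if printf '%s\n' "$caps" | grep -qi '^AUTH'; then
        echo "FAIL: AUTH advertised before STARTTLS; credentials could go out in clear text" >&2
        return 1
    fi
    echo "OK: STARTTLS offered and AUTH withheld until the session is encrypted"
}

# probe_submission HOST [PORT]: send a clear-text EHLO to a real server and check
# the reply. Assumes a netcat with -w (OpenBSD nc or ncat); not run in the offline demo.
probe_submission() {
    { sleep 1; printf 'EHLO probe.invalid\r\n'; sleep 1; printf 'QUIT\r\n'; } \
        | nc -w 5 "$1" "${2:-587}" | tr -d '\r' | ehlo_plaintext_ok
}

# Constructed sample: the reply of a submission port configured as in this tutorial.
GOOD_EHLO='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# Constructed sample: a port with smtpd_tls_security_level=may and SASL enabled,
# which announces AUTH over the still-unencrypted connection.
BAD_EHLO='250-mail.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

printf '%s\n' "$GOOD_EHLO" | ehlo_plaintext_ok
printf '%s\n' "$BAD_EHLO"  | ehlo_plaintext_ok || true   # expected to fail
```

After postfix reload, run probe_submission against your server’s hostname. If it reports AUTH before STARTTLS, the -o smtpd_tls_security_level=encrypt override is not in effect for the submission service; postconf -M submission shows the master.cf entry Postfix actually parsed, and postconf -P submission/inet/smtpd_tls_security_level shows the override it applies.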


Installing Dovecot IMAP Server

Enter the following command to install the Dovecot core package and the IMAP daemon package on the Ubuntu server.

sudo apt install dovecot-core dovecot-imapd

Check Dovecot version:

sudo dovecot --version

Sample output:

2.2.22 (fe789d2)

Configuring Dovecot

First, edit the main config file.

sudo nano /etc/dovecot/dovecot.conf

Add the following line to enable the IMAP protocol.

protocols = imap

Configuring Mailbox Location

By default, Postfix uses the mbox format to store emails. Each user’s mail is stored in a single file, /var/mail/username. You can run the following command to find the mail spool directory.

postconf mail_spool_directory

Sample output:

mail_spool_directory = /var/mail

The config file for mailbox location is /etc/dovecot/conf.d/10-mail.conf.

sudo nano  /etc/dovecot/conf.d/10-mail.conf

The default configuration is as follows, which is fine for a small email server.

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Make sure the following line is present in the file (uncomment or add it). It lets Dovecot temporarily take on the mail group’s privileges when it needs to create a dotlock file in /var/mail.

mail_privileged_group = mail

After that, add the dovecot user to the mail group so that Dovecot can read the INBOX files.

sudo gpasswd -a dovecot mail

Configuring TLS/SSL Encryption

Edit the authentication config file.

sudo nano /etc/dovecot/conf.d/10-auth.conf

Uncomment the following line.

disable_plaintext_auth = yes

It disables plaintext authentication unless the connection is already protected by SSL/TLS, so a client that is misconfigured to skip encryption cannot leak its password. If you want users to log in with their full email address (user@domain) instead of the bare system username, add the following line in the file.

auth_username_format = %n

%n keeps only the part before the @, so a login as user@domain is mapped to the local system account named user. Otherwise you are able to log in with the username only (without

Next, edit SSL/TLS config file.

sudo nano /etc/dovecot/conf.d/10-ssl.conf

Find the ssl setting and change it to required, so that Dovecot refuses any login that is not protected by TLS.

ssl = required

Then specify the location of your certificate (the fullchain.pem of your Let’s Encrypt certificate) and private key (privkey.pem). Don’t leave out the < character: it tells Dovecot to read the file at that path rather than treating the string itself as the key.

ssl_cert = </etc/letsencrypt/live/
ssl_key = </etc/letsencrypt/live/
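Both Postfix (smtpd_tls_cert_file / smtpd_tls_key_file, configured above) and Dovecot (ssl_cert / ssl_key) now point at the same Let’s Encrypt files, and a key that does not belong to the certificate, a certificate that does not name the hostname clients use, or a world-readable key are the usual reasons the first TLS connection fails or quietly weakens the setup. The following script is an added example written for this page, not from the original tutorial or from either project: it checks that a private key matches a certificate, that the certificate lists the hostname in its subjectAltName, and that the key is readable only by its owner. It requires the openssl CLI and GNU stat; the self-signed certificate it generates for mail.example.com is constructed test data standing in for fullchain.pem and privkey.pem.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check a certificate
# and private key before handing them to Postfix (smtpd_tls_cert_file/key_file)
# and Dovecot (ssl_cert/ssl_key). Requires the openssl CLI and GNU stat; the
# self-signed pair below is generated on the spot purely as constructed test data.

# cert_matches_key CERT KEY: 0 if KEY is the private key for CERT. Comparing
# SHA-256 digests of the DER-encoded public keys works for RSA and EC keys alike.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers_host CERT HOST: 0 if HOST is listed in the subjectAltName extension.
# Let's Encrypt certificates always carry SANs and clients ignore the CN, so only
# the SAN list is checked; dots in HOST are escaped so they match literally.
cert_covers_host() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$pat"'(,|$)'
}

# key_is_private KEY: 0 if the key file (following symlinks, as the files under
# /etc/letsencrypt/live are) is readable by its owner only. Postfix and Dovecot
# both read the key as root, so 0600 root:root is all they need.
key_is_private() {
    mode=$(stat -L -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "key $1 has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Constructed sample data: a throwaway self-signed certificate for mail.example.com
# and an unrelated key, standing in for fullchain.pem / privkey.pem.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=mail.example.com' -addext 'subjectAltName=DNS:mail.example.com' \
    -keyout "$tmp/privkey.pem" -out "$tmp/fullchain.pem" >/dev/null 2>&1
openssl genpkey -algorithm RSA -out "$tmp/other.pem" >/dev/null 2>&1
chmod 600 "$tmp/privkey.pem" "$tmp/other.pem"

cert_matches_key "$tmp/fullchain.pem" "$tmp/privkey.pem" && echo "privkey.pem belongs to fullchain.pem"
cert_matches_key "$tmp/fullchain.pem" "$tmp/other.pem"   || echo "other.pem does not belong to it (expected)"
cert_covers_host "$tmp/fullchain.pem" mail.example.com   && echo "certificate covers mail.example.com"
cert_covers_host "$tmp/fullchain.pem" imap.example.com   || echo "certificate does not cover imap.example.com (expected)"
key_is_private "$tmp/privkey.pem"                        && echo "private key is readable by its owner only"
```

On the server, call the three functions with the fullchain.pem and privkey.pem under /etc/letsencrypt/live/ for your hostname, using the hostname you will type into the email client. A cert_covers_host failure means you requested the certificate for a different name than the one clients connect to, which shows up as a certificate warning in Thunderbird even though TLS itself works.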

SASL Authentication Between Postfix and Dovecot

Edit the following file.

sudo nano /etc/dovecot/conf.d/10-master.conf

Change the service auth section to the following so that Postfix can find the Dovecot authentication socket. The path sits inside Postfix’s chroot directory /var/spool/postfix, which is why smtpd_sasl_path above is the relative private/auth; mode 0660 with owner and group postfix keeps other local users away from the socket.

service auth {
    unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
    }
}

Auto-create Sent and Trash Folder

Edit the below config file.

sudo nano /etc/dovecot/conf.d/15-mailboxes.conf

To auto-create a folder, simply add auto = create inside that folder’s mailbox block. For example, the Trash block becomes:

 mailbox Trash {
    auto = create
    special_use = \Trash
 }

Do the same in the mailbox Sent block.

After you save and close all the above config files, check the configuration with sudo doveconf -n, then reload Dovecot.

sudo systemctl reload dovecot

Dovecot will be listening on port 143 (IMAP) and 993 (IMAPS). Because of ssl = required, a client on port 143 must issue STARTTLS before it can log in, while port 993 wraps the whole session in TLS from the start.

The Final Step: Configure Desktop Email Client

Now open up your desktop email client such as Mozilla Thunderbird and add a mail account.

  • In the incoming server section, select the IMAP protocol, enter your mail server’s hostname (the name on the certificate) as the server name, and choose port 993 and SSL/TLS.
  • In the outgoing server section, select the SMTP protocol, enter the same hostname as the server name, and choose port 587 and STARTTLS.
  • For authentication, choose normal password. The username is the system user name, or the full email address if you set auth_username_format = %n above.

You should now be able to connect to your own email server and send and receive emails with your desktop email client!

If you want to access emails via Webmail, then I recommend RainLoop Webmail, which is lightweight, fast and has a modern interface.
