Overview
This guide walks you through setting up a complete, production-ready mail server on Ubuntu. By the end, you'll have:
- Postfix — SMTP server for sending/receiving mail
- Dovecot — IMAP server for mail clients
- Let's Encrypt — Free SSL/TLS certificates
- SPF, DKIM, DMARC — Email authentication to prevent spoofing
This guide assumes you're using Ubuntu 18.04+ and Nginx. Commands are optimized for quick copy-paste execution.
Reference sources:
- LinuxBabe: Basic Postfix Setup
- LinuxBabe: Dovecot IMAP + TLS
- LinuxBabe: SPF and DKIM
- LinuxBabe: DMARC Record
Prerequisites
Check Hostname
hostname -f
Set Hostname
hostnamectl set-hostname example.com
nano /etc/hostname # change to example.com
Configure /etc/hosts
nano /etc/hosts
Add these entries:
127.0.1.1 example.com example
127.0.0.1 localhost
127.0.0.1 example.com
Check PTR Record
dig -x YOUR_SERVER_IP +short # reverse lookup takes the server's IP address, not a hostname
Create Mail User
adduser noreply # can be hello, info, sales, etc.
Postfix SMTP Server
Open SMTP Ports
ufw allow smtp
Install Packages
apt-get update
apt-get install mailutils -y
apt-get install postfix postfix-policyd-spf-python -y
apt-get install dovecot-core dovecot-imapd dovecot-lmtpd -y
apt-get install opendkim opendkim-tools -y
apt autoremove
Configure Postfix
nano /etc/postfix/main.cf
Add mydomain and update myhostname & mydestination:
...
mydomain = example.com
myhostname = mail.example.com
...
mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
...
Add the following at the end of the file:
mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no
policyd-spf_time_limit = 3600
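# check_policy_service below needs a policyd-spf service defined in /etc/postfix/master.cf
# Continuation lines of a multi-line value must start with whitespace
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf
# Milter configuration
# accept = fail open: mail is still delivered (unsigned) if OpenDKIM is unreachable
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters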
Restart Postfix
systemctl restart postfix
Create Email Aliases
nano /etc/aliases
# See man 5 aliases for format
postmaster: root
root: noreply # your mail username
Rebuild aliases:
newaliases
IMAP Server (Dovecot + SSL)
Open Submission and IMAP Ports
ufw allow 587/tcp
ufw allow 465/tcp
ufw allow 143/tcp
ufw allow 993/tcp
Install Let's Encrypt Certbot
apt install software-properties-common -y
add-apt-repository ppa:certbot/certbot
apt update
apt install certbot python3-certbot-nginx -y
Create Nginx Virtual Host
mkdir /var/www/mail
touch /etc/nginx/sites-available/mail
ln -s /etc/nginx/sites-available/mail /etc/nginx/sites-enabled/mail
nano /etc/nginx/sites-enabled/mail
server {
    listen 80;
    server_name mail.example.com;
    root /var/www/mail;
    location ~ /.well-known/acme-challenge {
        allow all;
    }
}
chown www-data:www-data /var/www/mail -R
nginx -t
service nginx restart
Obtain SSL Certificate
certbot --nginx --agree-tos --redirect --hsts --staple-ocsp -d mail.example.com
Configure Postfix for TLS
Edit /etc/postfix/master.cf and /etc/postfix/main.cf to enable TLS submission on ports 587 and 465.
SPF and DKIM Records
Create SPF Record
Add DNS TXT record:
TXT @ 3600 "v=spf1 a mx ip4:YOUR_SERVER_IP ~all"
Generate DKIM Keys
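mkdir -p /etc/opendkim/keys/example.com # -p also creates /etc/opendkim/keys if it is missing
# Writes default.private (the signing key, keep it private) and default.txt (the DNS record to publish)
opendkim-genkey -b 2048 -d example.com -D /etc/opendkim/keys/example.com -s default -v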
Add DKIM DNS Record
TXT default._domainkey 3600 "v=DKIM1; h=sha256; k=rsa; p=YOUR_PUBLIC_KEY"
Testing
echo 'Testing mail server' | mail your-email@gmail.com -s 'Test subject' -r noreply
Check received email headers for SPF: PASS and DKIM: PASS.
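The header check from the Testing step, as an added shell example that is not part of the original guide: it reads the Authentication-Results header stamped by the receiving server on the test message and confirms that SPF passed and that DKIM passed with a signature from example.com. The authserv-id mx.receiver.test, the address 192.0.2.10 and the sample message are constructed; substitute the values from your own received mail.

```shell
# Added example; mx.receiver.test, 192.0.2.10 and the message are constructed.
# Print the METHOD clause (spf, dkim, dmarc) from the topmost Authentication-Results
# header stamped by AUTHSERV; only the header block is read, folded lines are joined.
auth_clause() {   # usage: auth_clause METHOD FILE AUTHSERV
    awk -v want="$1" -v id="$3" '
        function emit(h,   n, part, i) {
            if (found || tolower(h) !~ /^authentication-results:/) return
            sub(/^[^:]*:[ \t]*/, "", h)
            n = split(h, part, /[ \t]*;[ \t]*/)
            if (part[1] != id) return      # stamped by some other host
            found = 1                      # headers further down may be forged
            for (i = 2; i <= n; i++)
                if (index(part[i], want "=") == 1) { print part[i]; return }
        }
                 { sub(/\r$/, "") }        # tolerate CRLF line endings
        /^$/     { exit }                  # blank line ends the headers (END still runs)
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
                 { emit(buf); buf = $0 }
        END      { emit(buf) }
    ' "$2"
}

# Succeed only if SPF passed and DKIM passed with a signature from DOMAIN
# (receivers report the signing domain as header.d=DOMAIN or header.i=@DOMAIN).
check_mail() {   # usage: check_mail FILE AUTHSERV DOMAIN
    spf=$(auth_clause spf "$1" "$2")
    dkim=$(auth_clause dkim "$1" "$2")
    case $spf in "spf=pass"*) ;; *) echo "SPF: ${spf:-no result}"; return 1 ;; esac
    case "$dkim " in
        "dkim=pass"*" header.d=$3 "*|"dkim=pass"*" header.i=@$3 "*)
            echo "SPF and DKIM pass for $3"; return 0 ;;
    esac
    echo "DKIM: ${dkim:-no result}"; return 1
}

# Constructed message: VERDICT is what the receiver recorded; the second
# header imitates one injected by the sender and must be ignored.
sample_message() {   # usage: sample_message VERDICT
    cat <<EOF
Authentication-Results: mx.receiver.test;
       dkim=$1 header.i=@example.com header.s=default header.b=AbCdEfGh;
       spf=$1 (mx.receiver.test: domain of noreply@example.com designates
       192.0.2.10 as permitted sender) smtp.mailfrom=noreply@example.com
Authentication-Results: mx.receiver.test; spf=pass; dkim=pass header.d=example.com
From: noreply@example.com

Testing mail server
EOF
}
msg=$(mktemp) && sample_message pass > "$msg" && check_mail "$msg" mx.receiver.test example.com; rm -f "$msg"
```

Save the received test message with full headers to a file and run `check_mail FILE AUTHSERV example.com`, where AUTHSERV is the name your mailbox provider writes at the start of its Authentication-Results header.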
Next Steps
- Set up fail2ban for brute force protection
- Configure SpamAssassin for spam filtering
- Add Roundcube or Rainloop for webmail
- Set up automatic certificate renewal