Virtual Users And Domains With Postfix, Courier And MySQL (Ubuntu 6.06 LTS)

This document describes how to install a Postfix mail server that uses virtual users and domains, i.e. users and domains that are stored in a MySQL database. I’ll also demonstrate the installation and configuration of Courier (Courier-POP3, Courier-IMAP), so that Courier can authenticate against the same MySQL database Postfix uses.

The resulting Postfix server is capable of SMTP-AUTH, TLS and quota (quota is not built into Postfix by default; I’ll show how to patch your Postfix appropriately). Passwords are stored in encrypted form in the database (most documents I found were dealing with plain text passwords, which is a security risk).

The advantage of such a “virtual” setup (virtual users and domains in a MySQL database) is that it is far more performant than a setup that is based on “real” system users. With this virtual setup your mail server can handle thousands of domains and users. Besides, it is easier to administrate because you only have to deal with the MySQL database when you add new users/domains or edit existing ones. No more postmap commands to create db files, no more reloading of Postfix, etc. For the administration of the MySQL database you can use web based tools like phpMyAdmin which will also be installed in this howto. The third advantage is that users have an email address as user name (instead of a user name + an email address) which is easier to understand and keep in mind.


1 Preliminary Note

This tutorial is based on an Ubuntu 6.06 LTS Server base install (i.e. not LAMP).

2 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin

To install Postfix, Courier, Saslauthd, MySQL, and phpMyAdmin, we simply run

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authmysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl phpmyadmin apache2 libapache2-mod-php5 php5 php5-mysql

You will be asked a few questions:

Create directories for web-based administration ? <– No
General type of mail configuration: <– Internet Site
System mail name: <–


3 Apply The Quota Patch To Postfix

We have to get the Postfix sources, patch it with the quota patch, build new Postfix .deb packages and install those .deb packages:

apt-get install build-essential dpkg-dev fakeroot debhelper libgdbm-dev libldap2-dev libpcre3-dev libssl-dev libsasl2-dev postgresql-dev po-debconf dpatch libdb4.3-dev libmysqlclient15-dev postgresql-dev libdb4.3-dev tinycdb libcdb-dev

cd /usr/src
apt-get source postfix

Make sure you use the correct Postfix version in the following commands. I have Postfix 2.4.5 installed. You can find out your Postfix version by running

postconf -d | grep mail_version

The output should look like this:

root@server1:~# postconf -d | grep mail_version
mail_version = 2.4.5
milter_macro_v = $mail_name $mail_version


gunzip postfix-2.4.5-vda-ng.patch.gz
cd postfix-2.4.5
patch -p1 < ../postfix-2.4.5-vda-ng.patch
dpkg-buildpackage

You might see a warning like this at the end of the dpkg-buildpackage command:

(WARNING: Failed to sign .dsc and .changes file)

You can ignore this message.

Now we go one directory up, that’s where the new .deb packages have been created:

cd ..

The command

ls -l

shows you the available packages:

root@server1:/usr/src# ls -la
total 5400
drwxrwsr-x 3 root src 4096 2007-11-14 13:15 .
drwxr-xr-x 11 root root 4096 2007-11-14 13:02 ..
drwxr-xr-x 19 1001 root 4096 2007-11-14 13:15 postfix-2.4.5
-rw-r--r-- 1 root src 226965 2007-11-14 13:13 postfix_2.4.5-3build1~dapper1.diff.gz
-rw-r--r-- 1 root src 673 2007-11-14 13:13 postfix_2.4.5-3build1~dapper1.dsc
-rw-r--r-- 1 root src 1826 2007-11-14 13:15 postfix_2.4.5-3build1~dapper1_i386.changes
-rw-r--r-- 1 root src 1093064 2007-11-14 13:15 postfix_2.4.5-3build1~dapper1_i386.deb
-rw-r--r-- 1 root src 2934634 2007-08-03 13:53 postfix_2.4.5.orig.tar.gz
-rw-r--r-- 1 root src 57055 2007-08-01 19:13 postfix-2.4.5-vdang.patch
-rw-r--r-- 1 root src 40218 2007-11-14 13:15 postfix-cdb_2.4.5-3build1~dapper1_i386.deb
-rw-r--r-- 1 root src 131728 2007-11-14 13:15 postfix-dev_2.4.5-3build1~dapper1_all.deb
-rw-r--r-- 1 root src 820058 2007-11-14 13:15 postfix-doc_2.4.5-3build1~dapper1_all.deb
-rw-r--r-- 1 root src 44012 2007-11-14 13:15 postfix-ldap_2.4.5-3build1~dapper1_i386.deb
-rw-r--r-- 1 root src 39496 2007-11-14 13:15 postfix-mysql_2.4.5-3build1~dapper1_i386.deb
-rw-r--r-- 1 root src 39306 2007-11-14 13:15 postfix-pcre_2.4.5-3build1~dapper1_i386.deb
-rw-r--r-- 1 root src 39600 2007-11-14 13:15 postfix-pgsql_2.4.5-3build1~dapper1_i386.deb

Pick the postfix and postfix-mysql packages and install them like this:

dpkg -i postfix_2.4.5-3build1~dapper1_i386.deb
dpkg -i postfix-mysql_2.4.5-3build1~dapper1_i386.deb


4 Create The MySQL Database For Postfix/Courier

First we need to set the root mysql password for security:

/etc/init.d/mysql reset-password

Now we create a database called mail:

mysqladmin -u root -p create mail

Next, we go to the MySQL shell:

mysql -u root -p

On the MySQL shell, we create the user mail_admin with the password 'mail_admin_password', who has SELECT, INSERT, UPDATE, DELETE privileges on the mail database. You can use this password for ease of setup, as I will use it for the rest of this howto; however, you can use any password you want, just remember to change it where necessary. This user will be used by Postfix and Courier to connect to the mail database:

GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password';

Still on the MySQL shell, we create the tables Postfix and Courier need:

USE mail;

CREATE TABLE domains (
domain varchar(50) NOT NULL,
PRIMARY KEY (domain) );

CREATE TABLE forwardings (
source varchar(80) NOT NULL,
destination TEXT NOT NULL,
PRIMARY KEY (source) );

CREATE TABLE users (
email varchar(80) NOT NULL,
password varchar(20) NOT NULL,
quota INT(10) DEFAULT '10485760',
PRIMARY KEY (email) );

CREATE TABLE transport (
domain varchar(128) NOT NULL default '',
transport varchar(128) NOT NULL default '',
UNIQUE KEY domain (domain) );

quit;

As you may have noticed, with the quit; command we have left the MySQL shell and are back on the Linux shell.

The domains table will store each virtual domain that Postfix should receive emails for (e.g.


The forwardings table is for aliasing one email address to another, e.g. forward emails for to

source destination

The users table stores all virtual users (i.e. email addresses, because the email address and the user name are the same), their passwords (in encrypted form!) and a quota value for each mailbox (in this example the default value is 10485760 bytes, which means 10MB).

email password quota No9.E4skNvGa. (“secret” in encrypted form) 10485760

The transport table is optional; it is for advanced users. It lets you forward mail for single users, whole domains or all mail to another server. For example,

domain transport smtp:[]

would forward all emails for via the smtp protocol to the server with the IP address (the square brackets [] mean “do not make a lookup of the MX DNS record” (which makes sense for IP addresses…). If you use a fully qualified domain name (FQDN) instead you would not use the square brackets.).

BTW, (I’m assuming that the IP address of your mail server system is you can access phpMyAdmin over in a browser and log in as mail_admin. Then you can have a look at the database. Later on you can use phpMyAdmin to administrate your mail server.

5 Configure Postfix

Now we have to tell Postfix where it can find all the information in the database. Therefore we have to create six text files. You will notice that I tell Postfix to connect to MySQL on the IP address instead of localhost. This is because Postfix is running in a chroot jail and does not have access to the MySQL socket which it would try to connect if I told Postfix to use localhost. If I use Postfix uses TCP networking to connect to MySQL which is no problem even in a chroot jail (the alternative would be to move the MySQL socket into the chroot jail which causes some other problems).

Please make sure that /etc/mysql/my.cnf contains the following line:

vi /etc/mysql/my.cnf

bind-address            =

If you had to modify /etc/mysql/my.cnf, please restart MySQL now:

/etc/init.d/mysql restart


Run

netstat -tap | grep mysql

to make sure that MySQL is listening on (localhost.localdomain):

root@server1:~# netstat -tap | grep mysql
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     5742/mysqld

Now let’s create our six text files.

vi /etc/postfix/

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts =

vi /etc/postfix/

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT destination FROM forwardings WHERE source='%s'
hosts =

vi /etc/postfix/

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
hosts =

vi /etc/postfix/

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT email FROM users WHERE email='%s'
hosts =

vi /etc/postfix/

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT transport FROM transport WHERE domain='%s'
hosts =

vi /etc/postfix/

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT quota FROM users WHERE email='%s'
hosts =

Then change the permissions and the group of these files:

chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf

Now we create a user and group called vmail with the home directory /home/vmail. This is where all mail boxes will be stored.

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m

Next we do some Postfix configuration. Make sure that you replace with a valid FQDN, otherwise your Postfix might not work properly!

postconf -e 'myhostname ='
postconf -e 'mydestination =, localhost, localhost.localdomain'
postconf -e 'mynetworks ='
postconf -e 'virtual_alias_domains ='
postconf -e 'virtual_alias_maps = proxy:mysql:/etc/postfix/, mysql:/etc/postfix/'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/'
postconf -e 'virtual_mailbox_base = /home/vmail'
postconf -e 'virtual_uid_maps = static:5000'
postconf -e 'virtual_gid_maps = static:5000'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/smtpd.cert'
postconf -e 'smtpd_tls_key_file = /etc/postfix/smtpd.key'
postconf -e 'transport_maps = proxy:mysql:/etc/postfix/'
postconf -e 'virtual_create_maildirsize = yes'
postconf -e 'virtual_mailbox_extended = yes'
postconf -e 'virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/'
postconf -e 'virtual_mailbox_limit_override = yes'
postconf -e 'virtual_maildir_limit_message = "The user you are trying to reach is over quota."'
postconf -e 'virtual_overquota_bounce = yes'
postconf -e 'proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps'

Afterwards we create the SSL certificate that is needed for TLS:

cd /etc/postfix
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]:
<– Enter your State or Province Name.
Locality Name (eg, city) []:
<– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) []:
<– Enter the Fully Qualified Domain Name of the system (e.g. “”).
Email Address []:
<– Enter your Email Address.

Then change the permissions of the smtpd.key:

chmod o= /etc/postfix/smtpd.key
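
The mysql-virtual_*.cf map files contain the mail_admin database password and smtpd.key is the TLS private key, so both chmod o= steps above are worth verifying after every change. A small audit for them, as an added example that is not part of the original howto; the function names are made up here and GNU stat (as shipped on Ubuntu) is assumed:

```shell
#!/bin/sh
# Added example, not from the original howto. Function names are hypothetical.
# Requires GNU stat (-c).

# check_secret_file FILE [GROUP]
# Prints one finding per problem; returns 0 if the file is clean, 1 otherwise.
check_secret_file() {
    file=$1
    want_group=${2:-}
    rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    mode=$(stat -c '%a' "$file")     # octal mode, e.g. 640
    group=$(stat -c '%G' "$file")    # owning group name
    case $mode in
        *0) ;;                       # last octal digit 0: no access for "other"
        *)  echo "WORLD-ACCESSIBLE $file (mode $mode)"; rc=1 ;;
    esac
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "WRONG-GROUP $file (group $group, expected $want_group)"
        rc=1
    fi
    return $rc
}

# audit_mail_secrets DIR [GROUP]
# Checks every mysql-virtual_*.cf map file in DIR (expected group: postfix
# unless GROUP is given) and the TLS private key DIR/smtpd.key.
audit_mail_secrets() {
    dir=$1
    grp=${2:-postfix}
    status=0
    for f in "$dir"/mysql-virtual_*.cf; do
        [ -e "$f" ] || continue      # glob matched nothing
        check_secret_file "$f" "$grp" || status=1
    done
    check_secret_file "$dir/smtpd.key" || status=1
    return $status
}

# Usage on the mail server: audit_mail_secrets /etc/postfix postfix
```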


6 Configure Saslauthd

First run

mkdir -p /var/spool/postfix/var/run/saslauthd

Then edit /etc/default/saslauthd. Set START to yes and change the line OPTIONS="-c" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

# Settings for saslauthd daemon
# Should saslauthd run automatically on startup? (default: no)

# Which authentication mechanisms should saslauthd use? (default: pam)
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
# Only one option may be used at a time. See the saslauthd man page
# for more information.
# Example: MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.

# Other options (default: -c)
# See the saslauthd man page for information about these options.
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Then create the file /etc/pam.d/smtp. It should contain only the following two lines (make sure to fill in your correct database details):

vi /etc/pam.d/smtp

auth    required user=mail_admin passwd=mail_admin_password host= db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient user=mail_admin passwd=mail_admin_password host= db=mail table=users usercolumn=email passwdcolumn=password crypt=1

Next create the file /etc/postfix/sasl/smtpd.conf. It should look like this:

vi /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_user: mail_admin
sql_passwd: mail_admin_password
sql_database: mail
sql_select: select password from users where email = '%u'

Then restart Postfix and Saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart


7 Configure Courier

Now we have to tell Courier that it should authenticate against our MySQL database. First, edit /etc/courier/authdaemonrc and change the value of authmodulelist so that it reads:

vi /etc/courier/authdaemonrc


Then make a backup of /etc/courier/authmysqlrc and empty the old file:

cp /etc/courier/authmysqlrc /etc/courier/authmysqlrc_orig
cat /dev/null > /etc/courier/authmysqlrc

Then open /etc/courier/authmysqlrc and put the following lines into it:

vi /etc/courier/authmysqlrc

MYSQL_SERVER localhost
MYSQL_PASSWORD mail_admin_password
MYSQL_HOME_FIELD "/home/vmail"

Then restart Courier:

/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop restart
/etc/init.d/courier-pop-ssl restart

By running

telnet localhost pop3

you can see if your POP3 server is working correctly. It should give back +OK Hello there. (Type quit to get back to the Linux shell.)

root@server1:/etc/postfix# telnet localhost pop3
Connected to localhost.localdomain.
Escape character is '^]'.
+OK Hello there.
+OK Better luck next time.
Connection closed by foreign host.

8 Modify /etc/aliases

Now we should open /etc/aliases. Make sure that postmaster points to root and root to your own username or your email address, e.g. like this:

vi /etc/aliases

postmaster: root
root: root@yourdomain.tld

Whenever you modify /etc/aliases, you must run


afterwards and restart Postfix:

/etc/init.d/postfix restart


9 Quota Exceedance Notifications

If you want to get notifications about all the email accounts that are over quota, then do this:

cd /usr/local/sbin/
mv quota.txt quota_notify
chmod 755 quota_notify

Open /usr/local/sbin/quota_notify and edit the variables at the top. Further down in the file (towards the end) there are two lines where you should add a % sign:

vi /usr/local/sbin/quota_notify

my $POSTFIX_CF = "/etc/postfix/";
my $MAILPROG = "/usr/sbin/sendmail -t";
my @POSTMASTERS = ('postmaster@yourdomain.tld');
my $CONAME = 'My Company';
my $COADDR = 'postmaster@yourdomain.tld';
my $SUADDR = 'postmaster@yourdomain.tld';
my $MAIL_REPORT = 1;
           print "Subject: WARNING: Your mailbox is $lusers{$luser}% full.\n";
           print "Your mailbox: $luser is $lusers{$luser}% full.\n\n";


Run

crontab -e

to create a cron job for that script:

0 0 * * * /usr/local/sbin/quota_notify > /dev/null 2>&1


10 Test Postfix

To see if Postfix is ready for SMTP-AUTH and TLS, run

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines




everything is fine:

root@server1:~# telnet localhost 25
Connected to localhost.localdomain.
Escape character is '^]'.
220 ESMTP Postfix (Ubuntu)
ehlo localhost
250-SIZE 10240000
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.



Type quit to return to the system shell.
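
The same check can be scripted. The following is an added example, not part of the original howto: it parses an EHLO reply for the standard STARTTLS (RFC 3207) and AUTH (RFC 4954) keywords and warns when PLAIN or LOGIN is offered in a plaintext session, which Postfix allows unless smtpd_tls_auth_only (a Postfix parameter this howto does not set) is enabled. The function names, the sample transcript and its hostname are constructed.

```shell
#!/bin/sh
# Added example, not from the original howto. Function names are hypothetical.

# ehlo_caps: read an SMTP transcript on stdin, print the EHLO keywords of interest:
#   STARTTLS       TLS upgrade offered (RFC 3207)
#   AUTH <mechs>   SASL mechanisms (RFC 4954)
#   AUTH= <mechs>  legacy form Postfix adds when broken_sasl_auth_clients = yes
ehlo_caps() {
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^250[- ]/ {
            kw = substr($0, 5); up = toupper(kw)
            if (up == "STARTTLS")      print "STARTTLS"
            else if (up ~ /^AUTH /)    print "AUTH " substr(kw, 6)
            else if (up ~ /^AUTH=/)    print "AUTH= " substr(kw, 6)
        }'
}

# smtp_auth_tls_check: returns 0 only if both STARTTLS and AUTH are advertised.
# The transcript is assumed to come from a plaintext (pre-TLS) session.
smtp_auth_tls_check() {
    caps=$(ehlo_caps)
    rc=0
    if printf '%s\n' "$caps" | grep -q '^STARTTLS$'; then
        echo "OK starttls"
    else
        echo "FAIL starttls-not-advertised"; rc=1
    fi
    # Accept either the standard or the legacy AUTH= advertisement.
    mechs=$(printf '%s\n' "$caps" | sed -n 's/^AUTH=\{0,1\} //p' | head -n 1)
    if [ -n "$mechs" ]; then
        echo "OK auth mechanisms: $mechs"
        case " $(printf '%s' "$mechs" | tr 'a-z' 'A-Z') " in
            *" PLAIN "*|*" LOGIN "*)
                echo "WARN cleartext-auth-offered-before-tls" ;;
        esac
    else
        echo "FAIL auth-not-advertised"; rc=1
    fi
    return $rc
}

# Constructed sample transcript; mail.example.test is a placeholder hostname.
sample_session() {
    cat <<'EOF'
220 mail.example.test ESMTP Postfix (Ubuntu)
ehlo localhost
250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-8BITMIME
250 DSN
EOF
}

sample_session | smtp_auth_tls_check
```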


11 Install Roundcube Mail

Create a new VirtualHost in Apache2 for webmail access. Make sure you change any instance of to your own domain.

vi /etc/apache2/sites-available/

<VirtualHost *>
             ServerAdmin webmaster@localhost
             DocumentRoot /var/
             <Directory />
                        Options FollowSymLinks
                        AllowOverride None
             </Directory>
             <Directory /var/>
                        Options FollowSymLinks
                        AllowOverride AuthConfig
                        Order allow,deny
                        allow from all
                        # Uncomment this directive if you want to see apache2's
                        # default start page (in /apache2-default) when you go to /
                        #RedirectMatch ^/$ /apache2-default/
             </Directory>
             ErrorLog /var/log/apache2/mail.error.log
             # Possible values include: debug, info, notice, warn, error, crit,
             # alert, emerg.
             LogLevel warn
             CustomLog /var/log/apache2/mail.access.log combined
             ServerSignature On
</VirtualHost>

Make the directory for the document root of the new site:

mkdir /var/

Then symlink that to the sites-enabled directory and restart Apache2:

cd /etc/apache2/sites-enabled
ln -s ../sites-available/
/etc/init.d/apache2 restart

Download and unpack Roundcube:

tar zxvf roundcubemail-0.1-rc2.tar.gz
cd roundcubemail-0.1-rc2
cp -r * ../
cd ..
rm -rf roundcubemail-0.1-rc2*

Now we must configure Roundcube to attach to our servers:

cd config/

Line 21 will need to be modified as follows:

$rcmail_config['db_dsnw'] = 'mysql://mail_admin:mail_admin_password@localhost/roundcubemail';

Then modify the file:


Line 38:

$rcmail_config['default_host'] = 'localhost';

Line 63:

$rcmail_config['smtp_server'] = 'localhost';

Line 70:

$rcmail_config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password RoundCube
// will use the current user's password for login
$rcmail_config['smtp_pass'] = '%p';

Now we need to make a DB and grant privileges to Roundcube to access the DB:

mysql -u root -p

create database roundcubemail;
grant all privileges on roundcubemail.* to mail_admin@localhost identified by 'mail_admin_password';

Now populate the db:

mysql -u mail_admin -p roundcubemail < /var/

Roundcube should now be set up and accessible at
NOTE: Keep in mind you can’t log in as a user until mail is sent to that user.

To do this manually, connect to the mail server and send a piece of mail:

telnet localhost 25

Connected to localhost.
Escape character is '^]'.
220 ESMTP Postfix (Ubuntu)

ehlo me
250-SIZE 10240000
250 DSN

mail from:

250 2.1.0 Ok

rcpt to:

250 2.1.5 Ok


354 End data with <CR><LF>.<CR><LF>

Subject: Testing

250 2.0.0 Ok: queued as 6B4022D82B5


221 2.0.0 Bye
Connection closed by foreign host.