How to configure a mail server with Postfix and Dovecot for different requirements

I had originally written this article for
Mail server admins may often have to deal with different types of requirements based on service policies or customer-specific requests. This tutorial will cover common cases of mail server administration. More specifically, it will show how different mail server requirements can be met by tuning parameters of Postfix and Dovecot.

Useful Postfix Commands

Before we start, let us look at some commands related to Postfix.

1. postfix reload vs. service postfix restart

To reload Postfix with any updated configuration files, two commands can be used.
  • postfix reload: This command will check configuration files, and will update Postfix accordingly. As this command does not cause Postfix to shut down, it is highly recommended in production environments.
  • service postfix restart: This command will first shut down Postfix, and then start it again. This command will start a fresh instance of Postfix.
Depending on requirements or convenience, we can choose either option to reload Postfix.

2. postconf

postconf is a very useful Postfix command. The following are some example usages of postconf.
To show the values of all Postfix parameters:
# postconf
To see the value of a specific Postfix parameter, grep can be used to filter the output:
# postconf | grep myorigin
append_at_myorigin = yes
myorigin = example.tst
postconf can also be used to set the value of a particular Postfix parameter at run time.
# postconf -e 'myorigin = example.tst'
Note that any Postfix parameter changed by postconf command persists across reboots. The same thing can be achieved by modifying the configuration file at /etc/postfix/

"Always BCC" Policy

I have seen some companies that have "always BCC" policy which mandates that a copy of every outgoing email be sent to a specific mail account automatically.
In Postfix, this can be achieved by modifying one line in the configuration file.
# vim /etc/postfix/
## assuming that the account is allmail@example.tst ##
always_bcc = allmail
# service postfix restart

Bypassing DNS Lookup

Postfix can be configured in such a way that DNS lookup for a specific domain always resolves to a predetermined IP address. This is very useful in test environments as well as in domains that use multiple mail servers for different purposes.
For example, if we want Postfix to send all emails with a destination domain to a mail server with IP address, we can do it by modifying Postfix configuration as follows.
# vim /etc/postfix/transport smtp:[]
# postmap /etc/postfix/transport
# service postfix restart
NOTE: make sure that the variable transport_maps is properly set in /etc/postfix/ as follows.
transport_maps = hash:/etc/postfix/transport

Using Relayhost

relayhost aka smarthost is an ISP's mail server that accepts all outbound mails originating from its customer's mail servers. The customer can choose to hand over all outgoing mails to the relayhost instead of directly sending it over to the Internet. A relayhost can also be configured to accept incoming emails on behalf of a customer's mail server by tweaking MX records. The configuration of a relayhost is done as follows. is modified to specify relayhost:
# vim /etc/postfix/
relayhost =

## in case of IP address ##
## [ ] disables DNS lookups ##
relayhost = []
# service postfix restart

Sender Email Account Verification

To protect against spamming, it is sometimes useful to verify the validity of the sender's email account on local domain.
The following method can be used to double-check whether the local sender's address of an outgoing mail is valid.
First, we add all the valid accounts.
# vim /etc/postfix/sender_access
user1@example.tst  OK
user2@examle.tst  OK
user3@example.tst  OK
user4@example.tst  OK
## emails sent from user5 will be rejected ##
user5@example.tst  REJECT
# postmap /etc/postfix/sender_access
Next, sender restrictions are implemented as follows.
# vim /etc/postfix/
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, reject_unauth_destination, reject_unknown_sender_domain 
# service postfix restart
At this point, the only valid senders would be user1user2user3, and user4user5 and any other sender address will be blocked.

Blocking Specific Addresses or Domains

Postfix can be configured to block incoming and outgoing mails from specific sender addresses or specific domains. The following configuration can do the trick.
# vim /etc/postfix/access 550  address blocked 550  domain blocked
# postmap access
# vim /etc/postfix/
smtpd_recipient_restrictions = hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination
# service postfix restart
Note: it is possible to use one file to block both sender and recipient, instead of using separate filessender_access (described earlier) and access. Personally, I prefer keeping them separate for ease of troubleshooting.

Set Maximum Email Size and Mailbox Quota

The following parameters can be tuned to specify the size of an email message and also the size of a user mailbox.
# vim /etc/postfix/
## maximum email size in bytes, including header information ##
message_size_limit = 10240000

## maximum mailbox size in bytes. 0 denotes no quota ##
mailbox_size_limit = 0
# service postfix restart

Enable Plaintext Authentication in Dovecot

For security reasons, the Dovecot IMAP/POP server by default does not allow plaintext authentication (i.e., use an unencrypted password). For some reason, if someone needs to enable plaintext authentication in Dovecot, the following tuning is necessary.
# vim /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
# service dovecot restart
These are some of the tunings that mail server admins often do. Postfix and Dovecot can be tuned even further to match the needs of a stakeholder.
Hope this helps.