Setup a production-ready exim/dovecot server

Setup a production-ready exim/dovecot server

In this tutorial, I will introduce step by step how to set up a full-fledged email server.

At the end of the tutorial, the email server will support

  • SMTP server to receive email
  • SMTP to send email
  • Receiving SMTP server supports TLS
  • Sending SMTP server support DKIM
  • Configure DMARC, SPF records
  • IMAP/POP3 server with dovecot
  • (TODO) Automatically renew TLS certificate with letsencrypt
  • (TODO) Periodically backup email data to S3
  • (TODO) Setup a simple web-based client

Refer to this post to know how to test sending SMTP/receiving SMTP/POP3/IMAP with or without TLS servers.

My server information:

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04 LTS
Release:	20.04
Codename:	focal
$ uname -a
Linux ip-10-0-20-69 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Brief introduction of basic terms and concepts

Alice wants to send Bob an email. To accomplish this, Alice needs the following information:

  • A from email address. For example:
  • A to email address. For example:
  • The email payload such as body, title, reply-to, subject, attachment, etc. For example: lorem ipsum.
  • An SMTP agent server, for example:
  • The credential (usually are username and password) to access and authorize the email at the SMTP agent server.

On the other hand, when sending the email request (from:, to:, payload: lorem ipsum), the SMTP agent server prepares the following information:

  • A reply-to email address. For example: Note: this can be any domain value regardless of the from email's domain. Of course, this domain and the associated email agent server must be correctly configured in conjunction with the  from email's domain. And this is what we are going to set up in this tutorial.
  • A random string value called domainkey. For example: a_random_domainkey.
  • A pair of pre-configured private/public key with the public key propagated in a specific DNS record called DKIM record at the from email address's domain.

Step 1: In an email application (Gmail, outlook, thunderbird, etc.), Alice use her credential to access the email agent server at with a request to send an email with the content.

    from: '',
    to: '',
    payload: 'lorem ipsum'

Step 2: The email application does  a DNS reverse of to obtain the associated IP address (at server X) and send the email sending a request to this ip address.

Step 3: Server X authorizes the request with the provided credential. X sees the receiver email, it looks for the MX record of and gets a value. For example: X does a DNS reverse of to get an IP address of the receiver server Y.

Step 4: X add reply-to ( and domainkey (a_random_domainkey) to the request. Now the email payload becomes:

    from: '',
    to: '',
    payload: 'lorem ipsum',
    replyTo: '',
    domainkey: 'a_random_domainkey'

Step 5: X uses the pre-configured private key associated with the DKIM record to sign the email (i.e., it attaches a signature along with the email payload).

Step 6: X sends the encoded payload to Y, at the Network Layer, this request is sent from to

Step 7: Y decodes the email payload, and reveals the email's payload in Step 4 along with the signature. At the Network Layer, Y also knows that this email is sent from the IP address
If the to address is somewhat another email that is not controlled by Y. Y can just reject or ignore the email.

Step 8: Y checks a TXT DNS record of to get the list of allowed-sender IP addresses. This record is called SPF record. If is not on the list, go to step 10, otherwise, go to step 9.

Step 9: Y gets the public key configured at the TXT DNS record at and verifies the email's signature. If the signature is correct, accept the email and put it in the associated mailbox. Notify Bob to check his new email from Alice and finish the process. Otherwise, go to step 10.

Step 10: In this step, Y has already rejected the email. However, there is one more step to improve email server management. Y checks the value of the TXT DNS record at and gets an email address to report the incident (to the admin of domain). This DNS record is called DMARC record. For example, Y gets as the report target.

Step 11: Because is different from, Y needs to make sure that the admin of allow to receive SPF failure or DKIM failure reports for Y checks for the TXT DNS record at If there is an expected value (of v=DMARC1), Y sends a DMARC report to

Email forwarding

There is another scenario that is worth looking at.

A sends email to B's email However, B setups a forwarding server to forward all incoming emails to to
A owns, and B owns both and

Something will happen in this case.

  • The forwarding server sends the email to with the from address being from a server with IP address different from what was sent from. Basically, and mostly SPF checks will fail.
  • In this case, DKIM comes and plays the main role in preventing the email from being spoofed.
  • Because the forwarding server sends the email at the end, it keeps the responsibility for the success of the sending. So it should rewrite the Return-Path header in the email. Also, to prevent the DKIM integrity, it shouldn't modify the email body.
  • If the original email (from is not signed with DKIM and the forwarding server keeps forwarding it without any modification. The email will not pass the DMARC check (because none of SPF or DKIM checks passes). It is common that the email agent (such as of has its own heuristic to overwrite the behaviour defined in DMARC by the sender provider (of
  • To avoid being marked as spam when forwarding an email without DKIM, the forwarding server might choose to rewrite the FROM field in the email to be forwarded.
  • The forwarding server might choose to implement Sender Rewriting Scheme (SRS) or Authenticated Received Chain (ARC) to improve the forward email reliability.

Some useful resources:

Part 1: Install exim4

  • sudo apt install -y exim4 certbot
  • Allow port 80 (HTTP for letsencrypt), 25 (SMTP) in iptables/security group/network ACL, etc.
  • Generate a dkim key

To check the username who is running the exim4 process: ps aux | grep exim. In ubuntu, the username is Debian-exim

sudo openssl genrsa -out /etc/exim4/dkim.pem 2048
openssl rsa -in /etc/exim4/dkim.pem -pubout -out -outform PEM
sudo chown Debian-exim:Debian-exim /etc/exim4/dkim.pem

copy the result to set up the DNS txt dkim record in the next subsection "Setup DNS records".

  • Setup DNS records

From the administrator panel of the domain, add the following records.

===========annotation explanation starts===========

From now on, I will this format for DNS records <x> / <y> / <z> / <t> where
-<x> is the record type ( mx, A, TXT, CNAME)
   - <y> is target domain. For example:
        + mail is for with is the top-level domain
        + is for (notice the ending dot).
        + @ is for the root level domain, for example
     The true annotation depends on your DNS provider. The provider I am using is Namecheap.
   - <z> is the value of the record, it can be
         + an IP address for A type
         + a domain for CNAME type
         + a text value for TXT type
   - <t> only exists in MX record, and is the priority value.

===========annotation explanation ends============

+ For receiver server: (replace the ip address with your value of the ip of the receiver server).
mx / @ / mail / 10
A / mail /

+ Sender server: A / smtp / (replace the ip address with your value of the ip of the sender server). Here I am use the same server for sending and receiving.

+ SPF record: TXT / @ / "v=spf1 ip4: -all"' (replace the ip address with your value of the sender server).

+ DMARC record: TXT / _dmarc / v=DMARC1\;p=reject\;\;\;rf=afrf\;pct=100. Note that the rua/ruf email target is to a domain. Because this target domain ( is different from the being setup domain (, it requires an additional record in the domain (see next).

+ DKIM record.
Note 1: mail is a key selector and can be an arbitrary value.
Note 2: DNS records are limited by 255 characters. Some DNS providers support long DNS records (with namecheap, up to 2500 characters) in the panel. In fact, they (the providers) separate the long value to multiple less-than-256 characters entries under the hood.

TXT / mail._domainkey / k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo+/XQCEHaV/3Yp9ZWQ0r1i9Eyb8l8ZPOdFvyZIFFRI2ZLQo86fyDu8HSs2MZXC0wtr1Ec5STsyG1kAmai+OOgN9JS1g050NCJFXAjd0fhxymWSsG+bHvP70BirwU7oaiUCsJ8H9cKUdZ4BkiHQfJ1k6+D4jMTra62hEMgkg8cillG9reW69PfwF4hhiYg+qNcUm1lxYFPAqLbxD5n2wG9f6bhSuntVomwGPAnUMivfi0lpb+rLM9XW1RUZI/aDjI5imfMhhTefRPW4pPnnhtOwyMMs78jccmEZroCcWVD3wMTgZbxQyB2nZRm/80sLrP+HDZMMZUlpK8pZCC6pTPywIDAQAB

The long value MIIBI... is the value copied in the DKIM generating step.

+ In, add DMARC report record: TXT / / v=DMARC1

  • Add user group. This group will be used for the dovecot user and exim user to read cert keys generated by letsencrypt.
sudo groupadd mailers
sudo usermod -aG mailers Debian-exim
  • Get TLS certificates with certbot
sudo certbot certonly -d --standalone --agree-tos -m -n

The cert key files are at:
+ Public cert and chain: /etc/letsencrypt/live/
+ Key file (private): /etc/letsencrypt/live/

  • Allow exim user to access the private key
sudo chgrp mailers /etc/letsencrypt/{live,archive}{,/} /etc/letsencrypt/archive/
sudo chmod g+x /etc/letsencrypt/{live,archive}
sudo chmod g+r /etc/letsencrypt/archive/
  • (optional) Configure exim4 from interactively: sudo dpkg-reconfigure exim4

This script merely updates the configuration file at /etc/exim4/update-exim4.conf.conf.

The default content of this file is as follow:

# /etc/exim4/update-exim4.conf.conf
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
# This is a Debian specific file

dc_local_interfaces=' ; ::1'

My config (comment stripped)


If you change the content of this file or the configuration in /etc/exim4/exim4.conf.template or /etc/exim4/conf.d, you need to execute sudo update-exim4.conf to generate and update the updated configuration.

From exim4 manpage

The script update-exim4.conf generates the main configuration files /var/lib/exim4/config.autogenerated for Exim v4 by merging the data in the template file /etc/exim4/exim4.conf.template or the ones in the /etc/exim4/conf.d directory tree respectively and /etc/exim4/update-exim4.conf.conf to the output file /var/lib/exim4/config.autogenerated.

If dc_use_split_config in /etc/exim4/update-exim4.conf.conf specifies a split configuration, update-exim4.conf processes the /etc/exim4/conf.d subdirectories in the order main, acl, router, transport, retry, rewrite and auth. Within each directory it takes files in lexical sort order by file name. It concatenates all these files and makes the debconf replacement described below.

If you are not using split configuration update-exim4.conf concatenates /etc/exim4/exim4.conf.localmacros (if this file exists) and /etc/exim4/exim4.conf.template (in this order) and makes the debconf replacement described below.

For some configuration, it requires restarting the exim4 service with sudo systemctl restart exim4.

  • Config the exim4 server: sudo vim /etc/exim4/exim4.conf.template


MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/
MAIN_TLS_PRIVATEKEY = /etc/letsencrypt/live/

+ Enable authentication by uncommenting these lines:

  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $auth1
  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}

+ Enable DKIM by adding:

Update the configuration with sudo update-exim4.conf && sudo systemctl restart exim4
Note: changing MAIN_TLS_CERTKEY and MAIN_TLS_PRIVATEKEY requires exim to be restarted: sudo systemctl restart exim4.

  • Check configuration:
    + exim4 -bV
    + ps aux | grep exim
Debian-+   32196  0.0  0.1  16376  4516 ?        Ss   21:21   0:00 /usr/sbin/exim4 -bd -q30m
  • Alias for email receiving:

Suppose that the OS username is ubuntu, we have an associated email at /home/ubuntu/Maildir. To accept all emails sent to and store in the mailbox for the ubuntu user, we need to config alias.
sudo vim /etc/aliases, add me: ubuntu.

  • Email addresses for sending

By default, when the ubuntu user calls exim to send an email from, exim will use in the envelope from and return path fields. To overwrite this config,
sudo vim /etc/email-addresses, add ubuntu:
Now: is in used instead.

  • Configure the remote SMTP connection (username/password).

+ Install package to get password hash sudo apt install -yq whois
+ mkpasswd to get a password. For example real password mypassword is hashed as tQ1xW9c3f5OP.
+ Add credential username = me, password = mypassword by sudo vim /etc/exim4/passwd, add me:tQ1xW9c3f5OP.

Note: adding/removing/modifying the user database does not require restarting the server or running update-exim4.conf

Subject: Test email from exim
hello. this is the test email's body


Ctrl-D to finish.

  • Setup Gmail to sending using the setup SMTP server
    + name: any
    + email:
    + smtp server:
    + username: me
    + password: mypassword
    + secured connection using TLS

Setup dovecot

  • Install dovecot
sudo apt install -yq dovecot-imapd dovecot-pop3d
  • Open ports: 110 (POP3), 995 (POP3S), 143 (IMAP), 993 (IMAPS) in iptables/security group/network ACL/etc.
  • In DNS panel, add A / imap / Note: we will share the IMAP and pop servers at
  • Generate TLS cert
sudo certbot certonly -d --standalone --agree-tos -m -n
  • Add dovecot user to the mailers group: sudo usermod -aG mailers dovecot
  • Allow the mailers group to read the TLS private key
sudo chgrp mailers /etc/letsencrypt/{live,archive}{,/} /etc/letsencrypt/archive/
sudo chmod g+r /etc/letsencrypt/archive/
  • Config dovecot
    + Setup keychain. In /etc/dovecot/conf.d/10-ssl.conf,
    change lines
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key


ssl_cert = </etc/letsencrypt/live/
ssl_key = </etc/letsencrypt/live/

+ In the same dir, in file 10-auth.conf,
change line auth_mechanism = plain
to auth_mechanism = dovecot_plain dovecot_login
And, uncomment !include auth-passwdfile.conf.ext.
And, comment out #!includeauth-system.conf.ext.
+ In the same dir, in file 10-master.conf, in the block service auth { unix_listener ..., uncomment and change to the following

service auth {
  unix_listener auth-userdb {
    mode = 0660
    user = mail

+ In the same dir, in file 10-mail.conf
change line mail_location = mbox:~/mail:INBOX=/var/mail/%u
to mail_location = maildir:~/Maildir
+ In the same dir, in the file 10-logging.conf, uncomment log_path = syslog

  • Add dovecot credentials. Create file sudo touch /etc/dovecot/users
  • Add user. For example with username = me, password = mypassword.
    + Use sudo doveadm pw to generate the password. For e.g.: {CRYPT}$2y$05$pFZ8zDO.o.FtcTIWNOTqdeTgRj0OmoxzK2HineVAKEv91DEP4DXY6
    + Add following entry in /etc/dovecot/users

Check this dovecot document for the meanings of these fields.

  • Restart dovecot: sudo systemctl restart dovecot
  • Test the created dovecot credential: sudo doveadm auth login me
  • Setup POP3 in Gmail
    + Email address:
    + Gmailify: no support
    + Username: me
    + Password: mypassword
    + POP server:
    + Port: 995
    + Check "Always use a secure connection (SSL) when receiving mail.
    + All other 3 checkboxes are optional and up to your preferences.

Helpful commands and information

  • To test an SMTP connection: swaks -a -tls -q HELO -s -au test -ap '<>'
  • Exim log dir: tail -f /var/log/exim4/mainlog. Also, check rejectlog, and paniclog.
  • View exim stat: eximstats /var/log/exim4/mainlog
  • List all listening ports/running PID/running user: sudo lsof -i -P
  • Get dovecot user information: sudo doveadm user me
  • To debug userdb/passwd in dovecot. Add
auth_debug_passwords = yes
auth_debug = yes
  • Watch dovecot log with tail -f /var/log/syslog


  • There are two ways of storing emails in the Linux OS: mbox and maildir. They are both used widely and are not compatible with the other.
    Personally, I would recommend maildir over mbox (in short, maildir is more structure and safer). In this post, I have introduced to change dovecot config from using mbox to maildir. And, in my installation, Exim uses maildir by default. However, according to @Solaris (see his comment at the end), in some distributions, mbox is the default for Exim. I will investigate the detection and configuration of exim for this latter.
  • Test if exim/dovecot requires a restart if TLS cert keys change. Hint: use openssl s_client to reveal the current certificates. (refer Test SMTP/IMAP(S)/POP3(S) configuration from the command line)
  • Support multiple domains
  • Periodically backup to AWS s3.
Buy Me A Coffee