Virtual Mail Hosting on Centos7
Postfix MariaDB Dovecot PostfixAdmin Amavisd-new Spamassassin and Clamav

Virtual Mail hosting provides the option of offering mail services to multiple domains on one server.

You will get the following features:

This guide was developed from lessons I learned from Campworld Centos6 Virtual Mail Hosting.  Plus lots of discussions and near flame wars on lists for many of the packages used here.

A copy of textareas was recently added.  The default behavior is to only select the contents of the area on click and the copy to clipboard is a manual step.  This is for saftey measures in protecting the content of the clipboard.  Below are buttons to allow changing this behavior to copy the area to the clipboard on click.

Further, this guide strives to only modify package config files, rather than replacing them.  This is a nod to those package authors on knowing what works best in their packages and easier adoption of new features.

You have a choice of SHA256 or SHA512 for password hashing rather than the default of old MD5.  ARGON2 is the, new, recommended password hash algorithm, but not supported until Dovecot 2.3.


NOTE: The services set up here should be run on a system with at least 1GB of memory with 2GB really being the lower limit.  Additionally, though it will run on a duo-core ARMv7 system, a quad core would be better with AMAVIS restricted to 2 core.  AMAVIS and CLAMAV can really tie up the system.

FURTHER NOTE: SELinux policies are enforced!  In some cases this took working with the SELinux experts to develop polices (e.g. Dovecot to Mysql).  No laid back additude of just running in SELinux permissive mode.

Building the Base Server

Follow the instructions at: Centos7 for armv7 SOC

to build your base Centos7 armv7 server.  Be sure to add the EPEL repo as many of the mailserver packages are there.

Installing the Mail packages

This guide needs the following packages installed:

There is no rpm package for postfixadmin.  Get the most recent version at:
Let's assume that the current version you downloaded is: 3.2.  Place it in /usr/share.


Configuring the Mail packages

Throughout this guide, there are values unique to an installation that have to be provided.  For the most part, these can be handled by first setting some environment variables that will be used in cat and sed commands.  Or you can manually alter the variables.  Special characters (\, $, and / tested) MUST be proceeded by a \.  Spaces should work with quotes around value entered (but not really tested).

To set date_timezone value.  See
for valid timezones (use the same timezone name you used for timedatectl).  Set the variables by altering these commands.

Long passphrases may be more secure for the passwords, and not cause problems with the commands, than the use of special characters or spaces.

Three TLS certificates are created in this guide.  All should have the following values, but any MAY be left blank.  If any include a space, inclose that value in quotes.  Special characters can be included, preceeded by \.

Now there is a lot to configure from all these packages and perhaps you are testing from a temporary IP address that is not in DNS.  For this you need to add to your /etc/hosts file:

Next we have a lot of firewall rules to add:

Port 587 is used by client smtp to send mail to your mailserver.  Port 143 is used by IMAP.  Port 110 is for POP3.  Port 4190 is used by manageseive.  Amavis uses ports 10024 & 10025 but only to localhost so no firewall rule is needed there.

Now edit /etc/php.ini

Now create the mail store directory.  Put it in the /home directory to make backups and other item easy.

Setting up MariaDB

Next start MariaDB and secure it.  You can manually run mysql_secure_installation, or use the following to auto answer the prompts.

Now setup the mysql database for postfixadmin. The following creates the database and user. The setup URL will create the rest.

Next is the Roundcube database.

Then the tables.

Setting up Apache

This guide uses virtual hosting for the webmail service (Roundcubemail).  Virtual hosting requires a DNS entry for webmail.your domain as well as your host.  Once virtual hosting is configured, the first virtual host is the default host.  Additionally, once a virtual host is set to use TLS, this also becomes the default behavior.

This conf file will load first and force a polite behavior.

The default server access can be restricted with:

Next is postfixadmin's Apache conf file. 

Postfixadmin is a Security Risk; Postfixadmin access can be restricted to your IP addresses.  Finer control can be added into a /usr/share/postfixadmin/.htaccess file.

Postfixadmin access is via 'http://your_host_tld/mailadmin'.  You don't want the whole world accessing this link.

Roundcubemail httpd configuration is next.  This guide uses virtual hosting.  The conf can be edited to use your_host_tld/webmail.

Further, this guide forces users to https.  This is enhanced over the default roundcubemail.conf.  Also it secures the cookie used by Roundcubemail.  This is an important security deficiency in the default configuration.

Last step for setting up Apache is creating the SSL certificates.  Three certificates are needed.  One for webmail.$your_domain_tld, another for $your_host_tld, and the third for localhost.  Follow how you setup the roundcubemail.conf and how your users will access your server.  The following commands will create the RSA 2048/SHA256 certificates with a 10 years life.

These are self-signed certificates.  You can purchase your certificates from a recognized CA.  You can find instructions on how to create your own CA and issue these certificates from it.  Future work will add a section on using Let's Encrypt certificates.
You can review the certificate content with:
If you get any of the certificates 'wrong' httpd will not start, and trouble-shooting can be a challenge. Check out /etc/httpd/logs/ssl_error_log for messages hinting at what is wrong with your certificates.

It is now time to enable and start Apache.

Configuring Postfix

Now on to configure the actual packages starting with Postfix.

Postfix is a real task to configure.  It will be easier in versions of Postfix beyond 2.10 that is supplied in Centos 7.  The following modifies the existing config files, rather than replacing them.

This is a 'best effort' from reviewing a number of sources. 

The place to start is with  Note that message_size_limit limits a message to ~20Meg.  Change this as needed. is next.  I have worked out how to just append needed changes to the end.
And if you have to support Outlook TLS connections, then

Next a number of files in /etc/postfix
Edit /etc/postfix/mynetworks as needed,

The last step for postfix is the Vacation Email Functionality

And finally create /etc/postfixadmin/vacation.conf

Finally restart postfix

Configuring Dovecot

Dovecot is next.  There are a number of Dovecot conf files to edit.  Instead, this guide uses the local.conf file which is loaded after the default conf files.  By using the default files and local.conf, these modifications should work in future versions of Dovecot.  The files altered by the local.conf are:

Next the following files are added into /etc/dovecot
Note that the user_query limits an imap mailbox to 30,000 messages.  Change this as needed.

Now create the sieve filter for SPAM filtering

SELinux needs a policy to allow Dovecot to access the mysql unix socket.  As of Feb 5, 2019, this policy has been rolled into Fedora 28 and up, and in time will be included in CentOS.

It is now time to enable and start Dovecot.

Configuring Amavis and Clamav

These two packages work together, along with Spamassassin, to provide anti-spam and anti-virus protection.  Their configuration is simple.

With some guidance from
And more from
We can get clamav working with the following:

Next edit /etc/amavisd/amavisd.conf.

Finally start it all:

A simple test of clamav is

Test the amavis connection with

You should get

Configuring Postfixadmin

Postfixadmin is the email domain and email account management tool.

Create a base /usr/share/postfixadmin/config.local.php

SELinux seems to be a problem for Postfixadmin (and Roundcubemail which needs the setsebool).

Now go to host/mailadmin/setup.php

Setup should proceed to create/update its database structures.

Next is creating the Setup Password by clicking by entering password and clicking on generate hash.  Then edit /usr/share/postfixadmin/config.local.php with the provided hash.

Use this password to add your postfixadmin admin account.  Use this account to log into host/mailadmin.  Create a mail domain; set up a DNS MX entry for it and create a user.  Postfixadmin should set up all the files for the user and send it a welcome message that will be the basis for testing the components.

Configuring Roundcubemail

Roundcubemail configuring is easier now with the installer, but there are a few permission items to take care of first.

Roundcubemail is written in php and a couple php defaults may not be right for Roundcubemail, particularly the file upload size and message size maximums.  The following will comment out the defaults and add new maximums.  Change them as you need.

Depending on how you setup roundcubemail.conf for httpd

The installer does most of the work.  Things to do in the install include:
In the General configuration, select Enchant spellcheck_engine.
In the Database section set your Roundcubemail MySQL password.
In the IMAP section, change the junk_mbox to Spam.
In the SMTP section,
set smtp_server to fqdn
Check "Use the current IMAP username and password for SMTP authentication"
In the Plugins section,
Check managesieve
Check password
Click the UPDATE CONFIG button, start a
cat > /etc/roundcubemail/
copy the content of the text box into the prompt and end with a Cntl-D.

Do not add a closing ?> tag.

Follow the instructions to test Roundcubemail.

If in your system 0 quota means no limit

To allow browser-autocompletion of username and host on login form.

To directly delete messages in Junk instead of moving to Trash.

This quide uses 'Spam' for the 'Junk' folder.  To force Roundcubemail to display 'Spam', rather than 'Junk' as default.

Apache is configured to redirect to secure connections.  Roundcubemail can check and redirect if the Apache configuration is wrong with:

Now we set up the manage sieve plugin.

For the password plugin:

Restart Apache.

Testing the Configuration

This completes configuring the software. Next are some tests to confirm things are working.

Use Postfixadmin to create a virtual domain and a user or so.  Use Roundcubemail to log into a user account and check receipt of the Postfixadmin welcome message.

Roundcubemail use did a basic test of dovecot imap access.  For a fuller test, use all of the following connection methods (via fqdn from a remote system).

IMAP log in and some commands are

POP3 log in and some commands are

For more on Dovecot testing see
For anti-virus testing, find sample.tar.gz.compl (check the version of amavisd-new) and change to that folder and untar it

Then send the following emails.  virus-sample should be dropped, GTUBE should be moved to Spam, and README should end up in INBOX.


© Robert G. Moskowitz -- 2019