Raspberry Pi Email Server


The RasPi’s small size and low power consumption make it an ideal choice for use as a home email server. After trying a couple of different pieces of software, I finally found an excellent combination: Postfix with Dovecot and Squirrelmail, plus Spamasssassin and Sieve for spam filtering. There are many, many tutorials out there for the first trilogy of programs, but since the configuration is slightly different for each distribution I kept coming unstuck when setting mine up on the Pi. Having finally got mine configured properly, I’ve put together a set of 5 tutorials, which will take you from a vanilla Raspbian image to a fully functioning email server in no time. When writing the tutorial I made an effort to explain what each setting does instead of just dumping commands. With a bit of luck at the end of the process you’ll not only have a working server, you’ll understand how it works… without having to wade through reams of documentation like I did! If you follow the tutorials from start to finish, here’s what you’ll end up with:

  1. An email server that you can run 24/7/365 for under £5 of electricity per year
  2. Personalised email address like you@yourdomain.com (requires you to have registered a domain name with a registrar like namecheap.com - see my DNS basics tutorial)
  3. The ability to connect from anywhere, and read & send email, using a secure IMAP connection on your phone, tablet or computer
  4. Log in to webmail using any web browser on a secure HTTPS connection, read & send email
  5. Complete control over your personal communication. Your emails are stored on YOUR server, and nobody is scanning them to sell you adverts.
  6. Smart spam filtering with Spamassassin
  7. Customisable mail sorting with Sieve rules

Postfix, the Mail Transfer Agent

Postfix Logo

Postfix is the program that lets you send and receive email using Simple Mail Transfer Protocol (SMTP). Whilst you, the user, may connect to your email server using IMAP (on port 143 or 993), or POP (on port 110 or 995), email servers talk to each other using SMTP on port 25. So, this is the basic core of the server. Without it, you wouldn’t be able to send or receive any emails! I’ve covered the setup here: Raspberry Pi Email Server Part 1: Postfix

Dovecot, the POP/IMAP Server


Dovecot is used for two things:

  1. It provides you with IMAP functionality
  2. It checks that you are who you say you are using Simple Authentication and Security Layer (SASL) before you send or fetch mail

If you’re not interested in connecting with IMAP on your devices, you still need Dovecot. Not only is it doing SASL for you, but Squirrelmail connects using IMAP in order to provide you with webmail. I’ve covered Dovecot installation and configuration here: Raspberry Pi Email Server Part 2: Dovecot

Squirrelmail, for Webmail

Squirrelmail Logo

Squirrelmail is handy because it allows you to check your email in any browser, from anywhere. Of the first three, it’s probably the easiest to configure. I’ve covered it here: Raspberry Pi Email Server Part 3: Squirrelmail

Spamassassin, for Marking Spam

Spamassassin Logo

Spamassassin is the program that we will use to audit incoming mail and decide whether or not it’s spam. Spamassassin doesn’t actually sort the mail into the spam folder, it only changes information in the headers based on the results of the scan. I’ve covered it here: Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin.

LMTP & Sieve for Spam Sorting & Mailbox Organisation

After Spamassassin has checked incoming mail to see if it’s spam or not, we need another program to sort it into the right mail folder. This final step will be done with Dovecot’s Local Mail Transfer Protocol (LMTP) daemon and a Sieve plugin. Sieve is a simple programming language that allows users to define what to do with incoming email based on a predefined set of rules – think “if the header contains this flag, put it in the spam folder” kind of thing and you’ll get the gist. Aside from spam filtering, Sieve can be used to automatically sort & de-clutter your inbox. These steps are covered in the final tutorial: Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve Enjoy! I’d love to hear how you get on, so leave a comment below :)


22 is secure shell (SSH) 80 is HTTP 143 is "insecure" IMAP 993 is IMAPS (IMAP over SSL) Most of those are postfix related, but clamd is part of ClamAV (antivirus scanner) so the default "mailserver" configuration may be passing messages to ClamAV to scan for viruses (rather like postfix passes mail to spamassassin in this tutorial). That's not a bad thing, but unnecessary if all of your devices run Linux. saslauthd might be the Cyrus SASL implementation (used for authentication - this tutorial uses Dovecot's implementation of SASL instead). Maybe your outgoing email goes directly through the ISP and your sent messages are just picked up again with IMAP by Fetchmail? Do you run anything on port 80? It's not a good idea to leave it open if not. Also, take a look at /var/log/auth.log, guaranteed some bots are hammering your SSH. I'd recommend running fail2ban and/or using publickey authentication (i.e. disable password authentication) if you're not already doing so! Let me know if you need help! Sam

1. I set sylpheed up to send straight to my ISP with SSL. The copy of the email that I want to preserve is stored away by sylpheed in the IMAP structure. I tried to get it to go through Synology but it gets rejected (SASL authorisation failure, 535.5.7.0) by my ISP, which I now know is not surprising as I don't see anything in main.cf on the Synology. (BTW: you have main.conf at at least one place in the tutorial.)
2. Synology displays the number of "naughty" attempts at logging in etc. (Hello just now.) It doesn't do it by an auth.log but it's easy to see them. I'm not inundated.
3. I have a pathetic home webpage on 80.
No: none of the rest of the family will touch Linux. Mixture of Windows and Apple and Andoid and Windows phones.

I think I may have wasted enough of your time talking about the vagaries of the Synology variant of Linux. I have learned a vast amount from a) your tutorial and b) the experiments you have lead me to perform on the Synology. I shall now try to replicate the "spirit" of the Synology setup on the Pi using your tutorial with more understanding of what's going on.

I now owe you 2 bottles of good wine but have no idea how I can get them to you. Suggestions?

There's a way of getting Postfix to authenticate with your ISP when in use as a relay, I'm sure I was discussing it with someone in one of the comment threads... I'll find the info if it's something you'd like to try. It's good that there's some kind of authentication protection on there... first time I looked at my auth.log I discovered a bot was going mad trying to bruteforce SSH (no danger because I was using publickey authentication only, password authentication was turned off), but it didn't stop them trying every username under the sun, three per second for months, which is a waste of resources. The virus scanner is probably a good idea then - there are lots of nasty windows viruses out there that get transmitted by email (like the one that encrypts your home folder and ransoms you the key!). I'm not one to refuse a bottle of wine ;) that really is too kind of you. Where abouts in the country are you (actually, are you even from the UK?). Here's a neat trick for you to try on your Pi:
sudo apt-get update
sudo apt-get install whois
whois samhobbs.co.uk

I'll send you a private email if that is OK so you can see who I am. Is it OK?
If you can see my "hidden" (hidden from whom?) email address then you can see where I live. I suspect I should pay the fee to hide it though.

Best wishes

Yeah sure, email me :) Yeah I can see your email address in my log files when you leave a comment. Looks like you're not far but not close either! You mean woisguard? I considered doing that too, but I guess if it's been unhidden at any point in time then there's a public record of what it used to say (before it was hidden) anyway... so I didn't bother in the end. Sam

whenever i send an email to a external email account, such as gmail, i an email sent sraight back saying 'undelivered mail returned to sender'. In the email it says that it s likely that the email was 'unsolicited mail'. Does anyone know how to fix this?
Thanks in advance,


In reply to by Tom Walsh (not verified)


Sounds like those external servers don't think legitimate email should be coming from your IP address, probably because it's a dynamic IP address? The solution is to get a static IP address or use your ISP's SMTP server to relay outgoing mail. Sam

I am sure many people find your instructions useful. However, I got stuck at step 3, modify the main.cf file. Using the editor in the accessories only led to my being told I don't have permissions. As always in my experience with Linux based systems it means going off to do yet another tutorial or go to some bulletin board asking for more help. Although I studied computer science as my undergraduate degree a number of decades ago, seems that nothing has changed with the way people write operating systems. Sorry if I appear jaded with the whole process, but this started with my loading the Raspbian operating system a couple of days ago. All I wanted to do then was to stop the screen blanking after 10 minutes. 3 hours later after trolling through websites and forums in amongst others who also had the same problem I seem to have fixed that problem. 3 steps later another show-stopper. Anyway, perhaps you can tell me what I am doing wrong at this juncture??

Hi George, The reason I wrote to use your favourite instead of specifying a particular one is that it doesn't actually matter which one you use (they all do the same thing) and I didn't want to start a flame war about which editor is best (Google vi vs Emacs if you want to see what I mean!). Nano is a good text editor for beginners and happens to be my favourite at the moment, I think you've made a good choice. Those permission errors you got when using the built in graphical text editor are because it was running as an unprivileged user (whichever username you log in as) and the configuration files are owned by root. This is because the configuration affects the whole system/every user, so only administrators should be able to make changes. When you use sudo to run a command you are telling the computer to run the command that follows as the superuser (administrator/root), i.e. sudo="SuperUser DO". By the way, this isn't just a Linux thing - if you wanted to do something similar in windows you'd have to right click notepad and "run as administrator" or something like that. If you want to run a graphical application as root you have to use a different command to sudo, for example gksudo, but this depends on which graphical desktop you're using. Bit of a pain, right? This is why almost every tutorial expects you to be using a terminal to make edits. I'm going to change the tutorial so that it says "command line text editor", hopefully that'll make it clearer. Using a graphical editor really didn't occur to me because I actually never use the graphical desktop on a Pi, I prefer to connect with secure shell (SSH) from my normal computer, which gives me a remote terminal session. This is handy if you don't want to have a monitor attached to the pi all the time. You can get s secure shell from Linux (or Mac) to Linux by opening the terminal and typing:
ssh username@ip-address-of-pi
ssh pi@
Or use the hostname of the sever instead of the IP address, like:
ssh pi@raspberrypi
If you want to connect from windows to Linux, there's a free software program called PuTTY you can download. Hope that helps, don't get put off by things like this - every thing you learn makes the next thing easier. I've only been using Linux for a year and a half now and I've learned so much! Sam

Thanks Sam,
I've been using nano for the time being, I'll chase up a visual editor later.
I've gotten as far as installing dovecot and about to testing SASL. I commented out a "}" by accident, and fixed it and now don't get any more error messages when I restart postfix and dovecot. Getting late, so I'll leave it for today and try to complete the installation process tomorrow.
THanks for your help.

I have two Raspberry Pi machines connected to a single router. That router is addressable as rpibee.com via dyndns and I have the respective email port pointed to one of the aforementioned Raspberry Pi.
I am using Postfix with Dovecot and Squirrelmail, as your tutorial suggested, on the one RPi and it sends and receives email fine.
The question is can I get the other RPi to route email thru the 1st one without getting another dyndns name? One complication is that both boxes are headless and therefore the email from the second box is either from a script or a compiled program.
BTW Both RPi are running raspbian.

Yep that's possible. Give your main Pi a fixed LAN IP address or hostname, and then edit your secondary Pi's postfix configuration, adding the main Pi as a relayhost. Take a look at this comment - it deals with adding an ISP's SMTP server as a relay but the principle is the same for another server on your LAN. https://samhobbs.co.uk/comment/2129#comment-2129 Since both Pi are on your LAN, the main Pi should accept all outgoing email from the secondary Pi because its IP address is in the range defined in mynetworks. Sam

Awesome couple of tutorials! Thanks.

Would be great to be able to turn this into a multi-domain setup <-- hint hint

Hi! I've been asked about multiple domains before, it's an interesting question. What exactly is it that you want to achieve? It's relatively easy to change the setup so that you can receive emails sent to several domain names, but it's more difficult to have lots of domain names that you can send email out from without the mail being marked as spam. To add more incoming domains, you can just edit this parameter in /etc/postfix/main.cf e.g.:
mydestination = yourdomain.com, yourdomain, localhost.localdomain, localhost, yourdomain2.com
...then mail sent to foo@yourdomain.com and foo@yourdomain2.com will land in system user foo's Maildir. Outgoing email is more difficult, because if you only have one IP address you can only have one PTR record (for reverse DNS lookups). So if you send mail from yourdomain2.com to some other server, and that server does a rDNS lookup and sees that the IP address is supposed to be for yourdomain1.com, it might reject it as spam. Not every server is configured like this, but I found out that some do the hard way when some of my email was getting rejected until I asked my ISP to change my PTR record to samhobbs.co.uk from the generic one. Also, what do you do about all the SSL/TLS parts - you can't have a SSL cert that is valid for yourdomain.com and yourdomain2.com at the same time, and postfix needs to know which cert to use at the start of the connection, before it knows which domain the client is trying to connect to. I have a feeling that people who have one server for multiple domains either don't use SSL/TLS, or they have multiple IP addresses (but I could be wrong!). So basically, it's not as easy as it seems. You might find the postfix documentation for virtual hosting an interesting read. Thanks for your comment :) Sam


You have some valid concerns about hosting multiple domains on a single server!

The DNS and PTR should not be a challenge: http://help.dnsmadeeasy.com/spry_menu/ptr-record/
Easy to setup and a lot of servers serve multiple email domains so it can't be that hard (famous last words).

I absolutely agree with your easy solution of adding the extra domains to the 'mydestination' field and be done with it (I use this right now).
The more elegant way would be the way of the "Virtual Domain Hosting": http://www.postfix.org/VIRTUAL_README.html. But this will take some re-configuration of the server so maybe your tutorial could follow these rules from the start but implement only one domain, this way the setup is future proof or "built to change".

The Postfix book is a good help; http://www.amazon.com/exec/obidos/ASIN/1593270011/postfixbook-20/ref=no…
Also available at your local (Arrr) e-book supplier.


ps. your homepage field above this reply needs "http://", stringent! :D

Dude, I admire your enthusiasm, but I really wish you had read what I wrote a bit more carefully. Your link shows how to configure the PTR record for a single IP address - I've already done this, as I mentioned:
feathers-mcgraw@Hobbs-T440s:~$ dig samhobbs.co.uk

; <<>> DiG 9.9.5-4.3-Ubuntu <<>> samhobbs.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14778
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;samhobbs.co.uk.                        IN      A

samhobbs.co.uk.         32569   IN      A

;; Query time: 3 msec
;; WHEN: Fri Nov 07 23:32:13 GMT 2014
;; MSG SIZE  rcvd: 48
feathers-mcgraw@Hobbs-T440s:~$ dig -x

; <<>> DiG 9.9.5-4.3-Ubuntu <<>> -x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;  IN      PTR

;; ANSWER SECTION: 43200 IN  PTR     samhobbs.co.uk.

;; Query time: 29 msec
;; WHEN: Fri Nov 07 23:33:21 GMT 2014
;; MSG SIZE  rcvd: 85
The problem that I was referring to in my original post is that you can only have one PTR record per IP address. Show me a person with multiple IP addresses pointing to a Raspberry Pi and I will eat my hat! You will notice that the virtual domain hosting link you posted is the same one I sent you in the comment you are replying to! I understand that it can be done, I just don't think it's appropriate for a RasPi tutorial because it means adding a lot of complexity. I gave you the link because I didn't want to hold you back, if you want to do it then go for it! I've tried to keep it simple - if you're using a Pi for a really busy email server with multiple domains you're doing something wrong. The reason I wrote this guide is that I couldn't find any tutorials aimed at Raspbian (or Ubuntu/Debian) that taught me the basics - how to set up a small home email server for personal use, plus a handful of people (think close family). I think that if I changed the tutorial to add lots of virtual bits it would make it less useful for people like me, and I always try to write the tutorial I was looking for but couldn't find. Of course, that doesn't mean that I won't write a new tutorial someday covering a more advanced setup - I'm certainly interested in learning about virtual hosting, I just don't need it myself right now and I'm working on other things so I don't have the time. I'd like to leave this tutorial as it is because I think it's more useful for beginners this way. As for my homepage field... if anything it would be "https://" ;) - the protocol was left off deliberately. Sam

Thanks for the pages, they seem to be quite comprehensive. Reading the comments, it works for many.

However, I am lost at the requirements:
"2. Personalised email address like you@yourdomain.com (requires you to own a cool domain name) "
What do you mean by "own a domain name". For the last decade or more one can't own a domain name. It must be registered by an official registrar.
But say one did register 'reallycool.com'. There is no connection between this name and the ISP/IP I am connected to/via.
How will the email my friend sends me find my 'reallycool.com' email server?

Could you extend on this please?


You are being needlessly pedantic (I think it's pretty clear what I mean), but you're right. How about "requires you to have registered a cool domain name"? When someone wants to send a message to you@yourdomain.com, their server's Mail Transfer Agent (MTA) looks up the Mail Exchanger (MX) record for yourdomain.com. You can do this yourself with the dig command like so:
~$ dig samhobbs.co.uk MX

; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> samhobbs.co.uk MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37870
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;samhobbs.co.uk.                        IN      MX

samhobbs.co.uk.         60000   IN      MX      10 samhobbs.co.uk.

;; Query time: 26 msec
;; WHEN: Tue Dec 16 18:38:27 GMT 2014
;; MSG SIZE  rcvd: 59
Then the MTA will look up the DNS A record for the domain in the result. In this case it's samhobbs.co.uk but it is often mail.yourdomain.com for domains that have a separate server at a different IP address for email. Again, with the dig command:
~$ dig samhobbs.co.uk

; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> samhobbs.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36866
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;samhobbs.co.uk.                        IN      A

samhobbs.co.uk.         59209   IN      A

;; Query time: 3 msec
;; WHEN: Tue Dec 16 18:43:17 GMT 2014
;; MSG SIZE  rcvd: 59
... which gives the IP address for the domain name - in my case it's Sam

Hello Sam,

Thank you very much for this comprehensive tutorial. I was trying to install postfixadmin to manage postfix but didn't succeed. Would you be able to help me with this topic?


In reply to by Mariusz (not verified)


Hi Mariusz, I'm afraid I don't think postfixadmin is a particularly good idea for home users and defeats the point of what I'm trying to achieve here. That doesn't mean there isn't a place for it in some situations, just that I'm not interested in learning it because it doesn't fit my needs and would make my setup less secure. Here's my response to someone who asked the same question a while back. If it really does fit your use case, I hope you find a decent guide somewhere - I'm sorry I can't help! Sam

Thank you for the great tutorials! I am a relative newbie, so please bear with me.

One thing that that puzzles me is the requirement to "have a registered domain name".

I followed your tutorial and installed owncloud in one of my raspberry pi's and am considering setting up a pi for an e-mail server. I got my owncloud pi working by opening port 80 to the pi and using http. It's shut down now because I would like to use SSL.

For external ssh access to my pi's (I have 10 of them), I set a unique port number and a unique ip address on my LAN for each pi.

Can't I just use my static external IP address (as my "domain name") and open appropriate ports (like 443) in my router that forward traffic to an owncloud pi or email server pi?

I followed your instructions to get a CAcert SSL certificate and got to the point "After you have created your account and logged in, navigate to server certificates --> new". I put in my CSR and tried to submit, but CAcert can't send to webmaster@MYIPADDRESS. I don't have a domain name (and would like to do this without one) and I don't have an email server set up because I don't have a domain name.

So, my questions are:
Can I use owncloud with SSL with my static external IP address instead of a domain name?
Can I make a pi email server with my static external IP address instead of a domain name?

Thanks for you help!

Unfortunately it's impractical to set up an email server that receives messages without a domain name, because although user@[] is technically a valid email address, nobody really does this and most systems will treat such messages as spam. The SMTP protocol allows you to send messages from anywhere and put whatever you like in the from line, but again they'd probably be marked as spam. Normally, email servers find each other by doing an MX lookup on the domain.com part of user@domain.com, which gives a hostname (commonly mail.domain.com or just domain.com)... they then do a DNS A lookup on the hostname to get the IP address to connect to. You can't get a CA to sign a certificate for an IP address for good reasons. One of these reasons is that sometimes they change (if you had a dynamic IP address, you could ask them to verify a cert for your current IP, then power cycle your router, get a new IP, verify the new one... at which point the CA would be telling everyone you control an IP address that isn't assigned to you... there's no way for an automated service like CAcert to know if an IP address is static or dynamic, and even if you have a static IP you can often ask for a new one, so that wouldn't be a guarantee. What is a reliable guarantee is domain name registration, since registration is generally for a long period of time, and this is more flexible because once you've registered a domain name you can choose which IP address to point it at, and change it without changing the certificate. Not having a signed cert won't stop you from running services on 443 (https) with just an IP address, but if you do you'll get a browser error because the certificate has not been verified. One handy workaround could signing up with a free service like noip.com which will give you a valid domain name to use (it'll be a subdomain though, foobar.noip.com or something similar - OK for something like a web page only you will use, but not ideal for email... still better than an IP address though!). Not sure what would happen if you tried to verify a certificate for a noip subdomain, but there's no harm in trying, I think it would work. You can get a "proper" domain name really cheap, mine was 5 years for ~£15 with namecheap.com which I think is great value (avoid GoDaddy!). So... yes, you can use SSL for owncloud without a domain name (but you'll get certificate errors). And yes, technically i think you could set up an email server for sending and receiving mail with only your IP address, but you'd probably be marked as a spammer and people would have to type in user@[] with the square brackets, which is a bit unnatural. You wouldn't have a valid cert for your mail server either. You'll save yourself some pain if you get a domain name. Sam

Thank you. That all makes perfect sense.

Ok, I'll get a domain name and a certificate from CAcert.

But when I submit my CSR to CAcert, how do they respond/authenticate to a webmaster@MYDOMAINNAME if it doesn't exist yet since I don't have my @MYDOMAINNAME or my mail server set up yet.

Get the domain name first. Otherwise you'd be trying to get a certificate for a domain you don't control yet! You don't have to set up an email server to get the cert, most providers set up some kind of email forwarding for webmaster, so you could have the verification email sent to gmail or whatever. Sam

I took your advice and got a domain name from namecheap. $10.87/year for mydomain.com with free whoisguard protection.

I got the cacert certificate (had to disable whoisguard, temporarily to do this).

I opened up ports 80 and 443 on my router for the ownCloud pi - LAN static IP. Any problem here?

I use Linux Mint Mate 17.1 (love it) and successfully connected to my ownCloud at https://mydomain.com using Konqueror, Firefox, and Chromium.

For Konqueror:
I get my ownCloud site with a green check in the shield. No problem.

For Firefox and Chromium I followed the instructions in http://wiki.cacert.org/FAQ/BrowserClients#Linux and connect with lock in Firefox and green lock and https in Chromium.

Thanks again for your great tutorials! Now I'll move on to the pi e-mail server.


I followed your 'howto' to the letter but I cannot receive e-mails. I get the following error message:
Delivery to the following recipient has been delayed:
Message will be retried for 2 more day(s)
Technical details of temporary failure:
DNS Error: Address resolution of mail. failed: Domain name not found

MelbourneIT have my DNS records set as:
A, CNAME, AAAA Records:
www.mydomain.com.au. myIP 86400 A
mail.mydomain.com.au. myIP 86400 A
MX Records:
mydomain.com.au. mail. 86400 10

I have tried changing the Postfix hostname to mail.mydomain.com.au from mydomain.com.au without success.

I'm out of ideas. Any help would be appreciated.


Add new comment

The content of this field is kept private and will not be shown publicly.

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer