
How to Install & Configure Email Server with Postfix, Dovecot & Opendkim

28 Nov 2014, CPOL
In this article, we are talking Postfix, Dovecot and DKIM so we will walk you through the steps of installing and configuring an email server with Postfix, Dovecot and OpenDKIM on a CentOS 7 system


An email server is a system or set of systems which handles the receiving and sending of email messages on the Internet. There are multiple types of email servers such as SMTP servers which use the Simple Mail Transfer Protocol that is used for e-mail transmission. An SMTP server usually runs in conjunction with an IMAP or POP3 server whose purpose is to provide e-mail retrieval and/or storage. Running an email server is not an easy task. It requires installing, configuring, understanding and maintaining a number of different services.

As you can imagine, there are a number of different SMTP, POP3 and IMAP servers out there. In this article, we are talking Postfix, Dovecot and DKIM so we will walk you through the steps of installing and configuring an email server with Postfix, Dovecot and OpenDKIM on a CentOS 7 system. For this article, we are using CentOS 7 on a Linux VPS from Rose Hosting but you can also use anything else which runs CentOS 7 and preferably has a public IP address.

Before proceeding any further, it is recommended to verify your host/domain name is a valid FQDN (fully qualified domain name) and it has a valid MX DNS record. For this, you can use a tool like dig for example. Run this command to install dig if it's not already installed on the system:

# if ! type -path "dig" > /dev/null 2>&1; then yum install bind-utils -y; fi

In our case, the hostname of the e-mail server is and the domain is The domain name has the following MX record:

# dig MX @ +short

which tells everyone on the Internet that the machine where resolves will handle the e-mails for

It's also recommended that the public IP address of the e-mail server has a valid rDNS (Reverse DNS) record that matches the e-mail server hostname. You can verify this using dig:

# dig -x +short

Access your Server

To complete this article, you will need to have root access (or sudo privileges) on the CentOS system. So, use your favorite SSH client to connect to your server. In *NIX like operating systems, you can fire up your terminal and execute:

# ssh root@YOUR_SERVER_IP -p 22

Note: Make sure you change the port if SSH is listening on a non-default port. Also be sure to replace YOUR_SERVER_IP with your actual server's IP address.

Once you're logged into your CentOS 7 system, install (if it's not already installed) a tool named screen using yum:

# yum install screen

and initiate a new screen session using the command below:

# screen -U -S postfix-dovecot-dkim

Update the System

Once you are in a screen session, it is preferred to make sure your system is fully up-to-date. So, run the following yum command to update your CentOS 7:

# yum update

Note: It is recommended to reboot your system if there's a kernel upgrade.

SSL Certificate

You will need an SSL certificate to make the e-mail server secure and capable of communicating over SSL with other servers or clients. In our example, we are using a self-signed certificate which can be generated using the commands below:

# yum install openssl
# mkdir -p /root/SSL/
# cd /root/SSL/

# openssl genrsa -out 2048
# openssl req -new -x509 -nodes -days 365 -key -out

Enter your SSL certificate details like Country, City, Common Name, etc., for example:

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Oregon
Locality Name (eg, city) [Default City]:Portland
Organization Name (eg, company) [Default Company Ltd]:E-Mail Dept.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []

Once you have the certificate and key, use the following commands to copy them to /etc/pki/tls/certs/ and /etc/pki/tls/private/ respectively:

# cp -av /etc/pki/tls/certs/
# cp /etc/pki/tls/private/

Install Dovecot

Before installing Dovecot, let's say a word about it. What is Dovecot? It is a POP3 and IMAP server that gives Mail User Agents (MUAs) such as Thunderbird or Outlook a way to access the e-mails on the e-mail server.

Install dovecot using yum:

# yum install dovecot

Once installed, you have to edit a few Dovecot configuration files in /etc/dovecot and add/edit some configuration parameters. Let's start with /etc/dovecot/conf.d/10-mail.conf and /etc/dovecot/conf.d/20-imap.conf where we'll set the mail location where the e-mails are looked up from:

# vim +/mail_location /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:~/Maildir

# vim /etc/dovecot/conf.d/20-imap.conf
protocol imap {
    mail_location = maildir:~/Maildir
}

Next, edit /etc/dovecot/conf.d/10-ssl.conf and set the following parameters:

# vim +/"ssl =" /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/tls/certs/
ssl_key = </etc/pki/tls/private/

Note: Double check the certificate and key actually exist in the paths specified in ssl_cert and ssl_key.

In /etc/dovecot/conf.d/10-auth.conf, set disable_plaintext_auth to no and enable plain and login authentication mechanisms:

# vim +/disable_plaintext_auth /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
auth_mechanisms = plain login

We'll use Dovecot's SMTP authentication service in Postfix to authenticate the e-mail accounts, so edit /etc/dovecot/conf.d/10-master.conf and make sure the following snippet exists within service auth {} section:

# vim /etc/dovecot/conf.d/10-master.conf
service auth {
    # Postfix smtp-auth
    unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
    }
}

Finally, let's edit /etc/dovecot/dovecot.conf, set the enabled protocols and bind Dovecot to all interfaces:

# vim +/"protocols =" /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp
listen = *

Restart the Dovecot service on the system using systemctl and add it to the system's startup:

# systemctl restart dovecot
# systemctl status dovecot
# systemctl enable dovecot

Install Postfix

What is Postfix? It is a Mail Transfer Agent (MTA) which is responsible for transferring e-mail messages from one computer to another. An MTA has the capability to act as a client for sending e-mails or as a server for receiving e-mails via the SMTP protocol.

Install postfix using yum:

# yum install postfix

Once installed, create the /etc/mail directory, edit the Postfix main configuration file /etc/postfix/ and set the following configuration options:

# mkdir /etc/mail
# vim /etc/postfix/
inet_interfaces = all
inet_protocols = ipv4
mydestination = /etc/mail/my_domains, $myhostname
virtual_alias_maps = hash:/etc/mail/virtual
home_mailbox = Maildir/

tls_random_source = dev:/dev/urandom
broken_sasl_auth_clients = yes

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_use_tls = yes
smtpd_tls_key_file  = /etc/pki/tls/private/
smtpd_tls_cert_file = /etc/pki/tls/certs/
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Note: Make sure you replace with your actual server's hostname. Also verify the paths used in smtpd_tls_key_file and smtpd_tls_cert_file exist.

Next, create two configuration files, /etc/mail/my_domains and /etc/mail/virtual. The first one will contain all domain names handled by Postfix and the second one will contain the virtual e-mail aliases.

# touch /etc/mail/my_domains /etc/mail/virtual
# postmap /etc/mail/virtual

Edit /etc/postfix/ and enable the submission (587) and SSL (465) ports in Postfix:

# vim /etc/postfix/

submission inet n       -       n       -       -       smtpd

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Restart the Postfix service using systemctl for the changes to take effect:

# systemctl restart postfix
# systemctl status postfix
# systemctl enable postfix

Add Domain, Account and Aliases

Add to /etc/mail/my_domains so Postfix can accept and relay email for this domain. Each domain should be added on a new line.

# echo >> /etc/mail/my_domains

To create a new email account on the e-mail server, you can use the following commands:

# useradd -s /sbin/nologin -m john
# passwd john

If you would like to add some aliases like or, you can add the following to /etc/mail/virtual. john john

Every time you change this configuration file, you have to postmap it and restart Postfix for the changes to take effect. For example:

# postmap /etc/mail/virtual
# systemctl restart postfix

Setup OpenDKIM

DKIM is a digital email signing and verification technology that digitally signs the e-mails on the e-mail server. This feature can be used for further verification of the e-mail message that it was signed...

Enable EPEL Repository

You can install the EPEL repository simply by using yum as in:

# yum install

Verify EPEL is enabled on the system:

# yum repolist

Install OpenDKIM

Install OpenDKIM using yum:

# yum install opendkim

Configure OpenDKIM

The following configuration is reasonable and should work in most setups. You are free, however, to make any changes as needed for your case.

Back up the original opendkim config file by renaming it, then create a new one with the contents shown below. Finally, save the file and exit vim.

# mv /etc/opendkim.conf{,.orig}
# vim /etc/opendkim.conf
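AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      file:/etc/opendkim/TrustedHosts
InternalHosts           file:/etc/opendkim/TrustedHosts
KeyTable                file:/etc/opendkim/KeyTable
SigningTable            file:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp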

Setup DKIM Private/Public Keys

You will now need to create the necessary DKIM private and public keys. Execute the following statements as shown.

# mkdir /etc/opendkim/keys/
# opendkim-genkey -D /etc/opendkim/keys/ -d -s mail
# chown -R opendkim: /etc/opendkim/keys/
# mv /etc/opendkim/keys/ /etc/opendkim/keys/

Edit the KeyTable file:

# vim /etc/opendkim/KeyTable

Now edit the SigningTable file:

# vim /etc/opendkim/SigningTable


Add the trusted hosts in the file as shown below. Make sure you change with your actual domain name.

# vim /etc/opendkim/TrustedHosts

Add a TXT record in the domain's zone file:

# cat /etc/opendkim/keys/

Verify the DKIM TXT record using dig:

# dig +short TXT

Integrate DKIM in Postfix

# vim /etc/postfix/

smtpd_milters           = inet:
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

# systemctl restart opendkim
# systemctl enable opendkim

# systemctl restart postfix

And that should be it. You should now have a fully functional Postfix, Dovecot and DKIM setup, ready to send and receive DKIM signed emails for your domain.
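
A check of the finished setup, as an added example that is not part of the original article: the script reads Dovecot and Postfix settings and flags three combinations configured above (ssl = yes with disable_plaintext_auth = no, SASL enabled without smtpd_tls_auth_only, and milter_default_action = accept) under which passwords can be sent before TLS is negotiated or mail can leave unsigned. The function names, finding IDs and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag settings from this guide that let
# passwords cross the network before TLS, or let mail leave unsigned.

# Print the value of the last "KEY = value" line for KEY ($2) in FILE ($1).
# Reads the config files themselves or saved `doveconf -n` / `postconf -n` output.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# $1 = Dovecot settings file, $2 = Postfix settings file.
# Prints one finding ID per line (IDs are made up here); nothing if all pass.
audit_mail_auth() {
    ssl=$(get_setting "$1" ssl)
    plain_off=$(get_setting "$1" disable_plaintext_auth)
    sasl=$(get_setting "$2" smtpd_sasl_auth_enable)
    auth_only=$(get_setting "$2" smtpd_tls_auth_only)
    milter=$(get_setting "$2" milter_default_action)

    # Dovecot accepts PLAIN/LOGIN on an unencrypted session unless
    # ssl = required or disable_plaintext_auth = yes.
    if [ "$plain_off" = "no" ] && [ "$ssl" != "required" ]; then
        echo "DOVECOT_PLAINTEXT_AUTH_WITHOUT_TLS"
    fi
    # Postfix offers AUTH before STARTTLS unless smtpd_tls_auth_only = yes.
    if [ "$sasl" = "yes" ] && [ "$auth_only" != "yes" ]; then
        echo "POSTFIX_AUTH_BEFORE_STARTTLS"
    fi
    # With "accept", mail is delivered unsigned whenever the milter is down.
    if [ "$milter" = "accept" ]; then
        echo "MILTER_FAIL_OPEN"
    fi
    return 0
}

# Constructed sample input: the values this guide sets, then a tightened variant.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssl = yes' 'disable_plaintext_auth = no' \
    'auth_mechanisms = plain login' > "$demo_dir/dovecot.guide"
printf '%s\n' 'smtpd_sasl_auth_enable = yes' 'smtpd_use_tls = yes' \
    'milter_default_action = accept' > "$demo_dir/postfix.guide"
printf '%s\n' 'ssl = required' 'disable_plaintext_auth = yes' > "$demo_dir/dovecot.tight"
printf '%s\n' 'smtpd_sasl_auth_enable = yes' 'smtpd_tls_auth_only = yes' \
    'milter_default_action = tempfail' > "$demo_dir/postfix.tight"

audit_mail_auth "$demo_dir/dovecot.guide" "$demo_dir/postfix.guide"
audit_mail_auth "$demo_dir/dovecot.tight" "$demo_dir/postfix.tight"
```

On a live server, save the output of doveconf -n and postconf -n to two files and pass them to audit_mail_auth; the check reads main-level settings only and does not follow per-service -o overrides.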


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Joy Mali
Technical Lead
United States
Joy Mali is a certified digital analyst who helps online businesses to perform better on the web with best solutions & advice. Her content is featured on many mainstream sites & blogs.

Comments and Discussions

Question: Adjustments to the opendkim.conf file
Sven1883, 8-Apr-15 1:51
Firstly, thanks for taking the time to write the guide; it was easy to follow and well structured. However, I have encountered a problem. I have done a clean install of CentOS 7, ran all updates and followed the guide, and I am now faced with an issue when trying to run:
systemctl restart opendkim

I get the message:

Job for opendkim.service failed. See 'systemctl status opendkim.service' and 'journalctl -xn' for details.

and when I run the status command as suggested I get this:

opendkim.service - DomainKeys Identified Mail (DKIM) Milter
Loaded: loaded (/usr/lib/systemd/system/opendkim.service; enabled)
Active: failed (Result: exit-code) since Wed 2015-04-08 11:31:37 BST; 50s ago
Docs: man:opendkim(8)
Process: 17763 ExecStart=/usr/sbin/opendkim $OPTIONS (code=exited, status=78)

Apr 08 11:31:37 opendkim[17763]: opendkim: /etc/opendkim.conf: configuration error at line 8: unrecognized parameter
Apr 08 11:31:37 systemd[1]: opendkim.service: control process exited, code=exited status=78
Apr 08 11:31:37 systemd[1]: Failed to start DomainKeys Identified Mail (DKIM) Milter.
Apr 08 11:31:37 systemd[1]: Unit opendkim.service entered failed state.

After some investigation I noticed there are a few misconfigurations in the opendkim.conf file.

My corrected file is below:
AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      file:/etc/opendkim/TrustedHosts
InternalHosts           file:/etc/opendkim/TrustedHosts
KeyTable                file:/etc/opendkim/KeyTable
SigningTable            file:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

Hope this helps

