Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Debian Wheezy)

This tutorial is Copyright (c) 2013 by Falko Timme. It is derived from a tutorial from Christoph Haas which you can find at You are free to use this tutorial under the Creative Commons license 2.5 or any later version.

This document describes how to install a Postfix mail server that is based on virtual users and domains, i.e. users and domains that are in a MySQL database. I'll also demonstrate the installation and configuration of Courier (Courier-POP3, Courier-IMAP), so that Courier can authenticate against the same MySQL database Postfix uses.

The resulting Postfix server is capable of SMTP-AUTH and TLS and quota (quota is not built into Postfix by default, I'll show how to patch your Postfix appropriately). Passwords are stored in encrypted form in the database (most documents I found were dealing with plain text passwords which is a security risk). In addition to that, this tutorial covers the installation of Amavisd, SpamAssassin and ClamAV so that emails will be scanned for spam and viruses. I will also show how to install SquirrelMail as a webmail interface so that users can read and send emails and change their passwords.

The advantage of such a "virtual" setup (virtual users and domains in a MySQL database) is that it is far more performant than a setup that is based on "real" system users. With this virtual setup your mail server can handle thousands of domains and users. Besides, it is easier to administrate because you only have to deal with the MySQL database when you add new users/domains or edit existing ones. No more postmap commands to create db files, no more reloading of Postfix, etc. For the administration of the MySQL database you can use web based tools like phpMyAdmin which will also be installed in this howto. The third advantage is that users have an email address as user name (instead of a user name + an email address) which is easier to understand and keep in mind.

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents in the web.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!


1 Preliminary Note

This tutorial is based on Debian Wheezy, so you should set up a basic Debian Wheezy server installation before you continue with this tutorial. The system should have a static IP address. I use as my IP address in this tutorial and as the hostname.

It is very important that you make /bin/sh a symlink to /bin/bash...

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <-- No

... and that you disable AppArmor:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils


2 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin

To install Postfix, Courier, Saslauthd, MySQL, and phpMyAdmin, we simply run

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl phpmyadmin apache2 libapache2-mod-php5 php5 php5-mysql libpam-smbpass

You will be asked a few questions:

General type of mail configuration: <-- Internet Site
System mail name: <--
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Create directories for web-based administration? <-- No
SSL certificate required <-- Ok
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No


3 Apply The Quota Patch To Postfix

We have to get the Postfix sources, patch it with the quota patch, build new Postfix .deb packages and install those .deb packages:

apt-get build-dep postfix

cd /usr/src
apt-get source postfix

(Make sure you use the correct Postfix version in the following commands. I have Postfix 2.9.6 installed. You can find out your Postfix version by running

postconf -d | grep mail_version

The output should look like this:

root@server1:/usr/src# postconf -d | grep mail_version
mail_version = 2.9.6
milter_macro_v = $mail_name $mail_version


cd postfix-2.9.6
patch -p1 < ../postfix-vda-v11-2.9.6.patch

Next open debian/rules and change DEB_BUILD_HARDENING from 1 to 0:

vi debian/rules


If you don't do this, your build will fail with the following error messages:

maildir.c: In function âdeliver_maildirâ:
maildir.c:974:17: error: format not a string literal and no format arguments [-Werror=format-security]
maildir.c:977:17: error: format not a string literal and no format arguments [-Werror=format-security]
maildir.c:983:17: error: format not a string literal and no format arguments [-Werror=format-security]
maildir.c:986:17: error: format not a string literal and no format arguments [-Werror=format-security]
maildir.c: In function âsql2fileâ:
maildir.c:404:25: warning: ignoring return value of âreadâ, declared with attribute warn_unused_result [-Wunused-result]
maildir.c:417:26: warning: ignoring return value of âwriteâ, declared with attribute warn_unused_result [-Wunused-result]
cc1: some warnings being treated as errors
make: *** [maildir.o] Error 1
make: Leaving directory `/usr/src/postfix-2.9.3/src/virtual'
make[1]: *** [update] Error 1
make[1]: Leaving directory `/usr/src/postfix-2.9.3'
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

Now we can build the new Postfix .deb packages:


Now we go one directory up, that's where the new .deb packages have been created:

cd ..

The command

ls -l

shows you the available packages:

root@server1:/usr/src# ls -l
total 8400
drwxr-xr-x  4 root root    4096 May  7 01:24 linux-headers-3.2.0-4-amd64
drwxr-xr-x  4 root root    4096 May  7 01:24 linux-headers-3.2.0-4-common
lrwxrwxrwx  1 root root      23 Jun 24  2012 linux-kbuild-3.2 -> ../lib/linux-kbuild-3.2
drwxr-xr-x 18 root root    4096 Jul  1 21:13 postfix-2.9.6
-rw-r--r--  1 root root    3561 Jul  1 21:13 postfix_2.9.6-2_amd64.changes
-rw-r--r--  1 root root 1529980 Jul  1 21:13 postfix_2.9.6-2_amd64.deb
-rw-r--r--  1 root root  254432 Jul  1 21:12 postfix_2.9.6-2.diff.gz
-rw-r--r--  1 root root    1492 Jul  1 21:12 postfix_2.9.6-2.dsc
-rw-r--r--  1 root root 3767309 Mar 11 15:03 postfix_2.9.6.orig.tar.gz
-rw-r--r--  1 root root  255470 Jul  1 21:13 postfix-cdb_2.9.6-2_amd64.deb
-rw-r--r--  1 root root  367774 Jul  1 21:13 postfix-dev_2.9.6-2_all.deb
-rw-r--r--  1 root root 1294258 Jul  1 21:13 postfix-doc_2.9.6-2_all.deb
-rw-r--r--  1 root root  264196 Jul  1 21:13 postfix-ldap_2.9.6-2_amd64.deb
-rw-r--r--  1 root root  257322 Jul  1 21:13 postfix-mysql_2.9.6-2_amd64.deb
-rw-r--r--  1 root root  257376 Jul  1 21:13 postfix-pcre_2.9.6-2_amd64.deb
-rw-r--r--  1 root root  257476 Jul  1 21:13 postfix-pgsql_2.9.6-2_amd64.deb
-rw-r--r--  1 root root   55009 May  7 08:47 postfix-vda-v11-2.9.6.patch
drwxr-xr-x  7 root root    4096 May  7 01:24 virtualbox-guest-4.1.18

Pick the postfix and postfix-mysql packages and install them like this:

dpkg -i postfix_2.9.6-2_amd64.deb postfix-mysql_2.9.6-2_amd64.deb


4 Create The MySQL Database For Postfix/Courier

Now we create a database called mail:

mysqladmin -u root -p create mail

Next, we go to the MySQL shell:

mysql -u root -p

On the MySQL shell, we create the user mail_admin with the passwort mail_admin_password (replace it with your own password) who has SELECT,INSERT,UPDATE,DELETE privileges on the mail database. This user will be used by Postfix and Courier to connect to the mail database:

GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password';

Still on the MySQL shell, we create the tables needed by Postfix and Courier:

USE mail;

CREATE TABLE domains (
domain varchar(50) NOT NULL,
PRIMARY KEY (domain) )

CREATE TABLE forwardings (
source varchar(80) NOT NULL,
destination TEXT NOT NULL,
PRIMARY KEY (source) )

email varchar(80) NOT NULL,
password varchar(20) NOT NULL,
quota INT(10) DEFAULT '10485760',

CREATE TABLE transport (
domain varchar(128) NOT NULL default '',
transport varchar(128) NOT NULL default '',
UNIQUE KEY domain (domain)


As you may have noticed, with the quit; command we have left the MySQL shell and are back on the Linux shell.

The domains table will store each virtual domain that Postfix should receive emails for (e.g.


The forwardings table is for aliasing one email address to another, e.g. forward emails for [email protected] to [email protected].

source destination
[email protected] [email protected]

The users table stores all virtual users (i.e. email addresses, because the email address and user name is the same) and passwords (in encrypted form!) and a quota value for each mail box (in this example the default value is 10485760 bytes which means 10MB).

email password quota
[email protected] No9.E4skNvGa. ("secret" in encrypted form) 10485760

The transport table is optional, it is for advanced users. It allows to forward mails for single users, whole domains or all mails to another server. For example,

domain transport smtp:[]

would forward all emails for via the smtp protocol to the server with the IP address (the square brackets [] mean "do not make a lookup of the MX DNS record" (which makes sense for IP addresses...). If you use a fully qualified domain name (FQDN) instead you would not use the square brackets.).

BTW, (I'm assuming that the IP address of your mail server system is you can access phpMyAdmin over in a browser and log in as mail_admin. Then you can have a look at the database. Later on you can use phpMyAdmin to administrate your mail server.

Share this page:

11 Comment(s)

Add comment


From: Anonymous


I succesfully installed according to these instructions and almost everything is working fine.

 Only thing which is not working is SMTP authentication. If I try to add account to Outlook outlook just keeps asking password and username for the SMTP server. Auth.log shows this:

 Feb 26 14:58:37 l119 postfix/smtpd[26228]: sql plugin try and connect to a host
Feb 26 14:58:37 l119 postfix/smtpd[26228]: sql plugin trying to open db 'mail' on host ''
Feb 26 14:58:37 l119 postfix/smtpd[26228]: sql plugin Parse the username [email protected]

 I changed the SMTP port to 587 before that change i did not even get a connection to the SMTP.

Anybody can help me?


From: Kadu Lessa


Have you corrected this problem? How to fixed this? I trying to fix this for a week!


From: fly

Hello Sir Falko:

This a very good guide to set up my server. and Great thanks to you.

Here I have one problems confused me a lot.

After Finished the steps as you showed, I found when i mailx my users registered in mail database of mysql, it can not automatically generate the folders for users in the path of ../vmail/ . I have checked ,but can not found where is the problem. can you help me ?

Best wishes.


From: schmoove

For anyone updating from Squeeze to Wheezy and getting login failures when connecting to smtp, with errors in '/var/log/mail.log':

"[...]postfix/smtpd[...]: warning: unknown[]: SASL LOGIN authentication failed: no mechanism available"

Double-check your '/etc/postfix/sasl/smtpd.conf', there are slight changes. The tutorial further up this page reflects those changes. They are practically

--auxprop_plugin: mysql

--sql_select: select password from users where email = '%u'

++auxprop_plugin: sql

++sql_engine: mysql

++sql_select: select password from users where email = '%u@%r'

From: Lennart

The method for encrypting the password shown here is very weak. The mysql ENCRYPT() function is just a wrapper around the unix crypt() function, which uses DES by default with only a two char salt (only 4096 permutations!). DES is only 56 bits, this can be bruteforced within a few days, or even quicker. Also on most platforms only the first 8 chars of the password is used, making "password1234" and "password5678" the same.

It's wise to use a newer, more secure hash algorithm, like SHA2 and with a longer salt. The salt could be based on a SHA2 hash of the email address, as it is different for each user (the salt just needs to be unique, not secret). This is how I do it:

insert into users (email, password) values ('email@domain', encrypt('secretpassword', concat('$5$', sha2('email@domain', 224))));

This will give a crypted password with length 64 so you need a VARCHAR(64) for the password column.

This will work transparently with postfix and courier imap; the mysql auth backend will recognize the used hash method (and the salt) automatically. Of course you'll also need to adjust the change password queries for squirrelmail accordingly.

For more information see the unix crypt(3) man page.


From: juan

in the past I have used this instructions with no issues in general, switched hosting so I had to recreate the server and this time I get lost of errors in mail.err about no working DCC servers

Being checking serveral sites, but can't point my finger on it. Firehol has the port open, and I don't think I made anything different from previous configurations.

From: Denis

Hi, and if i have no such string 250-AUTH PLAIN LOGIN after ehlo localhost?

From: Przemek

I have configured it from this tuturial, everything works fine but in home/vmail/domain/user are no maildirsize file for checking, any advice?

From: nico ad

For some reason I am not ablte to get my emails from thunderbird. It s working fine with a webmail(roundcube) but I am not able to receive any email with pop3 on my desktop computer.

It s not a firewall issue as I am able to telnet port 110 from my desktop.


Any ideas?


Nothing in /var/log/


Thunderbird has validated the settings and I am able to send emails with smtp but not to receive. my mailbox appears empty and no errors message while it try to fetch emails.

From: Han Flamez

After upgrading from squeezy to wheezy and then to Jessie it appears that the STARTLS communication for POP3 over SSL is no longer working.

Any idea where the issue could be and how to resolve it please ?


From: Colin S

You probably want to commit the patch before building:

# dpkg-source --commit

# dpkg-buildpackage