Mail server#

The Email module is split into three main parts:

  • Postfix: SMTP server for sending and receiving

  • Dovecot: IMAP and POP3 server to read email, and Sieve language to organize it

  • RSPAMD: antispam filter, antivirus and attachments blocker

Benefits are:

  • complete autonomy in electronic mail management

  • avoid problems due to the Internet Service Provider

  • ability to track the route of messages in order to detect errors

  • optimized antivirus and antispam scan

See also the following related topics:

You can install only one mail server per node from the Software center.


The mail module requires at least one user domain already configured.

The first configuration wizard will require the following information:

  • Mail server hostname: insert the mail server name, this should be the same name configured inside your MX DNS record

  • Primary mail domain: insert the mail domain, like; you will be able to add more domains later

Then, select the user domain to be connected to the mail server. An email address will be created for every user in the selected domain.


NethServer can handle an unlimited number of mail domains, configurable from the Domains page.


If a domain is deleted, email will not be deleted; any message already received is preserved.

You can add a new domain by clicking on the Create domain button and fill the Name field with the mail domain, like

If the Add user addresses from user domain option is disabled, you can enable the Accept unknown recipients switch and select a mailbox that will catch all messages sent to non-existing addresses.

NethServer allows storing a hidden copy of all messages directed to a particular domain: they will be delivered to the final recipient and also to a custom email address. The hidden copy is enabled by the Copy inbound messages switch.


On some countries, enabling the Copy inbound messages switch can be against privacy laws.

If the final recipient cannot be reached (i.e. the recipient address does not exist), the message is normally rejected. Sometimes (i.e. when a mail domain is migrated) it could be useful to accept it and silently deliver the message to a catch-all mailbox. This behavior can be achieved by enabling the Accept unknown recipients option. This configuration is available only if Add user address from user domain option is disabled.

DKIM signature#


DKIM is not currently configurable from the web user interface.

DomainKeys Identified Mail (DKIM) provides a way to validate the sending MTA, which adds a cryptographic signature to the outbound message MIME headers.

The DKIM signature headers are added only to messages sent through TCP ports 587 (submission) and 465 (smtps).

To work effectively, the public DNS must be configured properly. Refer to the instructions of your DNS provider to run the following steps:

  1. Add a TXT record to your public DNS service provider with key “default._domainKey”

  2. Copy and paste the given key text in the DNS record data (RDATA) section


Each user has a personal mailbox and any user name in the form <username>@<domain> is also a valid email address to deliver messages into it.

The list of mailboxes is shown on the Mailboxes page. There are two types of mailboxes: users and public mailboxes.

Users mailboxes#

You can disable each mailbox by selecting the Disable item from the three-dots menu on the mailbox line.

By clicking the Edit item from the three-dots menu it’s possible to setup the following options:

  • Forward messages: forward all messages to another mail address

  • Custom mailbox quota: override the quota configured from the Settings

  • Custom spam retention: override the retention configured from the Settings

Public mailboxes#

Public mailboxes can be shared among groups of users. The Create public mailbox button allows creating a new public mailbox and defining one or more owning groups and users. Public mailboxes can also be created by any IMAP client supporting IMAP ACL protocol extension (RFC 4314).

When a new public mailbox is created, the mail server will automatically add a new address for all existing mail domains.


In addition to the users, groups and public mailboxes addresses, described in the previous section, the system enables the creation of an unlimited number of email addresses, from the Addresses page. Each mail address is associated with one or more destinations. A destination can be of the following types:

  • user mailbox

  • public mailbox

  • external email address

A mail address can be bound to any mail domain or be specific to one mail domain. For example:

  • First domain:

  • Second domain:

  • Email address info bound to any domain:,

  • Email address goofy specific to one domain:

Sometimes a company forbids communications from outside the organization using personal email addresses. The Internal check box blocks the possibility of an address to receive messages from the outside. Still an internal address can be used to exchange messages with other accounts of the system.


All transiting email messages are subjected to a list of checks:

  • Antivirus

  • Antispam


The antivirus component finds email messages containing viruses. Infected messages are discarded. The virus signature database is updated periodically.


The antispam component RSPAMD analyzes emails by detecting and classifying SPAM messages using heuristic criteria, predetermined rules and statistical evaluations of the content of messages.

The filter can also check if the sending server is listed in one or more block lists (DNSBL). A score is associated with each rule.

Total spam score collected at the end of the analysis allows the server to decide what to do with a message.

Statistical filters, called Bayesian, are special rules that evolve and quickly adapt analyzing messages marked as spam or ham.


Module settings are split up and accessible under the cards described by the following sections.

General settings#

The following values are set at module first configuration time. They should not be changed in production:

  • Mail server hostname configures how the MTA identifies itself with other MTAs. To successfully receive email messages, use this host name to configure the following DNS records:

    • A record, resolving the Mail server hostname to the public and static IP address of the server

    • PTR record, resolving back the IP address to the Mail server hostaname

    • MX records, one for each mail domain handled by the Mail module instance

    • TXT records, as specified by DKIM, SPF and DMARC

  • User domain selects a LDAP database with user, groups and passwords. If the DB is changed existing mailboxes are not removed! A mailbox is still accessible if the same user name is present in both the old and the new database.


Under the Mailboxes card you can configure the Default mail quota.

If the general mailbox quota is enabled, the Mailboxes page summarizes the quota usage for each user. This summary is updated when a user logs in or a message is delivered.

Under the Shared mailboxes section, Shared seen selects if the IMAP seen flag is shared or not with other users. In general, the seen flag is used to mark if a message has been read or not. In a shared mailbox, each user can access the same message.

  • If users accessing the shared mailbox prefer to know if a mail has already been read by someone else, set Shared seen to enabled (default).

  • If users accessing the shared mailbox are not interested if a message has been already read by someone else, set Shared seen to disabled.

Messages marked as spam (see Filter) can be automatically moved into the Junk folder by enabling the option Move spam to junk folder. Spam messages can be expunged automatically after a period of time. You can configure it from the Default spam retention option.

Master users#

Under the Master users card, you can setup a user that can impersonate another user, gaining full rights to any mailbox contents and folder permissions.

Credentials are accepted by the IMAP server:

  • user name of the master user, eg. master

  • master user password

For instance, to access as john with root password secr3t, use the following credentials:

  • user name: john*master

  • password: secr3t

Client configuration#

The server supports standard-compliant email clients using the following IANA ports:

  • imap/143

  • pop3/110

  • smtp/587

  • sieve/4190

Authentication requires the STARTTLS command and supports the following variants:



Also the following SSL-enabled ports are available for legacy software that still does not support STARTTLS:

  • imaps/993

  • pop3s/995

  • smtps/465


The standard SMTP port 25 is reserved for mail transfers between MTA servers. Mail user agents (MUA) must use the submission port.

If you’re looking for web email clients, take a look to: