How to install email server using ISPConfig on Debian 10

This tutorial uses a single server setup as an example. ISPConfig 3.1 has been installed on Debian 10.0 Buster (for the actual server installation, please refer to the ISPConfig Perfect Server installation tutorial). The purpose of this guide is to show you the steps to set up a normal mail system for your own domain name once the initial server installation is done. While testing this tutorial, I upgraded ISPConfig to 3.1.15.

What you need

To get a working email server with this tutorial, you need:

  • A host on which ISPConfig (and the operating system) is installed
  • I suggest 2 GB of memory and 4 GB of swap space, which should be enough for a mail server
  • The host must be able to connect to the Internet through port 25
  • The host has a fixed IP address
  • The host’s IP address must have an A record (AAAA if using IPv6)
  • You have to create an MX record in the DNS name service that points to the host
  • You must get a reverse DNS (PTR) record for the host that matches the host FQDN

The memory requirement comes from the SPAM filter. If you have 4 GB of swap space, you can get by with 1 GB of memory without running out of memory even if you are running a SPAM filter.

Open port

The mail server must have port 25 open both inbound and outbound. Before setting up an email server on the host, make sure that the port really is open.

There are ways to make email work even if port 25 is not open, but they involve sending email through another host that does have port 25 open. That means installing an email server on another host, and then it may make more sense to forget the first host completely as far as email is concerned.

DNS name service entry

The mail server requires an FQDN, a fully qualified domain name (see Wikipedia: Fully qualified domain name). In this example, the domain name is taleman.ovh. To show that the host name of the mail server does not have to be mail, we use posti as the host name. So the FQDN is posti.taleman.ovh.

This host runs on a service provider’s system, and the provider also offers domain registration, name service and reverse name service, so I use those.

The IP address is 178.33.154.66. I did the following:

  • Registered domain name taleman.ovh
  • Added this IP address to the DNS name service as an A record named posti.taleman.ovh
  • Added MX record for domain taleman.ovh with value posti.taleman.ovh
  • Added a reverse name service PTR record for this IP address, pointing to posti.taleman.ovh

MX records are created for email domains. So I created one for taleman.ovh that points to posti.taleman.ovh, the email server that receives email for that domain.

Reverse name service

Read about reverse name service in the name service tutorial. In this example case, the reverse name service must return posti.taleman.ovh.

My service provider checks that the A record exists before adding the corresponding PTR, and I ran into problems until I found out that this was why the addition failed.

Test the name service

It’s best to test your name service now, because sending and receiving email will not work properly if the name service is not set up properly. If your workstation is Windows instead of Linux or Unix, use the command nslookup instead of host.

$ host taleman.ovh
taleman.ovh has address 188.165.143.5
taleman.ovh mail is handled by 10 posti.taleman.ovh.

The result above shows that the domain name has an associated IP address (in this case it differs from the IP address of the email server, which does not affect email) and that there is an MX record pointing to posti.taleman.ovh. The “mail is handled by” part comes from the MX record. This MX record is required if you want to receive emails sent to @taleman.ovh addresses on posti.taleman.ovh.

Then check that the name service entry for the mail server FQDN (posti.taleman.ovh in this example) is an A record and points to the correct IP address.

$ dig posti.taleman.ovh | grep "ANSWER SECTION" --after-context=3
;; ANSWER SECTION:
posti.taleman.ovh. 3600 IN A 178.33.154.66
;; Query time: 56 msec

Finally, check that the reverse name service resolves the IP address back to the FQDN of the mail server.

$ host 178.33.154.66
66.154.33.178.in-addr.arpa domain name pointer posti.taleman.ovh.

Instead of the host and dig commands, you can use web pages that test the name service. I know of IntoDNS and MXToolbox.

If you cannot get the above tests to succeed, you can try the “Set up a Name Service” tutorial.
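
The three checks above can be combined into one script. This is an added example, not part of the original tutorial: the function names and the RESOLVER variable are made up for it, and the sample records are the ones shown in the host and dig output above.

```shell
#!/bin/sh
# Added example: check that a mail domain's MX, A and PTR records agree.

# Live resolver, one answer per line (needs dig and network access).
resolve_dig() {
    if [ "$1" = PTR ]; then dig +short -x "$2"; else dig +short "$2" "$1"; fi
}

# Offline resolver holding the records from the tutorial's host/dig output.
resolve_sample() {
    case "$1 $2" in
        "MX taleman.ovh")      echo "10 posti.taleman.ovh." ;;
        "A posti.taleman.ovh") echo "178.33.154.66" ;;
        "PTR 178.33.154.66")   echo "posti.taleman.ovh." ;;
    esac
}

# check_mail_dns DOMAIN: returns 0 only if every MX target has an A record
# and every such address has a PTR record naming that same MX target.
check_mail_dns() {
    domain=$1; rc=0; r=${RESOLVER:-resolve_dig}
    mx_hosts=$($r MX "$domain" | awk '{print $2}' | sed 's/\.$//')
    if [ -z "$mx_hosts" ]; then
        echo "FAIL: no MX record for $domain"; return 1
    fi
    for mx in $mx_hosts; do
        addrs=$($r A "$mx")
        if [ -z "$addrs" ]; then
            echo "FAIL: MX target $mx has no A record"; rc=1; continue
        fi
        for ip in $addrs; do
            # A PTR lookup may return several names; one must equal the MX.
            if $r PTR "$ip" | sed 's/\.$//' | grep -qixF "$mx"; then
                echo "OK: $domain MX $mx -> $ip -> PTR $mx"
            else
                echo "FAIL: PTR for $ip does not name $mx"; rc=1
            fi
        done
    done
    return $rc
}

# No argument: offline run on the sample records. With a domain: live lookup.
[ $# -gt 0 ] || RESOLVER=resolve_sample
check_mail_dns "${1:-taleman.ovh}"
```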

Install the operating system

I use Debian version 10 Buster, so I followed this tutorial:

https://www.howtoforge.com/tutorial/debian-10-buster-minimal-server/

Replace the IP address, host name, and domain name with your values.

Since this tutorial was written in English, I chose English as the language, but chose Finland as the country and United_Kingdom en_GB.UTF-8 as the locale setting.

root@posti:/tmp# cat /etc/debian_version
10.0
root@posti:~# locale
LANG=en_GB.UTF-8
LANGUAGE=en_GB:en
LC_CTYPE="en_GB.UTF-8"
LC_NUMERIC="en_GB.UTF-8"
LC_TIME="en_GB.UTF-8"
LC_COLLATE="en_GB.UTF-8"
LC_MONETARY="en_GB.UTF-8"
LC_MESSAGES="en_GB.UTF-8"
LC_PAPER="en_GB.UTF-8"
LC_NAME="en_GB.UTF-8"
LC_ADDRESS="en_GB.UTF-8"
LC_TELEPHONE="en_GB.UTF-8"
LC_MEASUREMENT="en_GB.UTF-8"
LC_IDENTIFICATION="en_GB.UTF-8"
LC_ALL=
root@posti:~# cat /etc/timezone
Europe/Helsinki

Verify that you set the host name correctly. If the host name is wrong, the mail system configured by ISPConfig will not work properly.

root@posti:~# hostname
posti
root@posti:~# hostname -f
posti.taleman.ovh
root@posti:~#

Install ISPConfig

I chose to install Apache as a web server, so for Debian Buster, follow the Perfect Server Guide.

I installed openssh-server on the host and set up root login using an ssh key, so I can ssh directly to the host as root. See the tutorials “Passwordless login with OpenSSH” or “Protect passwordless logins with SSH”.

root@posti:/tmp# free -h

I prefer the Emacs style editor over nano, so installing jed now makes editing files more enjoyable.

After installing the operating system, I had set up /etc/hosts and /etc/hostname correctly, so I only verified that they were correct according to the Perfect Server Guide. Pay attention to the host name and FQDN: if you get them wrong, you will eventually find that your email server is not working. The damage can be repaired, but it is easier to get it right from the start.

root@posti:/tmp# hostname
posti
root@posti:/tmp# hostname -f
posti.taleman.ovh

For everything else, I simply followed the Perfect Server Guide. Note that you can usually cut and paste the commands in the guide to the command line.

I don’t have Mailman installed, and I don’t plan to use Mailman on this host. Similarly, I omitted the installation of BIND DNS server, Webalizer and AWStats. I did install Roundcube Webmail because the host became an email server.

In Chapter 18 (Installing the PHPMyAdmin database management tool), I used the command

/usr/bin/apg -m 32 -x 32

to generate the 32-character blowfish secret.

Using the system

Create email domain and mailbox

Now I log in to ISPConfig as administrator and

  • Add customer
  • Add a new domain (an email domain!) and fill out the form
  • Add a new mailbox

Create the DKIM key and record by clicking the buttons in the order numbered in the image. You can read about DKIM on Wikipedia.

Create mail domain in ISPConfig

Figure 1: Create mail domain

Then wait for two minutes, or until the red ball on the top of the ISPConfig panel disappears.

As a first test, log in to Roundcube Webmail using the mailbox created above, and send an email to that same address. ISPConfig sends a welcome message to every mailbox created, so there should already be a message there. Use the compose button and write a short test message.

RoundCube login

Figure 2: Roundcube Webmail

Email in Roundcube

Figure 3: Sending from Roundcube

The message should appear in the mailbox shortly.

Then test sending an email to another mailbox you own and check that the message arrives there. For the next test, send an email from somewhere else to the mailbox created above.

Note that if greylisting is enabled for a mailbox, email sent from outside the server will not reach the mailbox immediately. However, you should immediately see a log entry for the delivery attempt, which shows that the message can reach your server. The greylist entry in the file /var/log/mail.log looks like this:

Aug 29 19:08:42 posti postfix/smtpd[16911]: NOQUEUE: reject: 
  RCPT from mta-out1.inet.fi[62.71.2.194]: 450 4.2.0 
  <[email protected]>: Recipient address rejected: Greylisted, 
  see https://postgrey.schweikert.ch/help/taleman.ovh.html; 
  from=<****@*****.***> to=<[email protected]> proto=ESMTP 
  helo=<******.****.***>

You can monitor the mail log in a terminal window, for example like this:

tail -f /var/log/mail.log

Or, if you are only interested in Greylist entries, use the following command:

tail -f /var/log/mail.log | grep Greylisted

or

grep Greylisted /var/log/mail.log

Greylisting only delays the first email from the same sender to the same recipient. Once the first email is received, subsequent emails will be received immediately without additional delay.
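
The greylist entries can also be summarised per sender, which shows who has already retried and who has only tried once. This is an added example, not part of the original tutorial: the function names are made up, and the log lines are constructed with example domains and documentation addresses (each entry is a single line in the real log).

```shell
#!/bin/sh
# Added example: summarise Postgrey deferrals found in a Postfix mail log.

# Constructed log lines (example domains, documentation IP addresses).
sample_log() {
    cat <<'EOF'
Aug 29 19:08:42 posti postfix/smtpd[16911]: NOQUEUE: reject: RCPT from mx1.example.net[192.0.2.10]: 450 4.2.0 <user@example.org>: Recipient address rejected: Greylisted, see https://postgrey.schweikert.ch/help/example.org.html; from=<alice@example.net> to=<user@example.org> proto=ESMTP helo=<mx1.example.net>
Aug 29 19:09:01 posti postfix/smtpd[16911]: disconnect from mx1.example.net[192.0.2.10]
Aug 29 19:10:17 posti postfix/smtpd[16920]: NOQUEUE: reject: RCPT from host.example.com[198.51.100.7]: 450 4.2.0 <user@example.org>: Recipient address rejected: Greylisted, see https://postgrey.schweikert.ch/help/example.org.html; from=<bob@example.com> to=<user@example.org> proto=ESMTP helo=<host.example.com>
Aug 29 19:12:50 posti postfix/smtpd[16931]: NOQUEUE: reject: RCPT from mx1.example.net[192.0.2.10]: 450 4.2.0 <user@example.org>: Recipient address rejected: Greylisted, see https://postgrey.schweikert.ch/help/example.org.html; from=<alice@example.net> to=<user@example.org> proto=ESMTP helo=<mx1.example.net>
EOF
}

# greylist_summary [FILE...]: reads the named files (or stdin) and prints
# "COUNT STATE CLIENT SENDER RECIPIENT" for each triplet as logged. STATE is
# "retried" when the triplet was deferred more than once, and "single" when
# only one attempt has been logged so far.
greylist_summary() {
    awk '/NOQUEUE: reject: RCPT from/ && /Greylisted/ {
        client = from = to = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "RCPT" && $(i+1) == "from") {
                client = $(i+2); sub(/:$/, "", client)
            }
            if ($i ~ /^from=</) from = substr($i, 6)   # keeps <> of bounces
            if ($i ~ /^to=</)   to = substr($i, 4)
        }
        n[client " " from " " to]++
    }
    END {
        for (k in n) print n[k], (n[k] > 1 ? "retried" : "single"), k
    }' "$@" | sort -k3
}

# Offline run on the constructed lines; on a server: greylist_summary /var/log/mail.log
sample_log | greylist_summary
```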

In my case, everything worked on the first try. This shows that the “ISPConfig Perfect Server Guide” does work.

Connect with email client

Use Thunderbird as a sample mail client. Other mail client applications work in a similar way.

ISPConfig makes the account name an email address.

Thunderbird Account Settings

Figure 4: Thunderbird Account Settings

Thunderbird server settings

Figure 5: Thunderbird server settings

Connection security STARTTLS means that the connection starts unencrypted and switches to encryption if both sides support it. SSL/TLS means that the session is encrypted from the beginning. SSL/TLS may be a bit more secure, so try using it with your client.

Thunderbird Outgoing Mail Server

Figure 6: Thunderbird outgoing server settings

Use SPF

Read about the Sender Policy Framework on Wikipedia. Originally, SPF stood for Sender Permitted From, which made it easy to remember the meaning. After reading up on SPF, you can write the record yourself, check whether your name service provider can generate SPF records, or use an Internet search engine with the search term

SPF wizard

to find a website that creates the SPF name service record for you. Then cut and paste the record into your name service. Add it as a TXT record, or as an SPF record on some DNS systems.

Check how the SPF record looks in the name service like this:

$ dig taleman.ovh -t TXT | grep spf
taleman.ovh. 3000 IN TXT "v=spf1 mx ~all"

Or like this:

$ dig +short taleman.ovh TXT
"v=spf1 mx ~all"
"1|www.taleman.ovh"

Using DKIM

Read about DomainKeys Identified Mail on Wikipedia. ISPConfig created a DKIM key for you when you created your email domain (if you remembered to tick the DKIM box). Cut and paste the DNS record with the public key into your name service as a TXT record. Your name service provider may provide a tool that makes creating a DKIM record easier. Keep the DKIM private key secret.

Check how DKIM looks in the name service as follows:

$ host -t txt default._domainkey.taleman.ovh.
default._domainkey.taleman.ovh descriptive text "v=DKIM1;h=sha256;s=*;p=MIIB(I cut long string shorter)0rp" "sTGLXyK(cut shorter)B;t=s;"

If it is ISPConfig that created the DKIM key, copy the private key to the correct location in the amavis settings.

The website mail-tester.com is useful for checking whether SPF and DKIM work. Go to the website, which gives you an email address, and send an email to that address from your server. Then wait a minute and check the site again.
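
The SPF and DKIM answers from the two sections above can also be checked locally. This is an added example, not part of the original tutorial: the function names are made up, the DKIM key is a placeholder, and the SPF check is narrowed to records that end in an all mechanism.

```shell
#!/bin/sh
# Added example: lint SPF and DKIM TXT answers as printed by `dig +short`.

# Join the quoted chunks of each TXT answer into one unquoted string.
txt_join() { sed 's/" *"//g; s/^"//; s/"$//'; }

# SPF answer for taleman.ovh as shown in the tutorial.
sample_spf_txt() { printf '%s\n' '"v=spf1 mx ~all"' '"1|www.taleman.ovh"'; }
# Constructed DKIM answer; the key is a placeholder, not a real key.
sample_dkim_txt() {
    printf '%s\n' '"v=DKIM1;h=sha256;s=*;p=PLACEHOLDER" "KEYDATA;t=s;"'
}

# spf_policy: TXT answers on stdin. Returns 0 for -all or ~all, 1 otherwise.
spf_policy() {
    txt_join | awk '
        tolower($1) == "v=spf1" { n++; rec = $0 }
        END {
            if (n == 0) { print "FAIL: no SPF record"; exit 1 }
            if (n > 1)  { print "FAIL: " n " SPF records (permerror)"; exit 1 }
            k = split(tolower(rec), term, " "); last = term[k]
            if (last == "-all") print "OK: unlisted senders fail (-all)"
            else if (last == "~all") print "OK: unlisted senders softfail (~all)"
            else { print "FAIL: last term is " last ", not -all or ~all"; exit 1 }
        }'
}

# dkim_key: selector TXT answer on stdin. Returns 1 unless it is a DKIM1
# record with a non-empty p= tag (an empty p= marks a revoked key).
dkim_key() {
    txt_join | awk -F';' '
        { for (i = 1; i <= NF; i++) {
              t = $i; gsub(/[ \t]/, "", t)
              if (t ~ /^v=/) v = substr(t, 3)
              if (t ~ /^p=/) { p = substr(t, 3); seen = 1 }
          } }
        END {
            if (v != "" && v != "DKIM1") { print "FAIL: version " v; exit 1 }
            if (!seen)   { print "FAIL: no p= tag"; exit 1 }
            if (p == "") { print "FAIL: key revoked (empty p=)"; exit 1 }
            print "OK: DKIM1 key, " length(p) " base64 characters"
        }'
}

# Offline run on the samples; live: dig +short taleman.ovh TXT | spf_policy
sample_spf_txt | spf_policy
sample_dkim_txt | dkim_key
```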

Create Certificate

ISPConfig can create self-signed certificates, which are created during ISPConfig installation unless you choose not to create them. Even if you create those self-signed certificates, it’s best to create appropriate certificates that browsers, email programs, and other email servers trust.

There is a good tutorial: Securing ISPConfig with Free “Let’s Encrypt SSL Certificate”

After following this tutorial, I noticed that the website I created showed the Debian default web page until I created an LE certificate for the website. Also, I believe the ISPConfig panel became unstable because it had a self-signed certificate and now has this new certificate or no certificate at all. Refreshing the page in the browser resolves this issue.

After setting up the certificate, enter the https address of the server in the browser. Then click the icon to the left of the browser’s address bar to display information about the certificate.

In the ISPConfig panel, go to the System tab, then Interface > Main Config and its Mail tab. Set

Use SSL/TLS encrypted connection for SMTP

to SSL.

You can test the certificate further with web-based tools. Find them with an Internet search engine using

ssl testing

as the search term. These tools usually test websites, so when testing the certificate of an email server use

ssl testing mail server

ISPConfig Roundcube plugin

These plugins are useful for webmail users. For example, they allow changing email passwords in Roundcube. There are other settings that can be modified in Roundcube. They can all be modified in the ISPConfig panel, but some email users may not want to use this panel.

I installed the ISPConfig Roundcube plugins using the tutorial “ISPConfig 3 Roundcube plugin on Debian 9”. The tutorial works as it is on Debian 10 Buster, but ispconfig3_account/config/config.inc.php now has one more line:

$config['soap_validate_cert'] = true;

Since the certificate was set up and tested in the previous chapter of this tutorial, you can keep the value true. However, if the host does not have a valid certificate, change this setting to false.

I had one problem. Some items in the account section popped up this error message:

An error occurred.
Soap Error: The login is not allowed from 

I solved this by ticking “Remote Access” and entering posti.taleman.ovh for the rcmail remote user created while following the tutorial. It seems that the tutorial is wrong about not needing to tick “Remote Access”. It now seems to me that it is needed both in a single server setup and in an ISPConfig multiserver setup with a separate email server.

Further use

You can now create another email domain. Remember to create an MX record for this domain and point it to your email server. You can use the same email server for all email domains you create. This is the usual way, because creating a separate email server for each email domain would be very wasteful.

Troubleshooting

By following the instructions in this tutorial, I was able to set up the email server again. If yours does not work, check that you have followed this tutorial and have not skipped any steps.

Reading the forum has shown that getting hostname and hostname -f wrong and/or errors in the /etc/postfix/main.cf file are common ways to prevent an email server from working properly.

If you suspect a problem with the DNS name service, use the ISPConfig tutorial on checking DNS issues. There are also web tools for checking DNS, such as intodns.com, dnschecker.com, mxtoolbox.com.

If no email is received or sent: Postfix performs these functions and logs them to /var/log/mail.log. So use

tail -f /var/log/mail.log | grep postfix

to see what happens when mail is being received or sent.

If you are having trouble connecting with your email client (for example, Thunderbird), use this command to see what happens:

tail -f /var/log/mail.log | grep dovecot

If there is a problem with a particular email, you can use the email’s ID to find its mail log entries. For example:

Sep 23 14:19:34 posti postfix/smtps/smtpd[10260]: A9F2880C76:
client=dsl-tkubng21-58c1ce-191.dhcp.inet.fi[99.99.99.99],
sasl_method=PLAIN, [email protected]

The email ID is A9F2880C76. You can find log entries for that email using

# grep A9F2880C76 /var/log/mail.log

The command mailq displays the emails in the Postfix deferred queue, that is, emails that have not yet been delivered. There are usually some recent entries here, since emails cannot always be sent immediately. You can view the contents of such an email using its queue ID as follows:

# postcat /var/spool/postfix/deferred/A/A9F2880C76

Howtoforge has an ISPConfig forum, where suggestions can be sought.
