Install dovecot email server on Amazon Linux 2022

Install a Basic TLS/SMTP IMAP e-mail Server on Amazon Linux 2022

Software: SASL, PAM, POSTFIX, DOVECOT in conjunction with Amazon SES

An END-TO-END Solution

This is a detailed discussion for an end-to-end installation of a basic/introductory e-mail server on Amazon Linux 2022. (I have private notes on Linux2.) Installing Roundcubemail is a separate article or an add-on I can do here later on.


I looked at this exercise on and off for 2 years, finally having a working installation. I gave up many times. There is no end-to-end article on the Internet for this installation, but some very important sections of information from various authors. Others spend millions of dollars to do fully qualified services for us, so we should be using services like Amazon Workmail or MS Exchange, and so on.

Having said that, I assert this service will make use of a pre-configured and tested SES service utilising an S3 bucket, Lambda function(s), IAM attached on the Instance, Amazon’s anti-spam and DKIM/SPF, DMARC security. This means the headers of our final e-mails will be professional. We will also assume from my other installation notes you know how to install Linux 2022, and S3FS to do an “nfs-style” mount of the inbound e-mail bucket. These must be working.

First Notes


This article is not using production-strength or advanced configurations. It shows the basic installation as up and running only as a technical exercise for one e-mail user and no aliases or vhosts etc. It will use and “fred” as the example names. There is no discussion of ongoing problems that may arise in the real world.

The end-to-end solution contains many configurations I personally do not understand or have expertise in. They are simply given as a working model, therefore some configs may not be needed or could be different. This is a starting point that works. For instance, I have not added e-mail sizes or how to add additional disk space, or virtual mailboxes and a database, or options like mbox or dbox.


The service will need the SES framework up and running. We will have incoming e-mails going into an S3 bucket, as there is no other choice. These are transferred to the INBOX via crontab each minute. SES also permits the outgoing e-mails.

We will configure Route53 DNS appropriately.

For the purposes of this exercise, we will not create a hostname called as that would require an SSL certificate for, and the www entries.

We are using a Comodo Store Positive SSL certificate, the lowest cost available, rather than letsencrypt. You may test with letsencrypt, but the Comodo (or Sectigo) certificate would ensure the certificate is valid and not produce incompatibility errors when testing.

We will finally configure Apple’s on an iMac to send and receive e-mails. I would suggest once the server is tested with outgoing and incoming e-mails, one can do a snapshot backup.


We use dovecot with some parts of cyrus. We do not need the cyrus-imap package that was included on Linux2. Linux 2022 no longer has dovecot by default, hence the compilations we give below. Keep in mind that authorisations need saslauthd, its password/user setups, and PAM, which I show below.

We will not look at POP3 email, but the ports are opened on my test instance.

The Configurations

Basic Configurations

Linux 2022 Dovecot

All of my comments below are enclosed in these square brackets [] and terminal shell commands are as-shown
SSH Logged in as “sudo su”
I use the vi editor in the configs below. Use your own preference.

echo "vm.swappiness=10" >> /etc/sysctl.conf
echo "vm.vfs_cache_pressure=200" >> /etc/sysctl.conf
sysctl -w vm.swappiness=10
sysctl -w vm.vfs_cache_pressure=200
dd if=/dev/zero of=/swapfile bs=1024 count=1048576
mkswap /swapfile
chmod 600 /swapfile
swapon /swapfile
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
free -m

dnf install -y httpd httpd-tools mod_ssl 
dnf install -y php php-common php-pear wget php-mysqli php-devel php-mbstring
dnf install -y php-cli php-pdo php-fpm php-json php-mysqlnd php-opcache
dnf install -y gd libzip-devel httpd-devel kernel-devel php-gd postfix
dnf -y install pcre-devel gcc zlib zlib-devel
pecl install zip
pecl channel-update

[You should add “” to php.ini – insert after the Dynamic Extensions section in /etc/php.ini]

dnf install -y cronie cronie-anacron

[Set your own timezone]

a="Australia/Brisbane";export a;echo $a
ln -sf /usr/share/zoneinfo/$a /etc/localtime

Do standard setups as per my Linux install notes for:
– php.ini, php.d/10-opcache.ini, php-fpm.d/www.conf
– /etc/httpd/conf/httpd.conf, /etc/httpd/conf.modules.d and /etc/httpd/conf.d files.
– add/configure /usr/share/phpMyAdmin
– /etc/bashrc PS1 value
– apache user/group
– change /var/www/html from drwxrwsr-x. 2 ec2-user apache 6 Jun 30 2022 html to chown apache html -> drwxrwsr-x. 2 ec2-user apache 6 Jun 30 2022 html
– mariadb v10 (instead of older v5)
– if using certbot, then the python3 configs and install certbot certificate (tricky).
– basic postfix up and running, sending emails
– s3fs configs (this allows emails to be mounted from an S3 bucket to your instance – see my article on installing this – I would not do much on this until you know dovecot is working)

dnf -y install mariadb105
dnf -y install mariadb105-server

[configure mariadb]
[some of these may not be required, but I’ll put them in anyway…]

dnf -y install automake fuse fuse-devel gcc-c++ git libcurl-devel libxml2-devel make openssl-devel
dnf -y install bison flex
dnf -y install gettext-devel 
dnf -y install pam-devel

[Update to this release – not later as it impacts updates to mariadb:]

dnf update
dnf upgrade
dnf update --releasever=2022.0.20221019


[Test that https:// is working ok before continuing…]
DNS entries are standard as we are using the primary domain name, so there are SES records for (or whatever) and an MX record for to Amazon’s relay server, which in my case from Oregon is 10 See my SES installation notes for more information.
We need to ensure the EC2 instance has these ports open in its inbound rules for the security group. You can play with these later if you want to remove things like POP.
[CONFIGURE POSTFIX for standard Amazon / SES use, and test it. We will modify it for Dovecot after we know it is correctly up and running.]

Download from here:
Then upload to your /home/ec2-user directory, tar xvf the gzip file.

cd to the extracted dovecot directory and compile dovecot – takes a while.
For example, cd dovecot-2.3.20

./configure --with-ssl=openssl --enable-maintainer-mode --with-pam

I got the following lines at the end of this configuration command. It is important that you see SSL: yes (OpenSSL)

Install prefix . : /usr/local
File offsets ... : 64bit
I/O polling .... : epoll
I/O notifys .... : inotify
SSL ............ : yes (OpenSSL)
GSSAPI ......... : no
passdbs ........ : static passwd passwd-file shadow pam checkpassword
                 : -bsdauth -ldap -sql
userdbs ........ : static prefetch passwd passwd-file checkpassword
                 : -ldap -sql
CFLAGS ......... : -std=gnu99 -g -O2 -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
SYSTEMD ........ : simple - /usr/lib/systemd/system/dovecot.service
SQL drivers .... :
                 : -pgsql -mysql -sqlite -cassandra
Full text search : squat
                 : -lucene -solr

make install

[This method means we have to add a soft link from dovecot to /etc/dovecot, and copy example files…]
[Now that we have copied the files, we configure postfix, dovecot, /etc/hosts, sasl and pam, including adding an email user and null dovecot users]

adduser dovenull
adduser dovecot

systemctl enable mariadb
systemctl enable httpd
systemctl enable php-fpm
systemctl enable postfix
systemctl enable saslauthd

[Restart all the above services to make sure it is all running]

doveconf -n

[This is the error you will see:
# 2.3.20 (80a5ac675d): /usr/local/etc/dovecot/dovecot.conf
doveconf: Fatal: open(/usr/local/etc/dovecot/dovecot.conf) failed: No such file or directory (copy example configs from /usr/local/share/doc/dovecot/example-config/)

We need to create a softlink to /etc/dovecot to make things easier for us, so we can do commands like cd /etc/postfix, cd /etc/dovecot and so on, and copy dovecot configuration files to that /etc/dovecot directory….]

cd /usr/local/etc/dovecot

[We should see a README file]

ln -s /usr/local/etc/dovecot /etc/dovecot
cd /etc/dovecot

[We should see the same file]

cd /usr/local/share/doc/dovecot/example-config

[We should see dovecot.conf and the directory conf.d]

cp -pR * /etc/dovecot
cd /etc/dovecot

[This should be enough for our basic configurations. You will notice there are other files in /usr/local/share/doc/dovecot that we will not worry about]

cd /etc/systemd/system
ln -s /usr/lib/systemd/system/dovecot.service dovecot.service
cd /usr/lib/systemd/system

vi dovecot.service

[Change ProtectSystem=full to:]


[Save and exit the editor]

[Create a utility that we will use later to keep testing each step of our configs to make sure the system does not fail on one of our steps… It will not work just yet though. Replace “fred” and password with your own on the testsaslauthd line:]

cd /home/ec2-user
echo "Stop Postfix Dovecot"
systemctl stop postfix
systemctl stop dovecot
systemctl stop saslauthd
systemctl daemon-reload
echo "Start saslauthd Postfix Dovecot"
systemctl start dovecot
systemctl start postfix
systemctl start saslauthd
echo "Status Postfix"
systemctl status postfix -l
echo "Status saslauthd"
systemctl status saslauthd -l
echo "Status Dovecot"
systemctl status dovecot -l
testsaslauthd -u fred -p password

[Save and exit the editor]

chmod 775

[Add an email user. We will use fred on a test domain name called Use your own names.]

adduser fred
passwd fred

[Give fred a password]

cd /home
ls -l
cd fred
mkdir Maildir
chown fred Maildir
chgrp fred Maildir
chmod 2775 Maildir
cd /etc/postfix

Add these entries, using your own domain name, and ensure no double entries.
If there are, systemctl status postfix -l should show where you have doubled up, giving an error.
Replace with your own domain name. And your .crt and .key files.

myhostname =
mydomain =
myorigin = $mydomain
inet_interfaces = all
# inet_interfaces = localhost
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
relayhost = []:587
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/domain_name.key
smtpd_tls_cert_file = /etc/pki/tls/certs/domain_name.crt
smtpd_tls_security_level = encrypt
smtpd_tls_loglevel = 2
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_sasl_mechanism_filter = plain, login
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtp_sasl_type = cyrus
smtpd_use_tls = yes
smtp_sasl_path = private/auth
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps

[Save and exit the editor]

Notice that there is an existing entry that says:
smtp_tls_CApath = /etc/pki/tls/certs
This is good if you are using a Comodo or Sectigo style SSL certificate in that directory, but letsencrypt would, I gather, need /etc/letsencrypt/live/ (with whatever your domain name)
[In this next configuration, use your own email name and domain name…]

vi smtpd_sender_login_maps fred

[save and exit the editor]

postmap hash:/etc/postfix/smtpd_sender_login_maps
chmod 0600 /etc/postfix/smtpd_sender_login_maps /etc/postfix/smtpd_sender_login_maps.db

[You will see smtpd_sender_login_maps.db as a new file after this. If editing again, put back to chmod 777, then redo the same steps.]

cd /etc/postfix

[Have these following entries... you will have to add a section for smtps.
e.g. insert above the commented line, #submissions     inet  n       -       n       -       -       smtpd]

smtp      inet  n       -       n       -       -       smtpd

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_sasl_auth_enable=yes

[Save and exit the editor]
cd /etc
vi emailuser

[Save and exit the editor]

cd pam.d
vi dovecot
auth       required
auth       include      password-auth
account    include      password-auth
session    include      password-auth
auth    required  item=user sense=allow file=/etc/emailuser onerr=fail
account required  item=user sense=allow file=/etc/emailuser onerr=fail

[save and exit]
vi imap
auth       required
auth       include      password-auth
account    include      password-auth
session    include      password-auth
auth    required  item=user sense=allow file=/etc/emailuser onerr=fail
account required  item=user sense=allow file=/etc/emailuser onerr=fail

[save and exit]
vi smtp
auth       include    password-auth
account    include    password-auth
auth    required  item=user sense=allow file=/etc/emailuser onerr=fail
account required  item=user sense=allow file=/etc/emailuser onerr=fail

[save and exit]
vi smtpd
auth       include    password-auth
account    include    password-auth
auth    required  item=user sense=allow file=/etc/emailuser onerr=fail
account required  item=user sense=allow file=/etc/emailuser onerr=fail

[save and exit]
cd /etc/dovecot
vi dovecot.conf
protocols = imap pop3 lmtp
listen = *, ::

[save and exit]
cd /etc/dovecot/conf.d
vi 10-auth.conf
disable_plaintext_auth = no
auth_mechanisms = plain login

[save and exit]
vi 10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/tls/certs/domain_name.crt
ssl_key = </etc/pki/tls/private/domain_name.key

[save and exit]

[Again, in the above, use your own domain name crt and key files. The file contents are what matters, so various providers could give you different names.
For letsencrypt you would have /etc/letsencrypt/live/ and /etc/letsencrypt/live/]

vi 10-master.conf
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

  [save and exit]
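
An added example, not part of the original article: a small shell check that reads Dovecot configuration text (for instance the output of doveconf -n) and flags the three permissive settings chosen above: disable_plaintext_auth = no, ssl = yes rather than required, and mode = 0666 on the Postfix auth socket. The function names and the stricter variant are assumptions for illustration; the sample config is constructed from the values on this page.

```sh
#!/bin/sh
# Added example (not from the original article). Reads Dovecot config on stdin:
#   doveconf -n | audit_dovecot_conf
audit_dovecot_conf() {
  awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }      # drop comments, trim
    $0 == "" { next }
    /[{]$/ { stack[++depth] = $0; next }                 # entering a block
    $0 == "}" { if (depth > 0) delete stack[depth--]; next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    # Only top-level (depth 0) settings count for the two global checks;
    # "ssl = yes" inside an inet_listener block is a different setting.
    depth == 0 && key == "disable_plaintext_auth" && val == "no" {
      print "WEAK disable_plaintext_auth=no: PLAIN/LOGIN is accepted on connections without TLS"
    }
    depth == 0 && key == "ssl" && val == "yes" {
      print "WEAK ssl=yes: TLS is offered but optional; ssl=required refuses authentication before TLS"
    }
    # A socket mode whose last octal digit is non-zero is open to "other".
    depth > 0 && key == "mode" && val ~ /[1-7]$/ &&
      stack[depth] ~ /^unix_listener .*\/private\/auth/ {
      print "WEAK auth socket mode " val ": world-accessible socket, protected only by the parent directory permissions; 0660 with user/group postfix is enough"
    }
  '
}

# Constructed sample: the values this walkthrough puts in 10-auth.conf,
# 10-ssl.conf and 10-master.conf.
page_config() {
  cat <<'EOF'
disable_plaintext_auth = no
auth_mechanisms = plain login
ssl = yes
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
EOF
}

# Stricter variant of the same config (an assumption, not from the article).
strict_config() {
  page_config | sed -e 's/^disable_plaintext_auth = no/disable_plaintext_auth = yes/' \
                    -e 's/^ssl = yes/ssl = required/' \
                    -e 's/mode = 0666/mode = 0660/'
}

page_config | audit_dovecot_conf      # prints three WEAK lines
strict_config | audit_dovecot_conf    # prints nothing
```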

vi /etc/dovecot/conf.d/auth-system.conf.ext
passdb {
  driver = pam
  args = session=yes dovecot
  # args = %s
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=]
  # [cache_key=] []
  #args = dovecot
}
userdb {
  driver = passwd
}

[save and exit - userdb should already be there, but just check it is]

[Set the password for the user “fred” to the same password you already used:]

saslpasswd2 -c -u fred
cd /etc/dovecot/conf.d
vi 10-mail.conf
[uncomment the line as shown:]

   mail_location = maildir:~/Maildir

 [save and exit]

[Note: often configs do not work until you restart services, including saslauthd]
[Again, I’m not 100% sure on every config I have shown, but we want to get things up and running. Add your own public IP address for the instance to /etc/hosts
Append to the bottom of the file:]
[I found I did not need the next /etc/hosts step…]

vi /etc/hosts

[save and exit with your own IP address and hostname]

[I like to have a backup user who can login to the EC2 instance from an EC2 AWS terminal if root cannot do so for some reason. For example, if you accidentally overwrite /home/ec2-user/.ssh you are done! You can append to /etc/sudoers something like:


If you run your script, you should see output like this:

Stop Postfix Dovecot
Start Postfix Dovecot
Status Postfix
● postfix.service – Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2023-01-18 10:14:28 AEST; 18ms ago
Process: 7367 ExecStartPre=/usr/sbin/restorecon -R /var/spool/postfix/pid/ (code=exited, status=255/EXCEPTION)
Process: 7368 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
Process: 7370 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
Process: 7371 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
Main PID: 7442 (master)
Tasks: 3 (limit: 419)
Memory: 4.4M
CPU: 421ms
CGroup: /system.slice/postfix.service
├─ 7442 /usr/libexec/postfix/master -w
├─ 7443 pickup -l -t unix -u
└─ 7444 qmgr -l -t unix -u

Jan 18 10:14:27 ip-172-31-42-247.ap-southeast-2.compute.internal systemd[1]: Starting postfix.service – Postfix Mail Transport Agent…
Jan 18 10:14:27 ip-172-31-42-247.ap-southeast-2.compute.internal restorecon[7367]: /usr/sbin/restorecon: lstat(/var/spool/postfix/pid/ failed: No such file or directory
Jan 18 10:14:28 ip-172-31-42-247.ap-southeast-2.compute.internal postfix/postfix-script[7440]: starting the Postfix mail system
Jan 18 10:14:28 ip-172-31-42-247.ap-southeast-2.compute.internal postfix/master[7442]: daemon started — version 3.7.2, configuration /etc/postfix
Jan 18 10:14:28 ip-172-31-42-247.ap-southeast-2.compute.internal systemd[1]: Started postfix.service – Postfix Mail Transport Agent.
Status Dovecot
● dovecot.service – Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; linked; vendor preset: disabled)
Active: active (running) since Wed 2023-01-18 10:14:27 AEST; 482ms ago
Docs: man:dovecot(1)
Main PID: 7364 (dovecot)
Tasks: 4 (limit: 419)
Memory: 6.0M
CPU: 38ms
CGroup: /system.slice/dovecot.service
├─ 7364 /usr/local/sbin/dovecot -F
├─ 7372 dovecot/anvil
├─ 7373 dovecot/log
└─ 7374 dovecot/config

Jan 18 10:14:27 ip-172-31-42-247.ap-southeast-2.compute.internal systemd[1]: Started dovecot.service – Dovecot IMAP/POP3 email server.
Jan 18 10:14:28 ip-172-31-42-247.ap-southeast-2.compute.internal dovecot[7364]: master: Dovecot v2.3.20 (80a5ac675d) starting up for imap, pop3, lmtp

BUT: there is still a problem: TESTSASLAUTHD
connect() : No such file or directory


You have to restart saslauthd: in the example below, use your own user instead of fred, and fred’s password, then see the OK Success message.


systemctl restart saslauthd
testsaslauthd -u fred -p password

0: OK "Success."

systemctl enable dovecot

[Remember, it is good to reboot the instance if you’ve done a lot of new work.]
[TESTING…. these commands (with your own domain name) should work.]

openssl s_client -crlf -starttls smtp -connect

openssl s_client -crlf -connect

[again, use your own domain name:]

openssl s_client -connect
A1 LOGIN fred password

!!!!! if you get something like:
warning: hostname does not resolve to addres
then there is something odd going on, like a grey listed IP address. Get a new Amazon IP address and edit /etc/hosts after an instance stop/start.
You can however try these tests without an appended entry in /etc/hosts and see how you go. If you add something like you may need to add an entry in /etc/hosts (?) but you would need to add another A record in DNS with the same IP address as to, and an MX record to Amazon’s relay, or possibly to your name – not sure until this is tested.
If you get the error again, try systemctl status postfix -l, and systemctl status dovecot -l. If you see a dovecot error, there is something in conf.d that likely needs correction.

Do the above again, and try: (or if it is working, continue the test to LIST the INBOX:)

openssl s_client -connect
A1 LOGIN fred password
A2 LIST "" "*"
netstat -a|grep imap

[output like this:]
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp6 0 0 [::]:imaps [::]:* LISTEN
tcp6 0 0 [::]:imap [::]:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 39684 /usr/local/var/run/dovecot/login/imap
unix 2 [ ACC ] STREAM LISTENING 39687 /usr/local/var/run/dovecot/imap-master
unix 2 [ ACC ] STREAM LISTENING 39690 /usr/local/var/run/dovecot/imap-urlauth-worker
unix 2 [ ACC ] STREAM LISTENING 39691 /usr/local/var/run/dovecot/token-login/imap-urlauth
unix 2 [ ACC ] STREAM LISTENING 39694 /usr/local/var/run/dovecot/imap-urlauth
unix 2 [ ACC ] STREAM LISTENING 39701 /usr/local/var/run/dovecot/imap-hibernate

netstat -antup | grep dovecot 

[Use your own domain name in these tests:]

openssl s_client -starttls smtp -connect

openssl s_client -starttls smtp -connect

openssl s_client -starttls imap -connect

[or, try the same A1, A2, A3, A4 options shown above on port 993]

When e-mail is up and running:
– treat Roundcubemail as a separate installation exercise
– install SES with e-mail rules, and the S3FS bucket mount/scripts/crontab as separate exercises. There is quite a lot involved around this.
– Make sure you previously have the domain able to receive emails and the SES email rules include the user, e.g. fred@…..
– See my other articles on s3fs mount errors and fixes, and SES installations with IAM attached to the instance, email rules etc.

*** NOW ADD an Apple iMac email account ***
Use your own values:

email address: fred@…..
Username: fred
Account type: imap

Takes half a minute if all is ok. Otherwise it may take a long time and default to non-SSL.
Untick the Notes option.

At this stage there is only an INBOX, so initially try sending from your new email domain to some other email you already have.
As you work with emails, or add folders in iMac/ these will show up ok.

This should work, as I have tested it with all the above configurations and openssl tests.

You should previously have set up an S3 bucket to receive emails.
Try sending to fred@…. and check the bucket and CloudWatch logs if need be.

If that works you can then setup S3FS to mount the bucket, and run a crontab script every minute:

cd /home/ec2-user
cd /var/s3email
chmod 777 *
chown fred *
mv * /home/fred/Maildir/new

[save and exit]

[You need to cd to /var to avoid processes hanging]

cd /var
ls -l
[Verify you have s3email as a directory or some other name you set up and that you have your IAM policy attached to the instance - see my other setup articles]
s3fs -o iam_role="YOUR_IAM_ROLE" -o use_path_request_style -o url="" -o endpoint=us-west-2 -o dbglevel=info -o curldbg -o allow_other -o use_cache="" YOURBUCKETNAME_Allready_Working /var/s3email
crontab -e
* * * * * /home/ec2-user/ >/dev/null 2>&1

[save and exit]
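
An added example, not the article's own script: a stricter version of the per-minute mover. It copies each message from the s3fs mount into Maildir/tmp, sets owner-only permissions instead of 777, and renames it into Maildir/new so a mail client never sees a half-copied file; an empty bucket is a no-op. The function name deliver_spool and its arguments are assumptions; /var/s3email and /home/fred/Maildir are the paths used above.

```sh
#!/bin/sh
# Added example, not the article's script: move SES messages from the s3fs
# mount into a Maildir without chmod 777 and without exposing partial files.
# Usage (paths from the article, owner optional):
#   deliver_spool /var/s3email /home/fred/Maildir fred

# The body runs in a subshell "( ... )" so umask and variables stay local.
deliver_spool() (
  src=$1; maildir=$2; owner=${3:-}; count=0
  umask 077                                   # new files start owner-only
  # Refuse to run if the Maildir layout does not exist yet; a plain
  # "mv * .../new" would otherwise rename a message to a file called "new".
  [ -d "$maildir/tmp" ] && [ -d "$maildir/new" ] || { echo 0; exit 1; }

  for f in "$src"/*; do
    [ -f "$f" ] || continue                   # empty spool: glob stays literal
    name=$(basename "$f")
    tmp="$maildir/tmp/$name"
    # 1. Copy off the s3fs mount into tmp/, which mail readers do not scan.
    cp "$f" "$tmp" || continue
    # 2. Owner-only mode, and hand the file to the mailbox user if one is given.
    chmod 600 "$tmp" || continue
    if [ -n "$owner" ]; then chown "$owner" "$tmp" || continue; fi
    # 3. A rename inside one filesystem is atomic: the message shows up
    #    in new/ complete or not at all.
    mv "$tmp" "$maildir/new/$name" || continue
    # 4. Only now remove the spooled copy from the bucket mount.
    rm -f "$f" && count=$((count + 1))
  done
  echo "$count"                               # number of messages delivered
)

# Constructed demo: two fake messages in a temporary spool and Maildir.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/spool" "$demo_root/Maildir/tmp" "$demo_root/Maildir/new"
printf 'Subject: test 1\n\nbody\n' > "$demo_root/spool/msg1"
printf 'Subject: test 2\n\nbody\n' > "$demo_root/spool/msg2"
echo "delivered: $(deliver_spool "$demo_root/spool" "$demo_root/Maildir")"
ls -l "$demo_root/Maildir/new"
rm -rf "$demo_root"
```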

– How do we upgrade Dovecot? I have not addressed this just yet.

If one can install all the above, one will have the skills to install roundcubemail.

There are some dnf packages to consider, which I managed to work out.
The final configs are quite simple. See Roundcube’s installation webpage.
Make sure /var/www/ has apache ownership and group in html,
and all roundcube files – see my script for setting permissions.
And make sure /var/www/html/roundcubemail/config has chmod 777 on the temp directory, and you have created a user called roundcube in MariaDB with UTF83 general char set. I don’t know whether we need imagick and php-imagick but I did work out those configs.

However, had these values:
$config['imap_host'] = 'tls://';
$config['smtp_host'] = 'tls://'; should not be used for modifications, rather, but here were my settings:

$config['imap_host'] = 'localhost:143';

Cheers 🙂

How to change from to – with letsencrypt

Say you’d like the incoming and outgoing entry to be some other name, like I think this raises other problems, but one can try it.

To Route53, add another A record with the name using the same IP address.

In Route53, as per my installation notes, add the CAA records for letsencrypt, rather than Comodo.

Add another MX record with imap, using the same as the standard Amazon MX record values.

Using certbot, set up,, and (three values) and place all three as aliases in the ssl.conf file.

/etc/hosts does not need another entry.

In /etc/dovecot/conf.d/10-ssl.conf, change the entries to letsencrypt.

For instance, </etc/letsencrypt/live/domain_name/fullchain.pem and so on.

Do the same fix for the two certificate entries in /etc/postfix/

Ensure https:// is running fine, and restart saslauthd, postfix, and dovecot with the systemctl stop/start commands, and if need be do dovecot twice if you get strange messages from the systemctl status … -l command.

You should now be able to add the account to your (or other email client you like using.)

If all is well, as it should be, reboot your instance, verify that httpd, saslauthd, postfix, and dovecot are running, then retest sending and receiving emails with the server account you previously set up above.

Reverse Lookup

If you use the URL:

you can test your postfix/dovecot service using the test email server option. It will give a reverse pointer error:
SMTP Banner Check Reverse DNS does not match SMTP Banner

To fix this, do a PTR lookup of your server IP address, and obtain the Amazon EC2 instance associated with the IP.
e.g. -> whatever values.
Then in /etc/postfix/ add a line with the EC2 instance value, followed by any two strings:
smtpd_banner = ESMTP postfix
In this example we put the domain name being used, and that it was postfix. At least now the reverse lookup in MX Tools will be ok.
