Components
Opterius Panel deploys a four-component mail stack. Each component has a single responsibility.
| Component | Role |
|---|---|
| Postfix | MTA — sends and receives mail via SMTP |
| Dovecot | Mail server — handles IMAP and POP3 access, and SASL authentication for submission |
| OpenDKIM | Milter — cryptographically signs outbound messages per domain |
| Rspamd | Spam filter — scores inbound and outbound messages, applies actions |
All four run as system services. You can check their status individually:
systemctl status postfix dovecot opendkim rspamd
Virtual Users
This stack uses virtual users, not system (Unix) users. Mail account credentials are stored in flat files:
/etc/postfix/vmailbox— maps each address to its mailbox path/etc/postfix/vdomains— list of domains Postfix accepts mail for/etc/postfix/virtual— alias/forwarder mappings/etc/dovecot/users— Dovecot passdb/userdb entries (username, hashed password, UID/GID)
Mail is stored under /var/mail/vdomains/{domain}/{user}/ in Maildir format.
[!NOTE] Because accounts are virtual, adding or removing a mailbox does not create or delete a system user. The agent handles all file and map changes atomically.
Ports and Protocols
| Port | Protocol | Purpose |
|---|---|---|
| 25 | SMTP | Inbound mail from the internet (MX delivery) |
| 587 | SMTP Submission | Outbound mail from mail clients (auth required) |
| 993 | IMAPS | IMAP over TLS |
| 995 | POP3S | POP3 over TLS |
| 8080 | HTTPS | Roundcube webmail |
| 11334 | HTTP | Rspamd web UI (localhost only) |
Port 465 (SMTPS) is not enabled by default. Use 587 for client submission.
Outbound Email Flow
When a user sends a message from a mail client or Roundcube:
- Client connects to port 587 — Postfix submission service.
- Dovecot SASL authenticates — Postfix delegates auth to Dovecot over a local socket. The user's credentials are checked against
/etc/dovecot/users. - Postfix queues the message — After authentication passes, the message enters the Postfix queue.
- Rspamd milter runs — Postfix passes the message to Rspamd before delivery. Rspamd scores the message and can reject, tag, or pass it.
- OpenDKIM milter signs — Postfix passes the message to OpenDKIM. OpenDKIM looks up the sending domain's key in
/etc/opendkim/keys/{domain}/and adds aDKIM-Signatureheader. - Postfix delivers to the remote MX — The signed, scored message is handed off to the destination mail server over port 25.
Inbound Email Flow
When mail arrives from the internet for a hosted domain:
- Remote MTA connects to port 25 — Postfix receives the connection.
- Postfix checks vdomains — If the recipient domain is in
/etc/postfix/vdomains, Postfix accepts it. Otherwise it rejects with a 550. - Rspamd milter scores — Postfix passes the message to Rspamd. Based on the score, Rspamd can pass, add spam headers, or reject the message.
- Postfix checks vmailbox/virtual — The recipient address is resolved. If it's a forwarder entry in
virtual, Postfix re-delivers to the target. If it's a real mailbox, Postfix delivers to/var/mail/vdomains/{domain}/{user}/. - Client retrieves via IMAP/POP3 — Dovecot serves the Maildir to the user's mail client over port 993 (IMAP) or 995 (POP3).
[!TIP] IMAP IDLE is supported — clients that use IDLE (Roundcube, Thunderbird, most mobile apps) receive push-style new-mail notifications without polling.
Component Interaction Diagram
Internet
│
┌───────────▼───────────┐
│ Postfix (port 25) │ ← inbound MX
│ Postfix (port 587) │ ← client submission
└──────┬────────────────┘
│ milter
┌───────▼────────┐
│ Rspamd │ spam scoring
└───────┬────────┘
│ milter (outbound only)
┌───────▼────────┐
│ OpenDKIM │ DKIM signing
└───────┬────────┘
│
┌──────────▼──────────────────┐
│ /var/mail/vdomains/… │ Maildir storage
└──────────┬──────────────────┘
│
┌───────▼────────┐
│ Dovecot │ IMAP (993) / POP3 (995)
└────────────────┘