Building a Wildcard Catch-All POP3 Mail Server on Ubuntu
Receive mail for any address on any subdomain — no per-account configuration required
Introduction
This guide walks through setting up a wildcard catch-all mail server on Ubuntu using Postfix and Dovecot. The goal is to receive email sent to any address on any subdomain of your domain — for example, anything@abc.yourdomain.com or test@xyz.yourdomain.com — without having to configure individual mailboxes in advance.
This is particularly useful for testing, disposable address systems, API integrations, and mail sink setups where you want to capture inbound mail programmatically. The server will not send mail — only receive it. Mail older than 24 hours is automatically purged.
Architecture Overview
The stack consists of three components working together:
- Postfix — receives inbound SMTP and delivers to a local virtual mailbox
- Dovecot — serves POP3 access to the mailbox
- A single catch-all mailbox — all mail for all subdomains and addresses funnels into one Maildir
Rather than creating individual accounts, everything is routed to a single mailbox. A POP3 client connects with one username and password to retrieve all mail regardless of which address or subdomain it was sent to.
Part 1 — DNS Configuration
How Wildcard MX Records Work
MX records must point to a hostname, not an IP address directly. This means two DNS records are needed: an MX record pointing to a mail hostname, and an A record resolving that hostname to your server’s IP address.
Create the following records in your DNS provider (AWS Route 53 or equivalent):
| Record Name | Type | Value |
| *.yourdomain.com | MX | 10 mail.yourdomain.com |
| mail.yourdomain.com | A | your.server.ip.address |
The wildcard MX record *.yourdomain.com matches any single-level subdomain lookup. When a sending mail server looks up the MX record for abc.yourdomain.com, it matches the wildcard and is directed to mail.yourdomain.com, which in turn resolves to your server’s IP via the A record.
Note that the wildcard covers one subdomain level deep. Mail to anything@abc.yourdomain.com is covered. A deeper level such as anything@a.b.yourdomain.com would require a separate record.
Verifying DNS Records
From a Windows machine, use nslookup to verify records have propagated:
| # Check the MX record |
| nslookup -type=MX abc.yourdomain.com |
| # Check the A record for the mail host |
| nslookup mail.yourdomain.com |
| # Query AWS nameservers directly (before public propagation) |
| nslookup -type=NS yourdomain.com |
| nslookup -type=MX abc.yourdomain.com ns-123.awsdns-45.com |
You can also use dnschecker.org to check propagation across multiple global resolvers simultaneously.
Part 2 — Server Setup
Install Postfix and Dovecot
| sudo apt update |
| sudo apt install postfix dovecot-pop3d -y |
During the Postfix installation prompt, select Internet Site and enter your domain name (e.g. yourdomain.com) when asked for the mail name.
Configure Postfix
Edit the main Postfix configuration file:
| sudo nano /etc/postfix/main.cf |
Add or update the following values:
| myhostname = mail.yourdomain.com |
| mydomain = yourdomain.com |
| # Leave mydestination empty — we use virtual mailboxes instead |
| mydestination = |
| # Accept mail for any subdomain matching the wildcard |
| virtual_mailbox_domains = regexp:/etc/postfix/virtual_domains |
| virtual_mailbox_base = /var/mail/vhosts |
| virtual_mailbox_maps = regexp:/etc/postfix/virtual_mailbox |
| virtual_minimum_uid = 100 |
| virtual_uid_maps = static:5000 |
| virtual_gid_maps = static:5000 |
| # Required to prevent open relay |
| smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination |
Create the virtual domains file — this regexp matches any subdomain of your domain:
| sudo nano /etc/postfix/virtual_domains |
| /^.+\.yourdomain\.com$/ OK |
Create the virtual mailbox map — this catches all addresses and routes them to a single catchall mailbox:
| sudo nano /etc/postfix/virtual_mailbox |
| /^.+@.+\.yourdomain\.com$/ catchall/ |
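The two lookups above decide which RCPT TO addresses the server accepts, so it is worth checking them against edge cases before exposing port 25. The following is an added example, not part of the original guide: it approximates Postfix regexp-table matching with Python's `re` module (an assumption; Postfix uses POSIX regular expressions, which behave the same for these patterns) and contrasts the anchored patterns with hypothetical unanchored ones.

```python
import re

# Postfix regexp tables are case-insensitive by default and match anywhere
# in the key unless anchored, so re.search with re.IGNORECASE approximates them.
def table(*rules):
    return [(re.compile(p, re.IGNORECASE), result) for p, result in rules]

# Anchored patterns as the guide intends them for yourdomain.com.
VIRTUAL_DOMAINS = table((r"^.+\.yourdomain\.com$", "OK"))
VIRTUAL_MAILBOX = table((r"^.+@.+\.yourdomain\.com$", "catchall/"))
# Hypothetical unanchored variants, shown only to contrast with the above.
LOOSE_DOMAINS = table((r"yourdomain\.com", "OK"))
LOOSE_MAILBOX = table((r"yourdomain\.com", "catchall/"))

def lookup(rules, key):
    """Return the result of the first matching rule, or None."""
    for pattern, result in rules:
        if pattern.search(key):
            return result
    return None

def route(recipient, domains=VIRTUAL_DOMAINS, mailboxes=VIRTUAL_MAILBOX):
    """Maildir path for an accepted recipient; None where
    reject_unauth_destination would refuse the RCPT TO."""
    domain = recipient.rpartition("@")[2]
    if lookup(domains, domain) is None:
        return None
    return lookup(mailboxes, recipient)

# Constructed recipients covering the edge cases.
SAMPLES = [
    "anything@abc.yourdomain.com",          # intended use
    "Test@XYZ.YourDomain.COM",              # case-insensitive match
    "user@a.b.yourdomain.com",              # the regexp itself allows deeper levels
    "user@yourdomain.com",                  # apex domain is not a subdomain
    "user@notyourdomain.com",               # look-alike without the leading dot
    "user@abc.yourdomain.com.example.net",  # suffix blocked by the $ anchor
]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(f"{rcpt:40} strict={route(rcpt)!s:10} "
              f"loose={route(rcpt, LOOSE_DOMAINS, LOOSE_MAILBOX)}")
```

On the real server, `postmap -q abc.yourdomain.com regexp:/etc/postfix/virtual_domains` performs the same check against the installed table.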
Rebuild the aliases database (required to avoid a startup warning):
| sudo newaliases |
Create the Virtual Mail User and Mailbox
Postfix delivers mail as a dedicated system user (vmail). Create the user, group, and mailbox directory:
| sudo groupadd -g 5000 vmail |
| sudo useradd -u 5000 -g 5000 -d /var/mail/vhosts -s /sbin/nologin vmail |
| sudo mkdir -p /var/mail/vhosts/catchall |
| sudo chown -R vmail:vmail /var/mail/vhosts |
Configure Dovecot for POP3
Enable the POP3 protocol in the main Dovecot config:
| sudo nano /etc/dovecot/dovecot.conf |
| protocols = pop3 |
Set the mail location to the catchall Maildir:
| sudo nano /etc/dovecot/conf.d/10-mail.conf |
| mail_location = maildir:/var/mail/vhosts/catchall |
Allow plaintext authentication (suitable for internal/trusted use — see the TLS note at the end for public-facing deployments):
| sudo nano /etc/dovecot/conf.d/10-auth.conf |
| disable_plaintext_auth = no |
| auth_mechanisms = plain login |
| passdb { |
|   driver = passwd-file |
|   args = /etc/dovecot/users |
| } |
| userdb { |
|   driver = static |
|   args = uid=5000 gid=5000 home=/var/mail/vhosts/catchall |
| } |
Create the Dovecot users file with your chosen credentials:
| sudo nano /etc/dovecot/users |
| # Format: username:{PLAIN}password |
| mailuser:{PLAIN}yourpasswordhere |
Start the Services
| sudo systemctl restart postfix |
| sudo systemctl restart dovecot |
Verify Postfix is running:
| sudo postfix status |
Check the mail log for any errors:
| tail -30 /var/log/mail.log |
Part 3 — Firewall Configuration
Cloud Firewall (Linode / AWS / equivalent)
Open the following inbound ports in your cloud provider’s firewall. On Linode this is found under Networking > Firewalls in the dashboard. Changes apply immediately with no reboot required.
| Port / Protocol | Purpose |
| 22 TCP | SSH (ensure this is always open) |
| 25 TCP | SMTP inbound (receiving mail) |
| 110 TCP | POP3 (retrieving mail) |
UFW on the Ubuntu Instance
| sudo ufw allow 22/tcp |
| sudo ufw allow 25/tcp |
| sudo ufw allow 110/tcp |
| sudo ufw enable |
| sudo ufw status |
Always confirm port 22 is allowed before enabling UFW to avoid locking yourself out of SSH.
Part 4 — Testing
Test SMTP Locally
From the server itself, connect to Postfix on port 25 and send a test message. Use 127.0.0.1 rather than localhost to avoid IPv6 connection issues:
| telnet 127.0.0.1 25 |
You should immediately see the greeting banner:
| 220 mail.yourdomain.com ESMTP Postfix |
Then send a test message interactively:
| EHLO test.com |
| MAIL FROM:<test@test.com> |
| RCPT TO:<anything@abc.yourdomain.com> |
| DATA |
| Subject: Test mail |
| |
| Hello this is a test. |
| . |
| QUIT |
Each step should return a 250 OK response. The RCPT TO line is the critical one — if the wildcard regexp is configured correctly, Postfix will accept any subdomain address. After QUIT, verify the mail landed in the mailbox:
| tail -20 /var/log/mail.log |
| sudo ls -la /var/mail/vhosts/catchall/new/ |
You should see a file in the new/ directory — that is the email in Maildir format.
Test POP3 Locally
| telnet 127.0.0.1 110 |
Dovecot should respond with:
| +OK Dovecot (Ubuntu) ready. |
Then authenticate and list messages:
| USER mailuser |
| PASS yourpasswordhere |
| LIST |
| RETR 1 |
| QUIT |
A successful LIST response showing message count confirms the full chain is working: inbound SMTP via Postfix, delivery to virtual Maildir, and POP3 retrieval via Dovecot.
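Because every address lands in one mailbox, a program reading it over POP3 has to recover which address each message was sent to. The following is an added example, not part of the original guide: it groups messages by the `X-Original-To` / `Delivered-To` headers that Postfix's virtual delivery agent prepends, and the sample messages and the `fetch_all` helper name are constructed for illustration.

```python
import poplib
from collections import defaultdict
from email import message_from_bytes, policy

def original_recipient(msg):
    """Envelope recipient recorded by Postfix when it delivered the message."""
    # The topmost X-Original-To / Delivered-To headers are the ones this
    # server prepended; To: is sender-controlled and may name anyone.
    for name in ("X-Original-To", "Delivered-To"):
        value = msg.get(name)
        if value:
            return str(value).strip().lower()
    return None

def group_by_recipient(raw_messages):
    """Map each recipient address to the subjects of the mail sent to it."""
    groups = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=policy.default)
        groups[original_recipient(msg)].append(str(msg.get("Subject", "")))
    return dict(groups)

def fetch_all(host, user, password, port=110):
    """Download every message over POP3 without deleting any (plain POP3 as
    in the guide; use poplib.POP3_SSL on 995 once TLS is configured)."""
    conn = poplib.POP3(host, port, timeout=10)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        return [b"\r\n".join(conn.retr(i)[1]) for i in range(1, count + 1)]
    finally:
        conn.quit()

# Constructed sample messages, shaped like files in catchall/new/.
SAMPLES = [
    b"Return-Path: <test@test.com>\r\n"
    b"X-Original-To: anything@abc.yourdomain.com\r\n"
    b"Delivered-To: anything@abc.yourdomain.com\r\n"
    b"To: someone@example.org\r\nSubject: Test mail\r\n\r\nHello\r\n",
    b"Delivered-To: Signup@XYZ.yourdomain.com\r\n"
    b"Subject: Welcome\r\n\r\nHi\r\n",
]

if __name__ == "__main__":
    # fetch_all("127.0.0.1", "mailuser", "yourpasswordhere") returns the same shape.
    print(group_by_recipient(SAMPLES))
```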
Part 5 — Automatic Mail Purge
To automatically delete mail older than 24 hours, add a cron job:
| sudo crontab -e |
Add the following line:
| 0 * * * * find /var/mail/vhosts/catchall -type f -mmin +1440 -delete |
This runs every hour and removes any file in the catchall mailbox older than 1440 minutes (24 hours).
Optional — Silence the Backwards Compatibility Warning
Postfix logs a harmless warning about backwards-compatible default settings. To silence it:
| sudo postconf compatibility_level=3.6 |
| sudo postfix reload |
Security Notes
- Port 110 transmits credentials in plaintext. For any public-facing deployment, configure Dovecot with TLS and use POP3S on port 995 instead.
- The smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination setting prevents your server from acting as an open relay — do not remove this.
- Consider rate limiting inbound SMTP connections if the server is publicly accessible to reduce spam load.
- The vmail system user has no login shell (nologin) and cannot be used to access the system interactively.
Summary
With Postfix and Dovecot configured as described above, your server will:
- Accept inbound SMTP for any address on any subdomain of your domain
- Deliver all mail into a single catch-all Maildir with no per-account configuration
- Expose all received mail via POP3 using a single username and password
- Automatically purge mail older than 24 hours
- Require no restart or reconfiguration when new subdomains or addresses are used