BackendSide MailPanel

User Guide — from clean Linux server to working mail, end to end

Welcome. This guide walks you through using BackendSide MailPanel from a fresh server to a fully working mail system, in plain language. No coding required.

If you're a developer looking for build instructions, source layout, or API internals, see the product page instead.

Contents
  1. What BackendSide MailPanel does
  2. What you need before starting
  3. Installing the panel
  4. The first-run setup wizard
  5. Logging in
  6. Dashboard tour
  7. Adding your first domain
  8. DNS records you'll need
  9. Creating mailboxes
  10. Creating aliases
  11. Issuing a TLS certificate
  12. DKIM, SPF, and DMARC
  13. Connecting an email client
  14. Sending and receiving — how to test
  15. Per-mailbox limits
  16. Mail queue
  17. Logs viewer
  18. Active sessions
  19. Security tab
  20. Anti-spam (DNSBL + greylisting)
  21. Webmail companion
  22. Backup and restore
  23. Updating to a new build
  24. Common problems

1. What BackendSide MailPanel does

BackendSide MailPanel turns a clean Linux server into a complete email system — receiving mail, sending mail, securing it with TLS, signing it with DKIM, and giving you a web dashboard to manage everything.

A single panel can host many email domains (e.g. [email protected] and [email protected] on the same server), each with as many mailboxes and aliases as you need.

You don't need to know how Postfix, Dovecot, or PostgreSQL work. The panel configures and supervises them for you. Everything happens through the dashboard in your browser.

2. What you need before starting

  • A server running one of: Ubuntu 24.04+, Debian 12+, AlmaLinux / Rocky / RHEL 9 or 10, CentOS Stream, or Fedora.
  • Root access (or sudo) on that server.
  • At least 1 GB RAM (512 MB minimum) and 1 GB free disk plus room for mail.
  • A domain name you own (e.g. example.com) and the ability to set DNS records for it at your DNS provider.
  • A public IP address that is not blocked from sending on port 25 (some cloud providers block this by default) and has a PTR (reverse DNS) record pointing to your mail server's hostname.
  • A web browser to reach the dashboard.

Open the following inbound ports on your firewall

PortPurpose
25Incoming mail from other servers (SMTP)
587Mail clients submitting outgoing mail (SMTP submission, STARTTLS)
465Mail clients submitting outgoing mail (SMTPS)
143Mail clients reading mail (IMAP, STARTTLS)
993Mail clients reading mail (IMAPS)
110Mail clients reading mail (POP3, STARTTLS) — optional
995Mail clients reading mail (POP3S) — optional
8080The admin dashboard (you can also restrict this to your office IP)

3. Installing the panel

Download the latest .deb or .rpm package for your build number from the product page.

Ubuntu / Debian

sudo dpkg -i backendside-mailpanel_0.1.0_053_amd64.deb

On success you'll see ✓ BackendSide MailPanel installed (BackendSide MailPanel v0.1.0 Build 053).

AlmaLinux / RHEL / Rocky / CentOS / Fedora

sudo rpm -i backendside-mailpanel_0.1.0_053_amd64.rpm
The package itself doesn't install Postfix, Dovecot, or PostgreSQL. The setup wizard installs them in the next step. This is intentional — it keeps the package small and lets the wizard install the right versions for your OS.

Start the service

sudo systemctl enable --now backendside-mailpanel
sudo systemctl status backendside-mailpanel

You should see active (running). The panel listens on port 8080.

4. The first-run setup wizard

Open http://YOUR-SERVER-IP:8080 in your browser. Because the database isn't configured yet, the panel automatically shows the Setup Wizard. You'll see a checklist with red dots next to each component:

  • PostgreSQL
  • Postfix
  • Dovecot
  • OpenDKIM (optional)
  • OpenDMARC (optional)
  • SpamAssassin / ClamAV (optional)
  • TLS

Click Run Installer. The panel will:

1
Install missing packages using your OS package manager (apt-get on Debian/Ubuntu, dnf on RHEL-family).
2
Initialise PostgreSQL (on RHEL it runs postgresql-setup --initdb) and adjust authentication so the panel can connect over the loopback.
3
Create the panel database, schema, and the vmail system user that owns mailbox files.
4
Write base Postfix and Dovecot configuration files.

This takes 2–5 minutes. The page auto-refreshes as each component turns green.

Create the admin account

When the installer finishes, the wizard asks you to set the admin username and password. These are stored (bcrypt-hashed) in /etc/backendside-mailpanel/.envnot in the database. If you ever lose the password, edit that file and restart the service.

5. Logging in

  • URL: http://YOUR-SERVER-IP:8080/login
  • Use the username and password you set in the wizard.

A session cookie keeps you logged in. The session lasts until you click Logout in the header (or until the cookie expires).

If you ever lock yourself out (forgotten password):

sudo nano /etc/backendside-mailpanel/.env
# update ADMIN_USER and ADMIN_HASH (you can generate a new bcrypt hash with
#   htpasswd -nbB admin 'NewPassword123!' )
sudo systemctl restart backendside-mailpanel

6. Dashboard tour

The dashboard has a sidebar with these tabs:

TabWhat it's for
OverviewService status (Postfix, Dovecot, DB), mail stats cards (Sent / Received, last 1h and 24h)
DomainsAdd, view, and delete the email domains this server handles
TLS / CertificatesIssue and renew Let's Encrypt certificates, upload your own
DKIMGenerate signing keys, copy the DNS record
Mail QueueView pending messages, flush the queue, delete a stuck message
LogsLive log viewer for Postfix and Dovecot, color-coded
SessionsActive IMAP / POP3 sessions, disconnect users
SecurityChange admin password, restrict admin access by IP, port firewall
Anti-SpamDNSBL blocklists, greylisting (postgrey), sender / recipient whitelist
Webmail(visible if BackendSide WebMail is installed) configure the companion webmail
About (?)Version, build, OS, Postfix and Dovecot versions

Each domain has its own detail page with tabs for Mailboxes, Aliases, TLS, DKIM, and Settings. Each mailbox has a detail page with Overview / Settings / Limits tabs.

7. Adding your first domain

1
Click Domains in the sidebar.
2
Click Add Domain.
3
Enter the domain name, e.g. example.com. Don't include @ or mail..
4
Click Create.

The new domain appears in the list. Click it to open the domain detail page. A domain on its own doesn't accept mail yet — you still need DNS records (next section) and at least one mailbox.

8. DNS records you'll need

At your DNS provider (Cloudflare, Route 53, your registrar, etc.), add these records for the domain. Replace mail.example.com with your server's hostname and 1.2.3.4 with your server's public IP.

A (or AAAA) — points the hostname at your server

mail.example.com.    A     1.2.3.4

MX — tells the world which server handles mail for the domain

example.com.    MX  10  mail.example.com.

SPF — declares which servers are allowed to send for the domain

example.com.    TXT   "v=spf1 mx -all"

DKIM — added after you generate the key in the panel

See §12.

DMARC — start in "report only" mode

_dmarc.example.com.    TXT   "v=DMARC1; p=none; rua=mailto:[email protected]"

PTR (reverse DNS) — set at your hosting provider

1.2.3.4 should resolve back to mail.example.com. Without this many remote servers will refuse your mail.

Verify records have propagated with dnschecker.org or:

dig +short MX example.com
dig +short A mail.example.com

9. Creating mailboxes

1
Open the domain detail page.
2
Switch to the Mailboxes tab.
3
Click Add Mailbox.
4
Fill in:
  • Username — just the local part (alice, not [email protected]). The panel attaches the domain automatically.
  • Password — set a strong password. It's hashed with bcrypt before storage.
  • Quota — maximum disk usage (e.g. 1 GB). Use 0 for unlimited.
5
Click Create.

The panel creates the database row and the maildir on disk (/var/mail/vhosts/example.com/alice/Maildir/). The first time the user connects with IMAP, Dovecot also auto-creates the Sent, Drafts, Trash, and Junk folders for them.

Resetting a mailbox password

Click the mailbox row → opens the mailbox detail page → Settings tab → enter the new password → click Update Password.

10. Creating aliases

Aliases forward mail from one address to one or more destinations.

1
Open the domain detail page → Aliases tab.
2
Click Add Alias.
3
Fill in:
4
Click Create.

Aliases don't have storage — they just forward. If a domain is deleted, all its aliases are deleted automatically.

11. Issuing a TLS certificate

Mail clients refuse to send a password over an unencrypted connection by default. You need a TLS certificate. The panel ships with a self-signed day-0 certificate so ports 587 / 993 / 8080 work immediately, but you should replace it with a real certificate.

Let's Encrypt (free, automated)

Prerequisites: your domain's A record must already point at this server, and port 80 must be open for the validation challenge.

1
Click TLS in the sidebar.
2
Find your hostname (e.g. mail.example.com) in the list.
3
Click Issue.
4
Wait 30–60 seconds. On success you'll see a green badge with the expiry date.

The panel automatically wires the new certificate into Postfix and Dovecot and restarts them. Certificates renew automatically before expiry.

Uploading your own certificate

  • Click TLSUpload Certificate.
  • Paste the certificate (PEM, including chain) and private key.
  • Save.

12. DKIM, SPF, and DMARC

These three TXT records together make your mail far more likely to land in recipients' inboxes (rather than spam).

Generate the DKIM key

1
Click DKIM in the sidebar.
2
Click Generate next to the domain.
3
Wait a few seconds. A row appears showing the selector (typically default) and the DNS record to add.
4
Click Copy DNS Record.
5
At your DNS provider, add a TXT record:
  • Name: default._domainkey.example.com
  • Value: (paste what you copied — starts with v=DKIM1; k=rsa; p=...)

From this point on, outgoing mail is signed automatically.

SPF and DMARC

These are plain TXT records you add yourself at your DNS provider (see §8). The panel doesn't manage them, but OpenDMARC (installed by the setup wizard) records the verification results in mail headers so you can see which incoming mail passes or fails.

13. Connecting an email client

Use these settings in Thunderbird, Apple Mail, Outlook, etc.

SettingValue
Incoming (IMAP) servermail.example.com
Incoming port993 (IMAPS) or 143 (STARTTLS)
Incoming securitySSL/TLS (993) or STARTTLS (143)
Outgoing (SMTP) servermail.example.com
Outgoing port465 (SMTPS) or 587 (STARTTLS)
Outgoing securitySSL/TLS (465) or STARTTLS (587)
Usernamefull email address ([email protected])
Passwordthe password you set in the panel
AuthenticationNormal password
POP3 (110 / 995) also works if your client requires it, but IMAP is recommended.

14. Sending and receiving — how to test

Receive a test mail

From any external account (Gmail, etc.), send a message to your new mailbox. Open your IMAP client (or the webmail companion) and check the inbox.

If it doesn't arrive within ~30 seconds:

  • Check Logs → Postfix for connect from and to=<...> lines.
  • Check Mail Queue — the message may be deferred.
  • Confirm the MX record at mxtoolbox.com.

Send a test mail

From your IMAP client, send a message to a Gmail address (or similar). At the recipient:

  • Open the message → "Show original" / "View source".
  • Confirm SPF: PASS, DKIM: PASS, DMARC: PASS in the headers.

If DKIM: FAIL, double-check the DNS TXT record you added in §12 (common mistakes: extra quotes, line breaks inserted by the DNS UI, wrong selector name).

15. Per-mailbox limits

Open a mailbox's detail page → Limits tab. You can set:

LimitEffect
SMTP enabledAllow this mailbox to send mail at all
Require TLSRefuse the send if the client connection isn't encrypted
Max message sizeReject messages larger than this
Max recipients per messageCap how many addresses one send can hit
Max sends per dayHard daily cap, resets at midnight UTC

These are enforced by the panel's policy daemon. Counters and reset controls are visible in Overview → Policy Status (or via the API at /api/v1/policyd/status). You can clear a mailbox's daily counter from there if you need to lift the cap mid-day.

16. Mail queue

The Mail Queue tab shows messages Postfix is holding (typically because the destination is temporarily unreachable).

  • Flush All — forces Postfix to retry every queued message immediately.
  • Delete (per row) — removes a single stuck message.

Most queued messages clear themselves within minutes. A queue that grows without shrinking suggests a misconfigured destination, a blocked outbound port 25, or an IP reputation problem.

17. Logs viewer

The Logs tab is the fastest way to diagnose mail issues without leaving the browser.

  • Service selector — Postfix or Dovecot.
  • Line count — 50 / 150 / 500 / 1000.
  • Keyword filter — narrow to a recipient, sender, or message ID.
  • Auto-refresh — toggle on for a live tail (refreshes every 10s).
  • Color coding — errors and rejects in red, deferred and warnings in orange, delivered / connected in green.

18. Active sessions

Shows IMAP and POP3 clients currently connected. You can:

  • See which user, from which IP, how long they've been connected.
  • Kick — force-disconnect a session (useful if a stolen password is being used right now while you reset it).

19. Security tab

Change admin password

Sets a new admin password, rewrites /etc/backendside-mailpanel/.env, and hot-reloads it. You stay logged in.

Admin IP restrictions

Add IP addresses or CIDR ranges (e.g. 203.0.113.7, 198.51.100.0/24), one per line. If the list is empty, the panel is open to any IP — you'll see a warning banner across the top of every page reminding you.

When the list has entries, any request from an IP not on the list gets a 403 Forbidden — including yours, so make sure your IP is on the list before saving.

Port firewall

Per-port Allow / Block / Restrict (per-IP) rules for the managed ports (25, 587, 465, 143, 993, 110, 995, 8080). Backed by an iptables chain called BSMP_FW. Re-applied on every panel restart.

  • Allow — port is open to everyone.
  • Block — port is closed.
  • Restrict — only the listed IPs / CIDRs can connect.

20. Anti-spam (DNSBL + greylisting)

The Anti-Spam tab gives you two independent layers of spam defense, plus a whitelist for senders that should bypass both.

DNSBL — DNS Blocklists

Public reputation lists (Spamhaus, SpamCop, etc.) are queried at SMTP connect time. Listed senders are rejected before they get to send a single byte.

1
Tick Enable DNSBL rejection.
2
Blocklist zones — one zone per line. Default is zen.spamhaus.org (combines SBL + XBL + PBL into a single query).
3
Click Save.

Greylisting (postgrey)

AlmaLinux 10 / Rocky 10 / RHEL 10 limitation. The postgrey package is not currently available in the EPEL 10 repositories. On these distributions the setup wizard logs a non-fatal warning, and the greylist toggle in the UI has no effect. DNSBL works normally. Options: install postgrey manually from the upstream tarball; use Ubuntu 24.04 instead; or wait for EPEL 10 to re-add postgrey.

When a sender's IP is new, postgrey rejects the message with a temporary error (450 4.x.x) and remembers the triplet (client IP / sender / recipient). Legitimate mail servers retry within minutes; most spam bots don't. After 5 successful deliveries the client is auto-whitelisted.

1
Tick Enable greylisting.
2
Initial delay (seconds) — default 300 s (5 minutes).
3
Auto-whitelist max age (days) — default 35 days.
4
Click Save.

Whitelist

TypeWhat it matchesExample
IPExact connecting client IP203.0.113.7
DomainReverse-DNS hostname of the connecting clientsmtp.partner.com
EmailRecipient address or recipient domain[email protected]
CIDRStored only — not yet propagated to postgrey203.0.113.0/24

How the layers interact

Inbound mail flows through the restrictions in this order:

  1. Trusted source check (your own server, authenticated submissions)
  2. Recipient validity (reject_unauth_destination)
  3. DNSBL — instant reject if the client IP is listed
  4. Greylist — temporary defer if the triplet is new
  5. SPF (if policyd-spf is installed)
  6. Content filter (SpamAssassin / ClamAV, if installed)

Authenticated outgoing mail skips DNSBL and greylist entirely.

21. Webmail companion

If you've installed BackendSide WebMail on the same server, the panel detects it automatically and shows a 📧 Webmail tab in the sidebar.

From this tab you can:

  • Start / Stop / Restart the webmail service.
  • View its logs.
  • Edit its configuration via a form: listen port, cookie-secure flag, session secret + Regenerate button (one-click new 32-char hex key), allow-custom-server toggle, allow-insecure-plaintext toggle, and an inline-editable mail-server table.

Users then point their browser at the webmail URL and log in with their full email address and password.

22. Backup and restore

The panel exposes one-click backup of its own configuration and database (API endpoints POST /api/v1/backup and POST /api/v1/restore). The Overview page has buttons that wrap these.

What's included in a backup

  • Panel database (domains, mailboxes, aliases, certificates, audit log)
  • Generated Postfix and Dovecot config files
  • TLS certificates
  • DKIM keys
  • The panel .env (admin credentials, secrets)

What's not included (back these up separately)

  • Mailbox contents under /var/mail/vhosts/ — typically much larger than the config backup. Use rsync, restic, or your existing file backup tool for these.

23. Updating to a new build

1
Download the new .deb or .rpm.
2
Install over the existing package: 
sudo dpkg -i backendside-mailpanel_0.1.0_054_amd64.deb     # Ubuntu/Debian
sudo dnf install backendside-mailpanel_0.1.0_054_amd64.rpm # RHEL/Alma
3
The service restarts automatically.

Your database, configs, certificates and DKIM keys are preserved across upgrades.

During the v0.1.0 beta, downgrade is not supported and the database schema may change between builds. If a build refuses to start because of a schema mismatch, the recommended path is fresh install + restore your backup. From v0.2.0 onward, schema migrations will be automatic and reversible.

24. Common problems

I sent mail to my server but nothing arrives

  1. MX record correct? dig +short MX example.com must return your server's hostname.
  2. Port 25 open? Some cloud providers block outbound and inbound 25 by default. telnet your.server.ip 25 from another machine.
  3. Look at Logs → Postfix for the recipient. If you don't even see a connection attempt, it's a DNS or firewall issue.

My outgoing mail goes to spam

  1. DKIM signing? Send to [email protected] — it replies with a full DKIM/SPF/DMARC report.
  2. PTR (reverse DNS)? Must match your hostname. Set in your hosting provider's console.
  3. IP reputation? Check on mxtoolbox.com/blacklists.aspx.

I can't log into the dashboard

  • Forgotten password — see §5 for the .env reset.
  • 403 Forbidden — the Security tab → Admin IP restrictions list doesn't include your IP. SSH in and edit /etc/backendside-mailpanel/admin_allowed_ips.txt (one IP/CIDR per line) or empty the file to disable the restriction, then restart the service.

TLS certificate issue failed

  • Port 80 must be open to the public for Let's Encrypt's HTTP challenge.
  • A record for the hostname must already point at this server.
  • Try again after a few minutes — Let's Encrypt rate-limits failures.

Mailbox quota full

Edit the mailbox → Limits tab → bump the quota → Save. The user sees the new quota on their next IMAP login.