Mail aliases, catch-all addresses, and virtual mailboxes
An alias forwards mail from one address to another; a virtual mailbox is a real account behind an arbitrary address. A catch-all delivers every undefined address at your domain somewhere. Postfix gives you all three; the patterns aren't always obvious. This article covers the common shapes for a single-VPS Postfix setup.
System aliases (the /etc/aliases file)
Aliases at the OS level — root → admin@example.com, postmaster → root, etc. The simplest case:
# /etc/aliases
root: you@example.com
postmaster: root
abuse: root
webmaster: root
hostmaster: root
# After editing, rebuild the database
newaliases
# OR: postalias /etc/aliases
System aliases only work for local-user addresses (root@your-server.example.com). For virtual-hosted domains (mail.yourdomain.com routing for example.com), you need virtual aliases.
Virtual aliases (for multiple domains or non-system users)
When your server hosts mail for one or more domains where the local part isn't a real Unix account:
# /etc/postfix/main.cf
virtual_alias_domains = example.com example.net
virtual_alias_maps = hash:/etc/postfix/virtual
# /etc/postfix/virtual
sales@example.com alice@example.com
# Forward to BOTH (a comment must be on its own line; Postfix does not strip a trailing "#")
support@example.com alice@example.com, bob@example.com
postmaster@example.com alice@example.com
# Whole-domain forwarding
@oldcompany.com someone@newcompany.com
# Rebuild after editing
postmap /etc/postfix/virtual
The whole-domain entry catches every address at oldcompany.com that isn't more specifically mapped — useful for forwarding an entire domain transitionally.
Catch-all (one address gets everything not otherwise mapped)
# /etc/postfix/virtual
@example.com catchall@example.com
Any address at example.com that doesn't have a more specific entry lands at catchall@. Useful patterns:
- Tracking which signups are leaking your email — give each service a unique address (amazon@example.com, spotify@example.com) and catch-all sees them all.
- One-person business where every address conceptually goes to "you."
Downsides:
- Massive spam target. Spammers send to random local parts (asdf12345@example.com) hoping for catch-alls. You receive ALL of them.
- Backscatter — if the catch-all account is full or unavailable, every spam message generates a bounce, and your server's reputation suffers.
For real-world use of a catch-all, pair with aggressive Rspamd/SpamAssassin filtering specifically on the catch-all address.
Virtual mailboxes (real per-address accounts)
For multi-user setups where each address has its own mailbox (and ideally its own login), Postfix + Dovecot's virtual mailboxes are the pattern:
# /etc/postfix/main.cf
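# List each domain in only one class: a domain named here must not also
# appear in virtual_alias_domains or mydestination
virtual_mailbox_domains = example.com example.net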
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
# /etc/postfix/vmailbox
alice@example.com example.com/alice/
bob@example.com example.com/bob/
postmap /etc/postfix/vmailbox
Create the vmail user + group + base directory:
groupadd -g 5000 vmail
useradd -u 5000 -g 5000 -d /var/vmail -s /usr/sbin/nologin vmail
mkdir -p /var/vmail/example.com/{alice,bob}
chown -R vmail:vmail /var/vmail
chmod 770 /var/vmail
Dovecot serves IMAP/POP3 from these mailboxes. See the Postfix + Dovecot from scratch article for the full setup.
Forwarding while keeping a local copy
"Send to my Gmail, but keep a local copy too":
# /etc/postfix/virtual
alice@example.com alice@gmail.com, alice@example.com
The second target is the LOCAL recipient — Postfix delivers a copy to the local mailbox AND forwards to Gmail. Both arrive.
Caveat: any forwarding to a major mailbox provider risks getting your IP on their blocklist if spam in your mailbox gets forwarded to them automatically. Mitigation: filter aggressively before forwarding, or use a forward-out-to-Gmail relay that's IP-reputation-managed.
Subaddressing (plus addressing)
Postfix supports + as a subaddress separator by default: mail to alice+amazon@example.com delivers to alice@example.com. Same use case as a catch-all (per-service email addresses) but without the spam exposure — you only need to define the bare address.
The separator is set with recipient_delimiter; change the value to use a different character (some apps don't tolerate + in email fields):
# /etc/postfix/main.cf
recipient_delimiter = +
Useful with Dovecot's Sieve filter: route +amazon mail straight to a folder via the LDA.
Bounce / redirect / drop
Postfix offers three special "discard the mail" patterns in virtual maps:
# Bounce — sender gets a 5xx, mail is rejected
spam@example.com REJECT
oldsales@example.com REJECT We're no longer using this address; please use sales@example.com
# Silently discard — sender thinks the mail was accepted, it goes nowhere
junk@example.com DISCARD
# Redirect to /dev/null (DELETE the mail, no bounce, no copy)
# (Achieved via virtual_alias to a Sieve-managed local user, since Postfix
# doesn't directly support /dev/null in virtual maps)
Use REJECT for typos and decommissioned addresses (sender knows they messed up). DISCARD silently when you don't want to acknowledge the address exists at all (anti-harvesting).
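As an added illustration (not from the original article or from Postfix itself), this Python sketch emulates the virtual(5) lookup order for a hosted domain over a constructed table: a specific entry beats the catch-all wherever it sits in the file, and a subaddressed recipient falls to the catch-all when the bare address has no entry of its own. Its lint() also flags a trailing # comment and REJECT/DISCARD, which Postfix documents as access(5) actions, when they appear as a virtual result; parse, lookup_keys, resolve and lint are hypothetical helper names.

```python
import re

# Constructed sample of /etc/postfix/virtual; the catch-all is deliberately first.
SAMPLE = """\
@example.com          catchall@example.com
sales@example.com     alice@example.com
support@example.com   alice@example.com bob@example.com # forward to BOTH
oldsales@example.com  REJECT
"""
ACCESS_ACTIONS = {"REJECT", "DISCARD"}  # access(5) actions, not virtual(5) results

def parse(text):
    """Map each lookup key to its result tokens (simplified: no continuation lines)."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # only a line that STARTS with '#' is a comment
        key, *targets = re.split(r"[,\s]+", line.strip())
        table[key.lower()] = targets
    return table

def lookup_keys(rcpt, delimiter="+"):
    """Keys tried for a hosted (non-local) domain, in virtual(5) search order."""
    local, _, domain = rcpt.lower().rpartition("@")
    keys = [f"{local}@{domain}"]
    if delimiter and delimiter in local:
        keys.append(f"{local.split(delimiter, 1)[0]}@{domain}")
    keys.append(f"@{domain}")
    return keys

def resolve(table, rcpt, delimiter="+"):
    """Return (matching key, targets), or (None, []) when nothing matches."""
    for key in lookup_keys(rcpt, delimiter):
        if key in table:
            return key, table[key]
    return None, []

def lint(table):
    """Flag entries whose result will not mean what the line appears to say."""
    findings = []
    for key, targets in table.items():
        if any(t.startswith("#") for t in targets):
            findings.append((key, "trailing comment parsed as part of the result"))
        if targets and targets[0].upper() in ACCESS_ACTIONS:
            findings.append((key, "access(5) action used as a virtual(5) result"))
    return findings

if __name__ == "__main__":
    table = parse(SAMPLE)
    for rcpt in ("sales@example.com", "sales+promo@example.com", "alice+amazon@example.com"):
        print(rcpt, "->", resolve(table, rcpt))
    print(lint(table))
```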