Choosing the right Mail Transfer Agent (MTA) is one of the most critical decisions when building a self-hosted email server. The MTA handles all incoming and outgoing mail — routing, queuing, delivery, and relay — making it the backbone of your email infrastructure.

Two projects dominate the MTA landscape: Postfix and Exim. Together they power the vast majority of mail servers on the internet. Postfix is the default on Red Hat, CentOS, and many enterprise distributions. Exim is the default on Debian and Ubuntu, and powers all shared hosting servers via cPanel.

In this guide, we compare both MTAs side-by-side, provide Docker deployment configurations, and help you decide which one fits your self-hosted setup.

Why Self-Host Your Mail Transfer Agent

Running your own MTA gives you full control over email routing, filtering, and delivery policies. Instead of relying on third-party SMTP relays or hosted email services, you manage the entire mail pipeline locally.

Key benefits of self-hosting your MTA include:

  • Complete control over mail routing, DKIM signing, SPF policies, and DMARC enforcement
  • No per-email costs — process unlimited messages without paying per-message fees
  • Privacy — mail never passes through third-party servers
  • Custom filtering — integrate with Rspamd, SpamAssassin, or custom sieve rules
  • Reliability — your mail queue survives network outages and retries delivery automatically

For related reading, see our complete self-hosted email server guide and lightweight SMTP server comparison.

Postfix vs Exim: Overview Comparison

FeaturePostfixExim
First Release1998 (by Wietse Venema)1995 (by Philip Hazel)
Default OnRHEL, CentOS, Fedora, SUSE, macOSDebian, Ubuntu, cPanel servers
ArchitectureModular, process-basedMonolithic, single-daemon
ConfigurationSimple main.cf + master.cfSingle exim4.conf (complex)
Routing FlexibilityGood (transport maps, virtual maps)Excellent (ACLs, routers, transports)
PerformanceExcellent (designed for speed)Very Good (handles high volume well)
Security ModelLeast-privilege processesRoot daemon with privilege dropping
Learning CurveModerateSteep
Docker Imagelinuxserver/mailserver, juanluisbaptiste/postfixdevture/exim, martinrue/exim4
LicenseIBM Public License (open source)GPL
Active DevelopmentYes (regular security patches)Yes (active maintainer team)
GitHub StarsN/A (source on GitHub mirrors)~400 (mirror repos)

Architecture: How They Differ Under the Hood

Postfix: Modular Design

Postfix uses a modular architecture with separate processes for each function. The master daemon spawns child processes for specific tasks:

  • smtpd — handles incoming SMTP connections
  • smtp — handles outgoing SMTP delivery
  • pickup — reads mail from the local queue
  • cleanup — canonicalizes and rewrites message headers
  • qmgr — manages the mail queue and delivery scheduling
  • local — delivers mail to local mailboxes
  • virtual — delivers to virtual domains

This design means that if one component crashes, others continue running. It also enforces a least-privilege security model — each process runs with only the permissions it needs.

Exim: Monolithic Design

Exim uses a single-daemon architecture where one process handles all stages of mail processing. It uses a pipeline of routers, transports, and access control lists (ACLs) to process each message:

  1. ACLs — decide whether to accept, reject, or defer a message
  2. Routers — determine where to send the message (local, remote, alias)
  3. Transports — actually deliver the message (SMTP, local file, pipe)

This monolithic approach makes Exim incredibly flexible for complex routing scenarios but means a bug in any component can affect the entire daemon.

Installation and Setup

Installing Postfix on Debian/Ubuntu

1
2

sudo apt update
sudo apt install postfix

During installation, select “Internet Site” and enter your domain name.

Installing Exim on Debian/Ubuntu

1
2
3

sudo apt update
sudo apt install exim4-daemon-heavy
sudo dpkg-reconfigure exim4-config

Choose “internet site; mail is sent and received directly using SMTP” and configure your domain.

Docker Deployment

Postfix with Docker Compose

Using the popular juanluisbaptiste/postfix image, you can deploy a fully functional Postfix server in minutes:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

name: postfix-mta
services:
  postfix:
    image: juanluisbaptiste/postfix:latest
    ports:
      - "25:25"
      - "587:587"
    environment:
      - SMTP_SERVER=smtp.gmail.com
      - SMTP_USERNAME=your-relay-username
      - SMTP_PASSWORD=your-relay-password
      - SERVER_HOSTNAME=mail.example.com
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - postfix-data:/var/spool/postfix
    restart: unless-stopped

volumes:
  postfix-data:
    driver: local

For a full self-hosted mail server with Dovecot and Rspamd, use the LinuxServer.io mailserver image:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

name: full-mail-server
services:
  mailserver:
    image: lscr.io/linuxserver/mailserver:latest
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - DOMAIN=example.com
      - ENABLE_CLAMAV=false
      - ENABLE_FAIL2BAN=true
      - ENABLE_SPAMASSASSIN=true
      - ENABLE_FETCHMAIL=false
    volumes:
      - ./config:/config
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

Exim with Docker Compose

Exim can be deployed using the devture/exim-relay image for relay setups or built from source for full MTA functionality:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

name: exim-relay
services:
  exim:
    image: devture/exim-relay:latest
    ports:
      - "25:25"
      - "587:587"
    environment:
      - EXIM_RELAY_HOST=smtp.example.com
      - EXIM_RELAY_PORT=587
      - EXIM_RELAY_USERNAME=relay-user
      - EXIM_RELAY_PASSWORD=relay-password
      - EXIM_DOMAINS=example.com
    volumes:
      - ./exim-config:/etc/exim4
      - exim-data:/var/spool/exim4
    restart: unless-stopped

volumes:
  exim-data:
    driver: local

For a full Exim MTA, you can build a custom Docker image:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

FROM debian:bookworm-slim

RUN apt-get update && apt-get install -y \
    exim4-daemon-heavy \
    openssl \
    && rm -rf /var/lib/apt/lists/*

COPY exim4.conf /etc/exim4/exim4.conf.template
COPY domains /etc/exim4/domains/

RUN update-exim4.conf

EXPOSE 25 587

CMD ["exim", "-bd", "-q30m"]

Configuration Comparison

Postfix Configuration

Postfix uses two main configuration files:

/etc/postfix/main.cf — General settings:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

# Basic settings
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# Network settings
inet_interfaces = all
inet_protocols = ipv4

# Mailbox settings
home_mailbox = Maildir/
mailbox_size_limit = 0

# Security settings
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_auth_only = yes

# Relay settings
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# SASL authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

# Spam protection
smtpd_helo_required = yes
disable_vrfy_command = yes

/etc/postfix/master.cf — Service definitions:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
smtp      unix  -       -       y       -       -       smtp
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual

Exim Configuration

Exim uses a single configuration file with sections for ACLs, routers, and transports:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

# /etc/exim4/exim4.conf.template

# General settings
primary_hostname = mail.example.com
domainlist local_domains = @ : example.com
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16

# TLS settings
tls_certificate = /etc/ssl/certs/mail.crt
tls_privatekey = /etc/ssl/private/mail.key
daemon_smtp_ports = 25 : 587
tls_on_connect_ports = 465

# Authentication
auth_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}fail}}{yes}{no}}

# ACL: Reject spam
acl_check_rcpt:
  accept  hosts = :
  deny    message = Rejected for policy reasons
          !acl = acl_check_whitelist
          dnslists = zen.spamhaus.org
  accept

# Router: Local delivery
local_delivery:
  driver = accept
  check_local_user
  transport = local_delivery

# Router: Remote delivery
dnslookup:
  driver = dnslookup
  domains = !+local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8

# Transport: Local delivery
local_delivery:
  driver = appendfile
  directory = $home/Maildir
  maildir_format

# Transport: Remote SMTP
remote_smtp:
  driver = smtp

Performance and Reliability

Queue Management

Both MTAs handle mail queuing well, but with different approaches:

  • Postfix uses a highly optimized queue manager (qmgr) that schedules deliveries based on destination, retry intervals, and concurrency limits. It handles millions of messages per day on commodity hardware.
  • Exim uses a single queue directory with files representing individual messages. Its exim -q command processes the queue, and retry rules are configured in the retry section of the config.

Concurrency

Postfix supports configurable concurrency per destination (default 20 simultaneous deliveries to the same domain). Exim can be configured for parallel deliveries but requires manual tuning of the queue_run_max and remote_max_parallel settings.

Resource Usage

MetricPostfixExim
Idle Memory~15-30 MB (master + minimal children)~10-20 MB (single daemon)
Peak MemoryScales with active connectionsScales with message complexity
CPU UsageLow (efficient process model)Moderate (regex-heavy ACL processing)
Disk I/OOptimized for queue operationsStandard file-based queue

Security Features

Postfix Security

  • Least-privilege processes — each daemon runs as a non-root user
  • Chroot support — SMTP processes can be chrooted for isolation
  • Built-in rate limitingsmtpd_client_connection_rate_limit, anvil service
  • Header rewriting — removes sensitive headers before forwarding
  • SASL integration — supports Dovecot, Cyrus SASL for authentication
  • Postscreen — blocks spam bots before they reach the SMTP daemon

Example Postscreen configuration:

1
2
3
4
5
6

postscreen_enable = yes
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2 b.barracudacentral.org
postscreen_dnsbl_threshold = 2
postscreen_access_list = permit_mynetworks

Exim Security

  • Privilege dropping — daemon drops root privileges after binding to port 25
  • ACL-based filtering — fine-grained control at each SMTP stage
  • TLS support — STARTTLS on all SMTP ports
  • Rate limitingratelimit ACL condition for per-user/per-IP throttling
  • SPF/DKIM/DMARC — supported via spf and dkim ACL conditions

Example Exim rate limiting:

1
2
3
4
5
6
7

acl_check_rcpt:
  warn
    set acl_m0 = ${if >{$sender_rate}{10}{true}{false}}
    condition = ${if >{$sender_rate_period}{1h}}
  deny
    message = Rate limit exceeded
    condition = ${if >{$sender_rate}{20}{true}{false}}

Integration Ecosystem

Postfix Integrations

Postfix integrates seamlessly with the broader self-hosted email stack:

  • Dovecot — IMAP/POP3 server with LDA (Local Delivery Agent) support
  • Rspamd — Modern spam filtering with Redis backend
  • Amavis — Content filtering and antivirus scanning
  • OpenDKIM — DKIM signing and verification
  • PostfixAdmin — Web-based virtual domain management
  • Mailman — Mailing list management

For spam filtering integration, see our SpamAssassin vs Rspamd comparison.

Exim Integrations

Exim has similar integration capabilities:

  • Dovecot — via Dovecot SASL authentication and LDA
  • Rspamd — via milter or rspamd ACL integration
  • ClamAV — antivirus scanning via clamd ACL
  • SpamAssassin — via spamassassin ACL condition
  • Mailman — built-in Mailman router support
  • cPanel/WHM — deeply integrated (all cPanel servers use Exim)

When to Choose Postfix

Choose Postfix if:

  • You want the default, battle-tested MTA on most enterprise Linux distributions
  • You prefer a modular architecture where components can fail independently
  • You need excellent performance out of the box with minimal tuning
  • You want a simpler configuration that is easier to audit and maintain
  • You value the least-privilege security model with chroot support
  • You are building a standard mail server with Dovecot + Rspamd

When to Choose Exim

Choose Exim if:

  • You are on Debian/Ubuntu and want the native, well-integrated MTA
  • You need complex mail routing with per-domain, per-user, or per-regex rules
  • You run cPanel/WHM and need the supported MTA
  • You want fine-grained ACL control at every SMTP stage
  • You need advanced queue management with custom retry and bounce rules
  • You prefer a single configuration file (even if complex) for all mail processing

Alternative Lightweight MTAs

If neither Postfix nor Exim fits your needs, consider these lightweight alternatives:

  • Maddy — All-in-one mail server written in Go, combines MTA, IMAP, and spam filtering in a single binary
  • chasquid — Modern SMTP server written in Go, designed for simplicity and security
  • OpenSMTPD — Clean, simple MTA from the OpenBSD project, with an easy-to-read configuration syntax

For a detailed comparison of these lightweight options, see our lightweight SMTP server guide.

FAQ

Which is more secure: Postfix or Exim?

Both MTAs are highly secure when properly configured. Postfix has a structural advantage with its least-privilege process model — each component runs with minimal permissions. Exim relies on privilege dropping after startup. Both have strong track records, and security often depends more on the administrator’s configuration than the software itself.

Can I switch from Exim to Postfix (or vice versa)?

Yes, but it requires careful migration. Both MTAs use different configuration formats and queue structures. The mail queue must be drained or re-queued during the switch. On Debian, you can use dpkg-reconfigure exim4-config to switch the system MTA. Always test the new configuration in a staging environment first.

Do Postfix and Exim support virtual domains?

Yes, both support virtual domains. Postfix uses virtual_mailbox_domains and virtual_mailbox_maps for domain routing. Exim uses routers with local_domains and domain lists to handle multiple domains. Both can integrate with MySQL, PostgreSQL, or LDAP for virtual domain lookups.

Which MTA handles high-volume email better?

Postfix is generally considered faster for high-volume scenarios due to its modular architecture and optimized queue manager. It is the default choice for large-scale mail systems. However, Exim can also handle millions of messages per day with proper tuning — it powers all cPanel servers worldwide, many of which process very high mail volumes.

How do I add DKIM signing to Postfix or Exim?

For Postfix, use OpenDKIM or Rspamd as a milter. Install OpenDKIM, generate keys, configure smtpd_milters in main.cf, and add DNS TXT records. For Exim, use the built-in DKIM support — add dkim_domain, dkim_selector, and dkim_private_key to your configuration. Both methods sign outgoing mail automatically.

Which MTA is easier to configure for beginners?

Postfix is generally easier for beginners. Its main.cf uses simple key-value pairs with clear documentation. Exim’s single configuration file is more powerful but significantly more complex, with routers, transports, and ACLs that interact in non-obvious ways. For a quick start, Postfix’s postconf command-line tool also makes configuration changes straightforward.