Understanding Dovecot’s Role
Dovecot is a high‑performance IMAP/POP3 server commonly paired with MTAs like Postfix. For this chapter, assume:
- Your MTA (e.g., Postfix) is already accepting mail and delivering it to local mailboxes.
- Authentication backends and basic SMTP concepts were covered in previous email chapters.
Here we focus on:
- Installing and enabling Dovecot
- Enabling IMAP and/or POP3
- Mailbox formats and locations
- Authentication and TLS for IMAP/POP3
- Common Dovecot configuration patterns
- Basic troubleshooting
Examples assume a typical Linux server (e.g., Debian/Ubuntu or RHEL‑like). Paths may vary slightly by distribution.
Installing and Enabling Dovecot
On a Debian/Ubuntu system:
sudo apt update
sudo apt install dovecot-imapd dovecot-pop3d
On a RHEL/Fedora‑like system:
sudo dnf install dovecot
Enable and start the service:
sudo systemctl enable --now dovecot
sudo systemctl status dovecot
Check that it is listening (IMAP: 143, IMAPS: 993, POP3: 110, POP3S: 995):
sudo ss -tlnp | grep dovecot
Core Dovecot Configuration Layout
Dovecot typically uses a modular config under /etc/dovecot:
- dovecot.conf – main entry point; usually just includes other files.
- conf.d/10-mail.conf – mail locations and formats.
- conf.d/10-auth.conf – authentication settings.
- conf.d/10-ssl.conf – TLS/SSL configuration.
- conf.d/10-master.conf – services, ports, and listeners.
- conf.d/20-imap.conf – IMAP protocol‑specific settings.
- conf.d/20-pop3.conf – POP3 protocol‑specific settings.
Always validate syntax after changes:
sudo dovecot -n # show current running config
sudo dovecot -a # all settings (including defaults)
If there is a syntax error, Dovecot will show it when you run dovecot -n.
Enabling IMAP and POP3 Services
Dovecot can serve:
- IMAP: online, folder‑aware protocol; preferred for modern clients.
- POP3: older protocol, usually downloads and deletes mail from server.
Service Definitions
Services are controlled in conf.d/10-master.conf.
Typical defaults (simplified):
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
To disable POP3 entirely, you can:
- Comment out the pop3-login service block, or
- Disable the protocol in dovecot.conf:
protocols = imap
To enable both:
protocols = imap pop3
After editing, reload:
sudo systemctl reload dovecot
Mailbox Formats and Locations
Dovecot supports several storage formats. The two most common:
- mbox – one file per folder.
- Maildir – one directory per folder, one file per message.
For new deployments, Maildir is almost always preferred.
Configuring Mail Location
Set in conf.d/10-mail.conf with the mail_location setting.
Maildir Example (per‑user home directory)
mail_location = maildir:~/Maildir
This means:
- User alice’s mail is in /home/alice/Maildir/
- New mail in new/, read mail in cur/, temporary files in tmp/.
System‑Wide Maildir Example
If your MTA delivers into /var/mail/vhosts/example.com/alice/:
mail_location = maildir:/var/mail/vhosts/%d/%n
%d = domain, %n = local part (user). These variables let Dovecot map virtual users to directories.
mbox Example
If you must support legacy /var/mail/username mbox plus per‑user folders in ~/mail:
mail_location = mbox:~/mail:INBOX=/var/mail/%u
Where %u is the full username.
Indexes and Performance
Dovecot maintains index/cache files (for performance) in a parallel directory. Often:
mail_location = maildir:~/Maildir
# Optional: separate index dir
# mail_location = maildir:~/Maildir:INDEX=/var/dovecot-indexes/%u
Indexes speed up IMAP search, sort, and flag handling.
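As an added example (not part of the original chapter), the following Python resolves the %d, %n, %u and ~ variables from the mail_location settings above for a given user and then checks that the resulting Maildir has the cur/, new/ and tmp/ layout with owner-only permissions. The user names, home directory and paths are constructed for illustration; the helper names are my own.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Added example: expand the mail_location variables used in this chapter
# (%u, %n, %d and a leading ~) and check that the resulting Maildir has the
# layout Dovecot expects. Users, homes and paths below are constructed.


@dataclass
class MailLocation:
    fmt: str                                     # "maildir" or "mbox"
    path: str                                    # expanded mail root
    options: dict = field(default_factory=dict)  # e.g. INBOX=..., INDEX=...


def expand_vars(template: str, user: str, home: str) -> str:
    """Expand %u (full user), %n (local part), %d (domain) and a leading ~."""
    local, _, domain = user.partition("@")
    out = template.replace("%u", user).replace("%n", local).replace("%d", domain)
    if out == "~" or out.startswith("~/"):
        out = home + out[1:]
    return out


def parse_mail_location(setting: str, user: str, home: str) -> MailLocation:
    """Parse 'format:path[:KEY=value ...]' and expand variables in each part."""
    fmt, _, rest = setting.partition(":")
    parts = rest.split(":")
    options = {}
    for opt in parts[1:]:
        key, _, value = opt.partition("=")
        options[key] = expand_vars(value, user, home)
    return MailLocation(fmt.lower(), expand_vars(parts[0], user, home), options)


def check_maildir(path: str) -> list:
    """Return the problems that usually explain 'no mail appears' for a Maildir."""
    if not os.path.isdir(path):
        return [f"{path}: directory missing (is the MTA delivering here?)"]
    problems = [f"{path}: missing {sub}/" for sub in ("cur", "new", "tmp")
                if not os.path.isdir(os.path.join(path, sub))]
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:o} lets other users read the mailbox")
    return problems


def demo_maildir_check() -> list:
    """Build a constructed Maildir that lacks tmp/ and report what is wrong."""
    root = tempfile.mkdtemp()          # mkdtemp creates the directory with mode 0700
    for sub in ("cur", "new"):
        os.mkdir(os.path.join(root, sub))
    return check_maildir(root)


if __name__ == "__main__":
    for setting, user in [("maildir:~/Maildir", "alice"),
                          ("maildir:/var/mail/vhosts/%d/%n", "alice@example.com"),
                          ("mbox:~/mail:INBOX=/var/mail/%u", "alice")]:
        print(setting, "->", parse_mail_location(setting, user, "/home/alice"))
    print(demo_maildir_check())
```

Running the MTA's delivery path and Dovecot's mail_location through the same expansion is a quick way to confirm they agree before digging into logs; the permission check catches the common case where a maildir was created by root or with a loose umask.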
Basic Authentication Configuration
Dovecot supports many auth backends (system users, SQL, LDAP, etc.). This chapter focuses on system users (/etc/passwd and /etc/shadow) and simple virtual users, as these are the most common setups.
Using System Users (Simple Setup)
In conf.d/10-auth.conf:
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext
System auth uses PAM (or passwd/shadow) depending on your distro’s Dovecot build.
Ensure that:
- You have real Unix users (e.g., alice, bob).
- Their home dirs and mailbox paths match your mail_location.
- Permissions on maildirs allow those users to read/write their own mail.
Virtual Users (Overview)
For domains with many users or where users should not have shell accounts, you typically use:
- SQL backend (auth-sql.conf.ext), or
- passwd‑file backend (auth-passwdfile.conf.ext).
Example snippet for passwd‑file (conceptual):
!include auth-passwdfile.conf.ext
And in auth-passwdfile.conf.ext:
passdb {
driver = passwd-file
args = scheme=SHA512-CRYPT /etc/dovecot/users
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
The /etc/dovecot/users file then lists users and hashed passwords. The vmail user owns the mail directories.
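As an added example (not from the chapter or from Dovecot itself), the following Python audits a users file in Dovecot's passwd-file format (user:password[:uid:gid:gecos:home:shell:extra]) against the passdb shown above, which declares scheme=SHA512-CRYPT as the default for entries without a {SCHEME} prefix. The sample file and its hash are constructed placeholders, not real credentials; the function names are my own.

```python
import re
from collections import Counter

# Added example: audit an /etc/dovecot/users file written in Dovecot's
# passwd-file format (user:password[:uid:gid:gecos:home:shell:extra]).
# The sample is constructed; the hash is a placeholder shaped like
# SHA512-CRYPT output ($6$salt$86-char-hash), not a real credential.
FAKE_HASH = "$6$examplesalt$" + "x" * 86
SAMPLE_USERS = f"""\
alice@example.com:{{SHA512-CRYPT}}{FAKE_HASH}
bob@example.com:{{PLAIN}}letmein
carol@example.com:
dave@example.com:hunter2
alice@example.com:{{SHA512-CRYPT}}{FAKE_HASH}
"""

DEFAULT_SCHEME = "SHA512-CRYPT"   # matches "args = scheme=SHA512-CRYPT" in the passdb
# Schemes that keep the password recoverable or use a weak/obsolete hash.
WEAK_SCHEMES = {"PLAIN", "CLEARTEXT", "PLAIN-MD5", "CRYPT", "MD5-CRYPT", "LANMAN", "NTLM", "SHA1"}
SHA512_CRYPT = re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")


def split_scheme(password: str):
    """'{SCHEME}hash' -> (SCHEME, hash); no prefix means the passdb default scheme."""
    m = re.match(r"^\{([^}]+)\}(.*)$", password, re.S)
    if m:
        return m.group(1).upper(), m.group(2)
    return DEFAULT_SCHEME, password


def parse_passwd_file(text: str) -> list:
    """Split each non-blank line into user, scheme and hash (other fields ignored)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            entries.append({"line": lineno, "user": fields[0], "scheme": None, "hash": ""})
            continue
        scheme, digest = split_scheme(fields[1])
        entries.append({"line": lineno, "user": fields[0], "scheme": scheme, "hash": digest})
    return entries


def audit_users(text: str) -> list:
    """Return (user, problem) pairs for entries that are unsafe or cannot work."""
    entries = parse_passwd_file(text)
    problems = []
    for e in entries:
        user, scheme, digest = e["user"], e["scheme"], e["hash"]
        if scheme is None:
            problems.append((user, "no password field"))
        elif not digest:
            problems.append((user, "empty password field"))
        elif scheme in WEAK_SCHEMES:
            problems.append((user, f"weak or reversible scheme {scheme}"))
        elif scheme == "SHA512-CRYPT" and not SHA512_CRYPT.match(digest):
            problems.append((user, "value is not a SHA512-CRYPT hash; with "
                                   "scheme=SHA512-CRYPT this entry cannot authenticate"))
    for user, count in Counter(e["user"] for e in entries).items():
        if count > 1:
            problems.append((user, f"duplicate entry ({count} lines)"))
    return problems


if __name__ == "__main__":
    for user, problem in audit_users(SAMPLE_USERS):
        print(f"{user}: {problem}")
```

Because the file holds password hashes, it should also be owned by root (or the dovecot user) and not be world-readable; the audit above only looks at the contents.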
Details of SQL and virtual user management are generally covered under more advanced mail server design; here you just need to recognize how Dovecot fits in.
TLS/SSL for IMAP and POP3
You should never allow unencrypted passwords over the Internet. Best practice:
- Use STARTTLS on 143/110 or
- Use SSL‑wrapped IMAPS (993) and POP3S (995).
Settings are in conf.d/10-ssl.conf.
Minimal TLS Configuration
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
ssl = required forces clients to use TLS (STARTTLS or SSL ports).
If you serve both the cleartext and SSL ports, disable_plaintext_auth = yes in 10-auth.conf additionally refuses any authentication on a cleartext port until the client has issued STARTTLS.
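To make the difference between a weak and a hardened TLS/auth configuration concrete, here is an added Python example (not from the chapter or from Dovecot) that parses two constructed configurations written in the shape of `dovecot -n` output and audits the settings discussed in this section: ssl, disable_plaintext_auth, ssl_min_protocol (Dovecot 2.3 and later) and the presence of imaps/pop3s listeners for every enabled protocol. Note that `dovecot -n` prints only non-default settings, so the audit treats a missing setting as Dovecot's default (ssl = yes, disable_plaintext_auth = yes) and asks for ssl_min_protocol to be set explicitly rather than guessing the build's default. The certificate path is the placeholder used above; the function names are my own.

```python
# Added example: a weak Dovecot configuration beside its hardened form, both
# constructed in the shape of `dovecot -n` output (not from a real host), and
# a small audit of the TLS/auth settings discussed in this section.
WEAK_CONFIG = """\
auth_mechanisms = plain login
disable_plaintext_auth = no
protocols = imap pop3
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
"""

HARDENED_CONFIG = """\
auth_mechanisms = plain login
disable_plaintext_auth = yes
protocols = imap
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_min_protocol = TLSv1.2
"""

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_dovecot_n(text: str) -> dict:
    """Flatten `dovecot -n` style output into {"block/.../key": "value"}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())        # e.g. "service imap-login"
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            settings["/".join(stack + [key.strip()])] = value.strip()
    return settings


def audit_tls(settings: dict) -> list:
    """Findings for the settings this section covers; empty list means no concerns."""
    findings = []
    ssl_mode = settings.get("ssl", "yes")          # Dovecot default when omitted by -n
    if ssl_mode != "required":
        findings.append(f"ssl = {ssl_mode}: use ssl = required so clients cannot skip TLS")
    if settings.get("disable_plaintext_auth", "yes") != "yes":
        findings.append("disable_plaintext_auth = no: a password may be sent before STARTTLS")
    minp = settings.get("ssl_min_protocol")
    if minp not in TLS_ORDER or TLS_ORDER.index(minp) < TLS_ORDER.index("TLSv1.2"):
        findings.append(f"ssl_min_protocol = {minp or 'unset'}: set TLSv1.2 or newer "
                        "explicitly (check the effective value with dovecot -a)")
    for proto in settings.get("protocols", "").split():
        if f"service {proto}-login/inet_listener {proto}s/port" not in settings:
            findings.append(f"{proto} is enabled but no {proto}s listener is configured")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls(parse_dovecot_n(text)) or ["no findings"])
```

On a real host, pipe `sudo dovecot -n` into parse_dovecot_n instead of the constructed strings; the checks themselves do not change.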
STARTTLS vs SSL Ports
- STARTTLS: client connects to port 143 (IMAP) or 110 (POP3), then issues the STARTTLS command to upgrade.
- SSL ports: encryption is active immediately at connect (993, 995).
Many modern clients use IMAPS (993) by default; make sure imaps/pop3s listeners are configured in 10-master.conf.
IMAP‑Specific Features in Dovecot
IMAP is folder‑ and state‑aware; Dovecot implements a robust set of IMAP features.
Enabling IMAP Protocol
conf.d/20-imap.conf typically contains:
protocol imap {
mail_max_userip_connections = 10
}
Ensure protocols in dovecot.conf includes imap.
Namespaces and Folders (High Level)
Namespaces allow you to define which folders users see and how.
Example: classic private namespace (often default):
namespace inbox {
inbox = yes
separator = /
prefix =
}
This makes:
- INBOX the main mailbox.
- User‑created folders appear as Folder (no prefix) with / as the separator.
More complex shared/public namespace setups are used for shared mailboxes; they rely on Dovecot namespaces and ACLs beyond the basics of this chapter.
IMAP IDLE (Push‑like Notifications)
IDLE allows clients to stay connected and receive new‑mail notifications without polling.
Dovecot supports IDLE by default in IMAP. Ensure your firewall and connection limits allow long‑lived IMAP connections.
POP3‑Specific Features in Dovecot
POP3 is simpler and usually used just for downloading and optionally deleting mail from INBOX.
Enabling POP3 Protocol
In conf.d/20-pop3.conf:
protocol pop3 {
mail_max_userip_connections = 3
}
Ensure protocols contains pop3 if you want POP3.
POP3 UIDL and Message State
POP3 clients depend on UIDL strings to identify which messages have already been downloaded.
Dovecot generates stable UIDLs; altering message storage or indexes can affect UIDLs, which may cause clients to re‑download mail. Avoid deleting Dovecot index files unnecessarily on an active POP3 system.
Leave Messages on Server vs Delete
The POP3 protocol itself is simple; it’s the client that decides whether to:
- Leave messages on server, or
- Delete after retrieval (the common old‑style use).
Server‑side, Dovecot doesn’t “know” about that policy; it just applies the POP3 commands sent by the client.
Integrating Dovecot with Local Delivery
Typically, your MTA delivers mail into mailboxes that Dovecot later serves.
Common patterns:
- System users + Maildir in home directory
  - Postfix: home_mailbox = Maildir/
  - Dovecot: mail_location = maildir:~/Maildir
- Virtual domains + vmail user
  - Postfix LDA or LMTP delivers as vmail into /var/mail/vhosts/domain/user/
  - Dovecot: mail_location = maildir:/var/mail/vhosts/%d/%n, with userdb/passdb configured for virtual users.
Delivery method specifics (LDA/LMTP, plus interaction with Postfix) are usually covered in the SMTP/Postfix sections; with Dovecot you just need consistent mailbox paths and permissions.
Basic Monitoring and Troubleshooting
Checking Logs
Dovecot logs via syslog or journald. Common paths:
- /var/log/mail.log (Debian/Ubuntu)
- /var/log/maillog (RHEL‑like)
- journalctl -u dovecot
Look for:
- Auth failures
- TLS issues
- Permission or mailbox path errors
Example:
sudo journalctl -u dovecot -e
Testing IMAP/POP3 Manually
With `openssl s_client` (IMAPS/POP3S)
IMAPS:
openssl s_client -connect mail.example.com:993 -quiet
A1 LOGIN alice@example.com supersecret
A2 LIST "" "*"
A3 LOGOUT
POP3S:
openssl s_client -connect mail.example.com:995 -quiet
USER alice@example.com
PASS supersecret
LIST
QUIT
If TLS is working, you’ll see a certificate handshake and encrypted session. Authentication failures will be logged.
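The openssl s_client session above is fine for a quick look, but it will happily complete the handshake against an untrusted or mismatched certificate and only print a verify error. As an added example (not from the chapter), here is the same IMAPS/POP3S check scripted with Python's standard library so that chain verification, hostname matching and a TLS 1.2 floor are enforced and a failure aborts the check. mail.example.com and alice@example.com are the chapter's placeholders; the function names are my own.

```python
import getpass
import imaplib
import poplib
import ssl
import sys

# Added example: the IMAPS/POP3S checks from the openssl s_client session,
# scripted with certificate and hostname verification. Host and user defaults
# are the chapter's placeholders, not a real server.


def tls_context(cafile=None) -> ssl.SSLContext:
    """Verifying client context: trusted chain, hostname match, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """The properties a health check should assert before trusting its results."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def imaps_check(host, user, password, port=993, timeout=10) -> dict:
    """LOGIN over IMAPS, LIST folders, LOGOUT; raises on TLS or auth failure."""
    with imaplib.IMAP4_SSL(host, port, ssl_context=tls_context(), timeout=timeout) as imap:
        imap.login(user, password)
        typ, folders = imap.list()
        if typ != "OK":
            raise RuntimeError(f"LIST failed: {typ}")
        return {"tls": imap.sock.version(), "folders": [f.decode() for f in folders if f]}


def pop3s_check(host, user, password, port=995, timeout=10) -> dict:
    """USER/PASS over POP3S, STAT, QUIT; raises on TLS or auth failure."""
    pop = poplib.POP3_SSL(host, port, timeout=timeout, context=tls_context())
    try:
        pop.user(user)
        pop.pass_(password)
        count, size = pop.stat()
        return {"tls": pop.sock.version(), "messages": count, "bytes": size}
    finally:
        pop.quit()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    user = sys.argv[2] if len(sys.argv) > 2 else "alice@example.com"
    password = getpass.getpass(f"Password for {user}: ")   # never put it on the command line
    print("IMAPS:", imaps_check(host, user, password))
    print("POP3S:", pop3s_check(host, user, password))
```

A certificate whose hostname does not match, an expired chain, or a server limited to TLS 1.0/1.1 all surface here as an ssl.SSLError before any credentials are sent, which is exactly the "TLS errors" class listed under Common Issues.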
Common Issues
- Authentication fails
  - Check auth_mechanisms vs client settings (e.g., PLAIN/LOGIN/CRAM‑MD5).
  - Verify the correct passdb/userdb is enabled in 10-auth.conf.
- No mail appears
  - mail_location doesn’t match where your MTA is delivering.
  - File permissions prevent the user from reading the maildir/mbox.
- TLS errors
  - Invalid or mismatched certificate paths.
  - Hostname in certificate doesn’t match server name.
- Too many connections
  - Tune mail_max_userip_connections in 20-imap.conf / 20-pop3.conf.
  - Inspect clients that open many simultaneous connections.
Hardening and Best Practices
- Prefer IMAP over POP3 for modern environments (multiple devices, folders).
- Require TLS (ssl = required, disable_plaintext_auth = yes).
- Use strong ciphers and modern TLS versions (controlled in 10-ssl.conf).
- Avoid granting shell access to ordinary mail users when using virtual hosting.
- Monitor logs for brute‑force attempts and combine with firewall/IDS tools.
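As an added example of the log monitoring recommended above (not from the chapter), the following Python aggregates Dovecot login failures per source IP, counts distinct user names tried from each, notes "unknown user" lookups, and flags sessions that attempted to authenticate without TLS. The log lines are constructed in the shape of Dovecot's imap-login, pop3-login and auth messages, using addresses from the documentation ranges; the function names are my own. The resulting report is what you would hand to a firewall or IDS rule.

```python
import re
from collections import Counter, defaultdict

# Added example: summarise Dovecot login failures per source IP so that
# brute-force attempts stand out. The lines below are constructed in the shape
# of Dovecot's imap-login/pop3-login and auth messages; the addresses are from
# the documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
SAMPLE_LOG = """\
Apr 10 12:00:01 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.23, lip=198.51.100.2, mpid=2211, TLS, session=<s1>
Apr 10 12:00:05 mail dovecot: imap-login: Disconnected: Inactivity (auth failed, 3 attempts in 60 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<s2>
Apr 10 12:00:07 mail dovecot: auth: passwd-file(admin,203.0.113.5): unknown user
Apr 10 12:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<s3>
Apr 10 12:00:12 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, session=<s4>
Apr 10 12:00:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<carol@example.com>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2, TLS, session=<s5>
Apr 10 12:00:20 mail dovecot: imap-login: Disconnected (no auth attempts in 10 secs): user=<>, rip=192.0.2.9, lip=198.51.100.2, TLS, session=<s6>
"""

# "(auth failed, N attempts in M secs)" lines carry the attempt count and the
# remote IP (rip=); the trailing "TLS" token is present only on encrypted sessions.
AUTH_FAILED = re.compile(
    r"dovecot: (?P<svc>imap|pop3)-login: Disconnected.*\(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)(?P<rest>.*)$"
)
UNKNOWN_USER = re.compile(r"dovecot: auth: \S+\((?P<user>[^,]*),(?P<rip>[^)]+)\): unknown user")


def summarize(log: str, threshold: int = 3) -> dict:
    """Aggregate failed logins per rip and flag IPs at or above `threshold` attempts."""
    attempts = Counter()
    users = defaultdict(set)
    unknown = Counter()
    cleartext = 0
    for line in log.splitlines():
        m = AUTH_FAILED.search(line)
        if m:
            attempts[m["rip"]] += int(m["n"])
            users[m["rip"]].add(m["user"])
            if " TLS" not in m["rest"]:      # credentials were tried on a cleartext session
                cleartext += 1
            continue
        m = UNKNOWN_USER.search(line)
        if m:
            unknown[m["rip"]] += 1
    return {
        "failed_attempts": dict(attempts),
        "distinct_users": {ip: len(u) for ip, u in users.items()},
        "unknown_users": dict(unknown),
        "cleartext_failures": cleartext,
        "suspicious": [ip for ip, n in attempts.most_common() if n >= threshold],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in report["suspicious"]:
        print(f"{ip}: {report['failed_attempts'][ip]} failed attempts, "
              f"{report['distinct_users'][ip]} distinct users, "
              f"{report['unknown_users'].get(ip, 0)} unknown-user lookups")
```

Feed it `journalctl -u dovecot --no-pager` or the mail log instead of SAMPLE_LOG; one IP cycling through many user names (high distinct_users) is a stronger signal than a single user mistyping a password, and any non-zero cleartext_failures count means a client is still trying to authenticate before STARTTLS.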
For more advanced topics like full virtual domain setups, dovecot‑lmtp, Sieve filtering, and integration with spam/AV systems, see the broader email architecture and security chapters.