Dovecot

What Is It?

Dovecot is an open-source IMAP and POP3 server that allows email clients to access mailboxes on the server. It integrates with Postfix via LMTP for mail delivery and SASL for authentication.

Installation

dnf install dovecot

Key Files and Directories

Path                         Purpose
/etc/dovecot/dovecot.conf    Main configuration
/etc/dovecot/conf.d/         Modular configuration files
~/mail/                      User maildir (when configured)

Default Ports

Port   Protocol   Purpose
143    TCP        IMAP — mailbox access (plaintext/STARTTLS)
993    TCP        IMAPS — IMAP over implicit TLS

Configuration

Dovecot uses a modular configuration structure:

  • /etc/dovecot/dovecot.conf — main configuration (protocols, includes)
  • /etc/dovecot/conf.d/ — modular config files for authentication, mail, SSL, logging, etc.

Key configuration files in conf.d/:

File                 Purpose
10-auth.conf         Authentication mechanisms and username format
10-logging.conf      Debug and log settings
10-mail.conf         Mail location and mailbox format
10-master.conf       Service definitions and UNIX socket listeners
10-ssl.conf          TLS/SSL configuration
15-mailboxes.conf    Default mailbox folders (Inbox, Sent, Trash, etc.)

Minimal Working Configuration

Main config (/etc/dovecot/dovecot.conf):

protocols = imap lmtp

imap provides mailbox access for clients. lmtp provides local delivery from Postfix.

Authentication (conf.d/10-auth.conf):

auth_mechanisms = plain login
auth_username_format = %n
disable_plaintext_auth = no    # Set to 'yes' once TLS is configured

  • plain and login are the simplest SASL mechanisms. Both send credentials in cleartext (must be combined with TLS in production).
  • %n strips the domain part from the username, so mailuser@example.sysadm.ee authenticates as local user mailuser.

Mail location (conf.d/10-mail.conf):

mail_location = maildir:~/mail
mail_privileged_group = mail

  • maildir:~/mail stores each user's mail in their home directory under ~/mail/ using the Maildir format (one file per message).
  • mail_privileged_group = mail gives Dovecot's mail processes access to /var/mail.

LMTP listener (conf.d/10-master.conf) — receives mail from Postfix:

service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        mode = 0600
        user = postfix
        group = postfix
    }
}

Auth listener (conf.d/10-master.conf) — provides SASL authentication for Postfix submission:

service auth {
    unix_listener /var/spool/postfix/private/auth {
        mode = 0600
        user = postfix
        group = postfix
    }
}

Mailboxes (conf.d/15-mailboxes.conf) — auto-create standard folders:

namespace inbox {
    mailbox Drafts {
        auto = create
        special_use = \Drafts
    }
    mailbox Sent {
        auto = create
        special_use = \Sent
    }
    mailbox Trash {
        auto = create
        special_use = \Trash
    }
    mailbox Spam {
        auto = create
        special_use = \Junk
    }
}

Important Directives

protocols
    Which protocols to enable. Typically imap lmtp. Add pop3 only if legacy clients require it.
mail_location
    Where and how mail is stored. maildir:~/mail is the recommended format (one file per message, crash-safe).
auth_mechanisms
    SASL mechanisms to offer. plain login for basic authentication (combine with TLS).
auth_username_format
    How usernames are normalised. %n strips the domain; %Lu lowercases the full username.
disable_plaintext_auth
    When yes, plaintext authentication is only allowed over TLS connections. Set to no only during initial testing.
ssl
    Set to required in production (with ssl_cert and ssl_key configured). Set to no only for initial testing without TLS.

Common Commands

# Install
sudo dnf install dovecot

# Start and enable
systemctl start dovecot
systemctl enable dovecot
systemctl restart dovecot

# View active (non-default) configuration
doveconf -n

# View default values
doveconf -d

# Check a specific parameter
doveconf mail_location

# Test IMAP login via telnet
telnet localhost 143
# Then: A1 login <username> <password>
# Then: A2 select inbox
# Then: A3 logout

# Add dovecot user to mail group
usermod -aG mail dovecot

Logging and Debugging

Enable debug logging in conf.d/10-logging.conf:

mail_debug = yes

Dovecot logs to syslog by default. On CentOS/RHEL, mail logs appear in /var/log/maillog alongside Postfix entries.

Example IMAP login log:

Mar 15 09:12:03 vm dovecot: imap-login: Login: user=<mailuser>, method=PLAIN,
  rip=127.0.0.1, lip=127.0.0.1, mpid=12345, session=<abc123>

Troubleshooting checklist:

  1. systemctl status dovecot — is the service running?
  2. doveconf -n — verify configuration values
  3. tail -f /var/log/maillog — watch authentication and delivery events
  4. ss -tulpn | grep :143 — is Dovecot listening on IMAP?
  5. ls -la /var/spool/postfix/private/dovecot-lmtp — does the LMTP socket exist?
  6. ls -la /var/spool/postfix/private/auth — does the auth socket exist?
  7. telnet localhost 143 — can you manually connect and authenticate?

Security Considerations

  • Enable TLS: Set ssl = required with valid certificates in production. Without TLS, passwords are transmitted in plaintext over the network.
  • disable_plaintext_auth = yes: Once TLS is configured, re-enable this to prevent plaintext credentials on unencrypted connections.
  • UNIX socket permissions: The LMTP and auth sockets should be owned by postfix:postfix with 0600 permissions, restricting access to the Postfix process only.
  • Firewall: Open ports 143 (IMAP) and 993 (IMAPS) in firewalld and cloud security groups. Once TLS is enforced, close port 143 and use only 993.
  • Maildir permissions: Each user's ~/mail/ directory should be owned by that user. Dovecot creates it automatically on first delivery.
  • Avoid POP3: POP3 clients typically download mail and then delete it from the server. Use IMAP for synchronised access across multiple devices.
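
The checks in the list above can be run automatically against doveconf -n output. The script below is an added example, not part of the original page or of Dovecot: the function names, finding labels and sample configuration are constructed. It assumes the Dovecot 2.3 setting names used on this page, treats an unset disable_plaintext_auth as yes, and treats an unset ssl as not required.

```shell
#!/bin/sh
# Added example: audit `doveconf -n` style text against this page's checklist.
# Assumptions (Dovecot 2.3 names, as on this page): an unset
# disable_plaintext_auth means yes; an unset ssl is not "required".
audit_dovecot() {   # config on stdin, one finding per line, status 1 if any
    awk '
    function report(msg) { print msg; n++ }
    { sub(/[ \t]*#.*$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    /[{]$/ {                                   # block opens: remember its header
        sub(/[ \t]*[{]$/, ""); stack[++depth] = $0
        if ($1 == "unix_listener") { sock = $2; mode = ""; user = "" }
        next
    }
    /^[}]/ {                                   # block closes: judge Postfix sockets
        if (stack[depth] ~ /^unix_listener / && index(sock, "/var/spool/postfix/private/") == 1) {
            if (mode != "" && mode != "0600") report("SOCKET_MODE " sock " mode=" mode)
            if (user != "postfix") report("SOCKET_OWNER " sock " user=" (user == "" ? "unset" : user))
        }
        depth--; next
    }
    /=/ {                                      # key = value line
        key = $0; sub(/[ \t]*=.*$/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val)
        if (depth == 0) top[key] = val
        else if (stack[depth] ~ /^unix_listener /) { if (key == "mode") mode = val; if (key == "user") user = val }
    }
    END {
        ssl = ("ssl" in top) ? top["ssl"] : "unset"
        if (ssl != "required") report("TLS_NOT_REQUIRED ssl=" ssl)
        if (top["disable_plaintext_auth"] == "no") report("PLAINTEXT_AUTH_ALLOWED")
        if (top["protocols"] ~ /(^| )pop3( |$)/) report("POP3_ENABLED")
        exit (n > 0)
    }'
}
sample_conf() {     # constructed input, not output from a real server
    cat <<'EOF'
protocols = imap lmtp pop3
disable_plaintext_auth = no    # testing only
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
  }
}
EOF
}
sample_conf | audit_dovecot || true
```

On a server, pipe doveconf -n into audit_dovecot; a non-zero exit status means at least one finding was printed.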

Further Reading

  • Concepts: Email
  • SOPs: Mail Server Management