Skip to content
Flowchart Learning

Dovecot

Chapter 79: Dovecot IMAP/POP3 Server

Section titled “Chapter 79: Dovecot IMAP/POP3 Server”

Comprehensive Dovecot Configuration and Management

Section titled “Comprehensive Dovecot Configuration and Management”

Why This Matters in DevOps/SRE

Section titled “Why This Matters in DevOps/SRE”

Dovecot provides IMAP/POP3 access for users to retrieve emails. As a DevOps/SRE, you’ll configure Dovecot for secure email access, set up authentication, implement SSL/TLS, and integrate with LDAP or Active Directory. It’s the gateway for users to access their mailboxes.

┌─────────────────────────────────────────────────────────────────────────────┐
│                    DOVECOT IN EMAIL INFRASTRUCTURE                          │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  ┌─────────────────────────────────────────────────────────────────────┐    │
│  │                    EMAIL FLOW                                          │    │
│  │                                                                       │    │
│  │   Internet → Postfix → Mailbox → Dovecot → IMAP/POP3 → User        │    │
│  │                                                                       │    │
│  └─────────────────────────────────────────────────────────────────────┘    │
│                                                                             │
│  ┌─────────────────────────────────────────────────────────────────────┐    │
│  │                    DEV OPS TASKS                                        │    │
│  │                                                                       │    │
│  │   • IMAP/POP3 access for users                                      │    │
│  │   • SSL/TLS configuration for secure connections                   │    │
│  │   • User authentication (LDAP, PAM, database)                     │    │
│  │   • Quota management                                                 │    │
│  │   • Mailbox indexing for fast search                               │    │
│  │                                                                       │    │
│  └─────────────────────────────────────────────────────────────────────┘    │
│                                                                             │
│  ┌─────────────────────────────────────────────────────────────────────┐    │
│  │                    SECURITY                                              │    │
│  │                                                                       │    │
│  │   • TLS required for all connections                                │    │
│  │   • Strong authentication mechanisms                                │    │
│  │   • IMAPS (993) and POP3S (995) ports                             │    │
│  │                                                                       │    │
│  └─────────────────────────────────────────────────────────────────────┘    │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘

Real-world DevOps scenarios:

  • Remote access: Employees accessing email via IMAP from mobile/desktop clients
  • Webmail integration: Roundcube or other webmail using Dovecot
  • Mail storage: NFS or distributed filesystem for mailbox storage

79.1 Dovecot Architecture Overview

Section titled “79.1 Dovecot Architecture Overview”

What is Dovecot?

Section titled “What is Dovecot?”

Dovecot is an open-source IMAP and POP3 server for Linux and UNIX-like systems. Known for its security, simplicity, and high performance, it’s widely deployed in production email environments ranging from small organizations to large-scale mail services.

┌────────────────────────────────────────────────────────────────────────┐
│                        DOVECOT ARCHITECTURE                            │
├────────────────────────────────────────────────────────────────────────┤
│                                                                        │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                      CLIENT CONNECTIONS                         │  │
│  │  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐           │  │
│  │  │ Thunder-│  │  iOS    │  │ Outlook │  │  Web    │           │  │
│  │  │  bird   │  │ Mail    │  │         │  │  Mail   │           │  │
│  │  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘           │  │
│  └───────┼───────────┼───────────┼───────────┼──────────────────┘  │
│          │           │           │           │                      │
│          │           │           │           │                      │
│  ┌───────┴───────────┴───────────┴───────────┴──────────────────┐  │
│  │                     DOVECOT SERVER                             │  │
│  │                                                                  │  │
│  │  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐        │  │
│  │  │  IMAP (143) │  │ IMAPS (993)  │  │ POP3 (110)  │        │  │
│  │  │  POP3S(995) │  │              │  │              │        │  │
│  │  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘        │  │
│  └─────────┼─────────────────┼─────────────────┼────────────────┘  │
│            │                 │                 │                    │
│  ┌─────────┴─────────────────┴─────────────────┴────────────────┐  │
│  │                    AUTHENTICATION LAYER                       │  │
│  │  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐   │  │
│  │  │   PAM    │  │   LDAP   │  │  SQL     │  │  passwd  │   │  │
│  │  └──────────┘  └──────────┘  └──────────┘  └──────────┘   │  │
│  └──────────────────────────────────────────────────────────────┘  │
│            │                                                        │
│  ┌─────────┴──────────────────────────────────────────────────┐   │
│  │                      MAIL STORAGE LAYER                      │   │
│  │  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐   │   │
│  │  │ Maildir  │  │   mbox   │  │   dbox   │  │  imapc   │   │   │
│  │  └──────────┘  └──────────┘  └──────────┘  └──────────┘   │   │
│  └──────────────────────────────────────────────────────────────┘  │
│                                                                        │
└────────────────────────────────────────────────────────────────────────┘

Key Features

Section titled “Key Features”
FeatureDescriptionBenefit
High PerformanceOptimized for modern hardware, multi-threadedHandles thousands of concurrent users
Security FirstSELinux support, privilege separation, encrypted passwordsProtects against attacks
Flexible AuthPAM, LDAP, SQL, passwd, KerberosIntegrates with existing infrastructure
Multiple FormatsMaildir, mbox, dbox, remote IMAPMigration flexibility
Quota SupportUser and mailbox quotasResource management
ACLsIMAP ACL extensionShared folder management
SieveServer-side filteringAutomated email organization
Replicationdsync-based replicationHigh availability

Protocol Comparison

Section titled “Protocol Comparison”
┌────────────────────────────────────────────────────────────────────────┐
│                    IMAP vs POP3 COMPARISON                             │
├────────────────────────────────────────────────────────────────────────┤
│                                                                        │
│  ┌─────────────────────┬─────────────────────┬────────────────────┐ │
│  │ Feature              │ IMAP                 │ POP3               │ │
│  ├─────────────────────┼─────────────────────┼────────────────────┤ │
│  │ Default Port         │ 143 (plain)          │ 110 (plain)        │ │
│  │ Encrypted Port       │ 993 (IMAPS)          │ 995 (POP3S)        │ │
│  │ Mail Storage        │ On server            │ Downloaded         │ │
│  │ Multiple Devices    │ Yes (sync)           │ No                 │ │
│  │ Offline Access      │ Limited              │ Full               │ │
│  │ Bandwidth           │ More efficient       │ Less efficient     │ │
│  │ Server Resources    │ Higher               │ Lower              │ │
│  │ Complexity          │ Higher               │ Lower              │ │
│  │ Use Case            │ Multi-device access  │ Single computer    │ │
│  └─────────────────────┴─────────────────────┴────────────────────┘ │
│                                                                        │
│  RECOMMENDATION: Use IMAP for most scenarios                           │
│  - Cross-device synchronization                                      │
│  - Webmail integration                                               │
│  - Mobile device support                                              │
│                                                                        │
└────────────────────────────────────────────────────────────────────────┘

79.2 Installation

Section titled “79.2 Installation”

Package Installation

Section titled “Package Installation”
Terminal window
# Debian/Ubuntu
sudo apt update
sudo apt install dovecot dovecot-imapd dovecot-pop3d dovecot-lucene


# RHEL/CentOS/AlmaLinux
sudo yum install dovecot dovecot-pigeonhole


# Fedora
sudo dnf install dovecot dovecot-pigeonhole


# Arch Linux
sudo pacman -S dovecot


# openSUSE
sudo zypper install dovecot

Verification

Section titled “Verification”
Terminal window
# Check version
dovecot --version


# Verify installation
dovecot -n


# Check processes
ps aux | grep dovecot


# Check ports
ss -tlnp | grep -E "(imap|pop3)"
netstat -tlnp | grep -E "(imap|pop3)"

79.3 Core Configuration

Section titled “79.3 Core Configuration”

Main Configuration File

Section titled “Main Configuration File”
/etc/dovecot/dovecot.conf
# Enable protocols
protocols = imap pop3


# Listen addresses
listen = *, ::


# IPv6
ipv6 = yes


# Base directory for runtime data
base_dir = /var/run/dovecot/


# Login processes
loginProcesses = 32


# Number of IMAP/POP3 processes
default_process_limit = 1024


# Maximum connections per user
mail_max_userip_connections = 50


# Disable version display
version_avoid = 1

Protocol Configuration

Section titled “Protocol Configuration”
/etc/dovecot/conf.d/10-master.conf
# Service configurations
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }


  # Process limits
  process_min_avail = 3
  service_count = 0
}


service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }


  service_count = 0
}


# Limit connections
service imap {
  process_limit = 5000
  vsz_limit = 256M
}


service pop3 {
  process_limit = 2000
  vsz_limit = 256M
}

Authentication Configuration

Section titled “Authentication Configuration”
/etc/dovecot/conf.d/10-auth.conf
# Disable plain text auth without SSL
disable_plaintext_auth = yes


# Authentication mechanisms
auth_mechanisms = plain login apop


# User database
userdb {
  driver = passwd
  args = blocking=yes
}


# Password database
passdb {
  driver = pam
  args = session=yes dovecot
}


# LDAP example
# passdb {
#   driver = ldap
#   args = /etc/dovecot/dovecot-ldap.conf
# }


# SQL example
# passdb {
#   driver = sql
#   args = /etc/dovecot/dovecot-sql.conf
# }


# Kerberos example
# auth_mechanisms = plain login gssapi
# passdb {
#   driver = gssapi
#   args = realm=EXAMPLE.COM
# }


# Default realm for LOGIN mechanism
auth_default_realm = example.com

Mail Location Configuration

Section titled “Mail Location Configuration”
/etc/dovecot/conf.d/10-mail.conf
# Mail location (Maildir format - recommended)
mail_location = maildir:~/Maildir


# Alternative: mbox format
# mail_location = mbox:~/mail:INBOX=/var/mail/%u


# Alternative: dbox format (Dovecot's high-performance format)
# mail_location = sdbox:~/mdbox


# Create mail directories if missing
mail_create_maildir_if_missing = yes


# Namespace configuration
namespace inbox {
  inbox = yes
  location =


  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }


  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }


  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }


  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }


  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
}


# Mailbox naming
mailbox_names = Trash, Sent, Drafts, Archive, Spam


# Locking
lock_method = fcntl


# Directory hierarchy
mail_dir = Maildir


# ACL plugin configuration
mail_plugins = acl
plugin {
  acl = vfile
}

SSL/TLS Configuration

Section titled “SSL/TLS Configuration”
/etc/dovecot/conf.d/10-ssl.conf
# SSL required
ssl = required


# Certificate files
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_key = </etc/ssl/private/dovecot.key
ssl_ca = </etc/ssl/certs/ca-certificates.crt


# DH parameters
ssl_dh = </etc/dovecot/dh.pem


# Minimum TLS version
ssl_min_protocol = TLSv1.2


# Ciphers
ssl_cipher_list = HIGH:!aNULL:!MD5:!RC4


# Prefer server ciphers
ssl_prefer_server_ciphers = yes


# Disable compression (CRIME attack)
ssl_options = no_compression

Generating SSL Certificates

Section titled “Generating SSL Certificates”
Terminal window
# Generate self-signed certificate (for testing)
sudo openssl req -new -x509 -days 365 -nodes \
  -out /etc/ssl/certs/dovecot.crt \
  -keyout /etc/ssl/private/dovecot.key \
  -subj "/C=US/ST=State/L=City/O=Org/CN=mail.example.com"


# Generate DH parameters
sudo openssl dhparam -out /etc/dovecot/dh.pem 4096


# Set permissions
sudo chmod 640 /etc/ssl/private/dovecot.key
sudo chown root:dovecot /etc/ssl/private/dovecot.key


# Using Let's Encrypt (recommended for production)
# Install certbot, then:
sudo certbot certonly --standalone -d mail.example.com
sudo cp /etc/letsencrypt/live/mail.example.com/fullchain.pem /etc/ssl/certs/dovecot.crt
sudo cp /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/ssl/private/dovecot.key


# Reload Dovecot
sudo systemctl reload dovecot

79.4 Advanced Configuration

Section titled “79.4 Advanced Configuration”

Quota Configuration

Section titled “Quota Configuration”
/etc/dovecot/conf.d/90-quota.conf
# Install quota plugin
# apt install dovecot-pop3d-imapd (Debian)


# Enable quota plugin
mail_plugins = $mail_plugins quota


# Quota backend
plugin {
  quota = maildir:user
  quota_rule = *:storage=10GB
  quota_rule2 = *:messages=100000
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
}


# Service for quota warnings
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  user = dovecot
  unix_listener quota-warning {
    user = dovecot
  }
}
/usr/local/bin/quota-warning.sh
#!/bin/bash
PERCENT=$1
USER=$2


cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota="
From: postmaster@example.com
Subject: Quota Warning


Your mailbox is now at $PERCENT% of its quota.
Please delete some messages to free up space.
EOF

Sieve Filtering

Section titled “Sieve Filtering”
/etc/dovecot/conf.d/90-sieve.conf
# Install pigeonhole (Sieve plugin)
# apt install dovecot-pigeonhole


# Enable sieve
mail_plugins = $mail_plugins sieve


plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_default = /etc/dovecot/sieve/default.sieve
  sieve_global_dir = /etc/dovecot/sieve/global/
}


# Vacation auto-reply
plugin {
  sieve_vacation_use_domain = yes
  sieve_vacation_default_period = 7d
  sieve_vacation_max_period = 30d
}
/etc/dovecot/sieve/default.sieve
require ["fileinto", "vacation"];


# Spam to Junk folder
if header :contains "X-Spam-Flag" "YES" {
    fileinto "Junk";
    stop;
}


# Archive old messages
if currentdate :year >= 2024 {
    fileinto "Archive.2024";
}


# Vacation auto-reply
# vacation :days 7 :subject "Out of Office" "I'm currently out of office.";

ACL Configuration

Section titled “ACL Configuration”
/etc/dovecot/conf.d/90-acl.conf
# Enable ACL plugin
mail_plugins = $mail_plugins acl


# ACL file location
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
}


# IMAP ACL extension
protocol imap {
  mail_plugins = $mail_plugins acl imap_acl
}
Terminal window
# Per-user ACL in Maildir
# ~/Maildir/shared:user@example.com=lrswipkxtecda


# Global ACL
# /etc/dovecot/dovecot-acl


# Example: Grant access to shared folder
# user=admin@example.com lrwstipekxa
# group=team@example.com lrwstipekxa

Replication (High Availability)

Section titled “Replication (High Availability)”
/etc/dovecot/conf.d/90-replication.conf
# Enable replication
mail_plugins = $mail_plugins notify replication


plugin {
  replication_max_conns = 10
  sync_time_to_live = 7d
  replicator_rows_per_checkpoint = 1000
  replicator_sync_time_to_live = 1d
}


# Replication destination
service replicator {
  process_min_avail = 1
  user = vmail
}


# Dovecot director for load balancing (in master-slave setup)
# See Chapter 80: Email Security for HA setup

79.5 Database Integration

Section titled “79.5 Database Integration”

MySQL/MariaDB

Section titled “MySQL/MariaDB”
/etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=mailserver user=mailuser password=secret
default_pass_scheme = SHA256-CRYPT


# Password query
password_query = SELECT email AS user, password FROM mailbox WHERE email = '%u' AND active = '1'


# User query
user_query = SELECT CONCAT('/var/vmail/', maildir) AS home, \
             CONCAT('maildir:', CONCAT('/var/vmail/', maildir)) AS mail, \
             5000 AS uid, 5000 AS gid, \
             CONCAT('*:bytes=', quota) AS quota_rule \
             FROM mailbox WHERE email = '%u' AND active = '1'

PostgreSQL

Section titled “PostgreSQL”
/etc/dovecot/dovecot-sql.conf
driver = pgsql
connect = host=localhost dbname=mailserver user=mailuser password=secret
default_pass_scheme = SHA256-CRYPT


password_query = SELECT email AS user, password FROM mailbox WHERE email = '%u' AND active = true


user_query = SELECT '/var/vmail/' || maildir AS home, \
             'maildir:/var/vmail/' || maildir AS mail, \
             5000 AS uid, 5000 AS gid, \
             '*:bytes=' || quota AS quota_rule \
             FROM mailbox WHERE email = '%u' AND active = true

LDAP

Section titled “LDAP”
/etc/dovecot/dovecot-ldap.conf
hosts = ldap.example.com:389
dn = cn=admin,dc=example,dc=com
dnpass = secret


# LDAP search base
base = ou=people,dc=example,dc=com


# User lookup
user_filter = (&(objectClass=posixAccount)(mail=%u))


# Attribute mapping
user_attrs = mail=mail,homeDirectory=home,uidNumber=uid,gidNumber=gid


# Password lookup
pass_filter = (&(objectClass=posixAccount)(mail=%u))
pass_attrs = userPassword=password

79.6 Management and Administration

Section titled “79.6 Management and Administration”

Configuration Testing

Section titled “Configuration Testing”
Terminal window
# Show effective configuration
dovecot -n


# Test configuration syntax
dovecot -F


# Test specific configuration file
dovecot -c /etc/dovecot/dovecot.conf -n


# Check for configuration errors
dovecot -a 2>&1 | grep -i error

User Management

Section titled “User Management”
Terminal window
# Test authentication
doveadm auth test user@example.com password


# Force authentication cache clear
doveadm auth cache flush


# List mailboxes
doveadm mailbox list -u user@example.com


# List quota usage
doveadm quota get -u user@example.com


# Set quota
doveadm quota set -u user@example.com 5GB


# Force user re-login (kick)
doveadm kick user@example.com


# Refresh user database
doveadm user '*'

Mailbox Operations

Section titled “Mailbox Operations”
Terminal window
# Create mailbox
doveadm mailbox create -u user@example.com INBOX.Archive


# Delete mailbox
doveadm mailbox delete -u user@example.com INBOX.Archive


# Rename mailbox
doveadm mailbox rename -u user@example.com OldArchive NewArchive


# Subscribe/unsubscribe
doveadm mailbox subscribe -u user@example.com INBOX.Archive
doveadm mailbox unsubscribe -u user@example.com INBOX.Archive


# List messages
doveadm fetch -u user@example.com text mailbox INBOX all


# Expunge deleted messages
doveadm expunge -u user@example.com mailbox INBOX


# Search messages
doveadm search -u user@example.com mailbox INBOX flagged

Debugging

Section titled “Debugging”
/etc/dovecot/conf.d/10-logging.conf
# Enable debug logging
auth_debug = yes
auth_verbose = yes
mail_debug = yes


# View logs in real-time
tail -f /var/log/dovecot.log
journalctl -u dovecot -f


# Debug authentication
doveadm auth trace user@example.com


# Debug IMAP commands
# Add to configuration:
# protocol imap {
#   imap_logging = yes
# }


# Connection tracking
doveadm connection list

Performance Monitoring

Section titled “Performance Monitoring”
Terminal window
# Check process count
ps aux | grep dovecot | wc -l


# Connection counts
ss -tn | grep -E "(imap|pop3)" | wc -l


# Per-user connections
doveadm connection list | awk '{print $4}' | sort | uniq -c | sort -rn


# Statistics
doveadm stats


# Active user count
doveadm user '*' | wc -l

79.7 Troubleshooting

Section titled “79.7 Troubleshooting”

Common Issues and Solutions

Section titled “Common Issues and Solutions”
IssueSymptomsSolution
Authentication failsCan’t loginCheck auth_debug, verify PAM/LDAP/SQL
Slow loginHigh latencyCheck userdb, enable caching
Certificate errorsSSL/TLS issuesRegenerate certs, check permissions
Quota not workingNo quota enforcementVerify quota plugin loaded
Mail not deliveredBouncesCheck dovecot-lda, master configuration
High loadSlow responseReduce connections, increase processes
Permission deniedCan’t access mailCheck file permissions, SELinux

Diagnostic Commands

Section titled “Diagnostic Commands”
Terminal window
# Check configuration syntax
dovecot -n


# Check authentication
doveadm auth test user password


# Check mail location
doveadm mailbox list -u user


# Check user info
doveadm user user@example.com


# Check logs
tail -100 /var/log/dovecot.log


# Check system logs
journalctl -u dovecot --since "1 hour ago"


# Check SSL
openssl s_client -connect localhost:993 -showcerts


# Check ports
ss -tlnp | grep dovecot


# Check SELinux (if enabled)
getsebool -a | grep dovecot
setsebool -P dovecot_use_nfs 1

Log Analysis

Section titled “Log Analysis”
Terminal window
# Failed authentication
grep "auth failed" /var/log/dovecot.log


# Connection issues
grep -E "(connection closed|disconnected)" /var/log/dovecot.log


# Quota exceeded
grep -i quota /var/log/dovecot.log


# Performance issues
grep -E "(warning|error)" /var/log/dovecot.log | tail -50

79.8 Production Configuration Examples

Section titled “79.8 Production Configuration Examples”

Small Office (10-50 users)

Section titled “Small Office (10-50 users)”
/etc/dovecot/dovecot.conf
protocols = imap pop3
listen = *
base_dir = /var/run/dovecot/


# Auth
disable_plaintext_auth = yes
auth_mechanisms = plain login


# Mail
mail_location = maildir:~/Maildir
mail_create_maildir_if_missing = yes


# Users (PAM)
userdb {
  driver = passwd
}
passdb {
  driver = pam
}


# SSL
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_key = </etc/ssl/private/dovecot.key
ssl_min_protocol = TLSv1.2


# Performance
default_process_limit = 256
mail_max_userip_connections = 20


# Logging
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log

Enterprise (1000+ users)

Section titled “Enterprise (1000+ users)”
/etc/dovecot/dovecot.conf
protocols = imap pop3
listen = *, [::]
base_dir = /var/run/dovecot/


# Auth (LDAP with caching)
disable_plaintext_auth = yes
auth_mechanisms = plain login
auth_cache_size = 10240
auth_cache_ttl = 1 hour


# Mail (dbox for performance)
mail_location = sdbox:~/mdbox
mail_fsync = always


# Users (LDAP)
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-user.conf
}


# Quota
mail_plugins = $mail_plugins quota
plugin {
  quota = maildir:user
}


# Sieve
mail_plugins = $mail_plugins sieve
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}


# SSL/TLS
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_key = </etc/ssl/private/dovecot.key
ssl_dh = </etc/dovecot/dh.pem
ssl_prefer_server_ciphers = yes


# Performance tuning
default_process_limit = 2048
mail_max_userip_connections = 100
mail_process_size = 256
vsz_limit = 512M


# Logging
log_path = /var/log/dovecot.log
auth_verbose = yes
mail_debug = no


# Master process for reliability
service stats {
  unix_listener stats-reader {
    user = dovecot
    group = dovecot
    mode = 0660
  }
  unix_listener stats-writer {
    user = dovecot
    group = dovecot
    mode = 0660
  }
}

High Availability Setup

Section titled “High Availability Setup”
Terminal window
# On both servers - /etc/dovecot/dovecot.conf
# Using keepalived or similar for IP failover


protocols = imap pop3


# Director for load balancing
login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot


# Shared storage (NFS or distributed filesystem)
mail_location = maildir:/shared/mail/%n


# Performance
service imap-login {
  process_min_avail = 4
  service_count = 0
}

79.9 Security Hardening

Section titled “79.9 Security Hardening”

Security Checklist

Section titled “Security Checklist”
┌────────────────────────────────────────────────────────────────────────┐
│                    DOVECOT SECURITY CHECKLIST                          │
├────────────────────────────────────────────────────────────────────────┤
│                                                                        │
│  Authentication:                                                       │
│  □ disable_plaintext_auth = yes                                      │
│  □ Use strong password schemes (SHA256-CRYPT, ARGON2)                │
│  □ Enable authentication caching with encryption                     │
│  □ Rate limiting for failed attempts                                 │
│                                                                        │
│  Encryption:                                                           │
│  □ ssl = required                                                    │
│  □ Use valid TLS certificates                                        │
│  □ Disable SSLv3, TLS 1.0, 1.1                                       │
│  □ Use strong ciphers                                                │
│  □ Configure perfect forward secrecy                                │
│                                                                        │
│  Access Control:                                                       │
│  □ Limit connections per IP                                          │
│  □ Limit connections per user                                        │
│  □ Use firewall to restrict access                                   │
│  □ Implement fail2ban for brute force                                │
│                                                                        │
│  System:                                                               │
│  □ Run as non-root user                                              │
│  □ Restrict config file permissions                                  │
│  □ Keep dovecot updated                                              │
│  □ Monitor logs regularly                                            │
│  □ Enable SELinux/AppArmor                                           │
│                                                                        │
└────────────────────────────────────────────────────────────────────────┘

Fail2Ban Integration

Section titled “Fail2Ban Integration”
/etc/fail2ban/jail.local
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/dovecot.log
maxretry = 5
bantime = 3600
findtime = 600
/etc/fail2ban/filter.d/dovecot.conf
[Definition]
failregex = auth failed: .+ rip=<HOST>
            imap-login: .+ rip=<HOST>
            pop3-login: .+ rip=<HOST>
ignoreregex =

Firewall Configuration

Section titled “Firewall Configuration”
Terminal window
# iptables rules
sudo iptables -A INPUT -p tcp --dport 993 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 995 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 143 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 110 -s 10.0.0.0/8 -j ACCEPT


# Drop everything else
sudo iptables -A INPUT -p tcp --dport 993 -j DROP
sudo iptables -A INPUT -p tcp --dport 995 -j DROP
sudo iptables -A INPUT -p tcp --dport 143 -j DROP
sudo iptables -A INPUT -p tcp --dport 110 -j DROP

79.10 Interview Questions

Section titled “79.10 Interview Questions”

Q1: What is Dovecot and what protocols does it support?

Section titled “Q1: What is Dovecot and what protocols does it support?”

Answer: Dovecot is an open-source IMAP and POP3 server for Linux and UNIX systems. It supports:

  • IMAP (Internet Message Access Protocol) on ports 143 (plain) and 993 (SSL/TLS)
  • POP3 (Post Office Protocol) on ports 110 (plain) and 995 (SSL/TLS)
  • LMTP (Local Mail Transfer Protocol) for final delivery

Q2: What is the difference between IMAP and POP3?

Section titled “Q2: What is the difference between IMAP and POP3?”

Answer:

  • IMAP: Mail stays on server, synchronized across multiple devices, supports folders, supports server-side search, better for mobile and multi-device access
  • POP3: Downloads mail to local device, typically deletes from server, limited folder support, simpler but less feature-rich

For most modern use cases, IMAP is recommended.

Q3: How do you configure Dovecot to use LDAP for authentication?

Section titled “Q3: How do you configure Dovecot to use LDAP for authentication?”

Answer:

  1. Install dovecot-ldap package
  2. Configure /etc/dovecot/dovecot-ldap.conf with:
    • LDAP server host and port
    • Bind DN and password
    • Search base
    • User and password filter
    • Attribute mappings
  3. Update 10-auth.conf to use LDAP passdb/userdb
  4. Test with doveadm auth test

Q4: What is the purpose of the mail_location directive?

Section titled “Q4: What is the purpose of the mail_location directive?”

Answer: mail_location specifies where mail is stored and in what format. Common formats:

  • maildir:~/Maildir - Maildir format (recommended, each message is a file)
  • mbox:~/mail:INBOX=/var/mail/%u - mbox format (single file per mailbox)
  • sdbox:~/mdbox - Dovecot’s high-performance dbox format
  • imapc: - Remote IMAP (proxy to another server)

Q5: How do you troubleshoot authentication failures in Dovecot?

Section titled “Q5: How do you troubleshoot authentication failures in Dovecot?”

Answer:

  1. Enable debug logging in 10-logging.conf: 
    auth_debug = yes
    auth_verbose = yes
  2. Check /var/log/dovecot.log for details
  3. Test authentication: doveadm auth test user@domain password
  4. Verify password database configuration
  5. Check PAM/ LDAP/ SQL configuration
  6. Verify SSL certificate issues
  7. Check for SELinux/AppArmor blocking

Q6: What is the difference between dovecot.conf and the conf.d directory?

Section titled “Q6: What is the difference between dovecot.conf and the conf.d directory?”

Answer:

  • dovecot.conf - Main configuration file, includes other config files
  • /etc/dovecot/conf.d/ - Modular configuration directory with numbered files:
    • 10-*.conf - Basic settings
    • 15-*.conf - Plugin configurations
    • 90-*.conf - Advanced/custom settings

Dovecot reads files in order (10, 15, 20, etc.), so later settings override earlier ones. The !include directive in dovecot.conf loads these files.

Q7: How do you implement quotas in Dovecot?

Section titled “Q7: How do you implement quotas in Dovecot?”

Answer:

  1. Enable quota plugin in configuration: 
    mail_plugins = $mail_plugins quota
    plugin {
      quota = maildir:user
      quota_rule = *:storage=5GB
    }
  2. Configure quota backend (maildir, dict, sql)
  3. Set per-user quotas via userdb or SQL
  4. Optional: Set up quota warnings with doveadm
  5. Test with doveadm quota get -u user@domain

Q8: What security measures should be implemented for a production Dovecot server?

Section titled “Q8: What security measures should be implemented for a production Dovecot server?”

Answer:

  1. Use TLS/SSL (ssl = required)
  2. Disable plaintext auth over unencrypted connections
  3. Use strong password schemes (SHA256-CRYPT, ARGON2)
  4. Implement rate limiting
  5. Use fail2ban for brute force protection
  6. Restrict access via firewall
  7. Keep software updated
  8. Run with minimal privileges
  9. Enable SELinux/AppArmor
  10. Monitor logs regularly
  11. Use valid SSL certificates

Q9: How does Dovecot handle user authentication?

Section titled “Q9: How does Dovecot handle user authentication?”

Answer: Dovecot uses a pluggable authentication system:

  1. Client connects and requests authentication
  2. Dovecot checks passdb for valid credentials
  3. If valid, looks up user in userdb for uid, gid, home, mail location
  4. Returns success or failure to client

Supported passdb drivers: pam, ldap, sql, passwd, shadow, bcrypt, argon2 Supported userdb drivers: passwd, ldap, sql, static, nss

Q10: What is the purpose of namespaces in Dovecot?

Section titled “Q10: What is the purpose of namespaces in Dovecot?”

Answer: Namespaces organize mailboxes and provide:

  • Inbox namespace: Standard inbox with special-use folders (Sent, Drafts, Trash)
  • Shared namespaces: For shared mailboxes between users
  • Public namespaces: For public folders accessible to all users

Namespaces allow different folder layouts, prefixes, and ACLs for different purposes.

Quick Reference

Section titled “Quick Reference”

Essential Commands

Section titled “Essential Commands”
Terminal window
# Test configuration
dovecot -n


# Test authentication
doveadm auth test user@example.com password


# List mailboxes
doveadm mailbox list -u user@example.com


# Check quota
doveadm quota get -u user@example.com


# Force re-login
doveadm kick user@example.com


# View connections
doveadm connection list


# Restart service
sudo systemctl restart dovecot

Default Ports

Section titled “Default Ports”
ServicePlainSSL/TLS
IMAP143993
POP3110995
LMTP24-
ManageSieve4190-

Configuration Files

Section titled “Configuration Files”
FilePurpose
dovetcot.confMain configuration
10-auth.confAuthentication settings
10-mail.confMail storage settings
10-ssl.confSSL/TLS settings
10-master.confService/process settings
10-logging.confLogging settings
90-quota.confQuota plugin
90-sieve.confSieve plugin
90-acl.confACL plugin

Common Mistakes & Anti-Patterns

Section titled “Common Mistakes & Anti-Patterns”

1. Not Using SSL/TLS

Section titled “1. Not Using SSL/TLS”

❌ WRONG: Plain text connections

# Insecure
protocol imap {
  imap_log_in_failed = yes
}
# Plain IMAP without SSL!

✅ CORRECT: Enforce SSL/TLS

10-ssl.conf
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_key = </etc/ssl/private/dovecot.key
ssl_min_protocol = TLSv1.2

2. Weak Authentication

Section titled “2. Weak Authentication”

❌ WRONG: Plain text auth allowed

# Insecure
disable_plaintext_auth = no
auth_mechanisms = plain login

✅ CORRECT: Require strong auth

disable_plaintext_auth = yes
auth_mechanisms = plain login apppassword

3. Wrong File Permissions

Section titled “3. Wrong File Permissions”

❌ WRONG: SSL certs readable by anyone

Terminal window
# Wrong
chmod 644 /etc/ssl/private/dovecot.key
# Anyone can read private key!

✅ CORRECT: Restrict permissions

Terminal window
chown root:dovecot /etc/ssl/private/dovecot.key
chmod 640 /etc/ssl/private/dovecot.key

4. Not Configuring Quota

Section titled “4. Not Configuring Quota”

❌ WRONG: No quota enforcement

# Users can fill disk
# No quota warnings

✅ CORRECT: Set up quota

90-quota.conf
plugin {
  quota = maildir:userquota:ns=
  quota_rule = *:storage=1GB
  quota_warning = storage=95%% quota-warning 95 %u
}

5. Not Using Index Files

Section titled “5. Not Using Index Files”

❌ WRONG: Slow mailbox access

# Default - might be slow
# No indexing configured

✅ CORRECT: Enable indexing

10-mail.conf
mail_location = maildir:~/Maildir:INDEX=/var/index/%u
# Improves search performance

Summary

Section titled “Summary”

In this chapter, you learned:

  • ✅ Dovecot architecture and protocol comparison
  • ✅ Installation across different Linux distributions
  • ✅ Core configuration (auth, mail, SSL)
  • ✅ Advanced features (quota, sieve, ACL, replication)
  • ✅ Database integration (MySQL, PostgreSQL, LDAP)
  • ✅ Management and administration commands
  • ✅ Troubleshooting common issues
  • ✅ Production configuration examples
  • ✅ Security hardening best practices
  • ✅ Interview questions and answers

Next Chapter

Section titled “Next Chapter”

Chapter 80: Email Security

Last Updated: February 2026