
Dovecot

Comprehensive Dovecot Configuration and Management


Dovecot is an open-source IMAP and POP3 server for Linux and UNIX-like systems. Known for its security, simplicity, and high performance, it’s widely deployed in production email environments ranging from small organizations to large-scale mail services.

┌────────────────────────────────────────────────────────────────────────┐
│ DOVECOT ARCHITECTURE │
├────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ CLIENT CONNECTIONS │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │ Thunder-│ │ iOS │ │ Outlook │ │ Web │ │ │
│ │ │ bird │ │ Mail │ │ │ │ Mail │ │ │
│ │ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ │ │
│ └───────┼───────────┼───────────┼───────────┼──────────────────┘ │
│ │ │ │ │ │
│ │ │ │ │ │
│ ┌───────┴───────────┴───────────┴───────────┴──────────────────┐ │
│ │ DOVECOT SERVER │ │
│ │ │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │
│ │ │ IMAP (143) │ │ IMAPS (993) │ │ POP3 (110) │ │ │
│ │ │ POP3S(995) │ │ │ │ │ │ │
│ │ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │ │
│ └─────────┼─────────────────┼─────────────────┼────────────────┘ │
│ │ │ │ │
│ ┌─────────┴─────────────────┴─────────────────┴────────────────┐ │
│ │ AUTHENTICATION LAYER │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ PAM │ │ LDAP │ │ SQL │ │ passwd │ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ └──────────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌─────────┴──────────────────────────────────────────────────┐ │
│ │ MAIL STORAGE LAYER │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ Maildir │ │ mbox │ │ dbox │ │ imapc │ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ └──────────────────────────────────────────────────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────────────┘
| Feature | Description | Benefit |
|---|---|---|
| High Performance | Optimized for modern hardware, multi-threaded | Handles thousands of concurrent users |
| Security First | SELinux support, privilege separation, encrypted passwords | Protects against attacks |
| Flexible Auth | PAM, LDAP, SQL, passwd, Kerberos | Integrates with existing infrastructure |
| Multiple Formats | Maildir, mbox, dbox, remote IMAP | Migration flexibility |
| Quota Support | User and mailbox quotas | Resource management |
| ACLs | IMAP ACL extension | Shared folder management |
| Sieve | Server-side filtering | Automated email organization |
| Replication | dsync-based replication | High availability |

┌────────────────────────────────────────────────────────────────────────┐
│ IMAP vs POP3 COMPARISON │
├────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────┬─────────────────────┬────────────────────┐ │
│ │ Feature │ IMAP │ POP3 │ │
│ ├─────────────────────┼─────────────────────┼────────────────────┤ │
│ │ Default Port │ 143 (plain) │ 110 (plain) │ │
│ │ Encrypted Port │ 993 (IMAPS) │ 995 (POP3S) │ │
│ │ Mail Storage │ On server │ Downloaded │ │
│ │ Multiple Devices │ Yes (sync) │ No │ │
│ │ Offline Access │ Limited │ Full │ │
│ │ Bandwidth │ More efficient │ Less efficient │ │
│ │ Server Resources │ Higher │ Lower │ │
│ │ Complexity │ Higher │ Lower │ │
│ │ Use Case │ Multi-device access │ Single computer │ │
│ └─────────────────────┴─────────────────────┴────────────────────┘ │
│ │
│ RECOMMENDATION: Use IMAP for most scenarios │
│ - Cross-device synchronization │
│ - Webmail integration │
│ - Mobile device support │
│ │
└────────────────────────────────────────────────────────────────────────┘

Terminal window
# Debian/Ubuntu
sudo apt update
sudo apt install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lucene
# RHEL/CentOS/AlmaLinux
sudo yum install dovecot dovecot-pigeonhole
# Fedora
sudo dnf install dovecot dovecot-pigeonhole
# Arch Linux
sudo pacman -S dovecot
# openSUSE
sudo zypper install dovecot
Terminal window
# Check version
dovecot --version
# Verify installation
dovecot -n
# Check processes
ps aux | grep dovecot
# Check ports
ss -tlnp | grep -E "(imap|pop3)"
netstat -tlnp | grep -E "(imap|pop3)"

/etc/dovecot/dovecot.conf
# Enable protocols
protocols = imap pop3
# Listen addresses (IPv4 and IPv6)
listen = *, ::
# Base directory for runtime data
base_dir = /var/run/dovecot/
# Default process limit for services
default_process_limit = 1024
# Maximum connections per user from one IP
mail_max_userip_connections = 50
# Keep the login banner generic (no version information)
login_greeting = Dovecot ready.
/etc/dovecot/conf.d/10-master.conf
# Service configurations
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
# Process limits
process_min_avail = 3
service_count = 0
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
service_count = 0
}
# Limit connections
service imap {
process_limit = 5000
vsz_limit = 256M
}
service pop3 {
process_limit = 2000
vsz_limit = 256M
}
/etc/dovecot/conf.d/10-auth.conf
# Disable plain text auth without SSL
disable_plaintext_auth = yes
# Authentication mechanisms (APOP needs plaintext passwords in the passdb, which PAM cannot provide)
auth_mechanisms = plain login
# User database
userdb {
driver = passwd
args = blocking=yes
}
# Password database
passdb {
driver = pam
args = session=yes dovecot
}
# LDAP example
# passdb {
# driver = ldap
# args = /etc/dovecot/dovecot-ldap.conf
# }
# SQL example
# passdb {
# driver = sql
# args = /etc/dovecot/dovecot-sql.conf
# }
# Kerberos example
# auth_mechanisms = plain login gssapi
# passdb {
# driver = gssapi
# args = realm=EXAMPLE.COM
# }
# Default realm for LOGIN mechanism
auth_default_realm = example.com
/etc/dovecot/conf.d/10-mail.conf
# Mail location (Maildir format - recommended)
mail_location = maildir:~/Maildir
# Alternative: mbox format
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# Alternative: dbox format (Dovecot's high-performance format)
# mail_location = sdbox:~/mdbox
# Dovecot creates missing Maildir directories automatically on first access
# Namespace configuration
namespace inbox {
inbox = yes
location =
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
}
# Locking
lock_method = fcntl
# ACL plugin configuration
mail_plugins = acl
plugin {
acl = vfile
}
/etc/dovecot/conf.d/10-ssl.conf
# SSL required
ssl = required
# Certificate files
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_key = </etc/ssl/private/dovecot.key
ssl_ca = </etc/ssl/certs/ca-certificates.crt
# DH parameters
ssl_dh = </etc/dovecot/dh.pem
# Minimum TLS version
ssl_min_protocol = TLSv1.2
# Ciphers
ssl_cipher_list = HIGH:!aNULL:!MD5:!RC4
# Prefer server ciphers
ssl_prefer_server_ciphers = yes
# Disable compression (CRIME attack)
ssl_options = no_compression
Terminal window
# Generate self-signed certificate (for testing)
sudo openssl req -new -x509 -days 365 -nodes \
-out /etc/ssl/certs/dovecot.crt \
-keyout /etc/ssl/private/dovecot.key \
-subj "/C=US/ST=State/L=City/O=Org/CN=mail.example.com"
# Generate DH parameters
sudo openssl dhparam -out /etc/dovecot/dh.pem 4096
# Set permissions
sudo chmod 640 /etc/ssl/private/dovecot.key
sudo chown root:dovecot /etc/ssl/private/dovecot.key
# Using Let's Encrypt (recommended for production)
# Install certbot, then:
sudo certbot certonly --standalone -d mail.example.com
sudo cp /etc/letsencrypt/live/mail.example.com/fullchain.pem /etc/ssl/certs/dovecot.crt
sudo cp /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/ssl/private/dovecot.key
# Reload Dovecot
sudo systemctl reload dovecot

/etc/dovecot/conf.d/90-quota.conf
# The quota plugin ships with the core Dovecot package (dovecot-core on Debian)
# Enable quota plugin
mail_plugins = $mail_plugins quota
# Quota backend
plugin {
quota = maildir:user
quota_rule = *:storage=10GB
quota_rule2 = *:messages=100000
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=80%% quota-warning 80 %u
}
# Service for quota warnings
service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
user = dovecot
unix_listener quota-warning {
user = dovecot
}
}
/usr/local/bin/quota-warning.sh
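#!/bin/bash
# Called by the quota-warning service with: <percent> <user>
PERCENT=$1
USER=$2
# The blank line after Subject: separates the headers from the body
cat << EOF | /usr/lib/dovecot/dovecot-lda -d "$USER" -o "plugin/quota="
From: postmaster@example.com
Subject: Quota Warning

Your mailbox is now at $PERCENT% of its quota.
Please delete some messages to free up space.
EOF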
/etc/dovecot/conf.d/90-sieve.conf
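# Install pigeonhole (Sieve plugin)
# apt install dovecot-sieve (Debian), dovecot-pigeonhole (RHEL/Fedora)
# Enable sieve for the delivery agents only
protocol lda {
mail_plugins = $mail_plugins sieve
}
protocol lmtp {
mail_plugins = $mail_plugins sieve
}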
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_default = /etc/dovecot/sieve/default.sieve
sieve_global_dir = /etc/dovecot/sieve/global/
}
# Vacation auto-reply
plugin {
sieve_vacation_use_domain = yes
sieve_vacation_default_period = 7d
sieve_vacation_max_period = 30d
}
/etc/dovecot/sieve/default.sieve
require ["fileinto", "mailbox", "date", "vacation"];
# Spam to the Spam mailbox (special-use \Junk in 10-mail.conf)
if header :contains "X-Spam-Flag" "YES" {
fileinto "Spam";
stop;
}
# Archive messages whose Date header is in 2024
if date :is "date" "year" "2024" {
fileinto :create "Archive.2024";
}
# Vacation auto-reply
# vacation :days 7 :subject "Out of Office" "I'm currently out of office.";
/etc/dovecot/conf.d/90-acl.conf
# Enable ACL plugin
mail_plugins = $mail_plugins acl
# ACL file location
plugin {
acl = vfile
acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
}
# IMAP ACL extension
protocol imap {
mail_plugins = $mail_plugins acl imap_acl
}
Terminal window
# Per-user ACL in Maildir
# ~/Maildir/shared:user@example.com=lrswipkxtecda
# Global ACL
# /etc/dovecot/dovecot-acl
# Example: Grant access to shared folder
# user=admin@example.com lrwstipekxa
# group=team@example.com lrwstipekxa
/etc/dovecot/conf.d/90-replication.conf
# Enable replication
mail_plugins = $mail_plugins notify replication
plugin {
replication_max_conns = 10
sync_time_to_live = 7d
replicator_rows_per_checkpoint = 1000
replicator_sync_time_to_live = 1d
}
# Replication destination
service replicator {
process_min_avail = 1
user = vmail
}
# Dovecot director for load balancing (in master-slave setup)
# See Chapter 80: Email Security for HA setup

/etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=mailserver user=mailuser password=secret
default_pass_scheme = SHA256-CRYPT
# Password query
password_query = SELECT email AS user, password FROM mailbox WHERE email = '%u' AND active = '1'
# User query
user_query = SELECT CONCAT('/var/vmail/', maildir) AS home, \
CONCAT('maildir:', CONCAT('/var/vmail/', maildir)) AS mail, \
5000 AS uid, 5000 AS gid, \
CONCAT('*:bytes=', quota) AS quota_rule \
FROM mailbox WHERE email = '%u' AND active = '1'
/etc/dovecot/dovecot-sql.conf
driver = pgsql
connect = host=localhost dbname=mailserver user=mailuser password=secret
default_pass_scheme = SHA256-CRYPT
password_query = SELECT email AS user, password FROM mailbox WHERE email = '%u' AND active = true
user_query = SELECT '/var/vmail/' || maildir AS home, \
'maildir:/var/vmail/' || maildir AS mail, \
5000 AS uid, 5000 AS gid, \
'*:bytes=' || quota AS quota_rule \
FROM mailbox WHERE email = '%u' AND active = true
/etc/dovecot/dovecot-ldap.conf
hosts = ldap.example.com:389
dn = cn=admin,dc=example,dc=com
dnpass = secret
# LDAP search base
base = ou=people,dc=example,dc=com
# User lookup
user_filter = (&(objectClass=posixAccount)(mail=%u))
# Attribute mapping
user_attrs = mail=mail,homeDirectory=home,uidNumber=uid,gidNumber=gid
# Password lookup
pass_filter = (&(objectClass=posixAccount)(mail=%u))
pass_attrs = userPassword=password

Terminal window
# Show effective configuration
dovecot -n
# Test configuration syntax (exits non-zero on errors; dovecot -F would start the server in the foreground)
doveconf -n > /dev/null
# Test specific configuration file
dovecot -c /etc/dovecot/dovecot.conf -n
# Check for configuration errors
dovecot -a 2>&1 | grep -i error
Terminal window
# Test authentication
doveadm auth test user@example.com password
# Force authentication cache clear
doveadm auth cache flush
# List mailboxes
doveadm mailbox list -u user@example.com
# List quota usage
doveadm quota get -u user@example.com
# Recalculate quota usage (limits are set with quota_rule or via the userdb)
doveadm quota recalc -u user@example.com
# Force user re-login (kick)
doveadm kick user@example.com
# List all users known to the userdb
doveadm user '*'
Terminal window
# Create mailbox
doveadm mailbox create -u user@example.com INBOX.Archive
# Delete mailbox
doveadm mailbox delete -u user@example.com INBOX.Archive
# Rename mailbox
doveadm mailbox rename -u user@example.com OldArchive NewArchive
# Subscribe/unsubscribe
doveadm mailbox subscribe -u user@example.com INBOX.Archive
doveadm mailbox unsubscribe -u user@example.com INBOX.Archive
# List messages
doveadm fetch -u user@example.com text mailbox INBOX all
# Expunge deleted messages (without the "deleted" search key, every message in INBOX is expunged)
doveadm expunge -u user@example.com mailbox INBOX deleted
# Search messages
doveadm search -u user@example.com mailbox INBOX flagged
/etc/dovecot/conf.d/10-logging.conf
# Enable debug logging
auth_debug = yes
auth_verbose = yes
mail_debug = yes
# View logs in real-time
tail -f /var/log/dovecot.log
journalctl -u dovecot -f
# Debug authentication (passdb lookup without checking a password)
doveadm auth lookup user@example.com
# Debug IMAP commands
# Add to configuration:
# protocol imap {
# imap_logging = yes
# }
# Connection tracking
doveadm who
Terminal window
# Check process count
ps aux | grep dovecot | wc -l
# Connection counts
ss -tn | grep -E "(imap|pop3)" | wc -l
# Per-user connections
doveadm who
# Statistics
doveadm stats dump
# Total user count (all users in the userdb)
doveadm user '*' | wc -l

| Issue | Symptoms | Solution |
|---|---|---|
| Authentication fails | Can’t login | Check auth_debug, verify PAM/LDAP/SQL |
| Slow login | High latency | Check userdb, enable caching |
| Certificate errors | SSL/TLS issues | Regenerate certs, check permissions |
| Quota not working | No quota enforcement | Verify quota plugin loaded |
| Mail not delivered | Bounces | Check dovecot-lda, master configuration |
| High load | Slow response | Reduce connections, increase processes |
| Permission denied | Can’t access mail | Check file permissions, SELinux |

Terminal window
# Check configuration syntax
dovecot -n
# Check authentication
doveadm auth test user password
# Check mail location
doveadm mailbox list -u user
# Check user info
doveadm user user@example.com
# Check logs
tail -100 /var/log/dovecot.log
# Check system logs
journalctl -u dovecot --since "1 hour ago"
# Check SSL
openssl s_client -connect localhost:993 -showcerts
# Check ports
ss -tlnp | grep dovecot
# Check SELinux (if enabled)
getsebool -a | grep dovecot
setsebool -P dovecot_use_nfs 1
Terminal window
# Failed authentication
grep "auth failed" /var/log/dovecot.log
# Connection issues
grep -E "(connection closed|disconnected)" /var/log/dovecot.log
# Quota exceeded
grep -i quota /var/log/dovecot.log
# Performance issues
grep -E "(warning|error)" /var/log/dovecot.log | tail -50

/etc/dovecot/dovecot.conf
protocols = imap pop3
listen = *
base_dir = /var/run/dovecot/
# Auth
disable_plaintext_auth = yes
auth_mechanisms = plain login
# Mail
mail_location = maildir:~/Maildir
# Users (PAM)
userdb {
driver = passwd
}
passdb {
driver = pam
}
# SSL
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_key = </etc/ssl/private/dovecot.key
ssl_min_protocol = TLSv1.2
# Performance
default_process_limit = 256
mail_max_userip_connections = 20
# Logging
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
/etc/dovecot/dovecot.conf
protocols = imap pop3
listen = *, [::]
base_dir = /var/run/dovecot/
# Auth (LDAP with caching)
disable_plaintext_auth = yes
auth_mechanisms = plain login
auth_cache_size = 10240
auth_cache_ttl = 1 hour
# Mail (dbox for performance)
mail_location = sdbox:~/mdbox
mail_fsync = always
# Users (LDAP)
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap-user.conf
}
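# Quota (the count backend works with dbox; the maildir backend needs Maildir storage)
mail_plugins = $mail_plugins quota
plugin {
quota = count:User quota
quota_vsizes = yes
}
# Sieve (loaded for the delivery agents only)
protocol lda {
mail_plugins = $mail_plugins sieve
}
protocol lmtp {
mail_plugins = $mail_plugins sieve
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}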
# SSL/TLS
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_key = </etc/ssl/private/dovecot.key
ssl_dh = </etc/dovecot/dh.pem
ssl_prefer_server_ciphers = yes
# Performance tuning
default_process_limit = 2048
mail_max_userip_connections = 100
default_vsz_limit = 512M
# Logging
log_path = /var/log/dovecot.log
auth_verbose = yes
mail_debug = no
# Master process for reliability
service stats {
unix_listener stats-reader {
user = dovecot
group = dovecot
mode = 0660
}
unix_listener stats-writer {
user = dovecot
group = dovecot
mode = 0660
}
}
Terminal window
# On both servers - /etc/dovecot/dovecot.conf
# Using keepalived or similar for IP failover
protocols = imap pop3
# Login processes run as an unprivileged user
default_login_user = dovenull
# Shared storage (NFS or distributed filesystem)
mail_location = maildir:/shared/mail/%n
# Performance
service imap-login {
process_min_avail = 4
service_count = 0
}

┌────────────────────────────────────────────────────────────────────────┐
│ DOVECOT SECURITY CHECKLIST │
├────────────────────────────────────────────────────────────────────────┤
│ │
│ Authentication: │
│ □ disable_plaintext_auth = yes │
│ □ Use strong password schemes (SHA256-CRYPT, ARGON2) │
│ □ Enable authentication caching with encryption │
│ □ Rate limiting for failed attempts │
│ │
│ Encryption: │
│ □ ssl = required │
│ □ Use valid TLS certificates │
│ □ Disable SSLv3, TLS 1.0, 1.1 │
│ □ Use strong ciphers │
│ □ Configure perfect forward secrecy │
│ │
│ Access Control: │
│ □ Limit connections per IP │
│ □ Limit connections per user │
│ □ Use firewall to restrict access │
│ □ Implement fail2ban for brute force │
│ │
│ System: │
│ □ Run as non-root user │
│ □ Restrict config file permissions │
│ □ Keep dovecot updated │
│ □ Monitor logs regularly │
│ □ Enable SELinux/AppArmor │
│ │
└────────────────────────────────────────────────────────────────────────┘
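
The authentication and encryption items of the checklist above can be checked mechanically against `doveconf -n` output. This is an added example, not code from the original page or from the Dovecot project; both config dumps are constructed, and the fallback values used when a setting is missing from the dump (`disable_plaintext_auth = yes`, `ssl = yes`, `auth_mechanisms = plain`) are assumed Dovecot 2.3 defaults.

```python
# Added example: audit `doveconf -n` output against the checklist's
# authentication and encryption items. Both sample dumps are constructed.

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", "LATEST"]
# Mechanisms that need the server to hold a plaintext-equivalent secret,
# which rules out storing only SHA256-CRYPT or ARGON2 hashes.
REVERSIBLE_MECHS = {"apop", "cram-md5", "digest-md5"}


def parse_doveconf(text):
    """Flatten a dump to {"block/sub/key": value}; top-level keys have no prefix."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            settings["/".join(stack + [key.strip()])] = value.strip()
    return settings


def audit(text):
    """Return {setting: reason} for every checklist item that fails."""
    s = parse_doveconf(text)
    findings = {}
    # Fallbacks are the assumed Dovecot 2.3 defaults (doveconf -n omits defaults).
    if s.get("disable_plaintext_auth", "yes") != "yes":
        findings["disable_plaintext_auth"] = "cleartext logins allowed without TLS"
    if s.get("ssl", "yes") != "required":
        findings["ssl"] = "TLS is optional, not required"
    proto = s.get("ssl_min_protocol")
    if proto not in TLS_ORDER or TLS_ORDER.index(proto) < TLS_ORDER.index("TLSv1.2"):
        findings["ssl_min_protocol"] = "not pinned to TLSv1.2 or newer"
    weak = set(s.get("auth_mechanisms", "plain").lower().split()) & REVERSIBLE_MECHS
    if weak:
        findings["auth_mechanisms"] = "needs reversible secrets: " + ", ".join(sorted(weak))
    return findings


WEAK_DUMP = """\
# constructed sample
auth_mechanisms = plain login apop
disable_plaintext_auth = no
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.crt
"""

# The per-listener "ssl = yes" must not be mistaken for the global ssl setting.
HARDENED_DUMP = """\
# constructed sample
auth_mechanisms = plain login
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_min_protocol = TLSv1.2
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, audit(dump) or "no findings")
```

On a live server the input would come from `doveconf -n`; the remaining checklist items (rate limiting, firewalling, file permissions) are outside what the config dump shows.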
/etc/fail2ban/jail.local
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/dovecot.log
maxretry = 5
bantime = 3600
findtime = 600
/etc/fail2ban/filter.d/dovecot.conf
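[Definition]
# Match only failed-authentication disconnects, never successful "Login:" lines
failregex = (?:imap|pop3)-login: (?:Disconnected|Aborted login)[^(]*\(auth failed, \d+ attempts[^)]*\):.*\brip=<HOST>
ignoreregex =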
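
Why a Dovecot failregex has to be anchored on the failure reason rather than on any login-process line carrying `rip=`: the added example below (not part of the original page or of fail2ban) runs both kinds of pattern over constructed log lines and applies the jail's `maxretry = 5`. The `HOST` group is a simplified stand-in for fail2ban's `<HOST>` tag, and the log lines are constructed samples in Dovecot 2.3's login-log layout.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> tag (assumption: the real expansion is wider
# and also accepts hostnames; address literals are enough for this demo).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+)"


def compile_filter(failregex_lines):
    return [re.compile(rx.replace("<HOST>", HOST)) for rx in failregex_lines]


# Patterns that fire on any login-process line carrying rip=.
BROAD = compile_filter([
    r"auth failed: .+ rip=<HOST>",
    r"imap-login: .+ rip=<HOST>",
    r"pop3-login: .+ rip=<HOST>",
])
# Pattern anchored on the failure reason Dovecot logs on disconnect.
STRICT = compile_filter([
    r"(?:imap|pop3)-login: (?:Disconnected|Aborted login)[^(]*"
    r"\(auth failed, \d+ attempts[^)]*\):.*\brip=<HOST>",
])


def build_log():
    """Constructed sample lines, not taken from a real server."""
    log = []
    for i in range(6):   # a mail client polling and logging in successfully
        log.append("dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, "
                   f"rip=192.0.2.10, lip=198.51.100.5, mpid={4100 + i}, TLS")
    for _ in range(5):   # a monitoring probe that never authenticates
        log.append("dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
                   "user=<>, rip=192.0.2.44, lip=198.51.100.5, TLS")
    for i in range(5):   # repeated password failures from one address
        log.append(f"dovecot: imap-login: Disconnected (auth failed, {i + 1} attempts in 9 secs): "
                   "user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS")
    # Alternative wording and an IPv6 peer, seen once (below maxretry).
    log.append("dovecot: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts "
               "in 2 secs): user=<bob@example.com>, method=PLAIN, rip=2001:db8::66, lip=2001:db8::5, TLS")
    return log


def match_counts(filters, lines):
    """Count matching lines per source address; each line counts once."""
    hits = Counter()
    for line in lines:
        for rx in filters:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def banned_hosts(filters, lines, maxretry=5):
    """Hosts reaching maxretry (the jail's value); findtime is ignored here."""
    return {h for h, n in match_counts(filters, lines).items() if n >= maxretry}


if __name__ == "__main__":
    log = build_log()
    print("broad :", sorted(banned_hosts(BROAD, log)))
    print("strict:", sorted(banned_hosts(STRICT, log)))
```

With the broad patterns the legitimate client and the monitoring probe are banned alongside the failing address; the anchored pattern bans only the address with repeated authentication failures.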
Terminal window
# iptables rules
sudo iptables -A INPUT -p tcp --dport 993 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 995 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 143 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 110 -s 10.0.0.0/8 -j ACCEPT
# Drop everything else
sudo iptables -A INPUT -p tcp --dport 993 -j DROP
sudo iptables -A INPUT -p tcp --dport 995 -j DROP
sudo iptables -A INPUT -p tcp --dport 143 -j DROP
sudo iptables -A INPUT -p tcp --dport 110 -j DROP

Q1: What is Dovecot and what protocols does it support?


Answer: Dovecot is an open-source IMAP and POP3 server for Linux and UNIX systems. It supports:

  • IMAP (Internet Message Access Protocol) on ports 143 (plain) and 993 (SSL/TLS)
  • POP3 (Post Office Protocol) on ports 110 (plain) and 995 (SSL/TLS)
  • LMTP (Local Mail Transfer Protocol) for final delivery

Q2: What is the difference between IMAP and POP3?


Answer:

  • IMAP: Mail stays on server, synchronized across multiple devices, supports folders, supports server-side search, better for mobile and multi-device access
  • POP3: Downloads mail to local device, typically deletes from server, limited folder support, simpler but less feature-rich

For most modern use cases, IMAP is recommended.

Q3: How do you configure Dovecot to use LDAP for authentication?


Answer:

  1. Install dovecot-ldap package
  2. Configure /etc/dovecot/dovecot-ldap.conf with:
    • LDAP server host and port
    • Bind DN and password
    • Search base
    • User and password filter
    • Attribute mappings
  3. Update 10-auth.conf to use LDAP passdb/userdb
  4. Test with doveadm auth test

Q4: What is the purpose of the mail_location directive?


Answer: mail_location specifies where mail is stored and in what format. Common formats:

  • maildir:~/Maildir - Maildir format (recommended, each message is a file)
  • mbox:~/mail:INBOX=/var/mail/%u - mbox format (single file per mailbox)
  • sdbox:~/mdbox - Dovecot’s high-performance dbox format
  • imapc: - Remote IMAP (proxy to another server)

Q5: How do you troubleshoot authentication failures in Dovecot?


Answer:

  1. Enable debug logging in 10-logging.conf:
    auth_debug = yes
    auth_verbose = yes
  2. Check /var/log/dovecot.log for details
  3. Test authentication: doveadm auth test user@domain password
  4. Verify password database configuration
  5. Check PAM/LDAP/SQL configuration
  6. Check for SSL certificate issues
  7. Check for SELinux/AppArmor blocking

Q6: What is the difference between dovecot.conf and the conf.d directory?


Answer:

  • dovecot.conf - Main configuration file, includes other config files
  • /etc/dovecot/conf.d/ - Modular configuration directory with numbered files:
    • 10-*.conf - Basic settings
    • 15-*.conf - Plugin configurations
    • 90-*.conf - Advanced/custom settings

Dovecot reads files in order (10, 15, 20, etc.), so later settings override earlier ones. The !include directive in dovecot.conf loads these files.

Q7: How do you implement quotas in Dovecot?


Answer:

  1. Enable quota plugin in configuration:
    mail_plugins = $mail_plugins quota
    plugin {
    quota = maildir:user
    quota_rule = *:storage=5GB
    }
  2. Configure quota backend (maildir, dict, sql)
  3. Set per-user quotas via userdb or SQL
  4. Optional: Set up quota warnings with doveadm
  5. Test with doveadm quota get -u user@domain

Q8: What security measures should be implemented for a production Dovecot server?


Answer:

  1. Use TLS/SSL (ssl = required)
  2. Disable plaintext auth over unencrypted connections
  3. Use strong password schemes (SHA256-CRYPT, ARGON2)
  4. Implement rate limiting
  5. Use fail2ban for brute force protection
  6. Restrict access via firewall
  7. Keep software updated
  8. Run with minimal privileges
  9. Enable SELinux/AppArmor
  10. Monitor logs regularly
  11. Use valid SSL certificates

Q9: How does Dovecot handle user authentication?


Answer: Dovecot uses a pluggable authentication system:

  1. Client connects and requests authentication
  2. Dovecot checks passdb for valid credentials
  3. If valid, looks up user in userdb for uid, gid, home, mail location
  4. Returns success or failure to client

Supported passdb drivers: pam, ldap, sql, passwd, shadow, bcrypt, argon2

Supported userdb drivers: passwd, ldap, sql, static, nss

Q10: What is the purpose of namespaces in Dovecot?


Answer: Namespaces organize mailboxes and provide:

  • Inbox namespace: Standard inbox with special-use folders (Sent, Drafts, Trash)
  • Shared namespaces: For shared mailboxes between users
  • Public namespaces: For public folders accessible to all users

Namespaces allow different folder layouts, prefixes, and ACLs for different purposes.


Terminal window
# Test configuration
dovecot -n
# Test authentication
doveadm auth test user@example.com password
# List mailboxes
doveadm mailbox list -u user@example.com
# Check quota
doveadm quota get -u user@example.com
# Force re-login
doveadm kick user@example.com
# View connections
doveadm who
# Restart service
sudo systemctl restart dovecot

| Service | Plain | SSL/TLS |
|---|---|---|
| IMAP | 143 | 993 |
| POP3 | 110 | 995 |
| LMTP | 24 | - |
| ManageSieve | 4190 | - |

| File | Purpose |
|---|---|
| dovecot.conf | Main configuration |
| 10-auth.conf | Authentication settings |
| 10-mail.conf | Mail storage settings |
| 10-ssl.conf | SSL/TLS settings |
| 10-master.conf | Service/process settings |
| 10-logging.conf | Logging settings |
| 90-quota.conf | Quota plugin |
| 90-sieve.conf | Sieve plugin |
| 90-acl.conf | ACL plugin |

In this chapter, you learned:

  • ✅ Dovecot architecture and protocol comparison
  • ✅ Installation across different Linux distributions
  • ✅ Core configuration (auth, mail, SSL)
  • ✅ Advanced features (quota, sieve, ACL, replication)
  • ✅ Database integration (MySQL, PostgreSQL, LDAP)
  • ✅ Management and administration commands
  • ✅ Troubleshooting common issues
  • ✅ Production configuration examples
  • ✅ Security hardening best practices
  • ✅ Interview questions and answers

Chapter 80: Email Security


Last Updated: February 2026