IMAP or POP3 Email Server With Dovecot

This article will detail the installation and configuration of an IMAP / POP3 email server using Dovecot 2.3.x. Connections to the server will be secured with TLS encryption.

This article assumes that Internet email delivery to the system has already been set up and is working. Therefore any required local users have already been created, and email is being successfully delivered to their mailboxes. This prerequisite can be accomplished by installing and configuring Postfix, following the steps detailed in that article.

 

Additional Requirements

For this setup there are some additional requirements that should be met. However, the exact implementations are beyond the scope of this article.

- DNS

An A record, and optionally an AAAA record, for mail.example.org that resolves to the Internet IP address(es) of the Dovecot server. Clients validate the TLS certificate against this name, so it must match the name in the certificate.

- Firewall

Depending on the mailbox protocol you choose to host, the firewall should allow TCP port 993 (imaps) or TCP port 995 (pop3s). Leave the cleartext ports 143 (imap) and 110 (pop3) closed; this article serves mail only over TLS.

- TLS

A valid server certificate for the mail server's FQDN is required to enable TLS. To support TLS 1.3, ensure OpenSSL 1.1.1 or later is installed; run openssl version to check.

 

Install Dovecot

Install Dovecot via your preferred method (pkg, portmaster, synth, etc.), for example:
pkg install mail/dovecot

Follow the post install instructions for Dovecot:

You must create the configuration files yourself. Copy them over
to /usr/local/etc/dovecot and edit them as desired:

cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot

The default configuration includes IMAP and POP3 services, will
authenticate users against the system's passwd file, and will use
the default /var/mail/$USER mbox files.

 

Configure Dovecot

Dovecot uses multiple configuration files that control Dovecot services and subsystems. Dovecot organizes related configuration directives into specific files located in /usr/local/etc/dovecot/conf.d/

We will be editing the following files:

/usr/local/etc/dovecot/dovecot.conf
/usr/local/etc/dovecot/conf.d/10-auth.conf
/usr/local/etc/dovecot/conf.d/10-mail.conf
/usr/local/etc/dovecot/conf.d/10-ssl.conf

 

Edit /usr/local/etc/dovecot/dovecot.conf

# Protocols we want to be serving.
#protocols = imap pop3 lmtp submission
protocols = imap

# Greeting message for clients.
#login_greeting = Dovecot ready.
login_greeting = mail.example.org ready.

 

Edit /usr/local/etc/dovecot/conf.d/10-auth.conf

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
disable_plaintext_auth = yes

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
#auth_mechanisms = plain
auth_mechanisms = plain login

plain and login are both plaintext mechanisms (the password is sent as-is inside the TLS session), so they are interchangeable and you may enable either or both; most clients prefer plain. Keep disable_plaintext_auth at its default of yes: as the comment above explains, Dovecot still accepts PLAIN and LOGIN over a TLS-protected connection, which is what we want, while advertising LOGINDISABLED and refusing them on a cleartext connection where the password would cross the network unencrypted. Setting it to no would permit plaintext authentication on the unencrypted port 143 as well, which only the firewall would then prevent.

 

Edit /usr/local/etc/dovecot/conf.d/10-mail.conf

#mail_location = 
mail_location = mbox:~/mail:INBOX=/var/mail/%u

 

Edit /usr/local/etc/dovecot/conf.d/10-ssl.conf

So that clients can validate the certificate chain, ssl_cert should point at the combined fullchain.pem, which contains the server certificate followed by the issuing CA certificate(s); a server that presents only the leaf certificate fails validation in most clients. The cert and key files need only be readable by root and can remain in their original locations if desired.

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_key = </etc/ssl/private/dovecot.pem
ssl_cert = </path/to/your/mail.example.org/fullchain.pem
ssl_key = </path/to/your/mail.example.org/privatekey.pem

In the same file, set ssl = required (the setting the disable_plaintext_auth comment in 10-auth.conf refers to) so that clients must negotiate TLS before they can authenticate, even if port 143 is ever reachable. Then set the minimum TLS version to TLSv1.2 and disable the non-Elliptic-curve Diffie-Hellman (DH) cipher suites, leaving ECDHE as the only key exchange. Note that ssl_cipher_list governs only TLS 1.2 and earlier: OpenSSL negotiates TLS 1.3 cipher suites from a separate list that this setting does not affect.

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1
ssl_min_protocol = TLSv1.2

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
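It is easy to get an OpenSSL cipher string subtly wrong, so it is worth asking the local OpenSSL what the two strings above actually select before deploying them. The following script is an added example, not part of the article or of Dovecot; it uses Python's ssl module (which wraps the same OpenSSL cipher-string parser Dovecot calls) to expand both the Dovecot default and the !DH variant, report the key-exchange methods that remain, and flag any pre-TLS-1.3 suite still using finite-field DH or RSA key transport. It also shows that TLS 1.3 suites appear regardless of the string, which is the caveat noted above.

```python
import ssl

# Both strings copied from the 10-ssl.conf section of the article: Dovecot 2.3's
# default ssl_cipher_list and the variant that adds !DH to drop finite-field DH.
DOVECOT_DEFAULT = (
    "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:"
    "!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH"
)
NO_FFDH = (
    "ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:"
    "!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH"
)


def expand(cipher_string):
    """Ask the local OpenSSL what a cipher string selects.

    Returns (name, protocol, key_exchange, auth) tuples in preference order,
    e.g. ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 'kx-ecdhe', 'auth-rsa').
    TLS 1.3 suites come back with protocol 'TLSv1.3' and kx-any/auth-any;
    OpenSSL always appends them because the cipher string does not govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"], c["kea"] or "unknown", c["auth"] or "unknown")
            for c in ctx.get_ciphers()]


def legacy_key_exchanges(cipher_string):
    """Distinct key-exchange methods among the TLS 1.2-and-below suites."""
    return sorted({kea for _, proto, kea, _ in expand(cipher_string) if proto != "TLSv1.3"})


def weak_key_exchange(cipher_string):
    """Pre-TLS-1.3 suites that still use finite-field DH or static RSA key transport.

    The article's goal is ECDHE only, so this list should be empty for NO_FFDH.
    """
    return [name for name, proto, kea, _ in expand(cipher_string)
            if proto != "TLSv1.3" and kea in ("kx-dhe", "kx-rsa")]


if __name__ == "__main__":
    for label, cs in (("Dovecot default", DOVECOT_DEFAULT), ("with !DH", NO_FFDH)):
        suites = expand(cs)
        print("%s: %d suites, legacy key exchanges: %s"
              % (label, len(suites), ", ".join(legacy_key_exchanges(cs))))
        for name in weak_key_exchange(cs):
            print("  non-ECDHE suite still enabled:", name)
        for name, proto, _, _ in suites:
            if proto == "TLSv1.3":
                print("  TLS 1.3 suite offered regardless of ssl_cipher_list:", name)
```

Run it on the mail server itself, since the result depends on the OpenSSL build Dovecot links against; if weak_key_exchange reports anything for the !DH string, that OpenSSL does not parse the string the way the comment in 10-ssl.conf expects.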

 

Enable and Start Dovecot Services

Enable Dovecot in /etc/rc.conf
sysrc dovecot_enable="YES"

Start the services
service dovecot start

 

Configure an Email Client

To configure an email client, e.g. Thunderbird or Outlook, use the following settings for incoming mail:

Server Name: mail.example.org
Protocol: IMAP or POP3
Port: 993 for IMAP, 995 for POP3
Connection security: SSL/TLS
Authentication method: Normal password (plaintext, sent only inside the TLS session)
User Name: the local system account name

 

Test the Dovecot Server

Test the configuration of the Dovecot server by connecting with your configured email client from a machine other than the server itself. Dovecot treats connections from the server's own address as already secure, so a test from localhost does not exercise the TLS-only behaviour configured above.
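A mail client reports little beyond "login failed", so a small check that connects the way a client does and inspects what the server advertises is more useful. The following script is an added example, not part of the article or of Dovecot; it assumes the host name mail.example.org from this article and uses Python's standard imaplib and ssl modules. It verifies the certificate chain and host name (a missing intermediate in fullchain.pem makes it fail immediately), prints the greeting and negotiated TLS version, and checks the CAPABILITY list: PLAIN/LOGIN must be offered on port 993 and must not be offered, with LOGINDISABLED advertised instead, on the cleartext port 143 if that port is reachable at all. No password is sent.

```python
import imaplib
import ssl
import sys

PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def audit_capabilities(capabilities, tls):
    """Check an IMAP CAPABILITY list against the policy this article configures.

    capabilities: the upper-case tokens imaplib stores in IMAP4.capabilities.
    tls: True when the list was read over TLS (port 993), False when it was
    read on the cleartext port 143 before any STARTTLS.
    Returns a list of problem descriptions; an empty list means the server
    offers PLAIN/LOGIN only where TLS protects the password.
    """
    caps = {c.upper() for c in capabilities}
    problems = []
    if "IMAP4REV1" not in caps:
        problems.append("IMAP4REV1 not advertised")
    offered = sorted(caps & PLAINTEXT_MECHS)
    if tls:
        if not offered:
            problems.append("no PLAIN/LOGIN mechanism offered over TLS: clients cannot authenticate")
        if "LOGINDISABLED" in caps:
            problems.append("LOGINDISABLED advertised over TLS: check disable_plaintext_auth and ssl")
    else:
        if offered:
            problems.append("%s offered before TLS: passwords would cross the network unencrypted"
                            % ", ".join(offered))
        if "LOGINDISABLED" not in caps:
            problems.append("LOGINDISABLED missing on the cleartext port: set disable_plaintext_auth = yes")
    return problems


def check_tls_port(host, port=993):
    """Connect over TLS the way a mail client does and audit what the server offers."""
    ctx = ssl.create_default_context()   # verifies the chain and matches the name against host
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    try:
        cert = conn.sock.getpeercert()
        print("greeting   :", conn.welcome.decode(errors="replace").strip())
        print("TLS version:", conn.sock.version())
        print("cert expiry:", cert.get("notAfter"))
        return audit_capabilities(conn.capabilities, tls=True)
    finally:
        conn.logout()


def check_cleartext_port(host, port=143):
    """Confirm the cleartext port refuses plaintext authentication (nothing secret is sent)."""
    conn = imaplib.IMAP4(host, port)
    try:
        return audit_capabilities(conn.capabilities, tls=False)
    finally:
        conn.logout()


if __name__ == "__main__":
    # Run this from a machine other than the Dovecot host: connections from the
    # server's own address are treated as secure, so a local test proves little.
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"   # assumed host name
    findings = check_tls_port(host)
    try:
        findings += check_cleartext_port(host)
    except OSError as exc:   # expected when the firewall from this article blocks port 143
        print("port 143 not reachable (expected with the firewall in place):", exc)
    for problem in findings:
        print("PROBLEM:", problem)
    sys.exit(1 if findings else 0)
```

The script exits non-zero on any finding, so it can also run periodically as a simple configuration regression check after package upgrades or certificate renewals.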

 

Logging

Dovecot logs through syslog; on FreeBSD every successful login and every failed authentication attempt, including the client's IP address, the user name tried and whether TLS was in use, ends up in /var/log/maillog. Watch that file for repeated failures from one address: an Internet-facing IMAP server is a standing target for password guessing.
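To show what that monitoring looks like in practice, here is an added example that is not part of the article or of Dovecot: a small Python script that parses the imap-login lines from maillog, totals failed attempts per client address, lists the user names each address tried, and flags any login that happened without the TLS marker. The sample lines embedded in it are constructed for this example in the shape Dovecot 2.3's imap-login process writes (they are not captured from a real server), and the threshold of three failures is an arbitrary assumption to tune for your site.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the shape Dovecot 2.3's imap-login writes to
# maillog: one TLS login, two auth failures from the same address, one login
# without the TLS flag, and an unrelated Postfix line. Example input only.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail dovecot[812]: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.25, mpid=901, TLS, session=<abc123>
Mar  3 10:15:09 mail dovecot[812]: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.25, TLS, session=<def456>
Mar  3 10:15:20 mail dovecot[812]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.25, TLS, session=<ghi789>
Mar  3 10:16:02 mail dovecot[812]: imap-login: Login: user=<bob>, method=LOGIN, rip=192.0.2.9, lip=198.51.100.25, mpid=915, session=<jkl012>
Mar  3 10:16:30 mail postfix/smtpd[830]: connect from unknown[198.51.100.77]
"""

LOGIN_RE = re.compile(
    r"imap-login: (?P<kind>Login|Disconnected \(auth failed, (?P<attempts>\d+) attempts[^)]*\)): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[0-9A-Fa-f.:]+)(?P<rest>.*)$"
)


def parse_login_event(line):
    """Return a dict for imap-login Login / auth-failed lines, None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    return {
        "ok": m.group("kind") == "Login",
        "attempts": int(m.group("attempts") or 0),   # Login lines carry no attempt count
        "user": m.group("user"),
        "method": m.group("method"),
        "rip": m.group("rip"),                        # remote (client) IP
        "tls": ", TLS" in m.group("rest"),            # Dovecot appends TLS for protected sessions
    }


def summarize(lines):
    """Aggregate login events: failures per client IP, users each IP tried, cleartext logins."""
    failed_attempts = Counter()
    users_tried = defaultdict(set)
    cleartext_logins = []
    logins = 0
    for line in lines:
        ev = parse_login_event(line)
        if ev is None:
            continue
        if ev["ok"]:
            logins += 1
            if not ev["tls"]:
                cleartext_logins.append((ev["user"], ev["rip"]))
        else:
            failed_attempts[ev["rip"]] += ev["attempts"]
            users_tried[ev["rip"]].add(ev["user"])
    return {
        "logins": logins,
        "failed_attempts": dict(failed_attempts),
        "users_tried": {ip: sorted(users) for ip, users in users_tried.items()},
        "cleartext_logins": cleartext_logins,
    }


def suspicious_ips(summary, threshold=3):
    """Client addresses whose failed attempts reach the (assumed) threshold."""
    return sorted(ip for ip, n in summary["failed_attempts"].items() if n >= threshold)


if __name__ == "__main__":
    # Usage: python3 maillog_audit.py /var/log/maillog   (no argument: the sample above)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    s = summarize(lines)
    print("successful logins:", s["logins"])
    for ip in suspicious_ips(s):
        print("%s: %d failed attempts, users tried: %s"
              % (ip, s["failed_attempts"][ip], ", ".join(s["users_tried"][ip])))
    for user, ip in s["cleartext_logins"]:
        print("login without TLS: user=%s from %s (expected only from localhost)" % (user, ip))
```

A login without the TLS marker from any address other than the server's own is worth investigating, since with the configuration in this article it should not be possible.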

 

Additional Information

Dovecot provides extensive documentation with examples at https://doc.dovecot.org