Dovecot - IMAP Email Server

This article will detail the installation and configuration of an IMAP email server using Dovecot 2.3.x. Connections to the server will be secured with TLS encryption.

This article assumes that Internet email delivery to the local system has already been set up and is working. Therefore any required local users have already been created, with email being successfully delivered to their INBOX mailboxes. This prerequisite can be accomplished by installing and running Postfix as described in Postfix - SMTP Email Server.

 

Additional Requirements

For this setup there are some additional requirements that should be met. However, the exact implementations are beyond the scope of this article.

- DNS

Add host DNS records for the Dovecot service(s), e.g. imap.example.org or mail.example.org.

- TLS

A valid server certificate associated with the mail server's FQDN is required to enable and use TLS encryption.

- Firewall

The firewall of the Dovecot server should be configured to allow inbound connections on the required TCP port: with TLS encryption, the IMAPS port 995; without encryption, the IMAP port 143.

 

Install Dovecot

Install Dovecot via your preferred method.

pkg install mail/dovecot

Follow the post install instructions for Dovecot:

You must create the configuration files yourself. Copy them over
to /usr/local/etc/dovecot and edit them as desired:

cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot

The default configuration includes IMAP and POP3 services, will
authenticate users against the system's passwd file, and will use
the default /var/mail/$USER mbox files.

Next, enable dovecot in /etc/rc.conf:

sysrc dovecot_enable="YES"

 

Configure Dovecot

Dovecot uses multiple configuration files that control Dovecot services and subsystems. Dovecot organizes related configuration directives into specific files located in /usr/local/etc/dovecot/conf.d/

We will be editing the following files:

/usr/local/etc/dovecot/dovecot.conf
/usr/local/etc/dovecot/conf.d/10-auth.conf
/usr/local/etc/dovecot/conf.d/10-mail.conf
/usr/local/etc/dovecot/conf.d/10-ssl.conf
/usr/local/etc/dovecot/conf.d/15-mailboxes.conf

 

Edit /usr/local/etc/dovecot/dovecot.conf

# Protocols we want to be serving.
#protocols = imap pop3 lmtp submission
protocols = imap

# Greeting message for clients.
#login_greeting = Dovecot ready.
login_greeting = mail.example.org ready.

 

Edit /usr/local/etc/dovecot/conf.d/10-auth.conf

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
disable_plaintext_auth = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
#auth_mechanisms = plain
auth_mechanisms = plain login

Auth methods plain and login are interchangeable as both are plaintext authentication. We want to allow both for compatibility with various email clients that may use one method or the other.

 

Edit /usr/local/etc/dovecot/conf.d/10-mail.conf

#mail_location = 
mail_location = mbox:~/mail:INBOX=/var/mail/%u

 

Edit /usr/local/etc/dovecot/conf.d/10-ssl.conf

To facilitate proper TLS validation, the certificate specified should be the combined fullchain.pem, which contains the server certificate as well as the issuing CAs' certificates. The specified cert and key files need only be readable by root and can remain in their original locations if desired.

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_key = </etc/ssl/private/dovecot.pem
ssl_cert = </path/to/your/mail.example.org/fullchain.pem
ssl_key = </path/to/your/mail.example.org/privatekey.pem

Set the minimum TLS version to TLSv1.2 and disable the finite-field (non-elliptic-curve) Diffie-Hellman cipher suites, keeping ECDH:

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1
ssl_min_protocol = TLSv1.2

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

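An offline configuration check, added here and not part of this article or of Dovecot, that covers the 10-auth.conf and 10-ssl.conf settings above: it parses doveconf -n style key = value lines and reports a minimum TLS version below 1.2, cipher exclusions missing from the article's list, and plaintext authentication still allowed on a connection without TLS (disable_plaintext_auth = no while ssl is not set to required). The sample settings are constructed to mirror the article's and use its placeholder paths.

```python
import re

# Constructed sample mirroring the settings this article applies.
SAMPLE_CONF = """\
protocols = imap
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
disable_plaintext_auth = no
auth_mechanisms = plain login
ssl_cert = </path/to/your/mail.example.org/fullchain.pem
ssl_key = </path/to/your/mail.example.org/privatekey.pem
"""

SETTING_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")
ACCEPTABLE_MIN_TLS = {"TLSv1.2", "TLSv1.3"}
# Exclusions carried by the article's cipher string; !DH drops finite-field DH only.
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!MD5", "!RC4", "!DH"}

def parse_settings(text):
    """Return top-level key = value settings; comment and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_settings(text)
    findings = []
    if s.get("ssl_min_protocol") not in ACCEPTABLE_MIN_TLS:
        findings.append("ssl_min_protocol permits TLS 1.1 or older")
    cipher_terms = set(s.get("ssl_cipher_list", "").split("@")[0].split(":"))
    missing = sorted(REQUIRED_EXCLUSIONS - cipher_terms)
    if missing:
        findings.append("ssl_cipher_list lacks exclusions: " + ", ".join(missing))
    # Dovecot defaults disable_plaintext_auth to yes; an explicit "no" without ssl = required lets a password cross port 143 in the clear.
    if s.get("disable_plaintext_auth", "yes") == "no" and s.get("ssl") != "required":
        findings.append("plaintext auth allowed without TLS: set disable_plaintext_auth = yes or ssl = required")
    for key in ("ssl_cert", "ssl_key"):
        if not s.get(key, "").startswith("<"):
            findings.append(f"{key} must reference a file using the '<' prefix")
    for proto in s.get("protocols", "").split():
        if proto != "imap":
            findings.append(f"protocol {proto} is enabled beyond IMAP")
    return findings
```

Feed it the output of doveconf -n on the server to audit the live merged configuration rather than the sample.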
 

To auto create and subscribe to commonly used mailbox special folders i.e. Junk, Sent, and Trash:

Edit /usr/local/etc/dovecot/conf.d/15-mailboxes.conf

Insert auto = subscribe into the configuration of each of the three mailbox folders, and delete or comment out the second extra "Sent Messages" folder. Lastly, add imap_capability = +SPECIAL-USE to the end of the configuration file to facilitate the use of RFC 6154 special use flags.

namespace inbox {
  mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
  }
  mailbox Spam {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
  }
#  mailbox "Sent Messages" {
#    special_use = \Sent
#  }
}
imap_capability = +SPECIAL-USE

 

Start Dovecot Services

service dovecot start

 

Configure an Email Client

To configure an email client (e.g. Thunderbird or Outlook), use the following settings for incoming mail:

Server Name: mail.example.org
Protocol: IMAP
Port: 995
Connection security: SSL/TLS
Authentication method: Normal password (plaintext)
User Name: username

 

Test the Dovecot Server

Test the configuration of the Dovecot server by connecting with your configured email client.

 

Logging

Dovecot messages are logged to /var/log/maillog.

 

Additional Information

Dovecot provides extensive documentation with examples at https://doc.dovecot.org