This article will detail the installation and configuration of an IMAP / POP3 email server using Dovecot 2.3.x. Connections to the server will be secured with TLS encryption.
This article assumes that Internet email delivery to the system has previously been set up and is working. Therefore any required local users have already been created, and email is being successfully delivered to their mailboxes. This prerequisite can be accomplished by installing and configuring Postfix, following the steps detailed in this article.
Additional Requirements
For this setup there are some additional requirements that should be met. However, the exact implementations are beyond the scope of this article.
- DNS
A host A record and optionally an AAAA record for mail.example.org that resolves to the Internet IP address(es) of the Dovecot server
- Firewall
Depending on the type of mailbox service you choose to host, the firewall should be configured to allow either imaps TCP port 995 or pop3s port 993.
- TLS
A valid server certificate associated with the mail server's FQDN is required to enable and use TLS encryption. To support TLS 1.3 encryption, ensure OpenSSL 1.1.1 is installed; use openssl version to check.
Install Dovecot
Install Dovecot via your preferred method (pkg, portmaster, synth, etc.):
pkg install mail/dovecot
Follow the post install instructions for Dovecot:
You must create the configuration files yourself. Copy them over
to /usr/local/etc/dovecot and edit them as desired:
cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot
The default configuration includes IMAP and POP3 services, will
authenticate users against the system's passwd file, and will use
the default /var/mail/$USER mbox files.
Next, enable dovecot in /etc/rc.conf:
sysrc dovecot_enable="YES"
Configure Dovecot
Dovecot uses multiple configuration files that control Dovecot services and subsystems. Dovecot organizes related configuration directives into specific files located in /usr/local/etc/dovecot/conf.d/
We will be editing the following files:
/usr/local/etc/dovecot/dovecot.conf
/usr/local/etc/dovecot/conf.d/10-auth.conf
/usr/local/etc/dovecot/conf.d/10-mail.conf
/usr/local/etc/dovecot/conf.d/10-ssl.conf
Edit /usr/local/etc/dovecot/dovecot.conf
# Protocols we want to be serving.
#protocols = imap pop3 lmtp submission
protocols = imap

# Greeting message for clients.
#login_greeting = Dovecot ready.
login_greeting = mail.example.org ready.
Edit /usr/local/etc/dovecot/conf.d/10-auth.conf
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
disable_plaintext_auth = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
#auth_mechanisms = plain
auth_mechanisms = plain login
plain and login are both plaintext authentication mechanisms (they differ only in how the client exchanges the credentials). Because we want to allow plaintext authentication, you may specify either or both.
Edit /usr/local/etc/dovecot/conf.d/10-mail.conf
#mail_location =
mail_location = mbox:~/mail:INBOX=/var/mail/%u
Edit /usr/local/etc/dovecot/conf.d/10-ssl.conf
To facilitate proper TLS validation, the certificate specified should be the combined fullchain.pem, which contains the server certificate as well as the issuing CA certificates. The specified cert and key files need only be readable by root and can remain in their original locations if desired.
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_key = </etc/ssl/private/dovecot.pem
ssl_cert = </path/to/your/mail.example.org/fullchain.pem
ssl_key = </path/to/your/mail.example.org/privatekey.pem
Set the minimum TLS version to TLSv1.2 and disable the non-elliptic-curve (finite-field) Diffie-Hellman cipher suites, leaving only Elliptic-curve Diffie-Hellman (ECDHE) key exchange:
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1
ssl_min_protocol = TLSv1.2

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
Enable and Start Dovecot Services
Enable Dovecot in /etc/rc.conf
sysrc dovecot_enable="YES"
Start the services:
service dovecot start
Configure an Email Client
To configure an email client, e.g. Thunderbird or Outlook, use the following settings for incoming mail:
Server Name: mail.example.org
Protocol: IMAP or POP3
Port: 995 or 993
Connection security: SSL/TLS
Authentication method: Normal password (plaintext)
User Name: username
Test the Dovecot Server
Test the configuration of the Dovecot server by connecting with your configured email client.
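As an added check that is not part of the original article, the Python script below connects to Dovecot's imaps listener (Dovecot's default port for it is 993), validates the certificate chain and host name against the system CA store, and compares the negotiated TLS version, key exchange and login greeting with the 10-ssl.conf and dovecot.conf settings above. It assumes mail.example.org is your real host name; the function names are this example's own.

```python
import socket
import ssl
import sys

EXPECTED_HOST = "mail.example.org"  # host name from the article (replace with yours)
MIN_TLS = (1, 2)                    # mirrors ssl_min_protocol = TLSv1.2

def tls_version_tuple(name):
    """Map a version string such as 'TLSv1.2' to (1, 2); non-TLS names rank lowest."""
    if not name.startswith("TLSv"):
        return (0, 0)
    major, _, minor = name[4:].partition(".")
    return (int(major), int(minor or 0))

def assess_session(version, cipher_name, greeting, expected_host=EXPECTED_HOST):
    """Compare the negotiated session with the article's policy.
    Returns a list of findings; an empty list means the server matches."""
    findings = []
    if tls_version_tuple(version) < MIN_TLS:
        findings.append("protocol %s is below TLSv1.2" % version)
    # TLS 1.3 suite names carry no key-exchange prefix; for TLS 1.2 the
    # ssl_cipher_list above (ALL:!DH:...) leaves only ECDHE key exchange.
    if tls_version_tuple(version) == (1, 2) and not cipher_name.startswith("ECDHE-"):
        findings.append("cipher %s is not an ECDHE suite" % cipher_name)
    # login_greeting = mail.example.org ready. should appear in the "* OK" banner
    if not greeting.startswith("* OK") or expected_host not in greeting:
        findings.append("unexpected greeting: %r" % greeting)
    return findings

def check_imaps(host=EXPECTED_HOST, port=993, timeout=10):
    """Connect to the imaps listener, verify the chain and host name against the
    system CA store (a broken fullchain.pem fails here), then assess the session."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus host name check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            greeting = tls.recv(1024).decode("utf-8", "replace").strip()
            version, cipher_name = tls.version(), tls.cipher()[0]
            tls.sendall(b"a1 LOGOUT\r\n")  # leave cleanly so maillog shows a normal disconnect
    return assess_session(version, cipher_name, greeting)

if __name__ == "__main__":
    problems = check_imaps()
    print("\n".join(problems) or "OK: TLS and greeting match the configuration")
    sys.exit(1 if problems else 0)
```

Run it from a host outside the mail server, since a connection from the server's own IP is treated differently by Dovecot's plaintext-auth rules.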
Logging
Dovecot logs all successful and failed connection attempts to /var/log/maillog.
Additional Information
Dovecot provides extensive documentation with examples at https://doc.dovecot.org