Actions: | Security

Navigation: Home | Services | Tools | Articles | Other

Configuring Dovecot2 IMAP server as part of a full mail solution

One of major parts of creating a mail solution is configuring the IMAP server. I chose Dovecot, because it's fairly simple to understand, it can be easily used to meet moderately sophisticated needs and is very well supported by its author and its community. Also, from a performance/security perspective it has a very good record.

In this article I will go over a number of the settings and provide a configuration approach for dovecot2 that I use to provide service for various domains. I also use Dovecot as the SASL authenticator for Postfix SMTP-AUTH.

I will try to give details about what I'm trying to achieve and why this is sufficient for a competent, experienced unix sysadmin who might not have run an IMAP server or Dovecot before.

Notes about the wider mail environment

A few background notes about dovecot

Configuration details



mail_gid = vmail
mail_uid = vmail
mail_location = maildir:/var/mailstore/%d/%u/mail

where %d is the domain and %u is the username as described in Also, this is the location for some mail storage settings such as when mailboxes are on NFS and for shared mailboxes, but we'll address those later.

A postmaster address must be defined so that bounces can come from somewhere.


postmaster_address =


Dovecot needs to know about accounts. For which accounts should it deliver messages received over LMTP? For which accounts should it serve messages over IMAP? As with most of the dovecot config files, the auth file is extensively commented and mostly fairly self-explanatory.

The Authentication Mechanism that I use is always PLAIN because it is the simplest and easiest to debug in the event that a user is having trouble. SSL/TLS is used to ensure that neither authentication credentials nor messages are sent in the clear aross the network.

A password database is required but a separate user database is optional.

For my minimal config, there are only a few settings of interest.


disable_plaintext_auth = yes
auth_mechanisms = plain
!include auth-sql.conf.ext


passdb {
       driver = sql
       args = /etc/dovecot/dovecot-sql.conf

userdb {
       driver = static
       args = uid=vmail gid=vmail home=/var/mail/mailstore/%d/%u


#driver = sqlite
#connect = /etc/dovecot/dovecot.sqlite

#driver = mysql
#connect = host=localhost dbname=mailaccounts user=vmail password=sekrit

#driver = mysql
#connect = host=localhost dbname=mailaccounts user=vmail password=sekrit

password_query = SELECT userid AS username, domain, password \
  FROM users WHERE userid = '%n' AND domain = '%d'
iterate_query = SELECT userid AS username, domain FROM users

Pick the stanza for your driver and connect parameters correctly.

Password Database

The simplest SQL schema that I can devise that permits virtual users and multiple domains has only three fields:

    userid VARCHAR(128) NOT NULL,
    domain VARCHAR(128) NOT NULL,
    password VARCHAR(64) NOT NULL

select * from users;

My password database always contains a password column that has the password scheme embedded in {} at the beginning of the value, that way neither dovecot nor the admin next looking into the mail setup gets confused about how passwords are hashed.

User Database

The user database needs to know uid, gid, home (in order to find sieve scripts), and possibly mail if you want to override the mail_location setting. In my basic configuration, I just use static values as can be seen in conf.d/auth-sql.conf.ext.


I'm not interested in offering IMAP service that is not encrypted, but fortunately, it's easy to provide. All you need are the key, the cert and the CA's cert.


ssl_cert = </etc/dovecot/
ssl_key = </etc/dovecot/
ssl_ca = </etc/dovecot/cacert.pem


Now we actually need to listen for requests. IMAP client connections, authentication connections that allow our SMTP server, postfix, to do SMTP-AUTH and LMTP connections so the SMTP server can hand mail messages to dovecot for local delivery.


service imap-login {
  inet_listener imap {
      port = 0
  inet_listener imaps {
      port = 993

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix


service auth {
  # Postfix smtp-auth
    unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix

This is now a complete, but fairly bare dovecot2 configuration. There is much extra functionality that can be added and much work might need to be done for performance, scaleability or robustness. But this is a good start.



At the very least I always add sieve filtering. When dovecot receives a message over LMTP for local delivery, it should be run against a sieve script so that the message can be directed to the desired subfolder of the user's mailbox.


protocol lmtp {
    mail_plugins = $mail_plugins sieve


plugin {
       sieve = /var/mailstore/%d/%u/.dovecot.sieve