Dovecot installation guide


You need to have set up Let’s Encrypt before following this guide.


$ sudo apt install dovecot-imapd dovecot-managesieved


Create System User

The vmail user will be used to store mail-related data.

$ sudo adduser --system --home /var/vmail/ --uid 800 --group vmail
Adding system user `vmail' (UID 800) ...
Adding new group `vmail' (GID 800) ...
Adding new user `vmail' (UID 800) with group `vmail' ...
Creating home directory `/var/vmail/' ...

If the command complains about the UID or GID being in use, just increment the number. It can be anything between 500 and 999.



Edit file /etc/dovecot/conf.d/10-auth.conf and make sure the only included authentication mechanism is passwdfile.

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

Edit file /etc/dovecot/conf.d/auth-passwdfile.conf.ext and set option default_fields

# Authentication for passwd-file users. Included from 10-auth.conf.
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>

passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users

  # Default fields that can be overridden by passwd-file
  #default_fields = quota_rule=*:storage=1G
  default_fields = uid=vmail gid=vmail home=/var/vmail/%u

  # Override fields from passwd-file
  #override_fields = home=/home/virtual/%u
}

Create file /etc/dovecot/users

$ sudo touch /etc/dovecot/users
$ sudo chmod 640 /etc/dovecot/users
$ sudo chown root:dovecot /etc/dovecot/users

Add a User

First generate a password hash for the user.

$ doveadm pw -s SHA512-CRYPT
Enter new password: 
Retype new password: 

Now add a line to /etc/dovecot/users

# Format is <user>:<password>::::::
# Generate passwords with: doveadm pw -s SHA512-CRYPT
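
A check for the file described above, added here as an example and not part of the original guide: a shell function that flags entries that do not match the <user>:<password>:::::: layout or do not carry a SHA512-CRYPT hash, and warns if the file is world-readable. The function names, the example.org addresses and the sample hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): audit a passwd-file that follows the
# <user>:<password>:::::: layout. Names and sample data are constructed.

# Prints one line per finding; prints nothing when the file is clean.
audit_passwd_file() {
    file=$1
    lineno=0
    # The guide sets mode 640 (root:dovecot); flag world-readable files.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "$file: world-readable, expected mode 640"
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        # A passwd-file entry has 8 colon-separated fields, i.e. 7 colons.
        colons=$(printf '%s' "$line" | tr -cd ':' | wc -c)
        user=${line%%:*}
        rest=${line#*:}
        pass=${rest%%:*}
        problem=
        if [ "$colons" -ne 7 ]; then
            problem="expected 8 fields, found $((colons + 1))"
        else
            case $pass in
                '') problem="empty password field" ;;
                # Prefixed hash, or bare $6$ hash covered by scheme=CRYPT.
                '{SHA512-CRYPT}$6$'*|'$6$'*) ;;
                *) problem="password is not a SHA512-CRYPT hash" ;;
            esac
        fi
        [ -z "$problem" ] || echo "line $lineno ($user): $problem"
    done < "$file"
}

# Constructed sample; the hashes are placeholders, not real output.
write_sample() {
    cat > "$1" <<'EOF'
# Format is <user>:<password>::::::
alice@example.org:{SHA512-CRYPT}$6$SALT$PLACEHOLDER::::::
bob@example.org:{PLAIN}not-a-hash::::::
carol@example.org:::::::
dave@example.org:$6$SALT$PLACEHOLDER:::::
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_passwd_file "$sample"
rm -f "$sample"
```

Against the real file, run it as root: `audit_passwd_file /etc/dovecot/users`.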

Mail Storage

Configuration of the mail storage is done in /etc/dovecot/conf.d/10-mail.conf

mail_location = mdbox:~/mdbox



To enable sieve filters during mail delivery, edit file /etc/dovecot/conf.d/15-lda.conf and uncomment/modify the following lines

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}


ManageSieve allows your mail client to set and modify the sieve scripts on your server. To enable it, uncomment/modify the following lines in /etc/dovecot/conf.d/20-managesieve.conf

protocols = $protocols sieve

service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}

If you change the default port, don't forget to change it in the firewall configuration below.


You will need to open 2 ports in your firewall:

  • 993 for imap
  • 4190 for managesieve (if enabled above)

Assuming that you configured nftables as described, you can edit file /etc/nftables/main_config.conf and add

# Dovecot
add element  inet main  tcp_port_in { 993, 4190 }

and activate it using

$ sudo /etc/nftables/reload_main.conf


Generate Certificate

This part assumes that you have set up Let’s Encrypt.

Add your domain to /etc/nginx/sites-available/noweb


Add your new certificate to /usr/local/etc/certmanage/main.json

    'domains': ['']

And finally generate the certificate

$ sudo systemctl reload nginx
$ sudo /usr/local/sbin/certmanage
Renewing certificate for that will expire on 0001-01-01

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert
   will expire on 2019-03-11. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          


Edit file /etc/dovecot/conf.d/10-ssl.conf and change the following settings

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/ can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/
ssl_key = </etc/letsencrypt/live/

# DH parameters length to use.
ssl_dh_parameters_length = 2048

# SSL protocols to use
ssl_protocols = TLSv1.2

# SSL ciphers to use

# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes


By default, Dovecot limits IMAP connections to 10 per IP and per user. Given that each email client can use multiple connections and that you might have multiple devices at home, it is quite easy to reach the limit.

On a server with few users, it is safe to raise the limit. To do so, edit mail_max_userip_connections in file /etc/dovecot/conf.d/20-imap.conf

protocol imap {

  # Maximum number of IMAP connections allowed for a user from each IP address.
  # NOTE: The username is compared case-sensitively.
  mail_max_userip_connections = 100
}



Create file /etc/fail2ban/jail.d/dovecot.conf with the following content

[dovecot]
enabled  = true