This document covers essential Dovecot configuration topics for version 2.4.x. Note that configuration syntax has changed significantly from previous versions.
SSL/TLS certificates are critical for securing your mail server. Dovecot requires certificates in PEM format.
Obtain your SSL certificate from a Certificate Authority (CA). You'll receive:
- domain.crt (the certificate for your domain)
- intermediate.crt (the CA's intermediate certificate)
- domain.key (the private key)
Create a certificate bundle file by concatenating your domain certificate with the intermediate certificates:
cat domain.crt intermediate.crt > ssl-bundle.crt
Edit the SSL configuration file:
sudo nano /etc/dovecot/conf.d/10-ssl.conf
For Dovecot 2.4, use the following configuration (2.4 renamed ssl_cert/ssl_key to ssl_server_cert_file/ssl_server_key_file and dropped the "<" file-inclusion prefix):
# SSL configuration
ssl = required
ssl_server_cert_file = /etc/ssl/certs/ssl-bundle.crt
ssl_server_key_file = /etc/ssl/private/domain.key
# SSL protocols (enhanced security)
ssl_min_protocol = TLSv1.2
# Cipher preferences
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
# Prefer server ciphers
ssl_prefer_server_ciphers = yes
# DH parameters (if using DHE)
# ssl_server_dh_file = /etc/ssl/dhparam.pem
Ensure certificates have correct permissions:
sudo chmod 644 /etc/ssl/certs/ssl-bundle.crt
sudo chmod 600 /etc/ssl/private/domain.key
sudo chown root:root /etc/ssl/certs/ssl-bundle.crt
sudo chown root:root /etc/ssl/private/domain.key
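The following script is an added example, not part of the Dovecot documentation or the Dovecot project: it sanity-checks the bundle and key files referenced by ssl_cert/ssl_key (ssl_server_cert_file/ssl_server_key_file in 2.4) before you reload Dovecot. It verifies that the bundle holds at least the leaf plus an intermediate, that the private key was not accidentally concatenated into the world-readable bundle, that the key file is mode 600, and (when openssl is installed) that the key actually belongs to the first certificate. The file paths are arguments; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Dovecot's own tooling): check the SSL files before a reload.

# count_pem_blocks FILE TYPE -> number of "-----BEGIN <TYPE>-----" markers in FILE
count_pem_blocks() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c "^-----BEGIN $2-----" "$1" || true   # grep -c exits 1 on a count of 0
}

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssl_files BUNDLE KEY -> 0 if the layout looks right, 1 otherwise.
# Each problem found is printed on its own line.
check_ssl_files() {
    bundle=$1; key=$2; rc=0
    certs=$(count_pem_blocks "$bundle" CERTIFICATE)
    # "cat domain.crt intermediate.crt" yields at least two certificates, leaf first
    if [ "$certs" -lt 2 ]; then
        echo "$bundle: expected leaf + intermediate certificate(s), found $certs"; rc=1
    fi
    # the key must never end up in the bundle, which is deliberately readable (644)
    if grep -q 'PRIVATE KEY-----' "$bundle" 2>/dev/null; then
        echo "$bundle: contains a private key; a 644 bundle would expose it"; rc=1
    fi
    if ! grep -q 'PRIVATE KEY-----' "$key" 2>/dev/null; then
        echo "$key: no PEM private key found"; rc=1
    fi
    # Dovecot reads the key as root, so nobody but the owner needs access
    mode=$(file_mode "$key" 2>/dev/null || echo missing)
    case "$mode" in
        600|400) ;;
        *) echo "$key: mode $mode, want 600 (owner root)"; rc=1 ;;
    esac
    return $rc
}

# key_matches_cert BUNDLE KEY -> 0 if the public key inside the first certificate
# equals the private key's public key, 1 if not, 2 if openssl is not installed
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check-ssl.sh /etc/ssl/certs/ssl-bundle.crt /etc/ssl/private/domain.key
if [ $# -eq 2 ]; then
    status=0
    check_ssl_files "$1" "$2" || status=1
    r=0; key_matches_cert "$1" "$2" || r=$?
    case $r in
        1) echo "$1: first certificate does not match $2"; status=1 ;;
        2) echo "openssl not found, skipping key/certificate match" ;;
    esac
    exit $status
fi
```

Run it after building the bundle and setting permissions; a non-zero exit means one of the checks above failed and the reason was printed. The structural checks need only POSIX tools, so they work in a minimal container; the key/certificate comparison is skipped (exit code 2 from that function) when openssl is absent.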
Dovecot supports shared mailboxes, allowing multiple users to access the same mailbox.
An example table for recording which users hold which rights on a shared folder (the rights string uses the ACL letters described below):
CREATE TABLE shared_folders (
mailbox VARCHAR(255) NOT NULL,
user_id VARCHAR(255) NOT NULL,
rights VARCHAR(255) DEFAULT 'lrswipkxte',
PRIMARY KEY (mailbox, user_id)
);
In /etc/dovecot/conf.d/15-mailboxes.conf:
# Enable shared mailbox plugin
mail_plugins = $mail_plugins acl
# Configure shared mailboxes
namespace {
type = shared
separator = /
prefix = Shared/
location = maildir:%%h/Maildir:INDEX=%%h/Maildir/shared
subscriptions = no
list = children
}
# ACL plugin configuration
plugin {
acl = vfile:/etc/dovecot/conf.d/acls
acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes.acl
}
In /etc/dovecot/conf.d/acls (the global ACL file referenced by the vfile: setting above; each line is "<mailbox-pattern> <id> <rights>", with rights given as the ACL letters listed in the ACL section):
# Example ACL file for shared folder
* user=john lrwstipekxa
* user=jane lrw
For simpler setups, you can use a public namespace with a fixed location on disk (a namespace whose location does not vary per owning user is public rather than shared):
# In /etc/dovecot/conf.d/15-mailboxes.conf
namespace {
type = public
separator = /
prefix = Shared/
location = maildir:/var/mail/shared:INDEX=/var/mail/shared/dovecot-shared-index
subscriptions = no
list = children
}
# doveadm service settings (used by the doveadm acl commands below)
service doveadm {
user = dovecot
unix_listener doveadm-dict {
user = dovecot
mode = 0600
}
}
ACLs allow fine-grained control over mailbox access permissions.
In /etc/dovecot/conf.d/10-mail.conf, add ACL to mail plugins:
mail_plugins = $mail_plugins acl
In /etc/dovecot/conf.d/10-master.conf:
service acl {
unix_listener acl {
mode = 0666
user = dovecot
group = dovecot
}
}
Dovecot supports the following ACL rights:
- l (lookup) - User can see that the mailbox exists
- r (read) - User can read messages
- w (write) - User can modify flags/keywords
- s (seen) - User can modify the \Seen flag
- t (deleted) - User can modify the \Deleted flag
- i (insert) - User can insert new messages
- p (post) - User can send mail to the mailbox
- e (expunge) - User can expunge messages marked \Deleted
- k (create) - User can create child mailboxes
- x (delete) - User can delete the mailbox
- a (admin) - User has administrator rights (can change the ACL)
Set ACL for a user on a mailbox (the identifier is given as user=<name>, group=<name>, anyone, etc.):
doveadm acl set -u john@example.com INBOX user=jane@domain.com lrswipkxte
View current ACLs:
doveadm acl get -u john@example.com INBOX
Remove the whole ACL entry for a user (doveadm acl remove takes a list of individual rights to drop; delete removes the entry):
doveadm acl delete -u john@example.com INBOX user=jane@domain.com
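A malformed ACL file is easy to write and Dovecot will only complain about it at lookup time, so here is an added example (not Dovecot's own tooling) that validates a dovecot-acl file before you point "acl = vfile:<path>" at it. It accepts the per-mailbox form "<id> <rights>" and the global-file form "<mailbox-pattern> <id> <rights>", checks the identifier against the forms Dovecot understands (user=, group=, group-override=, owner, authenticated, anyone) and checks that the rights consist only of the letters l r w s t i p e k x a listed above. Function names and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example (not Dovecot's own tooling): validate a dovecot-acl file.

# acl_valid_id ID -> 0 for the identifier forms Dovecot accepts
acl_valid_id() {
    case "$1" in
        user=?*|group=?*|group-override=?*|owner|authenticated|anyone) return 0 ;;
        *) return 1 ;;
    esac
}

# acl_valid_rights STRING -> 0 if STRING is non-empty and made only of known right letters
acl_valid_rights() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d 'lrwstipekxa')" ]
}

# validate_acl_file FILE -> 0 when every non-comment line is well formed;
# each bad line is reported with its line number.
validate_acl_file() {
    file=$1; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f          # split on whitespace; -f keeps "*" from globbing
        [ $# -eq 0 ] && continue              # blank line
        case "$1" in '#'*) continue ;; esac   # comment
        [ $# -eq 3 ] && shift                 # global file form: drop the mailbox pattern
        if [ $# -ne 2 ] || ! acl_valid_id "$1" || ! acl_valid_rights "$2"; then
            echo "$file:$n: malformed ACL entry: $line"; rc=1
        fi
    done < "$file"
    return $rc
}

# Usage: sh check-acl.sh /etc/dovecot/conf.d/acls
if [ $# -eq 1 ]; then
    validate_acl_file "$1"
    exit $?
fi
```

An entry such as "user=john allow=admin" is rejected because "allow=admin" is not a rights string; the letters are what Dovecot stores, so write "user=john lrwstipekxa" for full rights including admin.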
Configure password database in /etc/dovecot/conf.d/10-auth.conf:
# Enable authentication mechanisms
auth_mechanisms = plain login
# Disable plaintext auth on unencrypted connections
disable_plaintext_auth = yes
# Password database
passdb {
driver = pam
args = session=yes dovecot
}
# User database
userdb {
driver = passwd
}
For SQL-based authentication, configure /etc/dovecot/conf.d/auth-sql.conf.ext:
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
And /etc/dovecot/dovecot-sql.conf.ext:
driver = mysql
# or: driver = pgsql / driver = sqlite (comments must be on their own line)
connect = host=localhost dbname=dovecot user=dovecot password=secret
default_pass_scheme = SHA512-CRYPT
password_query = SELECT username AS user, password FROM users WHERE username = '%u' AND active = 1
user_query = SELECT home, uid, gid FROM users WHERE username = '%u' AND active = 1
Recommended mail_location settings for most installations (choose one; a later assignment of the same key overrides an earlier one):
# In /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir:LAYOUT=fs
# For virtual users with domain separation
mail_location = maildir:/var/mail/vhosts/%d/%n
# With a separate INBOX location
mail_location = maildir:~/Maildir:INBOX=/var/mail/%u:LAYOUT=fs
# With compression (mdbox)
mail_location = mdbox:~/mdbox
Dovecot 2.4 introduced a new configuration parser with stricter syntax; for example, a comment must start with # at the beginning of a line. Keep this in mind when migrating from 2.3.x to 2.4.x.
Quotas help manage disk space usage and prevent mailboxes from growing indefinitely.
In /etc/dovecot/conf.d/10-mail.conf:
mail_plugins = $mail_plugins quota
In /etc/dovecot/conf.d/90-quota.conf:
# Quota plugin configuration
plugin {
# Maildir++ quota (supports directories and subdirectories)
quota = maildir:User quota
quota_rule = *:storage=1G
quota_rule2 = *:messages=10000
# Extra room for specific folders on top of the base rule. Each rule needs its
# own numbered key; repeating quota_rule would override the rule above.
quota_rule3 = Trash:storage=+10%%
quota_rule4 = Spam:storage=+10%%
}
In /etc/dovecot/conf.d/10-master.conf:
service quota-status {
executable = quota-status -p postfix
unix_listener quota-status {
mode = 0644
user = postfix
group = postfix
}
}
service quota {
executable = quota
unix_listener quota {
mode = 0666
user = dovecot
group = dovecot
}
}
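Both the mail_location alternatives earlier on this page and the quota rules above rely on the fact that Dovecot keeps only the last assignment of a key within a block: a second "mail_location =" or a repeated "quota_rule =" silently discards the first. The following added example (not Dovecot's own tooling; doveconf -n shows the merged result but not what was discarded) scans a config file for exactly that. It assumes the "key = value" and "name { ... }" layout used on this page, and skips self-referencing lines such as "mail_plugins = $mail_plugins quota", which append rather than override.

```shell
#!/bin/sh
# Added example (not Dovecot's own tooling): report keys assigned more than once
# inside the same block of a Dovecot config file.

# find_duplicate_keys FILE -> prints each repeated key with the line it was first
# set on; returns 1 if any duplicate was found, 0 otherwise.
find_duplicate_keys() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }            # blank line or comment
        line ~ /[{][ \t]*$/ {                          # block start, e.g. "plugin {"
            name = line; sub(/[ \t]*[{][ \t]*$/, "", name)
            path = path "/" name; next
        }
        line ~ /^[}]/ {                                # block end: pop the last name
            sub(/\/[^\/]*$/, "", path); next
        }
        line ~ /=/ {
            key = line; sub(/[ \t]*=.*/, "", key)
            value = line; sub(/^[^=]*=[ \t]*/, "", value)
            # "mail_plugins = $mail_plugins acl" appends to the previous value
            if (index(value, "$" key) > 0) next
            id = path ":" key                          # same key in another block is fine
            if (id in seen) {
                printf "%s:%d: %s already set at line %d (this later value wins)\n", FILENAME, NR, key, seen[id]
                dup = 1
            }
            seen[id] = NR
        }
        END { exit dup ? 1 : 0 }
    ' "$1"
}

# Usage: sh dovecot-dupkeys.sh /etc/dovecot/conf.d/*.conf
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do find_duplicate_keys "$f" || status=1; done
    exit $status
fi
```

Run it over /etc/dovecot/conf.d/*.conf before "doveadm reload". Keys are tracked per block path, so "mode" inside two different unix_listener blocks is not a duplicate, while the same key in two separate "plugin { }" blocks is, because Dovecot merges those.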
Quota backends:
- maildir: Maildir++ quota format
- dict: Dictionary-based quota (for clustered environments)
- fs: Filesystem-based quota (using OS quotas)
Check user quota:
doveadm quota get -u username@example.com
Recalculate a user's quota usage (for example after the Maildir was modified outside Dovecot):
doveadm quota recalc -u username@example.com
Sieve is a powerful scripting language for email filtering that allows users to create rules for sorting, forwarding, and rejecting emails.
In /etc/dovecot/conf.d/90-sieve.conf:
# Enable sieve plugin globally
mail_plugins = $mail_plugins sieve
# Sieve plugin configuration
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_global_dir = /var/lib/dovecot/sieve-global
sieve_before = /var/lib/dovecot/sieve-before/*
sieve_after = /var/lib/dovecot/sieve-after/*
}
In /etc/dovecot/conf.d/90-managesieve.conf:
# Managesieve service
service managesieve {
inet_listener sieve {
port = 4190
}
# Process limits
process_min_avail = 0
process_limit = 1024
}
# Authentication for managesieve
service auth {
unix_listener auth-userdb {
#mode = 0600
#user =
#group =
}
# Master auth socket (userdb lookups by the LDA/LMTP delivery agent)
unix_listener auth-master {
mode = 0600
user = vmail
group = vmail
}
}
# Script limits are plugin settings; they apply to delivery and ManageSieve alike
plugin {
# Maximum size of a sieve script
sieve_max_script_size = 1M
# Maximum number of redirects a script can perform
sieve_max_redirects = 1000
# Maximum number of actions (fileinto, redirect, ...) a script can perform; Pigeonhole's default is 32
sieve_max_actions = 32
}
Compile a sieve script to check its syntax (sievec does not upload it; a script is uploaded for a user with doveadm sieve put):
sievec /path/to/script.sieve
Activate a sieve script:
doveadm sieve activate -u username@example.com script_name
List sieve scripts:
doveadm sieve list -u username@example.com
After making changes, test your configuration:
sudo doveconf -n
sudo doveadm reload
Check logs for errors:
sudo journalctl -u dovecot -f