• Written for CentOS 7.1, Dovecot 2.2.10.
  • Users are system users (in /etc/aliases)
  • Mailbox style is Maildir (in the users' home folders).
  • Certificates are Comodo PositiveSSLs from


Getting your mail is not something that can always be done via telnet
(insecure) or SSH (e.g. in the case of virtual accounts).[^1]
Dovecot lets you fetch your mail using the
POP3 and/or IMAP protocols.


  • The Dovecot instance will use POP3S and IMAPS in addition to POP3
    and IMAP. When TLS is properly implemented and initiated with the
    latter pair, there's really no reason why the former would be required.
    Seems to be some
    about this.
  • The Comodo certificates were chosen since they would work with

    and most other MUAs.


yum install dovecot  
systemctl enable dovecot


Turn off SSL (for now) in /etc/dovecot/conf.d/10-ssl.conf.

ssl = no

Initial Configuration

Edit /etc/dovecot/dovecot.conf and set the protocols you want to serve

protocols = imap pop3

Listen on IPv4 and IPv6 interfaces

listen = *, ::

Location for run time data

base_dir = /var/run/dovecot/

Now, in /etc/dovecot/conf.d/10-mail.conf, tell Dovecot where to find
the messages

mail_location = maildir:~/Maildir

Start the service and make sure it’s running

[root@example ~]# systemctl start dovecot  
[root@example ~]# netstat -tulpn | grep dovecot  
tcp   0      0 0.0.0.0:110      0.0.0.0:*         LISTEN      7183/dovecot  
tcp   0      0 0.0.0.0:143      0.0.0.0:*         LISTEN      7183/dovecot  
tcp   0      0 :::110           :::*              LISTEN      7183/dovecot  
tcp   0      0 :::143           :::*              LISTEN      7183/dovecot


You can now telnet to either port 110 (POP3)
or port 143 (IMAP).
The command syntax of the two protocols differs quite a bit.

Make sure the firewall is poked open for those ports :)


Now we enable TLS on the POP3 and IMAP ports. All authentication and
message transfer will then be done only over a secure connection.

Edit /etc/dovecot/conf.d/10-ssl.conf to mandate SSL

ssl = required

And configure the certificates and keys you will use

ssl_cert = </etc/pki/tls/certs/  
ssl_key = </etc/pki/tls/private/  
ssl_ca = </etc/pki/CA/certs/ca-bundle.pem

Now disable plaintext authentication in /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes

Restart the dovecot service. You’ll see ports 993 and 995 in the
netstat output. Use OpenSSL to test the POP3S service first:

openssl s_client -connect

You should be able to log in and check some test messages. The IMAP
service should work fine as well.

Importantly, you should not be able to authenticate insecurely.

[root@example ~]# telnet 110
Connected to  
Escape character is '^]'.  
+OK Dovecot ready.  
user testuser
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

This is good. Test like crazy!
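As an added example (not part of the original post), a small audit script that parses a Dovecot configuration dump and reports whether the settings applied above are in place: it assumes the text of `doveconf -n` output (or of the config files) is passed in as a string, and the two sample configs and their certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a Dovecot config dump for the hardening this page applies
# (ssl = required, disable_plaintext_auth = yes, ssl_cert/ssl_key pointing at files).
# Pass the text of `doveconf -n` (Dovecot 2.x) or of the config files as one string.
# get_setting CONFIG KEY: print the value of the first "KEY = value" line, trimmed.
get_setting() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_dovecot_hardening CONFIG: print one line per finding; return 0 only if all pass.
check_dovecot_hardening() {
  conf="$1"; rc=0
  ssl=$(get_setting "$conf" ssl)
  case "$ssl" in
    required) echo "ok: ssl = required (TLS mandatory before authentication)" ;;
    yes)      echo "WARN: ssl = yes merely offers TLS; use ssl = required"; rc=1 ;;
    *)        echo "FAIL: ssl = '${ssl:-unset}', TLS is not enabled"; rc=1 ;;
  esac
  if [ "$(get_setting "$conf" disable_plaintext_auth)" = yes ]; then
    echo "ok: disable_plaintext_auth = yes (no USER/PASS or LOGIN on plain 110/143)"
  else
    echo "FAIL: disable_plaintext_auth is not set to yes"; rc=1
  fi
  for key in ssl_cert ssl_key; do
    v=$(get_setting "$conf" "$key")
    case "$v" in
      "<"/*) echo "ok: $key reads $v" ;;
      *)     echo "FAIL: $key must be a file reference such as $key = </path/to/file"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample: the hardened state this page ends with (placeholder file names).
HARDENED='protocols = imap pop3
listen = *, ::
ssl = required
ssl_cert = </etc/pki/tls/certs/EXAMPLE-cert.pem
ssl_key = </etc/pki/tls/private/EXAMPLE-key.pem
disable_plaintext_auth = yes'
# Constructed sample: the interim state after the first section, with TLS still off.
INITIAL='protocols = imap pop3
ssl = no'

check_dovecot_hardening "$HARDENED"
check_dovecot_hardening "$INITIAL" || echo "initial config is not safe to expose"
```

Run it against `doveconf -n` output after each restart; a non-zero exit means at least one of the settings from this page is missing or weakened.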

Other Notes

  • When creating a CA bundle, go Root → Intermediate →
    Intermediate → … → Your Certificate

  • When connecting via OpenSSL, note how POP3 and IMAP servers respond
    (with the greeting “I am ready”):

      # IMAP  
      # POP3  
      +OK I am ready.

    If using Gmail as an MUA, it expects a POP3 server/response.



[^1]: I suppose you could use OpenSSL… but who does that?