You can't always get your mail via telnet (insecure) or SSH (e.g. in the case of virtual accounts).[1] Dovecot allows you to get your mail using the POP3 and/or IMAP protocols.



yum install dovecot  
systemctl enable dovecot


Turn off SSL (for now) in /etc/dovecot/conf.d/10-ssl.conf.

ssl = no

Initial Configuration

Edit /etc/dovecot/dovecot.conf and set the protocols you want to serve

protocols = imap pop3

Listen on IPv4 and IPv6 interfaces

listen = *, ::

Location for run time data

base_dir = /var/run/dovecot/

Now, in /etc/dovecot/conf.d/10-mail.conf, tell Dovecot where to find the messages

mail_location = maildir:~/Maildir

Start the service and make sure it’s running

[root@example ~]# systemctl start dovecot  
[root@example ~]# netstat -tulpn | grep dovecot  
tcp   0      0*         LISTEN      7183/dovecot  
tcp   0      0*         LISTEN      7183/dovecot  
tcp   0      0 :::110           :::*              LISTEN      7183/dovecot  
tcp   0      0 :::143           :::*              LISTEN      7183/dovecot


You can now telnet to either port 110 (POP3) or port 143 (IMAP). The syntaxes differ quite a bit.

Make sure the firewall is poked :)


Now we use TLS with the POP3 and IMAP ports. All authentication and message transfer will be done only over a secure connection.

Edit /etc/dovecot/conf.d/10-ssl.conf to mandate SSL

ssl = required

And configure the certificates and keys you will use

ssl_cert = </etc/pki/tls/certs/  
ssl_key = </etc/pki/tls/private/  
ssl_ca = </etc/pki/CA/certs/ca-bundle.pem

Now disable plaintext authentication in /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes

Restart the dovecot service. You’ll see ports 993 and 995 in the netstat output. Use OpenSSL to test the POP3S service first:

openssl s_client -connect

You should be able to log in and check some test messages. The IMAP service should work fine as well.

Importantly, you should not be able to authenticate insecurely.

[root@example ~]# telnet 110
Connected to  
Escape character is '^]'.  
+OK Dovecot ready.  
user testuser
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

This is good. Test like crazy!
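
The refusal shown in the telnet session above can also be checked from the capabilities the server advertises before TLS is negotiated. The Python below is an added example, not part of the original post or of Dovecot; it relies on the standard capability tokens (STARTTLS and LOGINDISABLED for IMAP; STLS, USER and SASL for POP3), and the function names and sample replies are constructed for illustration.

```python
import socket

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that send the password itself

def imap_pretls_issues(reply_lines):
    """Audit the reply to 'a1 CAPABILITY' taken on port 143 before STARTTLS."""
    caps = {tok for line in reply_lines if line.upper().startswith("* CAPABILITY")
            for tok in line.upper().split()[2:]}
    issues = []
    if "STARTTLS" not in caps:
        issues.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:  # RFC 2595: LOGIN is refused until TLS is up
        issues.append("LOGIN allowed in cleartext")
    if caps & {"AUTH=" + mech for mech in PLAINTEXT_MECHS}:
        issues.append("plaintext SASL mechanism offered")
    return issues

def pop3_pretls_issues(reply_lines):
    """Audit the reply to 'CAPA' taken on port 110 before STLS."""
    rows = [line.upper().split() for line in reply_lines if line.strip()]
    caps = {row[0]: set(row[1:]) for row in rows if row[0] not in ("+OK", ".")}
    issues = []
    if "STLS" not in caps:
        issues.append("STLS not offered")
    if "USER" in caps:  # RFC 2449: USER/PASS login is available
        issues.append("USER/PASS allowed in cleartext")
    if caps.get("SASL", set()) & PLAINTEXT_MECHS:
        issues.append("plaintext SASL mechanism offered")
    return issues

def probe(host, port, command, done):
    """Read the greeting, send one cleartext command, return the reply lines."""
    lines = []
    with socket.create_connection((host, port), timeout=5) as sock:
        stream = sock.makefile("rwb")
        stream.readline()  # discard the server greeting
        stream.write(command + b"\r\n")
        stream.flush()
        for raw in stream:
            lines.append(raw.decode("ascii", "replace").strip())
            if done(lines[-1]):
                break
    return lines

# Constructed sample replies, not captured from a real server.
IMAP_HARDENED = ["* CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED", "a1 OK done"]
IMAP_WEAK = ["* CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN", "a1 OK done"]
POP3_HARDENED = ["+OK", "CAPA", "TOP", "UIDL", "STLS", "SASL", "."]
POP3_WEAK = ["+OK", "CAPA", "TOP", "UIDL", "USER", "SASL PLAIN", "."]
```

Against your own server, probe("mail.example.org", 143, b"a1 CAPABILITY", lambda l: l.startswith("a1 ")) and probe("mail.example.org", 110, b"CAPA", lambda l: l == "." or l.startswith("-ERR")) return the lines to audit; mail.example.org is a placeholder host.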

Other Notes



  1. I suppose you could use OpenSSL… but who does that?