Chapter 1. Configuring and maintaining a Dovecot IMAP and POP3 server
Dovecot is a high-performance mail delivery agent (MDA) with a focus on security. You can use IMAP or POP3-compatible email clients to connect to a Dovecot server and read or download emails.
Key features of Dovecot:
- The design and implementation focuses on security
- Two-way replication support for high availability to improve the performance in large environments
- Supports the high-performance dbox mailbox format, but also mbox and Maildir for compatibility reasons
- Self-healing features, such as fixing broken index files
- Compliance with the IMAP standards
- Workaround support to bypass bugs in IMAP and POP3 clients
1.1. Setting up a Dovecot server with PAM authentication
Dovecot supports the Name Service Switch (NSS) interface as a user database and the Pluggable Authentication Modules (PAM) framework as an authentication backend. With this configuration, Dovecot can provide services to users who are available locally on the server through NSS.
Use PAM authentication if accounts:
- Are defined locally in the /etc/passwd file
- Are stored in a remote database but are available locally through the System Security Services Daemon (SSSD) or other NSS plugins.
1.1.1. Installing Dovecot
The dovecot package provides:
- The dovecot service and the utilities to maintain it
- Services that Dovecot starts on demand, such as for authentication
- Plugins, such as server-side mail filtering
- Configuration files in the /etc/dovecot/ directory
- Documentation in the /usr/share/doc/dovecot/ directory
Procedure
- Install the dovecot package:

    # dnf install dovecot

  Note: If Dovecot is already installed and you require clean configuration files, rename or remove the /etc/dovecot/ directory. Afterwards, reinstall the package. Without removing the configuration files, the dnf reinstall dovecot command does not reset the configuration files in /etc/dovecot/.
1.1.2. Configuring TLS encryption on a Dovecot server
Dovecot provides a secure default configuration. For example, TLS is enabled by default to transmit credentials and data encrypted over networks. To configure TLS on a Dovecot server, you only need to set the paths to the certificate and private key files. Additionally, you can increase the security of TLS connections by generating and using Diffie-Hellman parameters to provide perfect forward secrecy (PFS).
Prerequisites
- Dovecot is installed.
- The following files have been copied to the listed locations on the server:
  - The server certificate: /etc/pki/dovecot/certs/server.example.com.crt
  - The private key: /etc/pki/dovecot/private/server.example.com.key
  - The Certificate Authority (CA) certificate: /etc/pki/dovecot/certs/ca.crt
- The hostname in the Subject DN field of the server certificate matches the server’s Fully-qualified Domain Name (FQDN).
- If the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
- Set secure permissions on the private key file:

    # chown root:root /etc/pki/dovecot/private/server.example.com.key
    # chmod 600 /etc/pki/dovecot/private/server.example.com.key

- Generate a file with Diffie-Hellman parameters:

    # openssl dhparam -out /etc/dovecot/dh.pem 4096

  Depending on the hardware and entropy on the server, generating Diffie-Hellman parameters with 4096 bits can take several minutes.
- Set the paths to the certificate and private key files in the /etc/dovecot/conf.d/10-ssl.conf file:
  - Update the ssl_cert and ssl_key parameters, and set them to use the paths of the server’s certificate and private key:

      ssl_cert = </etc/pki/dovecot/certs/server.example.com.crt
      ssl_key = </etc/pki/dovecot/private/server.example.com.key

  - Uncomment the ssl_ca parameter, and set it to use the path to the CA certificate:

      ssl_ca = </etc/pki/dovecot/certs/ca.crt

  - Uncomment the ssl_dh parameter, and set it to use the path to the Diffie-Hellman parameters file:

      ssl_dh = </etc/dovecot/dh.pem

  Important: To ensure that Dovecot reads the value of a parameter from a file, the path must start with a leading < character.
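The two mistakes this procedure guards against, a world-readable private key and an ssl_* value without the leading < character, are both easy to check mechanically. The following script is an added example, not part of the Red Hat documentation: it audits a 10-ssl.conf for those two conditions, verifies that each referenced file exists, and builds two constructed sample configurations (placeholder files, not real PEM material) to show a passing and a failing case. It assumes GNU stat(1).

```shell
#!/bin/sh
# Audit a Dovecot 10-ssl.conf: every ssl_* file parameter must start with '<'
# and point at an existing file, and the private key must be mode 600.
# Added example, not from the Red Hat documentation. Assumes GNU stat(1).

# conf_value FILE KEY -> prints the value of "KEY = value" (first uncommented match)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_ssl_conf CONF -> exit 0 when all checks pass, 1 otherwise; prints each finding
check_ssl_conf() {
    conf=$1
    rc=0
    for key in ssl_cert ssl_key ssl_ca ssl_dh; do
        val=$(conf_value "$conf" "$key")
        case $val in
            "")   echo "FAIL: $key is not set"; rc=1; continue ;;
            "<"*) path=${val#<} ;;
            *)    echo "FAIL: $key = $val lacks the leading '<'; Dovecot would treat the path string itself as the value"
                  rc=1; continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "FAIL: $key points at missing file $path"; rc=1; continue
        fi
        if [ "$key" = ssl_key ]; then
            mode=$(stat -c %a "$path")
            if [ "$mode" != 600 ]; then
                echo "FAIL: private key $path has mode $mode, expected 600"; rc=1; continue
            fi
        fi
        echo "ok: $key -> $path"
    done
    return $rc
}

# make_sample DIR good|bad -> writes constructed placeholder cert/key/ca/dh files and a
# 10-ssl.conf into DIR and prints the config path. The "bad" variant omits '<' on
# ssl_dh and leaves the key world-readable.
make_sample() {
    dir=$1; variant=$2
    mkdir -p "$dir"
    for f in server.crt server.key ca.crt dh.pem; do
        echo "placeholder (constructed, not a real PEM file)" > "$dir/$f"
    done
    if [ "$variant" = good ]; then
        chmod 600 "$dir/server.key"; dh="<$dir/dh.pem"
    else
        chmod 644 "$dir/server.key"; dh="$dir/dh.pem"
    fi
    cat > "$dir/10-ssl.conf" <<EOF
ssl = required
ssl_cert = <$dir/server.crt
ssl_key = <$dir/server.key
ssl_ca = <$dir/ca.crt
ssl_dh = $dh
EOF
    echo "$dir/10-ssl.conf"
}

tmp=$(mktemp -d)
check_ssl_conf "$(make_sample "$tmp/good" good)" && echo "hardened config accepted"
check_ssl_conf "$(make_sample "$tmp/bad" bad)"   || echo "weak config rejected"
rm -rf "$tmp"
```

Run it against the real file with check_ssl_conf /etc/dovecot/conf.d/10-ssl.conf after the procedure; a non-zero exit status means at least one of the listed conditions is not met.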
Next step
1.1.3. Preparing Dovecot to use virtual users
By default, Dovecot performs many actions on the file system as the user who uses the service. However, configuring the Dovecot back end to use one local user to perform these actions has several benefits:
- Dovecot performs file system actions as a specific local user instead of using the user’s ID (UID).
- Users do not need to be available locally on the server.
- You can store all mailboxes and user-specific files in one root directory.
- Users do not require a UID and group ID (GID), which reduces administration efforts.
- Users who have access to the file system on the server cannot compromise their mailboxes or indexes because they cannot access these files.
- Setting up replication is easier.
Prerequisites
- Dovecot is installed.
Procedure
- Create the vmail user:

    # useradd --home-dir /var/mail/ --shell /usr/sbin/nologin vmail

  Dovecot will later use this user to manage the mailboxes. For security reasons, do not use the dovecot or dovenull system users for this purpose.
- If you use a different path than /var/mail/, set the mail_spool_t SELinux context on it, for example:

    # semanage fcontext -a -t mail_spool_t "<path>(/.*)?"
    # restorecon -Rv <path>

- Grant write permissions on /var/mail/ only to the vmail user:

    # chown vmail:vmail /var/mail/
    # chmod 700 /var/mail/

- Uncomment the mail_location parameter in the /etc/dovecot/conf.d/10-mail.conf file, and set it to the mailbox format and location:

    mail_location = sdbox:/var/mail/%n/

  With this setting:
  - Dovecot uses the high-performance dbox mailbox format in single mode. In this mode, the service stores each mail in a separate file, similar to the Maildir format.
  - Dovecot resolves the %n variable in the path to the username. This is required to ensure that each user has a separate directory for their mailbox.
1.1.4. Using PAM as the Dovecot authentication backend
By default, Dovecot uses the Name Service Switch (NSS) interface as the user database and the Pluggable Authentication Modules (PAM) framework as the authentication backend.
Customize the settings to adapt Dovecot to your environment and to simplify administration by using the virtual users feature.
Prerequisites
- Dovecot is installed.
- The virtual users feature is configured.
Procedure
- Update the first_valid_uid parameter in the /etc/dovecot/conf.d/10-mail.conf file to define the lowest user ID (UID) that can authenticate to Dovecot:

    first_valid_uid = 1000

  By default, users with a UID greater than or equal to 1000 can authenticate. If required, you can also set the last_valid_uid parameter to define the highest UID that Dovecot allows to log in.
- In the /etc/dovecot/conf.d/auth-system.conf.ext file, add the override_fields parameter to the userdb section as follows:

    userdb {
      driver = passwd
      override_fields = uid=vmail gid=vmail home=/var/mail/%n/
    }

  Due to the fixed values, Dovecot does not query these settings from the /etc/passwd file. As a result, the home directory defined in /etc/passwd does not need to exist.
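With PAM authentication the UID window is the only place where the server itself limits which local accounts may log in, so it is worth knowing exactly which accounts fall inside it. The following script is an added example and not part of the Red Hat documentation: it lists the accounts of a passwd-format file whose UID lies between first_valid_uid and last_valid_uid (0 meaning no upper bound, the Dovecot default) and runs that over a constructed sample passwd file.

```shell
#!/bin/sh
# List the accounts inside Dovecot's valid UID window for PAM/passwd authentication.
# Added example, not from the Red Hat documentation: it reads a passwd-format
# file rather than asking Dovecot.

# valid_uid_accounts PASSWD_FILE FIRST_VALID_UID LAST_VALID_UID
# Prints one username per line whose UID is >= FIRST_VALID_UID and, when
# LAST_VALID_UID is non-zero, <= LAST_VALID_UID (0 = no upper bound, which is
# Dovecot's default for last_valid_uid).
valid_uid_accounts() {
    awk -F: -v lo="$2" -v hi="$3" '
        NF >= 7 && $3 + 0 >= lo + 0 && (hi + 0 == 0 || $3 + 0 <= hi + 0) { print $1 }
    ' "$1"
}

# write_sample_passwd PATH -> writes a constructed passwd file and prints PATH.
# The entries are invented for this example; vmail sits at UID 1000 because
# useradd without --system allocates a regular UID.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:98:98:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
vmail:x:1000:1000::/var/mail/:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
EOF
    echo "$1"
}

f=$(write_sample_passwd "$(mktemp)")
echo "first_valid_uid = 1000, last_valid_uid unset (0):"
valid_uid_accounts "$f" 1000 0
echo "first_valid_uid = 1000, last_valid_uid = 60000:"
valid_uid_accounts "$f" 1000 60000
rm -f "$f"
```

Two things the output makes visible: without last_valid_uid, the nobody account (UID 65534) is inside the window, and the vmail account created in the previous section is inside it too. Run valid_uid_accounts /etc/passwd 1000 0 on the server to see the real list; what stops accounts such as vmail from logging in is their locked password entry, not the UID range, so the list is the set of accounts whose passwords must be locked or strong.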
Next step
1.1.5. Completing the Dovecot configuration
Once you have installed and configured Dovecot, open the required ports in the firewalld service, and enable and start the service. Afterwards, you can test the server.
Prerequisites
- The following has been configured in Dovecot:
  - TLS encryption
  - An authentication backend
- Clients trust the Certificate Authority (CA) certificate.
Procedure
- If you want to provide only an IMAP or POP3 service to users, uncomment the protocols parameter in the /etc/dovecot/dovecot.conf file, and set it to the required protocols. For example, if you do not require POP3, set:

    protocols = imap lmtp

  By default, the imap, pop3, and lmtp protocols are enabled.
- Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP, POP3S, and POP3 protocols, enter:

    # firewall-cmd --permanent --add-service=imaps --add-service=imap --add-service=pop3s --add-service=pop3
    # firewall-cmd --reload

- Enable and start the dovecot service:

    # systemctl enable --now dovecot
Verification
- Use a mail client, such as Mozilla Thunderbird, to connect to Dovecot and read emails. The settings for the mail client depend on the protocol you want to use:

  Table 1.1. Connection settings to the Dovecot server

    Protocol | Port | Connection security | Authentication method
    IMAP     | 143  | STARTTLS            | PLAIN [a]
    IMAPS    | 993  | SSL/TLS             | PLAIN [a]
    POP3     | 110  | STARTTLS            | PLAIN [a]
    POP3S    | 995  | SSL/TLS             | PLAIN [a]

    [a] The client transmits data encrypted through the TLS connection. Consequently, credentials are not disclosed.

  Note that this table does not list settings for unencrypted connections because, by default, Dovecot does not accept plain text authentication on connections without TLS.
- Display configuration settings with non-default values:

    # doveconf -n
1.2. Setting up a Dovecot server with LDAP authentication
If your infrastructure uses an LDAP server to store accounts, you can authenticate Dovecot users against it. In this case, you manage accounts centrally in the directory, and users do not require local access to the file system on the Dovecot server.
Centrally managed accounts are also a benefit if you plan to set up multiple Dovecot servers with replication to make your mailboxes highly available.
1.2.1. Installing Dovecot
The dovecot package provides:
- The dovecot service and the utilities to maintain it
- Services that Dovecot starts on demand, such as for authentication
- Plugins, such as server-side mail filtering
- Configuration files in the /etc/dovecot/ directory
- Documentation in the /usr/share/doc/dovecot/ directory
Procedure
- Install the dovecot package:

    # dnf install dovecot

  Note: If Dovecot is already installed and you require clean configuration files, rename or remove the /etc/dovecot/ directory. Afterwards, reinstall the package. Without removing the configuration files, the dnf reinstall dovecot command does not reset the configuration files in /etc/dovecot/.
1.2.2. Configuring TLS encryption on a Dovecot server
Dovecot provides a secure default configuration. For example, TLS is enabled by default to transmit credentials and data encrypted over networks. To configure TLS on a Dovecot server, you only need to set the paths to the certificate and private key files. Additionally, you can increase the security of TLS connections by generating and using Diffie-Hellman parameters to provide perfect forward secrecy (PFS).
Prerequisites
- Dovecot is installed.
- The following files have been copied to the listed locations on the server:
  - The server certificate: /etc/pki/dovecot/certs/server.example.com.crt
  - The private key: /etc/pki/dovecot/private/server.example.com.key
  - The Certificate Authority (CA) certificate: /etc/pki/dovecot/certs/ca.crt
- The hostname in the Subject DN field of the server certificate matches the server’s Fully-qualified Domain Name (FQDN).
- If the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
- Set secure permissions on the private key file:

    # chown root:root /etc/pki/dovecot/private/server.example.com.key
    # chmod 600 /etc/pki/dovecot/private/server.example.com.key

- Generate a file with Diffie-Hellman parameters:

    # openssl dhparam -out /etc/dovecot/dh.pem 4096

  Depending on the hardware and entropy on the server, generating Diffie-Hellman parameters with 4096 bits can take several minutes.
- Set the paths to the certificate and private key files in the /etc/dovecot/conf.d/10-ssl.conf file:
  - Update the ssl_cert and ssl_key parameters, and set them to use the paths of the server’s certificate and private key:

      ssl_cert = </etc/pki/dovecot/certs/server.example.com.crt
      ssl_key = </etc/pki/dovecot/private/server.example.com.key

  - Uncomment the ssl_ca parameter, and set it to use the path to the CA certificate:

      ssl_ca = </etc/pki/dovecot/certs/ca.crt

  - Uncomment the ssl_dh parameter, and set it to use the path to the Diffie-Hellman parameters file:

      ssl_dh = </etc/dovecot/dh.pem

  Important: To ensure that Dovecot reads the value of a parameter from a file, the path must start with a leading < character.
Next step
1.2.3. Preparing Dovecot to use virtual users
By default, Dovecot performs many actions on the file system as the user who uses the service. However, configuring the Dovecot back end to use one local user to perform these actions has several benefits:
- Dovecot performs file system actions as a specific local user instead of using the user’s ID (UID).
- Users do not need to be available locally on the server.
- You can store all mailboxes and user-specific files in one root directory.
- Users do not require a UID and group ID (GID), which reduces administration efforts.
- Users who have access to the file system on the server cannot compromise their mailboxes or indexes because they cannot access these files.
- Setting up replication is easier.
Prerequisites
- Dovecot is installed.
Procedure
- Create the vmail user:

    # useradd --home-dir /var/mail/ --shell /usr/sbin/nologin vmail

  Dovecot will later use this user to manage the mailboxes. For security reasons, do not use the dovecot or dovenull system users for this purpose.
- If you use a different path than /var/mail/, set the mail_spool_t SELinux context on it, for example:

    # semanage fcontext -a -t mail_spool_t "<path>(/.*)?"
    # restorecon -Rv <path>

- Grant write permissions on /var/mail/ only to the vmail user:

    # chown vmail:vmail /var/mail/
    # chmod 700 /var/mail/

- Uncomment the mail_location parameter in the /etc/dovecot/conf.d/10-mail.conf file, and set it to the mailbox format and location:

    mail_location = sdbox:/var/mail/%n/

  With this setting:
  - Dovecot uses the high-performance dbox mailbox format in single mode. In this mode, the service stores each mail in a separate file, similar to the Maildir format.
  - Dovecot resolves the %n variable in the path to the username. This is required to ensure that each user has a separate directory for their mailbox.
1.2.4. Using LDAP as the Dovecot authentication backend
Users in an LDAP directory can usually authenticate themselves to the directory service. Dovecot can use this to authenticate users when they log in to the IMAP and POP3 services. This authentication method has several benefits, such as:
- Administrators can manage users centrally in the directory.
- The LDAP accounts do not require any special attributes. They only need to be able to authenticate to the LDAP server. Consequently, this method is independent from the password storage scheme used on the LDAP server.
- Users do not need to be available locally on the server through the Name Service Switch (NSS) interface and the Pluggable Authentication Modules (PAM) framework.
Prerequisites
- Dovecot is installed.
- The virtual users feature is configured.
- Connections to the LDAP server support TLS encryption.
- RHEL on the Dovecot server trusts the Certificate Authority (CA) certificate of the LDAP server.
- If users are stored in different trees in the LDAP directory, a dedicated LDAP account for Dovecot exists to search the directory. This account requires permissions to search for Distinguished Names (DNs) of other users.
- If the FIPS mode is enabled, this Dovecot server supports the Extended Master Secret (EMS) extension or uses TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
- Configure the authentication backends in the /etc/dovecot/conf.d/10-auth.conf file:
  - Comment out the include statements for auth-*.conf.ext authentication backend configuration files that you do not require, for example:

      #!include auth-system.conf.ext

  - Enable LDAP authentication by uncommenting the following line:

      !include auth-ldap.conf.ext

- Edit the /etc/dovecot/conf.d/auth-ldap.conf.ext file, and add the override_fields parameter as follows to the userdb section:

    userdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap.conf.ext
      override_fields = uid=vmail gid=vmail home=/var/mail/%n/
    }

  Due to the fixed values, Dovecot does not query these settings from the LDAP server. Consequently, these attributes also do not have to be present.
- Create the /etc/dovecot/dovecot-ldap.conf.ext file with the following settings:
  - Depending on the LDAP structure, configure one of the following:
    - If users are stored in different trees in the LDAP directory, configure dynamic DN lookups:

        dn = cn=dovecot_LDAP,dc=example,dc=com
        dnpass = <password>
        pass_filter = (&(objectClass=posixAccount)(uid=%n))

      Dovecot uses the specified DN, password, and filter to search the DN of the authenticating user in the directory. In this search, Dovecot replaces %n in the filter with the username. Note that the LDAP search must return only one result.
    - If all users are stored under a specific entry, configure a DN template:

        auth_bind_userdn = cn=%n,ou=People,dc=example,dc=com

  - Enable authentication binds to the LDAP server to verify Dovecot users:

      auth_bind = yes

  - Set the URL to the LDAP server:

      uris = ldaps://LDAP-srv.example.com

    For security reasons, only use encrypted connections by using LDAPS or the STARTTLS command over the LDAP protocol. For the latter, additionally add tls = yes to the settings.
    For a working certificate validation, the hostname of the LDAP server must match the hostname used in its TLS certificate.
  - Enable the verification of the LDAP server’s TLS certificate:

      tls_require_cert = hard

  - Set the base DN to the DN at which Dovecot starts searching for users:

      base = ou=People,dc=example,dc=com

  - Set the search scope:

      scope = onelevel

    Dovecot searches with the onelevel scope only in the specified base DN and with the subtree scope also in subtrees.
- Set secure permissions on the /etc/dovecot/dovecot-ldap.conf.ext file:

    # chown root:root /etc/dovecot/dovecot-ldap.conf.ext
    # chmod 600 /etc/dovecot/dovecot-ldap.conf.ext
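The settings in this procedure that protect credentials in transit (an ldaps:// URI or tls = yes, tls_require_cert = hard, auth_bind = yes) and at rest (mode 600 on a file that holds dnpass) are all plain key = value lines, so they can be audited with a short script. The following is an added example, not part of the Red Hat documentation: it checks a dovecot-ldap.conf.ext for exactly those settings and builds two constructed sample files, one following the procedure and one with a plaintext ldap:// URI, disabled certificate verification and a world-readable file, to show the difference. It assumes GNU stat(1); the sample values (hostname, DNs, password) are placeholders.

```shell
#!/bin/sh
# Audit a dovecot-ldap.conf.ext for the transport and bind settings the procedure
# requires. Added example, not from the Red Hat documentation. Assumes GNU stat(1).

# ldap_value FILE KEY -> prints the value of "KEY = value" (first uncommented match)
ldap_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_ldap_conf CONF -> exit 0 when all checks pass, 1 otherwise; prints each finding
check_ldap_conf() {
    conf=$1
    rc=0
    uris=$(ldap_value "$conf" uris)
    tls=$(ldap_value "$conf" tls)
    [ -n "$uris" ] || { echo "FAIL: uris is not set"; rc=1; }
    # Every URI must be ldaps://, or ldap:// combined with STARTTLS (tls = yes).
    for u in $uris; do
        case $u in
            ldaps://*) ;;
            ldap://*)
                if [ "$tls" != yes ]; then
                    echo "FAIL: $u is plain LDAP without tls = yes; the bind password and user credentials would cross the network unencrypted"
                    rc=1
                fi ;;
            *) echo "FAIL: unrecognised URI $u"; rc=1 ;;
        esac
    done
    if [ "$(ldap_value "$conf" tls_require_cert)" != hard ]; then
        echo "FAIL: tls_require_cert must be hard so a forged LDAP server certificate is rejected"; rc=1
    fi
    if [ "$(ldap_value "$conf" auth_bind)" != yes ]; then
        echo "FAIL: auth_bind = yes is required so users are verified by binding as them"; rc=1
    fi
    mode=$(stat -c %a "$conf")
    if [ "$mode" != 600 ]; then
        echo "FAIL: $conf has mode $mode; it may hold dnpass and must be 600"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $conf"
    return $rc
}

# make_ldap_sample PATH good|bad -> writes a constructed config and prints PATH
make_ldap_sample() {
    path=$1
    if [ "$2" = good ]; then
        cat > "$path" <<'EOF'
uris = ldaps://LDAP-srv.example.com
auth_bind = yes
auth_bind_userdn = cn=%n,ou=People,dc=example,dc=com
tls_require_cert = hard
base = ou=People,dc=example,dc=com
scope = onelevel
EOF
        chmod 600 "$path"
    else
        cat > "$path" <<'EOF'
uris = ldap://LDAP-srv.example.com
auth_bind = yes
dn = cn=dovecot_LDAP,dc=example,dc=com
dnpass = constructed-placeholder
tls_require_cert = never
base = ou=People,dc=example,dc=com
EOF
        chmod 644 "$path"
    fi
    echo "$path"
}

tmp=$(mktemp -d)
check_ldap_conf "$(make_ldap_sample "$tmp/good.conf.ext" good)" && echo "hardened config accepted"
check_ldap_conf "$(make_ldap_sample "$tmp/bad.conf.ext" bad)"   || echo "weak config rejected"
rm -rf "$tmp"
```

On the server, check_ldap_conf /etc/dovecot/dovecot-ldap.conf.ext reports each deviation on its own line; the check only looks at this file, so a tls = yes that is present but paired with a hostname that does not match the LDAP server's certificate still has to be caught by the certificate validation described above.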
Next step
1.2.5. Completing the Dovecot configuration
Once you have installed and configured Dovecot, open the required ports in the firewalld service, and enable and start the service. Afterwards, you can test the server.
Prerequisites
- The following has been configured in Dovecot:
  - TLS encryption
  - An authentication backend
- Clients trust the Certificate Authority (CA) certificate.
Procedure
- If you want to provide only an IMAP or POP3 service to users, uncomment the protocols parameter in the /etc/dovecot/dovecot.conf file, and set it to the required protocols. For example, if you do not require POP3, set:

    protocols = imap lmtp

  By default, the imap, pop3, and lmtp protocols are enabled.
- Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP, POP3S, and POP3 protocols, enter:

    # firewall-cmd --permanent --add-service=imaps --add-service=imap --add-service=pop3s --add-service=pop3
    # firewall-cmd --reload

- Enable and start the dovecot service:

    # systemctl enable --now dovecot
Verification
- Use a mail client, such as Mozilla Thunderbird, to connect to Dovecot and read emails. The settings for the mail client depend on the protocol you want to use:

  Table 1.2. Connection settings to the Dovecot server

    Protocol | Port | Connection security | Authentication method
    IMAP     | 143  | STARTTLS            | PLAIN [a]
    IMAPS    | 993  | SSL/TLS             | PLAIN [a]
    POP3     | 110  | STARTTLS            | PLAIN [a]
    POP3S    | 995  | SSL/TLS             | PLAIN [a]

    [a] The client transmits data encrypted through the TLS connection. Consequently, credentials are not disclosed.

  Note that this table does not list settings for unencrypted connections because, by default, Dovecot does not accept plain text authentication on connections without TLS.
- Display configuration settings with non-default values:

    # doveconf -n
1.3. Setting up a Dovecot server with MariaDB SQL authentication
If you store users and passwords in a MariaDB SQL server, you can configure Dovecot to use it as the user database and authentication backend. With this configuration, you manage accounts centrally in a database, and users have no local access to the file system on the Dovecot server.
Centrally managed accounts are also a benefit if you plan to set up multiple Dovecot servers with replication to make your mailboxes highly available.
1.3.1. Installing Dovecot
The dovecot package provides:
- The dovecot service and the utilities to maintain it
- Services that Dovecot starts on demand, such as for authentication
- Plugins, such as server-side mail filtering
- Configuration files in the /etc/dovecot/ directory
- Documentation in the /usr/share/doc/dovecot/ directory
Procedure
- Install the dovecot package:

    # dnf install dovecot

  Note: If Dovecot is already installed and you require clean configuration files, rename or remove the /etc/dovecot/ directory. Afterwards, reinstall the package. Without removing the configuration files, the dnf reinstall dovecot command does not reset the configuration files in /etc/dovecot/.
1.3.2. Configuring TLS encryption on a Dovecot server
Dovecot provides a secure default configuration. For example, TLS is enabled by default to transmit credentials and data encrypted over networks. To configure TLS on a Dovecot server, you only need to set the paths to the certificate and private key files. Additionally, you can increase the security of TLS connections by generating and using Diffie-Hellman parameters to provide perfect forward secrecy (PFS).
Prerequisites
- Dovecot is installed.
- The following files have been copied to the listed locations on the server:
  - The server certificate: /etc/pki/dovecot/certs/server.example.com.crt
  - The private key: /etc/pki/dovecot/private/server.example.com.key
  - The Certificate Authority (CA) certificate: /etc/pki/dovecot/certs/ca.crt
- The hostname in the Subject DN field of the server certificate matches the server’s Fully-qualified Domain Name (FQDN).
- If the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
- Set secure permissions on the private key file:

    # chown root:root /etc/pki/dovecot/private/server.example.com.key
    # chmod 600 /etc/pki/dovecot/private/server.example.com.key

- Generate a file with Diffie-Hellman parameters:

    # openssl dhparam -out /etc/dovecot/dh.pem 4096

  Depending on the hardware and entropy on the server, generating Diffie-Hellman parameters with 4096 bits can take several minutes.
- Set the paths to the certificate and private key files in the /etc/dovecot/conf.d/10-ssl.conf file:
  - Update the ssl_cert and ssl_key parameters, and set them to use the paths of the server’s certificate and private key:

      ssl_cert = </etc/pki/dovecot/certs/server.example.com.crt
      ssl_key = </etc/pki/dovecot/private/server.example.com.key

  - Uncomment the ssl_ca parameter, and set it to use the path to the CA certificate:

      ssl_ca = </etc/pki/dovecot/certs/ca.crt

  - Uncomment the ssl_dh parameter, and set it to use the path to the Diffie-Hellman parameters file:

      ssl_dh = </etc/dovecot/dh.pem

  Important: To ensure that Dovecot reads the value of a parameter from a file, the path must start with a leading < character.
Next step
1.3.3. Preparing Dovecot to use virtual users
By default, Dovecot performs many actions on the file system as the user who uses the service. However, configuring the Dovecot back end to use one local user to perform these actions has several benefits:
- Dovecot performs file system actions as a specific local user instead of using the user’s ID (UID).
- Users do not need to be available locally on the server.
- You can store all mailboxes and user-specific files in one root directory.
- Users do not require a UID and group ID (GID), which reduces administration efforts.
- Users who have access to the file system on the server cannot compromise their mailboxes or indexes because they cannot access these files.
- Setting up replication is easier.
Prerequisites
- Dovecot is installed.
Procedure
- Create the vmail user:

    # useradd --home-dir /var/mail/ --shell /usr/sbin/nologin vmail

  Dovecot will later use this user to manage the mailboxes. For security reasons, do not use the dovecot or dovenull system users for this purpose.
- If you use a different path than /var/mail/, set the mail_spool_t SELinux context on it, for example:

    # semanage fcontext -a -t mail_spool_t "<path>(/.*)?"
    # restorecon -Rv <path>

- Grant write permissions on /var/mail/ only to the vmail user:

    # chown vmail:vmail /var/mail/
    # chmod 700 /var/mail/

- Uncomment the mail_location parameter in the /etc/dovecot/conf.d/10-mail.conf file, and set it to the mailbox format and location:

    mail_location = sdbox:/var/mail/%n/

  With this setting:
  - Dovecot uses the high-performance dbox mailbox format in single mode. In this mode, the service stores each mail in a separate file, similar to the Maildir format.
  - Dovecot resolves the %n variable in the path to the username. This is required to ensure that each user has a separate directory for their mailbox.
1.3.4. Using a MariaDB SQL database as the Dovecot authentication backend
Dovecot can read accounts and passwords from a MariaDB database and use it to authenticate users when they log in to the IMAP or POP3 service. The benefits of this authentication method include:
- Administrators can manage users centrally in a database.
- Users have no access locally on the server.
Prerequisites
- Dovecot is installed.
- The virtual users feature is configured.
- Connections to the MariaDB server support TLS encryption.
- The dovecotDB database exists in MariaDB, and the users table contains at least a username and password column.
- The password column contains passwords encrypted with a scheme that Dovecot supports.
- The passwords either use the same scheme or have a {pw-storage-scheme} prefix.
- The dovecot MariaDB user has read permission on the users table in the dovecotDB database.
- The certificate of the Certificate Authority (CA) that issued the MariaDB server’s TLS certificate is stored on the Dovecot server in the /etc/pki/tls/certs/ca.crt file.
- If the FIPS mode is enabled, this Dovecot server supports the Extended Master Secret (EMS) extension or uses TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
- Install the dovecot-mysql package:

    # dnf install dovecot-mysql

- Configure the authentication backends in the /etc/dovecot/conf.d/10-auth.conf file:
  - Comment out the include statements for the auth-*.conf.ext authentication backend configuration files that you do not require, for example:

      #!include auth-system.conf.ext

  - Enable SQL authentication by uncommenting the following line:

      !include auth-sql.conf.ext

- Edit the /etc/dovecot/conf.d/auth-sql.conf.ext file, and add the override_fields parameter to the userdb section as follows:

    userdb {
      driver = sql
      args = /etc/dovecot/dovecot-sql.conf.ext
      override_fields = uid=vmail gid=vmail home=/var/mail/%n/
    }

  Because these values are fixed, Dovecot does not query them from the SQL server.
- Create the /etc/dovecot/dovecot-sql.conf.ext file with the following settings:

  To use TLS encryption to the database server, set the ssl_ca option to the path of the certificate of the CA that issued the MariaDB server certificate. For a working certificate validation, the hostname of the MariaDB server must match the hostname used in its TLS certificate.

  If the password values in the database contain a {<pw-storage-scheme>} prefix, you can omit the default_pass_scheme setting.

  The queries in the file must be set as follows:
  - For the user_query parameter, the query must return the username of the Dovecot user. The query must also return only one result.
  - For the password_query parameter, the query must return the username and the password, and Dovecot must use these values in the user and password variables. Therefore, if the database uses different column names, use the AS SQL command to rename a column in the result.
  - For the iterate_query parameter, the query must return a list of all users.
- Set secure permissions on the /etc/dovecot/dovecot-sql.conf.ext file:

    # chown root:root /etc/dovecot/dovecot-sql.conf.ext
    # chmod 600 /etc/dovecot/dovecot-sql.conf.ext
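An example /etc/dovecot/dovecot-sql.conf.ext that satisfies the query rules above, added here for illustration rather than taken from the page or the Dovecot project; the MariaDB host name mariadb.example.com, the password placeholder and the SHA512-CRYPT scheme are assumptions:

```conf
# Added example of /etc/dovecot/dovecot-sql.conf.ext (not the page's own file).
# Assumed values: host mariadb.example.com, MariaDB user dovecot, a password
# placeholder, and passwords stored as SHA512-CRYPT hashes.
driver = mysql

# ssl_ca makes Dovecot validate the MariaDB server certificate against this CA,
# so the host name here must match the name in the server's certificate.
connect = host=mariadb.example.com dbname=dovecotDB user=dovecot password=<dovecot_db_password> ssl_ca=/etc/pki/tls/certs/ca.crt

# Scheme of the stored hashes. Omit this line if every password value carries
# a {<pw-storage-scheme>} prefix instead.
default_pass_scheme = SHA512-CRYPT

# user_query must return exactly one row containing the Dovecot user name.
user_query = SELECT username FROM users WHERE username = '%u'

# password_query must deliver the name in "user" and the hash in "password".
# The users table stores the name in a "username" column, so rename it with AS.
password_query = SELECT username AS user, password FROM users WHERE username = '%u'

# iterate_query must list every user; this is what doveadm user '*' relies on.
iterate_query = SELECT username FROM users
```

Because this file holds the database password, it stays root-owned with mode 600 as in the last step above.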
1.3.5. Completing the Dovecot configuration
Once you have installed and configured Dovecot, open the required ports in the firewalld service, and enable and start the service. Afterwards, you can test the server.
Prerequisites
- The following has been configured in Dovecot:
  - TLS encryption
  - An authentication backend
- Clients trust the Certificate Authority (CA) certificate.
Procedure
- If you want to provide only an IMAP or POP3 service to users, uncomment the protocols parameter in the /etc/dovecot/dovecot.conf file, and set it to the required protocols. For example, if you do not require POP3, set:

    protocols = imap lmtp

  By default, the imap, pop3, and lmtp protocols are enabled.
- Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP, POP3S, and POP3 protocols, enter:

    # firewall-cmd --permanent --add-service=imaps --add-service=imap --add-service=pop3s --add-service=pop3
    # firewall-cmd --reload

- Enable and start the dovecot service:

    # systemctl enable --now dovecot
Verification
- Use a mail client, such as Mozilla Thunderbird, to connect to Dovecot and read emails. The settings for the mail client depend on the protocol you want to use:

  Table 1.3. Connection settings to the Dovecot server

    Protocol   Port   Connection security   Authentication method
    IMAP       143    STARTTLS              PLAIN [a]
    IMAPS      993    SSL/TLS               PLAIN [a]
    POP3       110    STARTTLS              PLAIN [a]
    POP3S      995    SSL/TLS               PLAIN [a]

  [a] The client transmits data encrypted through the TLS connection. Consequently, credentials are not disclosed.

  Note that this table does not list settings for unencrypted connections because, by default, Dovecot does not accept plain text authentication on connections without TLS.
- Display configuration settings with non-default values:

    # doveconf -n
1.4. Configuring replication between two Dovecot servers
With two-way replication, you can make your Dovecot server highly available, and IMAP and POP3 clients can access a mailbox on both servers. Dovecot keeps track of changes in the index logs of each mailbox and resolves conflicts in a safe way.
Perform this procedure on both replication partners.
Replication works only between server pairs. Consequently, in a large cluster, you need multiple independent backend pairs.
Prerequisites
- Both servers use the same authentication backend. Preferably, use LDAP or SQL to maintain accounts centrally.
- The Dovecot user database configuration supports user listing. Use the doveadm user '*' command to verify this.
- Dovecot accesses mailboxes on the file system as the vmail user instead of the user’s ID (UID).
Procedure
- Create the /etc/dovecot/conf.d/10-replication.conf file and perform the following steps in it:
  - Enable the notify and replication plugins:

      mail_plugins = $mail_plugins notify replication

  - Add a service replicator section:

    With these settings, Dovecot starts at least one replicator process when the dovecot service starts. Additionally, this section defines the settings on the replicator-doveadm socket.
  - Add a service aggregator section to configure the replication-notify-fifo pipe and replication-notify socket:
  - Add a service doveadm section to define the port of the replication service:

      service doveadm {
        inet_listener {
          port = 12345
        }
      }

  - Set the password of the doveadm replication service:

      doveadm_password = <replication_password>

    The password must be the same on both servers.
  - Configure the replication partner:

      plugin {
        mail_replica = tcp:server2.example.com:12345
      }

  - Optional: Define the maximum number of parallel dsync processes:

      replication_max_conns = 20

    The default value of replication_max_conns is 10.
- Set secure permissions on the /etc/dovecot/conf.d/10-replication.conf file:

    # chown root:root /etc/dovecot/conf.d/10-replication.conf
    # chmod 600 /etc/dovecot/conf.d/10-replication.conf

- Enable the nis_enabled SELinux Boolean to allow Dovecot to open the doveadm replication port:

    # setsebool -P nis_enabled on

- Configure firewalld rules to allow only the replication partner to access the replication port, for example:

    # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.0.2.1/32" port protocol="tcp" port="12345" accept"
    # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv6" source address="2001:db8:2::1/128" port protocol="tcp" port="12345" accept"
    # firewall-cmd --reload

  The subnet masks /32 for the IPv4 and /128 for the IPv6 address limit the access to the specified addresses.
- Perform this procedure also on the other replication partner.
- Reload Dovecot:

    # systemctl reload dovecot
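The complete /etc/dovecot/conf.d/10-replication.conf that the steps above build up, including the service replicator and service aggregator sections, as an added example rather than the page's own file; server2.example.com, port 12345 and the password placeholder follow the procedure, and the listener ownership and mode settings for the vmail user are assumptions:

```conf
# Added example of /etc/dovecot/conf.d/10-replication.conf (not the page's own
# file). Assumed: listeners owned by vmail, socket mode 0600.
mail_plugins = $mail_plugins notify replication

service replicator {
  # Keep at least one replicator process running from service start.
  process_min_avail = 1
  # Control socket used by doveadm replicator; only its owner may use it.
  unix_listener replicator-doveadm {
    mode = 0600
    user = vmail
  }
}

service aggregator {
  # The notify plugin writes change notifications here; Dovecot accesses
  # mailboxes as vmail, so both endpoints are owned by that user.
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}

service doveadm {
  # Replication port; reachable only from the partner via the firewalld rule.
  inet_listener {
    port = 12345
  }
}

# Shared secret of the doveadm service; identical on both partners. This value
# is why the file is kept root-owned with mode 600.
doveadm_password = <replication_password>

plugin {
  # On server2 this points back at server1.
  mail_replica = tcp:server2.example.com:12345
}

# Optional: raise the parallel dsync limit from the default of 10.
replication_max_conns = 20
```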
Verification
- Perform an action in a mailbox on one server and then verify if Dovecot has replicated the change to the other server.
- Display the replicator status:

    # doveadm replicator status

- Display the replicator status of a specific user:

    # doveadm replicator status <user_name>
    username     priority  fast sync  full sync  success sync  failed
    <user_name>  none      02:05:28   04:19:07   02:05:28      -
1.5. Automatically subscribing users to IMAP mailboxes
Typically, IMAP server administrators want Dovecot to automatically create certain mailboxes, such as Sent and Trash, and subscribe the users to them. You can set this in the configuration files.
Additionally, you can define special-use mailboxes. IMAP clients often support defining mailboxes for special purposes, such as for sent emails. So that users do not have to manually select and set the correct mailboxes, IMAP servers can send a special-use attribute in the IMAP LIST command. Clients can then use this attribute to identify and set, for example, the mailbox for sent emails.
Prerequisites
- Dovecot is configured.
Procedure
- Update the inbox namespace section in the /etc/dovecot/conf.d/15-mailboxes.conf file:
  - Add the auto = subscribe setting to each special-use mailbox that should be available to users, for example:

    If your mail clients support more special-use mailboxes, you can add similar entries. The special_use parameter defines the value that Dovecot sends in the special-use attribute to the clients.
  - Optional: If you want to define other mailboxes that have no special purpose, add mailbox sections for them in the user’s inbox, for example:

    You can set the auto parameter to one of the following values:
    - subscribe: Automatically creates the mailbox and subscribes the user to it.
    - create: Automatically creates the mailbox without subscribing the user to it.
    - no (default): Dovecot neither creates the mailbox nor does it subscribe the user to it.
- Reload Dovecot:

    # systemctl reload dovecot
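An inbox namespace section for /etc/dovecot/conf.d/15-mailboxes.conf that applies the special_use and auto settings described above, added as an example rather than the page's own configuration; the mailbox names, including the unsubscribed Archive and the plain "Important Emails" mailbox, are assumptions:

```conf
# Added example for /etc/dovecot/conf.d/15-mailboxes.conf (not the page's own
# file). Mailbox names are assumed.
namespace inbox {
  # Special-use mailboxes: created and subscribed automatically, and announced
  # to clients through the special-use attribute in the IMAP LIST response.
  mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
  }
  mailbox Junk {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
  }
  # auto = create: the mailbox exists for every user but is not subscribed,
  # so clients that support \Archive still find it via LIST.
  mailbox Archive {
    special_use = \Archive
    auto = create
  }
  # A mailbox without special purpose: no special_use, still auto-subscribed.
  # Names with spaces must be quoted.
  mailbox "Important Emails" {
    auto = subscribe
  }
}
```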
Verification
- Use an IMAP client and access your mailbox. Mailboxes with the setting auto = subscribe are automatically visible. If the client supports special-use mailboxes and the defined purposes, the client automatically uses them.
1.6. Configuring an LMTP socket and LMTPS listener
SMTP servers, such as Postfix, use the Local Mail Transfer Protocol (LMTP) to deliver emails to Dovecot. If the SMTP server runs:
- On the same host as Dovecot, use an LMTP socket
- On a different host, use an LMTP service

  By default, the LMTP protocol is not encrypted. However, if you configured TLS encryption, Dovecot uses the same settings automatically for the LMTP service. SMTP servers can then connect to it by using the LMTPS protocol or the STARTTLS command over LMTP.
Prerequisites
- Dovecot is installed.
- If you want to configure an LMTP service, TLS encryption is configured in Dovecot.
Procedure
- Verify that the LMTP protocol is enabled:

    # doveconf -a | grep -E "^protocols"
    protocols = imap pop3 lmtp

  The protocol is enabled if the output contains lmtp.
- If the lmtp protocol is disabled, edit the /etc/dovecot/dovecot.conf file, and append lmtp to the values in the protocols parameter:

    protocols = ... lmtp

- Depending on whether you need an LMTP socket or service, make the following changes in the service lmtp section in the /etc/dovecot/conf.d/10-master.conf file:
  - LMTP socket: By default, Dovecot automatically creates the /var/run/dovecot/lmtp socket.

    Optional: Customize the ownership and permissions:
  - LMTP service: Add an inet_listener sub-section:
- Configure firewalld rules to allow only the SMTP server to access the LMTP port, for example:

    # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.0.2.1/32" port protocol="tcp" port="24" accept"
    # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv6" source address="2001:db8:2::1/128" port protocol="tcp" port="24" accept"
    # firewall-cmd --reload

  The subnet masks /32 for the IPv4 and /128 for the IPv6 address limit the access to the specified addresses.
- Reload Dovecot:

    # systemctl reload dovecot
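A service lmtp section for /etc/dovecot/conf.d/10-master.conf showing both variants from the step above, added as an example rather than the page's own configuration; the postfix user and group for the socket and port 24 for the listener are assumptions taken from the verification output and the firewalld rule:

```conf
# Added example for the service lmtp section of /etc/dovecot/conf.d/10-master.conf
# (not the page's own file). Keep only the listener you need.
service lmtp {
  # Variant 1: the SMTP server runs on the same host. Restrict the socket to
  # the postfix user so no other local account can inject mail through LMTP;
  # this yields the "srw-------. postfix postfix" shown in the verification.
  unix_listener lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }

  # Variant 2: the SMTP server runs on another host. The port matches the
  # firewalld rich rules, which allow only the SMTP server's address to reach
  # it; with TLS configured in Dovecot the peer must use an encrypted session.
  inet_listener lmtp {
    port = 24
  }
}
```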
Verification
- If you configured the LMTP socket, verify that Dovecot has created the socket and that the permissions are correct:

    # ls -l /var/run/dovecot/lmtp
    srw-------. 1 postfix postfix 0 Nov 22 17:17 /var/run/dovecot/lmtp

- Configure the SMTP server to submit emails to Dovecot using the LMTP socket or service. When you use the LMTP service, ensure that the SMTP server uses the LMTPS protocol or sends the STARTTLS command to use an encrypted connection.
1.7. Disabling the IMAP or POP3 service in Dovecot
By default, Dovecot provides IMAP and POP3 services. If you require only one of them, you can disable the other to reduce the attack surface.
Prerequisites
- Dovecot is installed.
Procedure
- Uncomment the protocols parameter in the /etc/dovecot/dovecot.conf file, and set it to use the required protocols. For example, if you do not require POP3, set:

    protocols = imap lmtp

  By default, the imap, pop3, and lmtp protocols are enabled.
- Reload Dovecot:

    # systemctl reload dovecot

- Close the ports that are no longer required in the local firewall. For example, to close the ports for the POP3S and POP3 protocols, enter:

    # firewall-cmd --permanent --remove-service=pop3s --remove-service=pop3
    # firewall-cmd --reload

  The --permanent option is required here: without it, the services are removed only from the runtime configuration, and the following firewall-cmd --reload restores them from the permanent configuration.
Verification
- Display all ports in LISTEN mode opened by the dovecot process:

    # ss -tulp | grep dovecot
    tcp LISTEN 0 100 0.0.0.0:993 0.0.0.0:* users:(("dovecot",pid=1405,fd=44))
    tcp LISTEN 0 100 0.0.0.0:143 0.0.0.0:* users:(("dovecot",pid=1405,fd=42))
    tcp LISTEN 0 100 [::]:993 [::]:* users:(("dovecot",pid=1405,fd=45))
    tcp LISTEN 0 100 [::]:143 [::]:* users:(("dovecot",pid=1405,fd=43))

  In this example, Dovecot listens only on the TCP ports 993 (IMAPS) and 143 (IMAP).

  Note that Dovecot only opens a port for the LMTP protocol if you configure the service to listen on a port instead of using a socket.
1.8. Enabling server-side email filtering by using Sieve on a Dovecot IMAP server
You can upload Sieve scripts to a server using the ManageSieve protocol. Sieve scripts define rules and actions that a server should validate and perform on incoming emails. For example, users can use Sieve to forward emails from a specific sender, and administrators can create a global filter to move mails flagged by a spam filter into a separate IMAP folder.
The ManageSieve plugin adds support for Sieve scripts and the ManageSieve protocol to a Dovecot IMAP server.
Use only clients that support using the ManageSieve protocol over TLS connections. Disabling TLS for this protocol causes clients to send credentials in plain text over the network.
Prerequisites
- Dovecot is configured and provides IMAP mailboxes.
- TLS encryption is configured in Dovecot.
- The mail clients support the ManageSieve protocol over TLS connections.
Procedure
- Install the dovecot-pigeonhole package:

    # dnf install dovecot-pigeonhole

- Uncomment the following line in /etc/dovecot/conf.d/20-managesieve.conf to enable the sieve protocol:

    protocols = $protocols sieve

  This setting activates Sieve in addition to the other protocols that are already enabled.
- Open the ManageSieve port in firewalld:

    # firewall-cmd --permanent --add-service=managesieve
    # firewall-cmd --reload

- Reload Dovecot:

    # systemctl reload dovecot
Verification
- Use a client and upload a Sieve script. Use the following connection settings:
  - Port: 4190
  - Connection security: SSL/TLS
  - Authentication method: PLAIN
- Send an email to the user who has the Sieve script uploaded. If the email matches the rules in the script, verify that the server performs the defined actions.
1.9. How Dovecot processes configuration files
The dovecot package provides the main configuration file /etc/dovecot/dovecot.conf and multiple configuration files in the /etc/dovecot/conf.d/ directory. Dovecot combines the files to build the configuration when you start the service.
The main benefit of multiple config files is to group settings and increase readability. If you prefer a single configuration file, you can instead maintain all settings in /etc/dovecot/dovecot.conf and remove all include and include_try statements from that file.