How to Install and Configure Dovecot IMAP Server on RHEL 9

November 28, 2025
Linux
Comment off

Dovecot is a fast, secure, and easy-to-configure IMAP and POP3 server that works seamlessly alongside Postfix on RHEL 9. Once Postfix is delivering incoming mail to a user’s Maildir, Dovecot allows mail clients such as Thunderbird or Outlook to retrieve those messages over IMAP or POP3 — with optional SSL/TLS encryption for both protocols. This tutorial covers installing Dovecot, configuring mail storage, enabling SSL, opening the appropriate firewall ports, and testing access from the command line. Complete the Postfix tutorial before beginning this one.

Prerequisites

A RHEL 9 server with Postfix installed and configured with home_mailbox = Maildir/
TLS certificate and private key (reuse the Postfix certificate or obtain a new one)
sudo or root access
At least one local system user account with a home directory to use as a test mailbox

Step 1 — Install Dovecot

sudo dnf install -y dovecot

# Verify the version installed
dovecot --version

The main configuration file is /etc/dovecot/dovecot.conf and protocol-specific and feature-specific settings are split into files under /etc/dovecot/conf.d/.

Step 2 — Enable Protocols and Set Mail Location

Edit /etc/dovecot/dovecot.conf to enable IMAP and POP3, then configure the mail storage location in 10-mail.conf.

sudo vi /etc/dovecot/dovecot.conf

Ensure the following line is present (uncomment it if needed):

protocols = imap pop3 lmtp

Now set the mail location to Maildir format, matching Postfix’s home_mailbox setting:

sudo vi /etc/dovecot/conf.d/10-mail.conf

# Find and set this line:
mail_location = maildir:~/Maildir

Step 3 — Configure Authentication

Edit /etc/dovecot/conf.d/10-auth.conf to allow plain text authentication over TLS and enable system user authentication.

sudo vi /etc/dovecot/conf.d/10-auth.conf

# Allow plain text auth (only safe over TLS)
disable_plaintext_auth = yes

# Authentication mechanisms
auth_mechanisms = plain login

# Ensure this line is NOT commented out:
!include auth-system.conf.ext

To enable Postfix to use Dovecot for SASL authentication (submission port), expose the auth socket by editing /etc/dovecot/conf.d/10-master.conf and ensuring the LMTP and auth-userdb service blocks are uncommented:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Step 4 — Configure SSL/TLS

Edit /etc/dovecot/conf.d/10-ssl.conf to point to your certificate and key files.

sudo vi /etc/dovecot/conf.d/10-ssl.conf

ssl = required

ssl_cert = </etc/pki/tls/certs/postfix.crt
ssl_key = </etc/pki/tls/private/postfix.key

# Modern cipher configuration (TLS 1.2+)
ssl_min_protocol = TLSv1.2
ssl_cipher_list = HIGH:!aNULL:!MD5

Step 5 — Start Dovecot and Open Firewall Ports

# Enable and start Dovecot
sudo systemctl enable --now dovecot
sudo systemctl status dovecot

# Open IMAP, IMAPS, POP3, POP3S ports
sudo firewall-cmd --permanent --add-service=imap
sudo firewall-cmd --permanent --add-service=imaps
sudo firewall-cmd --permanent --add-service=pop3
sudo firewall-cmd --permanent --add-service=pop3s
sudo firewall-cmd --reload

# Verify listening ports
ss -tlnp | grep -E '143|993|110|995'

Step 6 — Create a Test User and Verify IMAP Access

Create a local user, initialise their Maildir, send a test message via Postfix, then connect with openssl s_client to confirm Dovecot is serving IMAPS on port 993.

# Create a test user
sudo useradd -m testuser
sudo passwd testuser

# Create the Maildir structure
sudo -u testuser mkdir -p /home/testuser/Maildir/{new,cur,tmp}

# Send a test email
echo "Hello from Dovecot test" | mail -s "IMAP Test" testuser@localhost

# Test IMAP over TLS (type commands after the banner)
openssl s_client -connect localhost:993 -quiet

After connecting, issue IMAP commands manually:

a1 LOGIN testuser yourpassword
a2 LIST "" "*"
a3 SELECT INBOX
a4 FETCH 1 BODY[]
a5 LOGOUT

Conclusion

You have installed Dovecot on RHEL 9, configured Maildir storage to match Postfix, enabled system-user authentication, enforced TLS on all connections, exposed the auth socket for Postfix SASL, opened the necessary firewall ports, and verified IMAP access using openssl s_client. Your server now provides a complete inbound mail stack: Postfix receives messages and Dovecot serves them to mail clients over encrypted IMAP or POP3.

Next steps: How to Configure DKIM, SPF, and DMARC on RHEL 9, How to Install and Configure Postfix Mail Server on RHEL 9, and How to Set Up a DNS Server with BIND9 on RHEL 9.