Dovecot is a high-performance, secure IMAP and POP3 server that works seamlessly alongside Postfix to deliver a complete mail server stack on RHEL 8. While Postfix handles sending and receiving mail via SMTP, Dovecot allows mail clients like Thunderbird or Outlook to retrieve messages using IMAP or POP3. Dovecot is also SELinux-aware and actively maintained, making it the recommended choice for RHEL environments. This tutorial covers installing Dovecot, configuring it to serve the Maildir format written by Postfix, enabling TLS, and opening the firewall.
Prerequisites
- RHEL 8 server with Postfix installed and configured to use
home_mailbox = Maildir/ - At least one local user account with a populated
~/Maildir/directory - Root or
sudoaccess - A TLS certificate and key (self-signed is acceptable for testing; use Let’s Encrypt for production)
- Firewalld running and active
Step 1 — Install Dovecot
Install Dovecot from the AppStream repository.
dnf install -y dovecotThe main configuration directory is /etc/dovecot/. The primary file is dovecot.conf, and protocol-specific settings live under conf.d/. Dovecot ships with sensible defaults, so most of the work is enabling the right options.
Step 2 — Enable IMAP and POP3 Protocols
Edit /etc/dovecot/dovecot.conf and set the protocols directive. By default it may be commented out, which enables only IMAP.
protocols = imap pop3If you want to serve only IMAP (the preferred modern protocol), set protocols = imap. For TLS-only variants, you would add imaps and pop3s here as well.
Step 3 — Configure the Mail Location
Tell Dovecot where to find mail for each user. Edit /etc/dovecot/conf.d/10-mail.conf.
mail_location = maildir:~/MaildirThis matches the home_mailbox = Maildir/ setting in Postfix’s main.cf, ensuring both services read from and write to the same directory. The tilde (~) expands to the authenticated user’s home directory at runtime.
Step 4 — Harden Authentication Settings
Edit /etc/dovecot/conf.d/10-auth.conf to require that plaintext credentials only be sent over TLS.
disable_plaintext_auth = yes
auth_mechanisms = plain loginWith disable_plaintext_auth = yes, Dovecot will reject LOGIN or PLAIN authentication unless the connection is encrypted. This prevents credentials from being transmitted in cleartext over the network.
Step 5 — Configure TLS in 10-ssl.conf
Edit /etc/dovecot/conf.d/10-ssl.conf to enable TLS and point Dovecot to your certificate files.
ssl = required
ssl_cert = Replace the paths with those of your actual certificate and private key. Dovecot ships with a self-signed certificate in /etc/pki/dovecot/ that you can use for initial testing. Set ssl = required to enforce encrypted connections; setting it to yes makes TLS optional.
Step 6 — Start Dovecot, Open the Firewall, and Test
Enable and start the Dovecot service, then open the required firewall ports.
systemctl enable --now dovecot
systemctl status dovecotfirewall-cmd --permanent --add-service=imap
firewall-cmd --permanent --add-service=imaps
firewall-cmd --permanent --add-service=pop3
firewall-cmd --permanent --add-service=pop3s
firewall-cmd --reloadTest basic IMAP connectivity using telnet or openssl s_client from a client machine.
telnet mail.example.com 143You should see a Dovecot banner: * OK [CAPABILITY ...] Dovecot ready. Type a1 LOGIN username password to authenticate (only works if TLS is not yet enforced or you have a local test). For TLS, test with openssl s_client -connect mail.example.com:993.
Conclusion
Dovecot is now serving IMAP and POP3 on your RHEL 8 server, reading mail from the Maildir directories written by Postfix. Authentication is protected by the TLS requirement, and the firewall exposes only the necessary ports. You can now connect any standard mail client using your server’s hostname and your Linux account credentials.
Next steps: How to Configure DKIM, SPF, and DMARC on RHEL 8, How to Enable Let’s Encrypt TLS for Dovecot and Postfix on RHEL 8, and How to Set Up SpamAssassin with Postfix on RHEL 8.
