How to Install and Configure Dovecot IMAP Server on RHEL 7
Dovecot is a secure, high-performance IMAP and POP3 server that integrates seamlessly with Postfix on RHEL 7. While Postfix handles the transport of mail (sending and receiving via SMTP), Dovecot provides the retrieval layer — allowing mail clients such as Thunderbird, Outlook, or Apple Mail to access stored messages using the IMAP or POP3 protocols. Dovecot is known for its strong security architecture, extensive authentication support, and clean configuration layout using split configuration files in /etc/dovecot/conf.d/. This guide covers installing Dovecot from the RHEL 7 repositories, configuring mailbox access, setting up SSL/TLS, integrating with Postfix, opening firewall ports, and verifying connectivity.
Prerequisites
- RHEL 7 system with Postfix already installed and running (see the Postfix configuration guide).
- Postfix configured to deliver to Maildir format: home_mailbox = Maildir/ in /etc/postfix/main.cf.
- Root or sudo privileges.
- An SSL certificate and key for TLS. For testing, the self-signed certificate generated during installation is acceptable; for production, use a CA-signed certificate.
- At least one local Linux user account to test authentication and mail retrieval.
Step 1: Install Dovecot
yum install -y dovecot
Verify the installed version:
dovecot --version
Dovecot installs its main configuration file at /etc/dovecot/dovecot.conf and a directory of modular configuration files at /etc/dovecot/conf.d/. Each numbered file in that directory controls a specific aspect of Dovecot’s behavior, making targeted configuration changes straightforward.
Step 2: Configure Protocols in dovecot.conf
Open the primary configuration file and enable the protocols you want Dovecot to serve.
vim /etc/dovecot/dovecot.conf
Find and set the protocols directive. If you only need IMAP, omit pop3:
# Enable IMAP and POP3
protocols = imap pop3
# For IMAP only (recommended):
# protocols = imap
Also confirm the listen directive. The default listens on all interfaces, which is correct for a mail server:
listen = *, ::
Step 3: Configure Mail Location in 10-mail.conf
This is the most critical configuration file — it tells Dovecot where to find each user’s mailbox on disk. It must match the delivery format configured in Postfix.
vim /etc/dovecot/conf.d/10-mail.conf
Set the mail_location directive to Maildir format:
# Maildir format in each user's home directory
mail_location = maildir:~/Maildir
# Alternatively, for a shared mail spool in mbox format:
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
The %u token is a placeholder for the username. Using ~/Maildir places each user’s mail in their home directory, which is the correct location when Postfix is configured with home_mailbox = Maildir/.
Step 4: Configure Authentication in 10-auth.conf
vim /etc/dovecot/conf.d/10-auth.conf
For a basic setup using local system accounts, verify or set the following:
# Disable plaintext auth over unencrypted connections
disable_plaintext_auth = yes
# For testing without SSL only: uncomment the next line to allow plaintext auth on unencrypted connections
# disable_plaintext_auth = no
# Authentication mechanisms
auth_mechanisms = plain login
# Use the system's /etc/passwd and PAM for authentication
!include auth-system.conf.ext
The !include auth-system.conf.ext line includes a configuration block that configures PAM-based authentication, which validates credentials against the system’s /etc/passwd and /etc/shadow files. This means any Linux user account on the server can authenticate to Dovecot with their system password.
Step 5: Configure SSL/TLS in 10-ssl.conf
vim /etc/dovecot/conf.d/10-ssl.conf
Dovecot ships with a self-signed certificate generated during installation at /etc/pki/dovecot/. Enable SSL and point to those files:
# Enable SSL
ssl = required
# SSL certificate and private key
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
# Disable SSLv2, SSLv3 and TLSv1.0
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
# Preferred cipher list (strong ciphers only)
ssl_cipher_list = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5
For a production server, replace the self-signed certificate with one from Let’s Encrypt or a commercial CA. Update ssl_cert and ssl_key to point to the new certificate and key files, then restart Dovecot.
To generate a new self-signed certificate manually if the default is missing:
openssl req -new -x509 -nodes -days 3650 \
  -out /etc/pki/dovecot/certs/dovecot.pem \
  -keyout /etc/pki/dovecot/private/dovecot.pem \
  -subj "/CN=mail.example.com"
chmod 600 /etc/pki/dovecot/private/dovecot.pem
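To confirm that the Step 4 and Step 5 settings are actually in effect, the following added example (not part of the original guide or of Dovecot itself) audits the key = value lines printed by doveconf -a and checks the private key's permissions. The function names and the sample input are constructed for illustration.

```sh
# Added example, not from the original guide.
# Usage on the server:  doveconf -a | audit_dovecot

# Reads "key = value" lines on stdin, prints one FAIL line per weak
# setting, and returns the number of failures as its exit status.
audit_dovecot() {
    awk '
    function want(k, v) {
        if (conf[k] != v) { printf "FAIL %s = %s (want %s)\n", k, conf[k], v; bad++ }
    }
    # Skip comments and indented lines: nested blocks such as
    # inet_listener carry their own "ssl = yes/no" keys.
    /^[ \t#]/ || !/=/ { next }
    {
        key = $0; sub(/[ \t]*=.*$/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        conf[key] = val
    }
    END {
        want("ssl", "required")
        want("disable_plaintext_auth", "yes")
        # Require exact "!name" tokens so "!TLSv1.1" is not mistaken
        # for "!TLSv1".
        n = split(conf["ssl_protocols"], tok, /[ \t]+/)
        for (i = 1; i <= n; i++) off[tok[i]] = 1
        m = split("!SSLv2 !SSLv3 !TLSv1", need, " ")
        for (i = 1; i <= m; i++)
            if (!(need[i] in off)) { printf "FAIL ssl_protocols lacks %s\n", need[i]; bad++ }
        exit bad + 0
    }'
}

# True only if the key file grants nothing to group or other (chmod 600 or tighter).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample input with three weak top-level settings.
sample_weak() {
    printf '%s\n' 'disable_plaintext_auth = no' 'ssl = yes' \
        'ssl_protocols = !SSLv2 !SSLv3 !TLSv1.1' \
        'inet_listener imaps {' '  ssl = yes' '}'
}

sample_weak | audit_dovecot || echo "weak settings found: $?"
```

On the server, run key_is_private /etc/pki/dovecot/private/dovecot.pem after any certificate change.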
Step 6: Configure Postfix Integration
To ensure that Postfix delivers mail into the Maildir format that Dovecot reads, confirm main.cf has the correct setting:
grep home_mailbox /etc/postfix/main.cf
# Should return: home_mailbox = Maildir/
For deeper integration, you can configure Postfix to use Dovecot’s Local Delivery Agent (LDA) via the mailbox_transport parameter in /etc/postfix/main.cf. This allows Dovecot’s sieve filtering and quota enforcement to apply to inbound mail:
# In /etc/postfix/main.cf
mailbox_transport = dovecot
dovecot_destination_recipient_limit = 1
Then add a transport entry to /etc/postfix/master.cf:
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver
  -f ${sender} -d ${recipient}
For a simple setup, the home_mailbox = Maildir/ approach in Postfix is sufficient and requires no changes to master.cf.
Step 7: Start and Enable Dovecot
systemctl start dovecot
systemctl enable dovecot
systemctl status dovecot
Check the journal for any startup errors:
journalctl -u dovecot -n 50
Step 8: Open Firewall Ports
# IMAP (port 143) and IMAPS (port 993)
firewall-cmd --permanent --add-service=imap
firewall-cmd --permanent --add-service=imaps
# POP3 (port 110) and POP3S (port 995) — if enabled
firewall-cmd --permanent --add-service=pop3
firewall-cmd --permanent --add-service=pop3s
firewall-cmd --reload
firewall-cmd --list-services
Step 9: Test with telnet and openssl s_client
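Test unencrypted IMAP (port 143) using telnet. Dovecot treats connections from the same machine as secure, so a plaintext LOGIN is accepted on localhost even with disable_plaintext_auth = yes; remote clients must negotiate TLS first: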
telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
a001 LOGIN testuser password
a001 OK [CAPABILITY ...] Logged in
a002 SELECT INBOX
* 3 EXISTS
* 0 RECENT
a002 OK [READ-WRITE] Select completed.
a003 LOGOUT
Test SSL-encrypted IMAPS (port 993) using openssl:
openssl s_client -connect localhost:993 -crlf
After the TLS handshake you will see the Dovecot IMAP banner. Type IMAP commands as shown above to verify authentication and mailbox access. Press Ctrl+C to exit.
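The greeting line on port 143 already shows whether plaintext login is refused before TLS: STARTTLS and LOGINDISABLED should be advertised, and no AUTH=PLAIN or AUTH=LOGIN mechanism. The following added example (not from the original guide; the function names and the weak greeting are constructed) runs that check on a greeting line.

```sh
# Added example, not from the original guide. Checks the greeting a
# client sees on cleartext port 143 before STARTTLS.

# Print the capability tokens from "* OK [CAPABILITY a b c] text".
greeting_caps() {
    printf '%s\n' "$1" | sed -n 's/^\* OK \[CAPABILITY \([^]]*\)].*$/\1/p'
}

# has_cap "<caps>" NAME: exact, whole-token match.
has_cap() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Returns 0 if the greeting refuses plaintext login before TLS,
# 1 if it is weak, 2 if no capability list could be parsed.
check_cleartext_greeting() {
    g_caps=$(greeting_caps "$1")
    [ -n "$g_caps" ] || { echo "no CAPABILITY list in greeting"; return 2; }
    g_rc=0
    has_cap "$g_caps" STARTTLS || { echo "FAIL: STARTTLS not offered"; g_rc=1; }
    has_cap "$g_caps" LOGINDISABLED || { echo "FAIL: LOGINDISABLED missing"; g_rc=1; }
    for mech in AUTH=PLAIN AUTH=LOGIN; do
        if has_cap "$g_caps" "$mech"; then
            echo "FAIL: $mech offered before TLS"; g_rc=1
        fi
    done
    return $g_rc
}

# Greeting copied from the telnet session in Step 9.
PAGE_GREETING='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.'
# Constructed greeting, as a server with disable_plaintext_auth = no would send.
WEAK_GREETING='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.'

check_cleartext_greeting "$PAGE_GREETING" && echo "OK: plaintext login refused before TLS"
check_cleartext_greeting "$WEAK_GREETING" || echo "weak greeting detected"
```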
Dovecot on RHEL 7 provides a production-grade IMAP and POP3 server that pairs perfectly with Postfix. The split configuration file layout in /etc/dovecot/conf.d/ makes it easy to manage individual aspects of the server without risking changes to unrelated settings. With 10-mail.conf mapping to the Postfix Maildir, 10-auth.conf delegating credential validation to PAM, and 10-ssl.conf enforcing encrypted connections, you have a secure and maintainable mail retrieval server. The logical next step is to add a Postfix SASL configuration so that mail clients can authenticate to Postfix for outbound submission on port 587, using Dovecot’s authentication socket as the SASL backend.