Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It’s fast, simple to set up, requires no special administration and it uses very little memory.
In writing this tutorial, we assume you have a basic Linux box running
We have tested these settings mostly on Debian-based operating systems, Debian 8 and Ubuntu 16.04.

In case of any difficulties, please drop us a comment below and we will get back to you shortly.

Let's start by installing all the necessary Dovecot packages:

# apt-get install dovecot-common dovecot-imapd dovecot-mysql dovecot-pop3d

By the way, if you don't have MySQL installed already, you can follow this link, MySQL 5.x Installation on Debian 8, for instructions on how to install it.

Now let's continue with the Dovecot 2.2 configuration to work with MySQL.
First of all, we will make a backup copy of the files that we will edit, so that if we mess something up we can revert to the original and compare it to find the issue.

# mv /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.original
# cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.original
# cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.original

Now let's create a new file, /etc/dovecot/dovecot-sql.conf.ext, and add the following configuration:


# Driver type: we will be using mysql as our database
driver = mysql

# Credentials to connect to the database
connect = host=localhost dbname=databasename user=databaseusername password=dbpassword

# Password scheme used for the hashes stored in the mysql database
default_pass_scheme = MD5-CRYPT

# The query below will be used to check the password of the user trying to log in
password_query = SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'

# The query that will be used to check whether the user exists in the database
user_query = SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
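The values in the mailbox table's password column must be in the scheme named by default_pass_scheme, so MD5-CRYPT strings of the form $1$<salt>$<hash> (the same format `doveadm pw -s MD5-CRYPT` produces). As an added example that is not part of the original tutorial, here is that algorithm in Python together with a verifier, so you can generate a value for a new mailbox row or check that an existing row will match what Dovecot computes; the table and column names are taken from the queries above.

```python
import hashlib
import hmac
import secrets

# Crypt-style base64 alphabet of MD5-CRYPT ($1$); not the RFC 4648 alphabet.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _valid_salt(salt: str) -> bool:
    return 0 < len(salt) <= 8 and all(c in ITOA64.decode() for c in salt)

def md5_crypt(password: str, salt: str = "") -> str:
    """Return '$1$<salt>$<22 chars>' as Dovecot's MD5-CRYPT scheme stores it."""
    if not salt:  # no salt given: draw 8 random alphabet characters
        salt = "".join(chr(ITOA64[b & 0x3F]) for b in secrets.token_bytes(8))
    if not _valid_salt(salt):
        raise ValueError("salt must be 1-8 characters from the crypt alphabet")
    pw, sl, magic = password.encode(), salt.encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw)):  # as many bytes of the alternate sum as pw is long
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # stretching rounds; inputs vary with round number
        ctx = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            ctx.update(sl)
        if r % 7:
            ctx.update(pw)
        ctx.update(final if r & 1 else pw)
        final = ctx.digest()
    groups = [(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in
              ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    out = bytearray()  # digest bytes are interleaved exactly as the C original does
    for value, count in groups + [(final[11], 2)]:
        for _ in range(count):  # least significant 6 bits first
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return (magic + sl + b"$" + bytes(out)).decode()

def verify_md5_crypt(password: str, stored: str) -> bool:
    parts = stored.split("$")  # mailbox.password value: ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1" or not _valid_salt(parts[2]):
        return False  # not MD5-CRYPT, so it cannot match default_pass_scheme
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)
```

Dovecot 2.2 also accepts stronger crypt schemes such as SHA512-CRYPT for default_pass_scheme; whichever you pick, every stored value must use that scheme or the login will fail.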

We are also assuming that you have a system user vmail created on your Linux box; if not, use the two commands below to create the group and the user:


# groupadd -g 5000 vmail 
# useradd -g vmail -u 5000 vmail -d /var/vmail -m

Edit another file, /etc/dovecot/conf.d/10-mail.conf, find the settings below and set them as shown:


mail_location = maildir:/var/vmail/%d/%n 
mail_uid = vmail 
mail_gid = vmail 
first_valid_uid = 5000 
last_valid_uid = 5000

Now let's edit the file /etc/dovecot/conf.d/10-ssl.conf, find the settings below and set them as shown:


ssl = yes 
ssl_cert = </etc/ssl/certs/server.crt 
ssl_key = </etc/ssl/private/server.key

Edit another file, /etc/dovecot/conf.d/10-auth.conf, and change its settings as shown below:

# Disable LOGIN command and all other plaintext authentications unless 
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP 
# matches the local IP (ie. you're connecting from the same computer), the 
# connection is considered secure and plaintext authentication is allowed. 
disable_plaintext_auth = yes 

# Space separated list of wanted authentication mechanisms: 
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey 
# gss-spnego 
# NOTE: See also disable_plaintext_auth setting. 

auth_mechanisms = plain login 

## 
## Password and user databases 
## 
# Password database is used to verify user's password (and nothing more). 
# You can have multiple passdbs and userdbs. This is useful if you want to 
# allow both system users (/etc/passwd) and virtual users to login without 
# duplicating the system users into virtual database. 
# 
# <doc/wiki/PasswordDatabase.txt> 
# 
# User database specifies where mails are located and what user/group IDs 
# own them. For single-UID configuration use "static" userdb. 
# 
# <doc/wiki/UserDatabase.txt>
 
#!include auth-deny.conf.ext 
#!include auth-master.conf.ext 

#!include auth-system.conf.ext 
# Use the SQL database configuration for authentication rather than 
# any of these others. 
!include auth-sql.conf.ext 

#!include auth-ldap.conf.ext 
#!include auth-passwdfile.conf.ext 
#!include auth-checkpassword.conf.ext 
#!include auth-vpopmail.conf.ext 
#!include auth-static.conf.ext

Edit file /etc/dovecot/conf.d/10-mail.conf

# Location for users' mailboxes. The default is empty, which means that Dovecot 
# tries to find the mailboxes automatically. This won't work if the user 
# doesn't yet have any mail, so you should explicitly tell Dovecot the full 
# location. 
# 
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u) 
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are 
# kept. This is called the "root mail directory", and it must be the first 
# path given in the mail_location setting. 
# 
# There are a few special variables you can use, eg.: 
# 
# %u - username 
# %n - user part in user@domain, same as %u if there's no domain 
# %d - domain part in user@domain, empty if there's no domain 
# %h - home directory 
# 
# See doc/wiki/Variables.txt for full list. Some examples: 
# 
# mail_location = maildir:~/Maildir 
# mail_location = mbox:~/mail:INBOX=/var/mail/%u 
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n 
# 
# <doc/wiki/MailLocation.txt> 
# 
mail_location = maildir:/var/vmail/%d/%n 


# System user and group used to access mails. If you use multiple, userdb 
# can override these by returning uid or gid fields. You can use either numbers 
# or names. <doc/wiki/UserIds.txt> 
mail_uid = vmail 
mail_gid = vmail 

# Valid UID range for users, defaults to 500 and above. This is mostly 
# to make sure that users can't log in as daemons or other system users. 
# Note that denying root logins is hardcoded to dovecot binary and can't 
# be done even if first_valid_uid is set to 0. 
# 
# Use the vmail user uid here. 
first_valid_uid = 5000 
last_valid_uid = 5000

Edit file /etc/dovecot/conf.d/10-ssl.conf

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> 
ssl = yes 

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before 
# dropping root privileges, so keep the key file unreadable by anyone but 
# root. Included doc/mkcert.sh can be used to easily generate self-signed 
# certificate, just make sure to update the domains in dovecot-openssl.cnf 
# 
# The generated snakeoil certificate: 
#ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem 
#ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key 
# Purchased certificate: 
ssl_cert = </etc/ssl/certs/server.crt 
ssl_key = </etc/ssl/private/server.key 

# If key file is password protected, give the password here. Alternatively 
# give it when starting dovecot with -p parameter. Since this file is often 
# world-readable, you may want to place this setting instead to a different 
# root owned 0600 file by using ssl_key_password = <path. 
#ssl_key_password = 

# PEM encoded trusted certificate authority. Set this only if you intend to use 
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s) 
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) 
ssl_ca = </etc/ssl/certs/ca-bundle.crt 

# DH parameters length to use. In light of Logjam, has to be 2048 or more. 
# See: https://weakdh.org/sysadmin.html 
ssl_dh_parameters_length = 2048 

# SSL protocols to use. Don't use the no-longer secure protocols. 
ssl_protocols = !SSLv2 !SSLv3 

# SSL ciphers to use. See: 
# https://weakdh.org/sysadmin.html 
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ 

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA 
# Prefer the server's order of ciphers over client's. 

ssl_prefer_server_ciphers = yes

Edit file /etc/dovecot/conf.d/10-master.conf


service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }
}

Now let's set proper permissions on our files:

# chown -R vmail:dovecot /etc/dovecot
# chmod -R o-rwx /etc/dovecot

Restart Dovecot for the changes to take effect:


# /etc/init.d/dovecot restart

That's it! Try to log in using a virtual user and see if it is working.
If you face any difficulties, please don't hesitate to drop us a comment.
We will also keep updating this post if we find any better changes, so please keep visiting.
