FreeBSD mail server: IMAP using Dovecot

published on in category , Tags: freebsd mail dovecot

This is a follow-up post to the initial FreeBSD mail server article that I posted a few weeks ago. In this step, we will build upon what we set up in the first part and add the possibility to fetch email from a mail client using IMAP. We will still use system users for authentication, before we switch to virtual users in the next step.

In this series we will set up a fully-featured mail server in a FreeBSD jail using OpenSMTPd, Dovecot and rspamd. In contrast to many other guides, this one is split into multiple posts that can either be read and followed individually, or as a whole. After each post, you end up with a fully working system (that might lack some features ;)).

Dovecot, amongst its many configuration options, is decently easy to set up. The default configuration is suitable for the bigger part.

Installing Dovecot

In our mailserver jail (see first post of this series), we first install Dovecot:

pkg install dovecot

The default configuraton is in a separate folder, so we need to copy it first to the actual config directory so that it can be used:

cd /usr/local/etc/dovecot
cp -r example-config/* .

First off, we will clean up things a bit: POP3 is still enabled by default but unless you’re living in the early ’90s, there’s no reason to have it. We also won’t use Dovecot for mail submission since OpenSMTPd takes care of that already.

So, let’s edit /usr/local/etc/dovecot/dovecot.conf and remove pop3 and submission from protocols (and remove the comment so that the line is actually used):

protocols = imap lmtp

LMTP (Local Mail Transfer Protocol) is not used right now, but we will need it in the next step to deliver mail from the MTA (OpenSMTPd) to the MDA (Dovecot’s deliver).

Also, my FreeBSD jail is not set up to support IPv6, so listening for IPv6 connections will generate errors when we try to start Dovecot, so let’s disable it by removing :: from the listen property:

listen = *

TLS configuration

In the first post we already fetched initial TLS certificates from Let’s Encrypt (we will take care for renewing them later on), so we can reuse them for Dovecot as well. Make sure to exchange them with your paths, in case they differ (only the domain should differ though, if you followed the last guide).

Edit /usr/local/etc/dovecot/conf.d/10-ssl.conf and update ssl_key and ssl_cert:

ssl_key = </usr/local/etc/letsencrypt/live/
ssl_cert = </usr/local/etc/letsencrypt/live/

Also, let’s change SSL from supported to be required:

ssl = required

Mailbox configuration

Dovecot uses some standard mailboxes like Drafts, Junk, Trash and Sent additional to the Inbox. These are not created automatically, which will possibly yield some error messages when connecting a mail client. So we can set up Dovecot to create those mailboxes automatically. So edit /usr/local/etc/dovecot/conf.d/15-mailboxes.conf and add auto = create to the standard mailboxes:

namespace inbox {
  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox Drafts {
    special_use = \Drafts
    auto = create
  mailbox Junk {
    special_use = \Junk
    auto = create
  mailbox Trash {
    special_use = \Trash
    auto = create

  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox Sent {
    special_use = \Sent
    auto = create
  mailbox "Sent Messages" {
    special_use = \Sent


The configuration part is done, so we should be ready to enable and start Dovecot:

sysrc dovecot_enable=YES
service dovecot start

Dovecot writes to /var/log/maillog, just like OpenSMTPd. So check the logs to see if the startup was successful:

Jan  5 17:45:01 mail dovecot[98452]: master: Dovecot v2.3.15 (0503334ab1) starting up for imap, lmtp

Since we run in a jail with a private IP address, make sure that IMAP (Port 143) requests to the host IP are forwarded to your jail. If you followed the guide starting from the first part, we already set that up there.

You can use some online-tools like or to check the TLS configuration.

Setting up a client

Now that we have SMTP and IMAP running, we don’t need to play around with openssl s_client, but we can set up a desktop mail client (MUA) to fetch and send email. Since we use system users for authentication, username and password are the actual user logins.

In my example, I set up Thunderbird using the following credentials for our configuration:


Security: STARTTLS
Login method: Password, normal
Username/Password from the system user you created (no - since this is a system user)


Security: STARTTLS
Login method: Password, normal
Username/Password from the system user you created (no - since this is a system user)


Doable so far, right? Now we have a mail server that can send and receive email - at least with indulgent mail servers ;-) We don’t sign our messages with DKIM, don’t have a DMARC policy etc. And we don’t check incoming email for spam…. aaaand we don’t prevent bots from connecting to our SMTP yet, no matter how rude they are - if you check your maillog you will possibly see tons of incoming connections that will be dropped again due to the lack of proper login credentials and an open relay configuration.

We will take care for all of that next time.