Dovecot IMAP Server and Daemontools

Text and color conventions used in this document:

This text provides notes and instructions.

This text gives terminal commands.
This text provides config file and shell script contents.

Here are tips and suggestions for using the Dovecot IMAP server on Debian Linux and running under the Daemontools program developed by DJB.

These notes represent one possible approach to setting up Dovecot IMAP on a qmail system. This setup may or may not be optimum for your needs. In particular, authentication without encryption to the normal IMAP port (143) is disabled so clients must use TLS or SSL in order to connect fully on an encrypted port and then authenticate.

This configuration also does not use tcpserver or sslserver. Dovecot can act as it's own super user and start up separate processes for each connection and this is what is being used with this configuration. This may not be as good of a solution as using tcpserver or sslserver but it is flexible and relatively easy to get going.

Download and Build

Download the latest version of Dovecot. I put all source code in /usr/local/src. CD to there and untar the source with this command. Note: This page may be out of sync with the latest version. Check the Dovecot download page to be sure (

cd /usr/local/src
wget -c
tar xzvf dovecot-1.x.x.tar.gz

Now cd to the resulting Dovecot source dir and start to configure and build Dovecot. I am using only one option but your requirments may be different so do ./configure --help to review all the options available. I decided to not use Dovecot's pop3 server as I already have Qmail's pop server set up. So my config file has this option to turn it off:

./configure --without-pop3d

Now continue on with the make and make install commands to build and install Dovecot.

Setup and Configuration

You must first create the dovecot user. This is not a login account but is used to run the application. The following command works on Debian. Other Linux variants may be slightly different so check the man page to be sure:

useradd -m -b /var/run -s /bin/false dovecot

The configuration file makes use of vpopmail for user authentication. This is a plain text form of authentication so in order to be secure, TLS or SSL should be used. And of course, this assumes that you have vpopmail installed. The location of the file using the default install is: /usr/local/etc/dovecot.conf. Also take note that this file is for version 1.1.2 of Dovecot. Earlier versions may not be compatible. Here is the complete configuration file I use:

protocols = imap imaps
listen = *
log_path = /dev/stderr
#info_log_path = defaults to log_path unless specified
disable_plaintext_auth = yes
shutdown_clients = yes
ssl_disable = no
login_dir = /var/run/dovecot
login_greeting = Acme IMAP service.  Non-subscribers are NOT welcome! 
# use this for Maildir format:
mail_location = maildir:~/Maildir
# Allow access only to vpopmail users
first_valid_uid = 89
last_valid_uid = 89
first_valid_gid = 89
last_valid_gid = 89
# use the same certs as SMTP:
ssl_cert_file = /var/qmail/control/servercert.pem
ssl_key_file = /var/qmail/control/servercert.pem

auth_process_size = 8192
auth_cache_size = 8192
auth_cache_ttl = 3600
auth default {
   mechanisms = plain
   passdb vpopmail {
      args = cache_key=%u%s *
   userdb vpopmail {
   user = vpopmail

namespace private   {
   separator = .
   prefix = INBOX.
   inbox = yes

# Hardlinks speed things up:
maildir_copy_with_hardlinks = yes
maildir_copy_preserve_filename = yes

One unique thing about the dovecot.conf file for daemontools is the line which configures logging to stderr. This will be clearer when the run script is considered. Other items to notice are the standard vpopmail user and group id's designated by the four first_valid_, last_valid_ entries. These are typically 89 if you followed the vpopmail configuration instructions. The certificates which will be used for TLS and/or SSL encryption are the same ones qmail uses for TLS in the SMTP service.

I also disable plain text login which prevents any user from logging in without a secure connection. This will not prevent an attempt but authentication will not be checked against the selected mechanism without a secure connection. An insecure attempt will result in a warning message which alerts the user to the fact that they are using an insecure connection and may have just compromised their login information.

The items under namespace private will allow for existing courier IMAP style folders. This is useful if you are migrating from courier IMAP.

Daemontools Config

Setup the service directories for dovecot under daemontools. I like to put all of my services to be run by daemon tools in a central location which is under /var/supervise/. But any location will work.

mkdir -p /var/supervise/dovecot/log
chmod 755 /var/supervise/dovecot /var/supervise/dovecot/log

Now setup the run script in /var/supervise/dovecut/run (or wherever you set up the service dirs).

exec /usr/local/sbin/dovecot -F 2>&1

This is a very straightforward run script with the exception of the -F. This option tells Dovecot to run in the foreground instead of as a daemon. Dovecot will not work under daemontools running in daemon mode (nor will any program). You will also note the common 2>&1 which tells the shell to pipe all error messages to standard output.

The log run file (located in /var/supervise/dovecot/log/run) can also be very simple. Here is mine which puts all log messages in /var/log/dovecot:

exec env - PATH="$VQ/bin:/usr/local/bin:/usr/bin:/bin" \
   multilog t n1024 s1048576 /var/log/dovecot

Make both run files executable and set permissions:

chmod 755 /var/supervise/dovecot/run /var/supervise/dovecot/log/run

Now start up the dovecot service in the standard way by linking to the /service/ directory:

cd /service
ln -s /var/supervise/dovecot/run ./ 


Using the tail command on the dovecot multilog file will allow you to watch the connections in real time while you test:

cd /var/log/dovecot
tail -n 25 -F current | tai64nlocal

Now, in a separate terminal, try connecting to the IMAP port of your server where dovecot is running. Telnet to port 143 of your server (standard IMAP port). Issue these commands:

a002 logout

Here is an example of output with a successful install:

user@puter:~$ telnet 143
Connected to
Escape character is '^]'.
* OK Message in dovecot.conf.
a001 OK Capability completed.
a002 logout
* BYE Logging out
a002 OK Logout completed.
Connection closed by foreign host.

If you want to do a more complete test via the terminal, here are some commands for testing IMAP with TLS. I have added some comments to these commands which are in parenthesis on the far right:

openssl s_client -starttls imap -crlf -connect
a01 login username passwd
a02 list "Maildir" "*"     (list all folders)
a04 FETCH 1:* FLAGS        (flags is kind of like status.  This is asking for 
                             status of all messages in the INBOX).
a05 FETCH 1 full           (get full header for the most recent message)
a06 FETCH 1 body[text]     (get body of message)
a07 logout

To delete a message:

a08 store 3 +FLAGS (\Deleted)  (The number here is the message number)
a09 expunge                    (expunge will commit the delete)

If you are successful using these commands to view and delete messages, you should have a working Dovecot IMAP server. You are now ready to use a normal IMAP client (such as Thunderbird for example). Settings for a particular IMAP client should be easy so fire it up and give it a try!


All material on is copyright © Bob Wooldridge
Contact: bobber @