How to Install Dovecot IMAP Server and Enable TLS Encryption on Ubuntu 20.04

This is Part 2 of the tutorial on how to build a mail server on Ubuntu 20.04. In Part One, we installed Postfix as the SMTP server. In this section, we’ll continue by installing Dovecot as the IMAP server so that our mail server can be used to send and receive emails through desktop or mobile mail clients like Thunderbird or Outlook. We’ll also enable TLS encryption to make our emails more secure and protected from interception.

We won’t use POP3 as the Mail User Agent protocol because it’s no longer commonly used.

Let’s get started with installing Dovecot IMAP Server and enabling TLS encryption on our Ubuntu Server.


1. Request an SSL Certificate for the Server Hostname Using Let’s Encrypt

First, update your repository:

sudo apt update

Next, we’ll request an SSL certificate from Let’s Encrypt. Certbot will use Nginx to validate the hostname. If you’re using Apache, install python3-certbot-apache instead.

sudo apt -y install certbot python3-certbot-nginx

Create a server block for your FQDN hostname (use hostname --fqdn to check). For example:

sudo nano /etc/nginx/sites-available/mailserver.yourdomain.com

Insert the following block (adjust for your hostname):

server {
    listen 80;
    root /var/www/mailserver.yourdomain.com;
    index index.html;
    server_name mailserver.yourdomain.com;

    location / {
        try_files $uri $uri/ =404;
    }
}

Activate the block:

sudo ln -s /etc/nginx/sites-available/mailserver.yourdomain.com /etc/nginx/sites-enabled/
sudo mkdir /var/www/mailserver.yourdomain.com
sudo systemctl reload nginx
sudo ufw allow 'Nginx HTTP'

Now request the SSL certificate:

sudo certbot certonly --nginx

Follow the prompts:

  • Enter your email
  • Agree to the terms
  • Choose your domain (e.g. option 1 for mailserver.yourdomain.com)

SSL certificates will be stored at:

/etc/letsencrypt/live/mailserver.yourdomain.com/

2. Enable Submission in Postfix

To allow sending/receiving email via clients like Outlook or Thunderbird, enable submission:

sudo nano /etc/postfix/master.cf

Add the following to the bottom of the file:

submission inet n - y - - smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth

To support Outlook (port 465), also add:

smtps inet n - y - - smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth

Now edit Postfix main config:

sudo nano /etc/postfix/main.cf

Update TLS settings with the correct certificate path:

smtpd_tls_cert_file=/etc/letsencrypt/live/mailserver.yourdomain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mailserver.yourdomain.com/privkey.pem

Add these lines:

smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Restart Postfix:

sudo systemctl restart postfix

Allow the necessary ports:

sudo ufw allow 'Postfix Submission'
sudo ufw allow 'Postfix SMTPS'

3. Install and Enable Dovecot (IMAP Server)

sudo apt -y install dovecot-core dovecot-imapd

Enable IMAP in Dovecot:

sudo nano /etc/dovecot/dovecot.conf

Add at the bottom:

protocols = imap

4. Set Mailbox Location

Update mailbox storage format to Maildir:

sudo nano /etc/dovecot/conf.d/10-mail.conf

Change:

mail_location = maildir:~/Maildir

Then:

sudo adduser dovecot mail

5. Configure Authentication

Edit:

sudo nano /etc/dovecot/conf.d/10-auth.conf

Add at the bottom:

disable_plaintext_auth = yes
auth_username_format = %n

Then change:

auth_mechanisms = plain login

6. Enable TLS in Dovecot

sudo nano /etc/dovecot/conf.d/10-ssl.conf

Update:

ssl = required
ssl_cert = </etc/letsencrypt/live/mailserver.yourdomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mailserver.yourdomain.com/privkey.pem

Add:

ssl_prefer_server_ciphers = yes
# Dovecot 2.3 (the version packaged for Ubuntu 20.04) replaced ssl_protocols with ssl_min_protocol
ssl_min_protocol = TLSv1.2

7. Enable SASL Auth for Postfix

sudo nano /etc/dovecot/conf.d/10-master.conf

Find service auth and set:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

8. Auto-Create Mail Folders

Edit:

sudo nano /etc/dovecot/conf.d/15-mailboxes.conf

Example:

mailbox Drafts {
  special_use = \Drafts
  auto = create
}

Repeat for Inbox, Sent, Junk, Trash, etc.


9. Install and Configure Dovecot LMTP

sudo apt -y install dovecot-lmtpd

Enable in:

sudo nano /etc/dovecot/dovecot.conf

Update:

protocols = imap lmtp

Then:

sudo nano /etc/dovecot/conf.d/10-master.conf

Add:

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

Edit Postfix:

sudo nano /etc/postfix/main.cf

Add:

mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no

Restart services:

sudo systemctl restart postfix dovecot

Open IMAP ports:

sudo ufw allow 'Dovecot IMAP'
sudo ufw allow 'Dovecot Secure IMAP'
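
With both services restarted, it is worth confirming that the effective settings match what steps 2, 5 and 6 intended. The script below is an added example, not part of the original tutorial: it audits "key = value" lines as printed by doveconf and postconf. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "key = value" lines (doveconf/postconf output) against
# the TLS and auth settings chosen in steps 2, 5 and 6 of this tutorial.

value_of() {  # value_of KEY TEXT: value of the last "KEY = value" line
    printf '%s\n' "$2" | awk -v k="$1" '
        index($0, k " = ") == 1 { v = substr($0, length(k) + 4) }
        END { print v }'
}
check() {  # check KEY GLOB TEXT: value of KEY must match shell pattern GLOB
    got=$(value_of "$1" "$3")
    case $got in $2) return 0 ;; esac
    echo "FAIL: $1 = '$got' (expected $2)"; return 1
}
excludes_legacy() {  # excludes_legacy KEY TEXT: SSLv3, TLSv1, TLSv1.1 negated
    got=$(value_of "$1" "$2")
    for p in SSLv3 TLSv1 TLSv1.1; do
        printf '%s\n' "$got" | tr ', ' '\n\n' | grep -qxF -e "!$p" ||
            { echo "FAIL: $1 = '$got' does not exclude $p"; return 1; }
    done
}
audit_tls_conf() {  # settings on stdin; prints findings, returns their count
    conf=$(cat); n=0
    check ssl required "$conf" || n=$((n + 1))
    check ssl_min_protocol 'TLSv1.[23]' "$conf" || n=$((n + 1))
    check disable_plaintext_auth yes "$conf" || n=$((n + 1))
    check submission/inet/smtpd_tls_security_level encrypt "$conf" || n=$((n + 1))
    for key in smtpd_tls_mandatory_protocols smtpd_tls_protocols \
               smtp_tls_mandatory_protocols smtp_tls_protocols; do
        excludes_legacy "$key" "$conf" || n=$((n + 1))
    done
    return "$n"
}

# Constructed sample: Dovecot left at "ssl = yes", one Postfix list incomplete
SAMPLE_WEAK='ssl = yes
ssl_min_protocol = TLSv1.2
disable_plaintext_auth = yes
submission/inet/smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
printf '%s\n' "$SAMPLE_WEAK" | audit_tls_conf || echo "$? finding(s)"

# On the server, run as root and feed the live values instead:
#   { doveconf ssl ssl_min_protocol disable_plaintext_auth
#     postconf smtpd_tls_mandatory_protocols smtpd_tls_protocols \
#              smtp_tls_mandatory_protocols smtp_tls_protocols
#     postconf -P submission/inet/smtpd_tls_security_level; } | audit_tls_conf
```

A missing key counts as a finding, so an empty result from doveconf or postconf is reported rather than silently passed.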

10. Test with Thunderbird or Outlook

Your email account is your Ubuntu username + domain.
For example, if your Ubuntu user is john, then your email is john@yourdomain.com.

To add a new email account:

sudo adduser newusername

Then test using a mail client like Thunderbird:

Manual Config Example:

  • Incoming (IMAP):
    Host: mailserver.yourdomain.com
    Port: 143
    SSL: STARTTLS
    Auth: Normal Password
  • Outgoing (SMTP):
    Host: mailserver.yourdomain.com
    Port: 587
    SSL: STARTTLS
    Auth: Normal Password

Use the username without @yourdomain.com in both fields.


What’s Next?

If you can send and receive emails from Thunderbird — congrats! 🎉 You’ve successfully completed Part 2.

However, your emails may still be flagged as spam. In the next part, we’ll set up SPF and DKIM records to help improve deliverability and trust.

👉 Stay tuned for Part 3: How to Configure SPF and DKIM for Mail Server on Ubuntu!
