Prerequisites

Before you begin, ensure you have:

  • Root access to the server
  • Dovecot installed and running
  • Your SSL certificate files (CRT and Key)

Step 1 — Configure Dovecot (10-ssl.conf)

The SSL settings in Dovecot are typically located in /etc/dovecot/conf.d/10-ssl.conf.

# Enable SSL
ssl = required

# Path to certificate and key
# Note: the < prefix tells Dovecot to read the value from the file at that path
ssl_cert = </etc/ssl/certs/mail.yourdomain.crt
ssl_key = </etc/ssl/private/mail.yourdomain.key

# (Optional) If you have a CA Bundle, append it to the certificate file
# or use ssl_ca if your Dovecot version supports it.

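# Preferred SSL protocols and ciphers
# On Dovecot 2.3 and later, ssl_protocols is replaced by ssl_min_protocol
# (for example: ssl_min_protocol = TLSv1.2).
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL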

Certificate format: Dovecot expects the certificate and the intermediate CA chain to be in the same file. You can combine them using: cat cert.crt bundle.crt > combined.crt.
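
The combined file and the key can be checked offline before Dovecot is restarted. The script below is an added example, not part of the original guide: its function names are illustrative, it assumes openssl is on the PATH, and it checks chain order by comparing issuer and subject names rather than verifying signatures.

```sh
#!/bin/sh
# Pre-restart checks for the files named in ssl_cert and ssl_key.
# Function names are illustrative; pass your own paths as arguments.

# Number of PEM certificate blocks in file $1.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth (1-based) certificate block of file $1.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }' "$1"
}

# Succeed only if the FIRST certificate in $1 holds the public key of key $2.
# openssl x509 reads only the first certificate, which must be the server's.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed if every certificate's issuer equals the subject of the next one,
# i.e. the file is ordered leaf first, then intermediates. This compares
# names only; it does not verify signatures.
chain_in_order() {
    n=$(cert_count "$1"); i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(nth_cert "$1" "$i" | openssl x509 -nameopt RFC2253 -noout -issuer | sed 's/^issuer= *//')
        sub=$(nth_cert "$1" $((i + 1)) | openssl x509 -nameopt RFC2253 -noout -subject | sed 's/^subject= *//')
        [ -n "$iss" ] && [ "$iss" = "$sub" ] || return 1
        i=$((i + 1))
    done
}

# Usage: sh check.sh /path/to/combined.crt /path/to/private.key
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match first certificate"; exit 1; }
    chain_in_order "$1" || { echo "FAIL: certificates are not in leaf-first order"; exit 1; }
    echo "OK: $(cert_count "$1") certificate(s), key matches, order is leaf first"
fi
```

A file built in the wrong order (cat bundle.crt cert.crt) fails the first check, because the key is compared against the first certificate in the file.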

Step 2 — Restart Dovecot

After updating the configuration, restart the Dovecot service:

sudo systemctl restart dovecot

Step 3 — Verify Installation

Test the IMAP/TLS connection using openssl:

openssl s_client -connect mail.yourdomain.com:993

For POP3/TLS:

openssl s_client -connect mail.yourdomain.com:995

If successful, you will see your certificate details and a "Secure" connection status.