Phase 3: Dovecot IMAP

Objective

Install and configure dovecot as the IMAP server. Maildir storage, TLS via Vault certificate, authentication against local users (AD integration as stretch goal).

Concepts

MDA (Mail Delivery Agent)
    Software that delivers mail to the recipient's mailbox. Dovecot serves as both MDA and IMAP server.

IMAP (Internet Message Access Protocol)
    Protocol for reading mail from a server. Mail stays on the server, so multiple clients can access it.

Maildir
    One-file-per-message storage format. Three subdirectories: new/, cur/, tmp/. Concurrent-safe, no locking.

IMAPS
    IMAP over implicit TLS (port 993). The connection is encrypted from the first byte.
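The "no locking" property of Maildir comes from how delivery is sequenced, not from the directory layout alone. The following added example (not from this guide; Dovecot's own LDA does this in C) shows that sequence in POSIX sh: write under tmp/, then rename into new/. Because rename is atomic within one filesystem, a reader scanning new/ and cur/ sees each message either complete or not at all.

```shell
#!/bin/sh
# Added example (not from the guide): the Maildir delivery sequence in shell.
# A message is written under tmp/ and then renamed into new/; rename(2) is
# atomic within one filesystem, so a reader scanning new/ and cur/ either sees
# the whole message or does not see it yet. That is why Maildir needs no locks.

# Create the three subdirectories under the Maildir at $1 (e.g. ~/Maildir).
maildir_init() {
    mkdir -p "$1/tmp" "$1/new" "$1/cur" || return 1
    chmod 700 "$1" "$1/tmp" "$1/new" "$1/cur"
}

# Deliver the message read from stdin into the Maildir at $1.
# Prints the final path in new/ on success, returns non-zero on failure.
maildir_deliver() {
    dir="$1"
    # Unique filename: <epoch>.<pid>.<random>. mktemp creates it exclusively
    # in tmp/, so two concurrent writers can never pick the same name. (Real
    # MDAs append the hostname as a final component; omitted here so the
    # mktemp template stays portable.)
    tmpf="$(mktemp "$dir/tmp/$(date +%s).$$.XXXXXX")" || return 1
    newf="$dir/new/${tmpf##*/}"
    if ! cat > "$tmpf"; then
        rm -f "$tmpf"      # never leave a half-written file behind
        return 1
    fi
    # Same filesystem, so mv is a single rename(): the message appears in new/
    # complete or not at all.
    mv "$tmpf" "$newf" || { rm -f "$tmpf"; return 1; }
    printf '%s\n' "$newf"
}

# Number of messages a reader would see: everything in new/ plus cur/.
maildir_count() {
    n=0
    for f in "$1"/new/* "$1"/cur/*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage: maildir_init ~/Maildir && printf 'Subject: hi\n\nbody\n' | maildir_deliver ~/Maildir
```

The important detail is that tmp/ is never read by IMAP clients, so a crash mid-write leaves at worst a stale file in tmp/ (which Dovecot cleans up) and never a truncated message in a mailbox.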

Installation

sudo dnf install -y dovecot
sudo systemctl enable dovecot

Configuration

# Mail location — Maildir format
sudo sed -i 's|^#mail_location =.*|mail_location = maildir:~/Maildir|' /etc/dovecot/conf.d/10-mail.conf

# Verify
sudo awk '/^mail_location/' /etc/dovecot/conf.d/10-mail.conf

TLS Configuration

# Use same Vault-issued cert as postfix
sudo tee /etc/dovecot/conf.d/10-ssl.conf.local <<'DOVECOT'
ssl = required
ssl_cert = </etc/ssl/certs/mail-01.crt
ssl_key = </etc/ssl/private/mail-01.key
ssl_ca = </etc/ssl/certs/mail-01-ca.crt
ssl_min_protocol = TLSv1.2
DOVECOT

# Include local config
echo '!include conf.d/10-ssl.conf.local' | sudo tee -a /etc/dovecot/local.conf

Authentication

# Default: PAM authentication (local users)
# Verify auth mechanism
sudo awk '/^auth_mechanisms/' /etc/dovecot/conf.d/10-auth.conf

# Ensure passdb and userdb use PAM
sudo doveconf -n | grep -E 'passdb|userdb'
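The TLS and authentication sections above each verify one setting by eye. The added example below (not from the guide) turns both into a single repeatable audit of a `doveconf -n` dump: it checks that ssl is `required`, that the minimum protocol is TLS 1.2 or 1.3, that a certificate is configured, that `disable_plaintext_auth` has not been switched off, that mail_location is a Maildir path, and that passdb/userdb are pam/passwd as this phase expects. The file path and the `fail` helper are this example's own; the setting names are Dovecot's.

```shell
#!/bin/sh
# Added example (not from the guide): audit a `doveconf -n` dump against the
# settings this phase expects. Typical use on the mail host:
#   sudo doveconf -n > /tmp/dovecot-n.txt && audit_dovecot_conf /tmp/dovecot-n.txt
# Prints one line per failed check and returns the failure count (0 = good).

# Print the value of setting $3 in dump file $1, looking inside block $2
# ("" for top level, "passdb" / "userdb" for those blocks). Empty if absent.
dovecot_setting() {
    awk -v b="$2" -v k="$3" '
        /\{[ \t]*$/ { depth++; if (depth == 1) blk = $1; next }   # e.g. "passdb {"
        /^[ \t]*\}/ { depth--; if (depth == 0) blk = "";  next }   # leave a block
        $1 == k && $2 == "=" && ((b == "" && depth == 0) || (b == blk && depth == 1)) {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

audit_dovecot_conf() {
    conf="$1"; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    [ "$(dovecot_setting "$conf" "" ssl)" = "required" ] \
        || fail "ssl must be 'required' so unencrypted IMAP sessions are refused"
    case "$(dovecot_setting "$conf" "" ssl_min_protocol)" in
        TLSv1.2|TLSv1.3) ;;
        *) fail "ssl_min_protocol must be TLSv1.2 or TLSv1.3" ;;
    esac
    [ -n "$(dovecot_setting "$conf" "" ssl_cert)" ] \
        || fail "ssl_cert is not set"
    # doveconf -n prints only non-default values; the default is yes, so only
    # an explicit 'no' is a problem.
    [ "$(dovecot_setting "$conf" "" disable_plaintext_auth)" != "no" ] \
        || fail "disable_plaintext_auth = no permits password auth without TLS"
    case "$(dovecot_setting "$conf" "" mail_location)" in
        maildir:*) ;;
        *) fail "mail_location is not a Maildir path" ;;
    esac
    [ "$(dovecot_setting "$conf" passdb driver)" = "pam" ] \
        || fail "passdb driver is not pam"
    [ "$(dovecot_setting "$conf" userdb driver)" = "passwd" ] \
        || fail "userdb driver is not passwd"

    [ "$fails" -eq 0 ] && echo "OK: all checks passed"
    return "$fails"
}
```

Note that `doveconf -n` prints `ssl_key = # hidden, use -P to show it` rather than the key path; that is why the audit checks ssl_cert and leaves key-file permissions to a separate `ls -l` on the path in 10-ssl.conf.local.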

Firewall

sudo firewall-cmd --permanent --add-service=imaps
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Restart and Verify

sudo systemctl restart dovecot
sudo systemctl status dovecot

# Test TLS connection
openssl s_client -connect 10.50.1.91:993

# Test with aerc (from workstation)
# Add to ~/.config/aerc/accounts.conf:
# [mail-lab]
# source = imaps://evan@mail-01.inside.domusdigitalis.dev:993
# outgoing = smtp+starttls://evan@mail-01.inside.domusdigitalis.dev:587
# default = INBOX
# from = Evan Rosado <evan@inside.domusdigitalis.dev>
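The bare `openssl s_client -connect host:993` above proves that something answers TLS on 993, but it does not verify the chain against the Vault CA (it reports "unable to get local issuer certificate" and carries on) and, without `-servername`, it skips the hostname check. The added example below (not from the guide) wraps the probe with the CA file and SNI name from this phase and parses the transcript, so the check fails unless the chain verifies, the protocol is TLS 1.2 or newer, and Dovecot's IMAP greeting arrives. The helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): a stricter IMAPS probe than a bare
# `openssl s_client -connect`. The transcript parser is a separate function so
# it can be run over captured output without a network connection.

# Read an `openssl s_client` transcript on stdin. Return 0 only if the chain
# verified, the negotiated protocol is TLS 1.2 or 1.3, and the server sent
# Dovecot's IMAP greeting ("* OK [CAPABILITY ...] Dovecot ready.").
imaps_transcript_ok() {
    awk '
        /^Verify return code: 0 \(ok\)/             { verified = 1 }
        /^[ \t]*Protocol[ \t]*:[ \t]*TLSv1\.[23]/   { proto = 1 }
        /^\* OK .*Dovecot/                          { greeted = 1 }
        END { exit !(verified && proto && greeted) }
    '
}

# imaps_probe <host> <port> <ca-file>
# Sends a LOGOUT so the server closes the session cleanly; -ign_eof keeps
# s_client reading until that close so the greeting is captured.
imaps_probe() {
    printf 'a1 LOGOUT\r\n' \
        | openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" -ign_eof 2>&1 \
        | imaps_transcript_ok
}

# Usage on the workstation (CA path is the one installed in Phase 3):
#   imaps_probe mail-01.inside.domusdigitalis.dev 993 /etc/ssl/certs/mail-01-ca.crt \
#       && echo "IMAPS OK" || echo "IMAPS check FAILED"
```

If the probe fails while the plain `s_client` "works", read the transcript by hand: a non-zero "Verify return code" means the CA file or the certificate's SAN does not match the name you connected to, which a mail client such as aerc will also reject.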

Verification Checklist

  • Dovecot running: systemctl is-active dovecot

  • IMAPS responds: openssl s_client -connect 10.50.1.91:993 shows certificate

  • Login works: doveadm auth test evan

  • aerc connects and shows test message from Phase 2

  • SELinux permits: sudo ausearch -m avc -ts recent | grep dovecot shows no denials