Dovecot ist ein sicherer und schneller IMAP/POP3-Server. Er ermöglicht E-Mail-Clients wie Thunderbird oder Outlook den Zugriff auf Postfächer.

Installation

Debian/Ubuntu

apt update
apt install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd

CentOS/RHEL

dnf install dovecot

Service aktivieren

systemctl enable --now dovecot

Grundkonfiguration

Protokolle aktivieren

# /etc/dovecot/dovecot.conf

protocols = imap pop3 lmtp
listen = *, ::

Mail-Speicherort

# /etc/dovecot/conf.d/10-mail.conf

# Maildir-Format
mail_location = maildir:~/Maildir

# Oder für virtuelle Benutzer
mail_location = maildir:/var/mail/vhosts/%d/%n

Authentifizierung

# /etc/dovecot/conf.d/10-auth.conf

# Refuse password-bearing mechanisms on connections that are not protected by
# TLS. Dovecot treats a connection coming from the server's own IP as secure,
# so local test logins are still accepted without TLS.
disable_plaintext_auth = yes
# PLAIN and LOGIN both transmit the password itself; that is acceptable only
# because TLS is enforced (ssl = required in 10-ssl.conf). LOGIN is a legacy
# mechanism kept for older clients; PLAIN alone is enough for current ones.
auth_mechanisms = plain login

# Default auth (Unix system users)
!include auth-system.conf.ext

# Virtual users (SQL/LDAP)
# !include auth-sql.conf.ext

SSL/TLS einrichten

Zertifikate

# /etc/dovecot/conf.d/10-ssl.conf

# "required" makes every authentication attempt fail until the connection is
# encrypted (implicit TLS on 993/995 or STARTTLS on 143/110).
ssl = required
# The leading "<" tells Dovecot to read the file's contents instead of using
# the path itself as the value. privkey.pem must stay readable by root only.
# Reload Dovecot after each certificate renewal so the new certificate is used.
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

# Modern settings
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
# This list applies to TLS 1.2 and older; TLS 1.3 suites are not controlled
# by this setting.
# NOTE(review): only two AES-128-GCM suites are offered, so a client that
# supports neither cannot connect over TLS 1.2 - widen the list if needed.
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

Ports

IMAP:    143 (STARTTLS)
IMAPS:   993 (SSL/TLS)
POP3:    110 (STARTTLS)
POP3S:   995 (SSL/TLS)

Postfix-Integration

LMTP-Zustellung

# /etc/dovecot/conf.d/10-master.conf

service lmtp {
  # Socket placed under Postfix's spool directory so that Postfix can reach it
  # as private/dovecot-lmtp. Mode 0600 with owner postfix means that only the
  # Postfix user can hand mail to LMTP through this socket.
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
# /etc/postfix/main.cf

virtual_transport = lmtp:unix:private/dovecot-lmtp

SASL-Authentifizierung

# /etc/dovecot/conf.d/10-master.conf

service auth {
  # Auth socket used by Postfix for SMTP AUTH. Any process that can open this
  # socket can submit credentials for verification, so access stays limited to
  # user/group postfix (0660); do not widen it to world-accessible.
  # The Postfix side is not shown on this page: it needs
  # smtpd_sasl_type = dovecot and smtpd_sasl_path = private/auth, plus
  # smtpd_tls_auth_only = yes so that passwords are accepted only over TLS.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Virtuelle Benutzer

Passwort-Datei

# /etc/dovecot/conf.d/auth-passwdfile.conf.ext

passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = /etc/dovecot/users
}

Benutzer anlegen

# /etc/dovecot/users
# This file holds password hashes and must not be world-readable (for example
# owner root, mode 0600 - TODO confirm against the user the auth process
# runs as on this system).

# Format: user:password:uid:gid:realname:home:shell
user@example.com:{SHA512-CRYPT}$6$...:5000:5000::/var/mail/vhosts/example.com/user::

# Generate a password hash. Without -p the password is prompted for, so it
# does not end up in the shell history or the process list.
doveadm pw -s SHA512-CRYPT

SQL-Backend (MySQL)

# /etc/dovecot/conf.d/auth-sql.conf.ext

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
# /etc/dovecot/dovecot-sql.conf.ext
# This file holds the database password in clear text: owner root, mode 0600.

driver = mysql
# "password=password" is a placeholder. Use a long random secret and a
# database account that has only SELECT rights on the mail tables.
connect = host=localhost dbname=mailserver user=mailuser password=password

default_pass_scheme = SHA512-CRYPT

# Dovecot escapes %u, %d and %n before substituting them into the query, so
# the quoted '%u' below is not an SQL injection point.
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u'

user_query = SELECT 'maildir:/var/mail/vhosts/%d/%n' as mail, 5000 AS uid, 5000 AS gid FROM virtual_users WHERE email='%u'

Sieve (Filterregeln)

Installation

apt install dovecot-sieve dovecot-managesieved

Konfiguration

# /etc/dovecot/conf.d/90-sieve.conf

plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_default = /var/mail/sieve/default.sieve
  sieve_global_dir = /var/mail/sieve/global/
}

LMTP mit Sieve

# /etc/dovecot/conf.d/20-lmtp.conf

protocol lmtp {
  mail_plugins = $mail_plugins sieve
}

Beispiel-Sieve-Script

# ~/.dovecot.sieve

require ["fileinto", "envelope"];

# Spam in Ordner verschieben
if header :contains "X-Spam-Flag" "YES" {
    fileinto "Junk";
    stop;
}

# Mailingliste
if header :contains "List-Id" "announce" {
    fileinto "Lists.Announcements";
    stop;
}

# Absender-Regel
if address :is "from" "boss@example.com" {
    fileinto "Important";
}

Sieve kompilieren

sievec ~/.dovecot.sieve

Quotas

Quota-Plugin

# /etc/dovecot/conf.d/90-quota.conf

plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M

  # Format: <limit> <service name> <arguments>. "%%" is a literal percent
  # sign; the service is called with the percentage and the user name (%u).
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
}

service quota-warning {
  # quota-warning.sh is not shown on this page. It receives the user name as
  # an argument and must quote it wherever it is used.
  executable = script /usr/local/bin/quota-warning.sh
  # NOTE(review): upstream examples run this service as the unprivileged
  # mail-owning user and also declare a "unix_listener quota-warning { ... }"
  # inside it so that mail processes can reach the service - confirm both
  # for this setup.
  user = dovecot
}

Quota aktivieren

# /etc/dovecot/conf.d/20-imap.conf

protocol imap {
  mail_plugins = $mail_plugins quota imap_quota
}

# /etc/dovecot/conf.d/20-lmtp.conf
protocol lmtp {
  mail_plugins = $mail_plugins quota
}

Quota abfragen

doveadm quota get -u user@example.com
doveadm quota recalc -u user@example.com

Namespaces

Shared Folders

# /etc/dovecot/conf.d/10-mail.conf

# The user's own mailboxes, including INBOX.
namespace {
  type = private
  separator = /
  prefix =
  inbox = yes
}

# Mailboxes that other users have shared. %%u stands for the owner of the
# shared mailbox, not for the user who is logged in.
# NOTE(review): shared namespaces rely on the acl plugin to decide who may see
# whose folders; the plugin is not enabled anywhere on this page - confirm it
# is configured before exposing shared/.
namespace {
  type = shared
  separator = /
  prefix = shared/%%u/
  location = maildir:/var/mail/shared/%%u:INDEX=~/Maildir/shared/%%u
  subscriptions = no
  list = children
}

Public Folders

# Folders visible to every user under the Public/ prefix.
# NOTE(review): no ACLs are configured on this page, so who may read or write
# here presumably depends on the file system permissions of /var/mail/public
# alone - confirm and restrict them deliberately.
namespace {
  type = public
  separator = /
  prefix = Public/
  location = maildir:/var/mail/public
  subscriptions = no
}

Logging

Log-Konfiguration

# /etc/dovecot/conf.d/10-logging.conf

# Errors and warnings go to log_path; info and debug messages are split off
# into their own files. The logs contain user names and client IPs: keep all
# three files readable by administrators only and include them in rotation.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
debug_log_path = /var/log/dovecot-debug.log

# Log failed authentication attempts together with the reason for the failure.
auth_verbose = yes
# Never write attempted passwords to the log.
auth_verbose_passwords = no
mail_debug = no

Logs lesen

tail -f /var/log/dovecot.log
doveadm log errors

Verwaltung mit doveadm

Benutzer verwalten

# Alle Mailboxen auflisten
doveadm mailbox list -u user@example.com

# Mailbox erstellen
doveadm mailbox create -u user@example.com Archive

# Mails suchen
doveadm search -u user@example.com mailbox INBOX from boss@example.com

# Mails löschen (älter als 30 Tage im Trash)
doveadm expunge -u user@example.com mailbox Trash savedbefore 30d

Index-Verwaltung

# Index neu aufbauen
doveadm index -u user@example.com INBOX

# Alle Benutzer
doveadm index -A INBOX

Verbindungen

# Aktive Verbindungen
doveadm who

# Benutzer trennen
doveadm kick user@example.com

Client-Einstellungen

IMAP

Server: mail.example.com
Port: 993
Sicherheit: SSL/TLS
Authentifizierung: Normal password
Benutzername: user@example.com

SMTP (Postfix)

Server: mail.example.com
Port: 587
Sicherheit: STARTTLS
Authentifizierung: Normal password
Benutzername: user@example.com

Troubleshooting

Verbindungstest

# IMAP test over implicit TLS (use a dedicated test account)
openssl s_client -connect mail.example.com:993

# After the connection is established:
a LOGIN user@example.com password
b LIST "" "*"
c LOGOUT

# Telnet (unencrypted) - only for checking that the port answers. Do not send
# LOGIN here: everything typed crosses the network in clear text, and with
# disable_plaintext_auth = yes the server refuses it anyway.
# To test STARTTLS on port 143 use instead:
#   openssl s_client -starttls imap -connect mail.example.com:143
telnet mail.example.com 143

Authentifizierung testen

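# Leave the password off the command line: doveadm prompts for it, which
# keeps it out of the shell history and the process list.
doveadm auth test user@example.com
doveadm auth login user@example.com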

Häufige Fehler

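# Permission denied
# -> check ownership and permissions
ls -la /var/mail/vhosts/

# Auth failed
# -> check the password hash; the password is prompted for, because passing
#    it with -p would leave it in the shell history and the process list
doveadm pw -t '{SHA512-CRYPT}$6$...'

# Mailbox not found
# -> check mail_location
doveadm user user@example.com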

Sicherheit

Fail2ban

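# /etc/fail2ban/jail.local

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
# Watch both files: the logging section of this guide sets info_log_path, so
# info-level lines - which include failed logins - are written to
# dovecot-info.log and would be missed if only dovecot.log were monitored.
logpath = /var/log/dovecot.log
          /var/log/dovecot-info.log
maxretry = 5
bantime = 3600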

Firewall

ufw allow 993/tcp  # IMAPS
ufw allow 995/tcp  # POP3S
ufw allow 143/tcp  # IMAP (optional)
ufw allow 110/tcp  # POP3 (optional)

Zusammenfassung

| Befehl | Funktion |
|--------|----------|
| doveadm who | Aktive Verbindungen |
| doveadm kick user | Benutzer trennen |
| doveadm auth test | Auth testen |
| doveadm mailbox list | Ordner auflisten |
| doveadm quota get | Quota anzeigen |
| doveadm pw | Passwort-Hash erstellen |

| Port | Protokoll |
|------|-----------|
| 993 | IMAPS (SSL) |
| 995 | POP3S (SSL) |
| 143 | IMAP (STARTTLS) |
| 110 | POP3 (STARTTLS) |

Fazit

Dovecot ist der Standard-IMAP-Server für Linux. Die Integration mit Postfix über LMTP und SASL ist unkompliziert. Sieve ermöglicht serverseitige Filterregeln, und Quotas begrenzen den Speicherverbrauch. Für Produktivsysteme empfiehlt sich eine Kombination mit Postfix und Anti-Spam-Maßnahmen. Komplettlösungen wie iRedMail oder Mailcow vereinfachen das Setup erheblich.