
Last updated: 2026-06-25

Dovecot TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Dovecot, a secure and high-performance IMAP and POP3 mail server. TLS encryption protects email credentials and message content as they are retrieved by mail clients.

Prerequisites

  • Dovecot 2.3.0 or later (for ssl_min_protocol support; see Version Notes for older alternatives)
  • OpenSSL 1.1.1 or later
  • A valid SSL/TLS certificate from a trusted CA

Certificate Configuration

Dovecot uses the < prefix to read file contents directly into the configuration:

ssl_cert = </etc/dovecot/ssl/fullchain.pem
ssl_key = </etc/dovecot/ssl/privkey.pem

The < prefix is required. Without it, Dovecot treats the value as a literal string, not a file path.

Path note: This guide uses custom paths under /etc/dovecot/ssl/. Distribution defaults differ: RHEL places certs in /etc/pki/dovecot/certs/ and keys in /etc/pki/dovecot/private/. Debian/Ubuntu uses /etc/dovecot/private/.

Enable and Require TLS

Set ssl to required to enforce encrypted connections for all clients:

ssl = required

Available values:

  • no - TLS disabled
  • yes - TLS available but not required (clients can connect in plaintext)
  • required - All connections must use TLS (recommended)

Protocol Versions

Set the minimum TLS version to 1.2:

ssl_min_protocol = TLSv1.2

Cipher Suites

Configure strong cipher suites with forward secrecy:

ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

For TLS 1.3 cipher suites (Dovecot 2.3.15+):

ssl_cipher_suites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

Enable server cipher preference:

ssl_prefer_server_ciphers = yes

ECDH Curve

Specify the elliptic curves for key exchange:

ssl_curve_list = P-256:P-384

DH Parameters

For older clients that use DHE key exchange, generate strong DH parameters. With a modern ECDHE-only cipher list this is optional, but harmless to include:

ssl_dh = </etc/dovecot/ssl/dh.pem

Generate the DH parameters file:

openssl dhparam -out /etc/dovecot/ssl/dh.pem 4096

Disable Plaintext Authentication Without TLS

Prevent clients from sending passwords over unencrypted connections:

auth_mechanisms = plain login
disable_plaintext_auth = yes

With ssl = required, this is redundant but provides defense in depth.

Per-Protocol Settings

If you run both IMAP and POP3, you can apply TLS settings per protocol:

protocol imap {
    ssl_cert = </etc/dovecot/ssl/imap-fullchain.pem
    ssl_key = </etc/dovecot/ssl/imap-privkey.pem
}

protocol pop3 {
    ssl_cert = </etc/dovecot/ssl/pop3-fullchain.pem
    ssl_key = </etc/dovecot/ssl/pop3-privkey.pem
}

In most cases, a single certificate for all protocols is sufficient.

Version Notes

Several TLS directives were introduced in different Dovecot releases. If you are running an older version, substitute or omit the following:

  • ssl_min_protocol - Requires Dovecot 2.3.0+. On older versions, use the legacy syntax instead: ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
  • ssl_cipher_suites (TLS 1.3 ciphers) - Requires Dovecot 2.3.15+. Omit this line on older versions; TLS 1.3 will still work with default cipher selection if your OpenSSL supports it.
  • ssl_curve_list - Requires Dovecot 2.3.0+. Omit on older versions.

Dovecot 2.4 - Dovecot 2.4.0 (December 2024) is the current stable series and renames several of the settings used in this guide. On 2.4, ssl_cert / ssl_key / ssl_ca / ssl_dh become ssl_server_cert_file / ssl_server_key_file / ssl_server_ca_file / ssl_server_dh_file, and the leading < prefix is dropped (the value is now a plain file path). ssl_prefer_server_ciphers becomes ssl_server_prefer_ciphers, and disable_plaintext_auth = yes becomes auth_allow_cleartext = no (note the inverted sense). The ssl_min_protocol, ssl_cipher_list, ssl_cipher_suites, and ssl_curve_list directives are unchanged. The Complete Configuration below uses the 2.3 syntax; translate the names above when deploying on 2.4.

Complete Configuration

Add these settings to /etc/dovecot/conf.d/10-ssl.conf (or your main dovecot.conf):

# Require TLS
ssl = required

# Certificate files
ssl_cert = </etc/dovecot/ssl/fullchain.pem
ssl_key = </etc/dovecot/ssl/privkey.pem

# Protocol version (requires Dovecot 2.3.0+)
# On older versions, use instead:
#   ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
ssl_min_protocol = TLSv1.2

# TLS 1.2 cipher suites
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

# TLS 1.3 cipher suites (requires Dovecot 2.3.15+; omit on older versions)
ssl_cipher_suites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# Cipher preference
ssl_prefer_server_ciphers = yes

# ECDH curves (requires Dovecot 2.3.0+; omit on older versions)
ssl_curve_list = P-256:P-384

# DH parameters (optional with ECDHE-only ciphers)
ssl_dh = </etc/dovecot/ssl/dh.pem

# Disable plaintext auth without TLS
disable_plaintext_auth = yes
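The settings above are easy to get subtly wrong: a missing < prefix on ssl_cert (Dovecot then treats the path as the PEM data), ssl = yes instead of required, or a minimum protocol below TLS 1.2. The following script is an added example, not part of this guide or of Dovecot, that audits a doveconf -n style dump against the recommendations in this guide. It also maps the Dovecot 2.4 directive names from the Version Notes onto their 2.3 equivalents so one set of checks covers both series; the two configuration dumps embedded in it are constructed for illustration, not captured from a real host.

```python
"""Audit a Dovecot TLS configuration dump against the settings recommended in
this guide. Added example, not Dovecot's own code. Input is the 'key = value'
text that `doveconf -n` prints; the samples below are constructed."""

# Dovecot 2.4 renamed several directives (see Version Notes). Map them onto the
# 2.3 names so one set of checks covers both series. auth_allow_cleartext has
# the inverted sense of disable_plaintext_auth, so its yes/no value is flipped.
RENAMES_24 = {
    "ssl_server_cert_file": "ssl_cert",
    "ssl_server_key_file": "ssl_key",
    "ssl_server_ca_file": "ssl_ca",
    "ssl_server_dh_file": "ssl_dh",
    "ssl_server_prefer_ciphers": "ssl_prefer_server_ciphers",
    "auth_allow_cleartext": "disable_plaintext_auth",
}
INVERTED = {"auth_allow_cleartext"}

# Protocol ranking used to compare ssl_min_protocol against the TLSv1.2 floor.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def parse_doveconf(text):
    """Parse 'key = value' lines into a dict normalised to 2.3 names.

    Returns (settings, is_24); is_24 is True when a 2.4 directive was seen.
    Block contents ({ ... }) are flattened onto the top level."""
    settings, is_24 = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line or line.endswith("{"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in RENAMES_24:
            is_24 = True
            if key in INVERTED:
                value = {"yes": "no", "no": "yes"}.get(value, value)
            key = RENAMES_24[key]
        settings[key] = value
    return settings, is_24


def audit(settings, is_24=False):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if settings.get("ssl") != "required":
        findings.append("ssl is not 'required': clients may connect without TLS")
    for key in ("ssl_cert", "ssl_key"):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is not set")
        elif not is_24 and not value.startswith("<"):
            # On 2.3 the '<' prefix makes Dovecot read the file; without it the
            # path string itself is used as the certificate or key data.
            findings.append(f"{key} lacks the '<' prefix (2.3 syntax)")
    minproto = settings.get("ssl_min_protocol")
    if minproto is None:
        findings.append("ssl_min_protocol is not set (needs Dovecot 2.3.0+; "
                        "use ssl_protocols on older releases)")
    elif PROTO_RANK.get(minproto, -1) < PROTO_RANK["TLSv1.2"]:
        findings.append(f"ssl_min_protocol = {minproto} is below the TLSv1.2 floor")
    if settings.get("ssl_prefer_server_ciphers") != "yes":
        findings.append("server cipher preference is not enabled")
    if settings.get("disable_plaintext_auth") != "yes":
        findings.append("plaintext authentication without TLS is still allowed")
    return findings


def audit_text(text):
    """Convenience wrapper: parse a dump and audit it in one call."""
    settings, is_24 = parse_doveconf(text)
    return audit(settings, is_24)


# Constructed sample of a partially hardened 2.3 server (note the missing '<').
SAMPLE_WEAK_23 = """\
ssl = yes
ssl_cert = /etc/dovecot/ssl/fullchain.pem
ssl_key = </etc/dovecot/ssl/privkey.pem
ssl_min_protocol = TLSv1
ssl_prefer_server_ciphers = no
disable_plaintext_auth = no
"""

# Constructed sample of this guide's recommendations written in 2.4 syntax.
SAMPLE_HARDENED_24 = """\
ssl = required
ssl_server_cert_file = /etc/dovecot/ssl/fullchain.pem
ssl_server_key_file = /etc/dovecot/ssl/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_server_prefer_ciphers = yes
auth_allow_cleartext = no
"""

if __name__ == "__main__":
    for name, text in (("weak 2.3", SAMPLE_WEAK_23), ("hardened 2.4", SAMPLE_HARDENED_24)):
        print(name, audit_text(text) or ["ok"])
```

Run it against a real dump with `doveconf -n > dump.txt` and `audit_text(open("dump.txt").read())`; the checks only cover the directives discussed in this guide, so an empty finding list means those settings match, not that the whole server is hardened.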

Listener Configuration

Dovecot listens on the following default ports. Verify they are configured in /etc/dovecot/conf.d/10-master.conf:

  • 143 - IMAP with STARTTLS
  • 993 - IMAPS (implicit TLS, recommended)
  • 110 - POP3 with STARTTLS
  • 995 - POP3S (implicit TLS, recommended)

Implicit TLS (ports 993/995) is preferred over STARTTLS because the connection is encrypted from the start, with no plaintext preamble that could be intercepted.

service imap-login {
    inet_listener imap {
        port = 143
    }
    inet_listener imaps {
        port = 993
        ssl = yes
    }
}

service pop3-login {
    inet_listener pop3 {
        port = 110
    }
    inet_listener pop3s {
        port = 995
        ssl = yes
    }
}

Mutual TLS (mTLS)

Standard TLS authenticates only the server and protects the connection from eavesdropping. Mutual TLS adds client authentication, requiring the connecting client to also present a certificate. For a mail server this is an uncommon requirement: most IMAP and POP3 clients authenticate with a username and password, not a certificate. It may be useful in environments where mail access is restricted to managed devices with known certificates, or for service accounts used by internal mail tooling.

To require client certificates, add the following to your SSL configuration (10-ssl.conf):

ssl_ca = </etc/dovecot/ssl/client-ca.pem
ssl_verify_client = yes

  • ssl_ca - CA certificate used to verify client certificates. The < prefix reads the file contents directly, as with ssl_cert and ssl_key.
  • ssl_verify_client = yes - Require a valid client certificate. Connections without one are rejected.
  • ssl_verify_client = relaxed - Allow connections without a certificate but log a warning if a presented certificate is invalid.

Client certificate verification in Dovecot operates at the TLS layer. Users still authenticate with their normal credentials (PLAIN/LOGIN) after the TLS handshake. Set ssl_verify_client = yes only when all your mail clients support client certificates and are configured with them.

See RFC 8446 §4.3.2 for the TLS Certificate Request specification, and Wikipedia: Mutual authentication for a general overview.

Security Notes

The cipher suite and protocol configuration in this guide addresses the following known TLS vulnerabilities:

  • POODLE (CVE-2014-3566, 2014): SSL 3.0 is disabled. TLS_FALLBACK_SCSV was added in OpenSSL 1.0.1j / 1.0.2 (October 2014); SSL 3.0 was disabled by default in OpenSSL 1.1.0 (August 2016).
  • BEAST (CVE-2011-3389, 2011): Mitigated by recommending TLS 1.2 as the minimum; AEAD-only ciphers eliminate the CBC padding oracle.
  • CRIME (CVE-2012-4929, 2012): TLS compression is off by default in OpenSSL 1.1.0+; do not enable it.
  • Lucky13 (2013): AEAD-only cipher list eliminates CBC padding timing side-channels entirely.
  • FREAK (CVE-2015-0204, 2015): EXPORT-grade ciphers are excluded from the cipher string. Removed from OpenSSL 1.1.0 (August 2016).
  • LOGJAM (CVE-2015-4000, 2015): Short-key DHE is excluded; only ECDHE key exchange is recommended.
  • Sweet32 (CVE-2016-2183, 2016): 3DES is excluded from the cipher string.
  • ROBOT (2017): Static RSA key exchange is excluded; only ECDHE is recommended.
  • Downgrade attacks: TLS_FALLBACK_SCSV prevents protocol version rollback.
  • Renegotiation injection (CVE-2009-3555, 2009): Secure renegotiation is enforced by default in OpenSSL 0.9.8m+; TLS 1.3 removes renegotiation entirely.

The following are not addressable through TLS configuration alone:

  • Heartbleed (CVE-2014-0160, 2014): A memory disclosure bug in OpenSSL 1.0.1 through 1.0.1f. Fixed in OpenSSL 1.0.1g (April 7, 2014). Addressed by patching OpenSSL, not by TLS configuration.
  • BREACH (CVE-2013-3587, 2013): Not applicable. BREACH targets HTTP-level response compression; IMAP/POP3 do not involve HTTP.
  • DROWN (CVE-2016-0800, 2016): Requires SSLv2 to be enabled on any server sharing the same private key. Ensure SSLv2 is disabled on all services that use the same certificate and key pair.
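Most of the items above reduce to properties of the cipher string: ECDHE key exchange (ROBOT, LOGJAM), AEAD-only modes (BEAST, Lucky13), and no EXPORT, 3DES or RC4 suites (FREAK, Sweet32). The script below is an added example, not part of this guide or of Dovecot, that checks an ssl_cipher_list / ssl_cipher_suites string against that checklist suite by suite. Its classification relies on OpenSSL's suite naming conventions (ECDHE-, DHE-/EDH- prefixes, no prefix for static RSA, EXP- for export grade), which is an assumption about the names rather than a resolution through OpenSSL itself; keyword aliases such as HIGH or !aNULL cannot be judged statically and are reported as such. The weak list it tests is constructed.

```python
"""Check an OpenSSL cipher-list string against the Security Notes checklist:
forward-secret (ECDHE) key exchange, AEAD modes only, no EXPORT, DES/3DES, RC4
or NULL suites. Added example, not Dovecot code; the suite-name heuristics are
an assumption about OpenSSL naming, and the weak list below is constructed."""

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify_suite(name):
    """Return the problems found in one cipher-list entry (empty = acceptable).

    TLS 1.3 names (TLS_...) always use ephemeral key exchange and AEAD.
    Keyword aliases (HIGH, !aNULL, ECDHE+AESGCM, @STRENGTH) expand to many
    suites that a static check cannot see, so they are flagged for expansion."""
    if name.startswith("TLS_"):
        return []
    if "-" not in name or name[0] in "!-+@" or "+" in name:
        return ["keyword alias, not a single suite; expand it with "
                "`openssl ciphers -v` before judging"]
    problems = []
    parts = name.split("-")
    kx = parts[0]
    if kx == "ECDHE":
        pass
    elif kx in ("DHE", "EDH"):
        problems.append("DHE key exchange: strength depends on ssl_dh size (LOGJAM)")
    elif kx in ("ADH", "AECDH"):
        problems.append("anonymous key exchange: no server authentication")
    elif kx in ("ECDH", "DH"):
        problems.append("static (EC)DH: no forward secrecy")
    else:
        # OpenSSL omits the key-exchange prefix for static RSA suites
        # (e.g. AES256-SHA); EXP-... export suites are also static RSA.
        problems.append("static RSA key exchange: no forward secrecy (ROBOT)")
    if kx.startswith("EXP") or "EXPORT" in parts:
        problems.append("EXPORT-grade cipher (FREAK)")
    if "DES" in parts or "3DES" in parts:
        problems.append("DES/3DES block cipher (Sweet32)")
    if "RC4" in parts:
        problems.append("RC4 stream cipher")
    if "NULL" in parts:
        problems.append("NULL encryption")
    if not any(marker in name for marker in AEAD_MARKERS):
        problems.append("non-AEAD cipher: CBC/MAC-then-encrypt class (BEAST, Lucky13)")
    return problems


def audit_cipher_list(cipher_list):
    """Map every colon-separated entry of the string to its list of problems."""
    return {entry: classify_suite(entry) for entry in cipher_list.split(":") if entry}


def is_hardened(cipher_list):
    """True when every entry is a fully resolved suite with no problems."""
    return all(not problems for problems in audit_cipher_list(cipher_list).values())


# The TLS 1.2 and TLS 1.3 lists recommended in this guide.
GUIDE_CIPHER_LIST = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                     "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305")
GUIDE_TLS13_SUITES = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

# Constructed legacy list mixing the suite types the Security Notes warn about.
WEAK_CIPHER_LIST = "AES256-SHA:DES-CBC3-SHA:EXP-RC4-MD5:DHE-RSA-AES128-SHA:HIGH:!aNULL"

if __name__ == "__main__":
    for label, lst in (("guide", GUIDE_CIPHER_LIST), ("weak", WEAK_CIPHER_LIST)):
        print(f"{label}: hardened={is_hardened(lst)}")
        for suite, problems in audit_cipher_list(lst).items():
            if problems:
                print(f"  {suite}: {'; '.join(problems)}")
```

The check is deliberately conservative: a string that passes is_hardened contains only named ECDHE+AEAD or TLS 1.3 suites, while anything it cannot classify (an alias, an unfamiliar prefix) shows up as a finding rather than being silently accepted. Confirm the final list on the server itself with `openssl ciphers -v '<your list>'`, which resolves aliases and drops suites the installed OpenSSL does not support.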

Verification

Test the Dovecot configuration and restart:

doveconf -n | grep ssl
systemctl restart dovecot

Test IMAPS:

openssl s_client -connect mail.example.com:993

Test IMAP with STARTTLS:

openssl s_client -connect mail.example.com:143 -starttls imap

Check Dovecot's log for TLS connection details:

doveadm log find
journalctl -u dovecot | grep TLS

Test your IMAPS and POP3S certificates externally with the Mr.DNS SSL/TLS Certificate Check (port 993 for IMAPS, 995 for POP3S).
