Dovecot/TLS

Overview
This guide will show you how to enable TLS/SSL support in Dovecot 2.0, enabling you to encrypt all POP3 and IMAP communications.

This guide assumes you already have a working Dovecot installation.

Certificate Creation
This guide will not deal with certificate creation since that is already covered elsewhere. If you want an easy-to-use graphical program for managing self-signed certificates, you may wish to check out.

You will need to save the certificate files (there should be two: a key file and a certificate file) onto the server. For example, you may choose to keep yours in a directory called.

Your certificate file should have permissions root:root 0444. The certificate is sent to every client that connects, so being world readable is acceptable: it is not private. Your key file, however, should have permissions root:root 0400, since it must be kept private.
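The following shell script is an added example, not part of the wiki page: it checks that the key and certificate files carry exactly the ownership and modes described above, so the check can be run after copying the files onto the server or from a cron job. The default paths (/etc/ssl/dovecot/server.key and server.pem) are assumptions for illustration; override them with the DOVECOT_KEY and DOVECOT_CERT environment variables.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify Dovecot TLS file permissions.
# The paths below are assumptions; the page does not name the actual files.
DOVECOT_KEY="${DOVECOT_KEY:-/etc/ssl/dovecot/server.key}"
DOVECOT_CERT="${DOVECOT_CERT:-/etc/ssl/dovecot/server.pem}"

# file_mode_owner FILE -> prints "MODE OWNER", e.g. "400 root".
# GNU stat is tried first, BSD stat as a fallback.
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%OLp %Su' "$1"
}

# check_tls_file FILE EXPECTED_MODE [EXPECTED_OWNER]
# Returns 0 when FILE exists, is owned by EXPECTED_OWNER (default: root)
# and has exactly EXPECTED_MODE (octal without leading zero, e.g. 400).
# Every deviation is reported on stderr and makes the function return 1.
check_tls_file() {
    f=$1; want_mode=$2; want_owner=${3:-root}
    if [ ! -f "$f" ]; then
        echo "MISSING: $f" >&2
        return 1
    fi
    set -- $(file_mode_owner "$f")
    mode=$1; owner=$2
    rc=0
    if [ "$mode" != "$want_mode" ]; then
        echo "BAD MODE: $f is $mode, expected $want_mode" >&2
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "BAD OWNER: $f is owned by $owner, expected $want_owner" >&2
        rc=1
    fi
    return $rc
}

# check_dovecot_tls_files: key must be root:root 0400, cert root:root 0444.
check_dovecot_tls_files() {
    rc=0
    check_tls_file "$DOVECOT_KEY" 400 root || rc=1
    check_tls_file "$DOVECOT_CERT" 444 root || rc=1
    return $rc
}

# Run the check when invoked directly with the argument "check".
if [ "${1:-}" = "check" ]; then
    check_dovecot_tls_files && echo "TLS files look good"
fi
```

Run it as `sh check-tls-files.sh check` on the mail server; a non-zero exit means at least one file is missing, world readable, or not owned by root.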

Package Setup
You first need to ensure that you have Dovecot compiled with SSL support. For this to happen, Dovecot needs to be compiled with the USE flag.

Add the following to :

And recompile Dovecot with:

Configuration
By default, Dovecot is configured with SSL enabled and uses self-signed certificates in. If you want to disable the use of unencrypted IMAP and/or POP3 communication:

You now want to tell Dovecot where to find your certificate files. This example uses files stored in, and the key and certificate files are respectively called and.

You also need to tell Dovecot the pass phrase needed to decrypt the key file, if you have it protected by a pass phrase. We'll place this in a separate file:

To ensure that no other users can read the pass phrase, change the permissions so that only root can read the above file:

Then we'll include it:

Now that you have SSL set up, you may want to disable plain text authentication. This only means that Dovecot will refuse plain text authentication over an unencrypted connection; plain text mechanisms are still accepted once the connection is encrypted.
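The steps above, carried through as one added shell example that is not the wiki's own code: it renders the Dovecot 2.x TLS settings (certificate and key locations, refusing unencrypted connections, refusing plain text authentication over them, and including the separate pass phrase file), writes that pass phrase file with root-only permissions, and checks an existing configuration for the same settings. The `<path` syntax makes Dovecot read the value from the file, and `!include_try` is the include directive; the file paths used are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the wiki's own code). Dovecot 2.x TLS configuration
# helpers; all paths are illustrative assumptions.

# render_ssl_conf KEY CERT PASSFILE -> prints the config fragment on stdout.
# A leading '<' tells Dovecot to read the setting's value from that file.
render_ssl_conf() {
    key=$1; cert=$2; passfile=$3
    cat <<EOF
# TLS settings for Dovecot 2.x (generated)
# refuse unencrypted IMAP/POP3 connections entirely
ssl = required
ssl_cert = <$cert
ssl_key = <$key
# refuse plain text authentication over an unencrypted connection
disable_plaintext_auth = yes
# ssl_key_password is kept in a separate, root-only file
!include_try $passfile
EOF
}

# write_passphrase_file FILE PASSPHRASE: creates FILE containing only the
# ssl_key_password setting, readable by its owner alone (mode 0400).
write_passphrase_file() {
    file=$1; pass=$2
    ( umask 077; printf 'ssl_key_password = %s\n' "$pass" > "$file" )
    chmod 0400 "$file"
}

# check_ssl_conf FILE: returns 0 only if FILE carries every setting the
# guide asks for; each missing or weakened setting is reported on stderr.
check_ssl_conf() {
    conf=$1; rc=0
    for want in \
        '^ssl *= *required' \
        '^ssl_cert *= *<' \
        '^ssl_key *= *<' \
        '^disable_plaintext_auth *= *yes'
    do
        if ! grep -Eq "$want" "$conf"; then
            echo "MISSING in $conf: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Invoked as: sh dovecot-tls.sh render KEY CERT PASSFILE
#         or: sh dovecot-tls.sh check /etc/dovecot/conf.d/10-ssl.conf
case "${1:-}" in
    render) render_ssl_conf "$2" "$3" "$4" ;;
    check)  check_ssl_conf "$2" && echo "TLS settings present" ;;
esac
```

A configuration that still says `ssl = yes` or `disable_plaintext_auth = no` fails the check, which is the case a sweep of mail servers most often turns up: TLS offered, but unencrypted logins still accepted. After applying the rendered fragment, `doveconf -n` shows the effective values Dovecot will use after the restart.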

Finally, restart Dovecot with: