I finally succumbed and set up Dovecot on my server. I still profess that (remote, using a tmux session) mutt straight into a (postfix) maildir is the ultimate email experience, but now that I’m back to my main computing device being a phone it has become a pain in the arse using mutt via a teeny tiny terminal on my phone (how on earth I ever did so much on my iPhone SE before this I don’t know). I.e. writing emails is not a great experience and I rarely sort through and archive/delete stuff from my phone, instead waiting until I can get on the family computer.

Setting up Dovecot via a teeny tiny terminal on my phone was one of the reasons I put this off so long, but I had enough snippets of free time over the holidays to persevere and do it.

I used this old NetBSD guide as a basis with a few tweaks to suit the peculiarities of my setup:

  • dovecot.conf

    I just need this protocol:

      protocols = imap

  • ./conf.d/10-auth.conf

    For the time being, I’m including auth-static instead of auth-system. More on that in a bit.

  • ./conf.d/10-logging.conf

    The default didn’t seem to log anything for me and so since I was debugging connections I set:

      log_path = /var/log/dovecot

    And

      auth_verbose = yes

  • ./conf.d/10-master.conf

    The postfix smtp auth bits per the article (“Just follow the provided instructions”) since being able to send email is useful too.

  • ./conf.d/10-ssl.conf

    Pointing ssl_key and ssl_cert at my Let’s Encrypt certs (fullchain.pem) and setting:

      ssl = required

    Instead of yes

  • ./conf.d/auth-static.conf.ext

    For now at least, since my server is effectively single user with just my email on it, I’m using the static auth settings. This feels wrong, but I can’t actually think why this is worse than using system auth (PAM)… yet. I did use doveadm to encrypt a long random password though so it isn’t stored in the file as plain text (not that it really matters anyway, perhaps if this was a shared machine).

      passdb {
    driver = static
    args = password={SCHEME}[REDACTED]
  }

    I have email for two domains on my host so my userdb looks like:

      userdb {  driver = static
    args = uid=999 gid=99 mail_location=maildir:/path/to/Mail/%u:LAYOUT=fs:INBOX=/path/to/Mail/%u/Inbox
  }

    My postfix setup is using the “filesystem” maildir layout - I can’t remember doing that on purpose so I presume it was the default when I set it up. I also had to include the INBOX arg as otherwise I got all my other folders mapped, but no actual inbox.

    With this setup, since the username isn’t used for static auth, I use the domain as the username in my client and it maps to the right mailbox. I could (should?) tweak that so the username is the email address and then pull the domain from that, but it doesn’t really matter.

I will see how this goes, keep an eye on the logs and perhaps think of further ways to lock it down; Maybe limiting number of clients or perhaps only running Dovecot when I need it.

[EDIT: 2024-02-24] Added that full chain cert is needed_