How to install and secure Dovecot in Plesk 12

I’ve just installed the Dovecot Mail Service on one of my Plesk 12 servers. It’s an alternative to the old favourite Courier IMAP/POP and a new addition in Plesk 12.

Dovecot does more or less the same as Courier (i.e. lets you receive mail), but it’s a bit more configurable and debug friendly. It also offers server-side mail filtering which is accessible via the Plesk Webmail services Roundcube and Horde.

In this article I’ll show you how to install Dovecot in Plesk 12, and how to add your own SSL certificates for mail. In my previous article I explained how to do this with the standard Courier Mail service.

Installing Dovecot in Plesk 12

Head over to

  • Tools and Settings (or the Server Tab)
  • under the Plesk heading
  • Updates and Upgrades

Select Add or Remove Components and under Mail Hosting Features, find the option for Different IMAP/POP3 server:


You can only install either Courier or Dovecot. Switching will automatically uninstall the component you currently have and instead install the other one.

Note that switching Courier for Dovecot will preserve all mailboxes and will not affect your outgoing mail services. Give Plesk a moment until you see the “installation has finished” message.

You’re now running Dovecot!

Patching Dovecot SSL Certificates

As with Courier, Dovecot will use self-signed certificates for secure connections. This means that a nasty window is likely to pop up when clients connect. You can suppress this window by specifying your own SSL Certificates.


The default configuration file for Dovecot is in /etc/dovecot/dovecot.conf. However the file states that any changes you make here are wiped when an upgrade comes along. Instead, take a look at the /etc/dovecot/conf.d/ directory in which you’ll find three files by default:

  • 10-plesk-security.conf
  • 15-plesk-auth.conf
  • 90-plesk-sieve.conf

You can add your own configuration snippets here, each beginning with a number and ending with .conf. The lower the number, the earlier your snippet is loaded. The higher the number, the later it is loaded. You get the picture.

Let’s create /etc/dovecot/conf.d/5-ssl.conf for our purposes. Because I had already configured my certificates for Courier they are still in /usr/share/imapd.pem – but feel free to place your .pem files anywhere you like. Here’s what my file looks like:

Dovecot lets you have separate files for the certificate and the private key, something that’s not possible in Courier as far as I know. Dovecot is also happy to keep those in the same file though as in my example, and as in Courier. Easy going I say!

For the changes to take effect we need to restart the Plesk Mail Service like so:

That’s it!
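A pre-flight check for the snippet described above, as an added example (not the author's file and not part of Plesk): it confirms that the certificate and private key belong together, that the certificate has not expired and that the key file is not world-readable, then prints the `ssl_cert` and `ssl_key` lines for review. The function name `check_dovecot_tls` and its return codes are assumptions made for this example, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: validate a cert/key pair, then print a Dovecot SSL snippet.
# check_dovecot_tls and its return codes are made up for this illustration.

check_dovecot_tls() {   # usage: check_dovecot_tls CERT_PEM KEY_PEM (may be the same file)
    cert=$1 key=$2
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "cannot read $cert or $key" >&2; return 1
    fi
    # Public key embedded in the certificate (other PEM blocks are skipped).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "no parsable certificate in $cert" >&2; return 2; }
    # Public key derived from the private key; the empty -passin makes a
    # passphrase-protected key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "no usable private key in $key" >&2; return 3; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to certificate" >&2; return 4
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate has expired" >&2; return 5; }
    # A key (or combined cert+key file) readable by "other" exposes the key.
    if [ -n "$(find "$key" -prune -perm -004 2>/dev/null)" ]; then
        echo "$key is world-readable" >&2; return 6
    fi
    # The leading "<" tells Dovecot to read the value from the file.
    printf 'ssl = yes\nssl_cert = <%s\nssl_key = <%s\n' "$cert" "$key"
}

# Stand-alone use: print the snippet for review before saving it.
if [ "$#" -eq 2 ]; then
    check_dovecot_tls "$1" "$2"
fi
```

Passing the same combined file for both arguments covers the single-file layout used in this article.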

 

How do I add a certificate for outgoing mail?

Postfix (and QMail) deal with sending mail, Dovecot and Courier only deal with receiving it. I’ve described how to add SSL Certificates to Postfix in my article about Courier.

Further Reading

 

Jay is the CEO and founder of WP Hosting, a boutique style managed WordPress hosting and support service. He has been working with Plesk since version 9 and is a qualified Parallels Automation Professional. In his spare time he likes to develop iOS apps and WordPress plugins, or draw on tablet devices. He blogs about his coding journey at http://wpguru.co.uk and http://pinkstone.co.uk.

17 thoughts on “How to install and secure Dovecot in Plesk 12”

  1. You may want to add the following directives for added security:

    # Strong DH params
    ssl_dh_parameters_length = 2048

    # Disable insecure SSL protocols
    ssl_protocols = !SSLv2 !SSLv3

  2. For Dovecot in Debian/Ubuntu you have to add a > before the paths, otherwise it gives an error.
    I wasted a few hours on this little detail. Also in Debian/Ubuntu use

    # Path to your Certificate, preferred permissions: root:root 0444
    ssl_cert = </path/to/cert.pem

    # Path to your Private Key, preferred permissions: root:root 0400
    ssl_key = </path/to/private.key

  3. I followed the steps, but when I open ssl test I get the following message:

    :993
    CONNECTED(00000003)
    write:errno=104

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 0 bytes and written 249 bytes

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

  4. I used this “openssl s_client -showcerts -connect mail.myserver.com:993” to test the SSL.

    After loading the new SSL certificate my email stops working as well.

    Before patching, the results showed the default PLESK certificate.

    1. Oh yes, I had that problem on a couple of systems too. I’m sure there’s a perfectly logical explanation for it, and with several decades of research we’ll probably get to the bottom of it.

      But a much easier solution is to ditch Dovecot and use Courier instead. I know it makes zero sense, but I’ve noticed that on some systems, Dovecot just doesn’t want to work – and on others, I have trouble with Courier. They’re really easy to switch, and all your mail account settings are preserved.

  5. OK, I will try that out, glad to know I’m not the only one experiencing this issue. Thanks a lot for your help. Appreciate it 🙂

    1. Any time! Out of interest, what operating system are you using? I’ve had these issues with both CentOS 6 and 7, with plain vanilla installations. Let me know and I’ll forward the issue to the Plesk team – they love fixing things 😉

  6. I’m using CentOS 6.7, it’s a new setup. Dedicated server from 1and1.

    I just tried courier, followed your other article. I am getting the exact error 🙁
    (CERT OK fails on TLS check.)

    This is weird. Would you be able to take a look for me? I don’t mind paying for the service.

  7. I’ve had a good bit of trouble getting it to work and testing it correctly.
    Here is my configuration

    # /etc/dovecot/conf.d/5-custom-ssl.conf
    # for debugging
    verbose_ssl = yes

    ssl = yes

    # Path to your Certificate, preferred permissions: root:root 0444
    ssl_cert = </usr/local/etc/ssl/dovecot-cert.pem

    # Path to your Private Key, preferred permissions: root:root 0400
    ssl_key = </usr/local/etc/ssl/dovecot-key.pem

    # Path to your CA file,

    ssl_ca = </usr/local/etc/ssl/comodo-positiveSSL/AddTrustExternalCARoot.crt
    ssl_ca = </usr/local/etc/ssl/comodo-positiveSSL/COMODORSAAddTrustCA.crt
    ssl_ca = </usr/local/etc/ssl/comodo-positiveSSL/COMODORSADomainValidationSecureServerCA.crt

    ssl_verify_client_cert = yes
    auth_ssl_require_client_cert = yes

    #auth_ssl_username_from_cert = yes

    #EOF

    openssl s_client -CApath /etc/ssl/certs -CAfile /etc/ssl/certs/ca-bundle.crt -cert ./postfix-cert.pem -key ./postfix-key.pem -connect smtp.foobar.com:110 -starttls pop
    openssl s_client -CApath /etc/ssl/certs -CAfile /etc/ssl/certs/ca-bundle.crt -cert ./postfix-cert.pem -key ./postfix-key.pem -connect smtp.foobar.com:143 -starttls imap

    Post about Postfix & Dovecot, *(post is still under moderation)
    https://talk.plesk.com/threads/postfix-dovecot-cert-error.334931/#post-808783

  8. Hi there!

    I noticed on your Further Reading section you mentioned “Check your new mail server with this handy online tool”.

    We created a secure email checker with a little better UI that may give a better experience to your readers.

    Here’s the link: https://www.paubox.com/secure-email-check

    Let me know if you think it’s an improvement, thank you!

    Cheers,
    Arianna
