Monday, April 13, 2026
I’m trying to get Dovecot up and running correctly on laudate. That site was upgraded from Debian 12 to 13, but I told it to ignore my old Dovecot configs because I prefer to start a setup from scratch.
Dovecot configuration is split over multiple files, which makes things more maintainable but less readable. Fortunately for simple minds like me, there is the doveconf -nP command, which turns them into a single-file config.
I used doveconf -nP to dump the Dovecot configuration of another server, which still runs Debian 12 and where Dovecot works correctly:
auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = " pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
userdb {
  driver = passwd
}
The Dovecot upgrader tool converts this to:
# Conversion performed at 2026-04-13 07:03:22.768058
dovecot_config_version = 2.4.2
dovecot_storage_version = 2.4.0
auth_allow_cleartext = yes
auth_mechanisms = plain login
mail_driver = maildir
mail_path = ~/Maildir
mail_privileged_group = mail
protocols = pop3
ssl_client_ca_dir = /etc/ssl/certs
namespace inbox {
  inbox = yes
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
}
passdb pam {
  driver = pam
}
userdb passwd {
  driver = passwd
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
ssl_server {
  cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
  dh_file = /usr/share/dovecot/dh.pem
  key_file = # hidden, use -P to show it
}
# Warnings during conversion:
# - pruned default: inbox prefix = ''
Here is the output of doveconf -nP on laudate after the fresh installation:
dovecot_config_version = 2.4.0
dovecot_storage_version = 2.4.0
fts_autoindex = yes
fts_autoindex_max_recent_msgs = 999
fts_search_add_missing = yes
mail_driver = mbox
mail_home = /home/%{user | username}
mail_inbox_path = /var/mail/%{user}
mail_path = %{home}/mail
mail_privileged_group = mail
protocols {
  pop3 = yes
}
passdb pam {
}
userdb passwd {
}
namespace inbox {
  inbox = yes
  mailbox Drafts {
    special_use = "\\Drafts"
  }
  mailbox Junk {
    special_use = "\\Junk"
  }
  mailbox Trash {
    special_use = "\\Trash"
  }
  mailbox Sent {
    special_use = "\\Sent"
  }
  mailbox "Sent Messages" {
    special_use = "\\Sent"
  }
}
service imap-login {
  inet_listener imap {
  }
  inet_listener imaps {
  }
}
service pop3-login {
  inet_listener pop3 {
  }
  inet_listener pop3s {
  }
}
service submission-login {
  inet_listener submission {
  }
  inet_listener submissions {
  }
}
service lmtp {
  unix_listener lmtp {
  }
}
service imap {
}
service pop3 {
}
service submission {
}
service auth {
  unix_listener auth-userdb {
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}
ssl_server {
  cert_file = /etc/dovecot/private/dovecot.pem
  key_file = /etc/dovecot/private/dovecot.key
}
Then I use diff -y to compare these two files:
dovecot_config_version = 2.4.2                                 | dovecot_config_version = 2.4.0
dovecot_storage_version = 2.4.0                                  dovecot_storage_version = 2.4.0
auth_allow_cleartext = yes                                     | fts_autoindex = yes
auth_mechanisms = plain login                                  | fts_autoindex_max_recent_msgs = 999
mail_driver = maildir                                          | fts_search_add_missing = yes
mail_path = ~/Maildir                                          | mail_driver = mbox
                                                               > mail_home = /home/%{user | username}
                                                               > mail_inbox_path = /var/mail/%{user}
                                                               > mail_path = %{home}/mail
mail_privileged_group = mail                                     mail_privileged_group = mail
protocols = pop3                                               | protocols {
ssl_client_ca_dir = /etc/ssl/certs                             |   pop3 = yes
                                                               | }
                                                               > passdb pam {
                                                               > }
                                                               > userdb passwd {
                                                               > }
namespace inbox {                                                namespace inbox {
  inbox = yes                                                      inbox = yes
                                                               <
  mailbox Drafts {                                                 mailbox Drafts {
    special_use = \Drafts                                      |     special_use = "\\Drafts"
  }                                                                }
                                                               <
  mailbox Junk {                                                   mailbox Junk {
    special_use = \Junk                                        |     special_use = "\\Junk"
                                                               >   }
                                                               >   mailbox Trash {
                                                               >     special_use = "\\Trash"
  }                                                                }
                                                               <
  mailbox Sent {                                                   mailbox Sent {
    special_use = \Sent                                        |     special_use = "\\Sent"
  }                                                                }
                                                               <
  mailbox "Sent Messages" {                                        mailbox "Sent Messages" {
    special_use = \Sent                                        |     special_use = "\\Sent"
  }                                                                }
                                                               | }
  mailbox Trash {                                              | service imap-login {
    special_use = \Trash                                       |   inet_listener imap {
                                                               >   }
                                                               >   inet_listener imaps {
  }                                                                }
}                                                                }
                                                               | service pop3-login {
passdb pam {                                                   |   inet_listener pop3 {
  driver = pam                                                 |   }
                                                               >   inet_listener pop3s {
                                                               >   }
}                                                                }
                                                               | service submission-login {
userdb passwd {                                                |   inet_listener submission {
  driver = passwd                                              |   }
                                                               >   inet_listener submissions {
                                                               >   }
                                                               > }
                                                               > service lmtp {
                                                               >   unix_listener lmtp {
                                                               >   }
                                                               > }
                                                               > service imap {
                                                               > }
                                                               > service pop3 {
                                                               > }
                                                               > service submission {
}                                                                }
                                                               <
service auth {                                                   service auth {
  unix_listener /var/spool/postfix/private/auth {              |   unix_listener auth-userdb {
    group = postfix                                            <
    mode = 0666                                                <
    user = postfix                                             <
  }                                                                }
}                                                                }
                                                               | service auth-worker {
service pop3-login {                                           | }
  inet_listener pop3 {                                         | service dict {
    port = 110                                                 |   unix_listener dict {
  }                                                                }
}                                                                }
                                                               <
ssl_server {                                                     ssl_server {
  cert_file = /etc/letsencrypt/live/mail.example.com/fullchain. |   cert_file = /etc/dovecot/private/dovecot.pem
  dh_file = /usr/share/dovecot/dh.pem                          |   key_file = /etc/dovecot/private/dovecot.key
  key_file = # hidden, use -P to show it                       | }
}                                                              <
                                                               <
# Warnings during conversion:                                  <
# - pruned default: inbox prefix = ''                          <
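The two dumps differ in more than layout: the migrated file carries auth_allow_cleartext = yes (the 2.4 spelling of disable_plaintext_auth = no) and a world-writable Postfix auth socket, while the fresh install points ssl_server at the package's own certificate. As an added example, not code from the original post, here is a small Python script that parses the doveconf -nP block syntax and reports those settings; FRESH is a constructed sample trimmed from the fresh-install dump, and PACKAGE_CERT is assumed to be Debian's self-signed default path.

```python
# Added example (not from the original post): parse a `doveconf -nP` dump into nested
# dicts and flag settings worth re-checking after the 2.3 -> 2.4 migration shown above.
# FRESH is a constructed sample trimmed from the fresh-install dump (as printed without -P).
PACKAGE_CERT = "/etc/dovecot/private/dovecot.pem"  # assumed: Debian's self-signed default
FRESH = """dovecot_config_version = 2.4.0
ssl_server {
  cert_file = /etc/dovecot/private/dovecot.pem
  key_file = # hidden, use -P to show it
}
"""

def parse_doveconf(text):
    """`name {` opens a nested dict, `}` closes it, `key = value` stores a string."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, value = line.partition("=")
            value = value.strip().strip('"').strip()
            cur[key.strip()] = None if value.startswith("#") else value  # "# hidden" without -P
    return root

def audit(conf):
    """Findings: cleartext auth, world-writable unix listeners, certificate in use."""
    findings = []
    # 2.3 spelled it disable_plaintext_auth = no; 2.4 renamed it to auth_allow_cleartext = yes
    if conf.get("auth_allow_cleartext") == "yes" or conf.get("disable_plaintext_auth") == "no":
        findings.append("cleartext authentication is allowed")
    for name, block in conf.items():
        for lname, lst in (block.items() if isinstance(block, dict) else ()):
            if lname.startswith("unix_listener") and isinstance(lst, dict) and lst.get("mode"):
                if int(lst["mode"], 8) & 0o002:  # only the parent directory limits who can connect
                    findings.append(f"{name}: {lname} is world-writable (mode {lst['mode']})")
    # 2.3 wrote `ssl_cert = </path` ('<' means read the file); 2.4 uses ssl_server { cert_file }
    cert = conf.get("ssl_server", {}).get("cert_file") or (conf.get("ssl_cert") or "").lstrip("<")
    if not cert:
        findings.append("no TLS certificate configured")
    elif cert == PACKAGE_CERT:
        findings.append(f"TLS uses the package's self-signed certificate {cert}")
    return findings

FINDINGS = audit(parse_doveconf(FRESH))  # stand-alone run: findings for the sample dump
```

Feed it the real dump with `doveconf -nP | python3 -c 'import sys; ...'` or paste the text into FRESH; on the migrated file above it reports the cleartext setting and the 0666 socket, on the fresh install the package certificate.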
I created a local.conf file where I plan to add my own settings. First attempt:
ssl_server {
  cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
  key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
}
Now Thunderbird reports a new error message:
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
This site attempts to identify itself with invalid information. Wrong Site. The certificate belongs to a different site, which could mean that someone is trying to impersonate this site.
And when I ask TB for details, it seems to report that it received a certificate for “example.com”, not “mail.example.com”. So the subdomain “mail.” has been lost somewhere.
But certbot certificates on laudate says that it is mail.example.com:
Certificate Name: mail.example.com
Serial Number: 6056e09415ac60c5115699b575c5ac3989b
Key Type: RSA
Domains: mail.example.com
Expiry Date: 2026-07-08 06:24:24+00:00 (VALID: 85 days)
Certificate Path: /etc/letsencrypt/live/mail.example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.example.com/privkey.pem