Dovecot ( https://doc.dovecot.org ) is a small, powerful, fast and very stable IMAP server for storing mail, which can be used by any mail client such as Thunderbird, Evolution…
You will need FreeIPA up and running, and an understanding of Docker and of running those services, so that LDAPS will work.
Dovecot does not use any database: mails are stored in Maildir format, which uses directories and one file per mail, so mounting the mail directory is enough.
In your docker_compose directory, create the docker-compose.yml with the following content:
services:
  # Small but performant and secure IMAP server: https://hub.docker.com/r/dovecot/dovecot
  dovecot:
    image: dovecot/dovecot:latest
    # For testing:
    # image: dovecot/dovecot:latest-dev
    restart: always
    read_only: true
    stop_grace_period: 1m
    volumes:
      - dovecot_config:/etc/dovecot
      - dovecot_maildata:/srv/vmail
    tmpfs:
      - /tmp
      - /run/dovecot
      - /srv/mail
    environment:
      # These passwords should not be used / are only for testing:
      # they allow any username with that password to log in
      USER_PASSWORD: 'VERYSTRONGFIRSTPWD'
      DOVEADM_PASSWORD: 'VERYSTRONGSECONDPWD'
    ports:
      - "993:31993"
    # Listeners from the image's homepage:
    # POP3 on 31110, TLS 31995 (needs config file to enable, disabled by default)
    # IMAP on 31143, TLS 31993
    # Submission on 31587
    # LMTPS on 31024
    # ManageSieve on 34190
    # HTTP API on 8080
    # Metrics on 9090
    networks:
      - default

volumes:
  dovecot_config:
  dovecot_maildata:

networks:
  # Still needs to be defined here, otherwise IPv6 won't be enabled
  default:
    driver: bridge
    enable_ipv6: true
Basically, docker compose up -d will already start your server.
In your volume dovecot_config you will now find the directory conf.d. Put a file in there, e.g. domainname.conf, to have it loaded into your Dovecot config; its settings override the basic ones.
ssl = required
auth_allow_cleartext = no
# External connections: check SSL validity. Won't validate the Let's Encrypt LDAP certs without importing the CA
ssl_client_require_valid_cert = no
ssl_server {
  cert_file = /etc/dovecot/ssl/domain.tld.crt
  key_file = /etc/dovecot/ssl/domain.tld.key
}

# LDAP auth
# Password lookup: will also do a full user/pass bind to check, so this should be enough
# https://doc.dovecot.org/2.4.1/core/config/auth/databases/ldap.html#authentication-binds
# For debugging; also provides useful information about logins
log_debug = category=auth
passdb ldap {
  # will speed up the user check when multiple queries go to the LDAP server, e.g. with userdb checking too
  # will slow down if only one check is done per login
  # use_worker = yes
  driver = ldap
  ldap_uris = ldaps://dockerproject-ipa-1:636
  bind = yes
  bind_userdn = uid=%{user},cn=users,cn=accounts,dc=domain,dc=tld
  filter = (&(objectClass=posixAccount)(uid=%{user}))
  ldap_base = dc=domain,dc=tld
}
Change domain, tld and your docker hostname to match your needs.
Also, you need the ACME certificates from Caddy copied to that volume. I do it with the file cert_renew.sh:
#!/bin/bash
# Renew ACME certs of Dovecot from Caddy
cat /home/docker/docker_volumes/dockerproject_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domain.tld/domain.tld.key > /home/docker/docker_volumes/pcserver2023_dovecot_config/_data/ssl/domain.tld.key
cat /home/docker/docker_volumes/dockerproject_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domain.tld/domain.tld.crt > /home/docker/docker_volumes/pcserver2023_dovecot_config/_data/ssl/domain.tld.crt
which I call every day from the docker user's crontab.
Make sure the files are readable by Dovecot (and, if possible, by no one else, neither inside the container nor on your host).
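A hardened variant of the copy script above, added here as an example (it is not the page's cert_renew.sh): it copies only when Caddy's files actually changed, writes the private key via a temporary file with owner-only permissions so it is never world-readable on the host, and exits 0 only when something changed so a cron wrapper can reload Dovecot. The volume paths are the ones from the page; the environment-variable overrides are an assumption.

```shell
#!/bin/sh
# Added example, not the page's cert_renew.sh: copy Caddy's ACME key and
# certificate into the Dovecot config volume only when they changed, and
# install the private key readable by its owner only.
# Paths are the page's; the environment overrides are an assumption.
CADDY_CERT_DIR="${CADDY_CERT_DIR:-/home/docker/docker_volumes/dockerproject_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domain.tld}"
DOVECOT_SSL_DIR="${DOVECOT_SSL_DIR:-/home/docker/docker_volumes/pcserver2023_dovecot_config/_data/ssl}"

# install_if_changed SRC DST MODE
# Copies SRC to DST with permission bits MODE if DST is missing or differs.
# Returns 0 when DST was (re)written, 1 when it was already up to date,
# 2 when SRC cannot be read.
install_if_changed() {
    src=$1; dst=$2; mode=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        chmod "$mode" "$dst"   # re-assert the mode even when content is unchanged
        return 1
    fi
    # Create the temp file under umask 077, set the final mode, then rename:
    # Dovecot never sees a half-written key, and the key is never readable
    # by others, not even briefly.
    tmp="$dst.tmp.$$"
    (umask 077 && cp "$src" "$tmp") && chmod "$mode" "$tmp" && mv -f "$tmp" "$dst"
}

# renew_certs: returns 0 if at least one file changed (so the caller can
# run e.g. "docker compose exec dovecot doveadm reload"), 1 otherwise.
# The key gets 0600: Dovecot's master process reads it as root before
# dropping privileges, so nobody else needs access. The cert is public.
renew_certs() {
    changed=1
    mkdir -p "$DOVECOT_SSL_DIR" || return 2
    install_if_changed "$CADDY_CERT_DIR/domain.tld.key" \
        "$DOVECOT_SSL_DIR/domain.tld.key" 600 && changed=0
    install_if_changed "$CADDY_CERT_DIR/domain.tld.crt" \
        "$DOVECOT_SSL_DIR/domain.tld.crt" 644 && changed=0
    return $changed
}
```

Call renew_certs from cron and chain a Dovecot reload after it with &&, so a reload only happens on the day the certificate actually rotated.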
Currently (02.08.2025) there are a few problems with Thunderbird and Dovecot.
Have a look at the page below to configure Thunderbird with these settings: