This version is outdated by a newer approved version. This version (2025/08/05 19:58) was approved by obel1x. The previously approved version (2025/08/05 19:52) is available.



Docker: Dovecot

Dovecot (https://doc.dovecot.org) is a small, powerful, fast and very stable IMAP server for storing mail. It can be used with any mail client, such as Thunderbird or Evolution.

Prerequisites

You need everything required to run FreeIPA, and you should understand Docker and have those services running, so that LDAPS works.

Docker Compose

Dovecot does not use a database: mail is stored in Maildir format, which uses directories and one file per mail, so mounting the mail directory is enough.

In your docker_compose directory, create docker-compose.yml with the following content:

services:
# Small but performant and secure IMAP server: https://hub.docker.com/r/dovecot/dovecot
  dovecot:
    image: dovecot/dovecot:latest
#For testing:
#    image: dovecot/dovecot:latest-dev
    restart: always
    read_only: true
    stop_grace_period: 1m
    volumes:
      - dovecot_config:/etc/dovecot
      - dovecot_maildata:/srv/vmail
    tmpfs:
      - /tmp
      - /run/dovecot
      - /srv/mail
    environment:
      # These passwords should not be used except for testing:
      # they allow any username to connect with that password
      USER_PASSWORD: 'VERYSTRONGFIRSTPWD'
      DOVEADM_PASSWORD: 'VERYSTRONGSECONDPWD'
    ports:
      - "993:31993"
#Listeners from Homepage
#    POP3 on 31110, TLS 31995 (needs config file to enable, disabled by default)
#    IMAP on 31143, TLS 31993
#    Submission on 31587
#    LMTPS on 31024
#    ManageSieve on 34190
#    HTTP API on 8080
#    Metrics on 9090
    networks:
      - default

volumes:
  dovecot_config:
  dovecot_maildata:

networks:
# Must still be defined; without it IPv6 is not enabled
  default:
    driver: bridge
    enable_ipv6: true

Basically, docker compose up -d will already start your server.

LDAP Password-Checks

In your volume dovecot_config you will now find the directory conf.d. Put a file there, such as domainname.conf, to have it loaded into your Dovecot config. It will override all basic settings.

ssl = required
auth_allow_cleartext = no

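# Outgoing (client) connections: SSL certificate validation.
# Let's Encrypt certificates on the LDAP server won't validate without importing the CA,
# so validation is switched off here; the LDAP server's certificate is then not verified.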
ssl_client_require_valid_cert = no

ssl_server {
  cert_file = /etc/dovecot/ssl/obel1x.de.crt
  key_file = /etc/dovecot/ssl/obel1x.de.key
}

#LDAP Auth
# Password lookup: will also do full user/pass bind to check, so this should be enough
# https://doc.dovecot.org/2.4.1/core/config/auth/databases/ldap.html#authentication-binds

# For debugging; also provides useful information about logins
log_debug = category=auth

passdb ldap {
# use_worker speeds up logins that make several queries to the LDAP server (e.g. when userdb checks are done too),
# but slows things down if only one check is done per login
#  use_worker = yes
  driver = ldap
  ldap_uris = ldaps://dockerproject-ipa-1:636
  bind = yes
  bind_userdn = uid=%{user},cn=users,cn=accounts,dc=domain,dc=tld
  filter = (&(objectClass=posixAccount)(uid=%{user}))
  ldap_base = dc=domain,dc=tld
}

Change the domain, TLD and Docker hostname to match your setup.

SSL Setup

You also need the ACME certificates from Caddy copied into that volume. I do this with the script cert_renew.sh:

#!/bin/bash
# Renew the ACME certs of Dovecot from Caddy.
# cat with a redirect overwrites the target's content and keeps its existing owner and mode.
cat /home/docker/docker_volumes/dockerproject_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domain.tld/domain.tld.key > /home/docker/docker_volumes/pcserver2023_dovecot_config/_data/ssl/domain.tld.key
cat /home/docker/docker_volumes/dockerproject_caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domain.tld/domain.tld.crt > /home/docker/docker_volumes/pcserver2023_dovecot_config/_data/ssl/domain.tld.crt

which I call every day from docker's crontab.

Make sure that the files are accessible to Dovecot (and, if possible, to no one else, neither in the container nor on your host).
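
A more defensive variant of the copy step, as an added example that is not the wiki author's script: each file is written to a 0600 temporary file and renamed into place, an empty or missing source never replaces a working key, and the result tells the caller whether anything changed. The paths, the file name and the optional OWNER argument (the uid:gid Dovecot runs as) are assumptions.

```shell
#!/bin/bash
# Added example, not the wiki author's script. All paths, the file name and
# the optional OWNER (uid:gid that Dovecot runs as) are assumptions.

# install_file SRC DST MODE [OWNER]
# Prints "updated" or "unchanged"; exits non-zero without touching DST when
# SRC is missing/empty or any step fails.
install_file() (
  src=$1 dst=$2 mode=$3 owner=${4:-}
  [ -s "$src" ] || { echo "missing or empty: $src" >&2; exit 2; }
  if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
    chmod "$mode" "$dst" || exit 2        # re-assert the mode anyway
    echo unchanged
    exit 0
  fi
  # mktemp creates the file 0600, so the key is never briefly world-readable
  tmp=$(mktemp "$(dirname "$dst")/.certsync.XXXXXX") || exit 2
  {
    cat "$src" > "$tmp" &&
    chmod "$mode" "$tmp" &&
    { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
    mv -f "$tmp" "$dst"                   # rename is atomic within one filesystem
  } || { rm -f "$tmp"; exit 2; }
  echo updated
)

# sync_pair SRC_DIR DST_DIR NAME [OWNER]
# Prints "changed" if the key or the certificate was replaced, so the caller
# can decide whether to reload Dovecot; otherwise prints "unchanged".
sync_pair() (
  k=$(install_file "$1/$3.key" "$2/$3.key" 600 "${4:-}") || exit 2
  c=$(install_file "$1/$3.crt" "$2/$3.crt" 600 "${4:-}") || exit 2
  if [ "$k" = updated ] || [ "$c" = updated ]; then echo changed; else echo unchanged; fi
)

# Runs only when called with arguments, e.g. from cron:
#   cert_sync.sh /path/to/caddy/certs/domain.tld /path/to/dovecot_config/ssl domain.tld
if [ "$#" -ge 3 ]; then sync_pair "$@"; fi
```

Unlike `cat >`, the rename replaces the target file, so the installed files belong to the user running the script unless OWNER is given.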

Possible problems

Currently (02.08.2025) there are a few problems with Thunderbird and Dovecot.

Error: Disconnected: Too many invalid IMAP commands.

Have a look at the page below to configure Thunderbird with these settings:

  • mail.server.default.allow_utf8_accept = false
  • mail.imap.use_literal_plus = false

https://yellowshoes.de/2025/07/31/thunderbird-dovecot-2-4-disconnected-too-many-invalid-imap-commands/


Unless otherwise noted, the content of this wiki is published under the following license: CC0 1.0 Universal