What's Actually Happening

Dovecot IMAP server rejects login attempts. Email clients cannot authenticate and access mailboxes.

The Error You'll See

```bash
$ openssl s_client -connect localhost:993

* OK [CAPABILITY IMAP4rev1] Dovecot ready.
a1 LOGIN user password
a1 NO [AUTHENTICATIONFAILED] Authentication failed.
```

Connection error:

```bash
* BYE Disconnected for inactivity.
```

SSL error:

```bash
* BAD [ALERT] SSL/TLS handshake failed
```

User not found:

```bash
a1 NO [AUTHENTICATIONFAILED] Authentication failed.
```

Why This Happens

  1. Wrong password - Invalid credentials
  2. User not found - User doesn't exist in system
  3. Authentication backend - PAM or SQL auth failing
  4. SSL/TLS issues - Certificate problems
  5. Mail location - Mail directory missing
  6. Permission denied - Cannot access mail files
  7. Configuration errors - Invalid dovecot.conf

Step 1: Check Dovecot Status

```bash
# Check Dovecot service:
systemctl status dovecot

# Check process:
ps aux | grep dovecot

# Check listening ports:
ss -tlnp | grep dovecot

# IMAP ports:
# 143 - IMAP
# 993 - IMAPS

# POP3 ports:
# 110 - POP3
# 995 - POP3S

# Check logs:
journalctl -u dovecot -f

# Dovecot logs:
tail -f /var/log/mail.log
tail -f /var/log/dovecot.log

# Check configuration:
doveconf -n

# Check version:
dovecot --version

# Test connection:
telnet localhost 143
# Then: a1 CAPABILITY

# Test IMAPS:
openssl s_client -connect localhost:993
```

Step 2: Test Authentication

```bash
# Test login locally
# (omit the password to be prompted instead of leaving it in shell history):
doveadm auth test user@domain.com password

# Check user:
doveadm user user@domain.com

# List users:
doveadm user '*'

# Flush the authentication cache (flush is the only cache subcommand):
doveadm auth cache flush

# Debug authentication:
doveadm -D auth test user@domain.com

# Check password database:
doveconf -n passdb

# Check user database:
doveconf -n userdb

# Test with telnet:
telnet localhost 143
# Then type: a1 LOGIN user@domain.com password

# Expected response:
# a1 OK [CAPABILITY ...] Logged in

# Check for auth errors (-E is needed for the | alternation):
grep -E "auth|login|failed" /var/log/mail.log | tail -20

# Check passdb configuration:
grep -A 10 "passdb {" /etc/dovecot/dovecot.conf
```

Step 3: Check User Configuration

```bash
# Check if user exists in system:
id user

# Check if mail user:
grep user /etc/passwd

# Check user database (the passdb/userdb blocks below are dovecot.conf settings, not shell commands).
# For system users:
passdb {
  driver = pam
}

userdb {
  driver = passwd
}

# For SQL users:
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# Check SQL configuration:
cat /etc/dovecot/dovecot-sql.conf.ext

# Test SQL query:
# Connect to database and test query manually

# Check LDAP configuration:
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Check static userdb:
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

# Test user lookup:
doveadm user -u user@domain.com

# Check user attributes:
doveadm user -f home user@domain.com
doveadm user -f mail user@domain.com
```

Step 4: Check Mail Location

```bash
# Check mail location:
doveconf -n mail_location

# Common mail locations (dovecot.conf settings; use one):
mail_location = maildir:~/Maildir
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_location = mdbox:~/mdbox

# Check user's mail directory:
ls -la /home/user/Maildir
ls -la /var/mail/user

# Create mail directory:
mkdir -p /home/user/Maildir/{cur,new,tmp}
chown -R user:user /home/user/Maildir
chmod -R 700 /home/user/Maildir

# For virtual users:
mkdir -p /var/mail/vhosts/domain.com/user
chown -R vmail:vmail /var/mail/vhosts

# Check mail location in config:
grep mail_location /etc/dovecot/conf.d/*.conf

# Check namespace configuration (dovecot.conf):
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = create
  }
}

# Test mail access (fetch the body of the first message in INBOX;
# sequence numbers start at 1):
doveadm -D fetch -u user@domain.com body mailbox INBOX 1
```

Step 5: Check SSL Configuration

```bash
# Check SSL config:
doveconf -n ssl

# SSL certificate (dovecot.conf settings):
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

# Check certificate files:
ls -la /etc/ssl/certs/dovecot.pem
ls -la /etc/ssl/private/dovecot.pem

# Verify certificate:
openssl x509 -in /etc/ssl/certs/dovecot.pem -text -noout | head -20

# Check certificate expiration:
openssl x509 -in /etc/ssl/certs/dovecot.pem -noout -dates

# Verify key (-noout keeps the private key off the terminal):
openssl rsa -in /etc/ssl/private/dovecot.pem -check -noout

# Restrict key permissions:
chmod 600 /etc/ssl/private/dovecot.pem

# SSL protocols
# (Dovecot 2.3 and later use ssl_min_protocol = TLSv1.2 instead of ssl_protocols):
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

# Cipher suites:
ssl_cipher_list = HIGH:!aNULL:!MD5

# Force SSL:
ssl = required

# Disable plaintext auth:
disable_plaintext_auth = yes

# Test SSL:
openssl s_client -connect localhost:993 -quiet
```

Step 6: Fix Permission Issues

```bash
# Check Dovecot user:
id dovecot

# Check mail user:
id vmail

# Check directory permissions:
ls -la /var/mail/
ls -la /home/user/Maildir/

# Fix permissions:
chown -R user:mail /var/mail/user
chmod 600 /var/mail/user

# For Maildir:
chown -R user:user ~/Maildir
chmod -R 700 ~/Maildir

# Check service permissions:
ls -la /var/run/dovecot/

# Fix dovecot directory:
chown -R dovecot:dovecot /var/run/dovecot/

# Check login user:
grep "login_user" /etc/dovecot/dovecot.conf

# Default (the setting is named default_login_user in Dovecot 2.x):
# default_login_user = dovenull

# Check for permission errors:
grep "Permission denied" /var/log/mail.log

# Check SELinux:
ls -laZ /var/mail/

# Fix SELinux:
restorecon -Rv /var/mail/
```

Step 7: Check Authentication Mechanisms

```bash
# Check auth mechanisms:
doveconf -n auth_mechanisms

# Common mechanisms (dovecot.conf):
auth_mechanisms = plain login

# CRAM-MD5:
auth_mechanisms = plain login cram-md5

# Check PLAIN auth:
# Requires SSL/TLS for security

# Check LOGIN auth:
# Legacy mechanism for Outlook

# Test mechanism:
telnet localhost 143
# Then type: a1 CAPABILITY
# Shows: AUTH=PLAIN AUTH=LOGIN

# Enable mechanisms:
auth_mechanisms = plain login

# Disable insecure:
# Don't use without SSL

# Check auth process (named dovecot/auth in Dovecot 2.x):
ps aux | grep 'dovecot/auth'

# Auth socket:
ls -la /var/run/dovecot/auth-userdb
ls -la /var/run/dovecot/auth-client

# Socket permissions (unix_listener settings in dovecot.conf):
mode = 0666
user = postfix
group = postfix
# With user and group set to postfix, mode 0660 is sufficient and keeps
# the socket from being world-accessible.
```

Step 8: Debug Authentication

```bash
# Enable debug logging:
# In /etc/dovecot/dovecot.conf:
auth_debug = yes
auth_debug_passwords = yes   # writes attempted passwords to the log; enable only briefly
auth_verbose = yes
mail_debug = yes

# Restart:
systemctl restart dovecot

# Watch logs:
tail -f /var/log/mail.log

# Debug auth test:
doveadm -D auth test user@domain.com password

# Check detailed output:
# Look for:
# - Password comparison
# - User lookup
# - Passdb lookup

# Disable debug after troubleshooting:
auth_debug = no
auth_debug_passwords = no
auth_verbose = yes  # Keep this

# Check for specific errors:
# "Password mismatch" - Wrong password
# "User not found" - User doesn't exist
# "Permission denied" - File permission issue

# Check passdb result:
doveadm auth test -x service=imap user@domain.com
```
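The three error strings from Step 8 can be counted straight from the log to see which cause dominates and whether password mismatches come from one client. This is an added example, not part of the original article; the log lines are constructed, and the `passdb(user,ip): message` layout and the "unknown user" wording are assumptions about how the auth process logs with `auth_verbose = yes`.

```shell
#!/bin/sh
# Constructed sample lines (not from a real server), shaped like auth_verbose output.
sample_log() {
cat <<'EOF'
Jan 10 09:00:01 mail dovecot: auth: passwd-file(alice@domain.com,192.0.2.10): Password mismatch
Jan 10 09:00:05 mail dovecot: auth: passwd-file(alice@domain.com,192.0.2.10): Password mismatch
Jan 10 09:00:07 mail dovecot: auth: passwd-file(alice@domain.com,203.0.113.5): Password mismatch
Jan 10 09:00:09 mail dovecot: auth: passwd-file(bob@domain.com,198.51.100.7): unknown user
Jan 10 09:00:12 mail dovecot: imap(carol@domain.com): Error: open(/var/mail/vhosts/domain.com/carol) failed: Permission denied
Jan 10 09:00:20 mail dovecot: imap-login: Login: user=<dave@domain.com>, method=PLAIN, rip=192.0.2.44, TLS
EOF
}

# classify_failures: log lines on stdin -> "cause<TAB>count", sorted by cause.
classify_failures() {
  awk '
    /Password mismatch/           { n["password_mismatch"]++; next }
    /unknown user|User not found/ { n["user_not_found"]++; next }
    /Permission denied/           { n["permission_denied"]++; next }
    END { for (c in n) printf "%s\t%d\n", c, n[c] }
  ' | sort
}

# mismatches_by_source: password mismatches per client address, "ip<TAB>count".
# Assumes the auth line carries "(user,remote-ip[,session])" after the passdb name.
mismatches_by_source() {
  awk '
    /auth: .*Password mismatch/ && match($0, /\([^)]*\)/) {
      split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
      n[f[2]]++
    }
    END { for (ip in n) printf "%s\t%d\n", ip, n[ip] }
  ' | sort
}

sample_log | classify_failures
sample_log | mismatches_by_source
```

On a live server, pipe the real log into the same functions, for example `classify_failures < /var/log/mail.log`.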

Step 9: Check Firewall and Network

```bash
# Check firewall:
iptables -L -n | grep -E "143|993|110|995"

# Allow IMAP:
iptables -I INPUT -p tcp --dport 143 -j ACCEPT
iptables -I INPUT -p tcp --dport 993 -j ACCEPT

# Allow POP3:
iptables -I INPUT -p tcp --dport 110 -j ACCEPT
iptables -I INPUT -p tcp --dport 995 -j ACCEPT

# Using ufw:
ufw allow 143/tcp
ufw allow 993/tcp
ufw allow 110/tcp
ufw allow 995/tcp

# Test port:
nc -zv localhost 143
nc -zv localhost 993

# Check from client:
telnet mail-server 143

# Test with email client:
# Configure client with:
# Server: mail.example.com
# Port: 993 (IMAPS)
# Username: user@domain.com
# Password: password

# Check for rate limiting:
grep "Maximum number of connections" /var/log/mail.log
```

Step 10: Dovecot Verification Script

```bash
# Create verification script:
cat << 'EOF' > /usr/local/bin/check-dovecot.sh
#!/bin/bash

echo "=== Dovecot Service ==="
systemctl status dovecot 2>/dev/null | head -5 || echo "Service not running"

echo ""
echo "=== Process ==="
ps aux | grep dovecot | grep -v grep || echo "No Dovecot process"

echo ""
echo "=== Listening Ports ==="
ss -tlnp 2>/dev/null | grep -E "143|993|110|995" || echo "No IMAP/POP3 ports listening"

echo ""
echo "=== Configuration Test ==="
doveconf -n 2>&1 | head -20 || echo "Configuration error"

echo ""
echo "=== SSL Configuration ==="
doveconf -n ssl 2>/dev/null | head -10 || echo "No SSL config"

echo ""
echo "=== Mail Location ==="
doveconf -n mail_location 2>/dev/null || echo "No mail location"

echo ""
echo "=== Auth Mechanisms ==="
doveconf -n auth_mechanisms 2>/dev/null || echo "Default mechanisms"

echo ""
echo "=== User Database ==="
doveconf -n userdb 2>/dev/null | head -10 || echo "No userdb config"

echo ""
echo "=== Pass Database ==="
doveconf -n passdb 2>/dev/null | head -10 || echo "No passdb config"

echo ""
echo "=== SSL Certificate ==="
# ssl_cert is printed as "ssl_cert = </path"; take the path and drop the "<"
cert=$(doveconf -n ssl_cert 2>/dev/null | awk '{print $3}' | tr -d '<')
if [ -f "$cert" ]; then
  echo "Certificate: $cert"
  openssl x509 -in "$cert" -noout -dates 2>/dev/null || echo "Cannot read certificate"
else
  echo "Certificate file not found"
fi

echo ""
echo "=== Test IMAP Connection ==="
(echo "a1 CAPABILITY"; sleep 1; echo "a2 LOGOUT") | nc localhost 143 2>/dev/null | head -5 || echo "Cannot connect"

echo ""
echo "=== Firewall ==="
iptables -L -n 2>/dev/null | grep -E "143|993" || ufw status 2>/dev/null | grep -E "143|993" || echo "Check firewall manually"

echo ""
echo "=== Recent Logs ==="
journalctl -u dovecot --no-pager -n 10 2>/dev/null || tail /var/log/mail.log 2>/dev/null | grep dovecot | tail -10 || echo "No logs"

echo ""
echo "=== Recommendations ==="
echo "1. Verify user exists in password database"
echo "2. Check mail directory exists with correct permissions"
echo "3. Ensure SSL certificates valid if using IMAPS"
echo "4. Configure auth_mechanisms appropriately"
echo "5. Allow IMAP/POP3 ports in firewall"
echo "6. Enable auth_debug for detailed troubleshooting"
echo "7. Check passdb and userdb configuration"
EOF

chmod +x /usr/local/bin/check-dovecot.sh

# Usage:
/usr/local/bin/check-dovecot.sh
```
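Once logins work again, the settings from Steps 5 and 8 (`ssl = required`, `disable_plaintext_auth = yes`, `auth_debug_passwords = no`) are worth re-checking so a troubleshooting change does not stay in place. The audit below is an added example, not part of the original script; the sample configuration is constructed, and the defaults applied to settings that `doveconf -n` omits (`ssl = yes`, `disable_plaintext_auth = yes`, `auth_debug_passwords = no`) are assumed Dovecot 2.x defaults.

```shell
#!/bin/sh
# Constructed `doveconf -n` style output with deliberately weak values.
sample_conf() {
cat <<'EOF'
auth_debug_passwords = yes
auth_mechanisms = plain login
disable_plaintext_auth = no
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
passdb {
  driver = pam
}
EOF
}

# audit_conf: "key = value" lines on stdin -> one "setting<TAB>value<TAB>reason"
# line per setting that differs from the values the article recommends.
audit_conf() {
  awk -F' *= *' '
    BEGIN {
      # doveconf -n prints only non-default settings, so start from the
      # assumed Dovecot 2.x defaults and let the input override them.
      v["ssl"] = "yes"
      v["disable_plaintext_auth"] = "yes"
      v["auth_debug_passwords"] = "no"
    }
    # Top-level settings only; indented lines belong to { } sections.
    /^[a-z_]+ *=/ { val = $2; sub(/[ \t]+$/, "", val); v[$1] = val }
    END {
      if (v["ssl"] != "required")
        print "ssl\t" v["ssl"] "\tTLS is optional for clients; Step 5 sets ssl = required"
      if (v["disable_plaintext_auth"] != "yes")
        print "disable_plaintext_auth\t" v["disable_plaintext_auth"] "\tPLAIN/LOGIN accepted without TLS"
      if (v["auth_debug_passwords"] != "no")
        print "auth_debug_passwords\t" v["auth_debug_passwords"] "\tpasswords are written to the log"
    }'
}

sample_conf | audit_conf
```

On a server, run `doveconf -n | audit_conf`; empty output means all three settings match the article's recommendations.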

Dovecot IMAP Login Checklist

| Check | Expected |
|---|---|
| Service running | dovecot process active |
| Ports listening | 143, 993 accessible |
| User exists | User in passdb/userdb |
| Password correct | Authentication succeeds |
| Mail location | Directory exists |
| Permissions | User can access mail |
| SSL valid | Certificate not expired |
| Firewall | Ports allowed |

Verify the Fix

```bash
# After fixing Dovecot IMAP login

# 1. Check service
systemctl status dovecot
# Expected: Active running

# 2. Test auth
doveadm auth test user@domain.com password
# Expected: auth succeeded

# 3. Test IMAP
telnet localhost 143
# Then type: a1 LOGIN user@domain.com password
# Expected: a1 OK Logged in

# 4. Test IMAPS
openssl s_client -connect localhost:993
# Expected: SSL connection OK

# 5. List mailboxes (typed inside the IMAP session)
# a2 LIST "" "*"
# Expected: Mailboxes listed

# 6. Monitor logs
journalctl -u dovecot -f
# Expected: No auth errors
```
