Dovecot on Ubuntu 24.04 on Azure User Guide
Overview
This guide covers the deployment and configuration of Dovecot on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. Dovecot is one of the most widely deployed open source IMAP and POP3 servers in the world, chosen for its security focus, standards compliance and excellent performance. It runs as a headless daemon administered through the configuration files in /etc/dovecot and the doveadm command line.
The image installs the Ubuntu 24.04 archive packages dovecot-core, dovecot-imapd, dovecot-pop3d and dovecot-lmtpd (Dovecot 2.3.21, dual licensed MIT and LGPL 2.1) and configures a self contained, secure by default single node mail store. One virtual mailbox is provisioned with its mail kept in Maildir format under a dedicated unprivileged vmail account, delivery is over LMTP so the whole setup works end to end with no external dependency, and IMAP and POP3 are served over TLS.
Security by design, no default credential. No default or shared credential ships in the image. On the first boot of every VM the dovecot-firstboot.service runs once. It generates a per instance mailbox password, hashes it into the Dovecot password database, regenerates the TLS private key and certificate, and writes the plaintext login to /root/dovecot-credentials.txt (mode 0600, root only). The captured image ships no certificate, no password and only an empty password database, so no mailbox can authenticate until first boot provisions the instance.
Security by design, no plaintext authentication over the network. Dovecot is configured with disable_plaintext_auth = yes and ssl = required, so a remote client's plaintext LOGIN on the non TLS ports (143 and 110) is refused until the connection is upgraded with STARTTLS. IMAP over implicit TLS (993) and POP3 over implicit TLS (995) are the recommended client ports. Only the virtual mailbox user can authenticate, because system and shell accounts are excluded from mail login.
What is included:
-
Dovecot 2.3.21 from the Ubuntu 24.04 archive (
dovecot-core,dovecot-imapd,dovecot-pop3d,dovecot-lmtpd), run under systemd (dovecot.service) -
A self contained single node mail store: one virtual mailbox in Maildir format under a dedicated unprivileged
vmailaccount, with local delivery over LMTP -
IMAP served over TLS on 993 and with STARTTLS on 143, and POP3 over TLS on 995 and with STARTTLS on 110
-
A per instance mailbox password and a fresh TLS key and certificate generated on first boot, documented in
/root/dovecot-credentials.txt(0600), so no image ever ships a usable or default credential -
Plaintext authentication disabled on non TLS connections (
disable_plaintext_auth = yes,ssl = required) -
Ubuntu 24.04 LTS base with latest security patches applied at build time, and unattended security upgrades kept enabled
-
Azure Linux Agent for seamless cloud integration and SSH key injection
-
24/7 cloudimg support with a guaranteed 24 hour response SLA
Prerequisites
-
Active Azure subscription, SSH public key, VNet and subnet in the target region
-
Subscription to the Dovecot listing on Azure Marketplace
-
Network Security Group rules allowing TCP 22 (admin), TCP 993 (IMAPS) and TCP 995 (POP3S) for secure client access, and optionally TCP 143 (IMAP with STARTTLS) and TCP 110 (POP3 with STARTTLS)
Recommended virtual machine size: Standard_B2s (2 vCPU, 4 GB RAM) is a comfortable starting point for a small mailbox server. Scale up for more mailboxes, larger mail volumes or higher concurrency.
Step 1: Deploy from the Azure Portal
Search Dovecot in Marketplace, select the cloudimg publisher, and click Create. Configure the Network Security Group to allow TCP 22 for administration and TCP 993 and TCP 995 for secure IMAP and POP3 access. Assign a public IP so remote mail clients can connect.
Step 2: Deploy from the Azure CLI
RG="mail-prod"; LOCATION="eastus"; VM_NAME="dovecot1"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/dovecot-ubuntu-24-04/versions/<version>"
az group create --name "$RG" --location "$LOCATION"
az vm create --resource-group "$RG" --name "$VM_NAME" \
--image "$GALLERY_IMAGE_ID" --size Standard_B2s \
--admin-username azureuser --generate-ssh-keys --public-ip-sku Standard
# secure IMAP (993), secure POP3 (995), and the STARTTLS ports (143, 110)
az vm open-port --resource-group "$RG" --name "$VM_NAME" --port 993 --priority 1001
az vm open-port --resource-group "$RG" --name "$VM_NAME" --port 995 --priority 1002
az vm open-port --resource-group "$RG" --name "$VM_NAME" --port 143 --priority 1003
az vm open-port --resource-group "$RG" --name "$VM_NAME" --port 110 --priority 1004
Step 3: First boot
On the first boot of every VM the dovecot-firstboot.service runs once. It generates the per instance mailbox password, hashes it into the Dovecot password database, regenerates the TLS private key and certificate, writes the plaintext login to /root/dovecot-credentials.txt, and starts Dovecot. Allow about 20 seconds after the VM is first reachable.
Step 4: Confirm the service is running
SSH in and confirm Dovecot is active and inspect its effective configuration.
sudo systemctl is-active dovecot
sudo doveconf -n | head -30

Step 5: Read the per instance mailbox login
The mailbox password is unique to this VM and is written to a root only file on first boot.
sudo cat /root/dovecot-credentials.txt
The file contains the mailbox username (mailbox@localhost), the per instance password, and the IMAP host and ports. Store it somewhere safe.
Step 6: Inspect the TLS mail listeners
Dovecot serves IMAP on 143 (STARTTLS) and 993 (implicit TLS), and POP3 on 110 (STARTTLS) and 995 (implicit TLS).
sudo ss -tlnp | grep -E ':(143|993|110|995|24) ' | sort
sudo doveconf disable_plaintext_auth ssl
The disable_plaintext_auth = yes and ssl = required settings mean a remote client's plaintext authentication on 143 or 110 is refused until the connection is upgraded with STARTTLS.

Step 7: Prove the mailbox credential round trip
The image ships a self contained round trip check that connects over implicit TLS on 993, proves a wrong password is rejected and the per instance password is accepted, selects the INBOX, then delivers a message over LMTP and reads it back over IMAP.
echo | sudo openssl s_client -connect 127.0.0.1:993 -brief 2>&1 | grep -Ei 'protocol|cipher|verify|subject'
sudo python3 /usr/local/sbin/cloudimg-dovecot-roundtrip.py
The final OK full: line confirms the whole path works: implicit TLS on 993, a wrong password rejected, the per instance password accepted and the INBOX selectable, and an LMTP delivered message read back over IMAP.

The hardened configuration at a glance: the password database is a root readable Dovecot password file with a SHA512 hashed per instance password, the TLS certificate and key are unique to this VM and root owned, the system PAM login path is disabled so only the virtual mailbox can authenticate, and plaintext authentication is refused on non TLS connections.

Step 8: Connect a mail client
Point any standards compliant IMAP or POP3 client at the VM public IP using the mailbox username and the per instance password from the credentials file.
- IMAP over TLS: host
<vm-ip>, port993, SSL/TLS, usernamemailbox@localhost, password from the file - POP3 over TLS: host
<vm-ip>, port995, SSL/TLS, same username and password - IMAP or POP3 with STARTTLS: ports
143or110, connection security STARTTLS
The TLS certificate is self signed and unique to this VM, so a client will prompt to trust it. Step 10 covers replacing it with a certificate for your own domain.
Step 9: Add more mailboxes
Add further virtual mailboxes by generating a hashed password with doveadm pw and appending a line to the password file, then reloading Dovecot. Each line is user:hash:uid:gid::home:: with the vmail uid and gid (5000).
# generate a hash for a new mailbox (you will be prompted for the password)
HASH=$(doveadm pw -s SHA512-CRYPT -p '<new-password>')
echo "alice@<your-domain>:${HASH}:5000:5000::/var/vmail/alice@<your-domain>::" \
| sudo tee -a /etc/dovecot/cloudimg-users
sudo systemctl reload dovecot
Step 10: Install a real TLS certificate
For production, replace the per instance self signed certificate with a certificate for your own domain, for example from Let's Encrypt, and point Dovecot at it.
sudo certbot certonly --standalone -d mail.<your-domain>
sudo sed -i 's#^ssl_cert = .*#ssl_cert = </etc/letsencrypt/live/mail.<your-domain>/fullchain.pem#' /etc/dovecot/conf.d/99-cloudimg.conf
sudo sed -i 's#^ssl_key = .*#ssl_key = </etc/letsencrypt/live/mail.<your-domain>/privkey.pem#' /etc/dovecot/conf.d/99-cloudimg.conf
sudo systemctl restart dovecot
Step 11: Front Dovecot with an MTA for real mail
Dovecot is the mailbox store (IMAP and POP3) and local delivery agent (LMTP). To send and receive mail with the outside world, put a mail transfer agent such as Postfix in front of it and have Postfix deliver inbound mail to Dovecot over LMTP. Configure Postfix for your own domain and DNS (MX, SPF, DKIM and DMARC records), and keep outbound relay restricted to authenticated submission.
# example only — install and configure Postfix for your own domain
sudo apt-get install -y postfix
sudo postconf -e "mailbox_transport = lmtp:inet:127.0.0.1:24"
sudo postconf -e "myhostname = mail.<your-domain>"
sudo systemctl restart postfix
Note: Azure blocks outbound SMTP on port 25 by default for most subscriptions. To send mail directly you can request an outbound port 25 exception from Azure, or relay outbound mail through a smart host on port 587. Inbound mail and IMAP or POP3 access are unaffected.
Step 12: Support and Licensing
Dovecot Community Edition is dual licensed under the MIT and LGPL 2.1 licenses, both permissive and redistributable. cloudimg provides the packaging, hardening and Azure integration, with 24/7 support and a guaranteed 24 hour response SLA.
Trademark notice. cloudimg is not affiliated with or endorsed by the Dovecot project or Open-Xchange. This image packages the open source Dovecot software for convenient deployment on Azure.
Deploy on Azure
Find Dovecot on Ubuntu 24.04 LTS by cloudimg on the Azure Marketplace and click Create, or deploy from the Azure CLI as shown above.
Need Help?
Contact cloudimg support at support@cloudimg.co.uk for deployment assistance, configuration guidance, or licensing questions.