How to setup iPhone 3GS with Postfix + Dovecot + SSL

Post date: Dec 31, 2011 1:57:50 PM

How to setup iPhone 3GS/Postfix/Dovecot/SSL


GOAL: To have a single document that outlines how to set up an iPhone with Postfix and Dovecot utilizing SSL.

NOTES: Many of the steps were taken from the links at the bottom. This may work with other iPhone models, but since I have not tested them, I cannot confirm that it will.

REQUIREMENTS: iPhone 3GS, dovecot 1.2.11 and postfix 2.6.5 or later.


Distribution: Debian Testing

Architecture: 64-bit


1. Set up Dovecot for retrieving e-mail.

2. Set up Postfix for sending e-mail.


1. Create a private key (the 1024-bit size is as originally posted; use 2048 bits or more on a current system)

openssl genrsa -out ca.key 1024

2. Create a Certificate Signing Request (CSR) to request certificate from external certification

openssl req -new -key ca.key -out ca.csr

3. Create a self-signed certificate

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

4. This will create 3 files:

-rw-r--r-- 1 abc users 924 2010-03-18 05:51 ca.crt

-rw-r--r-- 1 abc users 729 2010-03-18 05:51 ca.csr

-rw-r--r-- 1 abc users 887 2010-03-18 05:49 ca.key

5. Copy the following files to the SSL directories that hold the certificate and the private key, respectively

sudo cp ca.crt /etc/ssl/certs/dovecot.pem

sudo cp ca.key /etc/ssl/private/dovecot.pem

7. Edit dovecot.conf and ensure protocols includes imaps

protocols = imap imaps

8. Ensure that the ssl_cert_file and ssl_key_file parameters point to the certificate and key copied in step 5

ssl_cert_file = /etc/ssl/certs/dovecot.pem

ssl_key_file = /etc/ssl/private/dovecot.pem

9. Additionally, make sure the client auth socket is included (copy/paste below)

# In Dovecot 1.x this block belongs inside the "auth default { ... }" section.
# It's possible to export the authentication interface to other programs:
socket listen {
  master {
    # Master socket provides access to userdb information. It's typically
    # used to give Dovecot's local delivery agent access to userdb so it
    # can find mailbox locations.
    path = /var/run/dovecot/auth-master
    mode = 0600
    # Default user/group is the one who started dovecot-auth (root)
    #user =
    #group =
  }
  client {
    # The client socket is generally safe to export to everyone. Typical use
    # is to export it to your SMTP server so it can do SMTP AUTH lookups
    # using it.
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}

9. Make sure port 993/tcp (IMAPS) is allowed on the firewall

10. In the postfix configuration, add/modify the following parameters

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

11. Restart dovecot and postfix, then try and read your e-mail from your iPhone.


1. Edit /etc/postfix/ and ensure the SSL/TLS section looks like this:

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain = $mydomain

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem

smtpd_tls_key_file = /etc/ssl/private/dovecot.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_use_tls = yes

broken_sasl_auth_clients = yes

2. Also in /etc/postfix/, set up access for SASL authenticated connections

smtpd_recipient_restrictions =




3. In /etc/postfix/, ensure the following lines are in place:

smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

tlsmgr unix - - - 1000? 1 tlsmgr
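
A consistency check for the settings this guide splits between dovecot.conf and the Postfix configuration, as an added example that is not part of the original post: it verifies that smtpd_sasl_path resolves to Dovecot's client socket, that Postfix can reach that socket, and that both daemons reference the same certificate and key. The embedded configuration text is constructed from the values used above; the function names, the queue directory /var/spool/postfix and the assumption that smtpd runs as user postfix are assumptions of this example.

```python
import posixpath
import re
# Constructed samples mirroring the settings used in this guide.
DOVECOT_CONF = """\
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}
"""
POSTFIX_CONF = """\
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
"""

def parse(text):
    """Collect 'key = value' lines; comment and brace-only lines are skipped."""
    return dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S.*?)[ \t]*$", text, re.M))

def audit(dovecot_text, postfix_text, queue_dir="/var/spool/postfix"):
    """Return a list of findings; an empty list means both sides agree."""
    d, p = parse(dovecot_text), parse(postfix_text)
    # Settings inside Dovecot's 'client { ... }' auth socket block.
    m = re.search(r"\bclient\s*\{([^{}]*)\}", dovecot_text)
    sock = parse(m.group(1)) if m else {}
    findings = []
    if p.get("smtpd_sasl_type") != "dovecot":
        findings.append("smtpd_sasl_type is not dovecot")
    # Postfix resolves smtpd_sasl_path relative to its queue directory.
    want = posixpath.join(queue_dir, p.get("smtpd_sasl_path", ""))
    if sock.get("path") != want:
        findings.append(f"auth socket: dovecot {sock.get('path')} vs postfix {want}")
    # Connecting needs write permission; assumes smtpd runs as user postfix.
    mode = int(sock.get("mode", "0"), 8)
    if not mode & 0o002 and "postfix" not in (sock.get("user"), sock.get("group")):
        findings.append("auth socket not reachable by the postfix user")
    # This guide serves IMAPS and SMTPS from the same certificate/key pair.
    for dkey, pkey in (("ssl_cert_file", "smtpd_tls_cert_file"),
                       ("ssl_key_file", "smtpd_tls_key_file")):
        if d.get(dkey) != p.get(pkey):
            findings.append(f"{dkey}={d.get(dkey)} differs from {pkey}={p.get(pkey)}")
    return findings
```

Call audit() with the contents of the real files in place of the constructed strings; an empty list means the socket and certificate settings line up.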