Dovecot authentication process broken, where is the misconfiguration?

I know i think i goofed up, taking from different configuration guides and amalgamating them together. Where did i screw up exactly? My cloud provider unblocked the SMTP port for me, i might just be limited by that as well. I can send mail but not receive it though. Mail servers are the most byzantine to navigate of all linux services by far to me. I hope you all will understand. :sweat_smile:
Output from maillog

Apr  7 19:22:53 fnbpbc dovecot[1458]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=2001:19f0:9003:d2b:5400:4ff:fe4b:dc04, lip=2001:19f0:9003:d2b:5400:4ff:fe4b:dc04, secured, session=<QeSq88P43LMgARnwkAMNK1QABP/+S9wE>
Apr  7 19:23:12 fnbpbc dovecot[1458]: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=2001:19f0:9003:d2b:5400:4ff:fe4b:dc04, lip=2001:19f0:9003:d2b:5400:4ff:fe4b:dc04, secured, session=<VZ7H9MP4lMMgARnwkAMNK1QABP/+S9wE>
Apr  7 19:23:32 fnbpbc dovecot[1458]: imap-login: Error: auth-client: conn unix:login (pid=1453,uid=0): Timeout waiting for handshake from auth server. my pid=38308, input bytes=0
Apr  7 19:23:32 fnbpbc dovecot[1458]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=2001:19f0:9003:d2b:5400:4ff:fe4b:dc04, lip=2001:19f0:9003:d2b:5400:4ff:fe4b:dc04, secured, session=<VZ7H9MP4lMMgARnwkAMNK1QABP/+S9wE>
Apr  7 19:23:53 fnbpbc dovecot[1458]: auth: Fatal: Invalid userdb template args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n - key must not be empty
Apr  7 19:23:53 fnbpbc dovecot[1453]: master: Error: service(auth): command startup failed, throttling for 60.000 secs
$ openssl s_client -CAfile /etc/pki/tls/cert.pem -connect
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN =
verify return:1
Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 28 22:28:37 2023 GMT; NotAfter: Jun 26 22:28:36 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
Server certificate
subject=CN =
issuer=C = US, O = Let's Encrypt, CN = R3
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
SSL handshake has read 4335 bytes and written 403 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Post-Handshake New Session Ticket arrived:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 77270E025B5C3FAA469D96634B42C394B704F7DC7E47577C28AC95FE18BF2810
    Resumption PSK: E65D07616585E92977D1361267A38B0F4FD4E96519E331780C4CE306D34BB24494F8BE37E08BA6E100827B543D02FD77
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 7d cf c2 87 06 8c 06 d7-36 45 91 fa a8 19 b7 c8   }.......6E......
    0010 - 96 60 6f e4 c0 1c 34 6d-0a cb d9 ad 69 49 43 f3   .`o...4m....iIC.
    0020 - f4 2e d7 74 b5 dd ca 46-31 b3 dc d0 ad 3f 1f 85   ...t...F1....?..
    0030 - ef a0 c8 97 3d 68 85 bc-af 1e fc 52 bd 7a 51 16   ....=h.....R.zQ.
    0040 - 22 34 ba 35 45 8b ea 30-75 84 50 4e 8e ed 91 3a   "4.5E..0u.PN...:
    0050 - c8 1e bc 44 43 59 c4 92-b5 17 05 e5 64 1c 2d c2   ...DCY......d.-.
    0060 - b7 48 63 ee 34 21 de 7b-aa e0 19 32 ac 12 8c 77   .Hc.4!.{...2...w
    0070 - 8f 72 d3 99 6c ad b9 f0-02 f9 8f fd ee f7 f1 5b   .r..l..........[
    0080 - ee 81 29 ee 87 13 65 51-bf 5e d2 ad 90 ac dd 39   ..)...eQ.^.....9
    0090 - b9 34 ff e1 1e 03 37 13-85 70 86 99 67 1f 18 5d   .4....7..p..g..]
    00a0 - 78 78 eb 06 3a a0 36 fb-f0 f0 30 99 6a 97 98 5c   xx..:.6...0.j..\
    00b0 - c6 76 b1 b9 42 ec 72 6d-18 13 79 96 48 24 54 48   .v..B.rm..y.H$TH
    00c0 - 8c 99 b9 4f 18 f3 04 b1-e8 69 30 3b 30 b7 1a 70   ...O.....i0;0..p
    00d0 - cc 98 8a e8 11 c9 6d 81-73 63 28 48 d1 d8 0e 75

    Start Time: 1680898026
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
read R BLOCK
Post-Handshake New Session Ticket arrived:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 462BAB66F7D92804321B7E73D77A6F1CFA1A6B8328970ECC1B03D11E878126EA
    Resumption PSK: FD26FE7915EDA322992D7FD2C1C0BD0BDCC60191258C63ABAB435123B9D169D80B438B5EBFC60F3EDC566C3C0A427015
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 7d cf c2 87 06 8c 06 d7-36 45 91 fa a8 19 b7 c8   }.......6E......
    0010 - 9e 17 41 34 eb cf f4 bb-09 6e 12 6f ea 33 d7 b7   ..A4.....n.o.3..
    0020 - 61 44 84 e8 93 26 00 38-dd 85 df 56 e1 a4 80 ab   aD...&.8...V....
    0030 - da 43 b4 06 9d 1a 32 f2-93 f4 6b 9e 5d d4 7f ce   .C....2...k.]...
    0040 - ed 4e bd 77 9b c7 38 51-86 3a 48 d3 49 0a 48 a3   .N.w..8Q.:H.I.H.
    0050 - da 53 cd e8 a8 24 9a fb-a2 27 e9 80 f9 82 bf 4d   .S...$...'.....M
    0060 - 1c 50 92 b5 b7 4f e3 d3-0d e4 d7 6f be a2 70 b1   .P...O.....o..p.
    0070 - 10 a3 c0 ca 27 ad af 4f-a0 70 41 13 5d 9e 1b 1b   ....'..O.pA.]...
    0080 - 5b f3 84 8c f6 79 9f 51-4b 1b 6f 82 fc d1 5f cd   [....y.QK.o..._.
    0090 - a3 2a a4 0b ad a3 fd 6e-38 dc 9f b4 70 05 b4 73   .*.....n8...p..s
    00a0 - 52 6f e1 50 d8 a4 20 ef-32 d3 4f 3f fc a5 16 f9   Ro.P.. .2.O?....
    00b0 - 01 03 31 07 04 5b 79 3d-90 e8 be ca 62 bd 55 16   ..1..[y=....b.U.
    00c0 - bc 5d 04 97 57 f4 52 bc-c6 d9 37 d7 7b 53 f1 7b   .]..W.R...7.{S.{
    00d0 - df af 98 d7 ab cf ef 87-61 fd 9b 46 e6 5e a1 b9   ........a..F.^..

    Start Time: 1680898026
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
read R BLOCK
* BYE Auth process broken

On a related note, despite having configured wordpress as a multisite, it still takes over the mail subdomain, it did this with nextcloud as well. i have the DNS cnames configured and in the hosts file its correct, but wordpress insists that it doesnt end where another sub domain begins. maybe its a port binding issue?

For IMAP, you will need to have either port 143 (non-encrypted) or 993 (encrypted) open. Is the mail log you submitted coming from the machine you are trying to send and receive from or from the server?

On the send/receive server . it appears to be an internal error. I have the ports open through firewall-cmd, and i have configured my hosting provider to have the ports open on the cloud firewall.
output of lsof -i -P

dovecot    1453   root   21u  IPv4  19630      0t0  TCP *:110 (LISTEN)
dovecot    1453   root   22u  IPv6  19631      0t0  TCP *:110 (LISTEN)
dovecot    1453   root   23u  IPv4  19632      0t0  TCP *:995 (LISTEN)
dovecot    1453   root   24u  IPv6  19633      0t0  TCP *:995 (LISTEN)
dovecot    1453   root   40u  IPv4  19649      0t0  TCP *:143 (LISTEN)
dovecot    1453   root   41u  IPv6  19650      0t0  TCP *:143 (LISTEN)
dovecot    1453   root   42u  IPv4  19651      0t0  TCP *:993 (LISTEN)
dovecot    1453   root   43u  IPv6  19652      0t0  TCP *:993 (LISTEN)

Check your /etc/dovercot/conf.d/10-auth.conf file
You need at least one of those auth includes uncommented.

Whichever one is will let you know which rabbit hole to start down.

Note that you shouldn’t edit the stock files in /etc/dovecot. Create /etc/dovecot/local.conf and override the default settings there. This makes it easier to track what you’ve changed and you’ll automatically get any new settings in future versions when you update.

(I also recommend installing etckeeper to track edits to your /etc files.)

The server log indicates that something is misconfigured in the authentication system. I’d suggest posting your local.conf so we can see what you customized. Your client is connecting but the authentication phase is failing because Dovecot is trying to forward the auth stuff to some other service that’s not responding.

1 Like

Note that you shouldn’t edit the stock files in /etc/dovecot

Oops thanks for pointing that out. None of the online guides i was using mentioned that. You would think so though.
Anyway, here’s wonderwall.

$ cat 10-auth.conf

## Authentication processes

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth and PAM require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
auth_username_format = %n

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login
## Password and user databases

# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
# <doc/wiki/PasswordDatabase.txt>
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext

$ cat dovecot.conf

# If you're in a hurry, see

# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.

# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace  "

# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local { }, remote { }

# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var

# Protocols we want to be serving.
protocols = imap lmtp pop3
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot

# Greeting message for clients.
#login_greeting = Dovecot ready.

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =

# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =

# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =

# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no

# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes

# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server

# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ

## Dictionary server settings

# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

cat 10-master.conf

#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    port = 143
  inet_listener imaps {
    port = 993
    ssl = yes

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit

service pop3-login {
  inet_listener pop3 {
    port = 110
  inet_listener pop3s {
    port = 995
    ssl = yes

service submission-login {
  inet_listener submission {
    #port = 587

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024

service submission {
  # Max. number of SMTP Submission processes (connections)
  #process_limit = 1024

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =

   #Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  user = postfix
  group = postfix

  # Auth process is run as this user.
  #user = $default_internal_user

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =

Try “doveconf -n”, which dumps just the non-default settings to stdout.

BTW, there’s a dovecot mailing list. Dovecot | Mailing Lists

1 Like

sorry for the late reply
still havent solved this since i am working on other projects
should i just delete this config and start over with the custom one?
i’ve noticed i have there the disable_plaintext and auth_mechanism params appear to conflict. maybe this has something to do with it
$dovecot -n

# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 6.2.9-1.el9.elrepo.x86_64 x86_64 Rocky Linux release 9.1 (Blue Onyx) ext4
# Hostname:
auth_mechanisms = plain login
auth_username_format = %n
first_valid_uid = 1000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = create
    special_use = \Drafts
  mailbox Junk {
    auto = create
    special_use = \Junk
  mailbox Sent {
    auto = create
    special_use = \Sent
  mailbox "Sent Messages" {
    special_use = \Sent
  mailbox Trash {
    auto = create
    special_use = \Trash
  prefix =
passdb {
  args = scheme=PLAIN username_format=%u /etc/dovecot/dovecot-users
  driver = passwd-file
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
protocols = imap lmtp pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
service imap-login {
  inet_listener imap {
    port = 143
  inet_listener imaps {
    port = 993
    ssl = yes
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
service pop3-login {
  inet_listener pop3 {
    port = 110
  inet_listener pop3s {
    port = 995
    ssl = yes
ssl = required
ssl_cert = /etc/letsencrypt/live/
ssl_cipher_list = PROFILE=SYSTEM
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
protocol lda {
  mail_plugins = " sieve"

You might have better luck on the dovecot mailing list. But I did find some links that look promising: