Self-hosted email infrastructure, honestly reviewed. What Dovecot actually is, what it doesn’t do, and when you should deploy an all-in-one stack instead.

TL;DR

What it is: Dovecot is an IMAP and POP3 server — the component that stores email and serves it to mail clients like Thunderbird, Apple Mail, or Outlook. It is not a complete email solution by itself [website].
Who it’s for: System administrators building mail servers from scratch, or technically inclined people who want control over their IMAP layer. Not a direct deployment choice for non-technical founders [website].
The catch: To send and receive email you also need a mail transfer agent (Postfix, Exim, or OpenSMTPD), and likely a webmail interface (Roundcube, SOGo) and spam filtering (rspamd, SpamAssassin). Dovecot handles one piece of that stack [website].
Cost savings: Dovecot CE is free. The real comparison is against hosted email services: Google Workspace runs approximately $6/user/month. A $10 VPS running a full mail stack (Dovecot + Postfix + rspamd + Roundcube) covers unlimited users for $120/year. At a 10-person team that’s ~$600/year saved — if someone technical handles the setup.
Key strength: One of the most deployed IMAP servers in the world. ISPs and hosting companies run it at billion-mailbox scale. The reliability and standards compliance track record is two decades deep [website].
Key weakness: Not for direct use by non-technical founders. Setup complexity is high, the license metadata on GitHub is listed as “NOASSERTION,” and Dovecot Pro (the enterprise tier) has no public pricing. For most people on this site, the practical path is an all-in-one stack like Mailcow or Mailu — both of which ship Dovecot underneath.

What is Dovecot

Dovecot is an open-source IMAP and POP3 server. In the email delivery chain it sits between your mail transfer agent (which receives and routes email) and your mail client (which reads it). When you open Thunderbird and click “Get Mail,” Dovecot is what answers.

The project was started by Timo Sirainen and the homepage calls it “The Secure IMAP server” [website]. That framing reflects the project’s actual design priority — security and correctness over feature breadth. The GitHub description is even more minimal: “Dovecot mail server” [github]. That brevity is consistent with how the project presents itself: it does one thing and takes it seriously.

What makes Dovecot notable is deployment scale. The company behind Dovecot Pro positions it as “The World’s Leading Email Backend Platform” aimed at “the world’s largest Telcos, ISPs, and Hosters” [website]. That’s not marketing exaggeration — Dovecot genuinely runs infrastructure for providers serving millions of users, and has done so for long enough that its reliability is demonstrated rather than claimed.

The thing to understand before spending an afternoon with it: Dovecot is a component, not a product. It handles mail storage and IMAP/POP3 serving. It does not send email (that’s Postfix or Exim), does not filter spam (that’s rspamd or SpamAssassin), and does not provide a web interface (that’s Roundcube or SOGo). A working self-hosted email server needs all of these pieces integrated correctly.

Timo Sirainen’s development blog [1] — started in 2010 — gives an early window into how the project was being shaped: plans for mailbox list indexes, scalability improvements for high-latency storage, and abstracted filesystem backends were already in progress at v2.0 design stage. That early architectural ambition tracks with where Dovecot landed: highly scalable, filesystem-agnostic, deeply configurable.

Why people choose it

The third-party review landscape for Dovecot as software is thin. This tool doesn’t generate Trustpilot reviews or G2 comparisons because it operates below the abstraction layer where most users make choices. You don’t choose Dovecot the way you choose a SaaS product — you choose it because you’re building a mail server and Dovecot is the standard answer that sysadmins have reached for for 20 years.

The reasons it holds that position are practical:

Standards compliance. The website states that “Dovecot passes all IMAP server standard compliancy tests while most other servers fail many of them” [website]. For IMAP, compliance gaps cause real user-visible failures — messages not syncing, flags not persisting, client behavior breaking on edge cases. The project treats RFC implementation as a first-class concern.

Performance under load. Dovecot claims to be “among the best performing IMAP servers while still supporting the standard mbox and Maildir formats” [website]. The indexes are self-optimizing — they “contain exactly what the user’s client commonly needs, no more and no less” [website], which reduces I/O per IMAP connection at scale.

Flexible authentication. Dovecot supports LDAP, SQL (any database via driver), PAM, passwd/shadow files, and Lua-scripted custom backends. The website calls this “extremely flexible and feature-rich” [website]. In practice, this means it integrates into almost any existing user management system without requiring you to change it.

Direct MTA integration. Postfix (v2.3+) and Exim (v4.64+) can delegate SMTP authentication directly to Dovecot’s auth backend [website]. This matters operationally: you configure authentication once in Dovecot rather than maintaining duplicate auth configuration across your MTA and IMAP server.

Self-healing. Dovecot attempts to repair broken index files automatically rather than surfacing errors to users [website]. At scale this reduces alert fatigue — index corruption happens, and silent recovery is better than a wave of support tickets.

Features

Based on the official website and documentation:

Mail storage and protocol:

IMAP4rev1 and POP3 protocol serving [website]
Storage formats: mbox, Maildir, and mdbox (Dovecot’s own high-performance format) [website]
Clustered filesystem support — multiple servers can read and write the same mailboxes simultaneously [website]
NFS support with documented workarounds for NFS caching problems [website]

Authentication:

Passdb/userdb split architecture: separate databases for password validation and user info lookup
Supported backends: LDAP, SQL (MySQL/PostgreSQL/SQLite), PAM, passwd, static, Lua scripts [website]
SASL mechanisms: PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA-1, GSSAPI
SMTP AUTH delegation for Postfix and Exim — no separate SASL configuration needed [website]

Sieve filtering (via Pigeonhole plugin):

Server-side mail filtering via Sieve (RFC 5228)
ManageSieve protocol for remote rule management
Extensions: vacation autoreplies, fileinto, regex, variables, include, and others
Dovecot and Pigeonhole v2.4.2 released October 2025 [website]

Performance and reliability:

Transparent index files for fast folder status, message counts, and sort operations [website]
Self-optimizing indexes, self-healing on corruption [website]
Crash safety — any crash is treated as a bug to fix, not acceptable behavior [website]
Client compatibility workarounds for known buggy IMAP/POP3 clients, selectively enabled [website]

Extensibility:

Plugin architecture: quota, ACL, full-text search, virtual mailboxes, lazy-expunge, and more are plugins [website]
Lua scripting for custom hooks and behavior [website]
Plugins can add new IMAP commands, modify existing behavior, inject data into index files, or add support for new mailbox formats [website]

Enterprise / Pro tier (not CE):

obox format (object storage backend for S3, Ceph, and similar) — Pro only
Director proxy layer for large multi-server installations — Pro only
Dedicated support and SLA — commercial only [website]

Pricing: SaaS vs self-hosted math

Dovecot’s pricing has two modes, and they’re aimed at completely different audiences.

Dovecot Community Edition: Free. The license metadata on GitHub is listed as “NOASSERTION” [github] — meaning the machine-readable SPDX identifier is absent. The actual CE license is a mix of LGPL v2.1 and MIT for different components. This is not a commercial restriction situation, but enterprises doing legal due diligence should read the actual LICENSE files rather than relying on GitHub’s license detection.

Dovecot Pro: Contact sales. No public pricing. Targeted at ISPs, telcos, and large hosting companies [website]. If Pro pricing matters to your decision, you’ll be negotiating based on deployment scale.

For non-technical founders, the real comparison is against hosted email:

Option	Cost
Google Workspace Business Starter	~$6/user/month
Microsoft 365 Business Basic	~$6/user/month
Zoho Mail paid tier	~$1/user/month
Self-hosted VPS (unlimited users)	$5–20/month for the server

For a 10-person team, Google Workspace costs roughly $720/year. A $10/month Hetzner VPS running Mailcow (which ships Dovecot internally) costs $120/year — approximately $600/year saved. At 50 users the saving is over $3,000/year.

The caveat the math requires: that saving assumes someone technical handles setup and maintenance. If you’re paying a sysadmin $100/hour for even 2 hours per month, the break-even point shifts considerably. Self-hosted email is cost-effective only when in-house technical capacity exists.

Data on current pricing from third-party sources is not available for this review. The numbers above are publicly listed service pricing at time of writing — verify before committing.

Deployment reality check

Dovecot’s documentation at doc.dovecot.org is dense and thorough. The README points directly to the docs and the mailing list rather than attempting a quick-start [github] — the right call for infrastructure software with this many configuration dimensions.

What you need for a working mail server:

Linux VPS (Debian/Ubuntu recommended for package availability)
Dovecot (IMAP/POP3 serving — the thing this review covers)
Postfix or Exim (SMTP — receiving and sending email)
rspamd or SpamAssassin (spam filtering)
OpenDKIM or equivalent (DKIM signing)
SSL certificates (Let’s Encrypt via Certbot)
Roundcube, SOGo, or Snappymail (webmail, if you need a browser interface)
Correct DNS: MX record, SPF, DKIM, DMARC

Setting this up manually takes an experienced sysadmin half a day. Setting it up correctly — particularly deliverability, where SPF/DKIM/DMARC misconfiguration causes Gmail and Outlook to silently discard your outbound email — is where most first attempts fail. New mail servers have no sender reputation, and major providers are aggressive about unknown senders.

The practical recommendation: Don’t run bare Dovecot unless you specifically need that control level. Use an all-in-one stack that ships Dovecot pre-configured:

Mailcow — Docker-based, Dovecot + Postfix + rspamd + SOGo, active community, modern admin UI
Mailu — Similar stack, lighter-weight, more opinionated configuration defaults
Mail-in-a-Box — Most automated and opinionated, easiest for non-sysadmins, Dovecot underneath

Webuzo, a server control panel, lists Dovecot 2.3.21.1 as an installable application [2] — panel-based deployment is possible, but you’re still responsible for integrating the rest of the mail stack.

What can go sideways:

Email deliverability is separate from Dovecot configuration and is the hardest part — a new server’s IP has no reputation
Client quirks: Dovecot has workarounds for known buggy clients, but they’re opt-in [website]
NFS shared storage has caching issues; Dovecot documents workarounds but they add configuration complexity [website]
CE support is the mailing list at [email protected], not a ticket system [github]; posts from non-subscribers wait in a moderation queue [github]

Pros and cons

Pros

Two decades of production deployment. At 1,185 GitHub stars [github], the star count radically undersells this project — it’s infrastructure software that major ISPs run quietly at scale. The track record is real.
Genuine standards compliance. Claims to pass all IMAP compliance tests while most other servers fail many [website]. For IMAP this prevents subtle, hard-to-debug client sync failures.
Authentication flexibility. LDAP, SQL, PAM, Lua scripting — Dovecot integrates into essentially any existing user directory [website].
Self-healing indexes. Automatic repair of index corruption reduces operational noise and user-visible failures [website].
Plugin architecture. Quota, ACL, FTS, virtual folders, lazy-expunge — all plugins. Complexity is opt-in [website].
Clean MTA integration. Postfix and Exim can delegate SMTP AUTH to Dovecot directly, eliminating auth configuration duplication [website].
Active maintenance. Version 2.4.2 shipped October 2025; v2.4.0 in January 2025 [website]. This is not an abandoned project.

Cons

Not a complete solution. Dovecot alone cannot send or receive email. This cannot be overstated for non-technical evaluators.
License metadata is absent. GitHub shows “NOASSERTION” [github]. The actual CE license is valid for commercial use, but legal teams doing formal review will need to examine the actual license files rather than relying on automated detection.
Dovecot Pro pricing is opaque. Enterprise features (object storage backend, director proxy, SLA support) are commercial-only with no public pricing [website].
CE support is mailing-list only. No issue tracker for community users, no Slack or Discord — just email to [email protected] with a moderation queue for new posters [github].
Steep learning curve. Understanding passdb/userdb architecture, namespace configuration, mail location syntax, and plugin setup takes real investment. The documentation is good but assumes familiarity with mail server concepts.
No direct path for non-technical founders. The target audience for this site should not be deploying raw Dovecot — they should be deploying Mailcow or Mailu, which ship Dovecot inside them.

Who should use this / who shouldn’t

Deploy Dovecot directly if:

You’re a sysadmin building a custom mail server and need granular control over the IMAP layer.
You’re extending an existing mail infrastructure and need to replace or upgrade the IMAP component independently.
You’re running a hosting company or ISP that will serve thousands to millions of mailboxes.
You want to understand the IMAP layer before committing to an all-in-one stack.

Deploy Mailcow or Mailu (which ship Dovecot inside) if:

You’re a non-technical founder who wants to escape Google Workspace or Microsoft 365 bills.
You want self-hosted email without a week of configuration work.
You want a web UI for administration rather than editing config files.

Stay on Google Workspace or Microsoft 365 if:

Nobody on your team has Linux server administration experience.
Email deliverability is business-critical and you can’t afford the weeks it takes for a new server’s IP to build sender reputation.
The per-user monthly cost is tolerable given the operational cost of running your own mail server.

Consider a privacy-first hosted provider (Migadu, Fastmail, Proton for Business) if:

You want independence from Google’s data practices without the operational burden of self-hosting.
Your team is small enough that per-user pricing stays manageable.

Alternatives worth considering

For non-technical founders, the real comparison is between all-in-one email stacks that bundle Dovecot:

Mailcow (https://mailcow.email) — The most actively maintained Docker-based stack. Dovecot + Postfix + rspamd + SOGo. Free community edition, paid support subscriptions available.
Mailu (https://mailu.io) — Similar stack, lighter-weight, more opinionated. Fully open source.
Mail-in-a-Box (https://mailinabox.email) — Most automated setup path, limited customization by design, free and open source. Dovecot underneath.
iRedMail (https://www.iredmail.org) — Another full-stack installer. Open source and paid tiers. Also uses Dovecot.

If you specifically need to compare Dovecot against other IMAP server implementations:

Cyrus IMAP — The other serious enterprise IMAP option. More complex administration, used heavily by universities and large institutions, less common in modern self-hosted stacks than Dovecot.
Courier IMAP — Older and less actively maintained. Not the right choice for new deployments.
UW IMAP — Largely historical at this point; rarely appears in current recommendations.

For the use case this site targets — founders escaping SaaS bills — the honest path is: start with Mailcow or Mailu. Both use Dovecot internally. You inherit Dovecot’s reliability and compliance without needing to become a mail server expert yourself.

Bottom line

Dovecot is infrastructure, not a product. It’s the IMAP server running underneath your email provider’s platform, underneath Mailcow and Mailu, underneath a large fraction of the internet’s hosted email. Its quality is real — the standards compliance, the performance at scale, the security focus, the operational reliability. These aren’t marketing claims; they’re the reason major ISPs have run Dovecot for two decades.

But Dovecot alone does nothing useful for a non-technical founder trying to cut a Google Workspace bill. You need it paired with a mail transfer agent, spam filtering, webmail, correct DNS, and someone who knows how to wire it together. The practical path for most people reading this is Mailcow or Mailu — complete, Docker-based mail stacks that ship Dovecot pre-configured. That’s how you get Dovecot’s reliability without the week of sysadmin work. If the deployment itself is the blocker, that’s exactly the kind of infrastructure setup that upready.dev handles for clients.

Sources

Timo Sirainen — “I’m web 2.0?” — Dovecot IMAP Server Development blog, February 2010. http://blog.dovecot.org/2010/02/im-web-20.html
Webuzo — Dovecot app listing — Server control panel showing Dovecot version 2.3.21.1. https://www.webuzo.com/apps/utilities/Dovecot

Primary sources: