December 29, 2025 at 3:28 PM, "Ethan Merrill via dovecot" <dovecot@dovecot.org mailto:dovecot@dovecot.org?to=%22Ethan%20Merrill%20via%20dovecot%22%20%3Cdovecot%40dovecot.org%3E > wrote:
Hello, I hope this is the right mailing list to send questions to. Please direct me where to go if it is not. Thanks.
I am setting up a postfix/dovecot email server on a Debian 13 VPS. Dovecot is v2.4.1. I have thus far been able to successfully configure the server for smtp and imap support for my primary domain (we'll say
user@example.comwho is a linux user with a home folder). I have been even been able to configure postfix to have virtual mailboxes and aliases, and from ssh I can can even see that the mail gets delivered to the correct place. However, I am struggling to set up dovecot to authenticate a virtual mailbox user (we'll sayuser@example.netwho only has a virtual mailbox).This documentation page describes the process to configure multiple authentication databases. It describes being able to use multiple
passdbanduserdbsections in order to authenticate dovecot users. Based upon what it suggested, I tried this configuration:Snippet from /etc/dovecot/dovecot.conf
passdb passwd-file {
So example.net => /etc/dovecot/passwd/example.net
passwd_file_path = /etc/dovecot/passwd/%{user | domain} }
Fall thru to PAM for unix users
passdb pam { }
userdb passwd-file { passwd_file_path = /etc/dovecot/passwd/%{user | domain} }
Fall thru to /etc/passwd for unix users
userdb passwd { }
Snippet from /etc/dovecot/passwd/example.net
support@example.net:$y$j9...hash...:800:800::/var/postfix/virtual/example.net/support:: mailto:support@example.net:$y$j9...hash...:800:800::/var/postfix/virtual/example.net/support::
This is the configuration I landed on that hypothetically checks multiple databases for authentication that allows at least
user@example.comto still login with Thunderbird and do email stuff. However it does not authenticateuser@example.net. The biggest difference between my config and the example is that they use asqldatabase while I am trying thepasswd-filedatabase. In principle this seems like it should work, unless I am understanding the dovecot docs or have made my passwd file incorrectly. I even tried reversing the order ofuserdbandpassdbsections to see if it would help to no avail.This thread seems to address a similar issue, and more or less has the same configuration setup suggested as the one in the snippet above. It's also from 2006 so the API looks kinda different from the current docs.
This thread is from 2013 addressing a similar issue, but despite again different API it translates to more or less what the snippet above shows.
Here is the journalctl output from when I tried to login as
user@example.net:journalctl -xeu dovecot | tail
Dec 29 11:38:19 example.com auth[4719]: pam_unix(dovecot:auth): check pass; user unknown Dec 29 11:38:19 example.com auth[4719]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user@example.net rhost=10.0.0.1 Dec 29 11:38:28 example.com auth[4719]: pam_unix(dovecot:auth): check pass; user unknown Dec 29 11:38:28 example.com auth[4719]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user@example.net rhost=10.0.0.1 Dec 29 11:41:19 example.com dovecot[4700]: imap-login: Login aborted: Inactivity (auth failed, 2 attempts in 180 secs) (auth_failed): user=<user@example.net>, method=LOGIN, rip=10.0.0.1, lip=10.0.0.2, TLS, session=<z8Tj3hlHkLxJMmuL>
The last message referring to "Inactivity" is because at that point fail2ban blocked my IP, but before that it was consistent with results I have been getting.
I'm at an absolute loss. I feel like I've trawled every doc I could find, every config file involved in the setup process, all the Stack Exchange answers that seem to exist. Honestly it baffles me to see that even what looks like the same setup as official documentation, it just doesn't... work? Can anybody point to me what is going wrong?
Thanks for reading, ~ Ethan Merrill Hello, I hope this is the right mailing list to send questions to. Please direct me where to go if it is not. Thanks.
I am setting up a postfix/dovecot email server on a Debian 13 VPS. Dovecot is v2.4.1. I have thus far been able to successfully configure the server for smtp and imap support for my primary domain (we'll say
user@example.comwho is a linux user with a home folder). I have been even been able to configure postfix to have virtual mailboxes and aliases, and from ssh I can can even see that the mail gets delivered to the correct place. However, I am struggling to set up dovecot to authenticate a virtual mailbox user (we'll sayuser@example.netwho only has a virtual mailbox). [1]This documentation page describes the process to configure multiple authentication databases. It describes being able to use multiplepassdbanduserdbsections in order to authenticate dovecot users. Based upon what it suggested, I tried this configuration:Snippet from /etc/dovecot/dovecot.conf
passdb passwd-file {
So [2]example.net => /etc/dovecot/passwd/example.net
passwd_file_path = /etc/dovecot/passwd/%{user | domain} }
Fall thru to PAM for unix users
passdb pam { } userdb passwd-file { passwd_file_path = /etc/dovecot/passwd/%{user | domain} }
Fall thru to /etc/passwd for unix users
userdb passwd { }
Snippet from /etc/dovecot/passwd/example.net
[3]support@example.net:$y$j9...hash...:800:800::/var/postfix/virtual/example.net/support::
This is the configuration I landed on that hypothetically checks multiple databases for authentication that allows at least
user@example.comto still login with Thunderbird and do email stuff. However it does not authenticateuser@example.net. The biggest difference between my config and the example is that they use asqldatabase while I am trying thepasswd-filedatabase. In principle this seems like it should work, unless I am understanding the dovecot docs or have made my passwd file incorrectly. I even tried reversing the order ofuserdbandpassdbsections to see if it would help to no avail. [4]This thread seems to address a similar issue, and more or less has the same configuration setup suggested as the one in the snippet above. It's also from 2006 so the API looks kinda different from the current docs. [5]This thread is from 2013 addressing a similar issue, but despite again different API it translates to more or less what the snippet above shows. Here is the journalctl output from when I tried to login asuser@example.net:journalctl -xeu dovecot | tail
Dec 29 11:38:19 [6]example.com auth[4719]: pam_unix(dovecot:auth): check pass; user unknown Dec 29 11:38:19 [7]example.com auth[4719]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [8]ruser=user@example.net rhost=10.0.0.1 Dec 29 11:38:28 [9]example.com auth[4719]: pam_unix(dovecot:auth): check pass; user unknown Dec 29 11:38:28 [10]example.com auth[4719]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [11]ruser=user@example.net rhost=10.0.0.1 Dec 29 11:41:19 [12]example.com dovecot[4700]: imap-login: Login aborted: Inactivity (auth failed, 2 attempts in 180 secs) (auth_failed): user=<[13]user@example.net>, method=LOGIN, rip=10.0.0.1, lip=10.0.0.2, TLS, session=<z8Tj3hlHkLxJMmuL>
The last message referring to "Inactivity" is because at that point fail2ban blocked my IP, but before that it was consistent with results I have been getting. I'm at an absolute loss. I feel like I've trawled every doc I could find, every config file involved in the setup process, all the Stack Exchange answers that seem to exist. Honestly it baffles me to see that even what looks like the same setup as official documentation, it just doesn't... work? Can anybody point to me what is going wrong? Thanks for reading, ~ Ethan Merrill
References
I simply define my virtual domains in Postfix:
==============================
VIRTUAL DOMAINS
==============================
virtual_alias_domains = new.domain virtual_alias_maps = hash:/etc/postfix/virtual
Then, in /etc/postfix/virtual, I add the alias:
newuser@new.domain newuser
And that’s it.
Could you share your doveconf -n?