LogoفارسیFA

Troubleshooting Dovecot in DirectAdmin – Fixing IMAP Errors, Authentication Issues, and SSL Certificate Checks

Dovecot is the IMAP/POP3 server used by DirectAdmin. Sometimes users encounter errors such as “Connection dropped by IMAP server” or “unknown user” during authentication. This guide explains how to fix corrupted Dovecot indexes, understand authentication logs, hide unnecessary warnings, and manually inspect SSL certificates on IMAP ports 143 and 993.

Dovecot in DirectAdmin

~2 min read • Updated Mar 1, 2026

1. ERROR: Connection dropped by imap server – Query: SELECT "INBOX"


If your webmail or email client shows this error:


ERROR: Connection dropped by imap server
Query: SELECT "INBOX"

First, check the mail log for clues:


/var/log/maillog

Common cause: Corrupted Dovecot index files

This often happens after Dovecot upgrades. The fix is simple: delete the index files so Dovecot can rebuild them.

Steps:


cd /home/username/imap/domain.com/user/Maildir
rm -f dovecot*

After the user logs in again (webmail or email client), Dovecot will recreate the indexes and the issue should be resolved.

---

2. Why do I see: shadow([email protected],127.0.0.1): unknown user?


Dovecot uses two separate authentication databases:

  • System accounts/etc/shadow
  • Virtual email accounts/etc/virtual/domain.com/passwd

A valid email account exists in only one of these databases. Dovecot checks both, so if the user is not found in the first database, you will see:


shadow([email protected],127.0.0.1): unknown user
passwd([email protected],127.0.0.1): unknown user

This is normal and does NOT indicate a problem.

Hide these messages:

Edit /etc/dovecot/dovecot.conf in the “Authentication processes” section:


auth_verbose = no
auth_debug = no
---

3. How to Manually Check the IMAP SSL Certificate (Ports 143 & 993)


Many email clients now require valid SSL certificates. You can manually inspect the certificate used by Dovecot.

Check port 143 (STARTTLS):


openssl s_client -connect server.hostname.com:143 -starttls imap -servername server.hostname.com

Check port 993 (IMAPS):


openssl s_client -connect server.hostname.com:993 -servername server.hostname.com

What to look for:

  • CN (Common Name) must match the server hostname
  • Check the subject= field in the certificate output

Example:


-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.directadmin.com

Exit the IMAP session:


01 logout

If the certificate is self signed:

You will see:


Verify return code: 18 (self signed certificate)

Note: The -servername parameter enables SNI, allowing Dovecot to present the correct certificate when multiple certificates are configured.

Written & researched by Dr. Shahin Siami

Next Article