This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.

Dovecot LDA

The Dovecot LDA is a local delivery agent, which takes mail from an MTA and delivers it to a user's mailbox, while keeping Dovecot index files up to date. Nowadays you should probably use the LMTP server instead, because it's somewhat easier to configure (especially related to permissions) and gives better performance.

This page describes the common settings required to make LDA work. You should read it first, and then the MTA specific pages:

Main features of Dovecot LDA

Common configuration

The settings are listed in the example conf.d/15-lda.conf file. The important settings are:

Note that the config files must be world readable to enable dovecot-lda process read them, while running with user privileges. You can put password related settings to a separate file, which you include with !include_try and dovecot-lda skips them.


Parameters accepted by dovecot-lda:

Return values

dovecot-lda will exit with one of the following values:

System users

You can use LDA with a few selected system users (ie. user is found from /etc/passwd / NSS) by calling dovecot-lda in the user's ~/.forward file:

| "/usr/local/libexec/dovecot/dovecot-lda"

This should work with any MTA which supports per-user .forward files. For qmail's per-user setup, see LDA/Qmail.

This method doesn't require the authentication socket explained below since it's executed as the user itself.

Virtual users

With a lookup

Give the destination username to dovecot-lda with -d parameter, for example:


You'll need to set up a auth-userdb socket for dovecot-lda so it knows where to find mailboxes for the users:

service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group

The auth-userdb socket can be used to do userdb lookups for given usernames or get a list of all users. Typically the result will contain the user's UID, GID and home directory, but depending on your configuration it may return other information as well. So the information is similar to what can be found from eg. /etc/passwd for system users. This means that it's probably not a problem to use mode=0666 for the socket, but you should try to restrict it more just to be safe.

Without a lookup

If you have already looked up the user's home directory and you don't need a userdb lookup for any other reason either (such as overriding settings for specific users), you can run dovecot-lda similar to how it's run for system users:

HOME=/path/to/user/homedir dovecot-lda -f $FROM_ENVELOPE

This way you don't need to have a master listener socket. Note that you should verify the user's existence prior to running dovecot-lda, otherwise you'll end up having mail delivered to nonexistent users as well.

You must have set the proper UID (and GID) before running dovecot-lda. It's not possible to run dovecot-lda as root without -d parameter.

Multiple UIDs

If you're using more than one UID for users, you're going to have problems running dovecot-lda, as most MTAs won't let you run dovecot-lda as root. Best solution is to use LMTP instead, but if you can't do that, there are two ways to work around this problem:

  1. Make dovecot-lda setuid-root.
  2. Use sudo to wrap the invocation of dovecot-lda.

Making dovecot-lda setuid-root:

Beware: it's insecure to make dovecot-lda setuid-root, especially if you have untrusted users in your system. Setuid-root dovecot-lda can be used to gain root privileges. You should take extra steps to make sure that untrusted users can't run it and potentially gain root privileges. You can do this by making sure only your MTA has execution access to it. For example:

# chgrp secmail /usr/local/libexec/dovecot/dovecot-lda
# chmod 04750 /usr/local/libexec/dovecot/dovecot-lda
# ls -l /usr/local/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root secmail 4023932 2010-06-15 16:23 dovecot-lda

Then start dovecot-lda as a user that belongs to secmail group. Note that you have to recreate these rights after each update of dovecot.

Using sudo:

Alternatively, you can use sudo to wrap the invocation of dovecot-lda. This has the advantage that updates will not clobber the setuid bit, but note that it is just as insecure being able to run dovecot-lda via sudo as setuid-root. Make sure you only give your MTA the ability to invoke dovecot-lda via sudo.

First configure sudo to allow 'dovelda' user to invoke dovecot-lda by adding the following to your /etc/sudoers:

Defaults:dovelda !syslog
dovelda          ALL=NOPASSWD:/usr/local/libexec/dovecot/dovecot-lda

Then configure your MTA to invoke dovecot-lda as user 'dovelda' and via sudo:

/usr/bin/sudo /usr/local/libexec/dovecot/dovecot-lda

instead of just plain /usr/local/libexec/dovecot/dovecot-lda.

Problems with dovecot-lda


If you want dovecot-lda to keep using Dovecot's the default log files:

You can also specify different log files for dovecot-lda. This way you don't have to give any extra write permissions to other log files or the syslog socket. You can do this by overriding the log_path and info_log_path settings:

protocol lda {
  # remember to give proper permissions for these files as well
  log_path = /var/log/dovecot-lda-errors.log
  info_log_path = /var/log/dovecot-lda.log

For using syslog with dovecot-lda, set the paths empty:

protocol lda {
  log_path =
  info_log_path =
  # You can also override the default syslog_facility:
  #syslog_facility = mail


None: LDA (last edited 2013-03-17 20:45:05 by TimoSirainen)