Dovecot

Here is how I set up dovecot.

$ doas pkg_add dovecot

In /etc/dovecot/dovecot.conf, add these lines at the very bottom:

service lmtp {
  user = vmail
}

#auth_verbose=yes
#auth_debug=yes
#auth_debug_passwords=yes
#mail_debug=yes
#auth_verbose_passwords=sha1
verbose_ssl=yes

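You can uncomment the debugging lines and enable verbose SSL as needed to help troubleshoot. auth_debug_passwords and auth_verbose_passwords write password material to the logs, so comment them out again once you are done.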

In /etc/dovecot/conf.d/10-auth.conf, I make these changes:

#!include auth-system.conf.ext
passdb {
   args = scheme=blf-crypt /etc/mail/passwd
   driver = passwd-file
}

userdb {
   args = uid=vmail gid=vmail home=/var/vmail/%d/%n
   driver = static
}

Comment out the !include auth-system.conf.ext line and add the new passdb and userdb settings shown above.

In /etc/dovecot/conf.d/10-mail.conf:

mail_location = maildir:/var/vmail/%d/%n/Maildir

In /etc/dovecot/conf.d/10-ssl.conf, I make these changes:

ssl = required
...
ssl_cert = </etc/ssl/ircnow.org.fullchain.pem
ssl_key = </etc/ssl/private/ircnow.org.key
ssl_dh_parameters_length = 2048

As hinted in the dovecot README in /usr/local/share/doc/pkg-readmes/dovecot, add a dovecot login class to /etc/login.conf:

dovecot:\
         :openfiles-cur=4096:\
         :openfiles-max=8192:\
         :tc=daemon:

WARNING: You must use tabs and not spaces. If you use spaces in /etc/login.conf, the settings will not work.

NOTE: Allowing more open files than suggested in the README can help if you have many IP addresses.
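
One way to check the tab requirement from the warning above before rebuilding the database. This is an added example, not part of the original page; the function name check_login_class and the constructed sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): lint one login class.
# check_login_class FILE CLASS prints "LINE: text" for every continuation
# line of CLASS that is not indented with tabs only.
# Returns 0 if clean, 1 if offending lines were found, 2 if CLASS is absent.
check_login_class() {
    awk -v class="$2" '
        cont {
            # Previous line ended in "\", so this line continues the entry.
            if (inside && $0 !~ /^\t+[^ \t]/) {
                printf "%d: %s\n", NR, $0
                bad = 1
            }
            cont = ($0 ~ /\\$/)
            next
        }
        /^[^ \t#]/ {
            # New entry at column 0: "name:" or "name|alias:".
            split($0, head, /[:|]/)
            inside = (head[1] == class)
            if (inside) found = 1
            cont = ($0 ~ /\\$/)
        }
        END {
            if (!found) exit 2
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the openfiles-max line is indented with spaces.
sample=$(mktemp)
printf 'dovecot:\\\n\t:openfiles-cur=4096:\\\n        :openfiles-max=8192:\\\n\t:tc=daemon:\n' > "$sample"
check_login_class "$sample" dovecot || echo "status $?: fix before running cap_mkdb"
rm -f "$sample"
```

On the real system, call it as check_login_class /etc/login.conf dovecot.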

Then rebuild login.conf.db:

# [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf

Troubleshooting

$ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143